Admin

Preface
Administration in Cisco Prime LAN Management Solution (LMS) 4.2 groups all the activities and tasks
that a user with Network or System Administrator privileges needs to perform.
This preface details the related documents that support the Admin feature, and demonstrates the styles
and conventions used in this guide. This preface contains:
• Audience
• Document Conventions
• Product Documentation
Audience
This guide is for users who are skilled in network administration and management, and for network
operators who use this guide to make configuration changes of devices using LMS. The network
administrator or operator should be familiar with the following:
• Basic Network Administration and Management
• Basic Solaris System Administration
• Basic Windows System Administration
• Basic Soft Appliance System Administration
• Basic LMS Administration
Document Conventions
Table 1 describes the conventions followed in the user guide.
Table 1 Conventions Used
Item Convention
Commands and keywords boldface font
Variables for which you supply values italic font
Displayed session and system information screen font
Information you enter boldface screen font
Administration of Cisco Prime LAN Management Solution 4.2

OL-25947-01 v
Table 1 Conventions Used (continued)
Item Convention
Variables you enter italic screen font
Menu items and button names boldface font
Selecting a menu item in paragraphs Option > Network Preferences
Selecting a menu item in tables Option > Network Preferences
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Product Documentation
Note We sometimes update the printed and electronic documentation after original publication. Therefore,
you should also review the documentation on Cisco.com for any updates.
Table 2 describes the product documentation that is available.
Table 2 Product Documentation
Document Title Available Formats

Administration of Cisco Prime LAN Management • On Cisco.com at
Solution 4.2 (this document) http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/
user/guide/admin/admin.html
• PDF version part of Cisco Prime LMS 4.2
Product DVD.
Context-sensitive online help Select an option from the navigation tree, then
click Help.
Getting Started with Cisco Prime LAN • On Cisco.com at
Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/
user/guide/getting_started/
lms42_getstart_guide.html
Product DVD.
Configuration Management with Cisco Prime • On Cisco.com at
LAN Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/
user/guide/configuration/config.html
Product DVD.

vi OL-25947-01
Table 2 Product Documentation (continued)

Monitoring and Troubleshooting with Cisco • On Cisco.com at
Prime LAN Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/us
er/guide/lms_monitor/lms_mnt.html
Product DVD.
Inventory Management with Cisco PrimeLAN • On Cisco.com at
er/guide/inventory/inventory.html
Product DVD.
Technology Work Centers in Cisco Prime LAN • On Cisco.com at
er/guide/workcenters/wcug.html
Product DVD.
Reports Management with Cisco PrimeLAN • On Cisco.com at
er/guide/reports/lms42_reports_guide.html
Product DVD.
Installing and Migrating to Cisco Prime LAN • On Cisco.com at
ciscoworks_lan_management_solution/4.2/in
stall/guide/install.html
Product DVD.
Navigation Guide for Cisco Prime LAN • On Cisco.com at
ciscoworks_lan_management_solution/4.2/N
avigation/guide/lms42_nav_guide.html
Product DVD.
Open Database Schema Support in Cisco Prime • On Cisco.com at
LAN Management Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/da
tabase_schema4.2/guide/dbviews.html
Product DVD.

OL-25947-01 vii
Table 2 Product Documentation (continued)

Release Notes for Cisco Prime LAN Management • On Cisco.com at
Solution 4.2 http://www.cisco.com/en/US/docs/net_mgmt/
ciscoworks_lan_management_solution/4.2/re
lease/notes/lms42rel.html
Product DVD.
Supported Devices Table for Cisco Prime LAN • On Cisco.com at
ciscoworks_lan_management_solution/4.2/de
vice_support/table/lms42sdt.html
Product DVD.
Documentation Roadmap for Cisco Prime LAN Printed document part of Software kit
Management Solution 4.2
Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.

viii OL-25947-01
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment: “This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/)”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.

OL-25947-01 1
Notices
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in
their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS”' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:

Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of
the library used. This can be in the form of a textual message at program startup or in documentation
(online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not
cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: “This product includes software written
by Tim Hudson (tjh@cryptsoft.com)”.

2 OL-25947-01
Notices
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed. i.e. this code cannot simply be copied and put under another distribution license [including the
GNU Public License].

OL-25947-01 3
Notices

4 OL-25947-01
CHAPTER 1
Overview of Administration
This guide is intended for Local Area Network (LAN) administrators and management professionals
who perform LAN configurations and monitor LAN performance.
The Admin menu groups all the activities and tasks that a user with Network or System Administrator
privileges can perform.
This section explains:
• How the guide is organized?
• Administration Tasks
• Understanding the System Dashboard
How the guide is organized?

The Administration user guide is organized as follows:
Table 1-1 Administration User Guide
Chapter Description
Chapter 1, “Overview of Administration” Provides information on the organization of Administration with Cisco Prime
LMS user guide, and describes the System Dashboard portlets in LMS.
Chapter 1, “Setting up Security” Describes the security mechanisms that help to prevent unauthenticated access
to LMS server, Cisco Prime applications, and data. LMS provides features for
managing security while operating in single-server and multi-server modes.
Chapter 1, “Administering LMS Server” Describes how to use administrative features to ensure that the server is perform-
ing properly.
You can manage processes, set up backup parameters, update licensing informa-
tion, collect server information, manage jobs and resources, and configure sys-
tem-wide information on the Cisco Prime LMS Server.
Chapter 1, “Administering Discovery Describes how to configure discovery settings, and perform administrative tasks
Settings and Device and Credential Repos- in DCR.
itory”

OL-25947-01 1-1
Chapter 1 Overview of Administration
How the guide is organized?
Table 1-1 Administration User Guide (continued)
Chapter Description
Chapter 1, “Managing Groups” Describes how to use the Grouping feature in LMS.
LMS 4.2 has a more robust device grouping which can support 600 device
groups. The other grouping services that are available in LMS are:
• Fault Group
• IPSLA Collector Group
• Port and Module Group
Chapter 1, “Administering Data Collec- Describes how to use Data Collection.
tion”
Chapter 1, “User Tracking and Dynamic Describes how to use User Tracking and Dynamic Updates.
Updates”
User Tracking allows you to track end stations.
Dynamic Updates are asynchronous updates that are based on SNMP MAC no-
tifications traps.which
Chapter 1, “Administering Collection Describes how to configure the various collection settings in LMS.
Settings”
Chapter 1, “Monitoring and Troubleshoot- Describes how to configure all the administrative tasks that you need to perform
ing Settings” to monitor and troubleshoot your network using LMS.
Chapter 1, “Notification and Action Describes how to configure the the administrative tasks involved in setting up no-
Settings” tification, syslog settings.
You can also customize the names and event severity, create and activate a noti-
fication subscriptions, and setup up automated actions for Change Audit tasks
and syslogs.
Chapter 1, “Administering Change Audit Describes how to perform Change Audit tasks and set your preference to
and Software Management” download images.
Chapter 1, “Managing Jobs” Describes how to manage jobs in LMS, and set up job approval for certain
modules in LMS.
Chapter 1, “Working With Software Describes how to use the Software Center to check for software and device
Center” support updates, download them to their server file system along with the related
dependent packages, and install the device updates.
Chapter 1, “Discrepancies and Describes how to use the Discrepancies Reporting module of LMS to view the
Best Practices Deviations” discrepancies and best practices deviations in your network.
Chapter 1, “Report Setting” Describes how to configure some settings for generating reports and set a report
publish location.
Chapter 1, “Purge Settings” Describes how to configure the purge settings of all modules in LMS.
Chapter 1, “Debugging Options” Describes how to configure the debugging settings of all modules in LMS.
You can also view the details of all the log files.
Chapter 1, “Understanding LMS Tasks” Describes all LMS tasks.
Appendix 1, “CLI Tools” Describes all the CLI utilities that are available for the administrator in LMS 4.2.
Appendix 1, “Troubleshooting and FAQs” Provides troubleshooting and FAQs.
Appendix 1, “Data Extraction Engine” Describes how to export User Tracking, Topology, and Discrepancy application
data using Data Extraction Engine

1-2 OL-25947-01
Administration Tasks
Table 1-1 Administration User Guide (continued)
Chapter Description
Appendix 1, “Understanding Cisco Prime Describes the various levels of security implemented in Cisco Prime LMS.
Security”
Appendix 1, “Commands to Enable MAC Provides information on the list of commands that needs to run on each device
Notification Traps on Devices” to enable MAC Notification traps
The System Administration tasks are grouped into:
• Authentication Mode Setup
• Backup
• Cisco.com Settings
• Debug Settings
• Group Management
• License Management
• Log Rotation
• Server Monitoring
• SMTP Default Server
• Device Management Functions
• Software Center
• System Preferences
• User Management
The Network Administration tasks are grouped into:
• Change Audit Settings
• Discovery Settings
• PSIRT, EOS and EOL Settings
• Configuration Job Settings
• Device Credential Settings
• Best Practises Deviation Settings
• Display Settings
• Monitor and Troubleshoot
• Notification and Action Settings
• Purge Settings
• Resource Browser
• Software Image Management
The Collection Settings are grouped into:
• Config

OL-25947-01 1-3
• Data Collection
• Fault
• Inventory
• Performance
• Syslog
• User Tracking
• VRF Lite
Apart from the system administration and network administration tasks, you can also perform:
• Trust Management
– Local Server
– Multi Server
• Job Management
– Job Browser
– Job Approval
The two dashboards in the Admin menu are:
• System Dashboard. For more information, see Understanding the System Dashboard
• Device Status Dashboard.
This section is explained in the Inventory Online Help.
IPv6 Support in LMS

LMS provides IPv6 Support for the following features:

1-4 OL-25947-01
Application IPv6 Supported Features

Common Services The following features in Common Services support IPv6:
• Device Discovery
Common Services Device Discovery allows you to discover devices
from IPv6 networks, using CDP and Ping Sweep on IP Range Device
Discovery modules.
• DCR and Grouping Services
DCR supports IPv6 and stores the expanded format of IPv6 Addresses
that are discovered by the CDP and Ping Sweep on IP Range modules.
• Device Polling
The device polling feature allows you to poll device using IPv6 address.
• Device Selector
The device selector feature allows you to search a device using IPv6
address either in a compressed format or in a expanded format.
• Configuring Default Credentials
You can define a default credential policy type based on the standard
IPv6 Address format (6 octets separated by periods).
You can now create group rules based on IPv6 management addresses.
LMS supports IPv6 Addressing scheme in the following Device Discovery
pages:
• Seed Device Setting Page
• SNMP Settings Page
• Filter Settings Page
In the Device Troubleshooting home page, the existing IP Address field
supports IPv6 Addresses.

OL-25947-01 1-5

Inventory, Config and The following features/technologies in Inventory, Config and Image
Image Management Management support IPv6:
• Assigning an IPv6 Address to a Layer 3 device or VLAN
• Retrieving software files from a device
• Distributing different versions of software to a device
• Scheduling retrieval of software from a device
• Retrieving configuration files from a device
• Distributing a new configuration to a device
• Distributing a historical configuration file to a device
• Scheduling distribution of configuration files to a device
• Provisioning Auto Smart Ports on ASP-capable devices
• Medianet
• Provisioning Identity on Identity-capable devices
• Configuring Syslogs
• IPv6 sorting in Work Center Grids.
CiscoView CiscoView allows you to enter an IPv6 Address of a device to display the
device view for configuring and remote monitoring.

1-6 OL-25947-01

Network Topology, The following features in Network Topology, Layer 2 Services and User
Layer 2 Services and Tracking support IPv6:
User Tracking
• Data Collection
The following tasks related to Data Collection are supported in the IPv6
environment:
– SNMP Timeout and Retry configuration for IPv6 devices
– Viewing Data Collection Metrics and reports for IPv4/IPv6 devices
– Creating group rules based on IPv6 Subnet and IPv6 Subnet Masks
– Device-based debugging for IPv6 devices
• Topology
The following tasks related to Topology are supported in the IPv6
environment:
– Setting an IPv6 Address as the preferred Management Address
from Topology view
– Cross-launching Inventory, Config and Image Management and
CiscoView from Topology Services - Device Dashboard and Add to
Critical Poller
– Selecting IPv6 devices for Device Type Topology Filter
• Network Topology, Layer 2 Services and User Tracking Reports
IP Address fields in all these reports except User Tracking reports can
now display IPv6 Addresses.
You can sort the reports based on IP Addresses (IPv4 and IPv6).
• VLAN Configuration
The following VLAN related configurations are supported in the IPv6
environment:
– Configure VLAN
– Delete VLAN
– Create Private VLAN
– Delete Private VLAN
– Configure Port Assignment
– Configure Promiscuous Ports
– Create Trunk
– Modify Trunk Attributes
Monitoring and LMS supports IPv6 Addressing scheme in Device Performance
Troubleshooting Management.
Note In LMS, IPv6 support is provided for Dual stack devices.

OL-25947-01 1-7
Understanding the System Dashboard

The System Dashboard has the following portlets:
Note The data in these portlets does not appear based on any role-based authorization, both device-level or
user-level authorization.
• Cisco Prime Product Updates

• Critical Message Window
• Device Credentials and AAA Information
• Log Space Usage
• Process Status
• System Backup Status
• User Login Information
• Job Information Status
• Audit Trail Information
• Job Approval
• Syslog Collectors Information
• Supported Device Finder Portlet
• VRF Collector Summary
• Collection Summary Portlet
Cisco Prime Product Updates

You can view the recent updates and announcements of Cisco Prime products using Cisco Prime Product
Updates.
Critical Message Window

In the Critical Message Window portlet, you can view the alerts for Cisco Prime Drive Utilization and
for processes that are down. For details, see Utilizing Space in the Cisco Prime Drive.
For instance, if the usage of the drive exceeds the specified limit, the alerts appear. You can click the
help link to view the details, and can reduce drive utilization.
You must configure the refresh time in the portlets.
You can also get information about:
• Authentication mode fallback
Authentication mode from which the user fallbacks to the Local Authentication module. This
message appears when the user is in fallback mode.
• License expiration

1-8 OL-25947-01
• Single Sign On (SSO) master unreachability, which is applicable only for a slave server.
Utilizing Space in the Cisco Prime Drive
You can use the space in Cisco Prime LMS drive in the following ways:
• Delete the unwanted log files from the NMSROOT directory.
• Use the log rotate functionality, to rotate the logs to other drives.
• Remove unwanted files from the NMSROOT drive.
Note The Authentication modes appear in the Critical Message Window portlet (in red) if you do not
have full privileges in the Device Credential and AAA Information portlet.
Table 1-2 lists the Critical Message Window portlet details.
Table 1-2 Critical Message Window Portlet
Details Description
Cisco Prime Drive Utilization Displays the utilization of the drive for Windows, Solaris
and Soft Appliance.
For Windows:
Drive is where the product is installed.
For example, 'C' drive in case of "C/Program
Files/CSCOpx"
For Solaris/Soft Appliance:
The portlet displays the File System utilization of the
following:
/opt - Product Installed location
/var - Log file details location.
Processes xyz are down. Displays the processes that are down.
For example:ESS, EssMonitor, Proxy All the processes that are down are displayed in red in the
and so on. portlet.
However, when Fault processes such as DFMCTMStartup
and Data Purge are down, they are not displayed in the
Critical Message Window portlet.
Device Credentials and AAA Information

The Device Credentials and AAA Information portlet allows you to view the information about the
device credentials, admin settings, security settings, and device polling status.
The security settings enable you to view the security settings in LMS such as the Authentication mode,
and Single sign-on configuration.
Table 1-3 lists the Device Credentials and AAA Information portlet details.

OL-25947-01 1-9
Table 1-3 Device Credentials and AAA Information Portlet
Field Description
Authentication Mode Mode selected to authenticate the LMS server when logging into the LMS
application. For example, TACACS+, MS Active Directory.
• If the status is displayed in green, authentication is successful in the local or
external server.
• The status is in red when you log into the Cisco Prime application in fallback
mode.
Authorization Mode Mode used to authorize the user after authentication. From LMS 4.0, only the
Local Authentication mode is used to authenticate users, and authorize them to
access Cisco Prime LMS. ACS mode is not available.
Single Sign On (SSO) Mode SSO mode such as Stand alone and Master/Slave.
No. of Devices Number of devices. Click on the number to view the DCR Device Management
page details.
DCR Mode DCR mode such as Standalone, Master, Slave.
For more information about DCR mode, see DCR Architecture in Inventory
Management Online Help.
For more information on changing the DCR mode, see Changing DCR Mode.
Device Polling Status
Device Polling Status Status of the device polling.
The status can be either enabled or disabled.
If the status is enabled, then it displays the scheduled jobs along with the Job ID.
For example Job ID: 1034.
Device Polling Frequency Polling frequency of the devices.
This frequency can be:
• Every 6 hours
• Every 12 hours
• Daily
• Weekly
• Monthly
Total Unreachable Devices Total number of devices that are not reachable.
Click the unreachable device link to view the report.
Next Polling Schedule Time at which the next polling is scheduled.
Log Space Usage

In Log Space Usage portlet, you can manage the reports on log file size.
The Log Space Usage portlet also displays details of all log files, including the Tomcat and Apache log
files. You must configure the refresh time in the portlets.
Table 1-4 lists the Log Space Usage portlet details.

1-10 OL-25947-01
Table 1-4 Log Space Usage Portlet
Field Description
Log File Name of the log file such as syslog.log, EDS.log upm_base.log, and
so on.
The asterisk (*) displayed along with some log file name denotes
that there are multiple files available.
Directory Displays the location of the logfile.
For instance, var/adm/CSCOpx/log.
File Size Current size of the log file in kilo bytes.
You can click the portlet name in the title bar of the portlet to navigate to Log File status report page
(Reports > System > Status > Log File).
For more information on the list of log files, see Maintaining Log Files.
Process Status
In Process Status portlet, you can manage all the activities or jobs.
Table 1-5 lists the Process Status portlet details.
Table 1-5 Process Status Portlet
Field Description
State Status of the process, such as Failed to start, Running normally and
Shutdown.
No. of Process Number of processes in each state.
You can click the portlet name in the title bar of the portlet to navigate to the Process Status report page
(Reports > System > Status > Process).
You can click the link displayed in the portlet to start or stop the process.
System Backup Status

In the System Backup Status portlet, you can view the details such as the current backup schedule, last
backup status, last backup location and the time when the last backup was completed.
You should back up the database regularly so that you have a safe copy of the database. You cannot back
up the database while restoring it. Whenever you perform a backup, all the databases of the installed
applications are backed up.
LMS provides a single backup and restore facility to back up and restore all applications installed on the
LMS server. You cannot backup or restore individual portal databases without the LMS backup utility.
See, Backing up Data Using CLI for more information on the backup utility.
To schedule system backups at regular intervals, select Admin > System > Backup.
Table 1-6 lists the System Backup Job Details portlet fields.

OL-25947-01 1-11
Table 1-6 System Backup Job Details Portlet
Field Description
Backup Schedule Date and time at which the backup was scheduled.
You can click the link corresponding to the Backup Schedule to
view/schedule the respective Backup Job details.
Last Backup Completed at Date and time when the last backup was completed.
Last Backup Status Status of the last backup.
Last Backup Location Location of the last backup.
You can click on the portlet name in the title bar of the portlet to navigate to the Backup Job page.
User Login Information

In the User Login Information portlet, you can view the information on users currently logged into LMS
server.
Table 1-7 lists the User Login Information portlet details.
.
Table 1-7 User Login Information Portlet
Field Description
No. of Logged-in Users Number of users who have logged in.
You can click the number of logged-in users to view the Who is Logged on
Report page (also available from Reports > System > Users > Who is Logged
On).
Users Log-in details of all users and the number of sessions opened by each user.
Note You can send broadcast messages to logged-in users by clicking the Send Message to all users
link displayed in the User Login Information and the users will receive the message within 60
seconds by default.
You can click the portlet name in the title bar of the portlet to navigate to the Who is Logged on Report
page.
For more information on setting up local users, see Setting up Local Users.
Job Information Status

In the Job Information Status portlet, you can view the status of up to 20 jobs of the installed
applications. You can click the portlet name in the title bar of the portlet to navigate to the Job Browser
page.

1-12 OL-25947-01
Table 1-8 lists the Job Information Status portlet details.
Table 1-8 Job Information Status Portlet
Field Description
Job ID Unique ID assigned to the job by the system, when the job is created. The Job IDs are
displayed in ID.No.of.Instances format in periodic jobs.
For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job
whose ID is 1002.
When you click the Job ID, the job details, if available, are displayed.
Job Type Type of the job.
For example, Inventory Collection, SyslogDefaultPurge, and Net Config Job.
Status Status of the scheduled jobs that are completed.
The Job states include Succeeded, Failed, Crashed, Cancelled, and Rejected.
The status of the succeeded jobs are displayed in green and the Failed, Crashed,
Cancelled, and Rejected jobs are displayed in red.
Job Description Description of the job provided by the job creator.
It can contain alphanumeric characters.
Owner Name of the user who created the job.
Scheduled At Date and time at which the job is scheduled to run.
Audit Trail Information

In the Audit Trail Information portlet, you can view the details of the changes made to the LMS
application by the user.
Table 1-9 lists the Audit Trail Information portlet details.
Table 1-9 Audit Trail Information Portlet
Field Description
User Name Name of the person who performed the change. This is the name entered
when the person logged in.
It can be the name under which the LMS application is running, or the name
under which the Telnet connection is established.
Application Name Name of the LMS component involved in the network change. For example,
Change Audit, Device Management, ICServer, NetConfig, and NetShow.
Creation Time Date and the time at which the changes were performed on the LMS server.
Description Brief summary of the change that occurred on the LMS server.
You can click the portlet name in the title bar to navigate directly to the Report Generator page.

OL-25947-01 1-13
Job Approval
In Job Approval portlet, you can view the list of all jobs.
To configure Job Approval portlet, see Configuring the Job Approval portlet.
Table 1-10 lists the Job Approval portlet details.
Table 1-10 Job Approval Portlet
Field Description
Job ID ID of the job that has been given for approval.
The unique number assigned to the job. For periodic jobs such as Daily, Weekly, and so
on, the job IDs are in the number x format. The x represents the number of instances of
the job.
For example, 1001.3, indicates that this is the third instance of the job ID 1001.
Click the Job ID hyperlink to view the job details.
Job Description Description of the job.
Job Schedule Date and time for which the job is scheduled.
The Job Approval portlet allows you to approve or reject a job for which you are an approver. A job will
run only if it is approved. If the job is not approved by its scheduled runtime, or if an approver rejects it,
the job is moved to its rejected state and will not run.
For periodic jobs, only one instance of the job needs to be approved. If one instance is approved, all other
instances are also considered as approved.
You are notified by e-mail, when a job approved by you is created.
This portlet enforces the approval process by sending job requests through e-mail to people on the
approved list.
You can click the portlet name in the title bar to navigate directly to the Jobs Pending Approval details
page in LMS.
In the Job Approval portlet, you can view the list of Job details.
You can configure the Job Approval portlet to set the number of records to be displayed in the portlet,
and refresh time both manually and automatically.
Configuring the Job Approval portlet

To configure the Job Approval portlet:
Step 1 Click the Configuration icon. You can:

Step 2 Select the minute and hour from the Refresh Every drop-down list to change the refresh time. The items
in the portlet get refreshed at the changed Refresh frequency.
Step 3 Select the number of records to be displayed in the portlet from the Show Last Records drop-down list.
Step 4 Click Save to view the portlet with the configured settings.

1-14 OL-25947-01
Syslog Collectors Information

Syslog Collectors Information portlet displays the list of remote Syslog collectors subscribed to the LMS
servers. It contains the syslog collector information such as the name of the remote syslog, analyzer
name, status and the number of packets received.
Syslog Collector is a service to receive, filter and forward syslogs to one or more Syslog servers. In this
way the collectors reduces traffic on the network as well as the processing load on the server.
By default you can only view the remote Syslog analyzer name, status and the number of packets
received. However, you can configure the portlet for you to view the other details in the portlet such as
the number of packets that are filtered, invalid, dropped, or forwarded.
Table 1-11 lists the Syslog Collectors Information portlet details.
Table 1-11 Syslog Collectors Information Portlet
Field Description
Name Host name or the IP address on which the collector is installed.
Status Status of the Remote Syslog Collector. For example, whether it is
connected.
Received Number of packets received.
To configure Syslog Collectors Information:
Step 1 Move the mouse over the title bar of the Syslog Collector
Step 2 Click the configuration icon. You can:
• Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The
items in the portlet get refreshed at the changed Refresh frequency.
• Select the check box against the type of syslog message (Filtered, Invalid, Dropped, Forwarded) to
view the respective columns in the Syslog Collector portlet.
– Filtered—Number of filtered messages. Filters are defined with the option Message Filters
option. See Defining Syslog Message Filters for more information.
– Invalid—Number of invalid Syslog messages.
– Dropped—Number of Syslog messages dropped.
– Forwarded—Number of forwarded Syslog messages.
Supported Device Finder Portlet

The Supported Device Finder portlet enables you to view the details of the devices that are supported in
various LMS applications.
By default the Supported Device Finder portlet is added to the System View.
This portlet enables you to:
• Locate the supported devices in the LMS applications

OL-25947-01 1-15
• Get the latest updates on devices that are supported and those that will be supported in the upcoming
releases.
• Raise a request through mail to support a new device that is not supported.
You can search the support of devices added to the DCR using the following search options:
• IP Address
• Host Name
• Device Name
• Model Name
• SysObjectID
To search using Supported Device Finder portlet:
Step 1 There are three scenarios when the device is not supported:
• If the device is not supported in the current installation the following message appears:
The device is not supported, click here for more information.
• If the requested device is supported in later releases, and not available with your present installation,
the following message appears:
Not supported in Installed version <<version number>>. Support available in version
<< version number>>
Note If the device is not currently supported with your existing package, you can install the latest IDU
from Cisco.com to get the device support.
• If the requested device is not supported in any releases, the following message appears:
The device is not supported, click here for more information.
Step 2 Click the click here link and a popup box appears:
The popup box has the following information:
• OK button to raise a request for the unsupported device.
• Disclaimer: Please note that all efforts will be made to provide support to this request, however we
are unable to commit to a time-line at this moment.
• Links to the latest device updates
• Link to the Supported Devices Table
Step 3 Click OK button to raise a request for the SysObject ID or Model Name. For example, sysobjectId or
Model name.
The SysobjectID or the Model Name appears based on the entries made in the portlet.
The default mail client is launched.
The To field and Subject field has the following address and entries:
• To field: lms-dev-supreq@external.cisco.com
• Subject field: Request for new Device Support. For example, <<Model name /SysObjectId>>
The body lists the application names.
Step 4 Enter Yes against the respective application names for which device support is required.

1-16 OL-25947-01
Step 5 Click Send to send a request.
IP Address
You can use the IP Address option to search the devices that are supported in the LMS application.
To search using the IP Address:
Step 1 Select the IP Address from the drop-down list.

Step 2 Enter an IP Address in the IP Address field and click Submit.
All applications are displayed, regardless of whether they are installed or not. The supported servers are
also displayed.
• If the requested device is supported in the later releases and you have not installed it, the following
support details are displayed:
Supported in LMS 3.2. Click here to download
• If the requested devices is in the roadmap of next recent releases, the following supported details
message is displayed.
Support expected by Sept ‘08.
• If the requested device is not supported in any release, the following supported details are displayed.
Click here to send a request to support team.
Host Name
You can use the Host Name option to search the devices that are supported in the LMS applications.
To search using the Host Name:
Step 1 Select the Host Name from the drop-down list.

Step 2 Enter a Host Name in the Host Name field and click Submit.
Note The valid Host Name characters are A-Z, a-z, 0-9, _.
All LMS functions are displayed. The supported servers are also displayed.
The LMS applications are:
• Inventory, Config and Image Management
• Network Topology, Layer 2 Services and User Tracking
• Fault Management
• IPSLA Performance Management
• Device Performance Management
For more information on the server supported details, see Step 2 of IP Address.

OL-25947-01 1-17
Device Name
You can use the Device Name option to search the devices that are supported in the LMS applications.
To search using the Device Name:
Step 1 Select the Device Name from the drop-down list.
Note The valid Device Name characters are A-Z, a-z, 0-9, _.
Step 2 Enter a Device Name in the Device Name field and click Submit.
SysObjectID
You can use the SysObjectID option to search the devices that are supported in the LMS application.
To search using the SysObjectID:
Step 1 Select the SysObjectID from the drop-down list.

Step 2 Enter a SysObjectID in the SysObjectID field and click Submit.
All LMS functions are displayed, regardless of whether they are installed or not. The supported servers
are also displayed.
Model Name
You can use the Model Name option to search the devices that are supported in the LMS application.
To search using the Model Name:
Step 1 Select the Model Name from the drop-down list.

Step 2 Enter a Model Name in the Model Name field and click Submit.
Note You can also use a wildcard search, (*), to search for the model name.
VRF Collector Summary

In the VRF Collector Summary portlet, you can view details of the VRF collection, number of VRFs
discovered, number of VRF-supported and VRF-capable devices.

1-18 OL-25947-01
Table 1-12 lists the VRF process summary portlet details.
Table 1-12 VRF Process Summary Portlet
Field Description
VRF Collector Status Status of the VRF Collector. The two states are:
• Running—Indicates that the VRF collector is running.
• Idle—Indicates that the VRF collector is not running.
VRF Collector Last Completion Time Indicates the time when the VRF collection is completed.
Total VRFs Discovered Total number of VRFs discovered. Click the number to launch the Virtual Network
Manager Report.
VRF Supported Devices [H/W and S/W Number of VRF-supported devices. These devices have both VRF-supported
Supported] hardware and software. Click the number to launch the VRF Readiness report.
VRF Capable Devices [H/W Supported, Number of VRF-capable devices. These devices have VRF-supported hardware but
S/W Update Required] these devices do not have the supported IOS image for VRF. Click the number to
launch the VRF Readiness report.
Collection Summary Portlet

In the Collection Summary portlet, you can view details of the different collectors in LMS.
Table 1-13 lists the Collection Summary portlet details.
Table 1-13 Collection Summary Portlet
Field Description
Collector Name Name of the Collector. The various collectors in LMS are:
• Inventory Collection
• Config Archive
• EnergyWise Collection
• Device Discovery
• Fault Discovery
• Topology Data Collection
• UT Major Acquisition
• VRF Collection
Succeeded Indicates if the respective collection has completed successfully.
Note In Inventory Collection, Succedded will give the count of devices that
were successfully inventory collected at least once. In Config Archive,
partial success state devices will not be shown in Succeeded or Failed
columns.

OL-25947-01 1-19
Table 1-13 Collection Summary Portlet (continued)
Field Description
Failed Indicates if the respective collection has failed.
Note In Inventory Collection, Failed will give the count of devices that are
recently failed. A device which was previously successfully inventory
collected and recently failed will have entry in both the columns. We
should not compare this with DCR device count.
Last Completion Time Indicates the time when the collection is completed.
Current Status Status of the Collector. The two states are:
• Running—Indicates that the collector is running.
• Idle—Indicates that the collector is not running.
Schedule Click the Schedule link next to the respective collector to launch the corresponding
page. You can now schedule the collector.
To configure this portlet:
Step 1 Move the mouse over the title bar of the Collection Summary Portlet.
Step 2 Click the configuration icon.
Step 3 Select the Auto Refresh check box.
Step 4 Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The items
in the portlet get refreshed at the changed Refresh frequency.
Note The data in the above portlets is not populated based on device-level or user-level authorization.
Role-based access control is not applicable to the portlets.
Note From LMS 4.2.2, the Collection Summary Portlet page will display the total number of managed devices
in LMS server. The customer can view the detailed list of the devices managed by the LMS server by
clicking the Managed Device count link on the Collection Summary Portlet page.

1-20 OL-25947-01
CHAPTER 2
Setting up Security
LMS 4.2 provides security mechanisms that help to prevent unauthenticated access to LMS server, LMS
applications, and data. LMS provides features for managing security while operating in single-server and
multi-server modes.
You can specify the user authentication mode using the Authentication Mode Setup.
This chapter explains the following:
• Managing Security in Single-Server Mode
• Managing Security in Multi-Server Mode
• Setting up the Authentication Mode
• Managing Roles
• Managing Cisco.com Connection
• Support Settings
Managing Security in Single-Server Mode

You can configure the following in Single-Server mode:
• Browser-Server Security Mode Setup: LMS 4.2 Server uses Secure Socket Layer encryption to
provide secure access between the client browser and management server and also among the
management server and the devices. You can enable or disable SSL depending on your need to use
secure access between the client browser and management server.
• Local User Policy Setup: Set up username and password policies for local users using this option.
• Local User Setup: Edit user settings, add users and assign roles, modify your profile and delete a
user, or view a user’s settings using this option.
• Self Signed Certificate Setup: Create self-signed certificates that can enable SSL connections
between the client browser and the management server.
You can set up browser-server security, add and modify users, and create self signed certificate using the
features that come under Single-Server Management in the Security Settings user interface.
The Single-Server Management page displays the mode of server security and the information on self
signed certificate.

OL-25947-01 2-1
Chapter 2 Setting up Security
To open the Single-Server Management page:
Step 1 Select Admin > Trust Management > Local Server

The Browser-Server Security Mode Setup page appears.
Step 2 Click Single-Server Management in TOC.
The Single-Server Management page displays the mode of server security and the information on self
signed certificate.
This section contains the following:

• Setting up Browser-Server Security
• Setting up Local User Policy
• Setting up Local Users
• Creating Self Signed Certificates
Setting up Browser-Server Security

LMS provides secure access between the client browser and management server. It does this using SSL
(Secure Socket Layer).
SSL encrypts the transmission channel between the client, and server. LMS provides secure access
between the client browser, and management server.
SSL is an application-level protocol that enables secure transactions of data through privacy,
authentication, and data integrity. It relies upon certificates, public keys, and private keys.
You can enable SSL if you want to open the LMS application in secure mode. If you want to open the
LMS application in non-secure mode (http), you can disable SSL. The login pages always open in SSL
mode, irrespective of the Browser-Server security mode.
LMS Server uses certificates for authenticating secure access between the client browser and the
management server. To enable SSL from the client browser, you must have the necessary security
certificates on your computer. See Creating Self Signed Certificates for more information.
You can enable or disable the Browser Server Security using LMS Server GUI or Command Line
Interface CLI.
This section has the following:
• Enabling Browser-Server Security From the LMS Server
• Disabling Browser-Server Security From the LMS Server

2-2 OL-25947-01
Enabling Browser-Server Security From the LMS Server

To enable Browser-Server Security:
Step 1 Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2 Select the Enable option to enable SSL.
Step 3 Click Apply.
Step 4 Log out from your Cisco Prime session and close all browser sessions.
Step 5 Restart the Daemon Manager from the LMS Server CLI:
On Windows:
a. Enter net stop crmdmgtd
b. Enter net start crmdmgtd
On Solaris/Soft Appliance:
a. Enter /etc/init.d/dmgtd stop
b. Enter /etc/init.d/dmgtd start
Step 6 Restart the browser and the Cisco Prime session.
When you restart the Cisco Prime session after enabling SSL, you must enter the URL with the following
changes:
• The URL should begin with https instead of http to indicate secure connection. Cisco Prime will
automatically redirect you to HTTPS mode if SSL is enabled.
• Change the port number suffix from 1741 to 443.
If you do not make the above changes, LMS Server will automatically redirect you to https mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.
Disabling Browser-Server Security From the LMS Server

To disable Browser-Server Security:
Step 1 Select Admin > Trust Management > Local Server > Browser-Server Security Mode Setup.
The Browser-Server Security Mode Setup dialog box appears.
Step 2 Select the Disable option to disable SSL.
Step 3 Click Apply.
Step 4 Log out from your Cisco Prime session, and close all browser sessions.

OL-25947-01 2-3
On Windows:
Step 6 Restart the browser, and the Cisco Prime session.
When you restart the Cisco Prime session after disabling SSL, you must enter the URL with the
following changes:
• The URL should begin with http instead of https to indicate that connection is not secure.
The port numbers mentioned above are applicable for LMS Server running on Windows.
On Solaris/Soft Appliance, if the default port (1741) is used by another application, you can select a
different port during LMS Server installation.
Setting up Local User Policy

You can setup username and password policies for Local Authentication users in LMS.
With the new local user policy, you can:
• Start the local username with a number
• Include special characters in local username
• Specify the length of local username
• Specify the length of local user password
• Include at least characters from lowercase, uppercase, digits and special characters in password.
The password should not be:
• Same as the username, or the username in reverse
• Have the same character repeated three times, in sequence
• A variant of the word Cisco
You can apply only one local user policy at a time.
You cannot define policies for each local user. The local user policy you set up applies to all users
including the administrative users.
The local usernames that begin with numbers and contain special characters are not subject to the
security limitations of authentication and authorization in LMS Servers integrated with pluggable
authentication modules such as Active Directory.

2-4 OL-25947-01
To set up local user policies:
Step 1 Select Admin > System > User Management > Local User Policy Setup.
The Local User Policy Setup page appears.
Step 2 Select Allow Special Characters in username to allow special characters in the username.
You can include the following special characters in the username:
Special Character Description

~ Tilde
@ Commercial At character
# Number sign
_ Underscore
' Apostrophe
- Hyphen
/ Solidus or Leading slash
\ Trailing slash
. Period
space Non-breaking space
Note You can add the special characters including hyphen and period in local username only when
you have selected this check box. You cannot start a local username with special characters
except _ (Underscore).
Step 3 Select Allow Username to start with numbers to allow the first character of a local username to be a
numeral.
You can enter any number between 0 to 9 in the username as the first character if you have enabled this
option.
Step 4 Enter the minimum and maximum length of username of local users.
The default minimum length is 5 characters and the default maximum length is 256 characters.
You can enter any number between 1 and 256 in the minimum and maximum fields.
Ensure that you do not enter a number in minimum username length field that is greater than the number
in maximum username length field.
Step 5 Enter the minimum and maximum length of password of local users.
The default minimum length is 5 characters and the default maximum length is 256 characters.
You can enter any number between 1 and 256 in the minimum and maximum fields.
Ensure that you do not enter a number in minimum password length field that is greater than the number
in maximum password length field.
Step 6 Click Apply to save the changes.

OL-25947-01 2-5
Setting up Local Users

Local User Setup feature helps you to:
• Import users
• Export users
• Modify your profile
• Add a local user
• Edit user profiles
• Delete local users
You can also set up local users and reset Cisco Prime password through CLI.
• About User Accounts
• Understanding Security Levels
• Importing and Exporting Local Users
• Importing Local Users Using CLI
• Importing Users From ACS
• Adding and Modifying a Local User
• Adding Local Users Using CLI
• Assigning Roles on NDG Basis
• Modifying Your Profile
About User Accounts

Several Cisco Prime network management and application management operations are potentially
disruptive to the network, or to the applications themselves, and must be protected.
To prevent such operations from being used accidentally or maliciously, Cisco Prime uses a multi-level
security system that allows access only to certain features, to users who can authenticate themselves at
the appropriate level.
LMS provides two predefined login IDs for which the password is specified during installation:
• guest—After authentication and authorization, user will have the default role. After a fresh
installation, the default role is Help Desk. You can change the default roles, see Managing Roles for
more information.
• admin—This login provides the user access to all Cisco Prime tasks.
However, as an administrator, you can create additional unique login IDs for users in your company.
Note The LMS Server Administrator can set the passwords for admin and guest users during installation.
Contact the LMS Server Administrator if you do not know the password for admin.

2-6 OL-25947-01
Understanding Security Levels

System administrators determine user security levels when users are granted access to Cisco Prime.
When users are granted logins to the Cisco Prime application, they are assigned one or more roles.
A role is a collection of privileges that dictate the type of system access you have. A privilege is a task
or operation defined within the application. The set of privileges assigned to you, defines your role and
dictates how much and what type of system access you have.
The user role or combination of roles, dictates the tasks that are presented to the users. For information
on tasks that can be performed with each role, see Permissions Report (Reports > System > Users >
Permission). See also About Cisco Prime Pluggable Authentication. Other roles are displayed,
depending on your applications.
Importing and Exporting Local Users

You can import local users from the client. If you want to import local users to the local server from a
remote LMS Server, you must first import the file from the remote server to the client and then use the
import function from the LMS UI.
Note When you import local users, if there are no roles associated with the users, the default role will be
associated with them.
You can also export the local users to an output file.

You can import local users from the client through CLI. See, Importing Local Users Using CLI for more
information.
You can import local users from ACS through CLI. See, Importing Users From ACS for more
information.
Before you import users from the client, you must install the peer certificate of the remote server in the
local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate for more
information.

OL-25947-01 2-7
To import users from a remote server:
Step 1 Select Admin > System > User Management > Local User Setup.
The Local User Setup page appears.
Step 2 You can do one of the following:
• Import:
– Click Import Users. You can import only files in the XML format.
– Click Browse and select a file from the client.
– Click Submit. To return to the Local User Setup page, click Cancel.
• Export:
– Select the users for whom you want to export information. If you want to select all the users,
you can check the check box next to the User field.
– Click Export. The files exported are in XML format.
A message appears prompting you to open or save the LMSuserExport.xml file. This file is
saved in the client. Click Cancel to return to the Local User Setup page.
Importing Local Users Using CLI

This feature allows you to import information about local users to the local server, from a remote LMS
Server.
You should have the privileges to import local users from the remote LMS Server through CLI.
Before you import users from a remote server, you should install the peer certificate of the remote server
in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate
for more information.
To import users from a remote server, enter the following commands:
• NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber
Username Password (on Solaris/Soft Appliance)
• NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber
Username Password (on Windows)
where,
• Protocol — Protocol of the remote LMS Server.
The supported values are HTTP or HTTPS.
• Hostname — Hostname or IP address of the remote LMS Server.
• Portnumber — Port Number of the remote LMS Server.
• Username — Remote LMS Server login Username.
• Password — Remote LMS Server login Password.
For example, enter the following command to import the local users from the remote LMS Server
lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin

2-8 OL-25947-01
Importing Users From ACS

To import users from ACS through CLI, enter the following commands:
• NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on
Solaris/Soft Appliance)
• NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on
Windows)
where,
• Filename — Output of executing CSUtil.exe.
• Password — Default password assigned to all the importing users.
To execute CSUtil.exe follow the steps below:
Step 1 Go to Start > Run in the ACS server.

Step 2 Enter services.msc in the Run command and click OK
It will list all the services registered.
Step 3 Select CSAuth and right click to get the Stop option.
Step 4 Click Stop to stop the CSAuth service
Step 5 Execute the command <ACS install directory>/bin/CSUtil.exe -q -d <output file> from CLI.
The output file which we got by running the CSUtil.exe should be given as the input while importing
users.
Log Files
The information on the users added or imported into the LMS Server is stored in the following files,
when you use the import local user CLI commands:
• /var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance)
• NMSROOT\log\AddUser.log (on Windows)
The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages, and other information that you can use for
troubleshooting.
Adding and Modifying a Local User

You can add more users into Cisco Prime as required.
You can add only one user at a time through the user interface. See Adding Local Users Using CLI for
adding bulk users. You can delete Stale Users From Cisco Prime LMS Portal. See Deleting Stale Users
From LMS Portal for more details.
To add or edit a user:
Step 2 Click Add or Edit.

OL-25947-01 2-9
The User Information dialog box appears with the following fields:
Field Description
Username Enter the username. The value is case-insensitive.
You can control the length of the username, start the username with a
number, or include special characters in the local username.
To do this, you must set up the username and password policy in the Local
User Policy Setup page. See Setting up Local User Policy for information.
Password Enter the password.
You can control the length of the password when you set up policies for local
users. See Setting up Local User Policy for information.
Verify Password Re-enter the password.
E-mail Enter the e-mail ID. This is mandatory if you assign the approver role to the
local user. Otherwise, this is optional.
Authorization Type Select the radio button corresponding to the authorization type. You can
choose from:
• Full Authorization–Select this radio button to enable full authorization
to the user.
• Enable Task Authorization–Select this radio button to enable a role, and
the privileges and tasks associated with the roles, to the user.
After you select this option, you have to select the desired role from the
list of Roles. This is applicable for all devices.
• Enable Device Authorization–Select this radio button to enable
authorization to device groups.
After you select this option, you have to:
– Select the device group from the Device Group.
– Select the role you want to associate with the device group. The user
group can perform the tasks that are assigned to the chosen roles on
the chosen device groups.
Roles Select the check box corresponding to the role to specify the roles to be
assigned to the user from the Roles pane. The user group can perform the
tasks that are assigned to the chosen role on all devices and device groups.
The following roles are available:
• Help Desk
• Approver
• Network Operator
• Network Administrator
• System Administrator
• Super Admin
Network Level Login Enter the network device login credentials for LMS to communicate with the
Credentials network devices.
Username Enter the username.

2-10 OL-25947-01
Field Description
Password Enter the password.
Verify Password Re-enter the password.
Enable Password Enter the enable password.
Verify Password Re-enter the enable password.
Step 3 Click OK. To return to the Local User Setup page, click Cancel.
Adding Local Users Using CLI

You can add bulk local users through CLI. This feature allows you to specify a file that has the
information about the local users as an input. The input file you use should be a plain text file.
Note You can use this CLI command for both system and user-defined roles.
Each local user information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
• Username — Local username. The local username is case-insensitive.
• Password — Password for the local user account name.
You can leave this field blank in the text file and enter the password in the command line when you
run the CLI utility.
Note that you should enter the password either in the command line or in the input text file. If you
mention the password in both the places, the local user will be added with the password specified in
the command line. On adding the user by giving password in the command line prompt, default role
will be assigned to the user if the role is missing in the input file.
• E-mail — E-mail address of the local user.
This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
• Roles — Roles to be assigned to the local user. You should assign one or more of the following roles
to the user separated by comma.
– Help Desk
– Approver
– System Administrator
– Network Administrator
– Network Operator
– Super Admin
• DeviceUname—Device login username
• DevicePassword—Device login password
• DeviceEnPassword —Device enable password.

OL-25947-01 2-11
The following is an example of local user information to be represented in the input text file:
admin123:admin123:admin123@cisco.com:Help Desk,System
Administrator:admin:roZes123:roZes
To add local users through CLI, enter the following commands:

• NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft
Appliance)
• NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows)
where,
• Filename — Absolute path of the filename containing local users information.
• Password — Common password for all user accounts specified in the input text file.
This command line parameter is optional if you have specified the passwords for local users in the
input text file. Note that you should enter the password either in the command line or in the input
text file.
If you specify this parameter, the local users are added to Cisco Prime only with this password
irrespective of the password entries specified in the input text file.
For example, enter the following command to add local users mentioned in the input file localuser.txt
with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add
C:\files\localuser.txt admin
Log Files
The user information added or imported into the LMS Server is stored in the following files, when you
use the import local user CLI command:
• /var/adm/CSCOpx/log/AddUser.log (on Solaris/Soft Appliance)
• NMSROOT\log\AddUser.log (on Windows)
The AddUser.log file registers the information on the number of users added or imported into LMS
Server, number of duplicate users, error messages and other information that you can use for
troubleshooting.
Deleting Stale Users From LMS Portal

This section describes how to delete stale users from LMS Portal.
When you delete the user names from Cisco Prime Common Services application, they are deleted only
from the Common Services database and not from LMS Portal database.
The usernames remain in LMS Portal as stale users.

2-12 OL-25947-01
To delete stale users from LMS Portal:
Step 1 Go to the following link:

http://server-name:portno/cwportal/c/portal/StaleUserDeletion.
Step 2 In the URL, enter a server name and launch the URL in the browser window.
The Portal Stale User Deletion page is displayed.
Step 3 Click the Delete Stale Users button.
The stale users are deleted from the Portal database.
Assigning Roles on NDG Basis

You can choose to assign any number of role and device group combinations for a selected user or user
group to operate on Network Device Groups.
You should note the following to assign roles on a NDG basis:
• If you have assigned a Network Device Group to your AAA client (LMS Server and network
devices), you must assign that device group to a role.
You cannot have role and device group combinations assigned to a user without assigning the
Network Device Group to your AAA client.
• You can assign only one role to a user, to operate on an NDG.
• If a user requires privileges other than those associated with the current role, to operate on an NDG,
a custom role should be created. All necessary privileges to enable the user to operate on the NDG
should be given to this role.
For example, if a user needs to have Approver and Network Operator privileges to operate on NDG1,
you can create a new custom role with Network Operator and Approver privileges, and assign the
role to the user to operate on NDG1.
• You cannot assign roles to the DEFAULT device group. When the DEFAULT (unassigned device
group) is selected, you can perform only the Help Desk role, irrespective of the roles chosen.
To assign the proper role, the network access server (NAS) should be added to device groups other
than DEFAULT.
Modifying Your Profile

To edit your profile:
Step 2 Click Modify My Profile to modify the credentials of the logged in user and the network device login
credentials.
Step 3 Enter the user login details like username, password, and e-mail address.
The E-mail field is mandatory if you assign the approver role to the local user, otherwise, this is optional.

OL-25947-01 2-13
Step 4 Enter the network device login credentials for LMS to communicate with the network devices.
Enter the values for username, password, and enable password.
Step 5 Click OK. To return to the Local User Setup page without saving the modifications, click Cancel.
Creating Self Signed Certificates

Cisco Prime allows you to create security certificates that enable SSL communication between your
client browser and management server.
Self signed certificates are valid for five years from the date of creation. When the certificate expires,
the browser prompts you to install the certificate again from the server where you have installed Cisco
Prime.
Note If you regenerate the certificate, when you are in multi-server mode, existing peer relations might break.
The peers need to re-import the certificate in this scenario.
This section explains the following:

• Creating a Self Signed Certificate From the User Interface
• Working With Third Party Security Certificates

2-14 OL-25947-01
Creating a Self Signed Certificate From the User Interface

To create a certificate from the user interface:
Step 1 Select Admin > Trust Management > Local Server > Certificate Setup.
The Certificate Setup page appears.
Step 2 Enter the values required for the fields described in the following table:
Field Usage Notes
Country Name Two character country code.
State or Province Two character state or province code or the complete name of the
state or province.
City Two character city or town code or the complete name of the city or
town.
Organization Name Complete name of your organization or an abbreviation.
Organization Unit Name Complete name of your department or an abbreviation.
Server Name DNS name, IP Address, or hostname of the computer.
Enter the server name with a proper and resolvable domain name.
This is displayed on your certificate (whether self-signed or third
party issued). Local host or 127.0.0.1 should not be given.
Email Address E-mail address to which the mail has to be sent.
Step 3 Click Apply to create the certificate.

The process generates the following files:
• server.key—Private key of the server.
• server.crt—Self- signed certificate of the server.
• server.pk8—Private key of the server in PKCS#8 format.
• server.csr—Certificate Signing Request (CSR) file.
You can use the CSR file to request a security certificate, if you want to use a third party security
certificate.
If the certificate is not a Self signed certificate, you cannot modify it.
To return to the Cisco Prime home page, click Cancel.

OL-25947-01 2-15
Managing Security in Multi-Server Mode
Working With Third Party Security Certificates

Cisco Prime provides an option to use security certificates issued by third party certificate authorities
(CAs). You may want to use this option in cases where your organizational policy prevents you from
using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a
particular CA.
You can use these certificates to enable SSL when you need secure access between LMS Server and your
client browser.
You can upload Third Party Security Certificates using the SSL Utility Script. See Working With Third
Party Security Certificates.

Communication among peer servers that are part of a multi-server domain has to be secure. In
multi-server mode the server is configured as DCR Master/Slave or Single Sign-On Master/Slave. In a
multi-server scenario, secure communication between peer LMS Servers is enabled using certificates
and shared secrets.
You must copy certificates between the LMS Servers. You should also generate a shared secret on one
server, and configure it on the other servers that need to communicate with the server. The shared secret
is tied to a particular Cisco Prime user (for authorization).
You can configure the following in Multi-Server mode:
• Peer Server Account Setup: Helps you create users who can log into LMS Servers and perform
certain tasks. These users should be set up to enable communication among multiple LMS Servers.
• System Identity Setup: Enables communication among multiple LMS Servers based on a trust model
addressed by Certificates and shared secrets. System Identity setup should be used to create a trust
user on slave or regular servers for communication to happen in multi-server scenarios.
• Peer Server Certificate Setup: Adds the certificate of another LMS Server into its trusted store. This
allows LMS Servers to communicate with one another using SSL.
• Single Sign-On Setup: Enables you to use your browser session to transparently navigate to multiple
LMS Servers without authenticating to each server.
The Current Multi-Server Settings page displays the mode of server security and the information on self
signed certificate.
To open the Current Multi-Server Settings page:
Step 1 Select Admin > Trust Management > Multi Server.

Step 2 Click Current Multi-Server Setting in TOC.
The Current Multi-Server Settings page displays the Single Sign-On details.

2-16 OL-25947-01
This section has the following information that helps you to understand better, the features that enable
secure communication between peer servers in a multi-server domain:
This section contains:
• Setting up Peer Server Account
• Setting up System Identity Account
• Setting up Peer Server Certificate
• Enabling Single Sign-On
Setting up Peer Server Account

Peer Server Account Setup helps you create users who can login to LMS Servers and perform certain
tasks. These users should be set up to enable communication among multiple LMS Servers. Users
created using Peer Server Account Setup can authenticate processes running on remote LMS Servers.
You can add a Peer Server user, edit user information and role, and delete a user.
To add a Peer Server user:
Step 1 Select Admin > Trust Management > Multi Server > Peer Server Account Setup.
The Peer Server Account Setup page appears.
Step 2 Click Add.
Step 3 Enter the username in the Username field.
Step 4 Enter the password in the Password field.
Step 5 Re-enter the password in the Verify field.
Step 6 Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.
To edit Peer Server user information:
Step 2 Click Edit.
Step 5 Click OK. To return to the Peer Server Account Setup page without saving the changes, click Cancel.

OL-25947-01 2-17
To delete a Peer Server user:
Step 2 Select the check box corresponding to the user you want to delete.
Step 3 Click Delete.
The confirmation dialog box appears.
Step 4 Click OK to confirm. To return to the Peer Server Account Setup page without saving the changes, click
Cancel.
Setting up System Identity Account

Communication between multiple LMS Servers is enabled based on a trust model addressed by
certificates and shared secrets. System Identity setup helps you to create a trust user on servers that are
part of a multi-server setup. This user enables communication among servers that are part of a domain.
There can be only one System Identity User for each machine.
The System Identity User you configure must be a Peer Server User. The System Identity User you create
must be a local user with all privileges.
You can either configure the System Identity User with the predefined Super Admin role or with a
custom role created with all privileges. If you change the System Identity User later, you must ensure
that you add the local user with all privileges in Cisco Prime.
Cisco Prime installation program allows you to have the admin user configured as the default System
Identity User.
For the admin user to work as a System Identity User, the same password should be configured on all
machines that are part of the domain, while installing Cisco Prime on the machines part of that domain.
If this is done, the user admin serves the purpose of System Identity user. See Installing and Migrating
to Cisco Prime LAN Management Solution 4.2 for details.
If you create a System Identity User, the default System Identity User, admin, is replaced by the newly
created user.
While you create the System Identity User, LMS checks whether:
• The user is a Local User with all privileges. If the user is not present, or if the user does not have all
privileges, an error message appears.
• The System Identity User is also a Peer Server User. If not, the user will be made a Peer Server User.
For peer to peer communication to work in a multi-server domain, you have to configure the same
System Identity User on all the machines that are part of the domain.
For example, if S1, S2, S3, S4 are part of a domain, and you configure a new System Identity User, say
Joe, on S1, you have to configure the same user, Joe, with the same password you specified on S1, on all
the other servers, S2, S3, and S4, to enable communication between them.
See Master-Slave Configuration Prerequisites and Enabling Single Sign-On to know more on the usage
of this features.

2-18 OL-25947-01
To add a System Identity user:
Step 1 Select Admin > Trust Management > Multi Server > System Identity Setup
Step 2 Enter the username in the Username field.
Step 5 Click Apply.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
Setting up Peer Server Certificate

You can add the certificate of another LMS Server into its trusted store. This will allow one LMS Server
to communicate with another using SSL. If a LMS Server needs to communicate with another LMS
Server, it must possess the certificate of the other server. You can add certificates of any number of peer
LMS Servers to the trusted store of each server.
You must add peer server certificates if LMS Servers are configured with Self-Signed Certificates. If the
certificates have been signed by popular CAs such as Verisign, and GlobalSign. this is not compulsory.
However we recommend that you add peer server certificates to avoid any possible problems with SSL
communication.
You can setup peer server certificates from the client browser and from a browser session on the server
where LMS Server is installed.
Ensure that there are no mismatches in the date and time settings between the servers. In case you find
any date or time mismatch, you need to correct it before proceeding.
If you change the date or time of the peer server, you must regenerate the self signed certificate of the
peer server.
To add peer LMS Server certificates:
Step 1 Select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
The Peer Server Certificate page appears with a list of certificates imported from other servers.
Step 2 Click Add.
Step 3 Enter the IP address/hostname of peer LMS Server in the corresponding fields.
If you specify a server name, it must be entered in DNS. Otherwise specify the IP Address.
Step 4 Enter the value of the SSL (HTTPS) Port of the peer LMS Server. The default SSL(HTTPS) Port of the
peer LMS Server is 443.
Step 5 Click OK. To return to the Peer Server Certificate page, click Cancel.

OL-25947-01 2-19
To delete peer certificates:
Step 1 Select the check box corresponding to the certificate you want to delete.
The confirmation dialog box appears.
Step 3 Click OK to confirm. To return to the Peer Server Certificate page, click Cancel.
You can also view the details of the client certificates. For this, select the check box corresponding to
the certificate and click View.
Enabling Single Sign-On

With Single Sign-On (SSO), you can use your browser session to transparently navigate to multiple LMS
Servers without authenticating to each of them. Communication among multiple LMS Servers is enabled
based on a trust model addressed by Certificates and shared secrets.
• Single Sign-On Setup
• Navigating Through the Single Sign-On Domain
• Changing the Single Sign-On Mode
Single Sign-On Setup

The following tasks need to be done initially:
• One of the LMS Servers should be set up as the Authentication Server (AS).
• Trust should be built between the LMS Servers, using self signed certificates. A trusted certificate
is created by adding it in the trust key store of the server. Cisco Prime TrustStore or KeyStore is
maintained by the certificate management framework in LMS.
• Each LMS Server should setup a shared secret with the authentication server. The System Identity
user password acts as a secret key for Single Sign-On.
The Single Sign-On Authentication Server is called the Master, and the Single Sign-On Regular Server
(RS) is called the Slave.
You must perform the following tasks if the server is configured either as Master or as Slave:
• Configure the System Identity User and password in both Master and Slave. The System Identity
User name and password you specify in Master and Slave should be the same.
• Configure the Master Self Signed Certificate in Slave.
Single Sign-On uses System Identity user password as the secret key to provide confidentiality and
authenticity between Master and Slave. We recommend that you have the same user name and password
for both Master and Slave.
The Common Name (CN) in the certificate should match with that of the Master server name. Otherwise
it would not be considered as a valid certificate.

2-20 OL-25947-01
Single Sign-On is used only for authentication and not for authorization. In Single Sign-On,
authentication always takes place from the Single Sign-On Master server (Authentication Server-AS).
Hence, you need to provide the username and password as configured in Single Sign-On AS.
Authorization happens at the respective servers.
If Regular Server (RS) is configured for any Pluggable Authentication Module (PAM), say Active
Directory (AD), and AS is configured for Local Authentication, then authentication happens as per the
credentials in Local Authentication (AS) and vice versa.
For example, if server A is configured as Single Sign-On Master (AS) and the AAA mode setup is Active
Directory (AD) and Server B is configured as Single Sign-On Slave (RS) and the AAA mode setup is
Local Authentication:
When you login to server B (http://B:1741), your authentication request is forwarded to server A (AS)
and you get authenticated according to the username and password configured in AD. However,
authorization happens only in server B.
The privileges for the logged in user in any server within the Single Sign-On domain will depend upon
the user roles configured in that server. If the user is present only in the Single Sign-On Authentication
Server and not in the Regular Server, then that user gets authenticated according to the credentials in the
authentication server, but has only HelpDesk privileges in the Regular Server.
We recommend that you:
• Add the user across all servers within the Single Sign-On domain.
• Assign appropriate roles to the user, in each of the LMS Servers.
See Setting up System Identity Account for more information on how to set up System Identity User.
Single Sign-On uses the System Identity User password as the secret key to provide confidentiality and
authenticity between Master and Slave.
The System Identity User password you specify in Master and Slave should be the same.
We recommend that you have the same user name and password across Master and Slave.
To configure the Master Self Signed Certificate in the Slave, select Admin > Trust Management >
Multi Server > Peer Server Certificate Setup.
The Common Name (CN) in the certificate should match with the Master server name. Otherwise, it
would not be considered as a valid certificate.
Navigating Through the Single Sign-On Domain

The Authentication Server and all Regular Servers that are configured on this Authentication Server
forms an Single Sign-On domain. If you login to any of the servers that are part of the same Single
Sign-On domain, you can launch any other server that is part of the domain.
You can navigate through the Single Sign-On domain in two ways:
• Registering Server Links
• Launching a New Browser Instance
Registering Server Links

You can register the links of the servers’ part of the Single Sign-On domain, in any of the servers, using
the Link registration feature.
The registered links will appear either under Third Party or Custom tools, depending on what you specify
during registration. If you click on the registered link, it launches the page corresponding to the
registered link.

OL-25947-01 2-21
You must specify the URL, with the context while registering the server link.
For example, let ABC and XYZ be part of the same Single Sign-On domain. You can register the link for
ABC on XYZ. While registering server ABC in XYZ, you have to specify the URL as:
http://ABC:1741/cwhp/cwhp.applications.do
If ABC is running in HTTPS mode, you have to specify the URL as:
https://ABC:443/cwhp/cwhp.applications.do
In the above example, clicking on the registered link will launch the Cisco Prime home page of server
ABC.
Launching a New Browser Instance

After logging into any of the servers that are part of the Single Sign-On domain, you can open a new
browser instance from that server, and provide the URL of any other server of the Single Sign-On
domain, to which you need to navigate.
Note We recommend that you do not use the IP address of the servers that are part of Single Sign-On or
localhost, while specifying the URL.
For example, suppose ABC and XYZ are part of an Single Sign-On domain.
Step 1 Login to ABC.

Step 2 Launch a new browser instance (File > New > Window, in Internet Explorer) from the same browser
window.
Step 3 Enter the URL, with the context (http://XYZ:1741/cwhp/cwhp.applications.do) of XYZ in the new
browser instance.
This launches the Cisco Prime home page of XYZ, directly.
Changing the Single Sign-On Mode

The LMS server can be configured for Single Sign-On. It can also be configured to be in Standalone
mode (Normal mode, without Single Sign-On).
When the server is configured for Single Sign-On, it can either be in:
• Master mode—The Single Sign-On Authentication Server does the authentication and sends the
result to the Regular Server.
Change the Single Sign-On mode to Master, if login is required for all Single Sign-On regular
servers. Login requests for all the Single Sign-On regular servers will be served from the Master.
• Slave mode—Single Sign-On Regular server for which authentication is done at the Master.
While logging into regular server, if the authentication server is not reachable, the following
message appears:
SSO unreachable

2-22 OL-25947-01
Only one server is configured to be in the Master mode. All other servers are configured as Slaves. If the
server is configured as an Single Sign-On Regular server (Slave), you should provide the following
details:
• Master server name
The Master server name must be DNS resolvable. If you change the name of the Single Sign-On
Master server, in the /etc/hosts file, you must restart the Daemon Manager for the name resolution
to reflect in the Slave.
If you have configured more than one Single Sign-On Slave servers for a Single Sign-On Master
server, you must ensure that you enter either the fully qualified domain name or hostname of the
Master consistently in all the Slave servers.
Authentication will not occur if you enter a domain name of the Master in a Single Sign-On Slave
and hostname of the Master in another Single Sign-On Slave of the same Master server.
• Login Port of the Master (443)
To change the Single Sign-On mode to Standalone:
Step 1 Select Admin > Trust Management > Multi Server > Single Sign-On Setup.
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2 Select Standalone (Normal) radio button.
Step 3 Click Apply. To return to the Cisco Prime home page, click Cancel.
To change the Single Sign-On mode to Master:
The Single Sign-On Setup page shows the current Single Sign On mode.
Step 2 Select the Master (SSO Authentication Server) radio button.
Step 3 Click Apply. To return to the Cisco Prime home page, click Cancel.
To change the SSO mode to Slave:
The Single Sign-On Setup page shows the current Single Sign-On mode.
Step 2 Select the Slave (SSO Regular Server) radio button.
Step 3 Enter the Master server name and port number.
If you select the Slave mode, ensure that you specify the Master server name and port. The default port
is 443. The server configured as Master (or Authentication Server) should be DNS resolvable.

OL-25947-01 2-23
Setting up the Authentication Mode
Step 4 Click Apply.

It checks if:
• The System Identity user password of the Slave matches that of the Master.
• The Self Signed Certificate of the Master is added as the peer certificate in the Slave. The Common
Name (CN) in the certificate matches with the Master server name.
• The Master is up and running on the specified port.
In case any of these checks fail, you are prompted to perform these steps before proceeding.
To return to the Cisco Prime home page, click Cancel.

Depending on your LMS Server platform (UNIX or Windows), different login modules that provide
Authentication, Authorization, and Accounting services are available. This feature allows you to select
login modules and set their options.
The LMS Server provides mechanisms used to authenticate users for Cisco Prime applications.
However, many network managers already have a means of authenticating users. To use your current
authentication database for Cisco Prime authentication, you can select a login module (TACACS+,
RADIUS, and others).
This section contains the following topics:
• Authentication Using Login Modules - Overview
• Cisco Secure ACS Support for LMS Applications
• Setting the Login Module to Pluggable Authentication Modules
After you select and configure a login module, all authentication transactions are performed by that
module.
To assign a user to a different role, such as the System Admin role, you must configure the user locally.
Such users must have the same user ID locally, as they have in the alternative authentication source.
Users log in with the user ID and password associated with the current login module.
Authentication Using Login Modules - Overview

Cisco Prime login modules allow administrators to add new users using a source of authentication other
than the native LMS Server mechanism (that is, the Local Authentication login module).
• About Cisco Prime Pluggable Authentication
• Understanding Fallback Options
• Debugging

2-24 OL-25947-01
About Cisco Prime Pluggable Authentication

By default, Cisco Prime LMS uses LMS Server authentication (Local Authentication) to authenticate
users, and authorize them to access Cisco Prime LMS.
After authentication, your authorization is based on the privileges that have been assigned to you.
A privilege is a task or an operation defined within the application. The set of privileges assigned to you,
defines your role. It dictates how much, and what type of system access you have.
The LMS Server authorization scheme has the following default or predefined roles. You can also create
user defined roles and assign the user with a set of privileges, that would suit your needs. See Managing
Roles for more information. The predefined roles are listed here in order from the least privileged to most
privileged:
• Help Desk — Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device, or schedule a job that will reach the network.
• Approver — Can approve all LMS tasks.
• Network Operator — Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.
• Network Administrator — Can perform all Network Operators tasks. Can perform tasks that result
in a network configuration change.
• System Administrator — Can perform all Cisco Prime system administration tasks.
• Super Admin — Can perform all Cisco Prime operations including administration and approval
tasks. By default, this role has full privileges.
The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and
passwords. Users who are authenticated by an alternative service and who are not in the local database
are assigned to the same role as the guest user (by default, the Help Desk role).
The LMS Server determines user roles. Therefore, all users must be in the local database of user IDs and
passwords. Users who are authenticated by an alternative service and who are not in the local database
are assigned to the same role as the guest user (by default, the Help Desk role).
Understanding Fallback Options

Fallback options allow you to access the software if the login module fails, or you accidentally lock
yourself or others. There are three login module fallback options. These are available on all platforms.
The following table gives you the details:
Option Description
Allow all Local Authentication users to fallback to All users can access Cisco Prime using the Local
the Local Authentication login. login if the current login module fails and only if
PAM is unreachable.
Warning Selecting this option allows local

authentication for users when the
external authentication server is
unreachable.
Only allow the following user to fallback to the Specified users can access Cisco Prime using the
Local Authentication login if preceding login Local login if the current login module fails. Use
fails: username. commas between user names.
Allow no fallbacks to the Local Authentication No access is allowed if the current login module
login. fails.

OL-25947-01 2-25
Debugging
Cisco Prime allows you to enable debugging on the current login module so that you have additional
information in the log files that you can use for troubleshooting. Turn debugging on only when requested
to do so by your customer service representative.
Enabling debugging does not alter the behavior of the modules.
Debugging information is not exposed in the user interface, but is stored in the stdout.log file in the
following locations:
• NMSROOT/MDC/tomcat/logs/stdout.log (on Solaris/Soft Appliance)
• NMSROOT\MDC\tomcat\logs\stdout.log (on Windows)
where NMSROOT is the Cisco Prime installation directory.
Cisco Secure ACS Support for LMS Applications

Cisco Prime LMS supports TACACS+ mode of authentication. To use this mode, you must have a Cisco
Secure ACS (Access Control Server), installed on your network. LMS 4.2 supports the following
versions of Cisco Secure ACS:
• Cisco Secure ACS 4.2 for Windows Server
• Cisco Secure ACS 5.x for Windows Server
• Cisco Secure Appliance 4.2
• Cisco Secure Appliance 5.x
Note Cisco Secure ACS also supports RADIUS mode of authentication.
Setting the Login Module to Pluggable Authentication Modules

The Login Module defines how authorization and authentication are performed and how the login
modules are changed.
• Changing Login Module to Local Authentication
• Changing Login Module to Local Unix System
• Changing Login Module to Local NT System
• Changing Login Module to MS Active Directory
• Changing Login Module to RADIUS
• Changing Login Module to TACACS+
To set the login module:
Step 1 Select Admin > System > Authentication Mode Setup.

The Authentication Mode Setup page appears.
Step 2 The Authentication Mode Setup page displays the current login module, and the available login modules.
The available login modules are:

2-26 OL-25947-01
• Local Authentication
• Local Unix System
• Local NT System
• MS Active Directory
• RADIUS
• TACACS+

OL-25947-01 2-27
The login username is case sensitive when you use the following login modules:
• Local Unix System
• RADIUS (only on Solaris)
• TACACS+ (only on Solaris)
Step 3 Select a login module.
Step 4 Click Change.
The Login Module Options popup window appears.
Step 5 Enter the corresponding login module information.
See the respective login module section for login module options.
Step 6 Click OK. To return to the Authentication Mode Setup page, click Cancel.
Changing Login Module to Local Authentication

To change the login module to Local Authentication:

Step 2 Select the Local Authentication radio button.
The Login Module Options popup window appears.
Step 4 Set the Debug option to False.
Set it to True for debugging purposes, when requested by your customer service representative.
Changing Login Module to Local Unix System

This option is available only on Unix systems.
To change the login module to Local Unix System:

Step 2 Select the Local Unix System radio button.
The Login Module Options popup window appears with the following details:
Field Description
Selected Login Module Local UNIX System.
Description Cisco Prime native Solaris module.

2-28 OL-25947-01
Field Description
Debug Set to False, by default.
Set to True for debugging purposes, when requested by your customer
service representative.
Login fallback options Set the option for fallback to the Local Authentication module if the
alternative service fails.
Changing Login Module to Local NT System

This option is available only on Windows
To change the login module to Local NT System:

Step 2 Select Local NT System radio button.
Field Description
Selected Login Module Local NT System.
Description Cisco Prime native NT login module.
Domain Set to localhost.
Changing Login Module to MS Active Directory

The MS Active Directory login module implements Lightweight Directory Access Protocol (LDAP).
Before a user logs in, the user account should be set up in the LDAP server.
When you change the login module to MS Active Directory, you should configure any one of the
following options to integrate LMS Server with Active Directory server for authentication services:
• Distinguished Name (DN)
A distinguished name is made up of three parts, Relative Distinguished Name Prefix (RDN-Prefix),
User login, and Usersroot.

OL-25947-01 2-29
You have to configure RDN-Prefix and Usersroot in Cisco Prime. The login name is appended to
RDN-Prefix when the user logs into Cisco Prime.
For example, a distinguished name could be represented as:
cn=User_Name ou=org1 dc=embu dc=cisco. The RDN Prefix is cn=, User login is User_Name, and
Usersroot is ou=org1 dc=embu, dc=cisco.
A Distinguished Name is composed of cn (any numbers), ou (any numbers) and dc (any numbers).
You can specify more than one usersroot value. Each usersroot value should be separated by a
semicolon.
• User Principal Name (UPN)
User principal name is composed of two parts, User login and User Principal Name Suffix
(UPN-Suffix).
The User Principal Name suffix configured in Cisco Prime is appended to the login name when the
user logs into Cisco Prime.
The second part of the UPN, the UPN suffix, identifies the domain in which the user account is
located. This UPN suffix can be the DNS name of any domain, or it can be an alternative name
created by an administrator and used just for log in purposes.
For example, a User Principal Name could be represented as user1@mydept.mycompany.com, where
user1 is the login name and @mydept.mycompany.com represents the UPN-Suffix.
• Domain name
You should configure the Active Directory domain name in Cisco Prime that contains a set of users
which needs to be integrated, for a domain based authentication.
For example, if you want the users of MyDomain domain in MS Active Directory server to be
authenticated in LMS Server, you should specify MyDomain in this field.
Each domain also has a pre-Windows 2000 domain name for use by computers running operating
systems released earlier than Windows 2000 operating systems. Similarly each user account has a
pre-Windows 2000 user login name.
The user account in the DomainName\UserName format used to log into the operating systems
released earlier than Windows 2000 operating systems is called Security Account Manager (SAM)
account. You can also configure SAM account in the LDAP server and enter the same name in Cisco
Prime when you change the login module to Microsoft Active Directory.
When the Distinguished Name based authentication to Active Directory server fails, Cisco Prime
attempts to authenticate the Active Directory server using the User Principal Name string.
When both the Distinguished Name based authentication and the User Principal Name based
authentication fails, LMS Server tries to authenticate using the Domain name.
To change login module to MS Active Directory:

Step 2 Select MS Active Directory radio button.

2-30 OL-25947-01
Field Description
Selected Login Module Name of the login module (MS Active Directory) you have selected in the
Authentication Mode setup page.
Description Brief description about the login module you have selected.
For the MS Active Directory login module, the description displayed is
Cisco Prime MS Active Directory module.
Server Name of the LDAP server.
Default set to ldap://ldap.company.com.
Usersroot User objects in MS Active Directory.
Default set to cn=users, dc=servername, dc=company, dc=com.
For example, if users in the Active Directory have
ou=myDept, dc=myCompany, dc=com in their Distinguished Name (DN)
strings, you should specify the same in this field to integrate the LMS Server
with the MS Active Directory server.
You can also enter multiple usersroot values separated by semicolon.
For example, you can enter ou=myDept, dc=myCompany, dc=com;
ou=Dept1, ou=Dept2, dc=myCompany, dc=com.
When you integrate your LMS Server with MS Active server, you should
configure this field for a Distinguished Name based authentication.
If you are using Windows 2008 Active Directory, you have to provide the
complete Usersroot information (including cn=Username). This is because
Windows 2008 Active Directory implementation has disabled anonymous
search requests.
Otherwise, if your Active Directory Server allows anonymous binds, you
need to specify only dc=servername, dc=company, dc=com.
RDN-Prefix String prefixed with login username to form a Relative Distinguished Name
(RDN).
Default is set to cn=.
For example when you have configured this field as cn= and log into the
server as MyUser, the RDN formed is cn=MyUser.
When you integrate your LMS Server with MS Active server, you must
configure this field for a Distinguished Name based authentication.
UPN-Suffix String suffixed with login username, usually the domain in which the user
account is located to form a User Principal name.
You should configure this field for a UPN based authentication.
For example, if the UPN of Active Directory users who need to be
integrated with Cisco Prime are user1@mydept.mycompany.com,
user2@mydept.mycompany.com, and user3@mydept.mycompany.com, you
should mention @mydept.mycompany.com in this field.

OL-25947-01 2-31
Field Description
AD-Domain Active Directory domain.
You should configure this field for a domain based authentication. Users of
the specified domain in MS Active Directory server are authenticated when
you integrate the LMS Server with MS Active Directory server.
You can set any of the following options:
• Allow all Local Authentication users to fallback to the Local
Authentication login.
• Allow only the specified users to fallback to the Local Authentication
login.
When you select this option, you should enter one or more Local
Authentication usernames separated by commas.
This is the default login fallback option.
• Do not allow any fallback to the Local Authentication login.
Note Important configuration guidelines are listed below:

• You must enter a value for at least one of the fields: Usersroot, UPN-Suffix, and AD-Domain. You
cannot leave all the three fields blank.
• To allow only particular group of users to log into LMS, do not configure UPN-Suffix, and
AD-Domain.
After the integration of LMS Server with MS Active Directory server, you can log into LMS Server with
an Active Directory username and the corresponding password.
MS Active Directory server provides authentication services to LMS Server by the default simple
authentication mechanism.
To provide a secure authentication mechanism with DIGEST-MD5 to LMS Server, you should:
Step 1 Edit the Account Options of a user in the MS Active Directory Server and enable the Store password
using reversible encryption option.
Step 2 Reset the password of the user to authenticate properly.
Step 3 Configure the cam.properties file in LMS Server located at NMSRoot/lib/classpath, where NMSRoot is
your Cisco Prime Installation directory.
You must change the following line in the cam.properties file from:

2-32 OL-25947-01
#LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
to
LDAP_AUTHENTICATION_MECHANISM=DIGEST-MD5
If you want the secure authentication mechanism to fallback to simple authentication mechanism, you
must configure the LDAP_FALLBACK_AUTHENTICATION_NEED property.
You must change the following line in the cam.properties file from:
#LDAP_FALLBACK_AUTHENTICATION_NEED=True
to
LDAP_FALLBACK_AUTHENTICATION_NEED=True
Step 4 Save the changes to the cam.properties file.
Note You need not restart the Daemon Manager.
Digest-MD5 authentication supports only User Principal Name and Security Account Manager user
accounts. You cannot log into LMS Server with the User login name.
Active Directory users who are logged into Cisco Prime, have the privileges of a Help Desk role. To
assign other privileges to Active Directory users, you must set up a user in Cisco Prime with the same
name.
For example, to assign the System Administrator privileges to a MS Active Directory users User1 and
User2 in Cisco Prime, you must set up User1 and User2 in Cisco Prime and assign System Administrator
role to them. When the users log into Cisco Prime, they also have the System Administrator privileges.
Changing Login Module to RADIUS

To change login module to RADIUS:

Step 2 Select the RADIUS radio button.

OL-25947-01 2-33

Field Description
Selected Login Module RADIUS.
Description Cisco Prime RADIUS module.
Server Set to module type servername, radius.company.com.
Port Set to 1645. Attempt to override it only if your authentication
server was configured with a non-default port.
Key Enter the secret key.
Set to True for debugging purposes, when requested by your
customer service representative.
Login fallback options Set the option for fallback to the Local Authentication module if
the alternative service fails.
Changing Login Module to TACACS+

To change login module to TACACS+:

Step 2 Select TACACS+ radio button.
Field Description
Selected Login Module TACACS+.
Description Cisco Prime TACACS+ login module.
Server Set to module type tacacs.company.com
Port Set to 49. The listed port number is the default for this
protocol.
Attempt to override it only if your authentication server was
configured with a non-default port.
Secondary Server Set to module type tacacs.company.com. This is the secondary
fallback server.
Secondary Port Set to 49. The listed port number is the default for this
protocol.

2-34 OL-25947-01
Field Description
Tertiary Server Set to module type tacacs.company.com. This is the tertiary
fallback server.
Tertiary Port Set to 49. The listed port number is the default for this
protocol.
Key Enter the secret key.
Set to True for debugging purposes, when requested by your
customer service representative.
Login fallback options Set the option for fallback to the Local Authentication module
if the alternative service fails.
Note The values True or False should not be entered in the Server, Secondary Server and Tertiary
Server fields, the corresponding Port fields or the Key field.
After you change the login module, you do not have to restart Cisco Prime. The user who logs in after
the change, automatically uses the new module. Changes to the login module are logged in the following
files:
• NMSROOT/MDC/Tomcat/logs/stdout.log (On Solaris/Soft Appliance)
• NMSROOT\MDC\Tomcat\logs\stdout.log (On Windows)
where NMSROOT is your Cisco Prime Installation directory.
Resetting Login Module
To reset the login module of LMS Server to Local Authentication:
Step 1 Stop the Daemon Manager using:

• net stop crmdmgtd (On Windows)
or
• /etc/init.d/dmgtd stop (On Solaris/Soft Appliance)
Step 2 Run the following script:
• NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl (On Windows)
or
• NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl (On Solaris/Soft Appliance)

OL-25947-01 2-35
Managing Roles
Step 3 Start the Daemon Manager using:

• net start crmdmgtd (On Windows)
or
• /etc/init.d/dmgtd start (On Solaris/Soft Appliance)
This resets the login module to Local Authentication mode.
Step 4 Enter a username in the User ID field.
Step 5 Enter the corresponding password in the Password field.
Step 6 Click Login or press Enter.
You are now logged into LMS Server.
Managing Roles
After authentication, your authorization is based on the privileges that have been assigned to you. A
privilege is a task or an operation defined within the application. The set of privileges assigned to you,
defines your role.
The LMS authorization scheme provides you with the following system-defined roles.
• Help Desk — Can access network status information only. Can access persisted data on the system
and cannot perform any action on a device or schedule a job which will reach the network.
• Approver — Can approve all tasks.
• Network Operator — Can perform all Help Desk tasks. Can perform tasks related to network data
collection. Cannot perform any task that requires write access on the network.
• Network Administrator — Can perform all Network Operators tasks. Can perform tasks that result
in a network configuration change.
• System Administrator — Can perform all Cisco Prime system administration tasks.
• Super Admin — Can perform all Cisco Prime operations including the administration and approval
tasks. This role has full privileges.
You can select a role and set it as the default role. After installing LMS 4.2, Help Desk will be the default
role.
If you do not want to use the system-defined roles, you can create custom roles and associate tasks to
them. You can also remove all the custom roles and retain only the predefined roles using a CLI tool,
see, Removing Custom Roles Using CLI.
To manage roles:
Step 1 Select Admin > System > User Management > Role Management Setup. The Role Management
Setup Page appears with the available roles, their descriptions, and the default role.
Note You cannot edit, delete, or export system-defined roles.

2-36 OL-25947-01
Managing Roles
Step 2 You can do the following:
Button Description
Add Click Add to add user-defined roles. The Role Management Page appears.
To add a role:
1. Enter the role name and description.
2. Select the tasks that have to be assigned to the new role.
The task can be identified using the search option. The search uses the task name and the task
description to perform a complete search. The search results and All tab contents are
synchronized. Any selections made on search results will reflected in all tab. For more details
see Searching LMS Tasks.
3. Click OK to add the new role or click Cancel to return to the Role Management Setup Page.
For more information on the various tasks in LMS 4.2, see Understanding LMS Tasks.
Edit Select a user-defined role and click Edit to edit the role. The Role Management Page appears. To edit
a role:
1. Modify the role description if required.
2. Select or deselect the check box corresponding to the required tasks.
3. Click OK to save the changes, or click Cancel to return to the Role Management Setup Page.
Delete To delete a role:
1. Select one or more user-defined roles and click Delete to delete the roles.
2. Click OK to confirm or Cancel to return to the Role Management Setup Page.
If the deleted role is assigned to any user, then it will remove the association of this role with the user.
Copy You can use this option to modify a system-defined role.
To copy a role:
1. Select a role from the roles and click Copy. The Role Management Page appears.
2. Enter the role name and description.
3. Select or deselect the check box corresponding to the tasks.
4. Click OK to add the new role, or click Cancel to return to the Role Management Setup Page.
Export You can export roles only in the XML format. The file will be saved in the client.
To export roles:
Select the user-defined roles that you want to export and click Export. A message appears prompting
you to open or save the LMSRoleExport.xml file.

OL-25947-01 2-37
Managing Roles
Button Description
Import You can import roles only in the XML format.
To import roles:
1. Click Import.
2. Click Browse and select a file from the client.
3. Specify if you want to to overwrite, merge or backup the existing roles when you import roles:
4. Click Submit to import the roles or Cancel to return to the Role Management Setup Page.
You can choose to:
• Overwrite—Roles with the same names will be overwritten.
• Merge—Roles with the same names will be updated with details of the existing role and details
of the imported role.
• Backup—Roles with the same names will be overwritten. The existing role will be renamed as
CopyOf<Role name>.
Set as Default Default role will be assigned to users who:
• Do not have any role assigned to them.
• Have logged in using an external authentication server, like PAM, and are not available in the local
database.
When multiple roles are set as default role, the user will be assigned with all the roles selected as
default roles.
If there is no default role configured, then authorization will fail for users who:
• Do not have any role assigned to them.
• Have logged in using an external authentication server, like PAM, and are not available in the local
database.
To set a default role:
1. Select a role from the roles listed in the Role Management Setup Page.
2. Click Set as Default. The selected roles will be the default roles.
Clear Default Click Clear Default to clear the default role. After you clear the default role, authorization will fail
for any user assigned without this role.
Note After adding roles you must assign one or more roles to your users, select Admin > System > User
Management > Local User Setup.
Searching LMS Tasks

To search the LMS tasks,
Step 1 Specify the exact task name or the first few characters of the task name in the search text box and click
the search icon. The task name is case-insensitive.
For example enter admin or *admin or admin* or *change* in the search text box.

2-38 OL-25947-01
Managing Cisco.com Connection
• admin – will search for the task and task description that contains the exact term admin.
• *admin – will search for the task and task description that ends with the term admin either in task
name or description.
• admin* – will search for the task and task description that begins with the term admin either in task
name or description.
• *change* – will search for the task and task description that contains the term change.
If there are no search results generated, then a pop-up window appears.
Note You are not allowed to use any other wildcard character apart from *.
Step 2 Click the Search Results tab to see the corresponding search result.
In the All tab, the task tree will be in a collapsed state, whereas in the Search Results tab, the task tree
will be in the expanded state.
You will note that when you select or unselect a particular set of tasks in the Search Results tab, the
same set of tasks will be automatically selected or unselected in the All tab.
Removing Custom Roles Using CLI

You can use a CLI tool to remove all the user-defined roles and retain only the system-defined roles.
To do this:
On Windows, run:
NMSRoot\bin\ResetToFactoryRole.pl
On Solaris/Soft Appliance, run:
NMSRoot/bin/ResetToFactoryRole.pl
Managing Cisco.com Connection

Certain Software Center features require Cisco.com access. This means that Cisco Prime must be
configured with a Cisco.com account, which is to be used when downloading new and updated packages.
• Setting up Cisco.com User Account
• Setting Up the Proxy Server
To view the Cisco.com Connection Details, select Admin > System > Cisco.com Settings >
Connection Management. The Cisco.com Connection Management page displays the current Proxy
Server settings.
Setting up Cisco.com User Account

This feature lets you add and modify Cisco.com user login names and password.
To set up Cisco.com login account:

OL-25947-01 2-39
Support Settings
Step 1 Select Admin > System > Cisco.com Settings.

Step 2 Click User Account Setup in the TOC list.
The User Account Setup page appears.
Step 3 Enter your Cisco.com Username, and Cisco.com Password.
Step 4 Re-enter the password in the Verify Password field.
Step 5 Click Apply.
Setting Up the Proxy Server

You can update the proxy server configuration using the Proxy Server set up option.
To update your proxy server configuration:
Step 1 Select Admin > System > Cisco.com Settings.

Step 2 Click Proxy Server Setup in the TOC list.
The Proxy Server Setup page appears.
Step 3 Enter the Proxy Server host name or IP address, and the port number.
Optionally, you can enter the Username and Password for accessing the proxy server.
If you have entered your password, re-enter the same password in the Verify Password field.
Step 4 Click Apply.
Support Settings
From LMS 4.2.2, Cisco Prime LAN Management Solution will support the Support Settings feature to
allow user to set the following two types of interactions:
• Enabling interactions directly from the LMS server
• Enabling interactions only through client system
For more information on creating a new service request and updating an existing service request, see
Creating/Updating Support Case section in Getting Started with Cisco Prime LAN Management
Solution 4.2.

2-40 OL-25947-01
CHAPTER 3
Administering LMS Server
LMS includes several administrative features to ensure that the server is performing properly. You can
manage processes, set up backup parameters, update licensing information, collect server information,
manage jobs and resources, and configure system-wide information on the LMS Server.
• Using Daemon Manager
• Managing Processes
• Backing Up Data
• Backup for Cisco Prime Infrastructure
• Licensing Cisco Prime LMS
• Compliane and Audit Manager (CAAM) Server License
This chapter has the following information:
• Using Daemon Manager
• Managing Processes
• Backing Up Data
• Licensing Cisco Prime LMS
• Configuring a Default SMTP Server
• Collecting Server Information
• Collecting Self Test Information
• Messaging Online Users
• Managing Resources
• Collecting Server Information
• Collecting Self Test Information
• Messaging Online Users
• Managing Resources
• Modifying System Preferences
• Configuring Log Files Rotation
• Modifying System Preferences
• Configuring Disk Space Threshold Limit
• Effects of Third Party Backup Utility and Virus Scanner

OL-25947-01 3-1
Chapter 3 Administering LMS Server
Using Daemon Manager
• Configuring TFTP
• Cisco Prime Integration Application Settings
Using Daemon Manager

The Daemon Manager provides the following services:
• Maintains the startup dependencies among processes.
• Starts and stops processes based on their dependency relationships.
• Restarts processes if an abnormal termination is detected.
• Monitors the status of processes.
The Daemon Manager is useful to applications that have long-running processes that must be monitored
and restarted, if necessary. It is also used to start processes in a dependency sequence, and to start
transient jobs.
Do not start the Daemon Manager immediately after you stop it. The ports used by the Daemon Manager
will be in use for some time after the Daemon Manager is stopped. Wait for at least a minute before you
start the Daemon Manager.
If the System resources are less than the resources required to install the application, the Daemon
Manager restart displays warning messages that are logged into dmgtd.log.
You cannot start the Daemon Manager if there are non-SSL compliant applications installed on the server
when SSL is enabled in LMS.
Restarting Daemon Manager on Solaris/Soft Appliance

To restart Daemon Manager on Solaris/Soft Appliance:
Step 1 Log in as root.

Step 2 Enter /etc/init.d/dmgtd stop to stop the Daemon Manager.
Step 3 Enter /etc/init.d/dmgtd start to start the Daemon Manager.
Restarting Daemon Manager on Windows

To restart Daemon Manager on Windows:
Step 1 Go to the command prompt.

Step 2 Enter net stop crmdmgtd to stop the Daemon Manager.
Step 3 Enter net start crmdmgtd to start the Daemon Manager.
Do not start the Daemon Manager immediately after you stop it. The ports used by Daemon Manager
will be in use for some more time even after the Daemon Manager is stopped. Wait for at least one minute
before you start the Daemon Manager.
If the System resources are less than the required resources to install the application, Daemon Manager
restart displays warning messages that are logged into syslog.log.

3-2 OL-25947-01
Managing Processes
Managing Processes
Cisco Prime applications use back-end processes to manage application-specific activities or jobs. The
process management tools enable you to manage these backend processes to optimize or troubleshoot
the LMS Server.
You can do the following activities:
• View the details of all processes
• Filter and show only processes of a specific state
• Start the processes
• Stop the processes
All mandatory processes are started when you start the system.
See LMS Back-end Processes for a list of Cisco Prime back-end processes used by LMS.
You can manage the Cisco Prime processes through CLI. See Managing Processes Through CLI for more
information.
Note Your role and privileges determine whether you can use this option.

• Process States
• Viewing Process Details
• Viewing Processes of a Specific State
• Starting a Process
• Stopping a Process
Process States
The state of the Cisco Prime backend processes fall under either one of the following categories:
State Description
Running normally Processes are started and are running normally.
Sometimes, you find the state of a few processes as follows:
Program started - No mgt msgs received
This indicates that the processes are started automatically at boot and are
running normally.
Never started Processes that cannot start automatically and are to be started by operator
or administrator.
Failed to run Processes that failed to start because of an error in the system.
Administratively Processes that are stopped by the system or by the administrator.
shutdown

OL-25947-01 3-3
Managing Processes
State Description
Transient Terminated Terminated transient processes.
Processes that are created or started by Daemon Manager whenever
required are called transient processes.
Waiting to Initialize Processes that are yet to run normally and are in initialization phase.
Viewing Process Details

To view Process details:
Step 1 Select Admin > System > Server Monitoring > Processes.
The Process Management page appears with all Cisco Prime processes listed.
You can see the following information of a Cisco Prime process in the Process Management window:
Column Description
ProcessName Name of the process. Describes how the process is registered. See LMS Back-end
Processes for more information on process description. For information on
suite-specific processes, see the relevant Online help.
You cannot view the details of Apache and Tomcat processes or restart them from
the user interface. But you can view the details of these processes in Process
Status report (Reports > System > Status > Process).
ProcessState Process status and a summary of the log file entries for the process. If the process
fails, this column is highlighted in red.
ProcessId Unique number by which the operating system identifies each running program.
ProcessRC Return code. 0 represents normal program operation. Any other number
represents an error. See the error log for details.
ProcessSigNo Signal number. 0 represents normal program operation. Any other number is the
last signal delivered to the program before it terminated.
ProcessStartTime Time and date on which the process was started.
ProcessStopTime Time and date on which the process was stopped.
Step 2 Click the ProcessName link of a process to view its details.

The Process Details popup window appears with the following information:
Column Description
Process Name of the process.
Path File Location.
Flags Flags used to register the process with the Daemon Manager.
Startup Method used to start the process (manual or automatic).
Dependencies Other processes that are running, and that are required for this process to
run.

3-4 OL-25947-01
Managing Processes
Step 3 Click OK.
You can click the Refresh icon on the top-right corner of the page to initiate a page refresh and view the
updated information of the processes.
Viewing Processes of a Specific State

To view processes of a specific state:
The Process Management page appears.
Step 2 Select a process state from the Show Only process state.
You can select any one of the following process states:
• Never started
• Waiting to initialize
• Running normally
• Failed to run
• Transient terminated
• Administrator has shut down this server
• Program started — No mgt msgs received
See Process States for description of each of these process states.
The details of processes of the selected state appears.
Starting a Process
To start a process:
Step 2 Select the check box corresponding to the process.
Step 3 Click Start.
Stopping a Process
To stop a process:
Step 2 Select the check box corresponding to the process.

OL-25947-01 3-5
Managing Processes
Step 3 Click Stop.
LMS Back-end Processes

The back-end processes in the LMS Server are required to manage application specific activities and
jobs.
Table 3-1 lists the back-end processes in LMS Server, their description and dependent processes.
In LMS 4.2, Compliance and Audit Manager (CAAM) Server is added as a new back-end process.
Log files for most of the processes are located in the following locations:
• On Solaris/Soft Appliance—var/adm/CSCOpx/log
• On Windows—NMSROOT\log, where NMSROOT is your Cisco Prime default installation directory.
You can also manage the Cisco Prime processes through CLI. You can perform the following activities
through CLI:
• Viewing Process Details Through CLI
• Viewing Brief Details of Processes
• Viewing Processes Statistics
• Server Back-end Processes
• Inventory, Config and Image Management Processes
• Network Topology, Layer 2 Services and User Tracking Processes
• IPSLA Performance Management Processes and Dependency Processes
• Device Performance Management Module Processes
• Fault Management Processes
Server Back-end Processes

Table 3-1 lists the LMS 4.2 Server Back-end processes and their dependency processes.

3-6 OL-25947-01
Managing Processes
Table 3-1 Cisco Prime LMS 4.2 Server Back-end Processes and their Descriptions
Normal Process Dependent Pro-

Process Name Description State cess Log Files
Apache Apache web server used on both UNIX Program started - TomcatMonitor NMSRoot\MDC\
and Windows systems. This hosts the No mgt msgs Apache\logs
base Cisco Prime home page and all received (On Windows)
major applications. /opt/CSCOpx/MDC/
You cannot view the details of this Apache/logs
process or restart this process from the (On Solaris/Soft Ap-
user interface (from Process Manage- pliance)
ment page).
CmfDbEngine Sybase database instance used by the Program started - None NMSRoot/MDC/log/
base Cisco Prime framework. No mgt msgs daemons.log
received (On Solaris/Soft
Appliance only)
CmfDbMonitor Monitors the CmfDbEngine process and Running CmfDbEngine NMSRoot\log\
periodically checks for connectivity and normally CmfDbMonitor.log
SQL errors. (On Windows)
/var/adm/CSCOpx/log
/CmfDbMonitor.log
(On Solaris/Soft Ap-
pliance)
CMFOGSServer Device grouping service in CS that Program started - CmfDbMonitor, NMSRoot\log\
provides grouping capability based on No mgt msgs EssMonitor, CMFOGSServer.log
device attributes stored in DCRServer. received DCRServer (On Windows)
/var/adm/CSCOpx/log
/CMFOGSServer.log
pliance)
CSDiscovery Transient process created by Daemon Transient Termi- — NMSRoot\log\
Manager. This process initiates Device nated CSDiscovery.log
Discovery. (On Windows)
/var/adm/CSCOpx/log
/CSDiscovery.log
pliance)

OL-25947-01 3-7
Managing Processes

CSRegistryServer Registry Server for other CS processes Running — NMSRoot\log\
such as DCRServer and CMFOGSServer normally CSRegistryServer.log
and provides the backbone for inter-pro- (On Windows)
cess communication for DCRServer and
/var/adm/CSCOpx/log
CMFOGSServer.
/daemons.log
Sometimes, the Tomcat process may start (On Solaris/Soft Ap-
this process. In such cases, the process pliance)
status is displayed as follows:
Administrator has shut down this
server
You can ignore this error message.
DCRServer Device List and Credential Repository Running TomcatMonitor, NMSRoot\log\
Server that provides the repository for normally CmfDbMonitor, DCRServer.log
shared device list and credentials to be EssMonitor (On Windows)
used across applications. /var/adm/CSCOpx/log
/daemons.log
pliance)
DCRDevicePoll Transient process created by Daemon Transient Termi- — NMSRoot\log\
Manager. This process initiates Device nated DCRDevicePoll.log
Polling. (On Windows)
/var/adm/CSCOpx/log
/DCRDevicePoll.log
pliance)
diskWatcher Monitors disk space availability on the Running — NMSRoot\log\
LMS Server. normally diskWatcher.log
(On Windows)
See Configuring Disk Space Threshold
Limit for more information. /var/adm/CSCOpx/log
/diskWatcher.log
pliance)
EDS Legacy Event Distribution engine. This Running NameService- NMSRoot\log\
is currently used by some applications to normally Monitor EDS.log
send and receive event messages. (On Windows)
/var/adm/CSCOpx/log
/daemons.log
pliance)

3-8 OL-25947-01
Managing Processes

EDS-GCF EDS - Generic Consumer Framework Running EDS, CmfDb- NMSRoot\log\
process. It is an extension to EDS that normally Monitor EDS-GCF.log
allows Generic Event Consumers to (On Windows)
provide a pluggable event interface.
/var/adm/CSCOpx/log
/daemons.log
pliance)
ESS Event Services Software. The new Program started - — NMSRoot\log\ESS.log
engine that handles distribution of events No mgt msgs (On Windows)
between processes. This is slated to received
/var/adm/CSCOpx/log
eventually replace EDS.
/daemons.log
pliance)
EssMonitor Monitors ESS process to check if events Running ESS NMSRoot\log\
related functionality works properly. normally EssMonitor.log
This process shuts down automatically (On Windows)
when the ESS process fails or does not /var/adm/CSCOpx/log
function properly. /daemons.log
pliance)
EventFramework Event management bus, LMS uses this to Program started - EssMonitor No log files
facilitate event transmissions between No mgt msgs
daemons. received
FDRewinder Enables the rotation of log files function- Never started — /var/adm/CSCOpx/log
ality using logrot. /daemons.log
(Solaris/Soft
Appliance Only)
pliance)
jrm Job and Resource Manager. This allows Program started - CmfDbMonitor, NMSRoot\log\
scheduling of jobs to be run at specific No mgt msgs NameService- jrm.log
times. It also allows locking and received Monitor, EDS, Es- (On Windows)
unlocking of resources. sMonitor /var/adm/CSCOpx/log
/daemons.log
pliance)
LicenseServer Provides Licensing functionality for Program started - — NMSRoot\log\
evaluation and file based licensing mech- No mgt msgs LicenseServer.log
anisms. received (On Windows)
/var/adm/CSCOpx/log
/daemons.log
pliance)

OL-25947-01 3-9
Managing Processes

NameService- Name Service agent that monitors Running NameServer NMSRoot\log\
Monitor objects and messages and acts as a Normally NameServiceMoni-
gateway between the JacORB clients and tor.log
the Name Server. (On Windows)
/var/adm/CSCOpx/log
/daemons.log
pliance)
NameServer Object Request Broker for the JacORB Program started - — NMSRoot\log\
framework used in Cisco Prime. No mgt msgs NameServer.log
received (On Windows)
/var/adm/CSCOpx/log
/daemons.log
pliance)
Tomcat Java servlet engine used on Windows, Program started - — NMSRoot\MDC\
Solaris and Soft Appliance systems No mgt msgs tomcat\logs\stdout.log
hosting applications based on the Cisco received (On Windows)
Prime desktop. /opt/CSCOpx/MDC/
You cannot view the details of this tomcat/logs/std-
process or restart this process from the out.log(On
user interface (from Process Manage- Solaris/Soft Appli-
ment page). ance)
TomcatMonitor Monitors the health of the Tomcat Running Tomcat NMSRoot\log\
process and shuts down automatically normally TomcatMonitor.log
when Tomcat fails or does not function (On Windows)
properly.
/var/adm/CSCOpx/log
/daemons.log
pliance)

3-10 OL-25947-01
Managing Processes
Inventory, Config and Image Management Processes

Table 3-2 lists Inventory, Config and Image Management processes, and their dependency processes.
Table 3-2 Inventory, Config and Image Management Processes and Dependency Processes
Dependency
Process Name (Sequential) Log Information Description
RMEDbEngine None NA System service: the database engine for
Inventory, Config and Image Management
applications.
ConfigMgmtServer EssentialsDM dcmaservice.log Configuration Management service performs
the following tasks,
• Collects the configuration for the LMS
managed devices on request from jobs or
user Interface.
• Archives new version if there is a
difference between the fetched
configuration and the latest configuration
in archive.
• Parses the configuration based on configlet
rules and generates differences between the
configurations.
• Logs change record for every new version
of archived running configuration.
• Detects config changes on the device and
triggers configuration collection
• Caches the device and NetConfig template
mapping information.
• Populates the database with NetShow
system-defined command sets and
NetShow commands by retaining them
from device packages.
ConfigUtilityService EssentialsDM cfgutilservice.log ConfigUtilityService parses the archived
configurations of the devices for assessing the
technology readiness of the devices. It does
config and CLI parsing.
ConfigUtilService also performs OGS grouping
attributes updates at the end of Inventory
collection.
SyslogCollector ESS SyslogCollector.log Filters and sends the syslog objects to various
SyslogAnalyzer services subscribed to it.

OL-25947-01 3-11
Managing Processes
Table 3-2 Inventory, Config and Image Management Processes and Dependency Processes (continued)
Dependency
EssentialsDM ESS EssentialsDM_Server.log It publishes a dummy Common Services
Transport Mechanism (CSTM) service name to
DCRServer
synchronize publishing of service names with
LMSDbEngine CSTM.
All other LMS services that publish service
names with CSTM are made dependant on this
service either directly or indirectly.
After adding devices to LMS, this service
triggers for Inventory and Configuration
collection.
System service that monitors the accessibility
of the LMS database engine that helps to ensure
that the system is not started until the database
engine is ready.
EnergyWise EssentialsDM ICServer EnergyWise.log EnergyWise process provides services for:
EnergyWiseUI.log • EnergyWise endpoint and device collection
EnergyWiseConfiguratio • EnergyWise monitoring
n.log
• EnergyWise compliance check
EnergyWiseMonitoring.l
• Auto-push of EnergyWise policies on the
og
devices.
EnergyWiseCollection.lo
g
EnergyWiseNative.log
EnergyWiseComplianceC
heck.log
EnergyWiseNativeCompl
iance.log
EnergyWise_Purge.log
EnergyWiseNativePolicy.
log
CTMJrmServer EssentialsDM CTMJrmServer.log This service is a proxy to the JRM service. This
is used by LMS to connect to the JRM service.
jrm
It hides all the direct interaction with JRM.
Tomcat
ChangeAudit EssentialsDM ChangeAudit.log Change Audit program that provides back-end
database services for applications that want to
CTMJrmServer
log network changes and for Change Audit
jrm reports and Automated actions

3-12 OL-25947-01
Managing Processes
Table 3-2 Inventory, Config and Image Management Processes and Dependency Processes (continued)
Dependency
ICServer ESS IC_Server.log This is a service that collects and stores
Inventory information from the device using
CTMJrmServer
SNMP.
It also detects changes that occurred between
the last time Inventory was collected for a
device, and the current Inventory collection.
SyslogAnalyzer ESS SyslogAnalyzer.log for It takes the filter definition from the user and
Windows sends it to the various Syslog Collectors it is
EssentialsDM
subscribed to.
AnalyzerDebug.log for
CTMJrmServer
Solaris/Soft Appliance Receives the syslogs from the Syslog collector
jrm and inserts them into the database and also takes
automated actions from the user.
PMCOGSServer LMSOGSServer PMCOGSServer.log Port and Module group administration service.
This is used for managing Port and Module
groups.
ANIDbEngine None None System service: Database engine for Topology
and Identity Services.
ANIServer EDS ani.log System service: Collects device information for
Topology and Identity Services.
ANIDbEngine
MACUHIC EssMonitor macuhic.log System service: Receives and processes SNMP
traps for Dynamic UT
ANIDbEngine
UTLITE EssMonitor utlite.log System service: Receives and processes the
UTLITE data
ANIDbEngine
UTMajorAcquisition ANIServer ut.log UTMajor Acquisition is a transient process.
System service: Collects end hosts information.
UTManager EssMonitor utm.log System service: Queries external system for
Dynamic UT
ANIDbEngine
DCRServer
VNMServer ANIDbEngine Vnmserver.log System service: Handles VRF Lite Services like
configuration, VRF Lite collector job
scheduling
WlseUHIC ANIDbEngine wlseuhic.log System service: Collects information from
Wlse Device
Compliance and Essentials DM caam_server.log The Compliance and Audit Manager server
Audit Manager collects information from the Inventory and
cammserverui.log
(CAAM) Server Configuration management servers and stores
caamservercollection.log the details in a database.
If you stop or restart any of these processes you must stop and restart their dependency processes. See
Table 3-2 for the list of dependent processes.
You can stop and restart the process using Admin > System > Server Monitoring > Processes.

OL-25947-01 3-13
Managing Processes
Network Topology, Layer 2 Services and User Tracking Processes

Table 3-3 lists Inventory, Config and Image Management processes, and their dependency processes.
Table 3-3 Network Topology, Layer 2 Services and User Tracking Processes and Dependency Processes
Dependency
ANIDbEngine None None System service: Database engine for
Topology and Identity Services.
ANIServer EDS ani.log System service: Collects device information
for Topology and Identity Services.
ANIDbEngine
MACUHIC EssMonitor macuhic.log System service: Receives and processes
ANIDbEngine SNMP traps for Dynamic UT
UTLITE EssMonitor utlite.log System service: Receives and processes the

UTLITE data
ANIDbEngine
UTMajorAcquisition ANIServer ut.log UTMajor Acquisition is a transient process.
System service: Collects end hosts
information.
UTManager EssMonitor utm.log System service: Queries external system for
Dynamic UT
ANIDbEngine
DCRServer
VNMServer ANIDbEngine Vnmserver.log System service: Handles VRF Lite Services
like configuration, VRF Lite collector job
scheduling
WlseUHIC ANIDbEngine wlseuhic.log System service: Collects information from
Wlse Device

3-14 OL-25947-01
Managing Processes
IPSLA Performance Management Processes and Dependency Processes

Table 3-4 lists the LMS 4.2 Performance Management processes and their dependency processes.
Table 3-4 LMS 4.2 IPSLA Performance Management Process and the Dependency Processes
Dependency (Sequen-
Process Name Description tial) Default State Log Files
IPMProcess Provides core function of managing DCRServer, Program ipmserver.log,dmgtd.log
IPSLA Performance Management IpmDbEngine
Started
Devices, Collectors and Operations in
LMS. jrm
IPMOGSServer IPSLA Performance Management CmfDbMonitor, Program IPMOGSServer.log,
group administration service. This is EssMonitor,
Started
IPMOGSClient.log
used for managing IPSLA Performance
Management collector groups. It is also DCRServer,
used for IPSLA Performance Manage- IpmDbEngine
ment Collector selector.
IpmDbEngine IPSLA Performance Management NA Program dmgtd.log
Database Engine service. Started
It is used for managing and storing
IPSLA Performance Management
related information on the database
Device Performance Management Module Processes

Table 3-5 gives a description of key processes in Device Performance Management module.
Table 3-5 Key Processes in LMS 4.2 Device Performance Management Module
Dependent Default
Process Name Description Process State Log Files
UPMDbEngine This is the Device None Started None
Performance Management
database engine process. If
this process is down, you will
not be able to access Device
module of LMS, and polling,
threshold monitoring, and
trendwatch monitoring will
fail.

OL-25947-01 3-15
Managing Processes
Table 3-5 Key Processes in LMS 4.2 Device Performance Management Module
Dependent Default
Process Name Description Process State Log Files
UPMDbMonitor Responsible for monitoring UPMDbEngine Started UPMDbMonitor.log
the UPMDbEngine process.
UPMProcess Responsible for the Polling DCRServer, Started upm_process.log
engine, Threshold UPMDbMonitor
monitoring and Poller
Management features of
LMS. If this process is down,
poller management,
threshold management,
trendwatch management will
fail.
Fault Management Processes

Table 3-6 provides a complete list of Fault Management-related Cisco Prime processes. Logs for most
of these processes are provided in Table 1-2.
Table 3-6 Fault Management Related Processes
Default
Name Description Dependency State Log Files
AdapterServer/ Event adapter takes events from backend None Program adapterServer.log,
AdapterServer 1 servers. Started adapterServer1.log
, daemons.log
DataPurge Data Purge—Starts as scheduled in the GUI and jrm Administrato DPS.log,
purges the Fault History database. r has shut daemons.log
down this
server

3-16 OL-25947-01
Managing Processes
Table 3-6 Fault Management Related Processes (continued)
Default
DfmBroker Fault Management Broker maintains a registry None Program brstart.log
about Fault Management domain managers, that Started
register the following information with the
broker when its initialization is complete:
• Application name of the domain manager
• Hostname on which the domain manager is
running
• TCP port at which the HTTP server is
listening
When a client needs to connect to the domain
manager, it first connects to the broker to
determine the hostname and TCP port the HTTP
service of that server is listening.
It then disconnects from the broker and
establishes a connection to the domain manager.
The DfmBroker log file is located at
NMSROOT/objects/smarts/local/logs/brstart.log
.
DFMLogServer Controls Fault Management logs. None Program DfmLogService.lo
Started g, daemons.log
DFMMultiProcLog Handles processes with multiple threads. None Program MultiProcLogger.l
ger Started og, daemons.log
DFMOGSServer Fault Grouping Service Server evaluates group CmfDbEngine, Program DFMOGSServer.l
membership. ESS, DCRServer, Started og
TISServer
DfmServer/DfmSe Infrastructure device domain manager, a DfmBroker Running DFM.log,
rver 1 program that provides backend services for Normally DFM1.log
Fault Management. Services include SNMP
data retrieval and event analysis. The
DfmServer log is
NMSROOT/objects/smarts/logs/DFM.log.
If there are two instances of the DfmServer
running, each will have a log file, DFM.log and
DFM1.log.
DFMCTMStartup Handles interprocess communication. None Administrato DFMCTMStartup.
r has shut log, daemons.log
down this
server
EPMDbEngine Event Promulgation Module (EPM) database None Program EPM.log
engine—Repository for the EPM module. Started
EPMServer Sends events to notification services. EPMDbEngine Running EPM.log
Normally

OL-25947-01 3-17
Managing Processes
Table 3-6 Fault Management Related Processes (continued)
Default
FHDbEngine Fault History database engine—Repository for None Program daemons.log
alerts and events. Started
FHPurgeTask Fault History purge task. None Transient FHCollector.log,
terminated FHUI.log
FHServer Fault History server, a program that runs EPMServer, Running FHServer.log
backend services for Fault History. EPMDbEngine, Normally
FHDBEngine
Interactor Provides inventory and device information to InventoryCollect Program Interactor.log
the Detailed Device View (DDV); updates the or Started
DDV with events.
Interactor 1 Provides inventory and device information to Inventory Program Interactor1.log
the Detailed Device View (DDV); updates the Collector 1 Started
DDV with events.
InventoryCollector Synchronizes voice device inventory with ESS, TISServer, Running InventoryCollector
/ infrastructure device inventory. Handles all DFMOGSServer Normally/Pr .log,
InventoryCollector inventory events, such as adding and deleting ogram InventoryCollector
1 devices. Started 1.log
INVDbEngine Inventory database engine—Repository for None Program daemons.log
devices. Started
NOSServer Notification Server monitors alerts and sends EPMDbEngine, Running nos.log
notifications based on subscriptions. EPMServer, Normally
INVDbEngine,
DFMOGSServer
PTMServer Polling and thresholds server. DFMOGSServer Running PTMServer.log
Normally
PMServer PMServer is used for the Partition Manager INVDbEngine Running PMServer.log (For
funtionality for the Fault Management module EssMonitor Normally Windows)
of LMS. When you add a device to the Fault daemons.log (For
Management module, it is always added to the Solaris/Soft
default partition 0. Appliance)
All the debug logs related to PMServer can be
found at NMSROOT/log/dfmLogs/PM
TISServer Inventory server. EssMonitor, Program TISServer.log
INVDbEngine Started

3-18 OL-25947-01
Backing Up Data
Backing Up Data
You should back up the database regularly so that you have a safe copy of the database. You can schedule
immediate, daily, weekly, or monthly automatic database backups. You should have necessary privileges
to use this option.
You cannot back up the database while restoring the database. LMS uses multiple databases to store
client application data. These databases are backed up whenever you perform a backup.
Backup requires enough storage space on the target location for the backup to start.
If your current license count is lower than your earlier license count, and you restore the data now,
devices that exceed the current licence count will be moved to Suspended state.
Caution You should never backup data to the Cisco Prime Installation directory NMSROOT/backup. Sometimes,
storing the backup data in this location may corrupt the Cisco Prime installation.

• Scheduling a Backup
• Restoring Data
• Changing the Database Password
• Effects of Backup-Restore on DCR
• Master-Slave Configuration Prerequisites and Restore Operations
• Effects of Backup-Restore on Groups
Scheduling a Backup
You can schedule a backup using the LMS UI or use the backup utility through CLI. See, Backing up
Data Using CLI for more information.
To schedule a backup:
Step 1 Select Admin > System > Backup.

The Backup Job page appears.
Step 2 Enter the appropriate information in the following fields:
Field Description
Backup Directory Location of the backup directory. We recommend that your target location be on
a different partition than the Cisco Prime installation location.
The backup directory should not contain any special character.
Generations Maximum number of backups to be stored in the backup directory.
Time From the lists, select the time period between which you want the backup to
occur. Use a 24-hour format.

OL-25947-01 3-19
Backing Up Data
Field Description
E-mail Enter a valid e-mail ID in this field.
You can enter multiple e-mail IDs separated by commas.
The system uses the e-mail ID or e-mail IDs to notify you the following:
• New backup schedules.
• Status of immediate or scheduled backup jobs upon their completion.
• Cancelled backup schedules.
Warning There may be a problem in sending e-mails when you have

enabled virus scanner in the Cisco Prime LMS Server.
Frequency Select the backup schedule:
• Immediately - The database is backed up immediately.
• Daily - The database is backed up every day at the time specified.
• Weekly - The database is backed up once a week on the day and time
specified. Select a day from the Day of week list.
• Monthly - The database is backed up once a month on the day and time
specified. Select a day from the Day of month list.
You cannot schedule more than one backup at a time. The new schedule
overwrites the previous schedule, if any.
Step 3 Click Apply.

The Schedule Backup message verifies your schedule and provides the location of backup log files.
Examine the log file at the following location to verify backup status:
/var/adm/CSCOpx/log/dbbackup.log
On Windows:
NMSROOT\log\dbbackup.log
You can remove the scheduled backup at any time. Click Remove to delete the scheduled backup job.
The Remove button appears only if you have scheduled any backup.
Restoring Data
The new restore framework supports restore across versions. This enables you to restore data from
versions 3.1, 3.2. The restore framework checks the version of the archive.
• If the archive is of the current version, then the restore from current version is run.
• If the backup archive is of an older version, the backup data is converted to LMS format, if needed,
and applied to the machine.
You can restore your database by running a script from the command line. You have to shut down and
restart Cisco Prime while restoring data.

3-20 OL-25947-01
Backing Up Data
In all backup-restore scenarios, a back up is taken from a machine A, and the backed up data, say Ab, is
restored on the same machine A, or on a different machine B.
Ensure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data
of such tasks.
For details on effect of restore operation on DCR modes, and Groups, see Effects of Backup-Restore on
DCR and Effects of Backup-Restore on Groups.
Caution Restoring the database from a backup permanently replaces your database with the backed up version.
The list of applications in a backup archive should match the list of applications installed on the LMS
Server where you want to restore the data. You should not continue the restore when there is a mismatch,
as it may cause problems in the functionality of Cisco Prime applications.
• Restoring Data On Solaris/Soft Appliance
• Restoring Data On Windows
Restoring Data On Solaris/Soft Appliance

To restore the data on Solaris/Soft Appliance:
Step 1 Log in as the superuser, and enter the root password.

Step 2 Stop all processes by entering:
/etc/init.d/dmgtd stop
Step 3 Restore the database by entering:

/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl [-t temporary directory] [-gen
generationNumber] [-d backup directory] [-h]
• [-t temporary directory]—The restore framework uses a temporary directory to extract the content
of backup archive.
By default the temporary directory is created under NMSROOT as NMSROOT/ tempBackupData.
You can customize this, by using this – t option, where you can specify your own temp directory.
This is to avoid overloading NMSROOT
• [-gen generationNumber]—Optional. By default, it is the latest generation. If generations 1 through
5 exist, then 5 will be the latest.
• [-d backup directory]—Required. Which backup directory to use.
• [-h]—Provides help. When used with -d <backup directory> syntax, shows correct syntax along
with available suites and generations.
To restore the most recent version, enter:
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl -d backup directory
For example, -d /var/backup
Step 4 Examine the log file in the following location to verify that the database was restored by entering:
/var/adm/CSCOpx/log/restorebackup.log
Step 5 Restart the system:
/etc/init.d/dmgtd start

OL-25947-01 3-21
Backing Up Data
Restoring Data On Windows

To restore the data on Windows, make sure you have the correct permissions, and do the following:
Step 1 Stop all processes by entering the following at the command line:
net stop crmdmgtd
Step 2 Restore the database by entering:
NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl [-t temporary directory] [-gen
generationNumber] [-d backup directory] [-h]
where NMSROOT is the Cisco Prime installation directory. See the previous section for command option
descriptions.
To restore the most recent version, enter the following command:
NMSROOT\bin\perl NMSROOT\bin\restorebackup.pl -d backup directory
Step 3 Examine the log file in the following location to verify that the database was restored by entering:
NMSROOT\log\restorebackup.log
Step 4 Restart the system by entering:
net start crmdmgtd
Note For more details on restoring data see Migrating Data to Cisco Prime LAN Management Solution 4.2 in
Installing and Migrating to Cisco Prime LAN Management Solution 4.2
Changing the Database Password

You must enter the database password while installing Cisco Prime. If you do not enter the password,
Cisco Prime generates the password at random. However, we recommend that you change the password
periodically to ensure system security.
Caution You need to shut down Cisco Prime, change the password and then restart Cisco Prime, for the changes
to take effect. Make sure you are not running any critical tasks. Otherwise, you might lose data.

• Changing Password on Solaris/Soft Appliance
• Changing Password on Windows
• Formats Available for Changing the Database Password
Changing Password on Solaris/Soft Appliance

To change the password on Solaris/Soft Appliance:

3-22 OL-25947-01
Backing Up Data

Step 3 Change to the installation directory by entering:

cd NMSROOT/bin
NMSROOT is your default Cisco Prime installation directory.
Step 4 Enter the following command to list the different formats available for changing the database password:
NMSROOT/bin/perl dbpasswd.pl
Step 5 When prompted, enter the new password and verify it by re-entering it.
The password can contain a maximum of 30 characters.
Step 6 Start all processes by entering:
/etc/init.d/dmgtd start
Changing Password on Windows

To change the password on Windows:
Step 1 At the command line, make sure you have the correct permissions.
net stop crmdmgtd
Step 3 Change to the Installation Directory by entering:

cd NMSROOT\bin
NMSROOT is your default Cisco Prime installation directory.
Step 4 Enter the following command to list the different formats available for changing the database password:
NMSROOT\bin\perl dbpasswd.pl
Step 5 When prompted, enter the new password and verify it by re-entering it.
The password can contain a maximum of 30 characters.
Step 6 Start all processes by entering:
net start crmdmgtd

OL-25947-01 3-23
Backing Up Data
Formats Available for Changing the Database Password

The different formats available and the commands for changing the database passwords on Windows,
Solaris and Soft Appliance platforms are tabulated below:
Format Command
Format 1 detects the available datasource names On Solaris/Soft Appliance:
and databases and prompts you to enter and NMSROOT/bin/perl dbpasswd.pl all
confirm the passwords for each of them.
On Windows:
It also allows you to encrypt the password.
NMSROOT\bin\perl dbpasswd.pl all
Format 2 allows you to list all the databases and On Solaris/Soft Appliance:
datasource names (DSNs) available in the server.
NMSROOT/bin/perl dbpasswd.pl listdsn
On Windows:
NMSROOT\bin\perl dbpasswd.pl listdsn
Format3 allows you to change the database On Solaris/Soft Appliance:
password.
NMSROOT/bin/perl dbpasswd.pl dsn=odbc_datasource
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=odbc_datasource
Format 4 allows you to change the database On Solaris/Soft Appliance:
password for a specific DSN. NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password
It also allows you to enter a new password in the
On Windows:
command line using the npwd option.
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password
Format 5 allows you to encrypt the existing On Solaris/Soft Appliance:
database password. NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name encyption=yes
On Windows:
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name encyption=yes
Format 6 allows you to change the database On Solaris/Soft Appliance:
password for a specific DSN.
NMSROOT/bin/perl dbpasswd.pl dsn=dsn-name npwd=new-password
Format 6.0 also: encryption=yes
• Allows you to enter a new password in the On Windows:

command line using the npwd option.
NMSROOT\bin\perl dbpasswd.pl dsn=dsn-name npwd=new-password
• Allows you to encrypt the password using the encryption=yes
encryption option.
Effects of Backup-Restore on DCR

Data changes are a normal part of any restore from a backup. However, because Device and Credential
Repository (DCR) is a distributed system with varying modes, it is also possible for any restored DCR to:
• Change modes.

3-24 OL-25947-01
Backing Up Data
For example, a Standalone DCR can be set after a backup to act as a Slave. When the restore is
performed, it will be reset to the Standalone mode. It depends on the DCR mode of the machine from
which the backup was taken (source machine), and the machine on which the data was restored
(target machine).
• Change Master/Slave relationships.
For example, a DCR Slave may be using Master A at the time a backup is taken. Later, the domain
may be changed to use Master B, and the Slave reset to use Master B. When the restore is performed,
the Slave will attempt to use Master A.
For detailed information on DCR, see Managing Device and Credentials in Inventory Management
Guide.
The following scenarios helps you understand the implications of Restore operations on DCR.
• Restoring Data From a DCR Standalone
• Restoring Data From S1 on S1
• Restoring Data From S1 to M1
• Restoring Data From S1 on M2
• Restoring Data From M1 on M1
• Restoring Data From M1 to M2
Restoring Data From a DCR Standalone

If you restore the data backed up from a machine in the Standalone mode, on any machine whose
working mode is either Standalone, Master, or Slave, the end mode will be Standalone.
Let X be a machine in Standalone mode.
If you restore the data backed up from X, say Xb, on another Standalone machine Y, or a Slave S, or a
Master M, the end mode of Y, S, and M will be Standalone. Also, any slave of M will switch to
Standalone mode.
Further scenarios can be better explained based on the following DCR set up.
Let us assume there are two DCR domains.
• For Domain 1, you have M1 as Master, and S1, and S2 as Slaves.
• For Domain 2, you have M2 as Master, and S3, and S4 as Slaves.
Restoring Data From S1 on S1

Suppose you take a backup from S1. After sometime, you restore the backed up data, say S1b, on S1. S1
will look for its Master M1, and the Master-Slave relation between S1 and M1 will be intact, since M1
is available.
However, note that the restore on S1 will practically be of no effect since S1 and M1 will synchronize
after the restore on S1. The changes that have taken place after the backup was taken from S1 will be
reflected in S1, even if S1b is restored on S1.
In the above example, if the restore on S1 is performed when Master M1 is down, or has crashed, the
end mode of S1 will be Standalone. This is because S1 will try to contact M1, and will fail because M1
is down.
Restoring Data From S1 to M1

Suppose you take a backup from S1 and restore the backed up data, say S1b, on M1. M1 will switch to
Standalone mode because, after backup, it will not be able to find a Master. S1 will also switch to
Standalone mode.

OL-25947-01 3-25
Backing Up Data
At the time of backup, if there were 1000 devices in M1, the Slave S1 would also have 1000 devices.
Assume more devices are added to M1 after the Backup. S1 will have the up-to-date device list. However,
after restore on M1, M1 will have only 1000 devices. In other words, the data on S1 will be more recent
than the data on M1.
Restoring Data From S1 on M2

Suppose you take a backup from S1 and restore the backed up data, say S1b, on M2, which is the Master
in the DCR Domain 2 in our example.
After the restore, the end mode of M2 will be Slave. That is, M2 will become a Slave of M1. Also, S3,
and S4, which were Slaves of M2, will switch to the Standalone mode.
Restoring Data From M1 on M1

Suppose you take a back up from M1. After the backup you would be performing several operations that
would bring about changes in the Master and the corresponding Slaves; M1, S1, and S2 in our example.
Now, if you restore the backed up data M1b, on M1 itself. The Master M1 will have data that is older
than the data in the Slaves, S1, and S2. In other words, the Slaves will have more recent data than that
on the Master.
To avoid this, you must perform the Restore operation in the following sequence:
Step 1 Back up data from the slaves, S1 and S2.

Step 2 Back up data from the Master, M1.
This is to ensure that the data backed up from M1 is more recent than the data backed up from S1 and S2.
Step 3 Stop Daemon Manager on all three machines.
Step 4 Restore data on the Master, M1.
Step 5 Restart Daemon Manager on M1.
Step 6 Restore data on S1, and S2 after the Master is up and stable,
Step 7 Restart Daemon Manager on S1, and S2.
This ensures that Master has more recent data than the Slaves.
Note To avoid disturbances to the Master- Slave relationship, and to maintain consistency, it is better to take
a back up of all machines at the same time.
Restoring Data From M1 to M2

Suppose you take a backup from M1, and restore the backed up data, say M1b, on M2.
S3, and S4 which were Slaves of M2, will switch to Standalone mode.
Master-Slave Configuration Prerequisites and Restore Operations

DCR Master-Slave setup requires you to perform certain tasks prior to Master-Slave configuration, to
enable proper, and secure communication between them. This involves copying certificates, and setting
up a valid system identity user. For details, see Master-Slave Configuration Prerequisites.

3-26 OL-25947-01
Backing Up Data
Restore operations can affect Master-Slave relationships because they may modify these pre-configured
parameters.
For example, let M1 be the Master, and S1 its Slave. Let X be a standalone server.
Suppose you take a backup from S1, and restore the backed up data, say S1b on X.
Now, X has to be in Slave mode.
Since, M1 and S1 already shared a Master-Slave relationship, M1 will have the peer certificate of S1,
and S1 will have the certificate of M1.
After the restore operation, X will get the certificate of M1. However, if peer certificate of X is not
present on M1, X will not be able to have M1 as its Master.
So you have to ensure that the certificates of the peer machines are in place, before you do a Restore.
Other Master-Slave configuration prerequisites such as System Identity user configuration and Peer
Server Account user configuration might get affected by Restore operations.
For example: In M1 you have Joe as a Peer Server User and in S1 you add Joe as a System Identity user.
You take a backup from S1.
After you take the backup, say you change the Peer Server User and System Identity User to Bob.
Now if you restore the backed up data, say S1b the system Identity User would not be Bob anymore. This
will upset the Master-Slave relationship.
During restore you are prompted to confirm whether you need to overwrite the SSL certificate.
SSL certificates are tied to individual machines. So if you take a backup on one machine and restore it
on another, you should be careful not to overwrite the SSL certificate.
However, if you backup data from a machine and restore it to the same machine, you may overwrite the
SSL certificate.
Effects of Backup-Restore on Groups

Backup-Restore operations have an implication on the way Groups will be displayed in the LMS. The
changes in Groups behavior is discussed in relation with the Device and Credential Repository (DCR)
mode changes explained in Effects of Backup-Restore on DCR.
If you perform a backup on machine A and restore the backed up data, say Ab, on the same machine, the
system-defined groups, and the user-defined groups created after the data backup will be removed.
The following scenarios helps you understand the implications of Restore operations on Groups.
• Restoring Data From a DCR Standalone
• Restoring Data From S1 on S1
• Restoring Data From M1 on M2
Restoring Data From a DCR Standalone

The following scenarios have to be considered:
• Restore data from a Standalone machine A to another Standalone machine B:
The provider group name will change accordingly. That is, the provider group CS @A will become
CS@B.

OL-25947-01 3-27
Backup for Cisco Prime Infrastructure
• Restore data from a Standalone machine A to a Master M:

The Master will switch to Standalone mode. The provider group name will be updated accordingly.
The Slave groups will be removed from the Master.
Only the groups pertaining to LMS and the applications installed in the Standalone machine will be
visible. All dependent Slaves of M will become Standalone.
• Restore data from a Standalone machine A to a Slave S:
The Slave will switch to Standalone mode. The provider group name is updated accordingly. The
groups pertaining to other Slaves in the domain, and the Master of S, will be removed from S. The
groups UI will be enabled.
The subsequent sections are based on the scenarios discussed in the Effects of Backup-Restore on DCR.
Restoring Data From S1 on S1

No impact on CS groups.
There may be applications installed on S1. Say you create 10 groups in the Applications before you
backup data from S1. After backup, assume you create 10 more groups in the Applications. After restore,
the 10 groups you created after backup will not be present. This loss of newly added groups also
propagates to other Slaves in the domain.

After restore, both S1 and M1 will switch to Standalone mode. Both will have only those groups
pertaining to LMS installed on the individual machines. Groups UI is enabled on S1. Also, the other
Slaves of M1 will switch to Standalone mode.

After restore, M2 will become a Slave of M1. The Groups UI in M2 will be disabled. M2 will pickup all
the groups from M1. Groups in M2 will be propagated to other slaves in the domain. All the slaves of
M2 (before restore) will now switch to Standalone mode.
Restoring Data From M1 on M2

Slaves of M2, that is S3 and S4, will switch to Standalone mode. Groups pertaining to S3 and S4 will be
deleted from M2.
In all the cases the System-defined Groups, and the User-defined Groups, are carried over and updated
in the target machine.
Backup for Cisco Prime Infrastructure

From LMS 4.2.2, Cisco Prime LAN Management Solutions will support data migration to Cisco Prime
Infrastructure (PI) and the device data from LMS 4.2.x versions can be exported to PI 1.2.
The following two procedures will be used to export data from LMS to PI:
• Exporting Device Credentials Repository (DCR) data from LMS—User can export the Device List
and Credentials to a CSV file that would be shown as a link. The data backup status and backup
location will be displayed at the bottom of the Export Data to Prime Infrastructure page.

3-28 OL-25947-01
Licensing Cisco Prime LMS
• Exporting complete data of LMS—This option enables you to store data in an external server or
LMS server. The default backup location will be populated in the Backup location field at the bottom
of the Export Data to Prime Infrastructure page. If the user chooses storing data in external server,
the external server credentials namely Server IP or Host name, username, password and backup
location will be required.
Licensing Cisco Prime LMS

You must register your software and obtain a product license before you start using an application. You
can obtain a product license and license your application, view details of your current software license,
or update to a new license from the Licensing page.
LMS will authenticate and perform the license check.
If your current license count is lower than your earlier license count, and you restore the data now,
devices that exceed the current licence count will be moved to Suspended state.
• Obtaining a License for Cisco Prime LMS
• Licensing the Application
• Viewing License Information
• Updating Licenses
• Ordering LMS licenses
Obtaining a License for Cisco Prime LMS

To obtain a product license for your Cisco Prime applications, register your software at one of the
following websites. You will need to provide the Product Authorization Key (PAK), which is printed on
a label affixed to the Bundle sub-box.
If you are a registered user of Cisco.com, use this website:
http://www.cisco.com/go/license
If you are not a registered user of Cisco.com, use this website:
http://www.cisco.com/go/license/public
The product license will be sent to the e-mail address you provide during registration. Retain this license
with your Cisco Prime software records.
Licensing the Application

After you obtain the product license, perform these steps to license your software:
Step 1 Copy the new license file to the LMS Server, with read permission for casuser/casusers.
Step 2 Select Admin > System > License Management.
The License Information page appears. The License Information page displays the name, version, size,
status and expiration date of the license.
Step 3 Click Update.
Step 4 Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 5 Click OK.

OL-25947-01 3-29
Compliane and Audit Manager (CAAM) Server License
The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise an error message is displayed.
To return to the License Information page, click Cancel.
Note You must have Compliance and Audit Manager (CAAM) server license for accesing the CAAM features
in LMS 4.2. For more details, refer Compliane and Audit Manager (CAAM) Server License.
Viewing License Information

To view details of your current software license, select Admin > System > License Management to
open the License Information page.
The license name, license version, size (device limit for the licensed application), status of the license,
and the expiration date of the license appear under License Information.
The license version shows the major version of the application.
Updating Licenses
You can view details of your current software license, or update to a new license from the License page.
To update to a new license from the Licensing page:
Step 1 Select Admin > System > License Management.

The License Information page displays the license name, license version, status of the license, and the
expiration date of the license.
Step 2 Click Update.
Step 3 Enter the path to the new license file in the License field, or click Browse to locate the new file.
Step 4 Click OK.
The system verifies whether the license file is valid, and updates the license. The updated licensing
information appears in the License Information page. Otherwise, an error message is displayed.
To return to the License Information page, click Cancel.
Ordering LMS licenses

For availability, ordering, upgrade, and licensing options refer to www.cisco.com/go/lms
Compliane and Audit Manager (CAAM) Server License

You must have CAAM server license for accessing the following CAAM features in LMS:
• Compliance data collection
• Compliance profile execution
• Compliance Policy and groups
• HIPAA Compliance Reports
• SOX(COBIT) Compliance Reports

3-30 OL-25947-01
Configuring a Default SMTP Server
• ISO/IEC 27002 Compliance Reports

• NSA Compliance Reports
• PCI DSS Compliance Reports
• Department of Homeland Security (DHS) Checklist Reports
• Defense Information Systems Agency (DISA) Checklists
• Center for Internet Security (CIS) Benchmarkss
The following Compliance and Audit Reports are supported only by LMS license and do not require
CAAM server license.
• Service Reports
• Lifecycle Management Reports
• Vendor Advisory Reports
Configuring a Default SMTP Server

This SMTP server is used by default when you add or edit subscriptions for e-mail notifications or send
e-mail notifications from the Alerts and Activities display. LMS also provides a facility for specifying a
default SMTP server. Specifying a default server here will override the setting used by LMS.
Step 1 Select Admin > System > SMTP Default Server.

Step 2 Enter a fully qualified SMTP server name.
Step 3 Click Apply.
Collecting Server Information

This feature helps you to get the required information about the server. The information about the server
includes system information, environment, configuration, logs, web server information, device and
credentials administration information, and grouping services information.
You can use the collected server information for troubleshooting.
For example, when you have chosen to collect the grouping services information about the server, the
following details will be collected and stored:
• Status of LMS grouping server. The status values are Running, and Not Running.
• List of groups created in the LMS grouping server.
• Content of the registry and properties files associated with LMS.
• Status of the grouping server installed on same Cisco Prime
Server. The status values are Running, and Not Running.
• List of groups created in the LMS grouping server.
• Content of the properties files associated with other applications.
• Error encountered if the grouping servers are not running or if they are not reachable.

OL-25947-01 3-31
Collecting Server Information
You can look into this collected information to find out the errors with grouping servers and debug them.
You can also collect server information using CLI. See Collecting Server Information Using CLI
To collect the server information:
Step 1 Select Admin > System > Server Monitoring > Collect Server Information.
The Collect Server Information page appears.
Step 2 Click Create to collect the current server information.
The Collect Server Information popup dialog box appears with a list of options. The available options
are:
• System Information — Displays the server type, operating system version, installation date of
operating system, and other system information.
• Event Logs — Displays the logs of events in the LMS Server.
• Cisco Prime Registry — Displays the registry entries of Cisco Prime components installed in the
server.
• Tomcat Log Files — Displays the log files corresponding to the application server.
• Grouping Service — Displays the information of grouping servers and the groups created in the
grouping server.
• Application Registry Details — Displays the information of applications registered with Cisco
Prime home page.
• Device Credentials Admin Information — Displays the details of DCR mode, status of DCR Master,
number of devices in DCR and the contents of DCR configuration files.
• ODBC Configuration — Displays the information about the configuration of database connection
in the LMS Server.
• Product Log Files — Displays the contents of log files of all Cisco Prime components.
• Environment Variables — Displays the list of environmental variables set up in the LMS Server.
• Process Status — Displays the name of processes, current state of the process, process ID, start and
finish time of the process, and other information.
• Network Configuration — Displays information about the various configurations in a network.
• Memory and Harddrive Status — Displays details of free space and total space of memory and hard
disk drives in the LMS Server.
• JRE Registry — Displays information about the Java Runtime Environment registry files.
Step 3 Select the check boxes corresponding to the options you need.
You can use the All check box to select or deselect all the available options.
By default all the check boxes are selected.
Step 4 Click OK.
The server information for the selected components is collected.
Collecting server information may take longer if more components are selected.
To return to the Collect Server Information page, click Cancel.
You can click Refresh in the Collect Server Information page to see the latest status.

3-32 OL-25947-01
Collecting Self Test Information
To view the collected information:
Step 2 Click Server Information at the date time link to view the collected server information.
The popup window displays the server information collected.
Step 3 View server information by clicking the corresponding link in the Table of Contents.
To delete the collected server information:
Step 1 Select Admin > System > Server Monitoring > Collect Server Information
Step 2 Select the corresponding check box of the server information you want to delete.
Collecting Server Information Using CLI

You can also collect server information using CLI.
Enter the following command:
• NMSROOT\bin\perl NMSROOT\bin\collect.info (on Windows)
or
• NMSROOT/bin/perl NMSROOT/bin/collect.info (on Solaris/Soft Appliance)
where NMSROOT is the directory where you installed Cisco Prime.
Collecting Self Test Information

You can view self test reports using this option. Self test feature helps to test certain basic functions of
the server.
Execute the following steps to receive the system generated self test report to your Email ID.
Step 1 Go to Admin > System > Server Monitoring > Selftest.

Step 2 Select the E-mail text box and enter your Email ID.
Step 3 Click Save.
The system generated self test report will be sent to the specified Email ID.
Execute the following steps to create a self test report.
Step 1 Select Admin > System > Server Monitoring > Selftest.

OL-25947-01 3-33
Messaging Online Users
Step 2 Click Create to perform a selftest and to view the report.

Step 3 Click the Selftest Information at date time link.
A popup window displays the selftest information report.
To delete a Selftest Information report, select the checkbox and click Delete.
In LMS 4.2, the selftest report provides the following Hardware Parameters details:
• Memory availability
• Swap
• CPU
• DSN
• Backup status
• Number of MIB objects being polled
• Maximum number of MIB objects that can be managed
• Syslog database size
If the syslog database size exceeds 10 GB you need to purge the syslog records to reclaim space. Do the
following to purge syslog records and reclaim the database space:
Note If you want to backup the syslogs, refer Setting the Syslog Backup Policy.
Step 1 Perform a forced purge of Syslog messages, refer Performing a Syslog Forced Purge.
Step 2 Open RMEDebugToolsReadme.txt from
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\debugtools.
Step 3 Refer Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and execute the
perl script DBSpaceReclaimer.pl.
Note The perl script will reclaim the space occupied by SyslogFirst.db, SyslogSecond.db and
SyslogThird.db files present in the server. The amount of space reclaimed will depend on the
purge criteria that you specify. The most effective way to reclaim the space is to purge the
records older than 1 day.
Messaging Online Users

You can use the Notify User feature in LMS to broadcast messages to online users.
You can post messages to users with active Cisco Prime browsers. By default, the messages will be
received within 60 seconds. You can also change this polling interval.
To send a broadcast message:

3-34 OL-25947-01
Managing Resources
Step 1 Select Admin > System > User Management > Notify Users.
The Notify Users page lists all the users currently logged in.
Step 2 Enter the message in the Message field and click Send.
The Status field displays the status of the message.
Note If you are using Microsoft Internet Explorer, make sure your browser is set to check for updates on every
visit to the page.
Managing Resources
LMS provides a Resource Browser for managing resources. You can free locked resources, when
necessary, if you have appropriate privileges. All users (including those with Help Desk role alone) can
access the Resource browser page. The Refresh icon in the Resource browser is available for all users.
Note The System Identity user must configure all the Resource management related tasks. The Browse
Resources and Free Resources tasks should be enabled.
To view Resource details:
Step 1 Select Admin > Network > Resource Browser.

The Resource Browser page displays the following details:
Item Description
Resource Name of the resource currently locked.
Job ID / Owner Number assigned to this task at creation time. Identifies all related locked
resources, and user who locked the resource.
Time Locked Time this lock was established.
Expire Time Lock expiration time.
To free locked resources:
Step 1 Select Admin > Network > Resource Browser.

The Resource Browser page appears.
Step 2 Check the check box corresponding to the Job ID.
Step 3 Click Free Resources.
All users (except those with Help Desk and Approver role) can perform the Free Resource operation in
the Resource browser.

OL-25947-01 3-35
Modifying System Preferences
To view updated resources, click Refresh.

You can configure system-wide information on the LMS Server using the System Preferences option. It
is a way to centrally locate information that is used by Cisco Prime applications.
Field Description
SMTP Server System-wide name of the SMTP server used by Cisco Prime applications to
deliver reports. The default server name is localhost.
Administrator Cisco Prime Administrator e-mail ID.
E-mail ID
This e-mail address is used as the From Address in all mails sent from LMS
Server.
There is no default e-mail ID.
Enable E-mail Allows you to enable e-mail attachments in the mails sent from LMS Server.
Attachment
This option helps you to attach PDF or CSV reports with the e-mail after the
scheduled jobs have completed.
This option is disabled by default.
Maximum Maximum size of the e-mail attachments that are allowed to be sent from LMS
Attachment Size Server.
You can specify the attachment size in KB or MB.
RCP User Name used by network device when it connects to LMS Server to run rcp.
User account must exist on UNIX systems, and should also be configured on
devices as local user in the ip rcmd configuration command. The default RCP
username is cwuser.
SCP User Name used by network device when it connects to LMS Server to run SCP.
The username you have entered here is used for authorization while transferring
software images using SCP protocol.
You must specify a user name that has SSH authorization on a Solaris system.
SCP uses this authorization for transferring the software images.
This field is available only if Cisco Prime LMS applications are installed on the
LMS Server.
SCP Password Enter the password for SCP User in this field.
The password you have entered here is used for authentication while
transferring software images using SCP protocol.
You must specify a user name that has SSH authentication on a Solaris system.
SCP uses this authentication for transferring the software images.
LMS Server.

3-36 OL-25947-01
Field Description
SCP Verify Password Re-enter the SCP password in this field.
LMS Server.
Enable crmlogger Enable the Domain Name Service Resolution for the crmlog service using this
DNS resolution field. Note that enabling the DNS Resolution for the crmlog service will slow
down the Syslog performance.
The crmlog service will stop and start when you enable or disable the Domain
Name Service Resolution for crmlog service. If the crmlog registry does not
contain the CrmDnsResolution parameter, it will be created automatically when
you enable the service.
This field is available only on Windows systems.
Disable Idle Timeout By default this settings will be enabled and time interval for idle page will be
Settings 120 minutes.
Idle Timeout You can choose the time interval ranging from 15, 30, 45, 60 and 120 minutes.
A page is considered to be idle when there is no mouse or keyboard movement
in a particular screen.
If the page is kept idle for the set time period then a pop up redirecting the page
to idle page will be displayed. You can click cancel to avoid redirecting to the
idle page.
If you are redirected to the idle page then click the hyperlink click here to return
to your previous page.
To edit system preferences:
Step 1 Select Admin > System > System Preferences.

The System Preferences page appears.
Step 2 Enter the following information:
• SMTP Server
• Administrator E-mail ID
• Maximum Attachment Size
• RCP User
Caution Set this information carefully. If you introduce errors, users may not be able to log in.
Step 3 Check the Enable crmlogger DNS Resolution check box to enable the Domain Name Service Resolution
for the crmlog service, on a Windows system.
Step 4 Enter the following fields, which are available only if Cisco Prime LMS applications are installed on the
LMS Server:
• SCP User
• SCP Password
• SCP Verify Password

OL-25947-01 3-37
Configuring Log Files Rotation
Step 5 Click Apply after making the changes. To cancel the changes, click Cancel.

Log files can expand and fill up disk space. Log files rotation helps you manage the log files more
efficiently. See Maintaining Log Files for an overview of maintaining the log files in LMS Server.
Logrot is a log rotation program that enables you to control the size growth of the log files. It helps you
to:
• Rotate log files while Cisco Prime is running.
• Optionally archive and compress rotated logs.
• Rotate log files only when they have reached a particular size.
Logrot helps you easily add new files. You can configure Logrot either from the UI or from the CLI.
The following log files are maintained by the log rotation program:
• Daemon Manager
• Web server log files
• Configuring Log Files Rotation Settings From the User Interface
• Configuring Log Files For Rotation From the User Interface
• Scheduling Log Files Rotation
• Configuring Logrot Utility
• Running Logrot Script
• Viewing the Scheduled Logrot Job
Configuring Log Files Rotation Settings From the User Interface

To configure log files rotation from the user interface:
Step 1 Select Admin > System > Log Rotation.

The Log Rotation page appears.
Step 2 Set your backup directory in the Backup Directory field.
This backup directory stores the rotated log files.
You can also use the Browse button to select a directory from the file browser. The default directory is:
• NMSROOT\log on Windows systems
• /var/adm/CSCOpx/log on Solaris/Soft Appliance systems
If you do not set a backup directory, each log file will be rotated in its current directory.
Step 3 Select Restart Daemon Manager check box to stop and start the Daemon Manager before the log
rotation starts. This is optional.

3-38 OL-25947-01
Configuring Log Files For Rotation From the User Interface

To add the log files for rotation:

Step 2 Click Add to add the log files you wish to rotate.
The Configure Logrot page appears.
Step 3 Enter the name of the log file in the Select Log File field.
You can enter only one log file at a time.
You should specify log file using its fully-qualified path. If the log files do not exist in the path you have
specified, this will not be considered for rotation.
You can also click Browse to select a log file name from the file system.
Step 4 Enter the maximum file size in the Maximum Logrot Size field.
The log file will not be rotated until this size is reached.
You can enter the file size in KB or MB. The default file size is 1024 KB. The maximum file size for log
rotation is 4096 MB.
Step 5 Select a file compression type from Compression Format.
The supported formats are:
• Z—UNIX compression (on Solaris/Soft Appliance only)
• gz—GNU gzip
• bz2—bzip2 (on Solaris/Soft Appliance only)
Step 6 Specify the number of backups in the No of Backups field.
If you do not want to keep any archives, enter 0 (the default) for this option.
To return to the Log Rotation page, click Cancel.
To edit the log files that you have configured for rotation:

Step 2 Select a record from the list of log files displayed.
Step 3 Click Edit.
The Edit Logrot page appears.
Step 4 Edit the name of the log file. The rotated log files will be stored with the new name you have edited.
Step 5 Edit the log file size, compression type or number of archive revisions.
To return to the Log Rotation page, click Cancel.

OL-25947-01 3-39
Scheduling Log Files Rotation

To schedule log files rotation:

Step 2 Click Schedule.
The Schedule Logrot appears.
Step 3 Select a value in the Hour and Min drop-down lists to specify the time at which the log rotation should
start.
You should specify the time in 24-hour format.
Step 4 Select a periodic or immediate backup schedule in the Frequency field.
The available schedule frequencies are:
• Immediate—Log rotation job runs immediately.
• Daily—Log rotation job runs every day at the time specified.
• Weekly—Log rotation job runs once a week on the day and time specified. Select a day from the
Day of Week list.
• Monthly—Log rotation job runs once a month on the day and time specified. Select a day from the
Day of Month list.
You can remove a schedule at any time. Click Remove to delete the scheduled job. The Remove button
is enabled only if you have scheduled a log rotation. To return to the Log Rotation page, click Cancel.
Configuring Logrot Utility

Logrot should be installed on the same machine where you have installed LMS.
To configure the Logrot script:
Step 1 Enter:
• NMSROOT\bin\perl.exe NMSROOT\bin\logrot.pl -c (on Windows)
• Run /opt/CSCOpx/bin/logrot.pl -c (on Solaris/Soft Appliance)
The Logrot configuration menu appears. You have the following options:
• Edit variables.
• Edit log files.
• Quit and save changes.
• Quit without saving change.
Step 2 Select Edit variables to set your Backup Directory.
If you do not set a backup directory, each log will be rotated in its current directory.

3-40 OL-25947-01
Step 3 Select Edit log files to add log files you wish Logrot to rotate.
You can specify log files using fully-qualified or relative paths. If a relative path is specified, and the log
file does not exist in that path, the default log file path for your operating system will be added during
rotation (for example, /var/adm/CSCOpx/log on Solaris/Soft Appliance).
Step 4 Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default)
for this option.
Step 5 Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in
kilobytes (KB). The default is 1024 KB or 1 MB.
Step 6 Specify the file compression type to be used. It can be:
• Z—UNIX compression (on Solaris/Soft Appliance only)
• gz—GNU gzip
• bz2—bzip2 (on Solaris/Soft Appliance only)
When deleting logfiles, you can choose to delete an individual file, a list of files, or all files matching a
certain pattern.
For example, 1-3 means delete files numbered 1 through 3. a list of comma-separated file numbers, for
example, 1,21, means delete files numbered 1 and 21. A pattern string *.log means delete all files that
match the pattern *.log.
You can also specify the special pattern, *, which means delete all logfiles in the configuration.
Running Logrot Script

To run the Logrot Script enter:
• On Windows:
Enter NMSROOT\bin\perl NMSROOT\bin\logrot.pl
• On Solaris/Soft Appliance:
Run /opt/CSCOpx/bin/logrot.pl
You can schedule log rotation so that the utility works on a specified time and day.
The following command line flags are accepted:
• -v option to get verbose messages.
• -s option shuts down dmgtd before rotating logs.
Caution The Restart Delay variable controls the waiting duration (in seconds) before proceeding, after dmgtd is
shutdown. This option is only used if the -s argument is given to logrot. The default delay is 60 seconds.
• -c option reruns the configuration tool.

• -h option displays the help.
The following wrapLogrot permissions should be checked for proper working of LogRotation.
For Solaris:
bash-3.00# ls -l /opt/CSCOpx/bin/wrapLogrot
-r-sr-x--- 1 root casusers 6852 Oct 1 19:08
/opt/CSCOpx/bin/wrapLogrot

OL-25947-01 3-41
Configuring Disk Space Threshold Limit
For Virtual Appliance:

[root@HOSTNAME bin]# ls -l wrapLogrot
-r-sr-s--- 1 root casusers 7430 Sep 26 16:00 wrapLogrot
Viewing the Scheduled Logrot Job

You can view the scheduled jobs log file to troubleshoot the logrot utility.
To look at the scheduled logrot job:
• On Windows, use the command: crontab.cmd
• On Solaris, use the command:
crontab -l <UserName>
Example:
To view the job scheduled to run as root user, use the command:
crontab -l root
To view the job scheduled to run as casuser, use the command:
crontab -l casuser
• On Soft Appliance, use the command:

crontab -lu <UserName>
Example:
To view the job scheduled to run as root user, use the command:
crontab -lu root
To view the job scheduled to run as casuser, use the command:
crontab -lu casuser
Configuring Disk Space Threshold Limit

DiskWatcher is a back-end process that monitors disk space availability on LMS Server. This process
calculates the disk space information of a drive (on Windows) or a file system (on Solaris/Soft
Appliance) where Cisco Prime applications, are installed, and stores them in diskWatcher.log file.
Disk space information is calculated for the following directories on LMS Server:
• Cisco Prime Installation directory (on both platforms)
• /var directory (on Solaris/Soft Appliance platform only)
• /tmp directory (on Solaris/Soft Appliance platform only)
The process calculates the disk space availability of the LMS Server directories at a regular interval of
approximately one hour.
In Solaris machines, the disk spaces of /opt file system is calculated in the first 30 minutes of every one
hour time. The disk spaces of /var file system and /tmp file system are calculated in the next 15 minutes
and in the last 15 minutes of an approximate one hour time interval.
This process also alerts you when the disk space is less than the threshold level you have configured in
the User Interface. Alerts are sent as urgent messages to logged in users. You can also receive the alert
messages through e-mail if you have configured your e-mail ID along with threshold level.

3-42 OL-25947-01
Effects of Third Party Backup Utility and Virus Scanner
This process records the alert information in the system log files. The alert information is recorded in
diskWatcher.log and syslog.log files in Windows machines. They are stored in diskWatcher.log and
daemons.log files in Solaris machines.
To configure the disk space threshold limit:
Step 1 Select Admin > System > Server Monitoring > DiskWatcher Configuration.
The DiskWatcher Configuration page appears.
Step 2 Enter a threshold value in the Threshold for Cisco Prime Installation Directory field to monitor the disk
space in the Cisco Prime Installation directory. This is mandatory.
You should enter the threshold value in units of MB or GB.
Step 3 Enter a threshold value in the Threshold for /var and /tmp Directories field to monitor the disk space in
Solaris file systems. This is mandatory.
You should enter the threshold value in units of MB or GB.
Note This field is available only on Solaris systems.
Step 4 Enter a valid e-mail in the E-mail ID field.

You can enter multiple e-mail addresses separated by commas.
The system uses the e-mail addresses to notify about the disk space availability when the disk space is
less than the threshold limit you have configured.
There may be a problem in sending e-mails if you have enabled virus scanner in the LMS Server.
Step 5 Click Apply to save the changes or click Cancel to reset the values.
Effects of Third Party Backup Utility and Virus Scanner

Sometimes, the LMS database fails to run and throws the following Sybase Assertion error message:
*** ERROR *** Assertion failed: 100909 (9.0.0.1383).
100909 is the Assertion ID.
The following are the scenarios where Assertion Error might appear:
• If you use any third-party backup software to back up a live, running database, the Assertion Error
might be thrown.
This is because some of the database pages that have been modified will be in the database server
cache, so the database file will be in an inconsistent state.
• If you use any anti-virus software.
The reason is, Adaptive Server Anywhere performs many reads and writes other than the normal I/O
operations, which contribute to the good performance of Adaptive Server Anywhere. However,
anti-virus software might detect this as a potential problem and quarantine the file.
This becomes hazardous if the .log or temporary files are quarantined, and it may cause corruption
by interfering with the normal functions of the database. Poor performance can also occur if the
anti-virus software is checking all I/O operations performed by the database server.

OL-25947-01 3-43
Configuring TFTP
We recommend that you do not use third-party backup software for backing up a running database.
We also recommend that you configure your anti-virus software so that it must not scan the
NMSROOT/databases directory.
NMSROOT is the directory where you have installed Cisco Prime.
Configuring TFTP
This applies only to Solaris.
The TFTP (Trivial File Transfer Protocol) daemon shipped by Cisco Prime LMS supports TCP
(Transmission Control Protocol) Wrappers.
If the TCP Wrapper support is not configured properly in the server where Cisco Prime is installed, the
jobs requiring TFTP may fail.
To ensure that TFTP works properly, check the following configuration files:
• If /etc/hosts.allow file is present, ensure that the command in.tftpd is given as in.tftpd:ALL If the
command is not there in the file at all, add it as in.tftpd:ALL
• If /etc/hosts.deny file is present, ensure that the command in.tftpd is not there in the file
• If both the files are not present (/etc/hosts.allow and /etc/hosts.deny), you do not need to make any
changes
Note The TCP Wrapper software extends the abilities of inetd to provide support for every server daemon
under its control. It provides logging support, returns messages to connections, and permits a daemon to
accept only internal connections.
Displaying LMS Server Name With Browser Title

Displaying LMS Server name with browser title helps you to identify the server from which the
application window is launched especially in a multi-server setup and Single Sign-On based setup.
You can enable or disable the option of displaying the LMS Server name along with the browser title.
When you choose to display the server name in the browser title, the browser window displays the title
in the following format:
Hostname - ApplicationWindowTitle
where,
– Hostname is the name of the LMS Server
– ApplicationWindowTitle is the title of application window launched from LMS Server.
Note By default, the option of displaying the LMS Server name with the application window title in the
browser is enabled.
For example, if the name of your LMS Server is lmsdocultra, then the title of the Cisco Prime home
page is displayed as lmsdocultra - CiscoPrime.
If you launch LMS from the Cisco Prime LMS, the title of the LMS window is displayed as lmsdocultra
- LMS Home.

3-44 OL-25947-01
Cisco Prime Integration Application Settings
You can also enable or disable the display of server name with the browser title by changing the
configurations in a properties file.
Configure the uii-windows.properties file located at NMSROOT/lib/classpath to:
• Enable or disable the option of displaying server name with browser title.
• Change the format of display from Hostname - ApplicationWindowTitle to
ApplicationWindowTitle - Hostname and vice versa.
• Replace hyphen (-) with any other delimiter except empty spaces.
• Trim the spaces between the Hostname, delimiter and Application window title.

The Cisco Network Analysis Module Traffic Analyzer (NAM) offers flow-based traffic analysis of
applications, hosts, and conversations, performance-based measurements on application, server, and
network latency, quality of experience metrics for network-based services such as voice over IP (VoIP)
and video. Only NAM 4.1 is supported in LMS 4.2. The Cisco Prime Integration Application Settings
page allows you to configure NAM.
To add, edit, or delete the NAM configuration details:
Step 1 Select Admin > Cisco Prime Integration > Application Settings. The Application Settings page
appears.
Step 2 You can do the following:
• Add
– Click Add. The Server Configuration page appears.
– Select NAM from the drop-down list.
– Enter the IP Address in the NAM IP field.
– Enter the user name and password in the corresponding fields.
– Enter the SNMP read community.
– Select either HTTP or HTTPS as the protocol.
– Enter the port number.
– Click Add to add the new NAM configuration details or Cancel to return to the NAM
Configuration page.
• Edit
– Select a configuration detail that has to be edited.
– Click Edit. The Edit NAM Configuration page appears.
– Enter the IP Address in the NAM IP field.
– Enter the user name and password in the corresponding fields.
– Enter the SNMP read community.
– Select either HTTP or HTTPS as the protocol.
– Enter the port number.
– Click Edit to save the changes or Cancel to return to the NAM Configuration page.

OL-25947-01 3-45
• Delete
– Select a configuration detail that has to be deleted.
– Click Delete. A confirmation dialog box appears.
– Click OK to confirm or Cancel to return to the NAM Configuration page.
• Filter
– In the Filter By field, select the filter criteria e.g. ApplicationName from the drop-down list.
– In the Matches text box, enter the matching details e.g. NAM.
– Click Go, to execute the selected filter condition.
– Click Clear Filter, to clear the filter condition.

3-46 OL-25947-01
CHAPTER 4
Administering Discovery Settings and Device
and Credential Repository
You can configure discovery settings, and perform some administrative tasks in DCR.
This chapter contains:
• Scheduling Device Discovery
• Configuring Device Selector
• Administering Device and Credential Repository
For details on configuring discovery logging, see Configuring Discovery Logging.
Scheduling Device Discovery

You can schedule one or more Device Discovery jobs. The optimum Device Discovery schedule depends
on the size of network and changes in the network.
Before you schedule a Device Discovery job, read the following:
• Only one Device Discovery job can run at a time.
• Ensure jobs, other than Device Discovery, are not scheduled parallely along with the Device
Discovery jobs. If any other jobs are scheduled parallely, Device Discovery job will take more than
5 min to complete.
• When you schedule Device Discovery jobs, ensure that the schedule time does not overlap each
other. Otherwise, one of the Device Discovery jobs may fail.
• You should configure the Device Discovery settings before you schedule a Device Discovery job.
Otherwise, the system displays an error message when you try add a schedule. However, you can
edit the Device Discovery settings for the scheduled job later.
From the Discovery Schedule page, you can:
• Add a Device Discovery schedule. See Adding Device Discovery Schedule for details.
• Modify a Device Discovery schedule. See Editing Device Discovery Schedule for details.
• Delete a Device Discovery schedule. See Deleting Device Discovery Schedule for details.
• Navigate to LMS Job Browser page. See Viewing the Status of Device Discovery Schedules for
details.
• Start device discovery. See Starting Device Discovery for details.

OL-25947-01 4-1
Chapter 4 Administering Discovery Settings and Device and Credential Repository
• Maintain multiple Device Discovery Settings for multiple schedules. See Maintaining Multiple
Discovery Settings for Multiple Scheduled Jobs for details.
• View the Discovery Settings configured for the selected Device Discovery Schedule. See Viewing
Discovery Settings for Selected Discovery Schedule for details.
• Edit the Discovery Settings for the selected Device Discovery Schedule. See Viewing Discovery
Settings for Selected Discovery Schedule for details.
Adding Device Discovery Schedule

To add a Device Discovery schedule:
Step 1 Select Admin > Network > Discovery Settings > Schedule.
The Discovery Schedule page appears.
Step 2 Click Add.
The Add Discovery Schedule popup window appears.
The Device Discovery schedules are dependent of Device Discovery Settings. You cannot click the Add
button if you have not configured Device Discovery Settings.
The Add button is disabled on a fresh installation of LMS in LMS Server.
Step 3 Select a value in the Hour and Min drop-down lists to specify the time when the Device Discovery should
start.
You should specify the time in 24-hour format.
Step 4 Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.
Step 5 Enter a description in the Job Description field. This is optional.
You cannot edit the description entered in this field later.
Note The job description should not contain special characters like , and #.
Step 6 Click Schedule.

The Device Discovery schedule is created and assigned with a job ID. Email notification is sent to the
email address you have configured in the Discovery Settings wizard.
Editing Device Discovery Schedule

To edit a Device Discovery schedule:
Step 2 Select a Device Discovery schedule from the list.
Step 3 Click Edit.
The Edit Discovery Schedule popup window appears.
Step 4 Edit the values in the Hour and Min drop-down list, if required.

4-2 OL-25947-01
Step 5 Select the days of the week on which the Device Discovery is to be scheduled, in the Recurrence Pattern
field.
Step 6 Click Schedule to save the changes.
Deleting Device Discovery Schedule

To delete a Device Discovery schedule:
Step 2 Select a Device Discovery schedule from the list.
The Delete Confirmation dialog box appears.
Step 4 Click OK.
The selected Device Discovery schedule is deleted from the list of schedules.
Caution Before you remove a Device Discovery schedule, ensure it is completed. Otherwise, if the
Device Discovery job is running, deleting the schedule will stop the job first and then will
remove it.
Starting Device Discovery

To start immediate discovery for scheduled job:
Step 2 Select a job from the list.
Step 3 Click Start Discovery. A popup window appears with the information on the immediate jobID.
The Start Discovery button will be disabled before setting any jobs or if a discovery is already running.
Step 4 Click OK. The Device Discovery summary screen appears.
You can view the status of the job in Job Browser page (Admin > Jobs > Browser).
Viewing the Status of Device Discovery Schedules

You can navigate to LMS Job Browser page from the Discovery Schedule page to view the latest status
of Device Discovery jobs.
To do so:

OL-25947-01 4-3
Step 2 Click the link provided at the bottom of the page.

The Job Browser page displays the Device Discovery jobs.
Maintaining Multiple Discovery Settings for Multiple Scheduled Jobs

Before creating a scheduled job, you must configure the Device Discovery settings. You can edit the
settings for scheduled jobs later and maintain different settings for different jobs.
To view the existing Device Discovery settings for a selected job, see Viewing Discovery Settings for
Selected Discovery Schedule.
To edit the Device Discovery settings for a selected job, see Editing Discovery Settings for Selected
Discovery Schedule.
Viewing Discovery Settings for Selected Discovery Schedule

You can view the Discovery settings used to create the selected Discovery Schedule job.
To do so:
Step 2 Select a Discovery schedule from the list.
Step 3 Click View Settings.
The View Discovery Settings dialog box appears.
Step 4 Click OK to return to the Discovery Schedule page after you have view the schedule.
Editing Discovery Settings for Selected Discovery Schedule

You can edit the Discovery Settings used to create the selected Discovery Schedule job.
To do so:
Step 2 Select a Discovery schedule from the list.
Step 3 Click Edit Settings.
The Module Settings page of Discovery Settings wizard appears.
Step 4 Edit the required module settings and click Next. The Seed Devices Settings page appears.
Step 5 Edit the required seed devices settings and click Next. If you do not want to proceed further, click
Finish. The SNMP Settings page appears.
Step 6 Edit the SNMP settings and click Next. If you do not want to proceed further, click Finish.
The Filter Settings page appears.
Step 7 Edit the Filter settings and click Next. If you do not want to proceed further, click Finish.
The Global Settings page appears.
Step 8 Edit the Global settings and click Next. If you do not want to proceed further, click Finish.

4-4 OL-25947-01
Configuring Device Selector
The Discovery Settings Summary page appears.

Step 9 Click Finish to return to Discovery Schedule page.

The improved Device Selector allows you to search the devices in DCR. It helps to locate the devices
and perform the various device management tasks quickly. With this improved Device Selector, you need
not remember the device type or application group hierarchy to locate the devices.
The devices are categorized under Device Type based groups, User Defined groups, Subnet Based
groups, or under All Groups.
You can define the settings of the Device Selector pane to customize the display of devices and the order
of display. You can customize the top level groups, sub-groups and the list of devices displayed under
each group using the Group Customization option.
The Group Ordering option allows you to specify the order of display in which the groups are seen in
the Device Selector pane. See Device Selector Settings for more information.
The Device Selector Settings are specific to each user. You can search for devices using a Simple search
or an Advanced search. See Searching Devices for more information.
Tool tips are also provided for devices that contain long names so that you do not have to scroll
horizontally to see the complete device name.
The Device Selector is used to select devices to perform various device management tasks. The device
selector lists all devices in a group. The Device Name of the devices added in DCR is displayed in the
Device Selector pane.
The Device Selector contains the following components:
Component Name Description

Search Input Enter your search expression in this text field.
You can enter a single device name or multiple device names in this field.
You can enter the following as search inputs for searching multiple devices:
• Comma separated list of full device names
• Device names with wildcard characters, (?) and (*), to search for
multiple devices matching the text string entered in this input field.
The wildcard character ? matches a single character in a device name
and the wildcard character * matches multiple characters in a device
name.
• Combination of comma separated list of device names, and device
names with wildcard characters.
See Performing Simple Search for more information.
Search Use this icon to perform a Simple search of devices, after you have entered
your search input. See Performing Simple Search for more information.
Advanced Search Use this icon to perform an Advanced search of devices. See Performing
Advanced Search for more information.

OL-25947-01 4-5
Component Name Description

All This tab lists all the top-level device groups and the device names under
each group in a hierarchical format (tree view).
The top-level device groups include:
• All Devices
• Device Type Groups
• Subnet Groups
• User Defined Groups
See Understanding Device Groups for more information on types of device
groups.
Search Results This tab displays all the Simple or Advanced search results and you can
select all devices, clear all devices, or select a few devices from the list.
The Simple search results are based on the device name of the devices
added to DCR. The Advanced search results are based on the grouping
attributes of the grouping services server.
Selection This tab lists all the devices that you have selected in the All or Search
Results tab or through a combination of both. You can also use this tab to
deselect the devices you have already selected.
You can perform more than one search and can accumulate your selection
of devices.
The Device Selector displays the number of devices selected by you at the bottom. When you click the
link provided, it launches the Selection Tab.
Tool tips are also provided for devices that contain long names so that you do not have to scroll
horizontally to see the complete device name.
This section contains the following information:
• Selecting Devices for Device Management Tasks
• Searching Devices
• Device Selector Settings
Selecting Devices for Device Management Tasks

You can select devices to perform various device management tasks such as editing device credentials
and viewing device credentials, using any of these methods:
• Selecting Devices From All Tab
• Selecting Devices From Search Results
• Combination of Selection From All Tab and Search Results
Selecting Devices From All Tab

The All tab lists the top-level device groups and the device names under each group in a hierarchical
format (tree view).

4-6 OL-25947-01
You can select the devices from the tree view. The Selection tab shows the flat list of selected devices
from the All tab.
You should expand the nodes of the top-level device groups and sub groups to see the list of devices
within a group and select the devices you want. We recommend that you do not expand all and leave all
the multiple group nodes open. This may affect the performance of the device selector.
Selecting Devices From Search Results

You can perform a Simple Search or an Advanced Search, and the search results are displayed under the
Search Results tab. You can select the devices you want from the Search Results tab. The Selection tab
and the All tab, display the devices you have selected from the Search Results tab.
Note You can perform more than one search and can accumulate your selection of devices.
Combination of Selection From All Tab and Search Results

You can select the devices from the All tab and add more devices to the Selection list from the Simple
or Advanced search results in the Search Results tab.
The Selection tab displays the accumulated list from both All and Search Results tabs.
You can enter another search criteria and select more devices. The selected devices are accumulated in
the Selection tab.
Searching Devices
With the improved Device Selector, you can search for the devices by performing a Simple search or an
Advanced search. In both cases, you do not need to remember the name of the devices and the groups in
which the devices are grouped.
Note The search string is not case sensitive in LMS.

• Performing Simple Search
• Performing Advanced Search
Performing Simple Search

You can enter your search criteria in the Search Input field and search for the devices using the Search
icon. The search results are based on the device name of the devices added in DCR.
Note the following points when you perform a Simple search.
• You can enter a comma separated list of device names to search for multiple devices.
• You can use the wildcard characters, * and ?, to search for multiple devices that match the text string
entered in this input field. Multiple wildcard characters are allowed in a search string.
• You can use the combination of comma separated list of device names and wildcard characters in
the device names to search for multiple devices.
• If you are not using the wildcard characters, make sure that you enter the full device name.
For example, when you enter device2?, *.cisco1,*device10* as search input, the system displays:

OL-25947-01 4-7
• Device names starting with device2 and with only one character after device2
• Device names ending with .cisco1
• Device names containing the text string device10
Performing Advanced Search

Use the Advanced Search icon to open the Advanced Search popup window and specify a set of rules for
performing an Advanced search. The advanced search is based on the grouping attributes of the
application's grouping server.
You can create a rule in the Advanced Search dialog box by either:
• Using Expressions
or
• Using Rule Text Fields
You can verify if the rule you have entered is correct using the Check Syntax button, and reset the rule
you have created using the Clear button.
Using Expressions
You can use expressions to form a rule in the Advanced Search Dialog box. Each rule expression
contains:
• Device Type — Object type used for forming a group. All expressions start with the string Device
• Variables — Device attributes used to form a device group. The list of variables for advanced search
are Category, DeviceIdentity, DisplayName, DomainName, HostName, ManagementIpAddress,
MDFId, Model, Series, SystemObjectID, and the user-defined data, if any.
The list of device attributes are different across Cisco Prime modules. The Advanced Search window
in the Device Selector of Cisco Prime applications displays the respective device attributes as
variables.
• Operators — Various operators to be used with the rule. The list of operators includes equals,
contains, startswith, and endswith. The list of operators changes dynamically with the value of the
variable selected.
For the ManagementIpAddress variable, you can select the range operator other than the standard
list of operators. The range operator enables you to search for devices of the specified range of IP
Addresses. SeeUsing IP Address Range to Form a Search Rule for more information.
• Value — Value of the variable. The value field changes dynamically with the value of the variable
and operator selected, and this may be a text field or a list box.
After you define the rule settings, click Add Expression to add the rule expression.
You can also enter multiple rule expressions using the logical operators. The logical operators include
OR, EXCLUDE and AND.
Using IP Address Range to Form a Search Rule

The range operator enables you to search the devices of the specified range of IP Addresses. You can
select the range operator only for the ManagementIpAddress and IP.Address variables.
You should enter the range of IP Addresses in the Value field, to create a search rule based on IP Address
ranges.
When you enter the IP Address range in the text field, you should:

4-8 OL-25947-01
• Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.
• Use the hyphen character (-) as a separator between the numbers within a range.
• Specify the range of IP Addresses within the [ and ] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:
• Enter numbers lesser than 0 and greater than 255 in the IP Address range.
• Enter any characters other than the range separator (-).
• Enter the value of highest limit in the range as less than the value of smallest limit number. For
example, you should not enter 10.10.10.[8-4].
Example for forming a Search Rule Using Expressions

For example, if you want to search all the devices in the network whose device name contains
TestDevice or their IP Addresses within the range 10.10.210.207 to 10.10.212.247, you must perform
the following:
Step 1 Click the Advanced Search icon in the Device Selector pane.
The Define Advanced Search Rule dialog box appears.
Step 2 Create a search rule expression. To do so:
a. Select Variable as DisplayName
b. Select Operator as equals
c. Enter the Value as TestDevice
Step 3 Click Add Rule Expression.
The rule is added into the Rule Text.
Step 4 Create another rule expression. To do this:
a. Select OR as the logical operator
b. Select Variable as ManagementIPAddress/IP.Address
c. Select Operator as range
d. Enter the Value as 10.10.[210-212].[207-247]
The rule is appended into the Rule Text.
Step 6 Click Search to display the devices that satisfies the specified rule in the Device Selection dialog box.

OL-25947-01 4-9
Using Rule Text Fields
You can use Rule Text Fields to directly enter a rule without building any expressions. Ensure the rule
you create follows the syntax Object type.Variable Operator Value.
You can also enter multiple rule expressions using the logical operators.
For example, if you want to search all the devices in the network whose device name contains
TestDevice or their SysObjectIDs start with 1.3.12.1.4, you must construct a rule as follows:
Device.DisplayName contains "TestDevice" OR Device.SystemObjectID startswith
“1.3.12.1.4"
Note We recommend that you use expressions to construct a complex rule instead of creating them using the
Rule Text field. Use the Rule Text field to make any minor edits to the constructed rule.
Additional Notes
Read the following notes before you perform an advanced search:

• You cannot use wildcard characters in the Value field. Instead you can use the operator as startswith
or contains.
• You can use Check Syntax button, when you add or modify a rule manually.
• You must delete the complete rule expression including the logical operator, when you delete a
portion of your rule.
• The search string is case-insensitive.
Device Selector Settings

The devices are categorized under Device Type groups, User Defined groups, Subnet groups,
Application specific groups or under All groups.
You can define the settings of the Device Selector pane to customize the display of devices and the order
of display. These configurations are specific to each user and you can save them.
The devices are displayed in the appropriate category based on your roles and privileges. All the devices
will be listed to the administrator role.
This section has the following information:
• Understanding Device Groups
• Customizing Device Grouping
• Customizing Display Order of Device Groups
Understanding Device Groups

The Device Selector pane displays the following top-level device groups:
• All Devices
• Device Type Groups
• Subnet Groups
• User Defined Groups

4-10 OL-25947-01
All Devices
The All Devices Group displays all the devices in the application in the alphabetical order of their device
names. The device names are defined when you have added the devices in DCR.
Device Type Groups
The Device Type Groups displays all devices in groups and subgroups based on their Device Category,
Series and Model. By default, the device grouping is based on their Device Categories such as Routers,
Switches and Hubs.
The Device Category Groups folder can contain devices in subgroups based on their Device Series. For
example, the Device Category Group Router can contain devices (Routers) in subgroups Cisco 7000
Router Series and Cisco 12000 Router Series.
The Device Series subgroup can contain subgroups of devices based on their Model. For example, the
subgroup Cisco 12000 Router Series can contain the devices Cisco 12012 Router and Cisco 12816
Router.
See Customization of Device Type Groups for information on customizing the display of devices under
Device Type Groups.
Subnet Groups
You can see Subnet Groups, only when Topology and Identity Services functionality is enabled. You can
check the functionality settings at Admin > System Administration > Collection Settings >
Functionality Settings.
In a Multi Server setup, when two or more servers are installed with the Topology and Identity Services,
then the Subnet Groups from all the servers will be aggregated and displayed under the Subnet Groups
folder in the Device Selector pane.
See Customization of Subnet Groups for information on customizing the display of devices under this
group.
User Defined Groups
The User Defined Groups are created by users to administer the applications. The User Defined Groups
are created in Groups Administration window based on defined group rules.
All User Defined Groups (shared groups) from all application group hierarchies are collated and shown
as subgroups under this group. In a Multi Server Setup, the top level User Defined Groups will be named
as User Defined Groups@Server Name.
When there two or more User Defined Groups with the same name, the Device Selector displays all of
them. You have to use the Tooltip to find the source server where the User Defined Group is created.
Tip We recommend you to provide unique and meaningful names to User Defined Groups when you create
them to avoid the display of multiple User Defined Groups with the same name.
See Customization of User Defined Groups for information on customizing the display of devices under
this group.

OL-25947-01 4-11
Customizing Device Grouping

You can customize the device grouping and display the customized device groups in the Device Selector
pane. See Understanding Device Groups for more information on Device Groups.
You can use the Group Customization option to customize the display of device groups.
• Customization of Device Type Groups
• Customization of Subnet Groups
• Customization of User Defined Groups
Customization of Device Type Groups
You can display or hide the Device Type Groups folder in the Device Selector pane using the Group
Customization option. You can customize the Device Type Based Groups folder to display:
• All devices in groups, based on their Device Category only
• All devices in groups and subgroups, based on their Device Category and Series
• All devices in groups and subgroups, based on their Device Category, Series and Model
By default, the Device Type Group folder displays the devices in sub groups based on their category only.
To display the devices in groups based on their Device Category:
Step 1 Select Admin > Network > Display Settings > Group Customization.
The Group Customization page appears.
Step 2 Check the Show Category Groups check box from the Device Type Based Groups panel.
Step 3 Click Apply to save your changes or click Restore Defaults to restore the default values.
To display the devices in groups and subgroups based on their Device Category and Series:
Step 2 Check the Show Series Groups check box from the Device Types Based Groups panel.
When you check the Show Series Groups check box, the Show Category Groups check box will also be
checked automatically and will be disabled.

4-12 OL-25947-01
To display the devices in groups and subgroups based on their Device Category, Series and Model:
Step 2 Check the Show Model Groups check box from the Device Type Based Groups panel.
When you check the Show Model Groups check box, the Show Category Groups and Show Series
Groups check boxes will also be checked automatically and will be disabled to you.
To hide the display of Device Type Based Folders from the Device Selector Pane:
Step 2 Go to the Device Type Based Groups Panel and uncheck all the check boxes.
Step 3 Click Apply to save your changes.
Customization of Subnet Groups
The Subnet Groups contains device groups from the Topology and Identity Services. By default, the
Subnet Based Groups folder is not displayed in the Device Selector pane.
You can customize the Device Selector pane to display the Subnet Based Groups folder using the Group
Customization option.
To display the devices under Subnet Based groups in the Device Selector Pane:
Step 2 Check the Show Subnet Groups at the First Level check box from the Subnet Based Groups Panel.
Customization of User Defined Groups
You can customize the User Defined Groups folder in the Device Selector pane to contain the following:
• Only User Defined Groups created by you in the local server
• Only User Defined Groups created by you in all Peer Servers in a Multi Server setup
• All User Defined Groups created by any user in the local server
• All User Defined Groups created by any user in all Peer Servers in a Multi Server setup
By default, you can view all the User Defined Groups (irrespective of any user) created in the local server
in the Device Selector pane.

OL-25947-01 4-13
To display only the User Defined Groups created by you:
Step 2 Select My User Defined Groups from the Show drop down list box in the User Defined Groups panel.
Step 3 Select either:
• Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
created by you in the local server.
Or
• All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups created by you in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4 Click Apply to save your preferences or click Restore Defaults to restore the default values.
To display all the User Defined Groups created by all users:
Step 2 Select All User Defined Groups from the Show drop down list box in the in the User Defined Groups
panel.
• Local Cisco Prime LMS Server from the From drop down list to display the User Defined Groups
in the local server.
Or
• All Peer Cisco Prime LMS Servers from the From drop down list box to display the User Defined
Groups in all the servers in a Multi-server setup.
In a Standalone Server Setup, the From drop down list box contains only Local LMS Server list item.
Step 4 Click Apply to save your preferences or click Restore Defaults to restore the default values.
Customizing Display Order of Device Groups

You can specify the order in which device groups appear in the Tree view on the Device Selector pane
using the Group Ordering option.
The Group Ordering setup is specific to each user and the changes will be reflected in the Device
Selector panes of all applications.
The default order of the groups displayed in the Device Selector pane is:
1. All Devices
2. Device Type Groups
3. User Defined Groups

4-14 OL-25947-01
Administering Device and Credential Repository
4. Subnet Groups
5. Application Specific Groups
You can change the order and save the configurations.
To change the order of the device groups:
Step 1 Select Admin > Network > Display Settings > Group Ordering.
The Group Ordering page appears.
Step 2 Select a group from the list displayed.
Step 3 Click Up to move the device group up in the displayed order or click Down to move down.
Step 4 Click Apply to save the changes to your system or click Restore Defaults to restore the default settings.

The DCR Administration feature allows you to do the following tasks:
• Changing DCR Mode
• Configuring Device Polling
• Configuring User Defined Fields
• Configuring Default Credentials
To perform these tasks, select Admin > Network > Device Credential Settings. The Admin page
appears with the current DCR Administration settings.
You can change the Mode Settings or modify User Defined fields.
Changing DCR Mode

To change Mode Settings:
Step 1 Select Admin > Network > Device Credential Settings > Mode Settings. The Mode Settings page
appears.
Step 2 Click Change Mode to change the current mode.
The DCR Mode dialog box appears. You can select the required mode from this dialog box.
This section contains information on:

• Master-Slave Configuration Prerequisites
• Changing the Mode to Standalone
• Changing the Mode to Master
• Changing the Mode to Slave

OL-25947-01 4-15
Master-Slave Configuration Prerequisites

Before you set up the Master and Slave, you have to perform certain tasks to ensure that secure
communication takes place between the Master and Slave.
Tip We recommend you to configure the Master and all its Slaves in the management domain with the same
version of LMS software. See Using DCR Features in a Master-Slave Setup section in the Inventory
Management Guide.
If machine M is to be the Master and S is to be the Slave:
Step 1 Add a Peer Server User and password in M

See Setting up Peer Server Account for details.
Step 2 Add a System Identity user and password in S. This should be same as the Peer Server User set up in M.
See Setting up System Identity Account for details.
Step 3 Copy the Self-Signed Certificate of S to M. Also, copy the Self-Signed Certificate of M to S.
See Creating Self Signed Certificates for details on creating Self-Signed Certificate and Setting up Peer
Server Certificate for details on copying Peer Certificate.
Step 4 Configure S as Slave and M as Master.
Changing the Mode to Standalone
Step 1 Select the Standalone radio button.

Step 2 Click Apply to change mode.
The default DCR mode is Standalone.
Changing the Mode to Master

Before you change the mode to Master, ensure that Master-Slave Configuration Prerequisites are in
place.
Step 1 Select the Master radio button.

Step 2 Click Apply to change mode.
Changing the Mode to Slave

Before you change the mode to Slave, ensure that Master-Slave Configuration Prerequisites are in place.
You need to perform the following tasks:
Step 1 Select the Slave radio button.

Step 2 Enter the hostname of the Master in the Master field.
This hostname should exactly match the Hostname field in the Self Signed Certificate of the Master.

4-16 OL-25947-01
Step 3 Specify the SSL port of the master. Default is 443.

Step 4 Select Inform Current slave(s) of new Master Hostname only if you want to change the mode from
Master to Slave.
If you select this check box, all the slaves of the Master (whose mode you currently changed to Slave)
will be informed of the new master hostname. That is, they will become the slaves of the new Master.
Step 5 Select the Add new devices to Master check box to add the devices in Slave to the new Master.
If the devices are already available in the new Master, they will be discarded.
Step 6 Click Apply.
A warning message appears when the Master server has the earlier version of LMS.
Step 7 Click OK to change the mode to Slave.
To cancel the change of mode, click Cancel.
Note You must restart the daemon manager after the mode change to Slave is complete.
Changing the Hostname of a Master

Changing the hostname of a Master is equivalent to pointing Slaves to a new Master.
When you point a Slave/Standalone to a new Master, DCR checks whether the new Master has the same
Domain ID as the current machine.
If Domain ID is the same, DCR displays an error message that Master cannot be configured since the
new Master has the same Domain ID.
In this case, you need to convert the Slave to Standalone, and then register the machine with the new
Master. When you re-register, the applications on Slave will clean up the device list.
When you change the host name of the current Master, you must change the Slave mode to Standalone,
and then re-register the machine as a Slave by providing the new Master hostname. However, when the
machine is re-configured as Slave, the applications will clean up the device list.
For example, if you have a Master M and Slave S, and if you change the hostname of M, you should
change the mode of S to standalone. Then, you have to configure S as the Slave of M. But when you
re-configure S as Slave, the applications on S will clean up their device lists.
Therefore, you have to be aware that while changing the hostname of a Master, application data is
cleaned up on all Slaves.

OL-25947-01 4-17
Configuring Device Polling

In the earlier releases, there was no mechanism to detect the devices that were not reachable for a certain
time period and easily identify the devices to be deleted.
The Device Polling configuration feature overcomes this and helps you to:
• Activate Device Polling to check whether the devices can be reached
• Configure Device Polling policy
• Schedule Device Polling
• Display a list of devices that are not reachable for a certain period of time
• Delete the selected unreachable devices from DCR
You should have the required privileges to configure Device Polling policy.
You should be a Network Administrator, or a System Administrator to perform this task in Local
Authentication mode.
You should have the following privileges to delete the devices:
• Privileges to perform the Delete Devices task
• Device level authorization
• Configuring Device Polling Settings
• Deleting Unreachable Devices from DCR
Configuring Device Polling Settings

You can configure a Device Polling policy and schedule a Device Polling job to check whether the
devices can be reached.
Read the following notes before you configure Device Polling settings:
• You can use any one or more of the following protocols to poll devices:
– ICMP (Ping)
– SNMPv3
– SNMPv2c/SNMPv1
• When you select all protocols, the devices in the network are polled using ICMP (Ping) first
followed by SNMPv3, and later by SNMPv2c/SNMPv1.
• When you select SNMPv2c/SNMPv1 protocol, SNMPv2c is used first to poll the devices. SNMPv1
is used to poll the devices only if the SNMPv2c protocol has failed to query the device.
• If you use more than one protocol for polling and if a device is reachable using the first protocol,
the other protocols will not be used.
• You can configure only one job at a time to detect unreachable devices. You can modify the schedule
later at any point of time.
• You cannot schedule an immediate Device Polling job.
• In a Master-Slave setup, you can configure Device Polling settings and run the Device Polling job
only from Master server.

4-18 OL-25947-01
To configure a Device Polling policy:
Step 1 Select Admin > Network > Timeout and Retry Settings > Device Poll Settings.
The Device Poll Settings page appears.
Step 2 Select the Activate Device Polling to Check Reachability check box to enable Device Polling.
Device Polling is not enabled by default. You must select this check box to activate Device Polling.
Step 3 Configure a Polling Policy. To do so:
a. Enable one or all of the check boxes in the Poll Policy panel to select the protocols to be used for
polling:
– ICMP (Ping)
– SNMPv3
– SNMPv2c/SNMPv1
You must select at least one protocol to activate Device Polling.
b. Enter the timeout value for the selected protocols in the appropriate Timeout fields.
The timeout denotes the time period after which the ICMP or SNMP query of devices times out.
You must enter the timeout value in milliseconds. The minimum timeout value is 1000 milliseconds
and the maximum value is 20000 milliseconds.
Default value is 1000 milliseconds.
You cannot leave this field blank.
c. Enter the value of retries for the selected protocols in the appropriate Retries fields.
The retry denotes the number of attempts made to query the device.
You can specify any value between 0 to 8 as number of retries. The default number of retry is 1 for
both ICMP and SNMP protocols.
You cannot leave this field blank.
d. Enter the number of instances in Notify when devices not reachable for, to receive notifications
when the devices are not reachable for a specific time period.
This is mandatory.
For example, if you enter the number of instances as 2 and the Device Polling job frequency as Daily,
you will receive notifications of devices that are not reachable for two days or more than 2 days.
If you enter the number of instances as 3 and the Device Polling job frequency as 6 hours, you will
receive notifications of devices not reachable for last 18 hours or more than 18 hours.
See Step 4 for details on the job frequencies available.
Step 4 Schedule the Device Polling task. To do this:
a. Select a job frequency from the Run Type drop-down list.
You can schedule only periodic Device Polling. The scheduling can be 6 -Hourly, 12 -Hourly, Daily,
Weekly, or Monthly.
b. Enter a date in the Date field or select a date from the date picker to start the scheduled job.
The current date on the client system is displayed in the Date field by default.
You can edit the schedule at a later point of time. See Step 5 for details.
If you do not want to edit the schedule, go to Step 7.

OL-25947-01 4-19
Step 5 Select the Change Schedule check box if you want to edit the schedule information (Run Type and
Starting Date).
This field does not appear after a fresh or upgrade installation of LMS or if a Device Polling job has not
been scheduled earlier.
If you opt to change the schedule, the existing job schedule is deleted from Job and Resource Manager
(JRM) and a job is scheduled. The device reachability status is also reset.
A warning message appears if you select this check box.
Step 6 Click OK.
Step 7 Enter the Job information. To do this:
a. Select the Report Attachment field if you want to receive the report through e-mail.
b. Select the Attachment Option as either PDF or CSV.
c. Enter a brief description about the Device Polling job in the Job Description field.
d. Enter your e-mail ID in the E-mail field to receive notifications about the status of the Device
Polling job.
Entering an e-mail ID is mandatory when you have selected the Report Attachment field.
Step 8 Click Apply for the Device Polling settings to take effect.
The Device Polling schedule is created and assigned with a job ID.
Notification is sent to the e-mail address you have configured in the Device Polling Settings page.
Deleting Unreachable Devices from DCR

The possible reasons for device unreachability are:
• Connectivity protocols such as SNMP or ICMP may be disabled on the device.
• Incorrect credentials may be configured for the device.
• Invalid timeout and retries may have been configured on the device.
To delete unreachable devices from DCR, select Reports > Inventory > Management Status >
Unreachable Devices.
Configuring User Defined Fields

The User Defined Fields (UDFs) are used to store the additional information about a device. DCR
supports a maximum of ten UDFs.
By default, the user interface provides four UDFs:
• user_defined_field_0

4-20 OL-25947-01
You can add six more UDFs through the user interface. You can rename or delete all the UDFs including
the four default UDFs provided by the user interface.
• Adding User Defined Fields
• Renaming User Defined Fields
• Deleting User Defined Fields
Adding User Defined Fields

To add a User Defined Field (UDF):
Step 1 Select Admin > Network Administration > Device Credential Repository Settings > User Defined
Fields.
The User Defined Fields page appears with the current settings.
Step 2 Click Add to add a UDF.
Step 3 Enter the field label and description in the corresponding fields.
Step 4 Click Apply to apply the changes. To return to the User Defined Fields page, click Cancel.
Renaming User Defined Fields

To rename a UDF:
Step 1 Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.
Step 2 Select the radio button corresponding to the UDF you want to rename.
Step 3 Click Rename.
The User Defined Field dialog box opens in a new window.
Step 4 Enter the UDF label and description in the corresponding fields.
Step 5 Click Apply. To return to the User Defined Fields page, click Cancel.

OL-25947-01 4-21
Deleting User Defined Fields

By default, you can define four attribute fields for a device. These fields are used to store additional
user-defined data for the device. You can add up to ten UDFs.
To delete a UDF:
Step 1 Select Admin > Network > Device Credential Settings > User Defined Fields.
The User Defined Fields dialog box appears.
Step 2 Select a UDF and click Delete.
A confirmation message window appears.
Step 3 Click OK. To return to the User Defined Fields page, click Cancel.
Configuring Default Credentials

Devices added or imported into DCR do not contain all credentials required by the network management
applications to manage them. Sometimes this could lead to failure of application jobs.
The default credentials feature helps you to add or import devices into DCR with the default credentials
and prevents the management applications from failing when the network management applications
manage the devices added or imported in DCR.
Default credentials are stored in DCR and are not associated with any device.
You can configure multiple default credential sets. You can set these default credential sets for a range
of devices to be added or imported to DCR based on certain policies.
You should be a Network Administrator, a System Administrator, or a Super Admin to configure default
credential sets and default credential set policies.
• Using Default Credentials
• Important Notes on Default Credentials
• Default Credentials Behavior in Multi-Server Setup
• Configuring Default Credential Sets
• Configuring Default Credential Set Policy
Using Default Credentials

You can choose to use the default credentials when you:
• Manually add devices in DCR
When you manually add devices with a similar credential set in DCR, you have to enter the
credentials repetitively for every device addition. Instead, you use the default credentials defined in
default credential sets or default credential set policies to populate DCR.
• Add devices into DCR through Discovery
Discovery populates only the SNMP read community string in DCR during device addition and
leaves the other credentials as blank.

4-22 OL-25947-01
When other applications manage the newly added device, the management operations fail if they
cannot retrieve the required credentials from DCR. To prevent the management operations failing,
you can use the default credentials while adding devices through Discovery.
• Import devices into DCR
Importing devices from a file, NMS or any other third party applications into DCR populates the
SNMP read-only community string and the SNMP read/write community string.
When other applications manage the newly imported devices, the management operations fail if they
could not retrieve the required credentials from DCR. To prevent the management operations from
failing, you can use the default credentials while importing devices from NMS or any other third
party application.
Important Notes on Default Credentials

You should read the following notes about the default credentials before you configure them and choose
to use them in various flows:
• The default credentials you use while adding or importing devices into DCR will not be verified.
• You can configure multiple default credential sets and add or import a set of devices in DCR with
default credentials from a default credential set. Later, you can edit the value of the credentials in a
default credential set and add another set of values with the edited default credentials.
• The devices that are already added or imported into DCR will not be affected if you edit the values
of the default credentials or remove the default credentials from DCR.
• Devices added with default credentials in DCR populates all the credentials you have configured for
the default credential set irrespective of the device management type.
For example, if you have configured the default credential set with Standard credentials, SNMP
credentials, and Auto Update Server Managed Device credentials and if you add a device of
Standard management type in DCR, the Auto Update Server Managed Device credentials are also
populated for that device.
• We recommend you to configure a default credential set with the values common for most of the
devices that are to be added or imported into DCR.
Default Credentials Behavior in Multi-Server Setup

You can configure the default credential sets and policies only in the DCR Master and Standalone modes.
This option is not available in the DCR Slave Server.
However, you can use the default credentials in the Cisco Prime applications in DCR Slave Server while
adding the devices to DCR. If you opt to use the default credentials, the DCR Slave Server uses the
credentials stored at the DCR Master Server.
If you configure a LMS Server from DCR Standalone to DCR Slave mode, the default credentials entered
in the server will not be used after the mode is changed to Slave. However, when you change the DCR
mode back to the Standalone mode from the Slave mode, the default credential sets and policies are
restored as configured earlier.

OL-25947-01 4-23
Configuring Default Credential Sets

You can configure a maximum of 50 default credential sets.
Each default credential set comprises the following credentials:
• Primary Credentials (Username, Password, Enable Password)
• Secondary Credentials (Username, Password, Enable Password)
• SNMPv2c/SNMPv1Credentials (Read-Only Community String, Read-Write Community String)
• SNMPv3 Credentials (Mode, Username, Authentication Password, Authentication Algorithm,
Privacy Password, Privacy Algorithm)
• HTTP credentials (Primary HTTP Username and Password, Secondary HTTP Username and
Password, HTTP port, HTTPS port, Current Mode)
• Auto Update Server Managed Device Credentials (Username and Password)
• Rx Boot Mode Credentials (Username, Password)
• Configuring a Default Credential Set
• Editing a Default Credential Set
• Deleting a Default Credential Set
Configuring a Default Credential Set
To configure a default credential set:
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets.
The Default Credentials Sets page appears.
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2 Click Next or select Credential Sets name from the Default Credentials list panel and enter the
respective credential information.
Step 3 Enter a name of the credential set in the Credential Set Name field. This is mandatory.
The Credential Set Name can contain lower case alphabets, upper case alphabets, and numerals (0 to 9).
You can include the following special characters in the Credential Set Name:
Special Character Description

_ Underscore
- Hyphen
. Period

4-24 OL-25947-01
Step 4 Enter a description of the credential set in the Set Description field.
Step 5 Click Next or select a credential type from the Default Credentials list panel and enter the respective
credential information. You can select any of the credential types from the panel.
• Standard Credentials
• SNMP Credentials
• HTTP Credentials
• Auto Update Server Managed Device Credentials
• Rx-Boot Mode Credential
Step 6 Enter the following credentials as required:
– Primary Credentials (Username, Password, Enable Password)
– Secondary Credentials (Username, Password, Enable Password)
– SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
– SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
Password, Privacy Algorithm)
You must select the SNMPv3 check box to add SNMPv3 default credentials. By default, these
fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode is
AuthPriv.
– Primary Credentials (Username, Password)
– Secondary Credentials (Username, Password)
– Other Information (HTTP Port, HTTPS Port, Current Mode)
• Auto Update Server Managed Device Credentials (Username, Password)
• Rx-Boot Mode Credentials (Username, Password)
Note Re-enter the value of passwords in the respective Verify fields.
You must enter a value for at least one credential before applying the default credentials.
Step 7 Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.

OL-25947-01 4-25
Editing a Default Credential Set
To edit a default credential set:
The Default Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone
LMS Servers. You cannot see this list item in DCR Slave Server.
Step 2 Click Next or select Credential Set Name from the Default Credentials list panel.
Step 3 Select a default credential set name from the Credential Set drop-down list box.
Step 4 Edit the description of the credential set in the Set Description field.
You cannot edit the name of the credential set.
Step 5 Click Next or select a credential type from the Default Credentials list panel.
Step 6 Edit the following credentials as required:
– Primary Credentials (Username, Password, Enable Password)
– Secondary Credentials (Username, Password, Enable Password)
– SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community
String)
– SNMPv3 Credentials (Mode, Username, Password, Authentication Algorithm, Privacy
Password, Privacy Algorithm)
You must select the SNMPv3 check box to add or edit SNMPv3 default credentials. By default,
these fields are disabled. When the SNMPv3 check box is selected, the default SNMPv3 mode
is AuthPriv.
– Primary Credentials (Username, Password)
– Secondary Credentials (Username, Password)
– Other Information (HTTP Port, HTTPS Port, Current Mode)
• Auto Update Server Managed Device Credentials (Username, Password)
• Rx-Boot Mode Credentials (Username, Password)
Note Re-enter the value of passwords in the respective Verify fields.
Step 7 Click Finish after you have entered all the values or click Cancel to cancel the changes. You can also
click Back to navigate to the previous page and click Remove to delete the Default Credential Set and
the credentials configured in this Credential Set, but it will not affect the devices that are already added
or imported with default credentials.

4-26 OL-25947-01
Deleting a Default Credential Set
To delete a default credential set:
The Credentials Sets list item is visible in the TOC only in DCR Master and DCR Standalone LMS
Servers. You cannot see this list item in DCR Slave Server.
Step 2 Select a credential set from Credential Set drop-down list box.
Step 3 Click Remove to delete a default credential set.
The selected default credential set is deleted from the LMS Server.
The default credential set policies that you have configured with this default credential set will also be
deleted.
Configuring Default Credential Set Policy

You can configure default credential set policies and apply the default credentials for a range of devices
to be added or imported to DCR.
We recommend that you create up to 50 default credential set policies.
You can create default credential set policies based on following policy types:
• IP Address
• Hostname
• Device Name
• Before Configuring a Credential Set Policy
• Creating a Default Credential Set Policy
• Patterns in IP Address Default Credential Set Policy Rules
• Regular Expressions in Default Credential Set Policy Rules
• Examples For Default Credential Set Policies
• Deleting Default Credential Set Policies
• Defining the Order of Default Credential Set Policies
Before Configuring a Credential Set Policy
Read the following notes before configuring a default credential set policy:
• You can include patterns when creating rules for IP Address based default credential set policies.
See Patterns in IP Address Default Credential Set Policy Rules for more information.
• Regular expressions are supported for policies based on Hostname and Device Names. IP Address
based policy types do not support regular expressions.
See Regular Expressions in Default Credential Set Policy Rules for more information.

OL-25947-01 4-27
• The expressions in default credential set policy rules are case insensitive.
• You can include the following characters in Device Name and Hostname:
– Lower case alphabets
– Upper case alphabets
– Numerals ( 0 to 9)
– Special characters such as hyphen (-), underscore (_), period (.) and colon (:)
• When you define more than one policy for a default credential set, all these policy rules work
together. The policies will be applied in the same order in which they appear on the Credentials Sets
Policy Configuration page.
See Defining the Order of Default Credential Set Policies for more information.
Creating a Default Credential Set Policy
To create a default credential set policy:
Step 1 Select Admin > Network > Device Credential Settings > Default Credential Sets Policy
Configuration.
The Default Credentials Sets Policy Configuration page appears.
The Default Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master
and DCR Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2 Click Add to add a default credential set policy.
The Add Credentials Policy Configuration dialog box appears.
Step 3 Construct a policy rule. To do so:
a. Select a parameter from the Select a Policy Type drop-down dialog box.
The listed parameters are IP Range, Hostname and Device Name.
Based on the parameter that you have selected, the value field name changes dynamically.
b. Enter a value for the rule parameter.
If you have selected IP Range as the rule parameter, enter a value in the IP Range field.
If you have selected Hostname as the rule parameter, enter a value in the Hostname field.
If you have selected Device Name as the rule parameter, enter a value in the Device Name field.
See Patterns in IP Address Default Credential Set Policy Rules and Regular Expressions in Default
Credential Set Policy Rules for more information.
The expressions in credential set policy rules are case insensitive.
c. Select a credential set name from the Credentials Set drop-down list box to associate the rule
expression with the default credential set.
Select No Default if you do not want to enter a credential set name.
Step 4 Click OK to go back to Credentials Sets Policy Configuration page.
The policy that you have configured is listed in the Credentials Sets Policy Configuration page.
You can edit a default credential set policy later. To do so, you must select a default credential set policy
in the Credentials Sets Policy Configuration page and click Edit.

4-28 OL-25947-01
Patterns in IP Address Default Credential Set Policy Rules
When you define a default credential policy type based on IP Address, you should follow these
guidelines:
• Use the standard IPv4 Address format (4 octets separated by periods) or the IPV6 Address format.
• Any octet can have one of the following:
Any Octet can have.. Example

Numbers between: • 10.77.240.225 (IPv4 Address)
• 0 to 255 for an IPv4 Address • 001:DB8:0:2AA:FF:C0A8:0:640A
(IPv6 Address)
• 0 to FFFF for an IPv6 Address
Asterisk (*) as wildcard denoting all numbers from • 10.*.*.240 (IPv4 Address)
0 to 255 in an IPv4 Address and 0 to FFFF in an
• 001:*:0:2AA:FF:*:*:* (IPv6 Address)
IPv6 Address.
Range of numbers in the • 10.77.[220-240].[210-220] (IPv4
[StartingNumber-EndingNumber] format, where: Address)
– StartingNumber and EndingNumber should • 001:DB8:0:[EE-FF]:FF:C0A8:0:[100-AA
be numbers between 0 to 255 in an IPv4 F] (IPv6 Address)
Address and 0 to FFFF in an IPv6 Address
The following are examples of invalid IP
– StartingNumber should not be greater than Address ranges:
or equal to EndingNumber
• 10.77.[250-200].221
• 10.77.200-250.221
• 001:DB8:0:[EEEE-FF]:FF:C0A8:0:[D-5]
• 001:DB8:0:AA-BB:FF:C0A8:0:[D-5]
• The octets in an IP Address policy type can also contain the combination of wildcard characters and
range of numbers. Some examples of IP Address filter combinations include:
– 10.77.[210-230].*
– 10.77.*.[110-210]
– 001:DB8:*:*:FF:[C0A-DD8]:0:[5-D]
– [10-20]:[10-20]:[A-F]:2:4:*:*:*

OL-25947-01 4-29
Regular Expressions in Default Credential Set Policy Rules
Hostname and Device Name policy types supports regular expressions.

You can use the following characters in regular expressions:
Characte
r Description Purpose
. Period Matches any character
( Opening parenthesis Marks the beginning of a group of matched characters
) Closing parenthesis Marks the end of a group of matched characters
* Asterisk Matches zero or more occurrences of regular expression specified
earlier
+ Plus character Matches zero or more occurrences of regular expression specified
earlier
\ Trailing slash Identifies a special character within a regular expression
Examples For Default Credential Set Policies
Example 1 - IP Range Policy Type

Consider that all devices whose IP Addresses are within the range 10.77.[210-230].*, should be added
or imported to DCR with the default credentials defined in a default credential set IPSet.
You should create a default credential set policy based on the IP Range policy type. To do so:
Configuration.
The Credentials Sets Policy Configuration page appears.
Step 3 Construct the policy:
a. Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b. Enter the IP Range value as 10.77.[210-230].*
c. Select the Default Credential Name as IPSet
Step 4 Click OK to go back to Default Credential Sets Policy Configuration page.
The policy that you have configured will be listed in a table format.
Example 2 - IP Range Policy Type

Consider that all devices whose IP Addresses are within the range
100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15], should be added or imported to DCR with the default
credentials defined in a default credential set IPv6Set.
You should create a default credential set policy based on the IP Range policy type. To do so:

4-30 OL-25947-01
Configuration.
a. Select the policy type as IP Range from the Select a Policy Type drop-down list box.
b. Enter the IP Range value as 100:DB8:*:*:FF:[C0A8-DD88]:0:[10-15]
c. Select the Default Credential Name as IPv6Set
Example 3 - Device Name Policy Type

Consider that all devices whose Device Names end with or contain device, should be added or imported
to DCR with the default credentials defined in a default credential set SetName2.
You should create a default credential set policy based on the Device Name policy type. To do so:
Configuration.
a. Select the policy type as Device Name from the Select a Policy Type drop-down list box.
b. Enter the value as (.)*device
c. Select the Default Credential Name as SetName2
Example 4 - Device Name Policy Type

Consider that all devices whose Device Names contain 1.3.6.1.4.1.9.1.n, should be added or
imported to DCR with the default credentials defined in a default credential set SOIDset.
You should create a default credential set policy based on the Device Name policy type. To do so:
Configuration.

OL-25947-01 4-31

a. Select the policy type as Device Name from the Select a Policy Type drop-down list box.
b. Enter the value as (.)*\.1\.3\.6\.1\.4\.1\.9\.1\.(.)
c. Select the Default Credential Name as SOIDset
Example 5- Host Name Policy Type

Consider that all devices whose Hostnames start with Che, should be added or imported to DCR with
the default credentials defined in a default credential set SetName1.
You should create a default credential set policy based on the Hostname policy type. To do so:
Configuration.
a. Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b. Enter the value as Che(.)*
Example 6- Host Name Policy Type

Consider that all devices whose Hostnames contain lab2, should be added or imported to DCR with the
default credentials defined in a default credential set SetName3.
You should create a default credential set policy based on the Hostname policy type. To do so:
Configuration.
a. Select the policy type as Host Name from the Select a Policy Type drop-down list box.
b. Enter the value as (.)*lab2(.)*.

4-32 OL-25947-01

Deleting Default Credential Set Policies
To delete default credential set policies:
Configuration.
The Credentials Sets Policy Configuration list item is visible in the TOC only in DCR Master and DCR
Standalone LMS Servers. You cannot see this list item in DCR Slave Servers.
Step 2 Select a default credential set policy to delete.
You can also select multiple default credential set policies to delete.
Step 3 Click Delete to remove the default credential set policies.
Defining the Order of Default Credential Set Policies
You can specify the order in which the default credential set policies should be applied for devices that
are added or imported into DCR.
The default credential set policies are applied in the order they appear on the Credentials Sets Policy
Configuration page. The default credential set policies appearing at the top of the list are applied first.
You can create more than one default credential set policy for a default credential set.
When you define more than one policy for a default credential set, all these policy rules work together.
For example, consider 10.77.240.[50-52] as a first IP Address policy associated with a default credential
set name Test1 and 10.77.240.* as the second IP Address policy associated with a default credential set
name Test2.
The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.240.[50-52]
added or imported into DCR. The default credentials defined in Test2 will be applied for all devices in
the IP range 10.77.240.* except the devices with IP Addresses 10.77.240.50, 10.77.240.51 and
10.77.240.52.
For example, consider 10.77.*.* as a first IP Address policy for a default credential set name Test1 and
10.77.210.* as the second IP Address policy for a default credential set name Test2.
The default credentials defined in Test1 will be applied for all devices in the IP range 10.77.*.* added
or imported into DCR. The policy rule 10.77.210.* will never be applied as 10.77.210.* is a subset of
10.77.*.*.
To specify the order of default device credentials policies:
Configuration.
The Credentials Sets Policy Configuration page appears with a list of default credential set policies.

OL-25947-01 4-33
Step 2 Select a default credential set policy.

Step 3 Either:
• Click the Up Arrow icon to move the selected default credential set policy up in the displayed order.
Or
• Click the Down Arrow icon to move the selected default credential set policy down in the displayed
order.
Step 4 Click Apply Settings to save the changes.

4-34 OL-25947-01
CHAPTER 5
Managing Groups
LMS 4.2 combines the device grouping with a new attribute list.
The other grouping services that are available in LMS are:
• Fault Group - supports 50 groups
• IPSLA Collector Group - supports 100 groups
• Port and Module Group - supports 100 groups
The numbers of groups that LMS supports will vary according to the SKU that you use. For more details,
see Application Scaling Numbers section in the Installing and Migrating to Cisco Prime LAN
Management Solution 4.2 guide.
• Groups - Components and Basic Concepts
• Groups in Single-Server and Multi-Server Setup
• Device Group Administration
• DCR Mode Changes and Group Behavior
• Port and Module Group Administration
• Working with Fault System-defined Groups
• Working with Customizable Groups
• Managing Fault Groups
• Viewing Fault Group Details
• Viewing Fault Membership Details
• Refreshing Fault Membership
• Deleting Fault Groups
• Understanding Collector Group Rules
• IPSLA Collector Group Administration Process
• Understanding IPSLA Collector Group Administration
• Working with User-Defined Collector Groups
• Operation-Based Collector Groups (System-Defined)

OL-25947-01 5-1
Chapter 5 Managing Groups
Groups - Components and Basic Concepts
Groups - Components and Basic Concepts

This section explains the components of a group and the basic concepts of a group.
Components
The following are the components of a group:
• Group Server:
Manages groups of devices. It helps you to create, edit, delete, and refresh groups to be shared by
the application. It interfaces with an application service adapter (ASA) to evaluate group rules and
retrieve devices of a particular group.
• Application Service Adapters (ASAs):
Application-specific information repository that serves as source of the devices and attributes that
are grouped by the Groups Server.
Till LMS 3.2, ASA was an interface between applications and Groups Server.
In LMS 4.2, there is only a single ASA.
• Group Admin:
Allows you to interact with the Groups Server to create and manipulate groups using Group Admin.
Basic Concepts
The following are the basic concepts of a group:
• Group Class:
Representation of a set of devices belonging to DCR. In this context a device in Device and
Credential Repository (DCR) is a single instance of a class. Each instance (device) will have a set
of attributes and a unique device ID.
• Group Object:
Device in a group class. Each device in the group will have a set of attributes stored in DCR.
Associated with every device is a unique and immutable device ID.
• Group:
Named aggregate entity comprising a set of devices belonging to a single class or a set of classes,
with a common superclass. Groups can be shared between users or applications, subject to
access-control restrictions. The membership of a group is determined by a rule.
• Group Rule:
Consists of one or more rule expressions combined by operators, which can be AND, OR or
EXCLUDE. A rule always evaluates to objects of a particular class defined in an application schema.

5-2 OL-25947-01
Groups in Single-Server and Multi-Server Setup
Groups in Single-Server and Multi-Server Setup

This section has the following subsections:
• Groups in Single Server Scenario
• Groups in Multi-Server Scenario
Groups in Single Server Scenario

The devices you see in the Group Administration UI in depends on whether the devices are being
managed by LMS or not, and not on any application like CS, RME, CM.
In LMS 3.2, if there are Common Services, LMS, and RME installed on a server, you can see the
following groups in the Groups UIs of the applications.
• CS@hostname
• RME@hostname
• Campus@hostname
In LMS 4.2, there are no separate applications and there are four types of groups:
• Device Groups
The device group name is LMS@hostname, instead of CS@hostname, RME@hostname, and
Campus@hostname. LMS supports 200 device groups.
• Fault Groups
These groups are created by the Fault Management module in LMS, and consist of interface, trunk
port, and access port groups. Each group has a set of properties (such as a name, description, and
permission.), and are defined by the rules associated with the group.
• IPSLA Collector Groups
You can group IPSLA collectors based on a set of criteria such as operation name, operation type,
source address, target address.
• Port and Module Groups
You can group ports and modules for easy port and module selection in various configuration
workflows.
Groups in Multi-Server Scenario

Groups you create in LMS groups UI in the Master get synchronized with the Slave.
If you create a subgroup under LMS@Master hostname in one server, it appears under LMS@Slave
hostname in the peer server.
However, in the Master server, if you create a subgroup under LMS@Master hostname, it will always
appear under LMS@\Slave hostname\, in the Slave. That is, the subgroup created in the Master appears
under the shared group of the application in the Slave.
When the user-defined group under master and the user-defined group under slave has the same group
name, then when doing master slave setup, the master group will be retained in slave. The slaves group
will get deleted.

OL-25947-01 5-3
Device Group Administration
Once the master slave setup is done, when we add a group in master it will be synced with slave only
after OGS process is restarted. The direct sync up will be done only during the setup. After setup, both
the OGS will act as a individual servers.
Note You can create groups in LMS even if the server on which it is installed is in Slave mode.
If you have created a subgroup under LMS@Master hostname , in S, you can see this subgroup under
LMS@Slave hostname.
In a cluster, if you have M as the Master, and S1 and S2 as M’s slaves, and you want to evaluate S1’s
groups from S2, you need to import the certificate of S1 to S2 and vice versa.

The Group Administration UI helps you to create, edit, view, delete, export, import, and refresh groups.
The UI displays a Group Selector that contains the following predefined higher-level groups:
• System-defined Groups
• User-defined Groups
The System-defined Groups shows subgroups only after Device and Credential Repository is populated.
The predefined sub-groups under System-defined Groups are:
• Cisco Interfaces and Modules
• Network Management
• Non Cisco Devices
• Routers
• Switches and Hubs
• Subnet Based Groups
Contains sub folders representing subnets (one folder per subnet) discovered in the network. Each
folder contains the devices corresponding to those subnets.
Note Subnets groups will appear only after a successful Data Collection.
• Voice and Telephony

• Unknown Device Type
• Universal Gateways and Access Servers
• Wireless
You can create subgroups only under User-defined Groups. You cannot create them under
System-defined Groups. However, you can view the details of a subgroup under System-defined Groups
and refresh the group.
Note Group Administration UI will be enabled only on servers in which DCR is in Master or Standalone
mode. The groups created in DCR Master will be copied to Group Administration instances on servers
where DCR is in Slave mode.

5-4 OL-25947-01
The following sections provide information on how to perform group administrative tasks in LMS 4.2:
• Migrating Device Groups from Previous Releases of LMS
• Creating Groups
• Viewing Group Details
• Modifying Group Details
• Refreshing Groups
• Deleting Groups
• Exporting Groups
• Importing Groups
• Overview of Subnet Based Groups
Migrating Device Groups from Previous Releases of LMS

The following table explains migration of device groups from previous releases of LMS, in the table. In
this example, Group A is an application group created separately in CS, RME, and CM, in earlier
versions of LMS:
Common Services
LMS Version UDG/SDG RME UDG/SDG Campus Manager UDG/SDG
3.2.1 Group A Group A Group A
4.2 After migration to After migration to LMS After migration to LMS 4.2,
LMS 4.2, Group A is 4.2, Group A is not Group A is not available
Available available
3.2.1 — Group A Group A
4.2 — After migration to LMS After migration to LMS 4.2,
4.2, Group A will not be Group A will not be available
available
3.2.1 — — Subnet-based groups
4.2 You must create new — After migration to LMS 4.2, CM
subnet-based groups Subnet-based groups will not be
after a successful available.
Data Collection
Creating Groups
• Specifying Group Properties
• Defining Group Rules
• System Defined Attributes
• Assigning Group Membership
You can create device groups using this feature.
To create a new device group:

OL-25947-01 5-5
Step 1 Either:
• Select Admin > System > Group Management > Device.
The Group Administration page appears.
Or
• Select Inventory > Group Management > Device.
The Group Administration in the Group Administration page provides you with Group Selector.
Step 2 Select the group from the groups listed in Group Selector to create a new subgroup.
The Group Info fields on the right, display details of the selected group.
The group you select here is the Parent group for the new group that you are about to create. You can
change the Parent group later, if required. You cannot create groups under System-defined Groups but
you can view details and refresh the group.
Users in admin role have read-write access to User-Defined groups based on the visibility scope (Public
or Private). If you have the required permissions, you can create subgroups under groups.
Step 3 Click Create to create a new group.
The Group Administration Creation wizard is launched and guides you through the process of creating
a new group.
Perform the following tasks using the Groups Create wizard.
a. Specify group properties. See Specifying Group Properties for information.
b. Define group rules. See Defining Group Rules for information.
c. Assign group membership. See Assigning Group Membership for information.
The first page in the wizard is the Properties:Create window. While creating a new group you must complete
all of the above three tasks in this sequence to create a group.
If you exit the wizard at any stage by clicking Cancel, the details you have specified will be lost and the
group will not be created.
The recommended limit for creating User-Defined group is 200, but you are allowed to create upto 600
User-Defined groups in LMS.
Example
To create a group of all Energywise capable devices:
Step 1 Either:
Or
The Group Administration in the Group Administration page provides you with Group Selector.
Step 2 Select User Defined Groups from the groups listed in Group Selector to create a new subgroup.

5-6 OL-25947-01
Step 3 Click Create to create a new group.

The Properties page appears.
Step 4 Enter the name Energywise_capable devices in the Group Name field in the Properties:Create dialog
box.
Note See Specifying Group Properties for more details.
Step 5 Click Next.

The Rule Dialog box appears.
Step 6 Create an expression in the Rules:Create dialog box by entering:
a. Select Variable as EnergyWise.EnergyWisestate
b. Select Operator as =
c. Enter the Value as EnergyWise_capable
You can also check the syntax of the group rule entered.
Note See Defining Group Rules for more details.
Step 8 Click Next.

The Group Membership Assigning page appears.
Step 9 Select one or more devices in Available Objects From Parent Group column.
To select multiple devices, hold the Ctrl or Shift keys down and click on the devices.
Step 10 Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.
Note See Assigning Group Membership for more details.
Step 11 Click Next.

The Summary page appears.
Step 12 Click Finish.
Specifying Group Properties

While specifying group properties, you can enter the properties such as name and description, and
modify the parent group, if required, and update membership, and specify the visibility scope.
To complete the tasks in this phase:
Step 1 Either:

OL-25947-01 5-7
• Select Admin > System > Group Management > Device. Click
Or
Step 2 Click the Create button in the Group Administration.
Step 3 Enter a name for the group in the Group Name field in the Properties:Create dialog box.
The group name should be unique within the Parent group. However, it need not be so across groups.
The same group name cannot be used in the same group hierarchy.
For example, if you have a group /LMS@Servername/User Defined Groups/MyView, you cannot create
another group with the same name “MyView” under /LMS@Servername/User Defined Groups.
Step 4 Click Select Group, if you want to copy the attributes of an existing group.
The Replicate Attributes dialog box appears.
Step 5 Select the group you need from the Replicate Attributes list and click OK. To return to the Properties
page, click Cancel.
Step 6 Click Change Parent, to change the Parent group.
The Group Selector page appears.
Step 7 Select the group you need from the Select Parent list.
Step 8 Click OK.
The Group Administration wizard changes the Parent group to the one you selected. To return to the
Properties page, click Cancel.
Step 9 Enter a description for the group.
Typically, you can enter a detailed description of the group that identifies its characteristics in this field.
Step 10 Select the Membership Update mode for the group.
The modes of membership updates available are:
• Automatic:
The membership of the group is updated when you add a new device to the group, and each time the
group is invoked.
• Only Upon User Request:
The membership of the group is recomputed only when an explicit request is made, using the
Refresh option.
If you select Automatic, the group will be a Dynamic group. If you select Only Upon User Request,
the group will be a Static group.
Step 11 Select either Public or Private to specify the visibility scope.
• Private
The group created can be viewed only by user who creates the group.
• Public
The group created can be viewed by all users.

5-8 OL-25947-01
Step 12 Click Next to get to the Rule:Create dialog box. See Defining Group Rules to define simple and
composite group rules.
Defining Group Rules

In the Rules:Create dialog box, you can define the rules for the group. The rules you define in this phase
determine the contents of the group. The rules you specify here determine the devices to be included in
the group.
In the Rules:Create dialog box, you can either enter the rules directly in the Rule Text field, or select the
components of the rule from the Rule Expression fields, and form a rule.
The rule expression has the following components:
Object.Variable operator “value”
If you have created the group by copying the attributes of another group, the rules specified for that group
appear in the Rule Text field. You can retain these and add more rules, or delete these rules and create a
new set of rules.
The Rules:Create dialog box allows you to check the syntax in the Rules Text field. You can use this
facility to validate the rules you have created. If you leave the rule blank, it creates a Container group.
Click View Parent Rules to display the rules defined for its ancestor groups.
• Defining a Group Rule
• Defining Composite Group Rules
• Using IP Address Range Operator
• Examples
• System Defined Attributes
Before you launch the Rule:Create dialog box, ensure that you have completed all the tasks in
Properties:Create dialog box. See Specifying Group Properties for more information.
Defining a Group Rule
To create a group rule:
Step 1 Complete all the tasks in the Properties page. See Specifying Group Properties for more information.
Step 2 Delete the rules displayed in the Rule Text field, if any.
Step 3 Select appropriate parameters for the following:
• Object Type — Denotes the object type used for forming a group. All expressions start with the
string Device.
• Variables — Denotes the device attributes, which are used to form a device group.
See System Defined Attributes for details on the variables.
• Operators — Denotes the various operators to be used with the rule. The list of operators includes
equals, contains, startswith and endswith. The list of operators changes dynamically with the value
of the variable selected.

OL-25947-01 5-9
For the ManagementIpAddress variable, you can select a range operator other than the standard list
of operators. See Using IP Address Range Operator for more information.
• Value — Denotes the value of the variable. The value field changes dynamically based on the value
of the variable and operator selected, and the field type can be a text field or a list box.
The Group Administration wizard creates the rule based on the parameters you specified and adds the
rule to the Rules Text field.
For example, the rule type:
Device.DisplayName equals "joe"
will select the device with the DisplayName joe.

The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type
field in Rules Expression.
You can form composite rules using the OR, AND, or EXCLUDE options in the Boolean operator field.
See Defining Composite Group Rules for more information.
You can validate rules that are entered directly into the Rules Text field, or rules formed using the Add
Rules Expression option in the dialog box.
• To check whether the syntax is valid, click Check Syntax.
• To view the rules defined for the parent groups, click View Parent Rules.
Step 5 Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.
If you have entered an invalid IP Address range or invalid values in the Value field, an error message will
be displayed. You should correct the values and then navigate to the Membership:Create dialog box.
Defining Composite Group Rules
A Composite rule contains more than one rule expression separated by a Boolean operator.
The Boolean Operators OR, AND, or EXCLUDE appear in the Rules:Create dialog box only when you
have entered at least one rule expression.
When the composite rule has more than two simple rule expressions, you can adjust priorities among the
expressions using opening and closing parenthesis.
To create a composite rule:
Step 1 Delete the rules displayed in the Rule Text field and click any other field.
Step 2 Form a simple rule. See Defining a Group Rule for details.
The Group Administration wizard creates the rule based on the parameters you specified and adds the
rule to the Rules Text field.
The Rules:Create dialog box refreshes and displays the Boolean operator field before the Object Type
field in Rules Expression.
Step 4 Select a Boolean Operator from the drop-down list.

5-10 OL-25947-01
Step 5 Select the appropriate parameters for Object Type, Variables, and Operators.
Step 6 Enter a value in the Value field.
You can validate rules that are entered directly into the Rules Text field or rules formed using the Add
Rules Expression option in the dialog box.
• To check whether the syntax is valid, click Check Syntax.
• To view the rules defined for the parent groups, click View Parent Rules.
Step 8 Click Next.
The wizard takes you to the Membership:Create dialog box, where you can further refine the group
definition by adding or deleting specific devices from the group. See Assigning Group Membership for
more information.
Using IP Address Range Operator
The range operator enables you to group the devices of the specified range of IP Addresses. You can
select the range operator only for the ManagementIpAddress and IP.Address variables.
You should enter the range of IP Addresses in the Value field, to create a group rule based on IP Address
ranges.
When you enter the IP Address range in the text field, you should:
• Specify the range with permissible values for one or more octets in the IP Address.
The minimum limit in the range is 0 and the maximum limit is 255.
• Use the hyphen character (-) as a separator between the numbers that indicate a range.
• Specify the range of IP Addresses within the [and] characters to create a group rule.
For example, you can enter 10.10.10.[0-255] or 10.10.[0-255].[0-255] in the Value field.
You should not:
• Enter numbers less than 0 and greater than 255 in the IP Address range.
• Enter any characters other than the range separator (-).
• Enter the value of the highest limit in the range as less than the value of smallest limit number. For
example, you should not enter 10.10.10.[8-4].
See Behavior of IP Address Range Based Device Groups in Multi-Server Setup for more information on
the IP Address Range based device groups in a multi-server setup.
Examples

• Example to Create a Simple Group Rule
• Example to Create a Composite Group Rule
• Example to Create a Group Rule Using Range Operator
Example to Create a Simple Group Rule

To create a group of all devices ending with the hostname Test, you should:

OL-25947-01 5-11

a. Select Variable as HostName
b. Select Operator as endswith
c. Enter the Value as Test
Example to Create a Composite Group Rule

If you want to group all the devices in the network that match the following criteria:
• Device Name of the device should contain TestDevice
• Category of the device should be equal to Routers or IP Address of the device should starts with
10.77
To create this composite rule:

a. Select Variable as DisplayName
b. Select Operator as contains
c. Enter the Value as TestDevice
Step 3 Create another rule expression by entering:
a. Select AND as the Boolean operator
b. Select Variable as Category
c. Select Operator as equals
d. Enter the Value as Routers
The rule is appended into the Rule Text.
Step 5 Create another rule expression by entering:
a. Select OR as the Boolean operator
b. Select Variable as ManagementIPAddress/IP.Address
c. Select Operator as startswith
d. Enter the Value as 10.77
The following composite rule is formed in the Rule Text Area:
Device.DisplayName contains “TestDevice” AND
Device.Category equals “Routers” OR
Device.ManagementIpAddress startswith “10.77”

5-12 OL-25947-01
Step 7 Edit the rule expression in the text area to adjust the priorities among the group expressions.
You should place two rule expressions together within an opening and a closing parentheses. Ensure that
you leave a space between the parenthesis and the group expressions.
The edited composite rule is:
Device.DisplayName contains "TestDevice" AND
( Device.Category equals "Routers" OR
Device.ManagementIpAddress startswith "10.77" )
Step 8 Click Next to proceed further.
Example to Create a Group Rule Using Range Operator

To group all devices whose IP Addresses are within the range 10.10.0.207 to 10.10.212.247, you
should:

a. Select Variable as ManagementIPAddress/IP.Address
b. Select Operator as range
c. Enter the Value as 10.10.[0-212].[207-247]
You can also check the syntax of the group rule entered
System Defined Attributes

The following table provides details on some of the System Defined attributes that are available in LMS.
These are predefined attributes, available by default.
Note In LMS 4.2, the attributes State (Device.State) and System.SystemOID (Device.System.SystemOID) are
not available. If you backup and restore any group created in older versions of LMS using these
attributes, the groups will not be restored.

OL-25947-01 5-13
Table 5-1 Group Attributes in LMS
Attribute Description Example

Asset.CLE_Identifier CLE identifier of the asset. To create a group of all devices having asset
CLE identifier CLE12:
• Select the variable
Asset.CLE_Identifier
• Select the operator equals.
• Enter the value CLE12.
Asset.Part_Number Orderable part number of the asset. To create a group of all devices having asset
part number PN123:
Asset.Part_Number
• Enter the value PN123.
Asset.User_Defined_Identifier User-defined identifier of the asset To create a group of all devices having user
defined asset identifier UD34:
Asset.User_Defined_Identifier.
• Enter the value UD34.
Category Category into which the device falls. The To create a group of all routers in the
first level entries in the Device Type tree network.
in DCR Device Management UI.
• Select the variable Category.
• Select the operator contains.
• Enter the value router.
Chassis.Model_Name Name of the model. To create a group of all devices containig
chassis model name WS-C6506:
Chassis.Model_Name
• Enter the value WS-C6506.
Chassis.Number_Of_Slots Number of slots in that chassis. To create a group of all devices containig 10
chassis slots.
Chassis.Number_Of_Slots
• Select the operator =.
• Enter the value 10.

5-14 OL-25947-01

Chassis.Port_Count Total port count of the chassis. To create a group of all devices having
chassis port count more than 5.
Chassis.Port_Count.
• Select the operator >.
Chassis.Serial_Number Serial number of the chassis. To create a group of all devices containing
chassis serial number SSI1.
Chassis.Serial_Number.
• Enter the value SSI1.
Chassis.Vendor_Type Vendor type of the chassis. To create a group of all devices containing
chassis vendor type cevChassisN5k.
Chassis.Vendor_Type.
• Enter the value cevChassisN5k.
Chassis.Version Version number of the chassis. To create a group of all devices containing
chassis version 0.102.
• Select the variable Chassis.Version.
• Enter the value 0.102.
DeviceName Device name, as you want it to be To create a group of all devices having
represented in reports or graphical Device Name starting with 10.77.132.
displays. This can be derived from Host
• Select the variable DeviceName.
Name, Management IP Address or
Device Identity. • Select the operator startswith
• Enter the value 10.77.132.
DomainName Domain name of the device. To create a group of all Cisco.com devices.
• Select the variable DomainName.
• Enter the value Cisco.com.

OL-25947-01 5-15

EnergyWise.Domain_Name Name of the EnergyWise domain. To create a group of all devices having
EnergyWise Interfaces Information.
EnergyWise.Domain_Name.
• Enter the value Interfaces
Information.
EnergyWise.EnergyWiseState EnergyWise status of the device, for To create a group of all EnergyWise-capable
example, EnergyWise-capable devices, devices.
EnergyWise-enabled devices,
EnergyWise-hardware-incapable devices
EnergyWise.EnergyWiseState.
and EnergyWise-software-incapable
devices. • Select the operator =.
• Enter the value EnergyWise-capable
devices.
EnergyWise.Importance EnergyWise Importance of the device. To create a group of all devices having
EnergyWise importance 2.
This value prioritizes the devices in a
domain based on their power usage. • Select the variable
EnergyWise.Importance.
EnergyWise.Keyword A word that will help you identify a To create a group of all devices having
specific device or group of devices in the EnergyWise keyword switch.
EnergyWise domain.
EnergyWise.Keyword.
• Enter the value switch.
EnergyWise.Role Role or function of the device in the To create a group of all devices having
EnergyWise domain. EnergyWise role router.
• Select the variable EnergyWise.Role.
• Enter the value router.
Flash.File_Name Location of Flash file. To create a group of all devices having Flash
file name /20-oct.cfg.
• Select the variable Flash.File_Name.
• Enter the value /20-oct.cfg.

5-16 OL-25947-01

Flash.File_Size Flash file size in MB. To create a group of all devices having Flash
file size greater than 20 KB.
• Select the variable Flash.File_Size.
Flash.Model_Name Model name of the Flash device. To create a group of all devices having Flash
model name starting with c3725-i.
Flash.Model_Name.
• Select the operator startswith.
• Enter the value c3725-i.
Flash.Partition_Free Free space in MB. To create a group of all devices having Flash
free space greater than 50 MB.
Flash.Partition_Free.
Flash.Partition_Name Flash partition name. To create a group of all devices having Flash
partition name flash:1.
Flash.Partition_Name.
• Enter the value flash:1.
Flash.Partition_Size Flash partition size in MB. To create a group of all devices having Flash
partition size less than or equal to 20 MB.
Flash.Partition_Size.
• Select the operator <=.
Flash.Size Total Flash device size in MB. To create a group of all devices having Flash
size greater than or equal to 50 MB.
• Select the variable Flash.Size.
• Select the operator >=.

OL-25947-01 5-17

HostName Device Host name. To create a group of all devices ending with
the hostname 3750:
• Select the variable HostName
• Select the operator endswith.
Image.ROM_Sys_Version System ROM software version To create a group of all devices having
system ROM software version 12.4(25):
Image.ROM_Sys_Version.
• Enter the value 12.4(25).
Image.ROM_Version Version of ROM. To create a group of all devices having ROM
image version 12.2(8r)T2:
Image.ROM_Version.
• Enter the value 12.2(8r)T2.
Image.Sys_Description Image system description To create a group of all devices having ROM
image version 12.2(8r)T2:
• Select the variable Image.Sys_Version.
• Enter the value 12.2(8r)T2.
Image.Version Running device image version. To create a group of all running devices
having image version 12.4(25):
• Select the variable Image.Version.
• Enter the value 12.4(25).
ImageVersion Software version running on the device. To create a group of all devices having
image version 12.2(52)SE:
• Select the variable ImageVersion.
• Enter the value 2.2(52)SE.
IP.Address Device IP address. To group all devices whose IP Addresses are
within the range 10.10.0.0 to 10.10.50.255
• Select the variable IP.Address.
• Select the operator range.
• Enter the value 10.10.[0-50].[0-255].

5-18 OL-25947-01

IP.Address_Type Version of IP, IPv4 or IPv6 To group all IPv6 devices:
• Select the variable IP.Address_Type.
• Select IPv6.
IP.Network_Mask Network mask address To group all devices having network mask
address starting with 255.255.255:
• Select the variable IP.Network_Mask.
• Enter the value 255.255.255.
IPv4.Subnet IPv4 subnet of a device. To create a group of all devices having
subnet 32:
• Select the variable IPv4.Subnet.
IPv4.SubnetMask IPv4 subnet mask of a device. To create a group of all devices having
subnetmask starts with 255.
• Select the variable IPv4.SubnetMask.
IPv6.Subnet IPv6 subnet of a device. To create a group of all devices having
subnet 32
• Select the variable IPv6.Subnet.
IPv6.SubnetMask IPv6 subnet mask of a device. To create a group of all devices having
subnetmask starts with 255.
• Select the variable IPv6.SubnetMask.
ManagementIpAddress IP Address used to access the device. To group all devices having Management IP
Both IPv4 and IPv6 address types are address starting with 10.77.215:
supported.
ManagementIpAddress.
• Enter the value 10.77.215

OL-25947-01 5-19

MDFId Normative name for the device type as To create a group of all devices having MDF
described in Cisco Meta Data Framework ID 323.
(MDF) database. Each device type has a
• Select the variable MDFID.
unique normative name defined in MDF.
Memory.Free Free memory in MB. To create a group of all devices having free
Memory greater than 83 MB.
• Select the variable Memory.Free.
Memory.Name Name of the memory. To create a group of all devices having
Memory name starting with workspace:
• Select the variable Memory.Name.
• Enter the value workspace.
Memory.Size Total RAM size in MB. To create a group of all devices having
Memory size greater than 512 MB.
• Select the variable Memory.Size
Memory.Type Memory type. To create a group of all devices having
processorMemory.
• Select the variable Memory.Type
• Enter the value processorMemory.
Memory.Used Used memory in MB. To create a group of all devices having
Memory used size less than 30 MB.
• Select the variable Memory.Used
• Select the operator <.
Model Model of the device. The third level To create a group of all Cisco 3101 Routers.
entries in the Device Type tree in DCR
• Select the variable Model
Device Management UI.
For example, the model Cisco 3101
Router falls under the Cisco 3100 • Enter the value Cisco 3101 Routers.
Series Routers, which comes under the
category Routers.

5-20 OL-25947-01

Module.HW_Version Module hardware version. To create a group of all devices having
Module hardware version 3.x
Module.HW_Version.
Module.Model_Name Name of the model. To create a group of all devices having
model name starting with NM-16.
Module.Model_Name.
• Enter the value NM-16.
Module.Port_Count Total ports on that module. To create a group of all devices having 16
port modules.
Module.Model_Count.
Module.Serail_Number Serial number of the module. To create a group of all devices having
module serial number starting with FOC08.
Module.Serail_Number.
• Enter the value FOC08.
Module.Vendor_Type Vendor type of the module. To create a group of all devices having
module vendor type starting with cevPwr.
Module.Vendor_Type.
• Enter the value cevPwr.
Processor.Model_Name Name of the model. To create a group of all devices having
pentium processor.
Processor.Model_Name.
• Enter the value pentium.

OL-25947-01 5-21

Processor.NVRAM_Size Size of the processor NVRAM in MB. To create a group of all devices having
NVRAM greater than 512 KB.
Processor.NVRAM_Size.
Processor.NVRAM_Used Size of the processor NVRAM that has To create a group of all devices with
been utilized, in MB. NVRAM used size greater than 23 KB.
Processor.NVRAM_Used.
Processor.Port_Count Total port count of the processor To create a group of all devices having 24
ports processor.
Processor.Port_Count.
Processor.RAM_Size Size of the processor RAM in MB. To create a group of all devices having
processor RAM of 0f 128 MB.
Processor.RAM_Size.
Processor.Serial_Number Serial number of the processor. To create a group of all devices containing
processor serial number JAE081.
Processor.Serial_Number.
• Enter the value JAE081.
Processor.Vendor_Type Vendor type of the processor. To create a group of all devices containing
processor vendor type cevCpu37252fe.
Processor.Vendor_Type.
• Enter the value cevCpu37252fe.

5-22 OL-25947-01

Series Series to which the device belongs. The To create a group of Cisco 3100 Series
second level entries in the Device Type Routers.
tree in DCR Device Management UI.
• Select the variable Series.
• Enter the value Cisco 3100 Series
Routers.
System.ASP_Capability Groups devices according to their Auto To create a group of all ASP_Enabled
Smartport capability devices.
System.ASP_Capability.
• Select the value ASP_Enabled.
System.Contact Device contact person name. To create an User Defined group whose
member devices have a common system
contact person, J Smith
• Select the variable System.Contact.
• Enter the value J Smith.
System.Description Description of the system. To create a group of all devices having Cisco
IOS software.
System.Description.
• Enter the value Cisco IOS software.
System.DomainName Device domain name. To create a group of all Cisco.com devices.
System.DomainName.
• Enter the value Cisco.com.
System.Identity_Capability Groups devices according to their To create a group of all Identity_Enabled
Identity capability devices.
• Select the variable System.Identity_
Capability.
• Select the value Identity_Enabled.

OL-25947-01 5-23

System.Location Device location information. To create a System Defined Group whose
member devices are located in Bldg 1
Devices
• Select the variable System.Location.
• Enter the value Bldg 1 Devices.
System.Name Name of the device as configured by the To create a group of all devices whose
Administrator. system name has NDX
• Select the variable System.Name.
• Enter the value NDX.
System.OSTYPE Type of the operating system. To create a group of all devices having
UNIX OS.
• Select the variable System.OSTYPE.
• Enter the value UNIX.
System.Smart_Install_Directors Groups devices according to their Smart To create a group of all Smart Install
Install capability software incapable devices.
System.Smart_Install_Directors.
• Enter the value Smart
Install_SW_Incapable.
SystemObjectID SysObjectID of the device as configured To group all devices whose systemObjectID
by the Administrator. It may be starts with 1.3.6.1.4.1.9
UNKNOWN in the case the facility that
• Select the variable SystemObjectID.
populates the repository does not know
the value. • Select the operator startswith.
• Enter the value 1.3.6.1.4.1.9.
The User-Defined Fields (UDFs) available in the variable drop-down list is taken from DCR. You can
create UDFs at Admin > Network > Device Credential Settings > User Defined Fields. For details,
see Adding User Defined Fields.
If you create a UDF that is similar to one of the predefined System Defined attributes, an _UDF suffix is
appended to the User-Defined Field you add, to distinguish these two attributes.
For example if you create a UDF called DisplayName (which is one of the predefined attributes present
in the Variable drop-down list), this will be displayed as DisplayName_UDF.
Note You should not create a UDFs in the format System Defined Field_UDF, where System Defined Field
stands for any attribute listed in the above table.

5-24 OL-25947-01
By default, four UDFs are available. You can create an additional six UDFs in DCR. The maximum
number of UDFs that can be added in the Variable drop-down list is 10.
Assigning Group Membership

You can include more devices or exclude devices using this option. To decide the devices that will be
available to the group you have created, the wizard uses the details of the parent members and rules you
have already specified.
These devices appear in Available Objects From Parent Group column based on the properties and rules
you have already specified in the Properties:Create and Rule:Create dialog boxes. See Specifying Group
Properties and Defining Group Rules for more information.
Note You can add devices from the list of available objects in the parent group even if they do not match
membership criteria.
To add devices to the group you have created:
Step 1 Select one or more devices in Available Objects From Parent Group column.
Step 2 Click Add.
The selected devices are removed from the Available Objects From Parent Group and added to the Object
Matching Membership Criteria column.
Note The newly added devices will not be included in the jobs scheduled prior to their addition to the group.
You must reschedule the job and select the group again.
To remove devices from the group:
Step 1 Select one or more devices in Object Matching Membership Criteria column.
Step 2 Click Remove.
The selected devices are removed from the Object Matching Membership Criteria column and added to
Available Objects From Parent Group.
Step 3 Click Next.
The Summary:Create window appears. It displays the group name, the parent group, description, the
membership update type, group rules, and the visibility scope of the group you created.
If you want to change the parameters, click Back to go back to the previous windows and make changes.
Step 4 Click Finish to create the group based on the parameters specified.

OL-25947-01 5-25
Viewing Group Details

You can view the details of a group using this feature.
To view the details of a group:
Step 1 Either:
Or
Step 2 Select a group from the Group Selector pane.
The Group Info pane on the right side displays the high-level properties of the selected group.
Step 3 Click Details.
The Group Administration wizard displays the details of the group in Properties:Details window.
• Click View Parent Rules to display the rules set for the parent group.
The rules set for the parent group are displayed in the Show Parent Rules window.
• Click Membership Details to display a list of devices and their corresponding object types.
The membership details are displayed in Membership:Details window.
In the Membership:Details window, you can:
– Click on the column headers to sort the entries in the table.
– Select the number of rows to be displayed in the table in the Rows per page option.
• Click Property Details to return to the Property:Details window.
Step 4 Click Cancel to return to the Group Administration and Configuration page.

5-26 OL-25947-01
Modifying Group Details

You can modify some of the details for a group using this feature.
To modify the details of a group:
Step 1 Either:
Or
The Group Info fields on the right side displays details of the selected group.
Step 3 Click Edit.
The Group Administration wizard guides you through the process of editing a group. It displays the
details of the group in Properties:Edit window.
Step 4 Change the Group Name, Description, Membership Update, and Visibility Scope in the Properties:Edit
dialog box.
You cannot change the Parent group or copy attributes from a different group in Edit mode.
Step 5 Click Next.
The wizard takes you to the Rules:Edit window.
Step 6 Change the rules as required. For details on creating the rules, see Defining a Group Rule.
Step 7 Click Next.
The wizard takes you to the Membership:Edit window.
Step 8 Add or remove devices from the list of objects in Objects Matching Membership Criteria as required.
For details on creating the rules, see System Defined Attributes.
Step 9 Click Next.
The wizard takes you to the Summary window.
If you want to change the parameters specified, click Back to go back to the previous windows and make
changes to the properties or rules.
Step 10 Click Finish to modify the group.
Step 11 Click OK.
The Group Administration wizard copies the attributes of the selected group and displays it in the
corresponding fields in Properties:Create window.
Note that the Parent group you have selected for the group does not change even if you are copying
attributes from a group that belongs to a different Parent group.

OL-25947-01 5-27
Refreshing Groups
You can recompute the membership of a group by re-evaluating the group rule. The membership of
Automatic groups is recomputed dynamically.
The membership of Only-upon-user-request groups is recomputed only when explicitly refreshed with
this option.
Note Only users with read-write access can refresh the Only-upon-user-request groups.
To refresh a group:
Step 1 Either:
Or
The Group Info fields on the right pane displays details of the selected group.
Step 3 Click Refresh.
The Group Administration popup window prompts you for confirmation.
Step 4 Click Yes.
The selected group is recomputed and the window, refreshed.
Whenever you delete devices from a group, refresh the group so that group membership is recomputed.
Deleting Groups
You can delete a group from the Group Selector. When you delete a group, all the child groups under the
group are also deleted. You can also delete the stale groups (groups that belong to users removed from
Cisco Prime).
To delete a group:
Step 1 Either:
Or
Step 2 Select the group from the Group Selector.

5-28 OL-25947-01
The Group Info fields on the right pane displays details of the selected group.
The Group Administration prompts you for confirmation.
Step 4 Click Yes.
The selected group is deleted.
See Deleting Stale Groups Using CLI for more information on how to delete stale groups using CLI.
Exporting Groups
This feature helps you to export a User-defined group hierarchy into a file.
You can export a selected User-defined group hierarchy or all User-defined groups in a LMS Server to
an output file.
Private User-defined groups created by other users will not be exported. However, the
privateUser-defined groups created by you will be exported.
You must have Network Administrator, System Administrator or Super Admin privileges to export
groups.
In a Multi-server setup, you can export the User-defined groups installed in all LMS Servers of the same
DCR domain. You can do this from a DCR Master Server and a Slave server.
Grouping Services supports exporting User-defined groups to an XML format only. CSV file formats are
not supported.
See Sample Export Groups Output File for sample XML file generated by the Grouping Services export
utility.
Note We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:
• Exports Groups from the User Interface. See Exporting Groups From User Interfacefor details.
or
• Export Groups through the CLI. See Exporting Groups Through CLI for details.
• Sample Export Groups Output File
• Exporting Groups From User Interface
Sample Export Groups Output File

<?xml version="1.0" encoding="UTF-8"?>

<ogs-groups>
<server name="LMS@server-name">
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/CSDyna</name>

OL-25947-01 5-29
<description> </description>
<rule/>
<evaluation-type>2</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_ID" tag-value="CS$216"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
</tags>
</ogs-group-definition>
<ogs-group-definition>
<name>/CS@server-name/User Defined Groups/CSStat</name>
<description/>
<rule>:CMF:DCR:Device.DisplayName contains "77"</rule>
<evaluation-type>1</evaluation-type>
<scope>PUBLIC</scope>
<tags>
<tag tag-name="__VIRTUAL_ROOT" tag-value="LMS@server-name"/>
<tag tag-name="USER_DEFINED" tag-value="TRUE"/>
<tag tag-name="__GROUP_OWNER" tag-value="admin"/>
<tag tag-name="__GROUP_ID" tag-value="CS$221"/>
</tags>
</ogs-group-definition>
</server>
</ogs-groups>
Exporting Groups From User Interface

To export device groups from the user interface:
Step 1 Select Admin > System > Group Management > Device.
Step 2 Select a User-defined Group hierarchy from the Group Selector.
Step 3 Click Export.
The Export Groups dialog box appears.
Step 4 Select either one of the following options:
• Export the selected User-defined Group hierarchy— Exports the selected User-defined Group and
its child groups.
Or
• Export All Applications User-defined Groups —Exports all User-defined Groups from all
applications installed on all LMS Server in the same DCR domain.
The browser-specific File Download window appears prompting you to open or save the output XML
OGSExport.xml file.
Step 5 Click either of the following buttons:
• Open to open the XML file
Or
• Save to store the file on the client system with the same or a different filename.

5-30 OL-25947-01
Importing Groups
This feature helps you to import User-defined group hierarchies from an input XML file to the LMS
Server.
Note You cannot import User-defined groups from older versions of LMS to LMS 4.0 and later versions.
You can import User-defined groups from an input file to the LMS Server.
The private User-defined groups in the input XML file will be imported as your private User-defined
groups in LMS Server. They will not be visible to other users.
You must have Network Administrator, System Administrator or Super Admin privileges to import
groups.
In a Multi-server setup, you can import User-defined groups from a DCR Master Server and a Slave
server.
Note We recommend that you use the file generated by the Grouping Services export utility for import
operations and do not edit the XML file.
You can:
• Importing Groups From User Interface
Or
• Importing Groups Through CLI
• Important Notes on Importing Groups
• Importing Groups From User Interface
Important Notes on Importing Groups

Read the following notes before importing User-defined groups:
• You must have the required file permissions to select a source XML file for import groups operation.
• After importing groups, the group selector may take some time to refresh and display the latest
groups information.
You must launch the Groups Administration page again to view the newly imported groups.
To launch the Groups Administration page, select Admin > System > Group Management >
Device.
• Importing groups from an input XML file fails if:
– The groups to be imported to the selected Grouping Server locations already exist.
– The User-Defined Fields (UDF) that are configured for the import group rules are not available
in the Grouping Servers to which the groups are to be imported.
Importing Groups From User Interface

To import device groups from the user interface:

OL-25947-01 5-31
Step 1 Either:
Or
Step 2 Click Import.
The Import Groups - File Selection dialog box appears.
Step 3 Enter an input XML file name in the File Name field or click Browse to select a file from the client
system.
The Import Groups dialog box appears with a list of import groups specified in the input XML file.
Step 4 Select the list of groups to be imported from the Import Groups From field.
Step 5 Select a server location to which the groups are to be imported in the Import Groups to Servers field.
You can select multiple Grouping Server locations or All to select all the Grouping Server locations.
This field is disabled on LMS Servers operating in the DCR Standalone mode.
Step 6 Click OK.
A message appears indicating if the groups were imported or not.
See Important Notes on Importing Groupsfor the possible causes of the import job failure.
See Using Group Administration Features Through CLI for more information on using group
administration feature using CLI.
Overview of Subnet Based Groups

Subnet based groups are automatically created when devices are managed. These are a part of System
defined groups. You cannot create, edit or delete them.
Subnet based groups help you work on smaller subsets of devices that are logically grouped. They are
automatically deleted when all the devices in a subnet are deleted.
This topic covers:
• Accessing Subnet Based Groups
• Understanding Subnet Based Groups
• Creating Groups Based on Subnet
Accessing Subnet Based Groups

To access Subnet based groups:
Or

5-32 OL-25947-01
DCR Mode Changes and Group Behavior

This displays the Group Management page. The Group Selector field displays two groups,
System-defined Groups and User Defined Groups. The Subnet Based Groups are created under System
Defined Groups.
Understanding Subnet Based Groups

The Subnet based groups use the following name format:
Subnet -- Subnet Mask.
The rule expression for Subnet Based Groups has the following components:
Class.attribute operator "value"
For example,
Device.IP.Subnet equals "172.20.104.192" AND Device.IP.SubnetMask equals "255.255.255.240"
The rule above will select all devices of subnet 172.20.104.192 and subnet mask 255.255.255.240.
Creating Groups Based on Subnet

When you need to create subnet based groups, you can do it under User defined groups.
For example, the following rules might be used to create two groups based on the IP address subnet:
Device.IP.Subnet equals "172.29.252.32"
Device.IP.Subnet equals "172.29.252.64"
The examples provided here are simple. However, the Grouping Service allows complex rules to be
arbitrarily formed by combining rule expressions with AND, OR or the EXCLUDE operators. This gives
the administrator the power and flexibility to create view partitions tailored to the needs of their site.

The DCR modes have a bearing on how groups are displayed in the Groups UI. Also the DCR mode
decides whether you can perform any operation on the groups.
In Standalone mode, you can create system-defined and user-defined groups.
In Slave mode, LMS allows you to preserve the user-defined groups, and create new system-defined
device groups.
The port and module groups, Fault groups and Collector groups are not affected by the change in the
DCR mode.
All DCR devices in the Slave are removed, and synchronized with the Master server. Therefore, in a
cluster that has several Slaves and a Master, if you need to create LMS group, you need to go to the LMS
Groups UI in the Master and create the group. The group you create there, will be synchronized with the
Slaves.

OL-25947-01 5-33
The following table gives details of DCR mode changes and implications on Groups.
Mode Changed to:

The Initial Standalone Slave Master
Mode
Standalone Not applicable. Slave will get Master’s groups, both No change in the Group
system-defined and user-defined groups. hierarchy.
You can also create new user-defined
groups in the Slave. These groups will not
be shared with the Master or other slaves in
the domain.
Device Allocation Policy gets disabled
(Inventory > Device Administration >
Device Allocation Policy).
Slave Device Allocation Policy gets Not applicable. Device Allocation Policy gets
enabled. The groups pertaining enabled. Groups pertaining to the
to Master and Slaves will be previous Master and the
removed. associated Slaves will be
removed.
The existing Device Allocation
Policy is retained. Local groups will behave in the
same manner.
The existing Device Allocation
Policy is retained.
Master All dependent Slaves will If you select Inform current Slaves of new Not applicable.
switch to Standalone mode. Master Hostname when you change the
mode to Slave, all the Slaves in the domain,
All groups pertaining to other
switch to the new Master.
machines will be removed.
Device Allocation Policy will In this case, the groups in the Master will be
be enabled on all machines in seen in the new Slave. Device Allocation
the cluster. Policy gets disabled.
If this check box is not selected, the new
Slave will pickup the groups of the new
Master. Other Slaves in the domain will
move to Standalone mode.
Unregistering a Slave
The Unregister Slave utility helps you unregister a Slave that is no longer a part of the domain.
The utility is useful in the following scenarios:
• Change in Slave mode because of Backup and Restore. That is, if data is restored from Standalone
or Master belonging to a different domain.
• When you uninstall Cisco Prime from the Slave.
• Change in Slave mode, when master is not reachable. If the Master is down when the Slave mode
changes, the Master will not be aware of the Slave mode change, when it comes up.
The Master will not receive any data from the Slave, but the Slave information will still be in its registry.
A redundant group (such as LMS@Slave) will still appear in the Master Groups UI.

5-34 OL-25947-01
Port and Module Group Administration
In the case of DCR, any device operation on Master will update the Slave list. However, this does not
happen in the case of Groups.
You can run the UnregisterSlave utility to remove any unwanted slave information:
From the CLI, run:
NMSROOT/bin/perl NMSROOT/bin/UnregisterSlave.pl slave host name
You have to enter the hostname of the machine you want to unregister.
For information on effects of backup-restore on data, DCR modes, and Groups, see Effects of
Backup-Restore on DCR and Effects of Backup-Restore on Groups.
Behavior of IP Address Range Based Device Groups in Multi-Server Setup

The range operator allows you to group devices within a specified range of IP addresses.
In a Master-Slave setup:
• When the Master server is using an earlier version of LMS, you cannot create device groups based
on IP Address range.
• When the Slave server is using an earlier version of LMS, the IP Address Range based device groups
information in the Master is synchronized with the Slave.
Even if you change the mode of Slave server to Standalone, the IP address range based device groups
will remain as they were in the Groups Server.
However, you cannot retrieve the device group information from the Standalone LMS Server to view
it in the user interface. To retrieve and view the device group information, you should either:
– Upgrade the LMS in Standalone LMS Server to LMS 4.2.
Or
– Change the mode of the LMS Server that has the earlier version of LMS 4.2 from Standalone to
Slave for a DCR Master with the latest version of the software.

LMS allows you to create groups based on ports and modules for a selected set of devices or device
groups using Port and Module Group Administration.
Notes for Port and Module Configuration

1. Port and Module configuration depends on the data collected by LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.
2. You must trigger a fresh inventory collection to update all the port and module attributes.
3. If the data collection is not successful, then data will not be available for some attributes.
4. The following are the recommended number of ports in LMS:
1. The maximum number of ports supported in LMS is 500,000 ports.
2. The maximum number of ports supported in a port group is 100,000 ports.
3. The maximum number of ports supported in an LMS job is 250,000 ports.

OL-25947-01 5-35
4. In some devices, duplicate entries are returned for the ifName MIB. In such cases, only one entry
for the ifName will be considered and the duplicate entries will be dropped.
5. The port information is fetched from the ifXtension MIB. If the ifXtension MIB is not supported in
the device, then port configuration for the device will not work.
For example, if a device supports only SNMPv1, then ifXtension MIB will not be supported in the
device. In this case, the port configuration for the device will not work.
The LMS Port and Module Group Browser window contains these fields. (See Table 5-2)
Table 5-2 Fields on Port and Module Group Browser
Field/Button Description
Group Name Name of the group created.
By default, the following System-defined groups are displayed:
• 1 Gbps Ethernet Ports—Contains all 1 Gbps Ethernet ports in the network.
• 10 Gbps Ethernet Ports—Contains all 10 Gbps Ethernet ports in the network.
• 10 Mbps Ethernet Ports—Contains all 10 Mbps Ethernet ports in the network.
• 100 Mbps Ethernet Ports—Contains all 100 Mbps Ethernet ports in the network.
• Access Ports—Contains all the Access mode ports.
• DMP Ports—Contains all ports connected to DMP.
• End Hosts—Contains all ports connected to End Hosts.
• IP Phones—Contains all ports connected to IP Phones.
• IPVSC Ports—Contains all ports connected to IPVSC.
• Link Ports—Contains all ports connected to other devices.
Description Description of the group created.
Group Type Type of the group created. For example, Port or Module.
Created By User who created the group.
Last Modification Time at which the group settings were last modified.
Time.
Rows per page This page displays the number of rows you have set for display in the Rows per page field.
You can increase the rows to 500 for each page by selecting the Rows per Page drop-down list. You
can navigate through the pages of the report using the navigation icons at the bottom right of this table.
Create Starts the Group Creation Wizard for creating a group, as described in the Creating Port and Module
Groups.
Edit Starts the Group Edit Wizard for editing an existing group, as described in the Editing Port and Module
Groups.
View Allows you to view the group details, as described in the Viewing Port and Module Group Details.
Delete Deletes the group, as described in the Deleting Port and Module Groups.
You can perform the following tasks from the LMS Port and Module Group Browser window:
• Creating Port and Module Groups
• Editing Port and Module Groups

5-36 OL-25947-01
• Viewing Port and Module Group Details

• Deleting Port and Module Groups
Creating Port and Module Groups

Creating a Port and Module Group involves the following steps:
1. Entering the Port and Module Group Properties Details
2. Selecting Group Source
3. Defining Rule Expression for Port or Module Groups
4. Understanding the Summary
You must complete all tasks in this sequence to create a group. If you exit the wizard at any stage using
Cancel, the details you have specified will be lost and the group will not be created.
Note Port and Module configuration depends on the data collected by the LMS Inventory. For the Port and
Module configuration to work properly, the inventory collection for the devices must be successful.
Entering the Port and Module Group Properties Details

In this step, you will enter the name and description for the group.
The Port and Module Group Properties dialog box contains the following fields. (See Table 5-3)
Table 5-3 Fields on the Port and Module Group Properties dialog box
Field Description
Group Name Name of the group you are creating.
Description Text description of the group.
To enter the values in Port and Module Group Properties dialog box:
Step 1 Either:
• Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups. (See Table 5-2).
Or
• Select Inventory > Group Management > Port and Module.
Step 2 Click Create.
The Group Properties page appears.
Step 3 Enter a unique name for the group in the Group Name field.
Step 4 Enter a description for the group in the Description field (optional).
Step 5 Click Next.

OL-25947-01 5-37
The Select Group Source page appears, displaying the Device Selection dialog box.
Selecting Group Source

In this step, you need to select the Group source. This can be either devices or groups (System-defined
or User-defined).
The Select Group Source page displays the Device Selection and Group Selection dialog box. The
Device Selection and Group Selection dialog box contains the following fields. (See Table 5-4)
You must select either devices or device groups from Device Selector or Group Selector, respectively.
Table 5-4 Fields on the Device Selection dialog box
Fields Description
Device Selector Displays all LMS devices in the group.
Search Input Enter the search expression in this field.
You can enter single device names or multiple device names. If you are entering
multiple device names, separate them with a comma. You can also enter the
wildcard characters “*” and "?".
For example: 192.168.10.1*, 192.168.20.*
Search Use this icon to perform a simple search of devices based on the search criteria
you have specified in the Search Input text field.
For information on Search, see Performing Simple Search.
Advanced Search Use this icon to perform an advanced search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Advanced Search, see Performing Advanced Search.
All Lists all User-defined and System-defined groups for all applications that are
installed on LMS Server.
For more information, see Selecting Devices From All Tab.
Search Results Displays all the search results from Search or Advanced Search.
For more information, see Selecting Devices From Search Results.
Selection Lists all the devices that you have selected in the Search Results or All tab.
Using this tab, you can deselect devices from the list.
Group Selector Displays all groups in LMS.
To select the group source:
Step 1 Either:
• Select Device Selector.
• Select the devices.
or
• Select Group Selector.

5-38 OL-25947-01
• Select the groups.

Step 2 Click Next.
The Rule Express page appears.
Defining Rule Expression for Port or Module Groups

In this step, you will define the rules for creating port or module groups. The rules you define in this
phase, determine the contents of the group. The rules you specify here, determine the ports and modules
to be included in the group.
You can either enter the rules directly in the Rule Text field, or select the components of the rule from
the Rule Expression fields, and form a rule.
The Rules Expression page contains the following fields:
Field/Buttons Description
Object Type Select the following object types to form a group:
• Module
• Port
Variable Object type attributes, based on which you can define the group.
See Rule Attributes for Port and Module Creation.
Operator Operator to be used in the rule. The list of possible operators change, based on the variable
selected.
When using the equals operator the rule is case-sensitive.
Value Value of the rule expression. The possible values depend upon the variable and operator that you
select. Depending on the operator selected, the value may be free-form text or a list of values.
Wildcard characters are not supported.
Add Rule Expression Adds the rule expression to the group rules.
(Button)
Rule Text Displays the rule.
Check Syntax Verifies that the rule syntax is correct.
(Button) Use this button to verify the syntax of the rule that you have created before proceeding to the
next step.

OL-25947-01 5-39
Include Include List popup opens and lists all the modules or ports from the selected devices that do not
match the rule. You can choose to include those modules or ports for group creation.
(Button)
The Include List popup will also list the modules or ports that match the rule but will not be
enabled for selection.
Click Include to launch the Include List window. See Table 5-5 for descriptions of the fields in
the Include List window.
You can also include modules or ports for the selected devices, without specifying a rule, by
clicking Include.
Exclude Exclude List popup opens and lists all the modules or ports from the selected devices that match
the rule. You can choose to exclude those modules or ports for group creation.
(Button)
The Exclude List popup will also list the modules or ports that do not match the rule but will not
be enabled for selection.
Click Exclude to launch the Exclude List window. See Table 5-5 for descriptions of the fields
in the Exclude List window.
To define the group rule:
Step 1 Go to the Rules Expression page.

Step 2 Set the parameters for Object Type, Variable and Operator.
Step 3 Enter the desired value for the Variable you have selected.
The LMS Port and Module Group Administration creates the rule based on the parameters you have
specified and adds it to the rules already present in the Rules Text field. You can use the same procedure
to add more rules.
You can manually add or change any text in the Rule Text box.
Step 5 Click Include or Exclude.
• Include—A popup window appears, allowing you to include ports or modules for the group. See
Table 5-5 for the descriptions of the fields in the Include List window.
• Exclude—A popup window appears, allowing you to exclude ports or modules for the group. See
Table 5-5 for the descriptions of the fields in the Exclude List window.
Step 6 Click Check Syntax to validate the rules expression syntax.
• If the syntax is correct, an information box appears with a message, The rule syntax is valid.
• If the syntax is incorrect, an error box appears with a message, You have entered an invalid
rule. Enter a valid rule. See the Help for examples of valid rules.
For examples on defining valid rules, see Examples for Port and Module Groups.
Step 7 Click Next.
The Summary page appears, displaying the group properties. See Understanding the Summary.

5-40 OL-25947-01
Note You can also include modules or ports for the selected devices, without specifying a rule, by clicking
Include.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have a higher priority.
Rule Attributes for Port and Module Creation

The following table lists the available attributes that you can use to define rules to create port and module
groups.
Object
Type Attribute Description
Module AdminStatus Administrative status of the module. For example,
Enabled/Commissioned.
FW_Version Firmware version of the module. For example, 12.1(27b)E1
ModuleName Name of the module. For example, Linecard
OperStatus Operational status of the module. For example, Dormant
SlotNumber Slot number of the module. For example, 6
SW_Version Software version of the module. For example, 12.1(27b)E1
VendorType Vendor type of the module. For example, cevAS53004ct1

OL-25947-01 5-41
Object
Port AdminStatus Administrative status of the port. For example, Disabled/Decommissioned
CM.AccessStatus Whether the port is an Access port or not.
CM.Channel Whether the port is a channel port.
CM.Duplex The duplex mode of the port. The values could be unknown-duplex,
full-duplex, half-duplex, default, disagree, auto-duplex.
CM.JumboFrameEnabled Whether the port is JumboFrame enabled or disabled.
CM.L2L3 Whether the port is in switched or routed mode.
CM.LinkStatus Link status of the port. Whether the link is up or down.
CM.Neighbor Whether the port is connected to a device, IP Phone, or End Host.
CM.TrunkStatus Whether the port is a Trunk port. If trunk is configured in the port, then it
is a trunk port.
CM.VLAN_ID The index of the VLAN configured on the port.
CM.VLAN_NAME Name of the VLAN configured on the port.
CM.VTP_DOMAIN Name of the VTP Domain that the port is associated with.
EnergyWise_Importance EnergyWise Importance of the device.
This value prioritizes the devices in a domain based on their power usage.
EnergyWise_Role Role or function of the device in the EnergyWise domain.
EnergyWise_Keyword A word that will help you identify a specific device or group of devices in
the EnergyWise domain.
FlexLink Whether the FlexLink status of the port is enabled or disabled.
IFIndex IFIndex of the port. For example, 10
IsEnergyWisePort Specifies if the port is EnergyWise-enabled.

5-42 OL-25947-01
Object
Port Identity_Security_Mode Specifies the security mode, based on the level of security you wish to
(contd.) implement in your network. The three types of security modes are:
• Monitor Mode
• Low Impact Mode
• High Security Mode
MACsecStatus You can enable or disable MACsec on the interface. MACsec provides
secure, encrypted communication on wired LANs.
OperStatus Operational Status of the port. For example, Stopped/Suspended
PortDescription Description of the port. For example, FastEthernet0/1
PortName Name of the port. For example, Fa0/1
SpanEnabled Whether the port is Span enabled.
Speed Speed of the port. For example, 10000000 (for 10 Mbps)
Type Enter the value for the port type.
For example, if you want to define a rule for the port type ethernetCsmacd,
you need to enter 6 as the value.
For information on the port type values, see
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=ift
ype&translate=Translate&submitValue=SUBMIT&submitClicked=true
Note For the port attributes that start with name “CM.” , the data collection for the attributes must be successful.
Examples for Port and Module Groups

This section shows examples of a valid rule.
The following are some examples for grouping tasks:
• Rule to select all the Ports whose Port Description contains the string: Ethernet
• Rule to select all the Ports that are connected to another device
• Rule to select all the Modules whose Slot number is 1
• Rule with OR Operator
• Rule with AND Operator
Rule to select all the Ports whose Port Description contains the string: Ethernet
This rule filters all ports whose Port description consists of the string Ethernet.
To provide rule expression for this scenario:
From the Create Rules dialog box:
Step 1 Select Port from the Object Type drop down listbox
Step 2 Select PortDescription from the Variable drop down listbox

OL-25947-01 5-43
Step 3 Select contains from the Operator drop down listbox

Step 4 Enter Ethernet in the Value textbox
Step 5 Click Add Rule Expression
The following rule gets added to the Rule Text:
Port.PortDescription contains "Ethernet"
Rule to select all the Ports that are connected to another device
This rule filters all Ports that are connected to another device.
Step 1 Select Port from the Object Type drop down listbox
Step 2 Select CM.LinkStatus from the Variable drop down listbox
Step 3 Select = from the Operator drop down listbox
Step 4 Select Configured in the Value drop down list box.
Port.CM.LinkStatus = "Configured"
Rule to select all the Modules whose Slot number is 1

This rule filters all the modules that are placed in slot number 1.
Step 1 Select Module from the Object Type drop down listbox
Step 2 Select SlotNumber from the Variable drop down listbox
Step 3 Select = from the Operator drop down listbox
Step 4 Enter 1 in the Value textbox
Module.SlotNumber = "1"
Rule with OR Operator

Rule to list all ports whose Port description contains the string as either Ethernet or FastEthernet.

5-44 OL-25947-01
Step 1 From the Create Rules dialog box:

a. Select Port from the Object Type drop down listbox
b. Select PortDescription from the Variable drop down listbox
c. Select StartsWith from the Operator drop down listbox
d. Enter Ethernet from the Value drop down listbox
e. Click Add Rule Expression
Port.PortDescription StartsWith "Ethernet"
Step 2 Select the OR option from the logical operator list box.
a. Select Port from the Object Type drop down listbox
d. Enter FastEthernet in the Value textbox
The following rule gets appended to the Rule Text:
Port.PortDescription StartsWith "Ethernet" OR
Port.PortDescription StartsWith "FastEthernet"
The OR logical operator evaluates if either or both of the conditions are satisfied. The ports are selected
based on either or both of the matching criteria.
Rule with AND Operator

Rule to select all the FastEthernet Ports whose Operational status is up.

a. Select Ports from the Object Type drop down listbox
b. Select OperStatus from the Variable drop down listbox
c. Select = from the Operator drop down listbox
d. Select OK from the Value drop down listbox
Port.OperStatus = "OK"
Step 2 Select the AND option from the logical operator list box.
a. Select Ports from the Object Type drop down listbox

OL-25947-01 5-45
d. Enter FastEthernet in the Value textbox

The following rule gets appended to the Rule Text:
Port.OperStatus = "OK" AND
Port.PortDescription StartsWith "FastEthernet"
The AND logical operator evaluates if both the parameters are satisfied. Only devices that satisfy both
the criteria are selected.
Include and Exclude

Table 5-5 describes the Include and Excludes window fields in the Rule Expression page of Port and
Module Group Administration.
Table 5-5 Include and Exclude Window Fields Description
Window Fields/Buttons Description

Include List Device Selector Devices selected for group creation.
Port Name/Module Name Name of the port or module in the device.
For some of the devices, if ports or module names
are not available in the device, the message Not
Available will be shown.
Description/Vendor Type Description of the port or module.

For some of the devices, if ports description or
module vendor type is not available in the device,
the message Not Available will be shown.
Slot Number Slot number of the module.
This field is available only for modules.
Include The selected ports or modules are included for
group creation.
(Button)
Filter by Port/Module Enter the filter expression and click Filter to filter
Name the port or modules in the device.

5-46 OL-25947-01
Table 5-5 Include and Exclude Window Fields Description
Window Fields/Buttons Description

Exclude List Device Selector Devices selected for group creation.
Port Name/Module Name Name of the port or module in the device.
For some of the devices, if ports or module names
are not available in the device, the message Not
Available will be shown.
Description/Vendor Type Description of the port or module.

For some of the devices, if ports description or
module vendor type is not available in the device,
the message Not Available will be shown.
Slot Number Slot number of the module.
This field is available only for modules.
Exclude The selected ports or modules are excluded from
group creation.
(Button)
Filter by Port/Module Enter the filter expression and click Filter to filter
Name the port or modules in the device.
Understanding the Summary

The final step in creating the port or module group is a summary page that displays the new group
definition.
The Summary page contains the following information. (See Table 5-6):
Table 5-6 Fields on the Summary page.
Field Description
Rule Rules used to filter the group.
Devices/Groups in Rule List of devices or groups to which the rule will be applied.
After reviewing the group summary, either:
Step 1 Click Finish to complete the procedure for Creating Groups.

A confirmation box appears.
Step 2 Click OK.
You can view the newly created group in the Port and Module Group Browser page.
Or
Click Back to change the group properties.

OL-25947-01 5-47
Viewing Port and Module Group Details

To view the existing port or module group details:
Step 1 Either:
Or
Step 2 Select the group name and click View.
The View Group Details page appears, displaying Group: Details dialog box with the following details:
Group Name Name of the group you are viewing.
Parent Group Parent group of the group you are viewing.
Type Type of the objects that belong to the group.
Rule Rules used to create the group.
Created By User who created the group. This also displays the time at which the
group was created.
Last Modified By User who last modified the group. This also displays the time at which
the group was last modified.
Devices/Groups Devices or Device Groups that are part of the port or module group.
Membership Details Used to view the list of devices that belong to the group. See Viewing
Membership Details.
(Button)
Cancel Closes the page and takes you back to the Port and Module Group
Browser page.
(Button)
Viewing Membership Details

You can view a list of the objects that belong to a group by accessing the Group: Details dialog box.
Step 1 Either:
Or

5-48 OL-25947-01
Step 2 Select the group name for which you want to view the membership details and click View.
The Group: Details dialog box appears.
Step 3 Click Membership Details.
The View Group Members dialog box appears with the following information:
Device Selector Devices selected for group creation.
Port Name/Module Name Name of the port or module in the device that are part of the group.
Description Description of the ports or modules in the device that are part of the
group.
Filter by Port/Module Name Enter the filter expression and click Filter to filter the port or modules
in the device that are part of the group.
Close To close the View Group Members dialog box.
(Button)
Editing Port and Module Groups

You can edit all attributes that are defined while creating a group, except Group Name.
To edit a port and module group:
Step 1 Either:
Or
Step 2 Select the group by checking the check box.
Step 3 Click Edit.
The Group Properties page appears, displaying Port and Module Group Properties dialog box. See
Entering the Port and Module Group Properties Details.
You cannot:
• Modify the Group Name field.
• Click Finish to complete the edit flow.

OL-25947-01 5-49
Step 4 Click Next.

The Select Group Source page appears, displaying either Device Selector or Group Selector dialog box.
• Device Selection
– If you have selected devices using Device Selector in the Create flow.
– If you have created the group by including the ports or modules without specifying the rule in
the Create flow. In this case, only the devices for which you selected ports or modules are
displayed.
Or
• Group Selection—If you have selected device groups using Group Selector in the Create flow.
You can modify the devices or groups that you have selected, based on your requirement.
Step 5 Click Next.
The Rules Expression page appears, displaying the rule previously set. See Defining Rule Expression
for Port or Module Groups.
You can modify and define new rules.
If you include the ports or modules for the selected devices, and also exclude the same ports or modules,
the exclude option will have the higher priority.
Step 6 Click Next.
The Summary page appears, displaying the group details. Understanding the Summary.
Step 7 Either:
Click Finish to complete the editing procedure for the group.
Or
Click Back to change the group properties.
Note You can click Finish at any point in the workflow.
Deleting Port and Module Groups

To remove an existing port or module group:
Step 1 Select Admin > System > Group Management > Port and Module.
The Port and Module Group Browser page appears, displaying the list of groups.
Step 2 Select the group to remove from the Port and Module Group Browser dialog box.
A confirmation dialog box shows that the group will be deleted.
Step 4 Click OK.

5-50 OL-25947-01
Working with Fault System-defined Groups

The group selector displays some groups such as Access Port Groups, Trunk Port Groups, and Interface
Port Groups. See Fault System Defined Groups for more information.
You can control the polling and thresholds settings for these groups using Monitor > Threshold
Settings > Fault. See Monitoring and Troubleshooting Online Help for more information.
These system defined groups can be used when searching for devices using the Advanced Search option
in the device selector.
• LMS System-defined Groups
• Fault System Defined Groups
LMS System-defined Groups

The LMS system defined groups are visible to all Cisco Prime users, and are the factory default groups
administered by LMS. Device Groups appear in the group selector when they have device members, that
is, devices in the DCR that belong to that group.
The following are the LMS system defined groups:
• Broadband Cable
• Content Networking
• DSL and LRE
• Interfaces and Modules
• Network Management
• Non Cisco Devices
• Optical
• Routers
• Security and VPN
• Server Fabric Switches
• Storage Networking
• Switches and Hubs
• Server Fabric Switches
• Unknown Device Types
• Wireless

OL-25947-01 5-51
Fault System Defined Groups

The fault system defined groups are visible to all Cisco Prime users, and are the factory default groups
that are administered by the Fault Management module in LMS 4.0.
The following are the Fault Management system defined groups:
• System defined access port groups:
– 1 GB Ethernet
– 10 GB Ethernet
– 10MB-100MB Ethernet
– ATM
– Others
• System defined interface groups:
– 1 GB Ethernet
– 10 GB Ethernet
– ATM
– Backup
– Dial-on-Demand
– FDDI
– ISDN B channel
– ISDN D channel
– ISDN physical interface
– Others
– Serial
– Token Ring
• System defined trunk port groups:
– 1 GB Ethernet
– 10 GB Ethernet
– ATM
– Others
A 10 GB Ethernet interface device, during an upgrade, behaves in the following ways:
• If the 10MB - 100MB group has been set to high priority when compared to 1 GB Ethernet group,
then the 10GB device falls under the 10MB - 100MB group. In order to make it fall under 10 GB
Ethernet Group, you must set the priority of the group to high.
• If the 10MB - 100MB group has been set to low priority when compared to 1 GB Ethernet group,
then the 10GB device falls under 10 GB group.
For more information, see Setting Priorities in Monitoring and Troubleshooting Online Help.

5-52 OL-25947-01
Working with Customizable Groups
Working with Customizable Groups

Customizable groups are the only user-defined groups for which you can set polling and threshold
parameters. They are provided so you can create groups that fit your needs. Fault Management in
LMS 4.0 provides 28 customizable groups, which are divided into four categories:
• Access Port Groups
• Trunk Port Groups
• Interface Groups
• Device Groups
Table 5-7 lists the seven customizable groups that appear in each of the four categories.
Table 5-7 Polling and Thresholds: Customizable Groups
Customizable
Groups Intended Use
A Consider reserving customizable groups A, B, and C to troubleshoot
B Add one device to any of these groups when you need to test. For example, to test a
C changed threshold or interval value for a polling setting.
1 Consider using customizable groups 1, 2, 3, and 4 when you want to override polling
settings and thresholds for more than one device.
2
3
4
You configure a customizable group to have the highest priority. To do so, see Setting Priorities section
in Monitoring and Troubleshooting Online Help. You must add devices to the customizable groups
before you can set polling parameters or threshold values for them. To do so, see Working with
Customizable Groups.
Since you cannot change the rules for system defined groups, Fault Management provides groups that
you can customize so that they contain devices, ports, or interfaces.
Port and interface containment is only seen and used by Polling and Thresholds (Monitor > Threshold
Settings > Fault).
After you edit or create a group, you can determine whether other Cisco Prime users can view the group.
Table 5-8 Fault Management Customizable Groups
Use this group to Settings you can

Group Name monitor... configure for this group:
Customizable Access Port Access ports Thresholds
Groups
Customizable Groups Devices Polling and thresholds
Customizable Interface Groups Interfaces Thresholds
Customizable Trunk Ports Trunk ports Thresholds
Groups

OL-25947-01 5-53
Managing Fault Groups
For each of the parent groups listed in Table 5-8, Fault Management provides seven configurable
subgroups. Table 5-9 describes the restrictions placed on the subgroups.
Table 5-9 Fault Management Customizable Groups—Restrictions
Group Name Restrictions

Customizable Group A • Use to troubleshoot a single device (but can
Customizable Group B contain more than one device)
Customizable Group C • Cannot be deleted

• Cannot have subgroups
• Cannot have name changed
Customizable Group 1 • Can contain multiple devices
Customizable Group 2 • Cannot be deleted
Customizable Group 3 • Cannot have subgroups
Customizable Group 4 • Cannot have name changed

The Fault Group Administration and Configuration page is where all group management activities take
place.
To open the Group Administration and Configuration page:
Either:
Select Admin > System > Group Management > Fault.
Or
Select Inventory > Group Management > Fault.
Note If you are connecting to the LMS server for the first time, a Security Alert window is displayed
when you select an option. Do not proceed without viewing and installing the self-signed
security certificate.
See Editing and Creating Fault Groups for information on how to use Group Administration to create
and edit groups. In addition to creating and editing groups, Group Management provides the following
functions:
• Refreshing Fault Membership
• Deleting Fault Groups

5-54 OL-25947-01
Table 5-10 describes the fields in the Group Administration and Configuration page.
Table 5-10 Fields on Group Administration and Configuration Page
Group Selector Hierarchical display of all available groups.
Group Info When you select an item from the Group Selector, the Group Info pane displays the
following information:
• Group Name—Name of the group you selected.
• Type—Type of objects in the selected group.
• Description—Text description of the group.
• Created By—Person who created the group.
• Last Modified By—Last person to modify the group settings.
Create Starts the Group Creation Wizard for creating a group, as described in Editing a
Fault Group.
Edit Starts the Group Edit Wizard for editing user defined groups, as described in Editing
a Fault Group. Not supported for view groups created from the Alerts and Activities
Defaults page.
Details Opens the Properties: Details page, as described in Viewing Fault Group Details.
Refresh Refreshes a group memberships, as described in Refreshing Fault Membership. Not
supported for port and interface groups.
Delete Deletes a group, as described in Deleting Fault Groups.
Editing and Creating Fault Groups

The processes for editing and creating groups are similar. Keep these points in mind:
• You can edit user defined customizable subgroups. For example, the subgroup Customizable
Group 1 under Customizable Access Port Groups. These subgroups are listed in Working with
Customizable Groups.
• You can create or edit user defined miscellaneous groups. These groups can be used with views in
the Alerts and Activities display, or with notification groups in Notification Services.
You cannot edit or view groups created from the Alerts and Activities Defaults page.
This section contains information on:
• Editing a Fault Group
• Creating a Fault Group
• Understanding Rules
• Finalizing Fault Group Membership
• Viewing the Fault Group Summary

OL-25947-01 5-55
LMS uses the Group Creation Wizard to guide you through the steps required to create or edit a group.
The wizard consist of four steps:
1. Setting properties (for details, see Editing a Fault Group)
2. Creating rules (for details, see Understanding Rules).
3. Modifying group membership (for details, see Finalizing Fault Group Membership).
4. Viewing the summary (for details, see Viewing the Fault Group Summary).
Editing a Fault Group

You can edit the properties of user defined customizable port, interface, and device groups. You can also
edit miscellaneous user defined groups you created using Group administration.
Procedure
Step 1 Either:
• Select Admin > System > Group Management > Fault.
The Fault Group Administration and Configuration page appears.
Or
• Select Inventory > Group Management > Fault.
Step 2 In the Group Selector, select the group you want to edit, click Edit.
The Properties: Edit page appears.
You can modify the following in the Properties: Edit page:
• Group Name
Will be automatically populated when editing customizable subgroups; for example, Customizable
Group 1 under Customizable Access Port Groups.
• Description
• Membership update type (not supported for port and interface groups)
The parent group is displayed, but it cannot be modified.
• Visibility Scope
Step 3 Click Next.
The Rules: Edit page appears. For more information on creating rules, see Understanding Rules.
To return to any of the previous pages in the wizard, click Back.
Note If you edit a device-type group, you can launch the Preview.

5-56 OL-25947-01

• Adding and Deleting Rules from the Rules:Edit Page
• Adding and Removing Objects from the Rules: Edit Page
Adding and Deleting Rules from the Rules:Edit Page
You can add new rules or delete existing rules in the Rules: Edit page.
To add a new rule:
Step 1 From the first list, select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.+
Step 2 From the Object Type list, select an object type.
Step 3 From the Variable list, select a variable.
Step 4 From the Operator list, select an operator.
Step 5 In the Value field, enter a value.
The rule expression appears in the Rule Text box.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\),
an error is displayed.
To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single
backslash. You should always check the syntax after changing a rule expression.
If you have added complex rules (containing both AND and OR conditions), you must manually enter
parentheses, as in the following example:
(AccessPort.Mode equals ““ OR
AccessPort.Mode contains “BACKUP” OR
AccessPort.Mode contains “NORMAL”) AND
AccessPort.DuplexMode contains “HALFDUPLEX” OR
AccessPort.DuplexMode contains “FULLDUPLEX”)
Step 7 Verify whether the syntax of the rule is correct by clicking Check Syntax.
A dialog box appears, stating that the syntax is valid.
Step 8 Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
All rules assigned to a parent group also apply to any of its subgroups.
Step 9 Click Next.
The Membership: Edit page appears.

OL-25947-01 5-57
To delete a rule:
Step 1 In the Rule Text box, select the entire rule text and press the Delete key.
After deleting the rule, you must click the page so that the page can refresh, removing the list of logical
operators.
Step 2 Click Next.
The Membership: Edit page appears.
Adding and Removing Objects from the Rules: Edit Page
You can add or remove specific objects from the group membership. This feature is not supported for
port and interface groups.
The group's rule captures the list of objects that are added to or deleted from the group. The rule will
contain an Includelist and an Excludelist section to reflect this.
Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended
practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across
both lists and ensure that no device is both included and excluded.
You can add and remove objects from the Parent Group
To add an object:
Step 1 In the Available Objects from Parent Group column, select the device you want to add.
Step 2 Click Add.
Step 3 Click Next.
The group’s information appears in the Summary: Create page.
A dialog box appears, stating that changes to the group have been saved.
Step 5 Click OK.
To remove an object:
Step 1 In the Objects Matching Membership Criteria column, select the device you want to remove.
Step 3 Click Next.
Step 5 Click OK.

5-58 OL-25947-01
Creating a Fault Group

Creating fault groups is supported only for user defined miscellaneous groups. Once created, you can
edit these groups.
Note When you create a fault group, at least one device must be in the managed state.
Procedure
Step 1 Either:
Or
Step 2 In the Group Selector, select User Defined Groups.
The Properties: Create page appears.
Step 4 Enter a group name for the new group.
If you do not want to copy the attributes of an existing group to your new group, proceed to Step 6. If
you want to copy the attributes of an existing group to the new group, do the following:
a. Click Select Group.
The Replicate Attributes page appears.
b. Select the group from which you want to copy the attributes.
c. Click OK.
All attributes except the group name are copied to the new group.
If you want to change the parent group (the location where the group will reside in the Group Selector),
do the following:
a. Click Change Parent.
The Select Parent page appears.
b. Select the parent group.
Step 5 Click OK.
Enter a description. This is optional.
Step 6 Choose how you want the group membership updated.
This choice is not displayed for port and interface groups):
• If you want the membership for this group updated automatically, select Automatic.
• If you want the membership for this group updated only when the Refresh button is clicked, select
Only Upon User Request.

OL-25947-01 5-59
Step 7 Select a Visibility Scope:

• Available to Created User Only
• Available to All Cisco Prime Users
Step 8 Click Next.
The Rules: Create page appears. (For more information on creating rules, see Understanding Rules.)
Step 9 Do one of the following:
• To create rules to apply to the group, go to Step 10.
• Click Next and select the objects on the Membership: Create page (not supported for port and
interface groups). Then go to Step 10.
If you need to return to any of the previous pages in the wizard, click Back.
Step 10 Create all rules that you want to apply to the group:
a. Select a logical operator (applicable when there are multiple rule expressions).
The list of logical operators is enabled after at least one rule expression is entered.
b. Select an object type.
c. Select a variable.
d. Select an operator.
e. Enter a value.
f. Click Add Rule Expression.
The rule expression appears in the Rule Text box.
You can manually add or change any of the text in the Rule Text box. If you enter a single backslash (\),
an error is displayed.
To enter a single backslash in the Rule Text box, you must type two backslashes (\\) in place of the single
backslash. You should always check the syntax after changing a rule expression.
If you have added complex rules (containing both AND and OR conditions), you must manually enter
parentheses, as in the following example:
AccessPort.DuplexMode contains “HALFDUPLEX” OR
g. Verify that the rule syntax is correct by clicking Check Syntax.

A dialog box appears, stating the syntax is valid.
h. Click OK.
If you want to view the rules for the parent group, select View Parent Rules.
All rules assigned to a parent group also apply to any of its subgroups.
i. Click Next.
The Membership: Create page appears.

5-60 OL-25947-01
Adding and Removing Objects from the Rules: Create Page
You can add or remove specific objects from the group membership. This feature is not supported for
The group's rule captures the list of objects that are added to or deleted from the group. The rule will
contain an Includelist and an Excludelist section to reflect this.
Although it is acceptable for a rule to have more than one Includelist or Excludelist, the recommended
practice is to consolidate them, forming one Includelist and one Excludelist. Check for duplicates across
both lists and ensure that no device is both included and excluded.
You can add and remove objects from the Parent Group
To add an object:
Step 1 In the Available Objects from Parent Group column, select the device you want to add.
Step 2 Click Add.
Step 3 Click Next.
Step 5 Click OK.
To remove an object:
Step 1 In the Objects Matching Membership Criteria column, select the device you want to remove.
Step 3 Click Next.
Step 5 Click OK.

OL-25947-01 5-61
Understanding Rules
Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule
expressions.
Rules are created to filter in the objects that you want to belong to the group, and to filter out those that
you do not want in the group. When determining the objects that belong to a group, Group Management
compares object information to the rule. If an object information satisfies all of the rule requirements, it
is placed in the group.
One or more rule expressions can be applied to form a rule. Each rule expression contains the following:
Object Type.Variable Operator Value
For example:
Routers.Location equals "San Jose"
Complex rules that contain both OR and AND conditions require you to edit the rule manually. For
example, all parentheses in the following rule must be added in the Rule Text field:
(AccessPort.DuplexMode contains “HALFDUPLEX” OR
Rules are defined through the Group Creation Wizard on the Rules: Create and Rules: Edit pages. You
can define the following:
• Logical Operators
• Object Type
• Variable
• Operator
• Value
Logical Operators
The logical operator field appears when you are defining multiple rules. The logical operators can be:
• OR—Include devices that fulfill the requirements of either rule.
For interface, access port, and trunk port groups, this operator can only be used between the
variables of the same type, as in the following valid rule:
AccessPort.DuplexMode equals “HALFDUPLEX” OR
AccessPort.DuplexMode equals “FULLDUPLEX”
If you used an AND operator in the previous port rule, it would be invalid.
• AND—Include only objects that fulfill the requirements of both rules.
For interface, access port, and trunk port groups, this operator can only be used between the
variables of different types, as in the following example:
AccessPort.Mode equals “” AND
AccessPort.DuplexMode equals “FULLDUPLEX”
If you used an OR operator in the previous rule, it would be invalid.

5-62 OL-25947-01
For device groups, this operator can only be used between variables of the same type, as in the
following example:
Routers.Model equals "12816" AND
Routers.Model equals “12810”
The following would be an invalid rule for a device group:

Routers.Model equals "12816" AND
SwitchesAndHubs.Type equals "6509"
In the previous example, you would have to use the OR operator.

• EXCLUDE—Do not include these devices.
Object Type
The Object Type field lists the available objects that you can use to form a group.
Depending upon the type of group you are creating, the Object Type field may contain the following
choices:
AccessPort
TrunkPort
Interface
Cable
ContentNetworking
Device
DSLAndLRE
Group
InterfacesAndModules
NetworkManagement
Optical
Routers
SecurityAndVPN
ServerFabricSwitches
StorageNetworking
SwitchesAndHubs
UniversalGatewaysAndAccessServers
Unknown
VoiceAndTelephony
Wireless
Variable
The Variable field lists the possible attributes for the selected object type to be used for the rule. The list
of possible variables changes based on the object type that is selected. Some variables for port and
interface groups are described in Table 5-11.
Operator
The Operator field defines the operator to be used in the rule. The list of possible operators changes
based on the object type and the variable selected.
When using the equals operator, the rule is case-sensitive.
Value
The Value field describes the value of the rule expression. The possible values depend upon the object
type, variable, and operator selected. Depending on the operator selected, the value may be free-form
text or a list of values.

OL-25947-01 5-63
Most of the values that can be entered in the Value field of the Rules: Edit page are self-evident, but some
of the objects in the Variables field have special meanings or restrictions on how to enter the related
attribute in the Value field.
Table 5-11 describes the objects that appear in the Variable field of the Rules: Edit page that might need
further explanation.
Table 5-11 Explanations for the Values of Special Variables
Variable Explanation
Description Interface or port description.
DuplexMode Duplex mode (FULLDUPLEX, HALFDUPLEX, or UNSPECIFIED).
InterfaceCode Interface types, protocols, or encapsulations.
MaxSpeed Maximum speed, in bits per second.
MaxTransferSpeed Speed of the largest datagram that can be sent or received, specified in
octets.
For interfaces that use transmitting network datagrams, this is the speed of
the largest network datagram that can be sent.
Mib2ifType Type of interface, distinguished according to the physical or link protocols
immediately below the network layer in the protocol stack, represented as
a digit.
Mode Intended purpose (for example, for interfaces, backup, dial-on-demand, and
so forth).
Name Name of object.
SystemModel Name of the system.
SystemName Name of system containing this element.
SystemObjectID System Object Identifier associated with vendor of system.
SystemVendor Name of system supplier.
Type Type of element (for example, interface), distinguished according to the
physical or link protocols immediately below the network layer in the
protocol stack.
Note After you have defined the rule, you should verify the syntax. You can do this on the Rules: Edit page.
Table 5-12 describes the remaining fields on the Rules: Edit page of the Group Creation Wizard.
Table 5-12 Fields on the Rules: Edit Page
Add Rule Expression Used to add the rule expression to the group rules.
Rule Text Displays the rule. For complex rules (which contain both OR and AND
conditions), you must manually add parentheses in this field. (In Editing a
Fault Group, see Step 10 and Step 6.)

5-64 OL-25947-01
Table 5-12 Fields on the Rules: Edit Page (continued)
View Parent Rules Used to view the parent group rules.
All parent group rules apply to the subgroups.
Examples of Rules
You want to create a group that contains all interfaces using full duplex mode in the Dallas location.
Form the following rule:
Interface.Duplex.Mode contains "FULLDUPLEX" AND Location contains “Dallas”
• Interface
• Variable—Duplex.Mode
• Operator—Contains
• Value—“FULLDUPLEX”
• Logical Operator—And
• Variable—Location
• Operator—contains
• Value—“Dallas”
You want to create a group that contains all of the security and VPN devices in the San Jose location.
Form the following rule:
SecurityAndVPN.Location contains "SanJose"
• Object Type—SecurityAndVPN
• Variable—Location
• Operator—Contains
• Value—“San Jose”
To understand the group rules, see the rules used for system defined groups. These rules appear in the
Properties: Details page. For a description of the Properties: Details page, see Viewing Fault Group
Details.
Finalizing Fault Group Membership

After the group rules have been defined, they are evaluated, and you can view the group members (except
for port and interface groups, which are only used for polling and threshold purposes). In addition, the
group membership can be modified by adding or removing specific objects.
The group rule will be automatically modified to reflect the objects that were added or removed from the
group. You add or remove specific objects from a group membership in the Membership: Edit page of
the Create Group Wizard.

OL-25947-01 5-65
Viewing the Fault Group Summary

The final step in the Create Group Wizard is viewing a summary page that displays the new group
definition. Table 5-13 describes the fields on the Group Summary page of the Group Creation Wizard.
Table 5-13 Fields on the Group Summary Page
Heading/Button Description
Parent Group Parent group of the group you are creating.
Membership Update Automatic (updated whenever the group is accessed) or upon user request
(updated only when you click the Refresh button).
Rules Rules used to filter group membership.
Visibility Scope Setting that determines whether all Cisco Prime users or only the created user
can view the group.
Polling Overriding Click to display the Preview page. This page displays the priorities of the
Group preview Polling Overriding Groups.
Threshold Click to display the Preview page. This page displays the priorities of the
Overriding Group Threshold Overriding Groups.
preview
Viewing Fault Group Details

Information about a group is displayed on the Properties: Details page.
To view the Fault group details:
Step 1 Either:
Or
Step 2 In the Group Selector, select the group for which you want to view details.
The Properties: Details page appears.

5-66 OL-25947-01
Table 5-14 describes the fields on the Properties: Details page.
Table 5-14 Fields on the Properties: Details Page
Membership Update Automatic (updated whenever the group is accessed) or upon user request
(updated only when you click the Refresh button)
Created By Person who created the group.
Last Modified By Last person to modify the group.
View Parent Rules Used to view the parent group rules. All parent group rules apply to the
subgroups.
Membership Details Used to view the list of devices that belong to the group. Does not apply to
Cancel Closes the page and takes you back to the Group Administration and
Configuration page.
Viewing Fault Membership Details

You can view a list of the objects that belong to a group by accessing the Properties: Details page.
Membership is not displayed for port and interface groups, which are used only for polling and threshold
purposes.
Procedure
Step 1 Either:
Or
Step 2 In the Group Selector, select the group for which you want to view details.
The Properties: Details page appears.
The Membership: Details page appears.

OL-25947-01 5-67
Table 5-15 describes the fields on the Membership: Details page.
Table 5-15 Fields on the Membership: Details Page
Name Name of the device for which you want to view membership details.
Object Type Type of object for which you want to view details.
Property Details Takes you back to the Properties: Details page.
Cancel Closes the page and takes you back to the Group Administration and
Configuration page.
Refreshing Fault Membership

Refreshing a group membership forces the group to recompute its membership by reevaluating its rules
and obtaining membership information from the data collectors. Port and interface group membership
lists are not supported, because these groups are only used for polling and threshold purposes.
Procedure
Step 1 Either:
Or
Step 2 In the Group Selector, select the group you want to refresh.
Step 3 Click Refresh.
Step 4 In the confirmation dialog box, click Yes.
Step 5 In the next dialog box, click OK.

5-68 OL-25947-01
Understanding Collector Group Rules
Deleting Fault Groups

You can only delete user defined groups that are not one of the seven customizable groups.
Procedure
Step 1 Either:
Or
Step 2 In the Group Selector, select the group you want to delete.
Step 4 In the confirmation dialog box, click Yes.
Step 5 In the next dialog box, click OK.
Edit, Refresh, and Delete cause internal processes to start. For this reason, LMS could experience a
period of high CPU utilization after these processes are triggered.

Every group is defined by a set of rules. A rule set contains a Boolean combination of individual rule
expressions.
You can access the IPSLA Collector groups using either:
• Select Admin > System > Group Management > IPSLA Collector.
The IPSLA Collector Group Administration page appears.
Or
• Select Inventory > Group Management > IPSLA Collector.
The IPSLA Collector Group page appears.
Rules are created to filter in the devices that you want to include in the group, and to filter out those that
you do not want in the group.
While determining the devices that belong to a group, Group Management compares device information
to the rule. If the information on a device satisfies all the requirements of the rule, it is placed in the
group.
The devices are filtered based on the data present in the IPSLA Performance database.
One or more rule expressions can be applied to form a rule.
Each rule expression contains the following:
object type.variable operator value

OL-25947-01 5-69

• IPSLA Collector Group Administration Process
• Understanding IPSLA Collector Group Administration
Table 5-16 lists the various operators that can be used to create rules to group Collectors.
Table 5-16 Understanding Collector Group Rules
OR, AND, EXCLUDE, Logical operators.
INCLUDE
• OR—Include objects that fulfill the requirements of either rule.
• EXCLUDE—Do not include these objects.
• INCLUDE— Include these objects
The Rule Text field appears only after a rule expression is added.
Object Type Type of object (collector) that is used to form a group.
Variable Collector components, based on which you can define the group.
For more information, see Collector Components.
Operator Operator to be used in the rule. The list of possible operators changes based on the Variable
selected.
When using the equals operator the rule is case-sensitive.

5-70 OL-25947-01
Table 5-16 Understanding Collector Group Rules
Value Value of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-from text or a list of
values.
The following are the values for the corresponding operations:
• 1 = echo
• 2 = pathEcho
• 5 = udpEcho
• 6 = tcpConnect
• 7 = http
• 8 = dns
• 9 = jitter
• 10 = dlsw
• 11 = dhcp
• 12 = ftp
• 14 = RTP
• 16 = icmpjitter
• 18 = VoipCallSetupPostDialDelay
• 19 = VoipGKRegDelay
• 1019-Ethernetping
• 1020-Ethernetjitter
• 1119-EthernetPingAutoIPSLA
• 1120-EthernetJitterAutoIPSLA
Check Syntax Verifies if the rule syntax is correct.
Use this button if you have entered the rules manually.

OL-25947-01 5-71
Collector Components
Table 5-17 lists the available group attributes that you can use for defining the User-Defined groups.
Table 5-17 Collector Components
Component Type Description

Source Address Device IP address.
Target Address Device IP address.
Operation Type All IPSLA operations available for LMS
Operation Name Name of a user-defined operation.
VRF Name of the VRF (Virtual Routing and Forwarding).
IPSLA Collector Group Administration Process

The IPSLA Collector Group Administration depends on the IPMOGSServer processes. If these
processes are not running, then an error message appears:
Error in communicating with Group Administration Server.
It may be down or not yet up. Please make sure that the Group Administration Server is
up and running, then refresh the page.
You can resolve this error by starting the IPMOGSServer process.
You can start this process using Admin > System > Server Monitoring > Processes.
The Process Management page appears with all Cisco Prime processes listed. In the Process
Management page, select the IPMOGSServer and click Start.
If the IPMOGS Server is down, do the following:

You can start the IPMOGS Server either from the CLI, or from the LMS UI.
To start IPMOGS Server from the CLI:
Enter NMSROOT/bin/pdexec IPM OGSServer
To start IPMOGS server from the LMS UI:
The Process Management page appears with all Cisco Prime processes listed.
Step 2 Select IPM OGSServer in the Process Management dialog box.
Step 3 Click Start.

5-72 OL-25947-01
If the CMFOGS Server is down, do the following:

You can start the CMFOGS Server either from the CLI, or from the LMS UI.
To start CMF OGS Server from the CLI:
Enter NMSROOT/bin/pdexec CMFOGSServer
To start CMFOGS server from the LMS UI:
Step 2 Select CMFOGSServer in the Process Management dialog box.
Step 3 Click Start.
Understanding IPSLA Collector Group Administration

This section explains the various tasks that you can perform on the IPSLA Collector Group
Administration.
Table 5-18 lists the Fields and buttons available in the Group Administration page.
Table 5-18 IPSLA Collector Group Administration Page
Group Selector Hierarchical display of all available groups.
Group Info Displays the following collector group information:
• Group Name—The name of the group you selected.
• Type—The type of objects in the selected group.
• Description—A text description of the group.
• Created By—The person who created the group. You can also view the time at which the
group was created.
• Last Modified By—The last person to modify the group settings. You can also view the time
at which the group was modified.
Create Starts the Group Creation Wizard for creating a group, as described in the Creating and
Modifying User-Defined Collector Groups.
Edit Starts the Group Edit Wizard for editing an existing group, as described in the Creating and
Modifying User-Defined Collector Groups.
Details Opens the Properties: Details page, as described in the Viewing Collector Group Details and
Viewing Membership Details.
Refresh Refreshes a group membership, as described in the Refreshing User-Defined Collector Group
Membership.
Delete Deletes a group, as described in the Deleting User-Defined Collector Groups.

OL-25947-01 5-73
Working with User-Defined Collector Groups

These are collector groups created by the user based on a set of criteria such as operation name, operation
type, source address, and target address.
For example, if you want to create a location-based collector groups, you must select the devices used
by that location and define the collector groups based on the criteria mentioned above.
You can perform the following tasks on user-defined collector groups:
• Creating and Modifying User-Defined Collector Groups
• Deleting User-Defined Collector Groups
• Viewing User-Defined Collector Groups
• Refreshing User-Defined Collector Group Membership
Creating and Modifying User-Defined Collector Groups

LMS provides a single wizard-based approach that leads you through the procedure to create multiple
user-defined collector groups. This wizard process involves the following four steps:
1. Setting Collector Group Properties
2. Defining Collector Group Rules
3. Assigning Collector Group Membership
4. Viewing the Collector Group Summary
You must complete all the four tasks in this sequence to create collector groups. If you exit the wizard
at any stage using Cancel, the details you have specified will be lost and the collector groups will not be
created.
Setting Collector Group Properties

In this step, you can enter the group properties such as name and description, copy the attributes from
another group, change the parent group, and modify the parent group and membership update details, if
required.

5-74 OL-25947-01
To set or edit the collector group properties:
Step 1 Either:
Or
The IPSLA Collector Group page appears.
Step 2 Select the required group from the Group Selector pane.
For example:
• If you want to create or edit a group, select the User Defined Group folder from the Group Selector
pane.
• If you want to create or edit a subgroup, select the required collector group under the User Defined
Groups folder.
Step 3 You can either:
• Click Create to create a group or subgroup.
Or
• Click Edit to edit a group or subgroup.
Step 4 Specify the collector group name and description in the Group Name and Description fields.
The Group Name must be unique within the parent group. However, you can specify the same name in
some other groups.
For example, if you already have a group named ‘MyGroup’ in a group named ‘Views’ under
User-Defined Groups, you cannot use the same name for another subgroup in the group ‘Views’.
However, you can use the name 'MyGroup' for the subgroup of another group in User-Defined Groups.
After entering the group name and description, you can either copy the attributes of an existing group to
the new group or proceed to Step 5.
To copy the attributes of an existing group to the new group, do the following:
a. Click Select Group.
The Replicate Attributes window appears.
b. Select the required collector group from the User Defined Groups folder.
c. Click OK.
All attributes except the group name are copied to the new group.
The parent group you have selected for the group does not change even if you are copying attributes
from a group that belongs to a different parent group.

OL-25947-01 5-75
To change the parent group, do the following:

a. Click Change Parent.
The Select Parent window appears.
b. Select the required group.
c. Click OK.
The Properties page appears with the new parent group.
Step 5 Select the Membership Update and Visibility Scope for the group.
For more information, see Table 5-19.
Step 6 Click Next.
The Rules page appears.
Table 5-19 Setting Collector Group Properties
Field Description
Copy Attributes from Copy the attributes of an existing group to your new group using Select Group.
Group
Parent Group Parent group of the group you are creating. You can change the parent group using Change
Parent.

Membership Update Group Membership is updated.
• Automatic: Updates whenever the group is accessed.
• Only Upon User Request: Click Refresh.
Visibility Scope • Private Groups: Visible only to users who created the group.
• Public: Visible to all users.
Defining Collector Group Rules

In this step, you can define the rules for the collector groups. This rule determines the contents and the
collectors to be included in the collector group.
This rule allows you to add collectors and VRFname based on the variables such as operation name,
operation type, source address, and target address. You can use one or a combination of variables while
defining the rule. The collectors that satisfy the rule will be added to the collector group.
If you have created the collector group copying the attributes of another group, the rules specified for
that group appears in the Rule Text field. You can retain these and add more rules, or delete these rules
and create a new set of rules.
Note All rules assigned to a parent group also apply to any of its subgroups.

5-76 OL-25947-01
In the Rules page, you can either enter the rules directly in the Rule Text field or select the components
of the rule from the Rule Expression fields and define a rule.
Table 5-20 lists the various Fields and Buttons available in the Rules page.
Table 5-20 Defining Collector Group Rules
OR, AND, EXCLUDE Logical operators.
• OR—Include objects that fulfill the requirements of either rule.
The Rule Text field appears only after a rule expression is added.
Object Type Type of object (Collector) that is used to form a group. All IPSLA Collector group rule
expressions begin with the same Object Type, IPM:Collector Management: Collector.
Variable Collector attributes, based on which you can define the group.
For more information, see Collector Components.
Operator Operator to be used in the rule. The list of possible operators change based on the Variable
selected.
When using the Equals operator, the rule is case sensitive.
Value Value of the rule expression. The possible values depend upon the variable and operator selected.
Depending on the operator selected, the value may be free-form text or a list of values.
For group rule restrictions and examples, see Understanding Collector Group Rules.

OL-25947-01 5-77
To define the collector group rules:
Step 1 Either:
Or
Step 2 Select the Object Type from the drop-down list.
Step 3 Select the required variables from the Variable drop-down list. You can select one or a combination of
variables.
The variables available are Operation Name, Operation Type, Source Address, VRF name, and Target
Address.
Step 4 Select the Boolean operator from the Operator drop-down list.
The Boolean operators change based on the variable you have selected.
Step 5 Specify the Value for the variable you have selected.
The IPSLA Collector Group Administration creates the rule based on the parameters you specified and
adds it to the rules already present in the Rules Text field. You can use the same procedure to add more
rules.
If you want to delete a rule expression, you have to select the complete expression including the logical
operator and press the Delete key on your keyboard.
Step 7 Click Check Syntax to validate the rules expression syntax.
If the Syntax is correct, a confirmation message appears, The rule syntax is valid. If the Syntax is
incorrect, an error message appears with syntax error messages along with the line and column number.
Step 8 Click View Parent Rules to view the parent and group rules.
Step 9 Click Next.
The Membership page appears.
Assigning Collector Group Membership

The Membership page allows you to create a highly customized user-defined collector group. This page
lists the collectors in two panes, namely Objects From Parent Group and Objects Matching Membership.
• Objects From Parent Group—Lists the collectors in the parent group.
• Objects Matching Membership—Lists the collectors that satisfy the rule defined by you. You can
add or delete collectors from this pane. You can also add collectors from the parent group to create
the collector group.

5-78 OL-25947-01
To assign collector group membership:
Step 1 Select the required collectors from the Objects From Parent Group pane.
Step 2 Click Add.
The selected collectors are added to the Objects Matching Membership pane.
Step 3 Click Next.
The Summary page appears with the User-Defined Group properties.
To remove collectors from the group:
Step 1 Select the required collectors from Objects Matching Membership pane.
The selected collectors are removed from the Objects Matching Membership pane and added to the
Objects From Parent Group pane.
Step 3 Click Next.
The Summary page appears with the summary of the user-defined collector group.
Viewing the Collector Group Summary

The final step is the Summary page that displays the new group definition as in Table 5-21.
Table 5-21 Understanding Collector Group Summary
Field Description
Parent Group Parent group of the group you are creating. You can change the parent group using Change
Parent.
You can select only IPSLA Collector User-Defined groups.
You cannot edit this field in the Edit flow.
Membership Update Updates group membership.
Membership updates can be automatic (updated every time the group is accessed) or upon user
request only (updated only when you click Refresh).
Visibility Scope Describes if the group is public (all users) or private (only for the group owner).

OL-25947-01 5-79
To view the collector group summary:
Step 1 Click Finish to complete the procedure for creating collector groups.
A confirmation message appears.
Step 2 Click OK.
You can view the newly created user-defined collector group in the Group Selector pane.
Or
Click Back to modify the group properties.
Deleting User-Defined Collector Groups

In the The IPSLA Collector Group Administration page, you can use the Delete option to delete the
user-defined collector groups. During the deletion process, only the collector group is deleted , and the
associated collectors are not deleted. You cannot delete the system-defined collector groups.
To delete user-defined collector groups:
Step 1 Select the group for which you want to view details from the Group Selector pane.
Viewing User-Defined Collector Groups

This section explains how to view the group and membership details and refresh the same.
• Viewing Collector Group Details
• Viewing Membership Details
• Refreshing User-Defined Collector Group Membership
Viewing Collector Group Details

The Property Details page displays the group details.
To view the collector group details:
Step 1 Either:
Or

5-80 OL-25947-01
The Property Details page appears. For more information, see Table 5-22.
Table 5-22 Viewing Collector Group Details
Membership Update How group membership is updated.
Created By Person who created the group. This also displays the time at which it was created.
Last Modified By Last person to modify the group. This also displays the time at which it was modified.
Visibility Scope Indicates whether the group is Public (visible to all users) or Private (visible only for the group
owner).
View Parent Rules Allows you to view the parent group rules.
Membership Details Allows you to view the membership details.
Cancel Takes you back to the Group Administration page.
Viewing Membership Details

The Property Details page allows you to view a list of the objects that belong to a group.
To view the membership details:
Step 1 Either:
Or
The Property Details page appears.

OL-25947-01 5-81

The Membership Details page appears. For more information, see Table 5-23.
Table 5-23 Viewing Membership Details
Name Name of the device.
Object Type Type of object.
Property Details Takes you back to the Property Details page.
Cancel Takes you back to the Group Administration page.
Refreshing User-Defined Collector Group Membership

Refreshing a group membership forces the group to recompute its membership by reevaluating its rules
and obtaining membership information from the data available.
To refresh the membership of the group:
Step 1 Either:
Or
Step 3 Click Refresh to refresh the membership of the selected group.
The Refresh Group Confirmation dialog box appears.
Step 4 Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.

5-82 OL-25947-01
Operation-Based Collector Groups (System-Defined)

The operation-based collector groups are predefined groups available with IPSLA module in LMS by
default. They are also referred as system-defined collector groups.
The various operation-based collector groups available are Echo, Path Echo, UDP Echo, ICMP Jitter,
UDP Jitter, Call Setup Post Dial Delay, Gatekeeper Registration Delay, RTP, DNS, DHCP, HTTP, FTP,
DLSW, TCP Connect, Ethernet Jitter, Ethernet Ping, Ethernet Jitter Auto IP SLA and Ethernet Ping Auto
IP SLA.
You can perform the following tasks on operation-based collector groups:
• Viewing Operation-Based Collector Details
• Refreshing Operation-Based Collector Groups
To view the details of an operation-based collector group:
Step 1 Either:
Or
Step 2 Select the default operation name from the Group Selector pane for which you want to view the collector
group details.
The system-defined collector group details appear.
Step 4 Click Membership Details to know the membership details of this system-defined collector group.
The Membership Details page appears.
To refresh the membership of an operation-based group:
Step 2 Click Refresh to refresh the membership of the selected group.
The Refresh Group Confirmation dialog box appears.
Step 3 Click OK.
A message appears that the selected group membership has been refreshed.
Or
Click Cancel to return to the Group Administration page.

OL-25947-01 5-83

5-84 OL-25947-01
CHAPTER 6
Administering Data Collection
Data Collection runs automatically when you add, or delete devices in the Unified Device Manager
(UDM).
• Modifying Data Collection SNMP Timeouts and Retries.
• Scheduling Data Collection.
• Data Collection Critical Device Poller.
• Compliance and Audit Settings
Modifying Data Collection SNMP Timeouts and Retries

You can modify the SNMP timeouts and retries when Data Collection fails for a particular device with
SNMP timeout exceptions.
The SNMP fallback methodology applicable for Data Collection, UT Acquisition, and Dynamic UT is
as follows:
• If you have configured a device with SNMP v2 or v1 settings in DCR, then the device is initially
queried with SNMP v2. If the query fails, LMS will query the device with SNMP v1.
• If you have configured a device with SNMPv3 settings in DCR, then the device is queried with
SNMP v3. However, if the query fails, the same device will not be queried with SNMP v2 or v1.
To modify SNMP timeouts and retries:
Step 1 Select Admin > Network > Timeout and Retry Settings > Data Collection SNMP Timeouts and
Retries.
The SNMP Timeouts and Retries dialog box appears.
Step 2 Modify the SNMP settings as given in Table 6-1.

OL-25947-01 6-1
Chapter 6 Administering Data Collection
Modifying Data Collection SNMP Timeouts and Retries
Table 6-1 Modify Data Collection SNMP Timeouts and Retries
Field Description
Target Denotes the Target device.
You should enter IPv4 or IPv6 address of the target device in this field.
You can also use wildcard characters or range of numbers to specify the
target device.
For example, you can enter 10.[77-78].*.* or ABCD:EF12:*:*:*:*:[3A-BB]
as the target device
Timeouts Time period after which the query times out.
This also indicates the time interval between the request and the first initial
response from the device.
The SNMP response may be slow for remote devices. If your network has
remote devices connected over a slow link, configure a higher value for
time-out.
If timeout is increased, discovery time could also increase. Enter the value in
seconds.
For every retry, the timeout value is doubled.
For example, If the timeout is 10 seconds and retries 4:
LMS waits for 10 seconds for response for the first try, 20 seconds for the
second retry, 40 seconds for the third retry and 80 seconds for the fourth
retry.
150 seconds (10+20+40+80) is the total time lapse after which LMS stops
querying the device.
Retries Number of attempts made to query the device. The allowed range is 0-8.
Step 3 Click Add to add SNMP settings.

Step 4 Select a row and either:
• Click Edit to edit the timeouts and retries values.
Or
• Click Delete to delete the timeouts and retries values.
Click OK to save the changes or click Cancel to exit.
Step 5 Click Apply.

6-2 OL-25947-01
Scheduling Data Collection
Scheduling Data Collection

Data Collection runs automatically when you add, or delete devices in the Unified Device Manager
(UDM).
You can also schedule the day and time of data collection using this feature.
You can start data collection immediately for all or failed devices and schedule data collection for all
devices. All devices is a default option. You can select the Failed devices option to run data collection
for failed devices.
To schedule data collection:
Step 1 Select Admin > Collection Settings > Data Collection > Data Collection Schedule.
The Data Collection Schedule dialog box appears.
Step 2 Modify the data collection settings as described in Table 6-2.
Table 6-2 Data Collection Schedule Settings
Field Description Usage Notes

Schedule
Days, Hour, Min Days on which and the time at The optimum data collection schedule depends
which data collection is on the size of the network and the frequency of
scheduled. network changes.
The default data collection schedule is every 4
hours, on the 4-hour mark, daily: 04.00, 08.00,
12.00, 16.00, 20.00, 24.00 Note that time is in
the 24-hour format.
• Select a schedule and click Edit to edit the schedule.

• Select a schedule and click Delete to delete the schedule.
• Click Add to add a new schedule.
Step 3 Click OK to save the changes or click Cancel to exit.
Best Practices
Be cautious while scheduling Data Collection:
• Data Collection consumes significant resources on the network management system.
• Use the Polling option to see the device and link status without running data collection. For more
details on polling see, Data Collection Critical Device Poller

OL-25947-01 6-3
Data Collection Critical Device Poller
Data Collection Critical Device Poller

LMS polls the entire network for device and link status periodically.This feature allows you to:
• Configure the time interval at which the network is polled.
• Poll only a critical set of devices.
Use this option to see the device and link status without running Data Collection.
Since Data Collection consumes significant system resources, you can simply poll the network and
view the device and link status in Topology maps.
Adding Critical Devices to the Device Poller

To add a device to the Critical Devices list from Topology Map:
Step 1 Launch a Topology map.

Step 2 Right click a device and select Add device to Critical Poller.
To add a device to the Critical Devices list from N-Hop View Portlet:
Step 1 Launch N-Hop View Portlet.

Step 2 Go to the configuration screen and select Poll devices.
Caution If the critical set of devices is more than 30, the amount of traffic generated as part of the polling cycle
will use a large amount of bandwidth.
To configure Device Poller:
Step 1 Select Admin > Collection Settings > Data Collection > Data Collection Critical Devices Poller.
The Device Poller screen appears.
Step 2 Configure the device poller options as specified in Table 6-3.
Table 6-3 Device Poller Options

Polling Details
All Devices Specifies that all devices in the network will By default the whole network is polled every 2
be polled at the specified interval. hours.
Critical Devices Specifies that only critical devices in the You can configure this option when you need to
network will be polled at the specified poll a few devices in the network more frequently.
interval.
By default, the critical devices are polled every
five minutes.

6-4 OL-25947-01
Compliance and Audit Settings
Table 6-3 Device Poller Options

Time Interval Time interval at which the specified devices Configure this option to change the interval from
are polled. the default value.
The time interval is added to the completion
time of Data Collection.
For example, you have configured the
following:
• Data Collection is scheduled to run at
07:00 hours
• Time interval is set to 4 hours.
If Data Collection completes at 08:00 hours,
the next polling will happen at 12:00 hours
(8 + 4).
Show Devices For Critical Devices: The following information about the Critical
Displays the list of critical devices in the Devices is displayed:
network. • IP Address
• DeviceName
You can choose any device and click Delete to
remove it from the Critical Device poller list.
For All Devices: The following information about the devices in the
Launches the Data Collection report. network is displayed:
• IP Address
• DeviceName
• DeviceType
• Neighbors
Step 3 Click Apply to save the configuration.

The following topics are discussed in this section:
• Compliance Data Collection
• Import Contracts
• Import Policy Updates
Compliance Data Collection

The Compliance Data Collection allows you to schedule the Compliance Data Collection System Job.

OL-25947-01 6-5
The Compliance Data Collection job runs daily by default. The user can schedule a Compliance Data
Collection Job.
To schedule a Compliance Data Collection System Job do the following:
Step 1 Select Admin > Compliance and Audit Settings > Compliance Data Collection > Compliance Data
Collection System Job Schedule.
The Compliance Data Collection System Job Schedule page appears.
Step 2 Enter the information required to scheule a Compliance Data Collection System Job
Field Description
Job Type Command Output Collection Job .
Scheduling
Run Type Specifies the type of schedule for the job:
• Daily—Runs daily at the specified time.
• Weekly—Runs weekly on the day of the week and at the specified time.
• Monthly—Runs monthly on the day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of
this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job
has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November
2, then the next job will start only at 10:00 a.m. on November 3.
Date 1. Enter the start date in the dd mmm yyyy format, for example, 06 Oct 2011, or click on the
calendar icon and select the date.
2. Enter the start time by selecting the hours and minutes from the drop-down list.
Job Info
Job Description The default job description is, System-defined job for Compliance data Collection.
E-mail Enter e-mail addresses to which the job sends messages when the job has run.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address,
Step 3 Click Apply.

The scheduled job appears in the Compliance Data Collection Jobs.

6-6 OL-25947-01
Compliance Data Collection Jobs

The Compliance Data Collection Jobs enables you to view the status of all the Compliance Data
collection jobs.
Table 6-4 List of Compliance Data Collection Jobs
Column Description
Job ID Unique number assigned to this task at scheduling time. This
number is never reused. There are two formats:
• Job ID:
Identifies the task. This does not maintain a history. For
Example:1002
• JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1002.1, 1002.2
Status Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Description Description of the job.
Owner Username of the job creator.
Job Type Type of job e.g. system compliance.
Scheduled At Date and time at which the job was scheduled.
Completed At Date and time at which the job was completed.
Schedule Type Frequency of the job. This can be:
• Daily
• Weekly
• Montly.
Work Order Displays information about the Job Description, Owner, Schedule
Type, Schedule Time, E-mail Notification, E-mail IDs and Devices
List.
Device Details Displays the Device IP, Job Status and Message Summary.
Job Summary Displays the Job Status, Job Message, Start Time, End Time and
Device Updates.
Import Contracts
The Import Contracts enables you to import customer contracts into the Compliance and Audit Manager
Database.
The contract summary report can be generated only after importing contracts into the Compliance and
Audit Manager Database.

OL-25947-01 6-7
The following steps should be performed for importing contracts into the Compliance and Audit
Manager Database:
Step 1 Go to
http://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do?method=viewContractMgr.
Note Open the link in Internet Explorer and use your Cisco.com credentials.
Step 2 A contract Manager screen listing the contracts associated with your Cisco.com ID appears.
Note If you do not see the contracts then there are no contracts associated with your Cisco.com ID.
Open a case with Cisco to get access to your contracts.
Step 3 Select Download Contract or Selected Data option from the Action drop-down menu.
Step 4 Select the contracts from the Contract Table.
Step 5 Click Go.
A Download Contract or Selected Data window appears
Step 6 In the Download Contract or Selected Data window, perform the following:
a. Select Products + Configurations.
b. Click Save Now radio button, to save a Zip file containing a CSV file in your local system.
c. Click Send by Email to radio buttion, to receive a zip file containing a CSV file by Email.
Step 7 Go to Import Contracts page and Click Browse to select the downloaded contract file from your local
system.
Step 8 Click Import Contracts File to import the contracts file into the Compliance Engine.
Import Policy Updates

The Import Policy Updates allows a user to manually download policy updates patch file from
cisco.com.
The following steps should be performed for manually downloading the policy updates patch file from
Cisco.com and importing the downloaded policy patch file into the Compliance and Audit Manager
Engine:
Step 1 Go to Admin > Compliance and Audit Settings > Import Policy Updates
Step 2 In Cisco.com, navigate to Home > Products > Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution > Cisco Prime LAN
Management Solution 4.2 > Compliance Policy Updates.
Step 3 You will be prompted to enter your Cisco.com credentials.
Step 4 Login using your Cisco.com credentials to open the LMS Compliance Policy Updates page in the
browser.

6-8 OL-25947-01
Step 5 Download the CompliancePolicyUpdates.vX-y.jar patch file, where X is the major version and y is the
minor version.
Step 6 Save the CompliancePolicyUpdates.vX-y.jar patch file in your local system.
Step 7 Go to Import policy updates page and click Browse to select the downloaded
CompliancePolicyUpdates.vX-y.jar file from your local system
Step 8 Click Import Policy Updates to import the CompliancePolicyUpdates.vX-y.jar patch file into the
Compliance Engine.
A message appears indicating the successful importing of policy into the Compliance Engine.
Note Ensure that the CAAM Server process is re-started to effect the changes.
Restarting CAAM server from User Interface

Perform the following to restart CAAM server from user interface:
Step 1 Go to Admin > System > Server Monitoring > Processes.

Step 2 Select CAAM Server from the Process Management Grid and click stop.
Step 3 After the CAAM server stops, click start to restart the CAAM server.
Restarting CAAM server from CLI

Perform the following to restart the CAAM Server from CLI:
Step 1 Enter NMSRoot/bin/pdterm CAAMServer to stop the CAAM server.

Step 2 Enter NMSRoot/bin/pdexec CAAMServer to start the CAAM server.
where NMSROOT is the root directory of the LMS Server.
Note The policy updates patch file can be automatically downloaded and posted into the CAAM server by
scheduling a system defined job under Admin > Network > Compliance Policy/PSIRT/EOS/EOL
Settings.

OL-25947-01 6-9

6-10 OL-25947-01
CHAPTER 7
User Tracking and Dynamic Updates
User Tracking application of LMS allows you to track end stations. This chapter contains the following
sections:
• Understanding User Tracking
• Using User Tracking Administration
• Understanding Dynamic Updates
• Using User Tracking Utility
Understanding User Tracking

User Tracking helps you to locate and track the end hosts in your network. In this way, you get the
information required to troubleshoot and analyze connectivity issues. The application identifies all end
users connected to the discovered Cisco access layer switches on the network, including printers,
servers, IP phones PCs and wireless hosts.
User Tracking collects the details of the end users and the layer 2 connections, and updates User
Tracking table in the LMS database. This is done through automated polling of the network, by User
Tracking (UT) Major Acquisition process.
In addition to polling the network, the Dynamic UT process receives details from the end users and
updates the database dynamically. User Tracking also computes subnet related data and updates the
database with complete host information. Thus you get latest information about the changes in the
connections on your network.
You can also configure User Tracking to collect usernames of the end hosts connected in the network.
The user names are collected from the UTLite process installed in UNIX hosts, Primary Domain
Controller (PDC), or Novell Directory Services (NDS). This makes it easier for you to locate and track
specific users in your network.
You can sort and query the User Tracking table that contains details such as VLANs, switches and switch
ports to which the end users are connected. Predefined reports such as the reports on duplicate IP
addresses or MAC addresses, multiple MAC addresses enable you to accurately locate the end users.
Switch Port reports give you information on:
• Recently down ports
• Ports that are in unused condition for the specified interval
• Connected ports and Free ports
• Percentage utilization of ports for each device

OL-25947-01 7-1
Chapter 7 User Tracking and Dynamic Updates
These reports give a clear picture of the switch port utilization in the network and help you in doing
capacity planning for the network. To generate Switch Port reports Select Reports > Switch Port from
the megamenu.
This topic covers:
• Using User Tracking
• Accessing UT Data
• Various Acquisitions in User Tracking
Using User Tracking

You can use User Tracking to:
• Display information about the connectivity between the devices, users, and hosts in your network.
For example, you might want to identify all users connected to a particular subnet, or all hosts on a
particular switch.
• Display information about the IP phones registered with discovered Media Convergence Servers.
• Use simple queries to limit the amount of information User Tracking displays.
• Configure or limit the User Tracking acquisition by subnets.
• Create and save simple and advanced queries.
• Modify, add, and delete username and notes.
You can configure User Tracking Acquisition settings to collect usernames during UT Major
Acquisition and update the UT table. The user names are collected from the UTLite process.
• Customize User Tracking table layouts.
For example, you can design a layout that displays only the MAC addresses of hosts on your
network.
• View User Tracking reports that identify Switch Port usage, duplicate IP addresses, duplicate MAC
addresses, duplicate MAC and VLAN names, and ports with multiple MAC addresses.
You can also view History Reports for Switch port utilization, and the connection and disconnection
of endhosts and users from your network.
You can set the schedule for generating the reports, and also generate the reports for a subset of
devices.
• Launch Device Center, host center, phone center.
Accessing UT Data
The following are the ways to access User Tracking data:
Quick Reports
You can generate End hosts or IP Phones report based on the given filter criteria
For example, you can generate reports on end hosts that belong to a specific VLAN.
To generate these reports, Select Reports > Inventory > User Tracking > Quick Report.

7-2 OL-25947-01
Scheduled Reports
You can schedule reports that run at the specified date and time. You can generate immediate reports or
schedule them to run once or at repetitive intervals.
Custom Reports
You can customize the layout and columns displayed in the reports to suit your needs. To generate these
reports select Reports > Report Designer > User Tracking > Custom Reports.
Command Line Interface

You can generate various User Tracking reports from the Command Line Interface also.
For more details, see User Tracking Command Line Interface.
Data Extraction Engine

Data Extraction Engine is a LMS UTility that allows you to generate User Tracking data in XML format.
For more details, see Overview of Data Extraction Engine.
User Tracking Utility

Cisco Prime User Tracking Utility 2.0 is a Windows desktop utility that provides quick access to useful
information about users or hosts discovered by LMS User Tracking application.
You can use UTU search band to search for the users or hosts in your network. You can search using user
name, host name or IP address, or MAC address.
Various Acquisitions in User Tracking

This section explains the various acquisitions that can be done using LMS, to get information about the
end users.
User Tracking Major Acquisition

Discovers all the end hosts that are connected to the devices managed by LMS.
For details on the various options that can be set before starting an acquisition, see Modifying UT
Acquisition Settings.
User Tracking Acquisition can also be initiated from the CLI prompt. To do so, enter the following
command:
NMSROOT/campus/bin/ut –cli performMajorAcquisition –u userid -p password
where NMSROOT is the directory where you have installed Cisco Prime. For more details, see User
Tracking Command Line Interface.
User Tracking Minor Acquisition

Minor acquisition occurs on a device if any of the following changes take place:
• A new endhost or IP phone is added to the network.
• Port state changes (when the port comes up or goes down).
• A new VLAN is added to the network.
• There is a change in the existing VLAN.

OL-25947-01 7-3
Using User Tracking Administration
Minor acquisition updates the LMS database with just the changes that have happened in the network. It
is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the
interval at which the acquisition takes place.
For details on modifying the acquisition interval, see Modifying UT Acquisition Schedule
User Tracking IP Phone Acquisition

Discovers all phones registered in Cisco Call Managers (CCM), that are managed by LMS.
Subnet based User Tracking Major Acquisition

User tracking subnet based acquisition would run only on those subnets that are configured in LMS.
LMS discovers end hosts on all the VLANs available in the configured subnets.
Do subnet based acquisition, when you need details about the end hosts connected to a particular subnet
or a select set of subnets. The acquisition completes faster, since it is not run on all devices managed by
LMS.
For details on running subnet based acquisition, see Configuring UT Subnet Acquisition
Single device on-demand User Tracking Acquisition

This discovers the end hosts on all the VLANs available in the selected device. Hence this acquisition is
useful for collecting information only on end hosts connected to the specified device.
For details on initiating this type of acquisition, see Configuring User Tracking Acquisition Actions

You can perform the following administrative tasks using User Tracking Administration:
• Modify Acquisition settings.
Before you start collecting information about the hosts in your network, you can set various options
that control the way in which Acquisition happens.
For example, you can set LMS to perform DNS lookup, while resolving the IP address of a host.
For complete details, see Modifying UT Acquisition Settings
• Schedule Acquisition.
You can set the day and time of the week when you want to run Major Acquisition. The time interval
at which Minor Acquisition happens in the network can also be set.
For more details, see Modifying UT Acquisition Schedule
• Configure Ping Sweep options for Acquisition.
You can configure LMS to perform Ping Sweep on selected subnets, during Acquisition.
For more details, see Modifying Ping Sweep Options
• Configure Subnet Acquisition.
You can trigger acquisition on a single subnet or a select set of subnets. Subnet based acquisition
collects details about the end hosts that are connected to a particular subnet or a select set of subnets.
This Acquisition completes faster, since it is not run on all devices managed by LMS.
For more details, see Configuring UT Subnet Acquisition

7-4 OL-25947-01
• Configure end host and IP phone data delete interval.

You can modify the time interval for deleting entries from the End Host Table, IP Phone Table, or
the History Table from the database.
For more details, see Deleting User Tracking Purge Policy Details
• Configure UT Acquisition to discover end hosts connected to non-link trunk ports.
Normally UT Acquisition only discovers end hosts that are connected to access ports. If you enable
this feature, UT Acquisition also discovers end hosts that are connected to non-link trunk ports.
For more details, see Configuring UT Acquisition in Trunk for End Host Discovery
• Specify Purge Policy.
You can specify the intervals at which you want old reports and jobs to be purged. You can save the
Purge Policy, so that the older jobs and archives are purged at the specified interval.
For more details, see Specifying User Tracking Report Purge Policy
• Specify Domain Name display.
You can specify the way in which domain names are to be displayed in User Tracking Reports.
For more details, see Specifying Domain Name Display.
• Import information on end hosts.
You can import user names and notes of end hosts that are already discovered by User Tracking,
from a file.
For more details, see Importing Information on End Host Users
• Enable Dynamic User Tracking.
Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps. LMS
tracks changes about the end hosts and users on the network to provide real-time updates, based on
these traps.
For more details, see Understanding Dynamic Updates
• Enable Debugging options.
When you face issues in running User Tracking, logging can be enabled for debugging purposes.
For more details, see Debugging Options for User Tracking Server and Debugging Options for User
Tracking Reports

OL-25947-01 7-5
Viewing User Tracking Acquisition Information

You can view acquisition information.
To view acquisition information:
Step 1 Either:
• Select Admin > Collection Settings > User Tracking > Acquisitions Info.
Or
• Select Inventory > User Tracking Settings > Acquisition Summary.
The acquisition information appears with the following information:
Field Description
Acquisition status Status of the User Tracking Major Acquisition process. It can be
either Idle or Running.
Last acquisition type Type of User Tracking acquisition that you had performed last time.
Types of acquisition are:
• Major—User Tracking Major Acquisition
• Devices—User Tracking Acquisition for a device
• Subnets—User Tracking Acquisition for subnets
• IP Phones—User Tracking Acquisition for IP phones
Acquisition start time Date and time at which User Tracking started the Acquisition
process. This is displayed in the format dd mon yyyy hh:mm:ss.
Acquisition end time Date and time at which User Tracking stopped the Acquisition
process. This is displayed in the format dd mon yyyy, hh:mm:ss
time zone.
Number of acquisitions Number of major and minor acquisitions performed.
Number of host entries Number of hosts found after User Tracking acquisition.
Number of duplicate MAC Number of MAC addresses that have duplicate entries in the list of
hosts found.
Number of duplicate IP Number of IP addresses that have duplicate entries in the list of end
hosts found.
Number of CCM hosts Number of Cisco CallManagers in the list of devices found after
Data Collection.
Number of IP phone entries Number of IP phones available in the LMS managed network.
Last Campus data collection Date and time of the previous LMS Data Collection process. This
completed at is displayed in the following format: dd mon yyyy hh:mm:ss time
zone.
Data collection status Status of the LMS Data Collection process. It can be either Idle or
Running.

7-6 OL-25947-01
Configuring User Tracking Acquisition Actions

You can trigger the following acquisitions from this page:
• Device based Acquisition
• Subnet based Acquisition
• IP Phone Acquisition
To configure the required acquisition:
Step 1 Either:
• Select Admin > Collection Settings > User Tracking > Acquisition Action.
Or
• Select Inventory > User Tracking Settings > Acquisition Actions.
The Acquisition Actions dialog box appears.
Step 2 Configure Acquisition Actions as specified in Table 7-1.
Table 7-1 Acquisition Actions

Select a type You can select the type of acquisition. Type When you select a type of acquisition the appropriate
of acquisition can be: fields are displayed.
• Device
• Subnet
• IP Phones
Scope Selection Select the All hosts and users check box to If you do not select the All hosts and users check box, the
acquire information about all hosts and device selection field is enabled and you can enter the
users in your network. name or IP address of the device for which you require
data.
Device Selection
Device Name or IP Enter the name or IP address of the device Click Select to select the device from the list of available
Address about which data is to be acquired. devices.
Subnets
Type Selection You can choose to get data about a particular If you choose to acquire data about a particular subnet, the
subnet or about all the configured subnets. subnet selection fields are enabled.
Subnet Selection
Subnet ID Select the IDs of the subnets on which you This field is enabled only if you select the Subnet option
need to get data. in the Type Selection area.
Click Select to select the subnet ID from the list of
available subnets.

OL-25947-01 7-7
Table 7-1 Acquisition Actions (continued)

Subnet Mask Enter the subnet mask. If you select the subnet ID, the subnet mask is
automatically entered.
Acquire Only Select this check box to get data only about • If you select this check box, only the work stations
VLAN Specific to the VLANs specific to the subnet. associated with the VLANs that are mapped to the
Subnet selected subnets will be acquired.
• If you do not select this check box, work stations
associated with all the available VLANs in the
selected subnets will be acquired.
You do not have to specify any details for the IP Phones option.
Step 3 Click Start Acquisition.
Using User and Host Acquisition

You can modify the Acquisition settings and Acquisition schedule using the User and Host Acquisition
option.
• Modifying UT Acquisition Settings
• Configuring Rogue MAC List
• Modifying UT Acquisition Schedule
• Modifying Ping Sweep Options
• Configuring UT Subnet Acquisition
• Deleting User Tracking Purge Policy Details
• Configuring UT Acquisition in Trunk for End Host Discovery
• Specifying User Tracking Report Purge Policy
• Importing Information on End Host Users
Modifying UT Acquisition Settings

You can modify User Tracking Acquisition settings.
• Modifying Acquisition Settings from UI
• UT Behaviour in DHCP Environment for Missing IP address
• Configuring Properties That Support Duplicate MAC Addresses
• Configuring User Tracking Properties from the Backend

7-8 OL-25947-01
Modifying Acquisition Settings from UI

To modify acquisition settings:
Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The Acquisition Settings dialog box appears.
Step 2 Modify the acquisition settings as specified in Table 7-2.
Table 7-2 Acquisition Settings Field Description

Enable User Tracking for Enables User Tracking for DHCP If you enable this property, it allows you to control
DHCP Environment Environment. inclusion and exclusion of Duplicate MAC addresses in the
Acquisition.
To understand the behavior of User Tracking in case of
missing IP address, see UT Behaviour in DHCP
Environment for Missing IP address.
For details on properties that support Duplicate MAC
addresses, see Configuring Properties That Support
Duplicate MAC Addresses.
Enable User Tracking on Enables User Tracking on Access This is enabled by default and allows UT Major Acquisition
Access Points Points process to collect Access point information. However,
WlseUHIC cannot collect Wlse related end host
information.
If disabled, it precludes Access point acquisition. However,
WlseUHIC collects Wlse related end host information.
Get user names from Select this option to allow Collects information only for users, who are logged into the
UNIX hosts Acquisition to collect the active console port of the UNIX hosts.
usernames of UNIX hosts.
UNIX user names are updated at
the end of major acquisitions.
Get user names from hosts Allows LMS to collect active user This option helps you to:
in NT and NDS names on the Windows or Novell
• Collect information only for users who are currently
Directory Service (NDS) servers.
logged into the network.
• Collect information from NDS hosts. You must use
NDS 5.0 or later.
For this option you need to install the UTLite script.

OL-25947-01 7-9
Table 7-2 Acquisition Settings Field Description (continued)

Use DNS to resolve host Resolves host names using DNS. User Tracking performs DNS Lookup for a host to resolve
names its IP address.
When you choose this option the Advanced button is
enabled. Click on this to launch the Advanced UT
Acquisition Settings window.
The following options are available:
• DNS threads
Number of parallel threads allowed for name
resolution. The default value is 1. Maximum number of
threads allowed is 12.
• DNS Timeout
Time duration for which UT waits for a response from
the DNS server, for name resolution. The value should
be entered in milli seconds. The default value is 2000
milliseconds (2 seconds).
Enter values and click OK to save changes.
User Port Number Specify the UDP port number from You must use the default port number unless it is already in
where logon and logoff messages use. This port number must match the port indicated in the
are received from hosts in login script.
Windows and NDS.
Rogue MAC Detection Enable notification when Rogue LMS sends e-mails to the specified addresses, when
MACs are detected in the network. unauthorized end hosts are detected in the network.
E-Mail Specify the E-mail IDs to be You can enter multiple E-mail IDs separated by commas.
notified when Rogue MACs are This field is enabled only when you check the Rogue MAC
detected in the network. Detection field.
Define Rogue MACs Specify the list of Rogue MACs in For details, see Configuring Rogue MAC List.
the screen that is launched.
New MAC Detection Enable notification when new LMS sends e-mails to the specified addresses, when new
MACs are detected in the network. end hosts are detected in the network.
E-Mail Specify the E-mail IDs to be You can enter multiple E-mail IDs separated by commas.
notified when new end hosts are This field is enabled only when you check the New MAC
detected in the network. Detection field.
Step 3 Click Apply to save the modifications in the settings.

Step 4 Click Start Acquisition to start User Tracking Acquisition with the modified settings.

7-10 OL-25947-01
UT Behaviour in DHCP Environment for Missing IP address

Selecting the Enable User Tracking for DHCP Environment property allows you to control inclusion
and exclusion of Duplicate MAC addresses in UT Acquisition.
LMS will not get the IP address of end hosts, if the Router is not reachable or if it is excluded from DCR. In
such cases, behaviour of User Tracking after enabling Enable User Tracking for DHCP Environment
property, is explained in Table 7-3.
The conventions used in Table 7-3 are:
• MACx — MAC address of the endhost
• IPx — IP address of the endhost
• Device x — Device to which the end host is connected.
• Time in xx:xx format — Time entries in the Last seen column
• NA — Not Available.
Note The explanation given for scenarios 1 and 2 holds good, irrespective of the value set for Enable User
Tracking for DHCP Environment property.
Table 7-3 UT Behaviour in DHCP Environment for Missing IP address
Scenario Explanation What gets Updated in Database

Scenario1: Missing IP Address
MAC1 NA Device 1 6:35 For an endhost, if the IP address is MAC1 IP1 Device 1 6:40
MAC1 IP1 Device 1 6:40 not available in the first UT
acquisition, but is available in the
next, the IP address field in the
database is updated with the value
that is currently discovered.
Scenario 2: Missing IP Address
MAC1 IP1 Device 1 6:45 For an endhost, if the IP address is MAC1 IP1 Device 1 6:50
MAC1 NA Device 1 6:50 available in the first UT acquisition,
but is not available in the next, the
older value for IP address is
retained in the database.
Scenario 3: Single MAC, Multiple IP
Addresses
MAC1 IP1 Device 1 6:55 For an endhost with Single MAC MAC1 IP1 Device 1 7:00
MAC1 IP2 Device 1 6:55 address but multiple IP addresses, if MAC1 IP2 Device 1 7:00
UT does not get the IP address in
MAC1 IP3 Device 1 6:55 the current acquisition, it retains the MAC1 IP3 Device 1 7:00
MAC1 NA Device 1 7:00 older values in the database.
Scenario 4: Dynamic change in IP
Address

OL-25947-01 7-11
Table 7-3 UT Behaviour in DHCP Environment for Missing IP address
Scenario Explanation What gets Updated in Database

MAC1 IP1 Device 1 4:00 MAC1 IP1 Device 1 4:00
MAC1 IP2 Device 1 5:00 For an endhost with different IP MAC1 IP2 Device 1 5:00
MAC1 IP3 Device 1 6:00 addresses at different points of MAC1 IP3 Device 1 7:00
time, if UT does not get the IP
MAC1 NA Device 1 7:00 address in the current acquisition, it
retains the value that was last
discovered.
Scenario 5: Endhost moving between
devices
MAC1 IP1 Device 1 4:00 When an end host moves between MAC1 IP1 Device 1 6:00
MAC1 IP1 Device 2 5:00 devices, if UT does not find the IP
address in the current acquisition, it
MAC 1 NA Device 1 6:00 retains the IP address value that was
last discovered for that device.
Configuring Properties That Support Duplicate MAC Addresses

The following properties can be configured in the ut.properties file stored in
NMSROOT/campus/etc/cwsi/
where NMSROOT is the root directory where you installed Cisco Prime.
Table 7-4 lists the properties that support Duplicate MAC Addresses
Table 7-4 Properties Supporting Duplicate MAC Addresses
Property Description
UT.DuplicateMac.Include_SwitchPorts List of switchports connected to endhosts, for which
duplicate MAC entries need to be included in UT Major,
UT Minor, UT device based, and UT subnet based
Acquisition.
UT.DuplicateMac.Exclude_SwitchPorts List of switchports connected to endhosts, for which
duplicate MAC entries need to be excluded in UT Major,
Acquisition.
UT.DuplicateMac.Include_Switches List of switches connected to end hosts, for which
Acquisition.
UT.DuplicateMac.Exclude_Switches List of switches connected to end hosts, for which
Acquisition.
UT.DuplicateMac.Include_Vlans List of VLANs associated with endhosts, for which
Acquisition.

7-12 OL-25947-01
Table 7-4 Properties Supporting Duplicate MAC Addresses
UT.DuplicateMac.Exclude_Vlans List of VLANs associated with endhosts, for which
Acquisition.
UT.DuplicateMac.Include_Subnets List of subnets associated with endhosts, for which
Acquisition.
UT.DuplicateMac.Exclude_Subnets List of subnets associated with endhosts, for which
Acquisition.
For the above list of properties:

• Values should be separated by commas.
• IP addresses of the devices should be given.
• Port numbers should be given along with the device IP address as deviceip:port.
• The Exclude list takes precedence over the Include list.
The usage scenario for the above lists is as follows:
• If you use the Include list OR the Exclude list alone, the duplicate MAC addresses will be included
or excluded as specified.
For example, if you set the Include list as,
UT.DuplicateMac.Include_Switches=X,Y
Duplicate MAC addresses will be allowed only for endhosts connected to Switches X and Y.
Duplicate addresses will not be allowed for any other endhost.
• If you set both Include and Exclude list as,
UT.DuplicateMac.Include_Switches=X,Y
UT.DuplicateMac.Exclude_Switches=A,B
Duplicate MAC addresses will not be allowed for endhosts connected only to Switches A and B.
Duplicate addresses will be allowed for all other end hosts, even for those connected to switches not
specified in the Include list. Thus when an Exclude list is set, the Include list is ignored.
The above examples hold good for the Include/Exclude lists of Switchports, Subnets and VLANs.
• The order of priority for the property list is as follows:
a. SwitchPorts
b. Switches
c. VLANs
d. Subnets

OL-25947-01 7-13
The SwitchPorts list has the highest priority, followed by Switches, VLANs and Subnets list.
For example, if you set
UT.DuplicateMac.Include_SwitchPorts=10.77.211.33:3/2
UT.DuplicateMac.Exclude_Switches=10.77.211.33
Although the switch 10.77.211.33 is in the Exclude list, a switchport belonging to that switch is also
present in the Include list. So Duplicate MAC addresses will be allowed for that port on the switch.
Thus the SwitchPorts list has higher priority over the Switches list.
Configuring User Tracking Properties from the Backend

This section explains the new user configurable properties that have been added to UT.
You can configure properties that control DNS name resolution and history reports, by editing them in
the file ut.properties, stored in
NMSROOT/campus/etc/cwsi/

7-14 OL-25947-01
Table 7-5 lists the new properties added to UT:
Table 7-5 Configuring User Tracking Properties
Property Default Value Description

HistoryHostPurgeTime 10 days Purges history entries that are older than the specified time.
The value should be provided in minutes.
For example,
If you want to purge entries older than 10 days, set
HistoryHostPurgeTime=14400
UT.nameResolution both Name resolution for end hosts using Java APIs JNDI and
InetAddres.This property can have the following values:
• wins (Use only InetAddress)
• dns (Use only JNDI)
• wins,dns (First InetAddress then JNDI)
• both (JNDI first and InetAddress next)
UT.nameResolution.dnsTimeout 2000 Time duration for which UT waits for response from the DNS
server, for name resolution. The value should be entered in
milliseconds.
UT.nameResolution.winsTimeout 2000 Time duration for which UT waits for response from the DNS
server, for name resolution.The value should be entered in
milliseconds.
This property must be enabled only for windows server.
UTMajorUseDNSCache false Uses cache memory for name resolution in subsequent User
Tracking discoveries.
User Tracking performs DNS Lookup for a host only if the IP
address of the host is being resolved for the first time.It does
not perform DNS Lookup for every Major Acquisition.
This helps the application to reduce the number of queries
during User Tracking Acquisition. This in turn reduces the
time taken for Acquisition process.
UT.RunLookupAnalyzer OFF To analyze the performance of DNS servers and provide the
following information in the NMSROOT\log\ut.log file:
• DNS Server Efficiency for each DNS Server
• Overall Summary of DNS Servers
• Namelookup related settings in ut.properties file
• Issues found and recommendations to overcome them
Set the value to ON to turn on the feature.
You need not enable debugging for UT to get the
LookupAnalyzer data in the ut.log file.
For details on running Lookup Analyzer utility from the
command prompt and example output of the utility, see Using
Lookup Analyzer Utility

OL-25947-01 7-15
Configuring Rogue MAC List

MAC Addresses that are not authorized to exist in your network are termed as Rogue MAC addresses.
When you enable the Rogue MAC notification feature, you need to define the list of MAC addresses that
are to be classified as unauthorized addresses in the network.
You can also import MAC addresses to Acceptable OUI either from a file or directly from UT.
If you import the MAC Addresses from a file or directly from UT, the MAC addresses in the file are
converted to OUIs before you add them to the Acceptable OUI list.
To do so:
Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Settings.
The User Tracking Acquisition settings window appears.
Step 2 Click Define Rogue MACs.
The Rogue MAC Configuration window appears. The lists displayed in the window are:
– Rogue MAC/OUI List
– Acceptable MAC/OUI List
Step 3 Click Add MAC/OUI to add new entries to the list.
The Add MAC/OUI window appears.
The Organizationally Unique Identifier (OUI) is a 24-bit number. It is used as an identifier to uniquely
identify the vendor, manufacturer, or a worldwide organization.
An OUI reserves a block of each type of derivative identifier, such as MAC addresses, group addresses,
and Subnetwork Access Protocol identifiers. It is used to identify a network interface controller (NIC),
network protocol, or MAC addresses for Ethernet.
In case of MAC addresses, OUI is combined with a 24-bit number to form the address. The first three
octets of the address are the OUI.

7-16 OL-25947-01
The Add MAC/OUI page is as explained in Table 7-6:

Table 7-6 Populating the MAC/OUI list
Select Mode Provides the following options to add MAC addresses to
MAC/OUI List:
• Manual — Enables you to add MAC/OUI to either the
Acceptable MAC/OUI List or to the Rogue MAC/OUI
list. The Manual Add option is selected by default.
• Import from file — Enables you to import MAC
Addresses from a file to the Acceptable MAC/OUI List
• Import from UT — Enables you to import MAC
Addresses directly from UT to Acceptable MAC/OUI
List
Add MAC/OUI Enter the MAC Address or OUI in the text box provided.
The values should be separated by spaces, tabs, or commas.
You can also enter values on separate lines.
The address can have only hexa decimal numbers separated
by hyphen.
Example:
00-c0-1d-99-06-b6
OUI List Displays predefined values in LMS. You can select values
from the list, to add to the Rogue OUI or Acceptable OUI
list.
To add more values to the list, add them to the Property file:
NMSROOT/campus/etc/cwsi/OUI.properties
where NMSROOT is the directory where you installed
Cisco Prime.
To get the latest OUIs listed by IEEE, see
http://standards.ieee.org/regauth/oui/index.shtml

OL-25947-01 7-17
Step 4 Select any of the following:

• Manual Add
a. Select the required OUIs from the list displayed in OUI List.
b. Click either the Add to Rogue MAC List or the Add to Acceptable MAC List, based on your
requirement.
The MAC or OUIs that you enter in the ADD MAC or in the OUI textbox will be added to the list
that you selected.
• Import From File
a. Click Browse and browse to the folder location and choose the file to be imported
b. Click the Import to Acceptable OUI list.
The MACs are converted to OUIs before you add them to the Acceptable MAC/OUI list.
• Import From UT
Click the Import to Acceptable OUI list. The MACs are converted to OUIs prior to adding them to
the Acceptable MAC/OUI List.
It is mandatory that the file that is imported to Acceptable MAC/OUI list must include the header -
MAC Address followed by MAC Address entries.
For example: In the example, the file to be imported includes a MAC Address column with MAC
Address entries.
MAC Address
MAC 1
MAC 2
MAC 3
The newly added values are reflected in the Rogue MAC Configuration screen.
Step 5 Check Consider unqualified MAC as Rogue
When you check this, LMS treats any new MAC address coming into the network as Rogue MAC. This
is if it is not defined in the Acceptable MAC list.
Step 6 Click any of the following:
• Save
Saves the settings to the server. They come into effect in the next UT Major Acquisition cycle.
– If Dynamic User Tracking is running, notification for new or Rogue MACs detected in the
network, are sent immediately.
– If WLSE is integrated with LMS, notification for wireless MACs detected in the network is sent.
• Delete
Deletes entries.
• Cancel
Cancels changes and closes the window.

7-18 OL-25947-01
Modifying UT Acquisition Schedule

You can modify UT acquisition schedule.
To modify acquisition schedule:
Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Schedule.
The Acquisition Schedule dialog box appears.
Step 2 Start the user tracking major acquisition for all or failed devices as specified below:
• Select either All devices or Failed devices .
• Click Start to start the user tracking major acquisition immediately for the selected devices.
The UT Acquisition Confirmation pop up appears.
• Click OK to start user tracking acquisition. A success message appears. Click OK.
To cancel the user tracking acquisition process, click Cancel.
Step 3 Modify the acquisition schedule as specified in Table 7-7.
Table 7-7 Acquisition Schedule Field Description

Minor Acquisition Specify, in minutes, the periodicity at which a None.
minor acquisition should take place.
Major Acquisition Specify the time at which a major acquisition is to None.
take place.
Specify the days of the week on which a major
acquisition is to be scheduled.
Days, Hour, Min Days on which and the time at which a major You can add new schedules and edit or delete
acquisition is to be carried out. existing schedules.
Recurrence Pattern Select the days of the week on which a major This field is available only when you are adding
acquisition is to be scheduled. or editing a schedule.
Step 4 Select the schedule and do any of the following:

• Click Edit to edit the schedule.
• Click Delete to delete the schedule.
• Click Add to add a new schedule.
Step 5 Click OK to save the changes or Cancel to cancel the changes.
Step 6 Click Apply after adding or editing a schedule.

OL-25947-01 7-19
Modifying Ping Sweep Options

A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine
the range of IP addresses that map to live end hosts (computers). You can use a single ping to find out
whether a specific end host exists on the network.
A Ping Sweep consists of ICMP (Internet Control Message Protocol) ECHO requests sent to multiple
hosts. If a given address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older
and slower methods used to scan a network.
When Ping Sweep is enabled in LMS, the UTPing program in NMSROOT/campus/bin will be invoked
during acquisition to send out a sweep of pings for each subnet.
Before collecting information from a device, the subnets connected to the device are pinged. This serves
as a connectivity check, as well as loads the ARP table of the layer 3 device with the latest information.
After pinging, acquisition process starts collecting end host information from the device.
To modify Ping Sweep options:
Step 1 Select Admin > Collection Settings > User Tracking > Ping Sweep.
The Ping Sweep dialog box appears.
Step 2 Choose any of the following:
• Disable Ping Sweep
• Perform Ping Sweep on all subnets
• Exclude subnets from Ping Sweep
When you choose Exclude subnets from Ping Sweep, select the subnets that you want to exclude
from Ping Sweep. You can select subnets from the list of available subnets and add to the list of
subnets to be excluded.
Step 3 Specify the Wait Interval, if Ping Sweep is enabled.
Wait Interval is the time duration between pinging subnets. The interval ensures that the network is not
flooded with ping packets.
For example, assume that you have included 4 subnets for pinging, and set the wait interval to 10
seconds.
If Subnets 1 and 2 are connected to Device 1, and Subnets 3 and 4 are connected to Device 2, then 10
seconds lapse between pinging Subnets 1 and 2. After pinging both the subnets, acquisition starts on
Device 1. Same happens with Device 2.
Step 4 Click Apply.
User Tracking does not perform Ping Sweep on large subnets.
For more details, see Notes on Ping Sweep Option.

7-20 OL-25947-01
Notes on Ping Sweep Option
User Tracking does not perform Ping Sweep on large subnets, for example, subnets containing Class A
and B addresses. Hence, ARP cache might not have some IP addresses and User Tracking may not
display the IP addresses.
Ping Sweep will not refresh the ARP cache, if firewall or Access Control List is enabled to block the
ICMP packets to the network devices. Hence, User Tracking will not display the IP addresses of the
associated hosts.
In larger subnets, the Ping process leads to numerous ping responses that might increase the traffic on
your network and result in extensive use of network resources.
You can increase the value of the wait interval. Wait interval helps the ping response traffic to settle,
which may appear as Denial Of Service (DOS) or may affect the functioning of router by high CPU
usage.
To perform Ping Sweep on larger subnets, you can:
• Configure a higher value for the ARP cache time-out on the routers. To configure the value, you
must use the arp time-out interface configuration command on devices running Cisco IOS.
• Use any external software, that will enable you to ping the host IP addresses. This will ensure that
when you run User Tracking Acquisition the ARP cache of the router contains the IP addresses.
Configuring UT Subnet Acquisition

You can configure LMS to perform User Tracking Acquisition on selected subnets. These configurations
are used for User Tracking Major Acquisition and Configured Subnets based acquisition. You can choose
to include or exclude specified subnets to perform User Tracking major acquisition.
To configure Subnet acquisition:
Step 1 Select Admin > Collection Settings > User Tracking > Subnet Acquisition Configuration.
The Configure Subnet Acquisition dialog box appears.
Step 2 Select either of the following options:
• Perform acquisition on all subnets
All the subnets are included for User Tracking Major Acquisition. If you select this option do not
perform steps 4 and 5.
Or
• Perform Subnet-based acquisition
The action depends on the Filter value.
Step 3 Select either of the following Filter values:
• Perform major acquisition on selected subnets
All subnets added to the Selected Subnets list are included for User Tracking acquisition.
Or
• Do not perform major acquisition on selected subnets
All subnets added to the Selected Subnets list are excluded for User Tracking acquisition.

OL-25947-01 7-21
Step 4 Select subnets from the list of Available Subnets and add them to the list of Selected Subnets.
In the User Tracking Acquisition Action page (Admin > Collection Settings > User Tracking >
Acquisition Action), the Acquire Only VLAN Specific to Subnet check box is available.
• If you select this check box, only the work stations associated to the VLANs that are mapped to the
• If you do not select this check box, work stations associated to all the available VLANs in the
For more information, see Configuring User Tracking Acquisition Actions.
Step 5 Click Apply.
Deleting User Tracking Purge Policy Details

Using this option, you can modify the time interval and delete entries from the End Host Table, IP Phone
Table, or the History Table from the database.
To delete user tracking purge policy details:
Step 1 Select Admin > Network > Purge Settings > User Tracking Purge Policy.
The Delete Interval dialog box appears.
Step 2 Specify delete intervals for end host, IP phone and history tables.
Step 3 Either:
• Click Delete now to delete the entries immediately.
If you select this step do not perform Step 4.
Or
• Select Delete After Every Major Acquisition.
If you select this option, LMS will delete records older than the specified interval, after every UT
Major Acquisition.
Step 4 Click Apply.

7-22 OL-25947-01
Configuring UT Acquisition in Trunk for End Host Discovery

Normally UT Acquisition discovers end hosts connected only to access ports. If you enable this feature
UT Acquisition discovers end hosts connected to non-link trunk ports also.
LMS classifies trunk ports as follows:
• Link ports — Trunk ports connected to Cisco devices (Switch or Router).
• Non-link ports— Trunk ports connected to end hosts or IP phones.
Scenarios where a Trunk port is connected to an end host:

In a switched network, many clients from different VLANs might access an enterprise resource, such as
a database server.
If the server has only a standard EthernetNIC, it can belong to only one VLAN. Clients that belong to a
different VLAN would have to send their traffic to a router. The router forwards the frames to the
database server. The problem with this approach is the latency introduced by the router.
To overcome this, a trunk-capable NIC card can be placed in the server that understands multiple VLAN
information. With this arrangement, an end station need not send its frame to the router. Instead it can
directly access the file server. This makes the access much faster.
To configure trunk ports:
Step 1 Select Admin > Collection Settings > User Tracking > Acquisition Configuration in Trunk.
The Configure Trunk for End Hosts Discovery page appears.
Step 2 You can:
– Select Enable End Host Discovery on all Trunks to include all non-link trunk ports in UT
Major Acquisition. After choosing this option, go to Step 8.
– Select Enable End Host Discovery on selected Trunks to include only the required set of
non-link trunk ports in UT Major Acquisition. After choosing this option, go to Step 3.
– Select Disable End Host Discovery on Trunks to disable this feature. For this option, only the
end hosts connected to access ports will be discovered by UT Major Acquisition. After choosing
this option, go to Step 8.
Step 3 Select the list of switches where end hosts are connected to trunk ports, from the device selector.
Step 4 Click Show Trunks.
This displays the list of non-link trunk ports from the selected switches. Non-link trunk ports in down
state are also listed here.
If you have selected devices that do not have non-link trunk ports, a message is displayed indicating the
same. Change your selection to devices that have non-link trunk ports and click Show Trunks, to display
the ports. Link ports are not listed here.
Step 5 Select the list of trunk ports where end hosts are connected from the Available Trunks list.
Step 6 Click Add.
The selected ports are displayed under the Selected Trunks list.

OL-25947-01 7-23
Understanding Dynamic Updates
Step 7 Select either

• Discover End Hosts on Trunks to include the selected ports in UT Major Acquisition.
Or
• Do not Discover End Hosts on Trunks to exclude the selected ports from UT Major Acquisition.
Step 8 Click Apply.
This saves the configuration on the server.
After saving the configuration, run Data Collection. End hosts connected to trunk ports will be
discovered in successive UT Major Acquisitions.
For Dynamic User Tracking to track end hosts connected to trunk ports, enable SNMP traps in these
ports. For details on Enabling SNMP traps, see Enabling SNMP Traps on Switch Ports.
Importing Information on End Host Users

You can import from a file, user names and notes for end hosts already discovered.
To import information in end host users:
Step 1 Select Admin > Collection Settings > User Tracking > Table Import.
The End Host Table Import dialog box appears.
Step 2 Specify the name of the file from which you are importing the end host table data.
Step 3 Click Apply.
Note We recommend that you import a .CSV or .txt file. The imported file must have the following mandatory
headers: MAC Address, User Name and Notes.
For example:
MAC1 Peter Finance department

User Tracking generates reports on various functions and attributes of the end hosts and devices
connected to your network that are managed by LMS. These reports are generated by polling the network
at intervals set by the network administrator.
In addition to polling the network at regular intervals, LMS tracks changes in the end hosts and users on
the network to provide real-time updates.
Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps.
When an endhost is connected to a switch managed by LMS, an SNMP MAC notification trap is sent
immediately from the switch to the LMS Server, indicating an ADD event. This trap contains the MAC
address of the end host connected to the switch.

7-24 OL-25947-01
Similarly if an end host is disconnected from a switchport, an SNMP MAC notification trap is sent from
the switch to the LMS indicating a DELETE event. Thus LMS provides real time data about end hosts
coming into and moving out of the network.
Traps from suspended devices are not processed by LMS.
The difference between a UTMajor Acquisition and a Dynamic UT process is:
LMS collects data from the network at regular intervals for UTMajor Acquisition.
In Dynamic UT, the devices send traps to LMS as and when changes happen in the network.
This implies that you need not wait till next UTMajor Acquisition cycle to see the changes that have
happened in your network. This is an improvement over the earlier versions, where updates on endhost
information happened based on the polling cycle.
As a result of Dynamic updates, the following reports contain up-to-date information:
• End-Host Report
Contains information from UT Major Acquisition and the recently added end-hosts.
• History Report
Contains information from UT Major Acquisition and the recently disconnected end-hosts or
end-hosts that have moved between ports or VLANs.
• Switch Port reports
Contains information about the utilization of switch ports.
SNMP Traps are generated when a host is connected to the network, disconnected from the network or
when it moves between VLANs or ports in the network.
To enable the Dynamic Updates feature:

• Switches must be managed by LMS.
• Configure LMS as a primary or secondary receiver of the MAC notifications. For details, see SNMP
MAC Notification Listener.
• Configure all devices to send traps to the Trap Listener port of the LMS server (This is the port
number that you would have configured on LMS Administration screen). For more details, see
Enabling SNMP Traps on Switch Ports.
• Configure DHCP snooping on the switches
Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that filters untrusted
DHCP message received from outside the network or Firewall, and builds and maintains a DHCP
snooping binding table.
LMS queries the CISCO-DHCP-SNOOPING-MIB to get the IP address of the end-host connected.
For details on configuring DHCP, see
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configurati
on/guide/scg.html
• User Tracking collects username and IP address through UTLite for Windows environment. For
more details, see Understanding UTLite.
In a Windows environment you can either install UTLite or configure DHCP snooping to get IP address
of the end host. They can also co-exist.

OL-25947-01 7-25
If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host
connected will be updated only in the next UT Major Acquisition cycle. The ARP cache of the device
should be populated with the IP address, for UT Major Acquisition to discover it.
The User Tracking Dynamic Updates process includes:
• MAC User-Host Information Collector (MACUHIC) Process
• User Tracking Manager (UTManager) Process
• UTLite
MAC User-Host Information Collector (MACUHIC) Process

MAC User-Host Information Collector tracks wired end users dynamically. It receives MAC
notifications from the switches either directly or through LMS or HPOV.
After receiving the MAC notifications, MACUHIC validates the traps as follows:
• Checks whether the traps are generated from a switch managed by LMS.
• Checks whether the source is an access port.
If the traps are from valid sources:
• Updates LMS database.
• Informs UTManager if the trap is received for an ADD event.
User Tracking Manager (UTManager) Process

UTManager receives the information from MACUHIC about the ADD MAC notification trap that is
received. This information is not complete and can be completed using updates from DHCP or UTLite
or from both.
In the UTLite process, UTLite receives details of changes in username, and the time at which the host
has logged in or logged out of the network.
UTLite
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
For complete information, see Understanding UTLite.
When an end-host is connected to your network, the following happens in the background.
1. The switch to which it is connected sends a MAC notification.
2. The MACUHIC process in LMS receives the MAC notification either directly from the switch or
through other applications like LMS Monitor and Troubleshoot module or HPOV.
3. After processing this MAC notification, MACUHIC informs the UTManager.

7-26 OL-25947-01
4. LMS updates the database with the username and IP Address received from the UTLite. Database
does not contain the complete information about the end host.
5. UTManager finds the following details:
– Subnet, VTP domain, VLAN, Port duplex, and port speed from XML files generated after Data
Collection.
– Hostname from DNS Server
LMS updates the database with the complete User Tracking information for the host.
The User Tracking end host history reports, end host reports, reports on switch ports, wireless clients,
duplicate MAC addresses, and duplicate IP addresses, use this updated information while generating
reports.
Viewing Dynamic Updates Process Status

You can check whether the Dynamic Updates processes are running or not.
To check the status:
Step 1 Select Admin > Collection Settings > User Tracking > Dynamic Update Process Status.
The Dynamic Updates Process Status window appears.
If you have started the process already, the status window shows Dynamic Updates Processes are
RUNNING.
Step 2 Click Stop to stop the Dynamic Updates processes.

The Stop button then toggles to Start, and the status window shows Dynamic Updates Processes are
STOPPED. When you stop these processes, LMS stops processing traps sent by devices.
Step 3 Click Start to restart the Dynamic Updates processes.
The Start button again toggles to Stop.
Enabling SNMP Traps on Switch Ports

You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a
host is connected to or disconnected from that port.
Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.
You can configure the ports CLI (see the Appendix Commands to Enable MAC Notification Traps on
Devices ) or Through LMS Interface.
Ensure that you have configured System Identity User under Admin > Trust Management > Multi
Server > System Identity Setup, and the same username and password is configured under Admin >
System > User Management > Local User Setup.
If you do not have Configuration Management functionality enabled on your LMS Server, you have to
manually configure the switches, for the switches to send MAC Notifications to the LMS server.

OL-25947-01 7-27
Note LMS supports only those switches that contain the Management Information Base (MIB) named MAC
Notification, for enabling the SNMP traps.
Through LMS Interface

Prerequisites to enable MAC Notification on switches through LMS UI:
• The switches must be managed by LMS.
If the devices are managed in SNMP version 2 (SNMPv2), you need to configure the Read as well
as the Write community strings to enable MAC Notification in the switches.
• Configure the LMS server secondary credentials in LMS, you can set it up at Admin > Collection
Settings > Config > Secondary Credential Settings. For more details, see Secondary Credentials.
Note LMS configures SNMP MAC Notification version 1 as the default version on switches for Dynamic
Updates.
To enable MAC notification in switches:
Step 1 Select Admin > Collection Settings > User Tracking > Device Trap Configuration.
The Configure Trap on Devices dialog box appears.
Step 2 Select the switches for which you want to enable the traps, from the Device Selector.
Step 3 Click Configure to see the devices that you have selected.
Step 4 Click Configure to configure MAC notification on the ports in the devices.
The Configure MAC-Notification Trap on Ports dialog box appears. Table 7-8 describes the entries in
the Configure MAC-Notification Trap on Ports dialog box.
Table 7-8 Configure MAC-Notification Trap on Ports Field Description
Field Description
Add LMS Server as Trap Check the check box to configure devices, to send SNMP traps to LMS.
Receiver To configure LMS to listen to traps sent from devices, see Configuring
SNMP Trap Listener.
Trap Community Set a community string for the SNMP traps sent by devices. This property
is enabled only when LMS is the Primary receiver for SNMP traps. This
string is added to the list of valid strings in the Dynamic User Tracking
Configuration screen.
Set as Dynamic User Check the check box to make this community string as the default for
Tracking Default future configurations, if LMS is the Primary Trap receiver.
Filter Allows you to filter the ports listed, based on port name, device name and
the device address (IP address of the device).
Trap Receiver Port Port number that you entered for receiving traps.
The default trap receiver port number of the LMS server is 1431.
Port Name of the port.
Access ports as well as Non-link Trunk ports are listed.

7-28 OL-25947-01
Table 7-8 Configure MAC-Notification Trap on Ports Field Description (continued)
Field Description
Device Name Name corresponding to IP address of the switch.
Device Address IP address of the switch.
Rows per page Select to view 10 to 50 rows on a page.
Step 5 Check the check boxes to select the ports that you want to enable SNMP traps.
Step 6 Click Configure to enable the SNMP traps.
An Information window appears.
Step 7 Click OK.
SNMP MAC Notification Listener

You must enable the switches to send SNMP MAC notifications to the listener, to avail the Dynamic
Updates feature. After you enable the switches, you can choose either LMS Monitor and Troubleshoot
module, or HP OpenView (HPOV) as the primary listener for MAC notifications.
• If you select LMS as the Primary listener, the MAC notifications reach the application directly from
the switches.
• If you select LMS as the Secondary listener, (with HPOV or LMS Monitor and Troubleshoot module
as the primary listener), MAC notifications reach LMS through HPOV or LMS Monitor and
Troubleshoot module.
Note Even if the device is managed with SNMPv3, LMS processes only SNMPv1/SNMPv2 traps.
To select the MAC notification listener, see the following sections:

• Configuring SNMP Trap Listener
• HPOV as Primary Listener
• LMS Fault Monitor Module as Primary Listener
Configuring SNMP Trap Listener

LMS receives SNMP traps directly from the switches, unless you configure the port to direct the traps
through HP Open View (HPOV) or Cisco Prime Monitoring Services.
To configure the trap listener:
Step 1 Select Admin > Collection Settings > User Tracking > Trap Listener Configuration.
The Trap Listener Configuration dialog box appears.
Step 2 Check Listen traps from Device to configure the trap reception directly from the devices
This makes LMS as the primary listener for receiving SNMP traps from devices.
OR

OL-25947-01 7-29
Check Listen traps from Fault Monitor/HPOV to receive the traps through these applications.
In this case, LMS Fault Monitor or HPOV act as the primary listener for SNMP traps from devices. They
forward it to LMS which acts as the secondary listener for traps.
If both options are enabled, LMS can receive traps directly from devices, from HPOV and from LMS
Fault Monitor module.
Step 3 Enter the port number of the port through which you want to receive the traps, in the Trap Listener Port
field.
The default trap listener port number of the LMS server is 1431.
Step 4 Click Apply to save the details.
HPOV as Primary Listener

If you select HPOV as the primary listener, you must perform the following to receive the Dynamic
Updates through LMS:
• Install Cisco Works Integration Utility
• Install Trap Adapter for HPOV
The supported versions of HPOV are HPOV 7.50, HPOV 7.51 and HPOV 7.53.
Install Cisco Works Integration Utility

You must have Cisco Prime Integration Utility (Integration Utility) installed on your system. Integration
Utility is a utility that integrates Cisco Prime applications with third-party Network Management
Systems (NMS).
This utility is available as part of the DVD in the LMS 4.0.
This integration utility adds Cisco device icons to topology maps, allows Cisco MIB browsing from
NMS, and sets up menu items on the NMS to launch remotely installed Cisco Prime applications.
See User Guide for Cisco Prime Integration Utility 1.11, for more details on the integration utility.
Note You must install the Integration Utility on the same machine on which you have installed HPOV.
Install Trap Adapter for HPOV

LMS supports Trap Adapter for OpenView on Windows and Solaris operating systems.
To install the adapter on Windows:
Step 1 Locate the TrapListener.conf file in the NMSROOT/campus/hpovadapter/WIN/ directory.

Step 2 Modify the Trap Receiver address and the port number to the LMS values, in the file.
Step 3 Set the LIB environment variable to HP OpenView lib directory.
Step 4 Run the fwdTrap.exe program located in the same directory.
The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.
To install the adapter on Solaris/Soft Appliance:

7-30 OL-25947-01
Step 1 Locate the TrapListener.conf file in the /opt/CSCOpx/campus/hpovadapter/SOL directory.

Step 2 Modify the Trap Receiver address and the port number to the LMS values, in the file.
Step 3 Set the LD_LIBRARY_PATH environment variable to HP OpenView lib directory.
Step 4 Run the fwdTrap program located in the same directory.
The Trap Adapter gets attached to OpenView process and starts sending traps to the LMS server.

OL-25947-01 7-31
Supported Platforms (Operating Systems)

The supported platforms for the HP NNM and HPOV adapters are:
Network Management System Supported Platforms

HP OpenView 9.1 • Solaris 10
• Windows 2008 R2 Standard x 64 Edition
• Windows 2008 R2 Standard x 64 Edition
• Windows Server 2008 x64 with Service Pack 2
• Windows Server 2008 x64 R2 with Service Pack 2
LMS Fault Monitor Module as Primary Listener

If you select Fault Monitor Module as the primary listener, you must perform the following to receive
MAC Notifications.
The default port number of the Fault Monitor Module for receiving Traps from the switches is 9000. You
must configure or verify this port number on the device, for the device to forward the Traps to the Fault
Monitor Module. The trapd.conf file has the details of the port number that receives the Traps from the
Fault Monitor server.
To enable Fault Monitor Module to forward the MAC Notifications, you must modify the trapd.conf file
in the Fault Monitor Module server, at NMSROOT/object/smarts/conf/trapd directory. You can modify
the file through the command line interface or through the application interface.
You can configure the application to forward the MAC Notifications to LMS Server in two ways:
• From LMS
• From the LMS Fault Monitor Server
From LMS
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
The Notification Services page appears.
Step 2 Enter the Hostname and the port number of the LMS server to which you want to forward the MAC
Notifications.
Step 3 Click Apply to configure.
The trapd.conf file is modified and the DFMServer process is restarted.
Note If you configure through Cisco Prime, LMS server receives all Traps including MAC Notification.
From the LMS Fault Monitor Server
Step 1 Access the LMS Fault Monitor server using Telnet.

7-32 OL-25947-01
Step 2 Enter pdterm DfmServer at the command line to stop the LMS Fault Monitor server.
Step 3 Navigate to NMSROOT/object/smarts/conf/trapd directory.
Step 4 Edit the trapd.conf file in the directory to reflect the following changes.
Enter:
FORWARD: address OID generic type specific type \ host [:port] | [:port:community] [host [:port] |
[:port:community] ...], where the explanation for each variable is provided in the trapd.conf file.
Step 5 Enter pdexec DfmServer at the command line to restart the LMS Fault Monitor server.
Configuring Dynamic User Tracking

You can configure certain properties in Dynamic User Tracking to enhance the security of the system.
These properties make the server receive traps only from specified devices and with specified
community strings.
To configure properties for filtering SNMP Traps:
Step 1 Select Admin > Collection Settings > User Tracking > Dynamic User Tracking Configuration.
The Dynamic User Tracking Configuration page appears.
Step 2 Select the Validate SNMP Community check box.
LMS validates the community string in SNMP traps, with the values you have set. You can add
community strings only after checking this check box.
• If you configure a device with SNMP v2 or v1 settings in DCR, then the device is initially queried
with SNMP v2 by LMS. If the query fails, LMS will query the device with SNMP v1.
• If you configure a device with SNMPv3 settings in DCR, then the device is queried with SNMP v3.
However, if the query fails, the same device will not be queried with SNMP v2 or v1.
Step 3 Enter the community string in the Valid Community List text box and click Add.
You can add the community strings one at a time. You can use the Delete button to remove the extra or
erroneous strings.
The default Trap community string that you might have added in the Device Trap configuration screen
is also listed here.
Step 4 Select the Validate Trap Source check box.
LMS validates the source IP Address of the trap. You can add the list of IP Addresses only after checking
this check box.
Step 5 Enter the IP Address in the text box provided and click Add.
You can use the Delete button to delete extra or erroneous entries.
Step 6 Click Apply to save changes to the server.
To revert to the default values, click Reset.
You can use any one of the options to filter SNMP traps.
For example:

OL-25947-01 7-33
Using User Tracking Utility
To process traps from all sources, and that have private or test as the community string, set
Validate SNMP Community = true (by checking the check-box)
Community String = private, test
Validate Trap Source =false
then traps from all sources with community string private or test will be processed by LMS.
To process traps from the listed IP addresses, with the community string private or test set:
Validate SNMP Community =true
Community String = private, test
Validate Trap Source =true
Valid IP Addresses = 10.77.210.211, 10.77.210.212
then traps from the listed IP addresses, with the community string private or test will be processed by
LMS. In this case, LMS first validates the community string, and if it matches, validates the source
address.

Cisco Prime User Tracking Utility (UTU) is a Windows desktop utility that provides quick access to
useful information about users, hosts, or IP Phones discovered by LMS User Tracking application.
• Understanding UTU
• Hardware and Software Requirements for UTU
• Downloading UTU
• Installing UTU
• Accessing UTU
• Configuring UTU
• Searching for Users, Hosts or IP Phones Using UTU
• Uninstalling UTU
• Upgrading to UTU 2.0
• Re-installing UTU 2.0
Understanding UTU
User Tracking Utility (UTU) allows users with Help Desk access to search for users, hosts, or IP Phones
discovered by LMS User Tracking application. UTU comprises a server-side component and a client
utility.
UTU is supported on LMS 3.0 (Campus Manager 5.0.6), LMS 3.1 (Campus Manager 5.1.4), and
LMS 3.2 (Campus Manager 5.2.1). To use UTU in LMS 4.2, Network Topology, Layer 2 Services and
User Tracking must be enabled and accessible through the network.
UTU 2.0 supports silent installation mode for easy deployment. It supports communication with LMS
server in Secure Sockets Layer (SSL) mode.
The following are the list of features supported in the Cisco Prime User Tracking Utility 2.0 release:

7-34 OL-25947-01
Windows Vista Support

Earlier, User Tracking Utility did not work on Windows Vista client systems because of library conflicts.
UTU 2.0 is built on Microsoft .Net Framework and Windows Presentation Foundation (WPF). With this,
UTU 2.0 now works on Windows Vista client systems
Support for Phone Number Search

In this release, UTU supports searching phone numbers in addition to existing search criteria.
Hardware and Software Requirements for UTU

Table 7-9 lists the minimum system requirements for UTU.
Table 7-9 System Requirements for UTU
Requirement
Type Minimum Requirements
System hardware IBM PC-compatible computer with Intel Pentium processor.
System software • Windows 2008
• Windows XP with SP2 or SP3
• Windows Vista
Memory (RAM) 512 MB
Additional • LMS 3.0 (Campus Manager 5.0.6), or LMS 3.1 (Campus Manager 5.1.4), or
required software LMS 3.2 (Campus Manager 5.2.1), or LMS 4.2 (Network Topology, Layer 2
Services and User Tracking)
• Microsoft .Net Runtime 3.5 Service Pack 1
You can download Microsoft .Net Runtime 3.5 Service Pack 1 from
http://www.microsoft.com
Network LMS 3.0 (Campus Manager 5.0.6) or LMS 3.1 (Campus Manager 5.1.4) or LMS
Connectivity 3.2 (Campus Manager 5.2.1) or LMS 4.0 (Network Topology, Layer 2 Services and
User Tracking) must be running, and accessible through the network
Downloading UTU
UTU requires Cisco PrimeUserTrackingUtility2.0.exe file to be downloaded and installed.
To download UTU 2.0:
Step 1 Click http://www.cisco.com/cisco/software/navigator.html.

You must be a registered Cisco.com user to access this Software Download site. The site prompts you to
enter your Cisco.com username and password in the login screen, if you have not logged in already.
Step 2 From the Software Product Category, select Cloud and Systems Management > Routing and
Switching Management > Cisco Prime LAN Management Solution.
Step 3 Select the latest version of Cisco Prime LAN Management Solution.
Step 4 Select the appropriate product software type.

OL-25947-01 7-35
Step 5 Select a product release version from the Latest Releases folder and locate the software update to
download.
Step 6 Locate the file CiscoWorksUserTrackingUtility2.0.zip
This zip file contains CiscoWorksUserTrackingUtility2.0.exe and setup.iss file (required for silent
installation).
Step 7 Click the Download Now button to download and save the device package file to any local directory on
LMS Server.
Step 8 Extract the file using any file extractor such as WinZip.
Installing UTU
You can install UTU 2.0 either in normal installation mode or silent installation mode.
Before you install UTU 2.0, check whether you system meets the requirements mentioned in Hardware
and Software Requirements for UTU.
• Installing UTU in Silent Mode
• Installing UTU in Normal Mode
Installing UTU in Silent Mode

To install UTU in silent mode, run the following command at the command prompt:
exe-location\CiscoWorksUserTrackingUtility2.0.exe –a –s –f1file-location\setup.iss
where
– exe-location is the directory where you have extracted the
CiscoWorksUserTrackingUtility2.0.exe file
– file-location is the directory where you have the setup.iss file.
Do not use space after the -f1 option. Use the complete path for file-location.
For example, if the install directory for UTU is c:\utu, enter the following at the command prompt:
c:\utu\CiscoWorksUserTrackingUtility2.0.exe -a -s -f1c:\utu\setup.iss
Editing Setup.iss File

UTU is installed in the C:\Program Files\CSCOutu2.0 directory, by default.
If you want to install UTU in some other directory, you must edit the content of the setup.iss file. Change
the value of the szDir attribute in the setup.iss file.
For example, if you want to set the installation directory as D:\utu20, change
szDir=C:\Program Files\CSCOutu2.0 to szDir=D:\utu20 in the setup.iss file.
Setup.log File
The setup.log file is created during the installation in the same directory where you have extracted the
setup.iss file.
You should see the setup.log file to check the installation completion status.

7-36 OL-25947-01
The value of the ResultCode attribute in the setup.log informs you whether the installation has completed
successfully. The value 0 denotes that the UTU installation in silent mode is successful.
When the value of the ResultCode attribute is other than 0, you must install UTU again.
Installing UTU in Normal Mode

To install UTU in normal installation mode:
Step 1 Log into the system with local system administrator privileges.
Step 2 Navigate to the directory that contains CiscoWorksUserTrackingUtility2.0.exe.
Step 3 Double-click CiscoWorksUserTrackingUtility2.0.exe to begin installation.
The User Tracking Utility Welcome screen appears.
Step 4 Click Next.
A warning message appears if you have not installed .Net Framework 3.5 SP1.
You can install .Net Framework 3.5 SP1 after terminating the current UTU installation or before
completing the current UTU installation.
Step 5 Click Next.
Step 6 Click Yes.
The Choose Destination Location dialog box appears. By default, UTU is installed in the directory
C:\Program Files\CSCOutu2.0.
Note If you have installed .Net Framework 3.5 SP1 already on the system, the installer directs you to
the Choose Destination dialog box, when you click Next in the User Tracking Utility Welcome
screen.
If you click No in the confirmation message, the warning message appears again stating that you have
not installed .Net Framework 3.5 SP1.
You can download and install .Net Framework 3.5 SP1. and then continue with the UTU installation.
Step 7 Click Next to install UTU in the default directory.
or
a. Click Browse to choose a different directory and click OK.
b. Click Next to continue with the installation.
The installation continues.
Step 8 Click Finish to complete the installation. User Tracking Utility is installed at the destination location
you specified in Step 7 above and a shortcut to UTU is created on the desktop. To access the utility, see
Accessing UTU.

OL-25947-01 7-37
Accessing UTU
To access UTU, click either:
• Start > Programs > Cisco Prime UTU 2.0 > Cisco Prime User Tracking Utility 2.0
Or
• UTU 2.0 shortcut available on the desktop
The UTU band appears. See Figure 7-1 for UTU 2.0 band.
You can also find an icon in the task bar. You can use this icon to restore the UTU band when minimized.
Figure 7-1 User Tracking Utility - Search Band
1 - Settings Icon 2 - Minimize icon

3 - Close icon 4 - UTU task bar icon
After a system restart and during the startup, the system launches the UTU automatically.

7-38 OL-25947-01
Configuring UTU
You must configure UTU to set the Campus Manager (for releases earlier than LMS 4.0), or LMS 4.2
server configurations.
To configure UTU:
Step 1 Click the Settings icon.

Or
a. Right-click the UTU search band.
A popup menu appears.
b. Click Settings.
The Cisco Prime Server Settings dialog box appears.
Step 2 Enter the name or IP Address of the server on which Campus Manager (for releases earlier than LMS
4.0), or LMS 4.2 is installed.
Step 3 Enter the port number of the LMS Server.
The default HTTP port number is 1741.
You can modify the port number if required.
Step 4 Click Enable SSL for communicating with an SSL enabled server.
The port is changed to 443, which is the default port for SSL.
You can modify the port number if required. See Figure 7-2.
Figure 7-2 Enabling SSL
Step 5 Enter a valid Cisco Prime Server user name and password.
This is used to verify the validity of the user when searching for users, hosts, or IP Phones.
Step 6 Confirm the password by re-entering it.
Step 7 Select the Remember me on this computer checkbox if you want the client system to remember your
credentials.
The credentials are preserved only for the current user of Windows system. The credentials are not
available when you log into the Windows system with a different user name.

OL-25947-01 7-39
Searching for Users, Hosts or IP Phones Using UTU

You can use the UTU Search Band to search for the users, hosts, or IP Phones in your network.
Note UTU search is case-insensitive.
To search for users, hosts, or IP Phones:
Step 1 Right-click the UTU search band.

A popup menu appears with the default search criterion Host name/IP Address selected.
Step 2 Select a search criterion from the popup menu.
You can search using:
• User name
• Host name or IP Address
• Device name or IP Address
• MAC Address
• Phone number
The default search criterion is host name or IP Address of the host.
The selected criterion is set for future searches until you change the criterion.
Step 3 Enter any value related to user name, host name, device name, IP Address, Phone number or the MAC
Address in the UTU search field.
For example, you can enter 10.77.208 in the search field.
Step 4 Press Enter.
If your server is not SSL enabled, go to Step 7.
When you query for data from an SSL enabled server, the Certificate Summary dialog box appears.
Step 5 Click Details to view the certificate details.
You can verify the authenticity and correctness of the SSL server here. See Figure 7-3.

7-40 OL-25947-01
Figure 7-3 Certificate Details
You can click Summary to go back to the Certificate Viewer dialog box.
Step 6 Click Yes in the Certificate Viewer dialog box or Certificate Details dialog box to accept and store the
certificate.
SSL connection is established with the server.
If you click No, the certificate is not stored and no connection is established with the server.
Note The Certificate Viewer dialog box appears only for the first time configuration. If you had clicked Yes
the first time, you are not prompted to store the certificate during subsequent sessions.
Step 7 Click the X Record(s) Found button to launch the results window.
X denotes the number of matches found.
For example, if there 4 matches found, the UTU Search band displays 4 Record(s) Found. See
Figure 7-4.

OL-25947-01 7-41
Figure 7-4 UTU Search Band displaying the number of matching records
UTU search returns only the top 500 records if the number of matches exceed 500. You must refine your
search if you want better and more accurate results.
Step 8 Select an entry in the Results window.
UTU displays the search results, which is a list of user names, host names, IP Addresses, or MAC
Addresses, in a Results window.
The Results window has the following options:
• Copy to Clipboard, where you can copy the selected search result record.
• Copy All to Clipboard, where you can copy all the search result records.
• Close, which you can use to close the window.
For a selected search result record, the Results window displays the details as described in:
• Table 7-10 for all search criteria except Phone Number
• Table 7-11 for search based on Phone Number
See Figure 7-5 for MAC Address search results window and Figure 7-6 for IP Phone search results
window.
Table 7-10 Details for Each Entry in Results Window For a User or Host Search
Entry Description
User Name Name of the user logged in to the host.
MAC Address Media Access Control (MAC) address of network interface card in end-user
node.
Host IP Address IP Address of the host.
Host Name Name of the host discovered by User Tracking.
Subnet Subnet to which the host belongs.
Subnet Mask Subnet mask of the host
Device name Name of the switch.
Device IP Address IP Address of the switch
VLAN VLAN to which the port of the switch belongs.
Port Port number to which the host is connected.
Port Description Description of the port number to which the host is connected.
Port State State of the port: Static or Dynamic.
Port Speed Bandwidth of the port of the switch.

7-42 OL-25947-01
Table 7-10 Details for Each Entry in Results Window For a User or Host Search
Entry Description
Port Duplex Port Duplex configuration details on the device.
Last Seen Date and time when User Tracking last found an entry for this user or host
in a switch. Last Seen is displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-5 MAC Address Search Results Window
Table 7-11 Details for Each Entry in Results Window For a Phone Number Search
Entry Description
Phone Number IP Phone number
MAC Address Media Access Control (MAC) address of network interface card on the
phone.
Phone IP Address IP Address of the phone.
CCM Address IP Address of the Cisco Call Manager
Status Status of the phone, as known to Cisco Call Manager
Phone Type Model of the phone. Can be SP30, SP30+, 12S, 12SP, 12SPplus, 30SPplus,
30VIP, SoftPhone, or unknown.
Phone Description Description of the phone.
Device Name Name corresponding to IP Address of device.
Device IP Address IP Address of the device
Port Port number to which the phone is connected.

OL-25947-01 7-43
Table 7-11 Details for Each Entry in Results Window For a Phone Number Search
Entry Description
Port Description Description of the port to which the phone is connected.
Last Seen Date and time when User Tracking last found an entry. Last Seen is
displayed in the format yyyy/mm/dd hh:mm:ss.
Figure 7-6 IP Phone Number Search Results Window
Note The search results for the value you enter in the search field depends on the default search
criteria.
Using Search Patterns for UTU
UTU searches for the users, hosts, or IP Phones that match the search criterion. See Searching for Users,
Hosts or IP Phones Using UTU for more information.
You can search for users, hosts, or IP Phones by entering a search pattern or substring of a search pattern.
For example, entering Cisco displays host names that start with, end with or contain Cisco for a search
on host names.
You do not have to use wildcard character * to match a pattern or substring of the pattern.
To search for a MAC Address, you can use one of the following MAC Address patterns or a substring of
these patterns:
• xxxx.xxxx.xxxx

7-44 OL-25947-01
• xx:xx:xx:xx:xx:xx
• xxxxxxxxxxxx
• xx-xx-xx-xx-xx-xx
Here x denotes a hexadecimal number.
Uninstalling UTU
Ensure that UTU is not running while uninstalling.
If you try to uninstall UTU when it is running, an error message appears and uninstallation terminates.
To uninstall UTU:
Step 1 Select Start > Programs > Cisco Prime UTU 2.0 > Uninstall Cisco Prime User Tracking Utility 2.0
from the windows task bar.
The Uninstallation wizard appears and prompts you to confirm the UTU uninstallation.
Step 2 Click Yes.
The Uninstallation continues.
Step 3 Click Finish to exit the uninstallation wizard.
Upgrading to UTU 2.0

You can install UTU 2.0 on the same system where UTU 1.1.1 is installed.
You can choose to install UTU 2.0 on any directory other than the directory where UTU 1.1.1 is installed.
See Installing UTU for installation instructions.

OL-25947-01 7-45
Re-installing UTU 2.0

Re-installation of UTU 2.0 is supported on the normal mode of installation.
In the normal mode of installation, you are prompted with a confirmation message to continue the
installation. You must provide your inputs to continue the installation.
See Installing UTU for installation instructions.
The user profiles that are created are not lost during re-installation.

7-46 OL-25947-01
CHAPTER 8
Administering Collection Settings
All collection settings like Inventory Collection settings, VRF Lite settings, various SNMP timeout
settings are grouped under the collection settings in the Admin tab in the menu.
• Using the Inventory Job Browser
• Timeout and Retry Settings
• Secondary Credentials
• Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and
PSIRT/EOX System
• PSIRT or End-of-Sale or End-of-Life Data Administration
• Administering VRF Lite
• Modifying Fault Management SNMP Timeout and Retries
• Configuring Fault Management Rediscovery Schedules
• Configuring Event Forensics
• Fault Monitoring Device Administration
• Device Management Functions
• Performance Management SNMP Timeouts and Retry Settings
• IPSLA Application Settings
• Setting Up Archive Management
• Defining the Configuration Collection Settings
• Configuring Transport Protocols
• Overview: Common Syslog Collector
• Viewing Status and Subscribing to a Common Syslog Collector

OL-25947-01 8-1
Chapter 8 Administering Collection Settings
Using the Inventory Job Browser

The Inventory Job Browser displays all user-defined jobs. It also displays the system-defined inventory
collection and polling jobs. You can create and manage inventory jobs using the Job Browser. You can
edit, stop, cancel or delete jobs using this Job Browser.
Note View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform these tasks.
When you install LMS, a default job is defined for Inventory Collection and Inventory Polling.
When the default job runs, LMS evaluates the “all devices” group and executes the job. This way,
whenever new devices are added to the system, these devices are also included in the default
collection/polling job.
For the default system jobs, the device list cannot be edited. You can only change the schedule of those
jobs. Therefore, when a periodic system job for inventory collection or polling is scheduled, the
scheduled job is not displayed in the Inventory Job Browser.
The default system jobs for Inventory Collection and Inventory Polling are created immediately after
installation. However, they may appear in the Inventory Job Browser (Inventory > Job Browsers >
Inventory Collection or Admin > Collection Settings > Inventory > Inventory Jobs) and the LMS Job
Browser (Admin > Jobs > Browser) only after some time has elapsed.
The jobs are displayed in the Job Browser when they are running, or after they are completed, with all
the details such as Job ID, Job Type, and Status.
User-defined jobs, however, are displayed in the Job Browser once they are scheduled, when they are
running, and after they are completed.
You can do the following tasks from the Inventory Job Browser:
• Viewing Job Details
• Creating and Editing an Inventory Collection or Polling Job
• Stopping, Cancelling or Deleting an Inventory Collection or Polling Job

8-2 OL-25947-01
To invoke the Inventory Job Browser, either:

• Select Inventory > Job Browsers > Inventory Collection.
Or
• Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser dialog box appears with a detailed list of all scheduled inventory jobs.
The columns in the Inventory Job Browser dialog box are:
Column Description
Job ID Unique ID assigned to the job by the system, when the job is created. Click on the hyperlink to view the
Job details (see Viewing Job Details.)
Periodic jobs such as 6-hourly, 12-hourly, Daily, Weekly and Monthly, have the job IDs that are in the
number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that
this is the third instance of the job ID 1001.
Job Type Type of job—System Inventory Collection, System Inventory Polling, Inventory Collection and Inventory
Polling.
Status Status of the job—Scheduled, Successful, Failed, Cancelled, Stopped, Running, Missed Start.
The number, within brackets, next to Failed status indicates the count of the devices that had failed for that
job. This count is displayed only if the status is Failed.
For example, If the status displays Failed(5), then the count of devices that had failed is 5.
This count of failed devices is not displayed for jobs restored from LMS 4.1 or earlier versions.
Description Description of the job entered by the job creator. This is a mandatory field. Accepts alphanumeric values.
The field is restricted to 256 characters.
Scheduled at Date and time at which the job was scheduled.
Completed at Date and time at which the job was completed.
Schedule Type Type of schedule for the job:
• Immediate—Runs the report immediately.
• 6 - hourly—Runs the report every 6 hours, starting from the specified time.
• Once—Runs the report once at the specified date and time.
• Weekly—Runs weekly on the specified day of the week and at the specified time.
• Monthly—Runs monthly on the specified day of the month and at the specified time.
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will
start only at 10:00 a.m. on November 3.
Using the Filter by field in the Inventory Job Browser, you can filter the jobs displayed in the browser.

OL-25947-01 8-3
You can filter the jobs using any of the following criteria and clicking Filter:
Filter
Criteria Description
All Select All to display all jobs in the Job Browser
Job ID Select Job ID and enter the whole or the first part of the Job ID(s) that you want to display.
Job Type Select Job Type and then select any one of the following:
• Inventory Polling
• System Inventory Polling
• Inventory Collection
• System Inventory Collection
Status Select Status and then select any one of these:
• Schedule
• Successful
• Failed
• Cancelled
• Stopped
• Running
• Missed Start
Missed start is the status when the job could not run for some reason at the scheduled time.
For example, if the system was down when the job was scheduled to start, when the system comes up
again, the job does not run. This is because the scheduled time for the job has elapsed. The status for the
specified job will be displayed as Missed Start.
Description Select Description and enter the first few letters or the complete description.
Owner Select Owner and enter the user ID or the beginning of the user ID.
Schedule Type Select the Schedule Type and select any one of these:
• Immediate
• Once
• 6-hourly
• 12-hourly
• Daily
• Weekly
• Monthly
Refresh Click on this icon to refresh the Inventory Job Browser.
(Icon)

8-4 OL-25947-01
To perform the following tasks, use the Inventory Job Browser (Table 8-1)
.
Table 8-1 Inventory Browser Buttons, the Tasks they Perform and their Description
Button Task Description

Create Create jobs You can create a new job.
Edit Edit jobs You can edit only a scheduled job.
You can select only one job at a time for editing. If you select more than one job, the Edit button
is disabled.
Cancel Cancel jobs You can cancel a scheduled job. You can select more than one scheduled job to cancel. You are
prompted to confirm the cancellation.
If it is a periodic job, you are prompted to confirm whether you want to cancel only the current
instance of the job or all future instances.
1. Select a periodic job and click Cancel.
The Cancel Confirmation dialog box appears.
2. Select one of the following options:
– Cancel only this instance
– Cancel this and all future instances
3. Click OK.
Stop Stop jobs You can stop a running job.
However, the job will be stopped only after the devices currently being processed are completed.
This is to ensure that no device is left in an inconsistent state.
Delete Delete jobs You can delete a job that has been scheduled, successful, failed, stopped or cancelled. However,
you cannot delete a running job.
You can select more than one job to delete, provided they are scheduled, successful, failed,
stopped, or cancelled jobs. For instance, if you select a failed job and a running job, the Delete
button is disabled.
If you are deleting a scheduled periodic inventory job, the following message is displayed:
If you delete periodic jobs, or instances of a periodic job, that are yet to be
run, the jobs will no longer run, nor will they be scheduled to be run again. You
must recreate the deleted jobs.
You are prompted to confirm the deletion.
Records for Inventory Collection and Polling jobs need to be purged periodically. You can schedule a
default purge job for this purpose, select Admin > Network > Purge Settings > Config Job Purge
Settings.

OL-25947-01 8-5
Viewing Job Details

In the Inventory Job Browser, click on the Job ID hyperlink to view the following job details for
Inventory collection, or polling jobs:
• Job Details—Expand this node to display Job Summary and Job Results for the inventory collection
or polling job.
• Job Summary—Click on this node to view the following for the inventory collection or polling job:
– Job Summary—Displays information about the job type, the job owner, the status of the job, the
start time, the end time, the schedule type, and details of email notification.
– Device Summary—Displays information about the total devices submitted for the job, the
number of devices that were scanned, the number of devices that were pending, the devices that
were successful with change, successful without change, and the failed devices.
Also, the Device Details and Not Attempted information appears.
Not Attempted displays the number of devices for which the Inventory collection module did
not attempt to collect the data.
• Job Results—Displays information about the number of devices scanned, the names of the scanned
devices, the duration of scanning, the average scan time per device, and the job results description,
for the inventory collection or polling job.
To see more details, expand the Job Results node. You will see the following details:
– Failed—If you click on this node, you will see the collective list of failed devices and the reason
for their failure in the right pane, for the inventory collection or polling job.
If you expand this node, the list of failed devices appears.
If you select a device, the right pane displays the device name and the reason for the failure. For
example, Device sensed, but collection failed, or Device not reachable.
– Successful: With Changes
For a Inventory collection job:
Expand the Successful: With Changes node to display a list of devices.
If you select a device, the right pane displays the device name and a hyperlink: View Changes.
If you click on this hyperlink, the Inventory Change Details report appears for the device. The
report displays information about the attribute, the type of change, the time of change, the
previous value and the current value for the collection job.
If you do not expand this node, you will see the collective list of devices with the status Success:
With changes with their View Changes hyperlinks, in the right pane, for the collection job.
There is a View All Changes hyperlink in the right pane. If you click this hyperlink, all the
changes on the devices are displayed.
For a Inventory polling job:
Click on the Successful: With Changes node to display a list of devices that have changes, as a
comma separated list, in your right pane.
When there is a change in the config of a device and when the device is polled, the information
like Collection initated will appear in the job results. A separate job will be created for the
inventory collection as a result of changes occuring in the inventory .

8-6 OL-25947-01
– Successful: Without Changes

If you click on this, you will see as a comma-separated list in your right pane, the devices that
were successful for the inventory collection or polling job.
Note Inventory Poller creates a Collection job when it detects changes.
Creating and Editing an Inventory Collection or Polling Job

To create or edit an Inventory collection or polling job:
Step 1 Either:
• Select Inventory > Job Browsers > Inventory Collection.
Or
• Select Admin > Collection Settings > Inventory > Inventory Jobs.
The Inventory Job Browser appears.
• Click Create.
The Create Inventory Job dialog box appears.
Or
• Select a job and click Edit.
• Device Selector, if you want to schedule report generation for static set of devices
Or
• Group Selector, if you want to schedule report generation for dynamic group of devices.

OL-25947-01 8-7
Step 4 Enter the information required to create a job:
Field Description
Job Type Select either Inventory Collection or Inventory Polling, as required.
Scheduling
Run Type Specifies the type of schedule for the job:
For periodic jobs, the subsequent instances of jobs will run only after the earlier instance of the
job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of
this job will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job
has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November
2, then the next job will start only at 10:00 a.m. on November 3.
If you select Immediate, the date field option will be disabled.
Date 1. Enter the start date in the dd mmm yyyy format, for example, 02 Jul 2004, or click on the cal-
endar icon and select the date.
2. Enter the start time by selecting the hours and minutes from the drop-down list.
The Date field is enabled only if you have selected an option other than Immediate in the Run
Type field.
Job Info
Job Description Enter a description for the report that you are scheduling. This is a mandatory field. Accepts al-
phanumeric values. This field is restricted to 256 characters.
E-mail Enter e-mail addresses to which the job sends messages when the job has run.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box
box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address,

8-8 OL-25947-01
Timeout and Retry Settings
Step 5 Click Submit.

You get a notification that the job has been successfully created, and it appears in the Inventory Job
Browser.
To edit a job, select a scheduled job from the Inventory Job Browser, and click Edit.
The Edit Inventory Job dialog box appears. The Job Type options are disabled. You can however, change
the Scheduling and Job Info fields as required, and click Submit.
The job is edited.
Stopping, Cancelling or Deleting an Inventory Collection or Polling Job

You can stop, cancel or delete Inventory Collection or Polling jobs.
• Stopping a job, see Stop in Table 8-1.
• Cancelling a job, see Cancel in Table 8-1.
• Deleting a job, see Delete in Table 8-1.

This option enables you to set the default values for Inventory, Config timeout and retry settings. These
values are applicable to all devices in LMS.
• SNMP Retry—Number of times that the system should try to access devices with SNMP options.
The default value is 2. The minimum value is zero and the maximum value is 6.
• SNMP Timeout—Amount of time that the system should wait for a device to respond before it tries
to access it again. It refers to the total transaction time of SNMP Packets.
The default value is 2 seconds and the minimum value is zero seconds. There is no maximum value
limit. Changing the SNMP timeout value affects inventory collection.
• Telnet Timeout—Amount of time that the system should wait for a device to respond before it tries
to access it again. It refers to the initial response time required to create a socket.
The default value is 36 seconds and the minimum value is zero seconds. There is no maximum value
limit.
Changing the Telnet timeout value affects inventory collection.
• Natted LMS IP Address—The LMS server ID. This is the translated address of LMS server as seen
from the network where the device resides.
You need to enable support for NAT, in a scenario where LMS tries to contact devices outside the
NAT boundary.
The default value is Not Available.
• TFTP Timeout—Amount of time that the system should wait to get the result status of the copy
operation. Changing the TFTP timeout value affects Config collection.
The default value is 5 and the minimum value is 0 seconds. There is no maximum value limit.
• Read Delay—Amount of time the system will sleep in between each read iteration.
The default read delay is 10 milliseconds.

OL-25947-01 8-9
• Transport Timeout—Amount of time the socket will be blocked for read operation.
The default value is 45000 milliseconds.
• Login Timeout—Amount of time in milliseconds after which it will start reading the user prompt.
• Tune Sleep—Amount of sleep time in milliseconds after sending tune command 3 to 4 times.
• Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It will
wait for the set time before doing the next operation.
To edit the Inventory, Config timeout and retry settings:
Step 1 Select Admin > Network > Timeout and Retry Settings > Config Timeout and Retry Settings.
The Inventory, Config timeout and retry settings page appears.
Step 2 Enter the default values for:
• SNMP Retry
• SNMP Timeout
• Telnet Timeout
• Natted LMS IP Address
• TFTP Timeout
• Read Delay
• Transport Timeout
• Login Timeout
• Tune Sleep
• Delay After Connect
Step 3 Click Apply.
Note Modifying the default timeout values will apply to all the devices and impact the work flows of
all devices. To edit per device level attributes, go to Editing Device Attributes.
Step 4 Click OK.

A confirmation message appears:
The settings are updated successfully
Note When you do a back up restore from LMS 3.x/4.x to LMS 4.2, the inventory, config timeout, and retry
values will not be restored by default. To restore the values for all the devices, edit the default values in
Timeout and Retry settings page. To restore the values for specific devices, go to Admin > Collection
Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings

8-10 OL-25947-01
Secondary Credentials
Secondary Credentials
The LMS server polls and receives two types of credentials from each device and populates the Device
Credential Repository (DCR).These credentials are:
• Primary Credentials
• Secondary Credentials
LMS uses either the primary or secondary credentials to access the devices using the following
protocols:
• Telnet
• SSH
The LMS server first uses the Primary Credentials to access the device. The Primary Credentials is tried
out many times and on failure the Secondary Credentials is tried out. Secondary Credentials is used as
a fallback mechanism in LMS for connecting to devices.
For instance, if the AAA Server is down, accessing devices using their primary credentials will lead to
failure.
You can add or edit the Secondary Credentials information through the DCR page (Select Inventory >
Device Administration > Add / Import / Manage Devices) if the Secondary Credential information is
not available for a device.
Note The use of Secondary Credentials fallback is applicable for both Login and Enable connectivity.
You can use the LMS Secondary Credential dialog box to enable or disable Secondary Credentials
fallback when the Primary Credentials for a device fails. This is a global option which you can use to
enable or disable the use of Secondary Credential fallback for all LMS applications.
To enable or disable the Secondary Credentials fallback:
Step 1 Select Admin > Collection Settings > Config > Secondary Credential Settings.
or
Select Admin > Collection Settings > Inventory > Secondary Credential Settings.
The Secondary Credentials dialog box appears.
Step 2 Do either of the following:
• Check Fallback to Secondary Credentials check box if you want to enable the Secondary
Credential fallback.
Or
• Uncheck Fallback to Secondary Credentials check box if you want to disable the Secondary
Credential fallback.
Step 3 Click either Apply to apply the option or click Cancel to discard the changes.

OL-25947-01 8-11
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX System
Changing the Schedule for System Inventory Collection or

Polling, Compliance Policy and PSIRT/EOX System
At the time of LMS installation, system jobs are created for both Inventory collection and polling, with
their own default schedules. A periodic inventory collection job collects inventory data from all managed
devices and updates your inventory database.
Similarly, the periodic polling polls devices and updates the inventory database. You can change the
schedule of these default, periodic system jobs.
For inventory collection or polling to work, your devices must have accurate read community strings
entered. The changes detected by inventory collection or polling, are reflected in all associated inventory
reports.
• Changing the Schedule for System Inventory Collection or Polling Settings
• Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL settings
Changing the Schedule for System Inventory Collection or Polling Settings

Note that the inventory poller allows you to collect inventory less often. The poller detects most changes
in managed devices, with much less impact on your network. If the poller detects changes, it initiates
inventory collection.
To collect inventory or poll devices as a one-time event or for selected devices only, create user-defined
inventory collection or polling jobs (see Creating and Editing an Inventory Collection or Polling Job).
Step 1 Select Admin > Collection Settings > Inventory > Inventory System Job Schedule.
The System Job Schedule dialog box displays the current collection or polling schedule.
Step 2 Set the new Inventory Collection or Inventory Polling schedule in the respective panes, as in Table 8-2.
Inventory data does not change frequently, so infrequent collection is better. However, if you are
installing much new equipment, you may need more frequent collection.
Infrequent collection reduces the load on your network and managed devices. Collection is also best
done at night or when network activity is low.
Also, make sure your collections do not overlap, by checking their duration using the Inventory Job
Browser (see Using the Inventory Job Browser), and scheduling accordingly.
Step 3 Click Apply.
The new schedule is saved.

8-12 OL-25947-01
Changing the Schedule for System Inventory Collection or Polling, Compliance Policy and PSIRT/EOX
Changing the Schedule for Compliance Policy and PSIRT/EOS and EOL
settings
Step 1 Select Admin > Network > Compliance Policy/PSIRT/EOS/EOL Settings > Compliance Policy and
Psirt/Eox System Job Schedule.
The Compliance Policy and PSIRT/EOX System Job Schedule page appears.
Step 2 Set the new Compliance Policy and PSIRT/EOX schedule in the respective panes, as in Table 8-2.
Step 3 Click Apply.
The new schedule is saved.
Table 8-2 Details of Inventory system schedule and CAAM Policy and PSIRT/EOX System Job Schedule
Field Description
Scheduling
Run Type Select the run type or frequency for inventory collection or polling, CAAM Policy and PSIRT/EOX—Daily,
Weekly, or Monthly.
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job
will run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If
the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.
Date Select the date for the collection or polling to begin, using the date picker.
at Enter the time for the collection or polling to begin, in the hh:mm:ss format.
Job Info
Job Descrip- Has a default Job Description:
tion
If the Job Type is Inventory Collection, the description is, System Inventory Collection Job.
If the Job Type is PSIRT and EOX Or Compliance Policy, the description is, System Compliance Policy and
PSIRT/EOX Job.
E-mail Enter e-mail addresses to which the job sends messages when the collection or polling job has run.
You can enter multiple e-mail addresses, separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin >
System > System Preferences).
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box (Admin
> System > System Preferences).
When the job starts or completes, an e-mail is sent with the E-mail ID as the sender’s address.

OL-25947-01 8-13
PSIRT or End-of-Sale or End-of-Life Data Administration
Compliance Policy and PSIRT/EOX Job Report

Perform the following steps to view the Compliance Policy and PSIRT/EOX Job Report:
Step 1 Go to Admin > Jobs > Browser.

Step 2 Select Type in the Filter by field and SystemPsirtJob in the drop-down list.
Step 3 Click Filter.
The SystemPsirtJob will be filtered and displayed.
Step 4 Click the JOB ID e.g 1005.1 to view the Compliance Policy and PSIRT/EOX Job Report.

Product Security Incident Response Team (PSIRT) of Cisco is a dedicated, global team that manages the
receipt, investigation, and public reporting of security vulnerability-related information, related to Cisco
products and networks.
For every security vulnerability, a PSIRT document is created with a PSIRT Document ID. This
document consists of definitions of the vulnerabilities, the IOS image version that is affect by the PSIRT,
as well as the device that is impacted.
Note System PSIRT job should be successful at least once before generating PSIRT/End-of-Sale or
End-of-Life (EoX) reports. Report job will be successful even though there is no data to display for the
selected devices.
The EoS/EoL reports will be successful but might not contain data in the below scenarios:
1. If the system PSIRT job fails because of wrong Cisco.com credentials, or if you have not
configured the Cisco.com credentials.
2. If the system PSIRT job fails due to problems in the downloaded local XML file.
3. If there is no PSIRT/EoX data in the database for the selected devices.
LMS fetches and collects this PSIRT information from Cisco.com whenever the system PSIRT and
End-of-Sale or End-of-Life (EOX) job runs.
LMS uses PSIRT, End-of-Sale and End-of-Life data from Cisco.com to generate various reports. You
can change the Data Source for PSIRT or End-of-Sale or End-of-Life reports. For more information, see
Changing the Data Source for PSIRT/EOS/EOL Reports.
Changing the Data Source for PSIRT/EOS/EOL Reports

You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or
End-of-Sale or End-of-Life report.
To access this option, select Reports > Fault and Event > PSIRT Summary
• Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com
• Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location

8-14 OL-25947-01
When you schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the
data either from Cisco.com or from a local text file with XML data, depending upon the option you have
set.

OL-25947-01 8-15
To change the PSIRT or End-of-Sale/End-of-Life report settings:
Step 1 Select Admin > Network > PSIRT, EOS and EOL Settings > PSIRT/EOX Reports option.
The PSIRT/EOX Reports dialog box appears.
Step 2 Either:
• Select Cisco.com, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data
from Cisco.com
Or
• Select Local, if you want to generate a PSIRT or End-of-Sale or End-of-Life report using data from
local file.
The local file location is shown if you have selected Local.
Step 3 Click Apply
The PSIRT or End-of-Sale or End-of-Life report can be generated based on the settings specified by you.
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Cisco.com

You can use the Cisco.com option, if you have access to Cisco.com from the LMS server. When you
schedule a PSIRT or End-of-Sale or End-of-Life report, the Report Generator retrieves the data from
Cisco.com. The report so generated consists of latest data from the system PSIRT and EOX job.
If you have opted to generate a PSIRT or End-of-Sale or End-of-Life report using data from Cisco.com,
you must setup the Cisco.com user account using Admin > System > Cisco.com Settings > User
Account Setup. If you do not configure the Cisco.com user account, the System PSIRT and EOX job
will fail.
Note While you schedule a PSIRT Summary report job or End-of-Sale or End-of-Life job using the Cisco.com
method, the Cisco.com Username, Cisco.com Password are enabled. If you have configured the Proxy
Server (Admin > System > Cisco.com Settings > Proxy Server Setup) then Proxy Username and Proxy
Password fields are also enabled.
Generating PSIRT/End-of-Sale/End-of-Life Report using Data from Local File Location

You can use the Local option, if you do not have an internet connection from the LMS server. The local
file is a text file with XML data in it.
Downloading the text file with XML data from Cisco.com

You can retrieve the PSIRT or End-of-Sale or End-of-Life information from an external server and store
it in the local file location on the LMS server.
To download the text file with XML data from Cisco.com:
1. Use a server other than LMS server with internet connection as the external server.
2. From this external server, access the following link to download the XML data:

8-16 OL-25947-01
For EoS/EoL Hardware Report:

1. Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwar
eid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=l
atest#
2. Login to Cisco.com by entering the Cisco.com user name and password.
3. Download the PSIRT_EOX_OFFLINE.zip file.
4. Extract the text file with XML data to the external server.
5. Copy the text file from the external server into the LMS Server under:
– On Solaris/Soft Appliance,
/var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
– On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
The text file with XML data gets saved under local_xml folder.
Where NMSROOT is the default Cisco Prime installation directory.
For EoS/EoL Software Report:
1. Go to
http://www.cisco.com/cisco/software/release.html?mdfid=282253606&flowid=5144&softwar
eid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&rellifecycle=&reltype=l
atest#
2. Login to Cisco.com by entering the Cisco.com user name and password.
3. Download the EOX_SOFTWARE.zip file to the external server.
4. Copy the EOX_SOFTWARE.zip file from the external server into the LMS Server under:
– On Solaris/Soft Appliance,
/var/adm/CSCOpx/files/rme/jobs/inventory/reports/EOX_PSIRT/local_xml
– On Windows, NMSROOT\files\rme\jobs\inventory\reports\EOX_PSIRT\local_xml
Note You must not extract the EOX_SOFTWARE.zip file in the LMS Server.
The EOX_SOFTWARE.zip file gets saved under local_xml folder.

Where NMSROOT is the default Cisco Prime installation directory.
When you schedule a PSIRT or End-of-Sale/End-of-Life report, the Report Generator retrieves the data
from the XML file.
To ensure that the data shown in the PSIRT or End-of-Sale or End-of-Life report is the latest:
1. Retrieve the PSIRT or End-of-Sale or End-of-Life information from Cisco.com using an external
server which has internet connection.
2. Store this retrieved XML information in the local file location.
3. Then generate a PSIRT Summary Report or End-of-Sale or End-of-Life report.
For more information, see:
– Downloading the text file with XML data from Cisco.com

OL-25947-01 8-17
Administering VRF Lite

From the Admin tab in the mega menu you can administer the following features of VRF Lite:
• Provide VRF Lite Collector Settings. For details, see Using VRF Lite Collector Settings.
• Schedule VRF Lite Collection. For details, see Scheduling VRF Lite Collector.
• Modify SNMP Timeouts and Retries. For details, see Modifying VRF Lite SNMP Timeouts and
Retries.
You can specify the debugging options for VRF Lite Server, VRF Lite Collector, and VRF Lite, select
Admin > System > Debug Settings.
You can view the status of VRF Lite jobs, select Admin > Jobs > Browser, and use the filter to view
only VRF Lite jobs.
You can configure purging interval for Virtual Network Manager Report Jobs and Archives, select
Admin > Network > Purge Settings > VRF Management Purge Settings. For details, see Purging
VRF Management Reports Jobs and Archived Reports.
• Using VRF Lite Collector Settings
• Scheduling VRF Lite Collector
• Modifying VRF Lite SNMP Timeouts and Retries
Using VRF Lite Collector Settings

You can perform the following administrative tasks using the VRF Lite Collector Settings page:
• Schedule VRF Lite Collector
You can schedule the VRF Lite Collector process to run after every Data Collection. The VRF Lite
Collector process is scheduled to collect VRF Lite-specific details of the VRF Lite Capable and VRF
Lite Supported devices. You can add, edit and delete VRF Lite Collector Schedule jobs.
To schedule the VRF Lite Collection process, click Schedule VRF Lite Collector link.
For details, see Scheduling VRF Lite Collector.
• VRF Lite SNMP Timeouts and Retries Settings
You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular
device with SNMP timeout exceptions. To modify the VRF Lite SNMP Timeouts and Retries
Settings, click VRF Lite SNMP Timeouts and Retries Settings link.
For details, see Modifying VRF Lite SNMP Timeouts and Retries.

8-18 OL-25947-01
Scheduling VRF Lite Collector

You can schedule the day and the time of VRF Lite Collection using this feature. You can add a new
schedule, edit or delete existing schedules.
To schedule VRF Lite Collector:
Step 1 Select Admin > Collection Settings > VRF Lite > VRF Lite Collector Schedule.
The VRF Lite Collector Schedule dialog box appears.
Step 2 Enter the details as mentioned in Table 8-3.
Table 8-3 VRF Lite Collection Schedule Settings

Schedule
Run VRF Lite Allows you to enable or disable VRF Lite • Enable: Check the check box to enable VRF Lite
Collector After Collection after every Data Collection. Collection after every Data Collection and click Apply.
Every Data The VRF Lite Collection collects VRF • Disable: Uncheck the check box to disable VRF Lite
Collection Lite-specific details. Collection after every Data Collection and click Apply.
Job ID Job ID of the VRF Lite Collector Schedule Display only.
job.
Schedule VRF Lite Collector
Days, Hour, Min Days on which and the time at which VRF The optimum VRF Lite collection schedule depends on the
Lite collection is scheduled. size of the network and the frequency of network changes.
By default, the VRF Lite collection process is scheduled to
run after the Data Collection process has completed.
Recurrence Select the days of the week on which VRF This field is available only when you are adding or editing a
Pattern Lite collection is to be scheduled. schedule.
Job Description Description of the VRF Lite Collector Enter the description of the VRF Lite Collector Schedule job.
Schedule job.
• Select a schedule and click Edit to edit the schedule

• Select a schedule and click Delete to delete the schedule
• Click Add to add a new schedule
Step 3 Click OK to save the details
Or
Click Cancel to exit the VRF Lite Collection Schedule dialog box.
You can view the status of VRF Lite Collector Schedule job, select Admin > Jobs > Browser, and use
the filter to view VRF Lite Collector Schedule job.

OL-25947-01 8-19
Modifying VRF Lite SNMP Timeouts and Retries

You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular device
with SNMP timeout exceptions.
To modify SNMP timeouts and retries:
Step 1 Select Admin > Network > Timeout and Retry Settings > VRF Lite SNMP Timeouts and Retries.
The VRF Lite SNMP Timeouts and Retries dialog box appears.
Step 2 Modify the SNMP settings as given in Table 8-4.
Table 8-4 Modify VRF Lite SNMP Timeouts and Retries
Field Description
Target IP address of the target device. For example, 10.*.*.*
Timeouts Time period after which the query times out.
This also indicates the time interval between the request and the first initial
response from the device.
The SNMP response may be slow for remote devices. If your network has
remote devices connected over a slow link, configure a higher value for
time-out.
If Time out is increased, Discovery time could also increase. Enter the value
in seconds. The allowed range is 0-60.
For every retry, the Timeout value is doubled.
For example, If the Timeout is 10 seconds and retries 4:
LMS waits for 10 seconds for response for the first try, 20 seconds for the
second retry, 40 seconds for the third retry and 80 seconds for the fourth
retry.
150 seconds (10+20+40+80) is the total time lapse after which Virtual
Network Manager stops querying the device.
Retries Number of attempts made to query the device. The allowed range is 0-8.
Step 3 Click Add to add VRF Lite SNMP settings.

Step 4 Select a row and either:
• Click Edit to edit the VRF Lite SNMP Timeouts and Retries value.
Or
• Click Delete to delete the VRF Lite SNMP Timeouts and Retries value.
Click OK to save the changes or click Cancel to exit.
Step 5 Click Apply.

8-20 OL-25947-01
Modifying Fault Management SNMP Timeout and Retries
Modifying Fault Management SNMP Timeout and Retries

If an SNMP query does not respond in time, Fault Management will time out. It will then retry contacting
the device for as many times as displayed when you select Admin > Network > Timeout and Retry
Settings > Fault Management SNMP Timeouts and Retries.
The timeout period is doubled for every subsequent retry. For example, if the timeout value is 4 seconds
and the retries value is 3, LMS waits for 4 seconds before the first retry, 8 seconds before the second
retry, and 16 seconds before the third retry.
The SNMP timeout and retries are global settings.
The default values are:
• Timeout—4 seconds
• Retries—3
Note Changing the settings on this page will modify the settings on all devices managed by LMS.
Note Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
To modify the Fault Management SNMP timeout and retries:
Step 1 Select Admin > Network > Timeout and Retry Settings > Fault Management SNMP Timeouts and
Retries. The SNMP Configuration page appears.
Step 2 Select a new SNMP timeout setting.
Step 3 Select a new Number of Retries setting.
Step 4 Click Apply.
Step 5 In the confirmation box, click Yes.

OL-25947-01 8-21
Configuring Fault Management Rediscovery Schedules

Note Your login determines whether or not you can perform this task. View Permission Report (Reports >
System > Users > Permission) to check if you have the required privileges to perform this task.
LMS rediscovery probes the devices to discover their configuration and verify their manageable
elements in inventory.
LMS contains a default discovery schedule that starts rediscovery on a weekly basis. Although you
cannot modify the default discovery schedule, you can suspend it and add, modify, or delete additional
schedules.
For more information, see
• Suspending and Resuming a Rediscovery Schedule
• Adding and Modifying a Rediscovery Schedule
Suspending and Resuming a Rediscovery Schedule

LMS includes a default rediscovery schedule, Default_Schedule. You cannot edit or delete
Default_Schedule, but you can suspend it. To completely suspend rediscovery for a period of time, you
may have to repeat this procedure to suspend multiple schedules.
To suspend and resume a rediscovery schedule:
Step 1 Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
The Rediscovery Schedule page appears.
Step 2 You can either:
• Select a schedule that does not have a Suspended status, and click Suspend.
The status for the schedule changes to Suspended and the schedule does not run until you resume
the schedule. The schedule remains listed on the Rediscovery Schedule page until you delete it.
Or
• Select a schedule with a status of Suspended and click Resume.
The status for the schedule changes to Scheduled.

8-22 OL-25947-01
Adding and Modifying a Rediscovery Schedule

See Performing Scheduling Tasks to plan the rediscovery schedule for maximum efficiency and
minimum system impact.
Performing Scheduling Tasks

You should plan the rediscovery schedule for maximum efficiency and minimum system impact.
When LMS is first installed, for the Fault Management module most tasks listed in Table 8-5 are
scheduled by default to ensure that they do not run concurrently. You can configure the schedules for
these tasks to meet the requirements of your site. However, you should still avoid running them
concurrently.
Table 8-5 Scheduling Considerations
Configuration
Task Default Schedule Comments and Notes
Database purging Run daily at The amount of time it takes to purge the database
midnight. depends on the size of the database.
For more information on how to configure the Daily
Fault History Purging Schedule, see Configuring the
Daily Fault History Purging Schedule.
Rediscovery Run weekly on By default, rediscovery starts 2 hours after database
Monday at 2:00 a.m. purging.
In addition to configuring schedules, a system administrator can schedule database backups. Be careful
while coordinating the database backup schedule to avoid running concurrently with the tasks listed in
Table 8-5.
To add or edit a rediscovery schedule:
Step 1 Select Admin > Collection Settings > Fault > Fault Management Rediscovery Schedule.
• Click Add.
Or
• Select a rediscovery schedule with a status of Scheduled and click Edit. You cannot edit
Default_Schedule.
Step 3 Enter a name for the schedule.
Step 4 Select how often the schedule should run:
• Once
• Daily
• Weekly (default)
• Monthly

OL-25947-01 8-23
Configuring Event Forensics
Step 5 Select the date, hour, and minute on which to start the rediscovery schedule and click Next.
Step 6 Review the information on the Schedule Summary page and click Finish. The Rediscovery Schedule
page appears, listing the new schedule.
Deleting a Rediscovery Schedule

To delete a rediscovery schedule:
Step 1 Select a rediscovery schedule and click Delete.

A confirmation dialog box appears.
Note You cannot delete Default_Schedule.
Step 2 Click Yes. The job is removed from this page. However, it will continue to be listed in the main Job
Browser.
Configuring Event Forensics

Event Forensics refer to additional information related to the specific events that are polled by LMS
server. The polled data are stored on the server and you can use this for troubleshooting.
You must enable the Event Forensics collection feature on LMS server to start collecting the event
forensics data.
To enable collection of Event Forensics:
Step 1 Click Admin > Collection Settings > Fault > Fault Event Forensics Configuration. The Event
Forensics Configuration page appears.
Step 2 Select the Event Forensics Enable check box to enable LMS to collect forensics data.
Step 3 Click Apply.
LMS polls for Event Forensics data for the following events only:
• Device unavailability or unresponsiveness
• Flapping
• Operationally Down
To view the event forensics results select Monitor > Monitoring Tools > Fault Monitor. You can see
the event forensics results when you move your mouse over the Annotations in the Faults table of Fault
Monitor Device Fault Summary view tab.

8-24 OL-25947-01
Fault Monitoring Device Administration
Fault Monitoring Device Administration

To rediscover and delete specific devices, select Admin > Collection Settings > Fault > Fault
Monitoring Device Administration.
The Fault Monitoring Device Administration page contains two panes.
• The left pane displays a device selector, from which you select the device or group that you want to
rediscover or delete. The left pane includes a search option
• The right pane displays the information for the selected object.
Click the Refresh button to refresh the view.
Note If the IP addresses of the device and its components such as interface or port are added separately in
DCR then only device IP will be managed in fault Management and the components IP will not be
managed separately as the components are already managed under the device IP.
The devices that appear in the device selector are organized in folders by device state as shown in the
Table 8-6. The folders appear only if there is a device to go in the folder.
Table 8-6 Device Summary and Device States
Heading Description
Status Lists the state the devices are in, from the following possibilities:
Known The device has been successfully imported, and is fully managed by Fault
Management.
Learning Fault Management is discovering the device. This is the beginning state,
when the device is first added or is being rediscovered. Some of the data
collectors may still be gathering device information.
Questioned Fault Management cannot successfully manage the device.
Pending The device is being deleted. (Fault Management is waiting for
confirmation from all of its data collectors before purging the device and
its details.)
Unknown IPv6 device or the selected algorithm is not supported in Fault
Management.
Rediscovering Devices
When rediscovery takes place, if there are any changes to a device or group configuration, the new
settings will overwrite any previous settings.
Rediscovery occurs only for managed devices, and not suspended devices.
Rediscovery also occurs when:
• Inventory collection occurs. This is controlled by the Rediscovery Schedule (Admin > Collection
Settings > Fault > Fault Management Rediscovery Schedule)
• A device is added to the DCR, or a change is made to a device in the DCR, and LMS is configured
to import that device type (or LMS automatically imports all DCR devices). Such DCR changes
include a device being deleted or having its credentials (IP address, SNMP credentials, MDF type)
changed in the DCR.

OL-25947-01 8-25
Device Management Functions
• A device is manually added to LMS using the Device Import page.
Note Do not confuse the LMS discovery process with the DCR synchronization process. LMS Discovery and
Rediscovery is a process that affects only the LMS inventory.
To rediscover devices:
Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.
Step 2 Select the device or group that you want to rediscover.
With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the device selector.
Note If you are connecting to the LMS server for the first time, a Security Alert window is displayed
after you select nearly any option. Do not proceed without viewing and installing the security
certificate. You should contact a user with System Administrator privileges to create a
self-signed security certificate, and then install it. If you do not install the self-signed security
certificate, you may not be able to access some LMS application pages.
Step 3 Click Rediscover.

Rediscovery starts. To view rediscovery status, select Inventory > Device Administration > Manage
Device State.
Note If the number of components managed by fault management exceeds 40000/domain then the remaining
devices will be moved to Question State with the error message “Network Adapter Limit Exceeded”.
Question State Device Report

Creating a question state device report involves the following steps:
Step 1 Select Admin > Collection Settings > Fault > Fault Monitoring Device Administration. The Fault
Monitoring Device Administration page appears.
Step 2 Click Question State Devie Report.
The question state device report containing the device name, device IP, discovery start time and error
details is displayed.
Device Management Functions

Till LMS 3.2 there were 8 different applications like Common Services, Portal and applications covering
functionalities in FCAPS model.

8-26 OL-25947-01
Performance Management SNMP Timeouts and Retry Settings
LMS 4.2 removes application boundaries and provides tighter integration among the components. It
groups all the related functionalities in one place, thus making the product more user friendly.
LMS 4.2 consists of the following five functionalities:
To view the functionality settings:
Select Admin > System > Device Management Functions.
By default, all the functions will be enabled.
If you have a 10K license, only Inventory, Config and Image Management will function. You should
disable all functions except Inventory, Config and Image Management from this page.
Note If you disable a function, the function will stop collecting device information. For IPSLA Management,
history data will be deleted.
Performance Management SNMP Timeouts and Retry

Settings
Cisco Prime LMS allows you to configure the Performance Management SNMP timeout and SNMP
retries using the Poll Settings option. The Performance Management SNMP timeout and SNMP retries
are based on the device and network response time.
• SNMP timeout is the duration of time that LMS waits for the device to respond before it retries to
query the device again.
• SNMP retry is the maximum number of times LMS retries to query the device.
You can also set the notification interval time in case of poller failures and the e-mail ID to which the
notification should be sent.
You can also configure Poll Settings to send the polling failure report as an e-mail.
To configure Poll Settings:
Step 1 Select Admin > Network > Timeout and Retry Settings > Performance Management SNMP
timeouts and retry settings.
The Poll Settings dialog box appears.
Table 8-7 describes the fields in the Poll Settings dialog box.

OL-25947-01 8-27
IPSLA Application Settings
Table 8-7 Poll Settings Fields
Field Description
Poll Details
SNMP Timeout Specify the SNMP timeout interval in seconds.
The default SNMP timeout value is 3 seconds. You can change the default
SNMP timeout value to a value between 1 to 15 seconds.
SNMP Retries Specify the SNMP retries count.
The default SNMP retry count value is 1. You can set the default SNMP retry
count to a value from 0 to 3.
Polling Failure
Notification Interval Specify the polling failure notification interval.
You can select any of these predefined values. The default option is 6 hours.
• 01 - Hour—Polling failures notified every 1 hour.
• 06 - Hours—Polling failures notified every 6 hours.
• Weekly—Polling failures notified every week.
Polling failure notification report is generated periodically based on
notification interval. This report contains information on the SNMP polling
failures with device details.
E-mail ID Enter the e-mail address.
The E-mail address must be in the format: user@domain.com.
The poll failure report is send to the E-mail address based on the Notification
Interval.
Step 2 Update the necessary fields in the following panes:

• Poll Details
• Polling Failure
See Table 8-7 for the description of fields that appear in the Poll Settings dialog box.
Step 3 Click Apply to update the poll settings or Reset to cancel the poll settings.
A message appears confirming that poll settings are updated successfully.

The IPSLA Application Settings page allows you to copy IP SLA (Internet Protocol Service Level
Agreement) configuration to running-config, and set managed source interface.
• Copying IPSLA Configuration to Running-Config
• Managed Source Interface Setting

8-28 OL-25947-01
Copying IPSLA Configuration to Running-Config

You can see the IPSLA (Internet Protocol Service Level Agreement) probes for the collectors that you
configure in LMS at the command line interface of the router in the running configuration by selecting
the Copy IP SLA Configuration to running-config option on the Application Settings page.
This option is not selected by default. You cannot view the IPSLA probes in the running configuration
of the source router if this option is not set.
Note The IP SLA probes are automatically reconfigured when you reboot if you have selected this option and
saved the IP SLA probes of the LMS collectors in the startup configuration.
To view the configured collectors in the running configuration:
Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings.
The IPSLA Application Settings page appears.
Step 2 Select the Copy IPSLA Configuration to Running-config check box.
Step 3 Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Step 4 Click OK.
Managed Source Interface Setting

Managed Source Interface configures the source router with appropriate IP address for sending/receiving
the IPSLA (Internet Protocol Service Level Agreement) operation packets.
You can set a source interface address for the source router by selecting the Use Managed Source
Interface Address option on the Application Settings page. After this option is set, the source router uses
the managed interface address while configuring the collectors on the source device.
However, you can also specify a source interface address while configuring a collector. In this case, the
source router uses the specified interface. If the Use Managed Source Interface option is not set, then by
default, the source router selects the source interface for the collector from the Routing Table based on
the IP address of the destination.
To set a source interface address:
Step 1 Select Admin > Collection Settings > Performance > IPSLA application settings.
The Application Settings page appears.
Step 2 Select the Use Managed Source Interface Address check box.
Step 3 Click Apply. A message appears that the application settings have been modified successfully.
Click Default to retain the default settings.
Step 4 Click OK.

OL-25947-01 8-29
Setting Up Archive Management

You can move the directory for archiving the LMS device configuration and enable and disable the usage
of Shadow directory. You can also list the commands that need to be excluded while comparing
configuration
To do this select Configuration > Configuration Archive > Summary.
• Preparing to Use the Archive Management
• Entering Device Credentials
• Modifying Device Configurations
• Modifying Device Security
• Moving the Configuration Archive Directory
• Enabling and Disabling the Shadow Directory
• Configuring Exclude Commands
• Configuring Fetch Settings
Preparing to Use the Archive Management

Before you start using the Archive Management, you must:
• Enter Device Credentials (See Entering Device Credentials for details)
• Modify Device Configurations (See Modifying Device Configurations for details)
• Modify Device Security (See Modifying Device Security for details)
Entering Device Credentials

Enter the following device credentials in the Device and Credentials window (Admin > Network >
Configuration Job Settings > Config Job Policies):
• Read and write community strings
• Primary Username and Password
• Primary Enable Password
If you have enabled the Enable Job Password option in the Config Job Policy dialog box (Admin >
Network > Configuration Job Settings > Config Job Policies) when you scheduled the Config jobs,
you are prompted for the following device credentials:
• Login User name
• Login Password
• Enable Password

8-30 OL-25947-01
The supported Device authentication prompts are:

• Routers
“Username:”, “Username: ”
“Password:”, “Password: ”
• Switches
“username: ”, “Username: ”
“password: ”, "Password: ”
• Cisco Interfaces and Modules—Network Analysis Modules
“login: ”
“Password: ” “password: ”
• Security and VPN—PIX
“username: ”, “Username: ”
“passwd: ”, “password: ”, “Password: ”
• Content Networking—Content Service Switch
“Username: ”, “username: ”, “login: ”,“Username:” , “username:” , “login:”
“Password: ”, “password: ”, “passwd: ”,”Password:” , “password:” , “passwd:”
• Content Networking—Content Engine
“Username: ” ,”login: ”
“Password: ”
• Storage Networking—MDS Devices
“Username:”, “Username: ”
“Password:”, “Password: ”
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you
may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See Handling Custom Telnet Prompts for more
information.
Handling Custom Telnet Prompts

To handle custom telnet prompts in applications, you must configure the TacacsPrompts.ini file located
at:
NMSROOT/objects/cmf/data (on Solaris/Soft Appliance)
NMSROOT \objects\cmf\data (on Windows)
where NMSROOT is the location where you have installed Cisco Prime LMS.
The format of this ini file is:
[TELNET]
USERNAME_PROMPT=
PASSWORD_PROMPT=

OL-25947-01 8-31
For example, if you have configured username and password prompts as MyUserName: and
MyPassword: for a few devices and SecretUserName: and Secrect Password: for a few devices, the ini
file must be configured as:
[TELNET]
USERNAME_PROMPT=MyUsername:, Secret Username:
PASSWORD_PROMPT=MyPassword:, Secret Password:
Note You need not add the default Username prompt and Password prompt in the TacacsPrompts.ini file. Only
the custom prompts need to be added.
Modifying Device Configurations

To enable the configuration archive to gather the configurations, modify the device configurations for
the following:
• Enabling rcp
• Enabling scp
• Enabling https
• Configuring Devices to Send Syslogs
Enabling rcp
To enable the configuration archive to gather the configurations using the rcp protocol, modify your
device configurations.
Make sure the devices are rcp-enabled by entering the following commands in the device configurations:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
Where ip_address | host is the IP address/hostname of the machine where LMS is installed.
Alternatively, you can enter the hostname instead of the IP address. The default remote_username and
local_username are cwuser.
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS
server. To do this, use the command,
no ip rcmd domain-lookup for rcp to fetch the device configuration.

8-32 OL-25947-01
Enabling scp
To enable the configuration archive to gather the configurations using the scp protocol, modify your
device configurations.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
username admin privilege 15 password 0 system

ip ssh authentication-retries 4
ip scp server enable
To configure TACACS User name:
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
User on the TACACS Server should be configured with priv level 15:
user = admin {
default service = permit
login = cleartext "system"
service = exec {
priv-lvl = 15
}
}
Enabling https
To enable the configuration archive to gather the configurations using https protocol you must modify
your device configurations.
To modify the device configuration, follow the procedure as described in this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notices_list.html
Configuring Devices to Send Syslogs

Configure your devices for Syslog Analysis if you want the device configurations to be gathered and
stored automatically in the configuration archive when Syslog messages are received.
After you perform these tasks and the devices become managed, the configuration files are collected and
stored in the configuration archive.

OL-25947-01 8-33
Modifying Device Security

Configuration Management must be able to run certain commands on devices to archive their
configurations.
You must have the required permissions to run these Configuration Management commands:
• Router Commands
• Switches Commands
• Content Networking—Content Service Switch Commands
• Content Networking—Content Engine Commands
• Cisco Interfaces and Modules—Network Analysis Modules
• Security and VPN—PIX Devices
For example, you can use the LMS server to access the devices using Telnet or SSH to archive their
configurations. Ensure that the user credentials provided by you in DCR has the required permissions to
access the devices and execute the above mentioned configuration CLI commands on the devices to fetch
the configurations.
These configuration information fetched from the devices by the LMS server is stored in the LMS
database.
Router Commands
Command Description
terminal length 0 Sets the number of lines on the current terminal screen for the
current session
terminal width 0 Sets the number of character columns on the terminal screen for the
current line for a session
show privilege Displays your current level of privilege
Show running Gets running configuration.
Show startup Gets startup configuration
Show running-brief1 Gets the running configuration in brief by excluding the encryption
keys.
1. This is applicable for the IOS release 12.3(7)T release or later.
The commands in the above tables also apply to the following device types:
• Optical Networking
• Broadband Cable
• Wireless
• Storage Networking

8-34 OL-25947-01
Switches Commands
The switches commands are:
Command Description
set length 0 Configures the number of lines in the terminal display screen
set logging session Disables the sending of system logging messages to the current login
disable session.
write term Gets running configuration.
Content Networking—Content Service Switch Commands

The Content Service Switch commands are:
Command Description
no terminal more Disables support for more functions with the terminal.
show running-config Gets all components of the running configuration.
show startup-config Gets the CSS startup configuration (startup-config).
Content Networking—Content Engine Commands

The Content Engine commands are:
Command Description
terminal length 0 Sets the number of lines on the current terminal screen for the current
session
show run Gets running configuration.
show config Gets startup configuration.
Cisco Interfaces and Modules—Network Analysis Modules

The Network Analysis Modules commands are:
Command Description
terminal length 0 Sets the number of lines on the current terminal screen for the current
session
show autostart Displays autostart collections
show configuration Gets startup configuration.

OL-25947-01 8-35
Security and VPN—PIX Devices

The PIX devices commands are:
Command Description
terminal width 0 Sets the number of character columns on the terminal screen for the
current line for a session
show config Gets startup configuration.
show running Gets running configuration.
show curpriv View the current logged-in user.
no pager Removes paging control
Moving the Configuration Archive Directory

You can move the directory where the configuration of the devices can be archived on the LMS server.
The default Configuration Archive directory is:
On LMS Solaris/Soft Appliance server,
/var/adm/CSCOpx/files/rme/dcma
On LMS Windows server,
NMSROOT\files\rme\dcma
Where NMSROOT is the Cisco Prime installed directory.
The new archive directory location should have the permission for casuser:casusers in Solaris and
casuser should have Full Control in Windows. The new archive directory location should not be the root
of any drive (F:\) and must be a subdirectory (F:\LMSarchives).
Note View Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
The following is the workflow for moving the configuration archive location:
Step 1 Stop the ConfigMgmtServer process. To do this:

a. Select Admin > System > Server Monitoring > Processes.
The Process Management dialog box appears.
b. Select the ConfigMgmtServer process.
c. Click Stop.
Step 2 Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.
Step 3 Enter the new location in the Archive Location field, or click Browse to select a directory on your
system.

8-36 OL-25947-01
Step 4 Click Apply.

A message appears confirming the changes.
Step 5 Restart the ConfigMgmtServer process. To do this:
c. Click Start.
Enabling and Disabling the Shadow Directory

The configuration archive Shadow directory is an image of the most recent configurations gathered by
the configuration archive.
The Shadow directory contains subdirectories that represent each device class and the latest
configurations supported by the configuration archive.
Each file name is DeviceName.cfg, as defined in the Device and Credential Repository. Each time the
archive is updated, the Shadow directory is updated with the corresponding information.
The Shadow directory can be used as an alternative method to derive the latest configuration information
programmatically by using scripts or other means.
To access to the Shadow directory, you must be root or casuser on Solaris, or in the administrator group
for Windows.
You can find the Shadow directory in the following locations:
• On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
• On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which LMS
is installed (the default is C:\Program Files\CSCOpx).
You can enable or disable the use of Shadow directory by following this workflow:
Step 1 Stop the ConfigMgmtServer process. To do this:

c. Click Stop.
Step 2 Select Admin > Collection Settings > Config > Config Archive Settings.
The Archive Settings dialog box appears.
Step 3 Select the Enable Shadow Directory check box.

OL-25947-01 8-37
Step 4 Click Apply.

A message shows that the changes were made.
Step 5 Restart the ConfigMgmtServer process. To do this:
c. Click Start.
Configuring Exclude Commands

You can list the commands that have to be excluded while comparing configuration. To do this select
Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration.
You can enter multiple commands separated by commas.
LMS provides default exclude commands for some Device Categories.
For example, the default exclude commands for Router device category are,
end,exec-timeout,length,width,certificate,ntp clock-period
You can specify Exclude Commands at all these levels:
• Device Category (For example, Routers, Wireless, etc.)
• Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
• Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
While comparing configurations, if you have specified exclude commands in the Device Type, Device
Family and Device Category, these commands are excluded only at the Device Type level. The
commands in the Device Family and Device Category are not excluded.
Example 1:
If you have specified these commands at,
• Routers (Device Category) level
• Cisco 1000 Series Routers (Device Family) level
banner incoming,snmp-server location
• Cisco 1003 Router (Device Type) level
ip name-server,banner motd,snmp-server manager session-timeout
While comparing configurations, only the Cisco 1003 Router (Device Type) level commands are
excluded.

8-38 OL-25947-01
Example 2:
If you have specified these commands only at Device Family and Device Category,
• Routers (Device Category) level
• Cisco 1000 Series Routers (Device Family) level
banner incoming,snmp-server location
• Cisco 1003 Router (Device Type) level
No commands specified.
While comparing configurations, only the Cisco 1000 Series Routers (Device Family) level commands
are excluded.
If the commands are specified only at the Device Category level, these commands are applicable to all
devices under that category.
To configure Exclude Commands:
Step 1 Select Admin > Collection Settings > Config > Config Compare Exclude Commands Configuration.
The Configure Exclude Commands dialog box appears.
Step 2 Select one of these from the Device Type Selector pane:
• Device Category (For example, Routers, Wireless, etc.)
• Device Family (For example, Cisco 1000 Series Routers, Cisco 1400 Series Routers, etc.)
• Device Type (For example, Cisco 1003 Router, Cisco 1401 Router, etc.)
Step 3 Enter the command in the Exclude Commands pane to add new commands.
You can enter multiple commands separated by commas.
You can also edit or delete the existing commands in the Exclude Commands pane.
Step 4 Click Apply.
A message appears, The commands to be excluded are saved successfully.

OL-25947-01 8-39
Understanding Configuration Retrieval and Archival
Configuring Fetch Settings

You can configure the Job Result Wait Time per device for the Sync Archive Jobs. The default value is
120 seconds. The minimum value can be set to 60 seconds.
Job Result Wait Time is the maximum wait time that Archive Management waits to get the
configurations from the device during the sync-archive job execution.
To configure the Job Result Wait Time:
Step 1 Select Admin > Collection Settings > Config > Config Job Timeout Settings.
The Fetch Settings dialog box appears.
Step 2 Provide the Job Result wait time in seconds in the Maximum time to wait for Job results per device
(seconds) field.
Step 3 Click either of these:
• Click Apply, if you want to submit the Job Result Wait Time entered.
• Click Cancel if you want to cancel the changes made to the Job Result Wait Time.

LMS supports different ways to trigger the retrieval of configuration files from the device for archival
purposes.
• Schedule Periodic Configuration File Archival
• Schedule Periodic Configuration Polling
• Manual Updates (Sync Archive function)
• Using Version Summary
• Timestamps of Configuration Files
• How Running Configuration is Archived
• Change Audit Logging
Schedule Periodic Configuration File Archival

LMS will archive both the startup and running configuration files for all devices at the scheduled time
(6-hourly, 12-hourly, daily, weekly, monthly), as configured by the user.
Since this method collects the full running configuration and startup configuration files for the entire
network, we recommend that you schedule this to run at no more than once per day, especially if the
network is large and outside the LAN.
See Defining the Configuration Collection Settings for further details.

8-40 OL-25947-01
Schedule Periodic Configuration Polling

LMS can be configured to periodically poll configuration MIB variables on devices that support these
MIBs according to a specified schedule, to determine if either the startup or running configuration file
has changed.
If it has, LMS will retrieve and archive the most current configuration file from the device.
Polling uses fewer resources than full scheduled collection, because configuration files are retrieved only
if the configuration MIB variable is set.
On IOS devices the variables ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged
from the CISCO-CONFIG-MAN-MIB MIB, and on CATOS the variable sysConfigChangeTime from
CISCO-STACK-MIB are used to detect the change.
Any change in the value of these variables causes the configuration file to be retrieved from the device.
SNMP change polling works only in case of IOS and CATOS devices which support these MIBs.
If these MIBs are not supported on the devices, then by default, configuration fetch will be initiated
without checking for the changes.
By default, the Periodic Collection and Polling are disabled.
See Defining the Configuration Collection Settings for scheduling the periodic polling.
Note The Syslog application triggers configuration fetch, if configuration change messages like
SYS-6-CFG_CHG, CPU_REDUN-6-RUNNING_CONFIG_CHG etc., are received.
Manual Updates (Sync Archive function)

This feature allows the LMS user to force the configuration archive to check specified devices for
changes to the running configuration file only. Use Sync Archive if you need it to synchronize quickly
with the running configuration.
You can also poll the device and compare the time of change currently on the device with the time of last
archival of the configuration to determine whether the configuration has changed on a device.
The Startup configuration is not retrieved during manual update archive operation. However, you can
retrieve the Startup configuration by enabling the Fetch startup Config option while scheduling Sync
Archive job. To use this function select Configuration > Configuration Archive > Synchronization.
Using Version Summary

You can trigger a configuration file retrieval by clicking on the Running or Startup configuration in the
Configuration Version Summary report (select Configuration > Configuration Archive > Views >
Version Summary).
After a configuration file is fetched from the device, as described above, LMS submits the configuration
file for archival.

OL-25947-01 8-41
Timestamps of Configuration Files

These are timestamps of a running configuration file, or the change time (in change audit), indicate the
time at which LMS system archived the configuration file.
This is not the time at which the configuration actually changed on the device. If changes are detected
immediately using Syslog messages, the timestamp should be very close to the actual configuration
change time on the device.
Startup configurations are handled differently by LMS. Startup configs are simply saved into the system,
as they are retrieved from the device (unlike running configurations, which are compared and saved in
versioned archives, if different).
The timestamps of Startup Configuration files are just the archival times, and do not indicate the change
time.
In the version summary reports, the Running and Startup are links, which when clicked will retrieve in
real time, the respective configuration from the device. This column does not have a timestamp
associated with it.
In the Out-Of-Sync report (select Configuration > Compliance > Out-of-Sync Summary), the Startup
configuration column indicates the last archived startup configuration along with its timestamp, and the
Running configuration column indicate the last archived running config along with its timestamp.
How Running Configuration is Archived

The workflow for archiving the Running configuration is:
1. If LMS detects an effective change, the new configuration is queued for Archival.
2. The archiver, calculates the exact effective changes, assigns a new version number for the newly
collected archive, and archives it in the system.
3. The archiver, at the end, logs a change audit record that the configuration of the device has changed,
along with other Audit information.
4. If you have enabled the Enable Shadow Directory option in the Archive Settings dialog box (select
Admin > Collection Settings > Config > Config Archive Settings) the latest running configuration
file is also stored in a raw format for manual TFTP purposes to restore the configuration on the
device, in the directory location:
– On Solaris/Soft Appliance, /var/adm/CSCOpx/files/rme/dcma/shadow
– On Windows, NMSROOT/files/rme/dcma/shadow. Where NMSROOT is the directory in which
LMS is installed (the default is C:\Program Files\CSCOpx)
Note Startup configurations are not ‘versioned’ and only one copy of the startup configuration of devices
(which supports startup configuration), is saved in the system. No change audit records are logged for
changes in the ‘Startup Configuration’ files.
LMS first compares the collected configuration file, with the latest configuration in the archive, and
checks to see if there are effective configurations changes from what was previously archived.

8-42 OL-25947-01
Defining the Configuration Collection Settings
Change Audit Logging

Config change audit records include information about, who changed (which user) the configuration,
when the configuration change was identified by LMS, and other change information.
• Any configuration change made through the LMS system (example, using Config Editor or
Netconfig), will have the user name of the user who scheduled the change job.
• Any configuration change that was done outside of LMS and detected through the configuration
retrieval process, has the same user name as reported by the device through the CONFIG-MAN-MIB
variable (ccmHistoryEventTerminalUser).
• Changes identified through syslog messages, contain the user name identified in the Syslog
message, if present.

The configuration archive can be updated with configuration changes in two ways:
• Periodic configuration archival (with and without configuration polling). To do this select Admin >
Network > Collection Settings > Config > Config Collection Settings.
• Manual configuration archival. To do this select using Configuration > Configuration Archive >
Synchronization.
You can modify how and when the configuration archive retrieves configurations by selecting one or all
of the following:
Periodic Polling
The configuration archive performs a SNMP query on the device. If there are no configuration changes
detected in the devices, no configuration is fetched.
Periodic Collection
The configuration is fetched without checking for any changes in the configuration.
By default, the Periodic Collection and Polling are disabled.
The following is the workflow for defining the configuration collection setting:
Step 1 Select Admin > Config > Config Collection Settings.

The Config Collection Settings dialog box appears.
Step 2 Select one or all of the following options:
Periodic Polling
a. Select Enable for Configuration archive to performs a SNMP query on the device to retrieve
configuration.
b. Click Schedule.
The Config Collection Schedule dialog box appears.

OL-25947-01 8-43
c. Enter the following information:
Field Description
Scheduling
Run Type You can specify when you want to run the configuration polling job.
To do this, select one of these options from the drop-down menu:
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
Date You can select the date and time (hours and minutes) to schedule.
Job Information
Job Description The system default job description, Default config polling job is displayed.
You cannot change this description.
E-mail Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
We recommend that you configure the E-mail ID in the View / Edit System Preferences dialog box
(Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the E-mail ID as the sender's address.
d. Click OK.
Periodic Collection
a. Select Enable for Configuration archive to perform a periodic check on the device to retrieve
configuration.
b. Click Schedule.
The Config Collection Schedule dialog box appears.

8-44 OL-25947-01
c. Enter the following information:
Field Description
Scheduling
Run Type You can specify when you want to run the configuration collection job.
completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
Job Information
Job Description The system default job description, Default config collection job is displayed.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
d. Click OK.
VLAN config Collection
a. Check the Disable VLAN config collection check box.
b. Click Apply.
The VLAN config collection will be disabled for both manual and system config collection jobs. By
default the Disable VLAN Config collection checkbox is unchecked.
Step 3 Either click Apply to accept the new values provided.
Or
Click Cancel if you want to discard the changes and revert to previously saved values.
If you had clicked Apply, a message appears:
New settings saved successfully.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.

OL-25947-01 8-45
Configuring Transport Protocols

You can set the protocol order for Configuration Management features such as Archive Management,
Config Editor, and NetConfig jobs to download configurations and to fetch configurations. For NetShow
and VLAN Fetch, you can set the protocol order to download configurations.
This setup allows you to use your preferred protocol order for fetching and downloading the
configuration.
The available protocols are:
• Telnet
• TFTP (Trivial File Transport Protocol)
• RCP (remote copy protocol)
• SSH (Secure Shell)
• SCP (Secure Copy Protocol)
• HTTPS (Hyper Text Transfer Protocol Secured)
This section also explains:
• Requirements to Use the Supported Protocols
• Defining the Protocol Order
Requirements to Use the Supported Protocols

If the following requirements are not met, an error message appears.
To use this
Protocols You must...
Telnet Know Telnet passwords for login and Enable modes for device. If device is configured for TACACS authen-
tication, enter Primary Username and Primary Password.
TFTP Know read and write community strings for device.
RCP Configure devices to support incoming rcp requests. To make sure the device is rcp-enabled, enter the
following commands in the device configuration:
# ip rcmd rcp-enable
# ip rcmd remote-host local_username {ip-address | host} remote_username [enable]
where ip_address | host is the IP address/hostname of the machine where LMS is installed. The default re-
mote_username and local_username are cwuser. For example, you can enter:
# ip rcmd remote-host cwuser 123.45.678.90 cwuser enable
Disable the DNS security check for rcp if your LMS server and devices are not registered with the DNS server.
To do this, use the command,
no ip rcmd domain-lookup for RCP to fetch the device configuration.

8-46 OL-25947-01
To use this
SSH Know the username and password for the device. If device is configured for TACACS authentication, enter the
Primary Username and Primary Password.
Know password for Enable modes.
When you select the SSH protocol for the LMS applications (Configuration Archive, NetConfig, ConfigEditor,
and NetShow) the underlying transport mechanism checks whether the device is running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2.
If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for the
device that is being accessed.
Some useful URLs on configuring SSHv2 are:
• Configuring Secure Shell on Routers and Switches Running Cisco IOS:
http://www.cisco.com/warp/public/707/ssh.shtml
• How to Configure SSH on Catalyst Switches Running Catalyst OS:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml
• Configuring the Secure Shell Daemon Protocol on CSS:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/c
onfiguration/security/guide/sshd.html
• Configuration Examples and TechNotes:
– http://www.cisco.com/en/US/tech/tk583/tk617/tech_configuration_examples
_list.html
– http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

OL-25947-01 8-47
To use this
SCP Know the SSH username and password for the device.
To make sure the device is scp-enabled, enter the following commands in the device configuration.
To configure local User name:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 password 0 system

To configure TACACS User name:
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
User on the TACACS Server should be configured with privilege level 15:
user = admin {
default service = permit
login = cleartext "system"
service = exec {
priv-lvl = 15
}
}
HTTPS Know the username and password for the device. Enter the Primary Username and Password in the Device and
Credential Repository.
To enable the configuration archive to gather the configurations using https protocol you must modify your
device configurations:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_installation_and_configura-
tion_guides_list.html
This is used for VPN 3000 device.
The configuration archive uses Telnet/SSH to gather the module configurations of Catalyst 5000 family
devices and vlan.dat file in case of Catalyst IOS switches. Make sure you enter the correct Telnet and
Enable passwords.

8-48 OL-25947-01
If you enabled TACACS for a device and configured custom TACACS login and passwords prompts, you
may experience Telnet problems, since LMS may not recognize the prompts. To make your prompts
recognizable, you must edit the TacacsPrompts.ini file. See the procedure given in the Handling Custom
Telnet Prompts.
For module configs, the passwords on the module must be same as the password on the supervisor.
This section also explains Supported Protocols for Configuration Management Applications.
Supported Protocols for Configuration Management Applications

For supported protocol at individual device-level, you can either see:
• The LMS device packages Online help. You can launch the LMS device packages Online help using
Help > Device Packages.
or
• The Supported Protocols for Configuration Management table on Cisco.com:
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Defining the Protocol Order

The following is the workflow for defining the protocol order for Configuration Management
applications to perform either Config fetch or Config update:
Step 1 Select Admin > Collection Settings > Config > Config Transport Settings.
The Config Transport Settings dialog box appears.
Step 2 Go to the first drop-down list box, select the application for which you want to define the protocol order.
Step 3 Select a protocol from the Available Protocols pane and click Add.
If you want to remove a protocol, select the protocol and click Remove.
The list of protocols that you have selected appears in the Selected Protocol Order pane. The order of
protocols in the Selected Protocol Order pane can be changed using the Up and Down Buttons.
When a configuration fetch or update operation fails, an error message appears. This message displays
details about the supported protocol for the particular device and it modules, if there are any.
For the list of supported protocols, see Supported Device Table for Configuration Management
application on Cisco.com.
Step 4 Click Apply.
A message appears, New settings saved successfully.
Step 5 Click OK.

OL-25947-01 8-49
Overview: Common Syslog Collector
Overview: Common Syslog Collector

Common Syslog Collector (CSC) is a service to receive, filter and forward syslogs to one or more Syslog
Servers, thus reducing traffic on the network as well as processing load on the server.
The Common Syslog Collector can be installed on the LMS Server, or on a remote UNIX or Windows
machine, to process Syslog messages. You can uninstall the Syslog Collector later if you no longer want
to run it on a remote UNIX or Windows server.
Common Syslog Collector is a service that runs independently, listens for syslogs and forwards them to
the registered applications after necessary filtering. This way, the parsing/filtering is taken away from
the applications and each device sends only one copy of the processed, valid syslogs to the Common
Syslog Collector. Although CSC runs independently, it can run either remotely or locally on the machine
where an application is running.
The LMS server and the Syslog Collector exchange updates such as status, and filters.
You can configure the service to read syslogs from a specified file. This can be provided in a properties
file located at:
NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/
Collector.properties
On Windows:
NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\
Collector.properties
See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the complete details.
In a scenario where the devices and the CSC may run in two different time zones, the syslogs will be
marked with timestamp of the CSC if they do not have a timestamp when they are received, or if the
format is not correct.
The device considers day-light-saving settings appropriately while putting the timestamps. CSC
supports all the time zones that LMS supports, and alternatively you can provide the time zone
information. See the Installing and Migrating to Cisco Prime LAN Management Solution 4.2, for the
complete details.
After the Syslog Analyzer has been registered with the Collector, it:
• Receives the filters it needs from the LMS server to filter Syslog messages.
• Sends status to the Syslog Analyzer process about the collected Syslog messages upon request from
the Analyzer, including the number of messages read, number of messages filtered, and number of
messages with bad syntax. It also forwards unfiltered messages to the Syslog Analyzer process.
If the Syslog Analyzer does not send any filters, then the Collector sends all the syslogs to the
Analyzer without filtering.
If you restart the LMS server, Syslog Collector will lose communication to the LMS server. Based on
the current filters, it continues to filter the syslogs and stores them in a local file:
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\server
name_port\DowntimeSyslogs.log
The Syslog Analyzer will automatically restore the connection after LMS server restart.
For the complete instructions on installing the Common Syslog Collector, see the Installing and
Migrating to Cisco Prime LAN Management Solution 4.2.

8-50 OL-25947-01
Viewing Status and Subscribing to a Common Syslog Collector
Viewing Status and Subscribing to a Common Syslog

Collector
Using the Syslog Collector Status dialog box you can:
• View the status of your Common Syslog Collector (see Viewing Common Syslog Collector Status)
• Subscribe/Unsubscribe a Common Syslog Collector (see Subscribing to a Common Syslog
Collector)
• Test Syslog Collector Subscription (see Testing Syslog Collector Subscription)
• Understanding the Syslog Collector Properties File
Note View the Permission Report (Reports > System > Users > Permission) to check if you have the required
Viewing Common Syslog Collector Status

To view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed to,
follow this procedure:
Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears, with this information:
Column Description
Name Hostname or the IP address of the host on which the Collector is installed.
Forwarded Number of forwarded Syslog messages
Invalid Number of invalid Syslog messages.
Filtered Number of filtered messages. Filters are defined with the option Message Filters option (Admin > Network >
Notification and Action Settings > Syslog Message Filters, see Defining Syslog Message Filters.)
Dropped Number of Syslog messages dropped.
Received Number of Syslog messages received.
Up Time Time duration for which the Syslog Collector has been up.
Update Time Date and time of the last update.
Time and time zone are those of the LMS Server.
Test Click to test a Syslog collector that’s already subscribed or that’s going to be subscribed.
Collector
Subscription
Subscribe Click to subscribe a Syslog collector.
Unsubscribe Select the Syslog collector and click Unsubscribe to unsubscribe the Syslog collector.
If you want to refresh the information in this dialog box, click Update.

OL-25947-01 8-51
If you have restarted the LMS daemon manager, the Syslog Collector Status processes (under Admin >
Network > Syslog Collection Settings) may take 6-10 minutes to come up, after the Syslog Analyze
processes come up. In this interval you may see the following message:
Collector Status is currently not available.
Check if the SyslogAnalyzer process is running normally.
Wait for the Syslog Collector status process to come up and try again.
To subscribe to a Common Syslog Collector using the Subscribe button, see Subscribing to a Common
Syslog Collector.
Subscribing to a Common Syslog Collector

Before you subscribe to a Common Syslog Collector, ensure these pre-requisites are met:
Check whether:
1. The Self-signed Certificates are valid. For example, check for the expiry date of the certificates on
both the servers.
2. The Self-signed Certificates from this server are copied to the Syslog Collector server and
vice-versa.
To do this, select Admin > Trust Management > Multi Server > Peer Server Certificate Setup.
See Setting up Peer Server Certificate for more information.
3. The SyslogCollector process on Syslog Collector server and SyslogAnalyzer process on this server,
are restarted after Step 2.
4. Both hosts are reachable by host name.
To subscribe to a Common Syslog Collector:
Step 1 Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
The Collector Status dialog box appears. For the information in the columns in the dialog box, see
Viewing Common Syslog Collector Status:
Step 2 Click Subscribe.

The following message appears:
Check if:
Self-signed Certificates from this server are copied to the Syslog Collector server and
vice-versa. You can perform this operation from Admin > System Administration >
Multiserver Management > Peer Server Certificate Setup screen.
2. Syslog Collector process on SyslogCollector server and SyslogAnalyzer process on this
server is restarted after step 1.
3. Both hosts are reachable by host name.
4. Certificates are valid.
The Subscribe Collector dialog box appears.
Step 3 Click OK. Enter the address of the Common Syslog Collector to which you want to subscribe to.
Step 4 Click OK.
The Syslog Analyzer server is subscribed to the specified Common Syslog Collector.

8-52 OL-25947-01
If you are already subscribed to a Syslog collector, and you want to unsubscribe, select the collector and
click the Unsubscribe button.
If you want to test the Syslog collector subscription, select the collector and click Test Collector
Subscription. For more information see Testing Syslog Collector Subscription.
Testing Syslog Collector Subscription

You can test the status of the Syslog Collector that you have already subscribed or that you are going to
subscribe using the Test Collector Subscription button.
To test a Syslog collector:
Step 1 Select Admin > Collection Settings > Syslog > Syslog Collection Settings.
Step 2 The Collector Status dialog box appears. For the information on the dialog box, see Viewing Common
Syslog Collector Status.
Step 3 Either:
• Select a Syslog collector and click Test Collector Subscription.
• Test Collector Subscription popup window appears with the Syslog collector address.
Or
• Click Test Collector Subscription.
• Enter the Syslog collector in the Test Collector Subscription popup window.
Step 4 Click OK.
The Test Collector Subscription Status popup window appears, displaying the following status of the
Syslog collector:
• SSL certificate status—Status of the SSL Certificates. For example, SSL certificates are valid and
are properly imported. For more information see Syslog Collector Subscription Messages.
• Collector status—Status of the Syslog collector. For example, Collector is up and reachable. For
more information see Syslog Collector Subscription Messages.

OL-25947-01 8-53
Syslog Collector Subscription Messages

The following table provides the Syslog collector subscription status messages shown when you test the
subscription of a Syslog Collector:
Subscription
Status Problem/Info Message
SSL Certification When there is an SSL certificate issue occurred, check if:
issue with SSL 1. The Self-signed Certificates are valid. For
Certificate example, Check the certificate expiry date on the
servers.
2. The Self-signed Certificates of this server are
copied to the Syslog Collector server and
vice-versa.
To do this, go to Admin > System Administration >
Multiserver Management > Peer Server Certificate
Setup and add the certificate. See the
Administration User Guide for LMS for more
details.
3. The SyslogCollector process on Syslog Collector
server and the SyslogAnalyzer process in the
current working server are restarted after Step
2.
4. Both hosts are reachable by hostname.
When the SSL SSL certificates are valid and properly imported.
certificates are
valid
Collector When the Unknown host address. Check if the host is DNS
hostname is not resolvable.
DNS resolvable
If the SyslogCollector process is down. Check if the
SyslogCollector SyslogCollector process is running on the port
<<port number>>.
process is down
If the Syslog Cannot check SSL connectivity because the Syslog
Collector is down Collector is down.
If the Syslog Syslog Collector <<collector name> is up and
Collector is reachable.
reachable

8-54 OL-25947-01
Understanding the Syslog Collector Properties File

After installing the Syslog Collector on a remote system, you need to check the Syslog Collector
Properties file to ensure that the Collector is configured properly.
The Syslog Collector Properties file is available at this location:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/csc/data/Collector.pr
operties
On Windows:
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.
properties
The following table describes the Syslog Collector Properties file:
Timezone-Related Properties Description

TIMEZONE The timezone of the system where the Syslog Collector is running. Enter
the correct abbreviation for the timezone. For example, the time zone for
India is IST.
For the correct Timezone abbreviation, see the Timezone file in the
following location:
On Solaris/Soft Appliance,
/opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/n
m/LMSng/fcss/data/TimeZone.lst
On Windows,
%NMSROOT%\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\
nm\LMSng\fcss\data\TimeZone.lst
See Timezone List Used By Syslog Collector.
COUNTRY_CODE Country code for the Syslog Collector.
We recommend that you set the country code variable with the appropriate
country code, to make sure that the Syslog timestamp conversion works
correctly.
For example, if you are in Singapore, you must set the country code
variable as COUNTRY=SGP.

OL-25947-01 8-55

TIMEZONE_FILE The path of the Timezone file. This file contains the offsets for the time
zones.
After installing the Syslog Collector, ensure that the offset specified in this
file is as expected. If it is not present or is incorrect, you can add the
Timezone offset as per the convention.
The default path is:
opt/CSCOpx/MDC/tomcat/webapps/rme/WEB-INF/classes/com/
cisco/nm/rmeng/fcss/data/TimeZone.lst
On Windows,
nm\rmeng\fcss\data\TimeZone.lst
General Properties
SYSLOG_FILES Filename and location of the file from which syslog messages are read.
The default location is:
/var/log/syslog_info
On Windows:
%NMSROOT%\log\syslog.log
DEBUG_CATEGORY_NAME Name Syslog Collector uses for printed ERROR or DEBUG messages.
The default category name is SyslogCollector.
We recommend that you do not change the default value.
DEBUG_FILE Filename and location of the Syslog Collector log file containing debug
information:
The default location is:
/var/adm/CSCOpx/log/CollectorDebug.log
On Windows,
%NMSROOT%\log\CollectorDebug.log
DEBUG_LEVEL Debug levels in which you run the Syslog Collector.
We recommend that you retain the default INFO, which reports
informational messages. Setting it to any other value might result in a
large number of debug messages being reported.
If you change the debug level, you must restart the Syslog Collector.
The values for the Debug levels are:
• Warning
• Debug
• Error
• Info

8-56 OL-25947-01

DEBUG_MAX_FILE_SIZE Maximum size of the log file containing the debug information.
The default is set to 5 MB.
If the file size exceeds the limit that you have set, Syslog Collector writes
to another file, based on the number of backup files that you have specified
for the DEBUG_MAX_BACKUPS property.
For example, if you have specified the number of backups as 2, besides the
current log file, there will be two backup files, each 5MB in size. When
the current file exceeds the 5 MB limit, Syslog Collector overwrites the
oldest of the two backup files.
DEBUG_MAX_BACKUPS The number of backup files that you require. The size of these will be the
value that you have specified for the DEBUG_MAX_FILE_SIZE
property.
Miscellaneous Properties
READ_INTERVAL_IN_SECS Interval at which the Collector polls the syslog file.
The default is set to 1 second.
QUEUE_CAPACITY Size of the internal buffer, for queuing syslog messages.
The default is set to 100000
PARSER_FILE File that contains the list of parsers used while parsing syslog messages.
The default path of the parser file:
cisco/nm/LMSng/fcss/data/FormatParsers.lst
On Windows,
nm\rmeng\fcss\data\FormatParsers.lst
SUBSCRIPTION_DATA_FILE Syslog Collector data file that contains the information about the Syslog
Analyzers that are subscribed to the Collector.
The default path of the data file:
cisco/nm/rmeng/csc/data/Subscribers.dat
On Windows,
nm\rmeng\csc\data\Subscribers.dat
FILTER_THREADS Number of threads that operate at a time for filtering syslog messages. The
default is set to 1.
COLLECTOR_PORT Default port of the Syslog Collector. The default is set to 4444.
The port where the collector listens for registration requests from Syslog
Analyzers.

OL-25947-01 8-57
Timezone List Used By Syslog Collector

The timezone of the system where the Syslog Collector is running. In the Syslog Collector Properties
file, you must enter the correct abbreviation for the timezone. See Understanding the Syslog Collector
Properties File.
For the correct Timezone abbreviation, see the Timezone file in the following location:
$NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/fcss/data/TimeZone.l
st
Each entry in the TimeZone.lst file represents a timezone abbreviation, and its offset from GMT. Each
offset here is 10 multiplied by the actual offset. For example, the actual offset for IST is 5.5 hours, and
the corresponding entry here is 55.
You must use the same method while modifying it.
The following is the timezone list used by Syslog Collector:
Time Zone List Used by Syslog Collector

ACT=95 ADT=30 AET=100 AEST=100 AGT=-30
AHST=-100 ART=20 AST=-90 AT=-20 BET=-30
BST=10 BT=30 CAT=10 CCT=80 CDT=-50
CEST=20 CET=10 CNT=-35 CST=-60 CTT=80
EADT=-110 EAST=100 EAT=30 ECT=10 EDT=-40
EET=20 EST=-50 FST=-20 FWT=10 GMT=0
GST=100 HDT=90 HST=-100 IDLE=120 IDLW=-120
IET=-50 IST=55 JST=90 MDT=-60 MEST=-20
MESZ=-20 MET=10 MEWT=10 MIT=-110 MST=-70
MYT=80 NET=40 NST=120 NT=-110 NZDT=130
NZST=120 NZT=120 PDT=-70 PLT=50 PNT=-70
PRT=-40 PST=-80 SST=110 SWT=10 UTC=0
VST=70 WADT=-80 WAST=70 WAT=-10 YDT=-80
YST=-90 ZP4=40 ZP5=50 ZP6=50

8-58 OL-25947-01
CHAPTER 9
Monitoring and Troubleshooting Settings
Monitoring and Troubleshooting Settings in the Admin menu groups all the administrative tasks that you
need to perform to monitor and troubleshoot your network using LMS.
• Configuring Fault Poller Settings For Topology
• Loading MIB Files
• Configuring RMON
• Configuring Topology Settings
Configuring Fault Poller Settings For Topology

To display Fault Poller information in Topology Maps and N-Hop view portlet, you have to enable
polling as follows:
Step 1 Select Admin > Network > Monitor / Troubleshoot > Fault Poller settings for topology.
The Fault Monitor Poller Settings page appears.
Step 2 Select the Poll Fault Monitor Server for alerts check box.
If you try to apply the settings when Fault Monitor module is not installed on a local or remote server,
you will get an error message indicating the same.
If Fault Monitor module is enabled, the list of LMS servers detected is displayed above this check box.

OL-25947-01 9-1
Chapter 9 Monitoring and Troubleshooting Settings
Loading MIB Files
You can enable this option, only if:

– Fault Monitor module is installed in the local LMS Server or on a remote LMS Server in the
master slave mode.
AND
– LMS has detected the Fault Monitor server.
If Fault Monitor module is installed after running Data Collection, either run Data Collection or restart
ANI Server before enabling the above setting.
Step 3 Set the time interval at which the polling should occur.
Fault Monitor updates the latest event information every 6 minutes. So the time interval can be a value
between six minutes and fifty nine minutes, fifty nine seconds.
Step 4 Click Apply. The settings are saved to the server and polling starts within six minutes of the
configuration.
In addition to this, you can restrict the type of LMS event displayed in your machine. For example you
can choose to display only critical events in Topology maps.
The event information fetched from Fault Monitorserver can be launched from Topology Maps and
N-Hop view portlet, by right clicking on the required device.
Loading MIB Files

You can load a new MIB file into LMS using the Load MIB option. The new MIB file is compiled and
stored in LMS. You can use the new MIB file to create new templates by grouping MIB variables, to do
this select Monitor > Performance Settings > Setup > Templates. For more information, see Creating
a Template in Monitoring and Troubleshooting Online Help.
You can load MIB files with the file extension .my.
To load a MIB file:
Step 1 Select Admin > Network > Monitor / Troubleshoot > Load MIB.
The Load MIB dialog box appears.
Table 9-1 describes the field in the Load MIB dialog box.
Table 9-1 Load MIB Fields
Field Description
MIB file Use the Browse button to load a MIB file from a directory location.
For example, RFC1213-MIB.my
You are allowed to load a MIB file only from the following directory path:
• In Windows, $NMSROOT\hum\mibmanager\mibcompiler\mibs
• In Solaris/Soft Appliance, $NMSROOT/hum/mibmanager/mibcompil-
er/mibs
$NMSROOT is the default Cisco Prime LMS installation directory.

9-2 OL-25947-01
Loading MIB Files
Step 2 Click Browse to select the MIB file from a directory location.
The Server Side File Browser dialog box appears.
Step 3 Double-click the MIB file from the directory location.
Step 4 Click Apply to load the MIB file into LMS or Cancel to cancel the operation.
You will be able to load and compile a new MIB file into LMS only when its dependent MIB files are
available in the directory location.
For example,
To load and compile RFC1213-MIB, the dependent MIB files for RFC1213-MIB (RFC1155-SMI and
RFC-1212) must also be available at the same directory location. If the dependent MIB files are not
available, an appropriate error message is displayed and RFC1213-MIB does not compile.
The dependent MIB files are case sensitive, the names of these dependent MIB files should be the same
as the MIB files names present in the definition files. Load only version2 MIB.
The following is the list of basic dependent MIBs that will be required for loading other MIBs in LMS:
• RMON2-MIB.my
• BRIDGE-MIB.my
• RFC-1215.my
• INET-ADDRESS-MIB.my
• P-BRIDGE-MIB.my
• Q-BRIDGE-MIB.my
• CISCO-NETFLOW-MIB.my
• CISCO-STACK-MIB.my
• TOKEN-RING-RMON-MIB.my
• RFC-1212.my
• RMOM-MIB.my
• RFC1155-SMI.my
• RFC1213-MIB.my
• SNMP-FRAMEWORK-MIB.my
• CISCO-SMI.my
• ENTITY-MIB.my
• FDDI-SMT73-MIB.my
• CISCO-VTP-MIB.my
• SNMPv2-TC.my
• SNMPv2-SMI.my
• SNMPv2-MIB.my
• SNMPv2-CONF.my
• IF-MIB.my
• IANAifType-MIB.my
• EXPRESSION-MIB
• CISCO-CLASS-BASED-QOS-MIB

OL-25947-01 9-3
Loading MIB Files
• CISCO-VOICE-DIAL-CONTROL-MIB
• CISCO-IPSEC-MIB
• HOST-RESOURCES-MIB
• CISCO-POP-MGMT-MIB
• RMON-MIB
• CISCO-PORT-QOS-MIB
• DIAL-CONTROL-MIB
• CISCO-DIAL-CONTROL-MIB
• CISCO-VOICE-COMMON-DIAL-CONTROL-MIB
• CISCO-VOICE-DNIS-MIB
• PerfHist-TC-MIB
• CISCO-QOS-PIB-MIB
• INT-SERV-MIB
• CISCO-ENERGYWISE-MIB
• CISCO-FRAME-RELAY-MIB
• CISCO-POWER-ETHERNET-EXT-MIB
• CISCO-TC
• CISCO-VTP-MIB
• DS1-MIB
• RFC1271-MIB
To view the list of more dependent MIBs go to:
http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2 The compiled MIB file
appears in the Show MIB drop-down list in Select MIB Variables page.

9-4 OL-25947-01
Configuring RMON
Configuring RMON
You can enable RMON to measure Bandwidth Utilization for Topology.
Bandwidth Utilization is the measure of traffic flowing across a link. LMS highlights bandwidth
utilization across links, in the Topology maps. It computes the bandwidth utilization by taking the best
estimate of the mean physical layer network utilization on the links, during the sampling time interval.
In Topology Map, LMS can differentiate the links using colors, based on the bandwidth utilized by them.
You can customize the filters to display bandwidth utilization.
For more details, see Customizing Bandwidth Utilization Filters in Monitoring and Troubleshooting
Online Help.
• Modifying the Parameters
• Enabling RMON on All Ports in Selected Devices
• Enabling RMON on Selected Ports in Selected Devices
• Disabling RMON
Note LMS computes bandwidth utilization only on ethernet links, and not on any other type of link.
To compute bandwidth utilization in Campus Manager , you must enable Remote Monitoring (RMON).
Enabling RMON depends on two parameters.
Parameters to Compute Bandwidth Utilization

Enabling RMON depends on the following parameters:
• Bucket Size—Number of samples (incoming and outgoing packets) that will be examined for a
given point of time.
• Interval—Duration for which samples are to be collected.
The default values for Bucket Size and Interval are 10 and 300 respectively. Though you cannot edit the
values through the user interface of Campus Manager , you can reconfigure these values through
command line interface. For more details see Modifying the Parameters.
Campus Manager computes bandwidth utilization only for those devices that have the same parametric
values as configured and displayed in the RMON Settings page. This application allows you to configure
only the same parametric values on all link ports. This is to avoid conflicts in computation.
Enabling RMON on Ports

LMS allows you to enable RMON on:
• All Ports in selected devices. For details, see Enabling RMON on All Ports in Selected Devices
• Selected Ports in selected devices, see Enabling RMON on Selected Ports in Selected Devices
Campus Manager highlights links in the Topology Map even if the devices are managed by other
applications such as HPOV, or CiscoView.

OL-25947-01 9-5
Configuring RMON
Modifying the Parameters

The default Bucket Size is 10 and the Interval is 300 seconds. Campus Manager does not compute
bandwidth utilization for the links whose ports have different Interval values.
You can configure new values for the parameters in the ANIServer.properties file. To reconfigure the
values, you must restart the ANI server so that the file takes the new value.
For computing bandwidth utilization, Campus Manager takes only the latest values in the
ANIServer.properties file. You must reconfigure the link ports according to the values set in the
properties file for Topology Map to highlight the links.
You must reconfigure the parametric values before you enable RMON on ports.
Note You must configure the same value for Interval across the devices.
To reconfigure the values:
Step 1 Enter pdterm ANIServer at the command line to stop the ANI server.
Step 2 Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 3 Modify the values of the properties, RMON.interval for Interval and RMON.bucketSize for the Bucket
Size.
The maximum value that you can enter for RMON.interval is 3600 seconds (One hour).
Step 4 Enter pdexec ANIServer at the command line to start the ANI server.
After modifying the bucket size and interval, enable RMON in devices as explained in Enabling RMON
on All Ports in Selected Devices or Enabling RMON on Selected Ports in Selected Devices.
You can use RMON.percentageTolerance property in the ANIServer.properties file to provide a value for
the Interval in a range. This is a hidden property that creates a range for the Interval value.
The property adds a value to the current interval that forms the upper limit and subtracts a value from
the current interval that forms the lower limit of the range. The default hidden value is 10 percent of the
interval.
For example, if the value provided in the ANIServer.properties file is 300, the range will be 270-330.
Thus, the samples are collected for the range of 270 to 330 seconds.
If you want to change this default value, you must:
Step 1 Stop the ANI server.

Step 2 Enter pdterm ANIServer at the command line to stop the ANI server.
Step 3 Go to NMSROOT/campus/etc/cwsi/ANIServer.properties.
Step 4 Enter RMON.percentageTolerance=value.
Step 5 Start the ANI server.
Step 6 Enter pdexec ANIServer at the command line to start the ANI server.

9-6 OL-25947-01
Configuring RMON
Enabling RMON on All Ports in Selected Devices

To enable RMON on all ports in selected devices:
Step 1 Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays a list of all devices.
Step 2 Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, LMS collects 10 samples of bandwidth utilization
across links over a period of 50 minutes, with an interval of 5 minutes (300 seconds).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 3 Check the Configure on all links check box to configure all the ports of the selected devices in the
Device Selector.
Step 4 Click Configure to enable RMON on all the ports in the selected devices.
The following command is configured on the selected ports:
rmon collection history integer owner ownername buckets bucket-number interval seconds
Example:
rmon collection history 4 owner campusmanager buckets 10 interval 300
Enabling RMON on Selected Ports in Selected Devices

To enable RMON on selected ports in selected devices:
Step 1 Select Admin > Network > Monitor / Troubleshoot > RMON Configuration.
The Enable RMON dialog box appears. The Device Selector pane displays the list of devices.
Step 2 Select the check box corresponding to the devices for which you want to enable RMON.
The RMON Settings area displays the default Bucket Size required as 10; and the Interval in seconds as
300.
For a Bucket Size of 10, and interval of 300 seconds, Campus Manager collects 10 samples of bandwidth
utilization across links over a period of 50 minutes, with an interval of 300 seconds (5 minutes).
To modify the Bucket Size and Interval, see Modifying the Parameters. If you modify the parameters,
repeat all the steps listed in this section, for enabling RMON with the new parameters.
Step 3 Uncheck the Configure on all Links check box since it is checked by default.
Step 4 Click Select links to select the ports for which you want to enable RMON.
It displays the list of ports in the selected devices. For details on the list displayed, see Table 9-2.
The Select Links check box is enabled only when you uncheck the Configure on all links check box.

OL-25947-01 9-7
Configuring Topology Settings
Table 9-2 Select Links for RMON Configuration Column Description
Column Description
Port Name of the port.
Device Name Name of the device where the port is connected.
Device Address The IP address of the device.
isLink True is displayed for link ports and False for a non-link port.
Step 5 Select check boxes corresponding to the ports for which you want to enable RMON.
Step 6 Click Configure to enable RMON on the selected ports.
The following command is configured on the selected ports:
rmon collection history integer owner ownername buckets bucket-number interval seconds
Example:
rmon collection history 4 owner campusmanager buckets 10 interval 300
Disabling RMON
After you have enabled RMON on a device through LMS, you can disable it using Command Line
Interface (CLI) only.
Commands to Disable RMON

For a device running Cisco IOS, enter the following command at the CLI prompt:
no rmon
For a device running Catalyst operating system, enter the following command at the CLI prompt
set snmp rmon disable

You can configure the following Topology Settings:
• Restrict Topology Maps to display only authorized devices.
For details, see Viewing Restricted Topology.
• Configure LMS to fetch event information from Fault Monitor, and display it in Topology Maps.
For details, see Configuring Fault Poller Settings For Topology.

9-8 OL-25947-01
Viewing Restricted Topology

Topology Maps display all the devices discovered by LMS.
To view the Restricted Topology:
Step 1 Select Admin > Network > Monitor / Troubleshoot > Restricted Topology View.
The configuration screen is displayed.
Step 2 Select Display Only the Authorized devices in Topology Maps.
Step 3 Click Apply.
Topology Maps display only the devices you are authorized to view. If Topology Services is already
launched, close it and relaunch for the change to take effect.
Important Notes
If you change the management IP address of an authorized device:
• It becomes an unauthorized device.
• The device is not shown in Topology maps in the consecutive relaunches.
• When the changed IP address is given as root in N-hop view portlet, it results in an error.

OL-25947-01 9-9

9-10 OL-25947-01
CHAPTER 10
Notification and Action Settings
The Notification and Action Settings groups all the administrative tasks involved in setting up
notification, syslog settings. You can also customize the names and event severity, create and activate a
notification subscriptions, and setup up automated actions for Change Audit tasks and syslogs.
• Understanding Notifications and Subscriptions
• Customizing LMS Events
• Configuring Event Sets and Notification Groups for Subscriptions
• Managing Fault SNMP Trap Notifications
• Managing Fault E-Mail Configurations
• Managing Fault Syslog Notifications
• Configuring Fault SNMP Trap Receiving and Forwarding
• Performance SNMP Trap Notification Groups
• Performance Syslog Notification Groups
• Defining Automated Actions
• Defining Syslog Message Filters
• Inventory and Config Collection Failure Notification
• IPSLA Syslog Configuration

OL-25947-01 10-1
Chapter 10 Notification and Action Settings
Understanding Notifications and Subscriptions

To use Notification Services, you must create and activate a notification subscription. The subscription
requires a Notification group component. This component specifies the notification criteria (the devices
to monitor, how severe an event must be to be reported, and so forth).
Optionally the notification group can also contain an Event set listing the events you want to monitor;
this is useful when you do not want to monitor all events that occur on a device. Notification groups can
be static or dynamic. The Fault Management module in LMS 4. 0 can be set up to have either static
notification groups or dynamic notification groups.
• If you work with static groups, no further devices can be added to those groups.
• If you set up dynamic groups, then any device that fits the criteria for the groups will be added to
those groups.
After you have configured your subscription, you can name it according to your needs. Regardless of
whether you configure SNMP Trap, E-Mail, or Syslog notifications, you must always create a
subscription containing a notification group. The final step in configuring your notification subscription
is specifying the notification recipients.
Note If a subscription is monitoring all events on a device (by not using an event set), and another subscription
is monitoring only specific events on a device, you will receive duplicate notifications.
Notification Services tracks events on device types, not on device components.

For details on Notifications and Subscriptions, see the following topics:
• Creating a Notification Subscription
• Notification Types
• Notification Replay
• Subscriptions
• Events
Creating a Notification Subscription

To create a notification subscription, perform the following steps:
1. If you want to monitor a specific set of events, create an event set that contains the events you want
to monitor. Otherwise, all events will be monitored.
2. Create a notification group that specifies the criteria the Fault Management module should use when
generating notifications:
• One or more event sets (if no event set is specified, all events are monitored)
• Devices, event severity and status
You can specify the notification group name, along with entering identifying information (using the
Customer ID and Customer Revision fields).

10-2 OL-25947-01
3. Create a subscription by doing the following:

a. Select the notification type (SNMP Trap, E-Mail, or Syslog).
b. Name the subscription and apply a notification group to it.
c. Specify the recipients (hostname, e-mail address).
d. Save the subscription. It will automatically start running.
4. Customize the subject of the e-mail by doing the following:
a. Select the subject from the available list
b. Add to the selected list
c. Arrange the order of the subjects
d. Save the customization of the e-mail subject
Notification Types
The Fault Management module in LMS 4.2 provides three types of notifications:
• SNMP Trap Notification—Fault Management module generates traps with information about the
events that caused it. CISCO-EPM-NOTIFICATION-MIB defines the trap message format. For
more information, see Notification MIB in Monitoring and Troubleshooting Online Help. LMS can
also generate SNMP trap notifications for specified events.
Using SNMP trap notification is different from forwarding raw traps to another server before they
have been processed by LMS.
• E-mail Notification—LMS generates e-mail messages containing information about the events that
caused it. CISCO-EPM-NOTIFICATION-MIB defines the message, which is included in the e-mail
in text format. You can specify that you want the e-mail to only contain an informational subject line
or can customize the e-mail subject. For information on the customizing the e-mail subject, see
Managing Fault E-Mail Subject Customization.
• Syslog Notification—LMS generates Syslog messages that can be forwarded to Syslog daemons on
remote systems.
All notifications have a default maximum message size of 250 characters. You can reset this variable to
any value between 250 and 1024 characters by editing the notification properties file.
To do this:
Procedure
Step 1 Open the configuration file NMSROOT/objects/nos/config/nos.properties.

Step 2 Locate the following lines and change the value to any value up to 1024 characters:
MAX_TRAP_DES=250
MAX_EMAIL_DES=250
MAX_SYSLOG_DES=250

OL-25947-01 10-3
Step 3 Stop and restart the Cisco Prime daemon manager on the LMS server.
a. Stop the daemon manager:
On Windows:
net stop crmdmgmt
b. Restart the daemon manager:

On Windows:
net start crmdmgmt
Notification Replay
You can configure LMS to replay notifications in the event that LMS has to be restarted. Edit the file
/opt/CSCOpx/objects/nos/config/nos.properties as follows:
To do this, set the value SEND_NOTIF_ON_START=1 to enable this feature. When the value is set to
the default value (0), the notifications will not be replayed.
Subscriptions
LMS sends notifications based on user-defined subscriptions. You can create up to 32 notification
subscriptions. A subscription for SNMP trap notification or e-mail notification includes the following
common elements, as determined by the CISCO-EPM-NOTIFICATION-MIB:
• Devices—The devices or device groups of importance to the recipients.
• Event severity and status—One or more event severity levels and status. You can also customize the
names of the events used by Notification Services, and Fault History. See Customizing LMS Events.
• Recipients—One or more hosts to receive SNMP traps or users to receive e-mail. For Syslog
notifications, the recipient would be the remote host containing a Syslog daemon configured to
listen for Syslog messages.
• Name—A user-defined name to identify the subscription.
Subscriptions are based on user-configured event sets and notification groups. See Configuring Event
Sets and Notification Groups for Subscriptions for more information.
Events
LMS sends notifications whenever an event occurs that matches a subscription. For each event, LMS
compares the device, severity, and state against subscriptions and sends a notification when there is a
match. Matches can be determined by user-configured event sets and notification groups.
The procedure for configuring notification groups is described in Configuring Event Sets and
Notification Groups for Subscriptions.

10-4 OL-25947-01
Customizing LMS Events
LMS assigns one severity to each event and changes the state of an event over time, responding to user
input and changes on the device. Table 10-1 lists values for severity and explains how the state of an
event changes over time.
Note You can change event names to names that are more meaningful to you. See Customizing LMS Events.
Table 10-1 Event Severity and Status
LMS categorizes events by severity and status…

Severity Critical
Informational
Status • Active—The event is live.
• ACK—A user has manually acknowledged the event. A user can
acknowledge only active events.
• Cleared—The event is no longer active.
• Events that have been cleared either expire or, if associated with a suspended
device, remain in LMS until a user resumes or deletes the device.
Customizing LMS Events

Notification Services allows you to customize the names and event severity in LMS.
• Customizing Names: When you customize an event name, that name is reflected in all notifications,
and in Fault History. The new event name is used for all instances of an event, regardless of the
component on which the event occurs. You can easily revert to the default event names as needed.
The Notification Customization page also lists the new name and default name, so you can easily
check which names have been changed.
• Customizing Event Severity: The event severity can be customized using the New Event Severity
feature. You can select Critical or Warning or Informational from the drop-down list.
To customize names and event severity:
Step 1 Select Admin > Network > Notification and Action Settings > Fault Notification Customization.
The Notification Customization page appears.
Step 2 Select the event names you want to customize by clicking the check box beside each event name.
Step 3 Enter your new names in the New Event Description fields.
Step 4 Select the event severity from the New Event Severity drop-down list.
You can select Critical or Informational.
Step 5 Enter any notes for information in the Troubleshooting Information field.
Step 6 Click Save to save your changes locally.
Step 7 Click Apply for the saved settings to take effect.
The confirmation window appears.

OL-25947-01 10-5
Configuring Event Sets and Notification Groups for Subscriptions
Step 8 Click Yes.

The changes are applied to LMS.
To revert to default event names:
a. From the Notification Customization page, select the events you want to restore to their default
names, and click Restore factory settings.
b. Apply your changes by clicking Yes when the confirmation window appears.
Configuring Event Sets and Notification Groups for

Subscriptions
Before you can create an SNMP trap or an e-mail or Syslog notification subscription, you must create a
notification group. Creating event sets is optional.
• Event sets list the events you want monitored for notifications
• Notification groups contain the criteria that LMS should use when generating a notification:
– One or more event sets, or all events
– Devices
– Event status and severity
– Fields for user-specified additional information you want to include with the subscription
Creating event sets and notification groups are described in the following topics:
• Configuring Event Sets
• Configuring Fault Notification Groups
Configuring Event Sets

Event sets are groups of the events you want to monitor. You can create up to nine event sets, labeled A
through I.
After you have created an event set, you can apply as many of them as you want to a notification group,
thereby tracking the specific events in which you are interested. If you do not specify an event set, LMS
will monitor all events for notifications.
Note If a subscription is monitoring all events on a device (by not using an event set), and another subscription

10-6 OL-25947-01
To configure event sets:
Step 1 Select Admin > Network > Notification and Action Settings > Event Sets:
The Event Sets page appears. The page contains the following information:
Field Description
Select/Unselect All for Event Set Select an Event Set from the drop-down list.
Event Code Notification Services code for the event. This number cannot be
changed and is used to map default names to customized names.
Description Event description (user-defined or default).
Severity Event severity.
A-I Event set label. If an X appears in this column, the corresponding
event belongs to that event set.
Step 2 For each event set you want to configure, select events by doing either of the following:
• Select specific events by clicking the editable field under the label, and selecting X.
• Select or deselect all events for an event set using the Select or the Deselect button.
Step 3 Click Apply.
If you want to create a notification subscription, first create a notification group that uses your event set.
See Configuring Fault Notification Groups.
Configuring Fault Notification Groups

When you set up a subscription, LMS lets you choose from existing notification groups. You can then
configure an SNMP trap or an e-mail or Syslog notification to use a specific notification group. The
notification groups contains the following information:
• One or more event sets, if desired (otherwise, the notification group will contain all events)
• Devices
• Event status and severity
• Fields for user-specified additional information you want to include with the subscription
• Whether the group is static or dynamic
You can configure a maximum of 64 notification groups.
Notification Services will not refilter the devices if there is a change in the device list you may access.
This section contains: Setting Up a Fault Notification Group as Static or Dynamic
Note You cannot delete a notification group that is being used by a running subscription.

OL-25947-01 10-7
To configure Fault Notification groups:
Step 1 Select Admin > Network > Notification and Action Settings > Fault Notification Group.
Step 2 Click Add to create a notification group.
The Notification Group Save: Add page appears. (If you want to edit or delete a notification group, click
the appropriate button and follow the instructions.)
Step 3 Specify the devices, event sets (if desired), and event severity and status. Click Next.
If a subscription is monitoring all events on a device (by not using an event set), and another subscription
With many devices in LMS, it can sometimes be difficult to locate the devices you are interested in. To
assist you in locating devices, use the search option in the mega menu.
Step 4 Specify the notification group name, and enter any desired identifying information in the Customer ID
and Customer Revision fields.
• For e-mail and Syslog notifications, if you leave these fields blank, they are left blank in the
notification.
• For SNMP trap notifications, if you leave these fields blank, they are displayed as followed in any
notifications:
Customer ID: -
Customer Revision: *
Step 5 Click Next.

Step 6 Create the notification group by clicking Finish.
Step 7 To create a notification subscription, follow the instructions in one of these topics:
• Adding an SNMP Trap Notification Subscription
• Adding and Editing an E-Mail Notification Subscription
• Adding a Syslog Notification Subscription
Setting Up a Fault Notification Group as Static or Dynamic

Fault Notification groups in LMS can be static or dynamic. If you set up LMS to include static groups,
mappings between the list of the devices and the notification events for those devices are generated. You
cannot add devices to or delete devices from a static group.
If you set up LMS to have dynamic groups, then any device that fits the criteria for a group will be added
to that group. You can also delete devices from a dynamic group.
When a device is added to a group, all similar devices are also added. For example, if you have ten
routers in the network and create a dynamic group that contains five of these routers, when you add an
eleventh router, that router is added to the group along with the other five routers. The group would then
contain all eleven routers.
Note Notification groups can be static or dynamic; you cannot have a mix of group types.

10-8 OL-25947-01
Managing Fault SNMP Trap Notifications
To set up LMS to include dynamic groups, edit the file /opt/CSCOpx/objects/nos/config/nos.properties

and set the following value:
DYNAMIC_NOTIF_GROUPS=1
For additional information, see the following topics:
• Customizing LMS Events
• Configuring Event Sets

The SNMP Trap Notifications page displays the following information:
• Subscription—The name of the user-defined request for notification.
• Status—The subscription status; can be either of the following:
– Running—LMS is using the subscription while monitoring events to determine when to send a
notification.
– Suspended—LMS will not use the subscription unless you resume it.
• Notification Group—The name of notification group that is applied to the subscription.
You are completely in control of subscriptions. LMS does not delete subscriptions under any
circumstances.
From the SNMP Trap Notifications page, you can perform the tasks listed in Table 10-2.
Table 10-2 SNMP Trap Notification Subscriptions
Task Sample Usage Reference

Add • Add a subscription that will send SNMP trap notification Adding an SNMP Trap
for one device with an event of any severity (critical or Notification Subscription
informational) and any status (active, acknowledged, or
cleared).
Edit • View the notification group and hosts that comprise the Editing an SNMP Trap
subscription. Notification Subscription
• Change the trap recipients/notification groups that
comprise the subscription.
Suspend • Temporarily stop sending SNMP trap notifications to a Suspending an SNMP
host. Trap Notification
Subscription
• Temporarily stop sending SNMP trap notifications about
a device group.
Resume • Start sending SNMP trap notifications to a host again. Resuming an SNMP Trap
Notification Subscription
• Start sending SNMP trap notifications about a device
group using a previously suspended subscription.
Delete • Remove SNMP trap notification subscriptions that are no Deleting an SNMP Trap
longer useful. Notification Subscription
• Remove redundant SNMP trap notification
subscriptions.

OL-25947-01 10-9
Adding an SNMP Trap Notification Subscription

After you add a subscription for SNMP trap notification, generated SNMP traps are forwarded to the
hosts you specify until you change, suspend, or delete the subscription.
Note Adding a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Before You Begin

You must create a notification group before you can create an SNMP trap notification subscription. Refer
to Configuring Fault Notification Groups.
To add an SNMP trap notification subscription:
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap notification.
The SNMP Trap Notification Subscriptions page appears.
Step 2 Click Add.
Step 3 Complete the Trap Subscription Save: Add window:
a. Enter a subscription name.
b. Select a notification group.
If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate
the Recipients from Upgrade check box. (This choice is only available for systems that have been
upgraded from earlier versions of LMS.)
c. Click Next.
Step 4 Enter one or more hosts as recipients for traps:
a. For each host, enter:
• An IP address or DNS name for the hostname.
Restart the NOSServer to pick up the change in the host name when host name is used for the
trap server and there is a change in that host name.
• A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 5.)
• A comment. (This is optional).
b. Click Next.
Step 5 Review the information that you entered and click Finish.
The SNMP Trap Notifications page is displayed, showing the new subscription.
Note No information is saved until you complete Step 5.

10-10 OL-25947-01
Editing an SNMP Trap Notification Subscription

You can edit an SNMP trap notification subscription regardless of its status (Running or Suspended).
After you edit an SNMP trap notification subscription, if the subscription status is Running, traps are
forwarded as specified until you edit, suspend, or delete the subscription. Editing a suspended
subscription automatically resumes it.
Note Editing a subscription is a multi-step process. Your changes are not saved until you click the Finish
button on the final page.
Step 2 Select the subscription you want to edit by clicking the radio button beside it.
Step 3 Click Edit.
No information is saved until you complete Step 5.
Step 4 Edit the Trap Subscription Save: Edit window:
a. Change the subscription name.
b. Select another notification group.
If you are upgrading LMS and want to use the trap recipients from an earlier configuration, activate
the Recipients from Upgrade check box. (This choice is only available for systems that have been
upgraded from earlier versions of LMS.)
c. Click Next.
Step 5 Add or delete a recipient host or change the port number for a host:
a. To add one or more recipients, for each host, enter:
• A port number on which the host can receive traps. If the port number is unspecified (empty),
the port defaults to 162. (You can verify this in Step 6.)
• A comment. This is optional.
b. To delete a recipient, delete the hostname, port number, and comment, if any.
c. Click Next.
Step 6 Review the information that you entered and click the Finish.
The SNMP Trap Notifications page is displayed.
Suspending an SNMP Trap Notification Subscription

After you suspend an SNMP trap notification subscription, LMS stops using the subscription to select
and forward traps. The subscription status changes to Suspended.
To do this:

OL-25947-01 10-11
Step 2 Select the subscription you want to suspend by clicking the radio button beside it.
Step 3 Click Suspend.
Step 4 Click OK in the confirmation dialog box.
The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Suspended.
Resuming an SNMP Trap Notification Subscription

You can resume an SNMP trap notification subscription only when the subscription status is Suspended.
After you resume a subscription, LMS starts using it to identify events for which to forward traps. The
subscription status changes to Running.
To do this:
Step 2 Select the subscription you want to resume by clicking the radio button beside it.
Step 3 Click Resume.
The SNMP Trap Notification Subscriptions page is displayed. The subscription status is Running.
Deleting an SNMP Trap Notification Subscription

You can delete an SNMP trap notification subscription regardless of the subscription status. Deleting a
subscription removes it permanently from LMS.
Note You can also suspend a subscription. Suspending a subscription causes the subscription to not be used
until a user resumes it.
To delete an SNMP trap notification subscription:
Step 2 Select the subscription you want to delete by clicking the radio button beside it.
The SNMP Trap Subscriptions page appears. The subscription is no longer displayed.

10-12 OL-25947-01
Managing Fault E-Mail Configurations

• Managing Fault E-Mail Notification Subscriptions
• Managing Fault E-Mail Subject Customization
You can use the E-Mail Configuration page to configure E-mail notification subscription and to
customize the E-mail subject.
The E-Mail Configuration page displays the following information:
• E-Mail Notification: Forwards events as e-mail to specified e-mail recipients. Forwarded traps are
based on Notification Groups.
• E-Mail Subject Customization: Customizes the e-mail subject for forwarded events.
Note You may not be able to use some of these functions if you do not have the required privileges.
Managing Fault E-Mail Notification Subscriptions

The E-Mail Notification Subscription page displays the following information:
– Running—LMS is using the subscription while monitoring events to determine when to send a
notification.
– Suspended—LMS will not use the subscription unless you resume it.
You are completely in control of subscriptions. LMS does not delete subscriptions under any
circumstances. From the E-Mail Notifications page, you can perform the tasks listed in Table 10-3.
Table 10-3 E-Mail Notification Subscriptions
Task Sample Usage

Add Add a subscription that will send e-mail notification to a user for one device with
an event of any severity (critical or informational) and any status (active,
acknowledged, or cleared).
See Adding and Editing an E-Mail Notification Subscription for more information.
Edit • View the notification group and e-mail recipients that comprise the
subscription.
• Change the e-mail recipients/notification group that comprise the subscription.
Suspend • Temporarily stop sending e-mail notifications to a user.
• Temporarily stop sending e-mail notifications about a device group.

OL-25947-01 10-13
Table 10-3 E-Mail Notification Subscriptions (continued)
Task Sample Usage

Resume • Start sending e-mail notifications to a user again.
• Start sending e-mail notifications about a device group using a previously
suspended subscription.
Delete • Remove e-mail notification subscriptions that are no longer useful.
• Remove redundant e-mail notification subscriptions.
Adding and Editing an E-Mail Notification Subscription

After you add or edit a subscription for e-mail notification, LMS sends e-mail to the users you specify
whenever an event occurs that matches the subscription.
Note Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Before You Begin

You must create a notification group before you can create an E-Mail Notification subscription. Refer to
Configuring Fault Notification Groups.
To add or edit a subscription for e-mail notification:
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Email notification.
The E-Mail Notification Subscriptions page appears.
Step 2 You can do one of the following:
• Click Add.
• Click Edit.
You can edit an e-mail notification subscription regardless of its status (Running or Suspended).
After you edit an e-mail notification subscription, if the subscription status is Running, e-mail is
forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended
• Click Delete.
Click OK in the confirmation dialog box.
The E-Mail Subscriptions page appears. The subscription is no longer displayed.
• Select the subscription you want to suspend by clicking the radio button beside it and click Suspend.
The E-Mail Notification Subscriptions page is displayed. The subscription status is Suspended.
After you suspend an e-mail notification subscription, LMS stops using the subscription to send
e-mail notification.
• Select the subscription you want to resume by clicking the radio button beside it and click Resume.

10-14 OL-25947-01
The E-Mail Notification Subscriptions page is displayed. The subscription status is Running. After
you resume an e-mail notification subscription, LMS starts using the subscription to determine when
e-mail notification should be sent in response to an event.
Step 3 When you add or edit a subscription for e-mail notification, a page appears with the following fields:
Field Description
Subscription Name Enter a subscription names.
Notification Group Select a notification group.
If you are upgrading LMS and want to use the
e-mail recipients from an earlier configuration,
activate the Recipients from Upgrade check box.
(This choice is only available for systems that
have been upgraded from earlier versions of
LMS.)
Step 4 Click Next.

Step 5 Enter the following e-mail information:
Field Description
SMTP Server The name of the default Simple Mail Transfer Protocol (SMTP) server
may already be displayed. The server is specified using Admin >
System > SMTP Default Server. You may also enter a fully qualified
DNS name or IP address for an SMTP server.
To select from any non-default SMTP servers in use by existing
subscriptions, click the SMTP Servers button.
Sender Address Enter the e-mail address that notifications should be sent from. If the
sender’s e-mail service is hosted on the SMTP server specified, you need
enter only the username. You do not need to enter the domain name.
Recipient Addresses Enter one or more e-mail addresses that notifications should be sent to,
separating multiple addresses with either a comma or a semicolon. If a
recipient’s e-mail service is hosted on the SMTP server specified, you
need to enter only the username. You do not need to enter the domain
name.
Headers Only (check box) By default, e-mail notification supplies a fully detailed e-mail message.
To omit the message body and send only a subject line, select the
Headers Only check box.
Step 6 Click the Next button located at the bottom of the page.
The E-Mail Notification Subscriptions page is displayed, showing the new subscription.

OL-25947-01 10-15
Managing Fault E-Mail Subject Customization

You can use the E-Mail Subject Customization page to customize the e-mail subject for forwarded
events. You need to select the subject attributes and the order in which they are to be displayed. When
you apply and save the selections, the e-mails are sent in the customized order.
The E-Mail Subject Customization page displays the following information:
• Available Subjects for E-mail: The additional subjects that are fetched from the LMS database. You
can use these subjects along with the default available subjects while sending e-mail notifications.
By default, following list of e-mail subject attributes are displayed in the Available Subjects for
E-Mail box:
– ifAlias
– sysLocation
– sysContact
– user_defined_field_0
When you import devices from DCR, the subject information gets updated into LMS database and
they are displayed as available subjects for e-mails.
• Selected Subjects for E-mail: The selected subjects including the default ones in the selected order
displayed by the side of the available subjects.
To customize the e-mail subject:
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Email subject customization.
The available and selected lists of the subject attributes for e-mail are displayed.
To customize the e-mail subject, you can add and remove subjects from the current e-mail subjects list.
By default, following list of e-mail subject attributes are displayed in the Selected Subjects for E-Mail
box.
• Event ID
• Device Name
• Time
• Severity
• Event Name
• Status
To add a subject:
a. Select the subject attribute from Available Subjects for E-Mail.
b. Click Add.
The selected subject attribute is added to the Selected Subjects for E-Mail list.
You can add a subject attribute only from the Available Subjects list to the Selected Subjects list.
You cannot add a subject attribute from the Selected subject list to the Available Subject list.

10-16 OL-25947-01
Managing Fault Syslog Notifications
To remove a subject attribute:

a. Select the subject attribute from Selected Subjects for E-Mail.
b. Click Remove.
The selected subject attribute is removed from the Selected list and added to the Available subjects
for E-Mail list.
You can remove a subject attribute only from the Selected Subjects list and not from the Available
Subjects list.
Step 2 Click Up or Down to rearrange the order of the selected e-mail subject attributes.
Step 3 Click Apply to save the customized e-mail subject attributes.

The Syslog Notifications page displays the following information:
– Running—Fault Management module is using the subscription while monitoring events to
determine when to send a notification.
– Suspended—Fault Management module will not use the subscription unless you resume it.
You are completely in control of subscriptions. Fault Management module does not change or delete
subscriptions under any circumstances. From the Syslog Notifications page, you can perform the tasks
listed in Table 10-4.
Table 10-4 Syslog Notification Subscriptions

Add • Add a subscription that will send a Syslog notification to Adding a Syslog
a remote machine for one device with an event of any Notification Subscription
severity (critical or informational) and any status (active,
acknowledged, or cleared).
Edit • View the notification group and Syslog recipient that Editing a Syslog
comprise the subscription. Notification Subscription
• Change the Syslog recipients/notification group that
comprise the subscription.
Suspend • Temporarily stop sending Syslog notifications to a Suspending a Syslog
remote host. Notification Subscription
• Temporarily stop sending Syslog notifications about a
device group.

OL-25947-01 10-17
Table 10-4 Syslog Notification Subscriptions (continued)

Resume • Start sending Syslog notifications to a remote host again. Resuming a Syslog
Notification Subscription
• Start sending Syslog notifications about a device group
using a previously suspended subscription.
Delete • Remove Syslog notification subscriptions that are no Deleting a Syslog
longer useful. Notification Subscription
• Remove redundant Syslog notification subscriptions.
Adding a Syslog Notification Subscription

After you add a subscription for Syslog notification, LMS sends a Syslog message to the specified
remote hosts whenever an event occurs that matches the subscription.
Note Adding a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Before You Begin

• You must create a notification group before you can create a Syslog Notification subscription. Refer
to Configuring Fault Notification Groups.
• A remote machine’s Syslog daemon must be configured to listen on a specified port, and you must
enter this information in Step 3 of the following procedure. LMS uses the default port 514.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - Syslog notification.
The Syslog Notification Subscriptions page appears.
Step 2 Click Add.
a. Enter a subscription name.
b. Select a notification group.
c. Select a facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity are used for the PRI portion of the Syslog message, as follows:
[Facility*8][Severity]
Event severity values are as follows:
• Critical = 2
• Information = 6
You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d. Click Next.
Step 3 Enter one or more hosts as recipients for Syslog notifications.
a. For each host, enter:

10-18 OL-25947-01
• A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 5.)
b. Click Next.
Step 4 Enter the name of the subscription in the Save As field and click Next.
The Syslog Notification Subscriptions page is displayed with the new subscription.
Editing a Syslog Notification Subscription

You can edit a Syslog notification subscription regardless of its status (Running or Suspended).
After you edit a Syslog notification subscription, if the subscription status is Running, Syslog messages
are forwarded as specified until you change, suspend, or delete the subscription. Editing a suspended
Note Editing a subscription is a multistep process. Your changes are not saved until you click the Finish button
on the final page.
Step 2 Select the subscription you want to edit by clicking the radio button beside it.
Step 3 Click Edit.
Step 4 Edit the Syslog Subscription Save: Edit window:
a. Change the subscription name.
b. Select a different notification group.
c. Select a Facility from the drop-down list (the default is Local Use 0). The Facility field and the event
severity is used for the PRI portion of the Syslog message, as follows:
[Facility*8][Severity]
Event severity values are as follows:
• Critical = 2
• Informational = 6
You can enter location information (up to 29 characters). This information will be populated in the
Syslog message. This is optional.
d. Click Next.
Step 5 Add or delete a recipient host or change the port number for a host:
a. To add one or more recipients, for each host, enter:

OL-25947-01 10-19

• A port number on which the Syslog daemon is listening. If the port number is unspecified
(empty), the port defaults to 514. (You can verify this in Step 7.)
b. To delete a recipient, delete the hostname, port number, and comment, if any.
c. Click Next.
Step 6 Click the Next button located at the bottom of the page.
The Syslog Notification Subscriptions page is displayed.
Suspending a Syslog Notification Subscription

After you suspend a Syslog notification subscription, LMS stops using the subscription to send Syslog
notifications. The subscription status changes to Suspended.
Step 2 Select the subscription you want to suspend by clicking the radio button beside it.
Step 3 Click Suspend.
The Syslog Notification Subscriptions page is displayed. The subscription status is Suspended.
Resuming a Syslog Notification Subscription

After you resume a Syslog notification subscription, LMS starts using the subscription to determine
when Syslog notifications should be sent in response to an event. The subscription status changes to
Running.
To resume a syslog notification subscription:
Step 2 Select the subscription you want to resume by clicking the radio button beside it.
Step 3 Click Resume.
The Syslog Notification Subscriptions page is displayed. The subscription status is Running.

10-20 OL-25947-01
Configuring Fault SNMP Trap Receiving and Forwarding
Deleting a Syslog Notification Subscription

You can delete a Syslog notification subscription regardless of the subscription status. Deleting a
subscription removes it permanently from LMS.
Note You can also suspend a subscription. Doing so causes the subscription to not be used until a user resumes
it.
To delete a syslog notification subscription:
Step 2 Select the subscription you want to delete by clicking the radio button beside it.
The Syslog Subscriptions page appears. The subscription is no longer displayed.

LMS can receive traps on any available port and forward them to a list of devices and ports. This
capability enables LMS to work with other trap processing applications.
• Enabling Devices to Send Traps to LMS
• Enabling Cisco IOS-Based Devices to Send Traps to LMS
• Enabling Catalyst Devices to Send SNMP Traps to LMS
• Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs
• Updating the SNMP Trap Receiving Port
• Configuring SNMP Trap Forwarding
LMS will only forward SNMP traps from devices in the LMS inventory.
It will not change the trap format—it will forward the raw trap in the format in which the trap was
received from the device. However, you must enable SNMP on your devices and you must do one of the
following:
• Configure SNMP to send traps directly to LMS
• Integrate SNMP trap receiving with an NMS or a trap daemon
Note The ports and protocols used by Cisco Prime are listed in Installing and Migrating to Cisco Prime LAN
Management Solution 4.2.

OL-25947-01 10-21
Enabling Devices to Send Traps to LMS
Note If your devices send SNMP traps to a Network Management System (NMS) or a trap daemon, see
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs.
Since LMS uses SNMP MIB variables and traps to determine device health, you must configure your
devices to provide this information. For any Cisco device that you want LMS to monitor, SNMP must
be enabled and the device must be configured to send SNMP traps to the LMS server.
Make sure your devices are enabled to send traps to LMS by using the command line or GUI interface
appropriate for your device:
• Enabling Cisco IOS-Based Devices to Send Traps to LMS
• Enabling Catalyst Devices to Send SNMP Traps to LMS

10-22 OL-25947-01
Enabling Cisco IOS-Based Devices to Send Traps to LMS

For devices running Cisco IOS software, enter the following commands:
(config)# snmp-server [community string] ro
(config)# snmp-server enable traps
(config)# snmp-server host [a.b.c.d] traps [community string]
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
To enable Cisco IOS-Based devices to send traps to LMS:
Step 1 Log into Cisco.com.

Step 2 Select Products & Services > Cisco IOS Software.
Step 3 Select the Cisco IOS software release version used by your IOS-based devices.
Step 4 Select Technical Documentation and select the appropriate command reference guide.
Enabling Catalyst Devices to Send SNMP Traps to LMS

For devices running Catalyst software, provide the following commands:
(enable)# set snmp community read-only [community string]
(enable)# set snmp trap enable all
(enable)# set snmp trap [a.b.c.d] [community string]
where [community string] indicates an SNMP read-only community string and [a.b.c.d] indicates the
SNMP trap receiving host (the LMS server).
For more information, see the appropriate command reference guide.
Step 1 Log into Cisco.com.

Step 2 Select Products & Services > Cisco Switches.
Step 3 Select the appropriate Cisco Catalyst series switch.
Step 4 Select Technical Documentation and select the appropriate command reference guide.

OL-25947-01 10-23
Integrating SNMP Trap Receiving with Other Trap Daemons or NMSs

You might need to complete one or more of the following steps to integrate SNMP trap receiving with
other trap daemons and other Network Management Systems (NMSs):
• If you are integrating LMS with a remote version of HP OpenView or NetView, you must install the
appropriate adapter on the remote HP OpenView or NetView (see Installing and Migrating to Cisco
Prime LAN Management Solution 4.2. This guide also provides information on supported versions).
You do not need to install any adapters if HP OpenView or NetView is installed locally.
• Add the host where LMS is running to the list of trap destinations in your network devices. See
Enabling Devices to Send Traps to LMS. Specify port 162 as the destination trap port. (If another
NMS is already listening for traps on the standard UDP trap port (162), use port 9000, which LMS
will use by default.)
• If your network devices are already sending traps to another management application, configure that
application to forward traps to LMS.
Table 10-5 describes scenarios for SNMP trap receiving and lists the advantages of each.
Table 10-5 Configuration Scenarios for Trap Receiving
Scenario Advantages
Network devices send traps to port 162 of the host where • No reconfiguration of the NMS is required.
LMS is running. LMS receives the traps and forwards
• No reconfiguration of network devices is required.
them to the NMS.
• LMS provides a reliable trap reception and forwarding
mechanism.
• NMS continues to receive traps on port 162.
• Network devices continue to send traps to port 162.
NMS receives traps on default port 162 and forwards • No reconfiguration of the NMS is required.
them to port 162 on the host where LMS is running.
• No reconfiguration of network devices is required.
• LMS does not receive traps dropped by the NMS.
Updating the SNMP Trap Receiving Port

By default, LMS receives SNMP traps on port 162 (or, if port 162 is occupied, port 9000). If you need
to change the port, you can do so. LMS supports SNMP V1, V2, and V3 traps for trap receiving.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap receiving settings.
Step 2 Enter the port number in the Receiving Port text box.
Step 3 Click Apply.
For a list of ports that are already in use, see Installing and Migrating to Cisco Prime LAN Management
Solution 4.2. If you have two instances of the DfmServer process running, traps will be forwarded from
the first instance to the second instance.

10-24 OL-25947-01
Performance SNMP Trap Notification Groups
Configuring SNMP Trap Forwarding
Note Your login determines whether or not you can perform this task. View the Cisco Prime Permission
Report (Reports > System > Users > Permission) to determine which tasks are permitted for each user
role.
LMS will only forward SNMP traps from devices in the LMS inventory. LMS will not change the trap
format—it will forward the raw trap in the format in which it was received from the device. All traps are
forwarded in V1 (SNMP Version) format. In LMS 4.2, trap support is provided for SNMPv3 configured
devices, unknown devices and non-Cisco devices.
Step 1 Select Admin > Network > Notification and Action Settings > Fault - SNMP trap forwarding.
Step 2 For each host, enter:
• A port number on which the host can receive traps.
Step 3 Click Apply.

Cisco Prime LMS allows you to create SNMP Trap Receiver Groups using the Trap Receiver Groups
option.This is group of hosts that receives specified trap notifications, when any TrendWatch or
Threshold violation occurs in LMS.
The Trap destination is defined by the IP address or it can be a host name. From the Trap Receiver
Groups page, you can create a Trap Receiver Group, modify the configuration of a Trap Receiver Group,
and delete a Trap Receiver Group.
To access the Trap Receiver Group page, Admin > Network > Notification and Action Settings >
Performance - SNMP Trap notification. The Trap Receiver Groups page appears.
Table 10-6 describes the fields in the Trap Receiver Groups.
Table 10-6 Trap Receiver Groups Fields
Field Description
Trap Group Name Name of the Trap Receiver Group.
Click on the Name hyperlink to view the details of the Trap Receiver Group
created.
Number of Receivers Number of Trap Receivers added to the Trap Receiver Group.
Create Creates a Trap Receiver Group. See Creating a Trap Receiver Group.
(button)
Edit Modifies an existing Trap Receiver group. See Editing a Trap Receiver
(button) Group.

OL-25947-01 10-25
Table 10-6 Trap Receiver Groups Fields
Field Description
Delete Deletes an existing Trap Receiver Group. See Deleting a Trap Receiver
Group.
(button)
Filter Filters information based on the criteria that you select from the drop-down
(button) list. The drop-down list contains the following criteria:
• All
• Group Name
See Filtering Trap Receiver Groups
You can perform the following tasks from the Trap Receiver Groups dialog box:
• Creating a Trap Receiver Group
• Editing a Trap Receiver Group
• Deleting a Trap Receiver Group
• Filtering Trap Receiver Groups
Creating a Trap Receiver Group

To create a Trap Receiver group
Step 1 Select Admin > Network > Notification and Action Settings > Performance - SNMP Trap
notification.
The Trap Receiver Groups page appears.
The Create Trap Receiver Group page appears, displaying the Trap Group Configuration dialog box.
Table 10-7 describes the fields in the Trap Group Configuration dialog box.
Table 10-7 Trap Group Configuration
Field Description
Group Name Enter the name of the Trap Receiver Group. For example, Trap Receiver
Group 1.
The name can contain a mix of alphabets, numerals, and some special
characters (such as - _ . # @ $ &).
Receiver Details
Host Enter the host name or IP address. For example 10.77.201.52
Enter the IP address or hostname of the destination to which the trap message
should be delivered.
Port Enter the Port Number on which Trap Receiver is listening for traps.
The default port value is 162. This field is optional.

10-26 OL-25947-01
Field Description
Community Enter the community string that appears in the trap message.
The default community string is public. This field is optional.
Create Creates the Trap Receiver Group.
(button)
Add More Adds more hosts to the present Group.
(button)
Cancel Cancels the creation of Trap Receiver Group.
(Button)
Step 3 Enter a descriptive name for the Trap Group name in the GroupName field.
Step 4 Enter the IP address or hostname of the destination to which the trap should be delivered in the Host
field.
Step 5 Enter the Port Number on which Trap Receiver is listening for traps in the Port field.
Step 6 Enter the community string that appears in the trap message in Community field.
The community string will be displayed as asterisks.
Note You can add as many as five hosts or devices to the Trap Group by default.
To add more than five hosts to the Trap Group,
Step 1 Click Add More to add another host information to the Trap Group. Go to Step 4 to continue.
Step 2 Click Create to create the Trap Group.
Or
Click Cancel to cancel the operation.
The Trap Receiver Group dialog box appears, displaying the Trap Groups.
Editing a Trap Receiver Group

You can edit a Trap Receiver Group to update or change the hosts, ports and community string of the
selected Trap Receiver Group using the Edit button in the List of Trap Receiver Groups.
You can edit only one Trap Receiver Group at a time. If you select multiple Trap Receiver Groups using
the check box, the Edit button is disabled. You cannot edit the Trap Receiver Group Name field.
To edit a Trap Receiver Group:

OL-25947-01 10-27
notification.
The Trap Receiver Groups dialog box appears.
Step 2 Select the Trap Receiver Group by checking the corresponding check box against the Trap Receiver
Group Name.
Step 3 Click Edit.
The Edit Trap Receiver Group dialog box appears, displaying the earlier settings.
Table 10-8 describes the fields in the Trap Group Configuration dialog box.
Field Description
Group Name Name of the Trap Receiver Group.
For example, Trap Receiver
Receiver Details
Enter the IP address or hostname of the destination to which the trap message
should be delivered.
Port Enter the Port Number on which Trap Receiver is listening for traps.
For example, 162
Community Enter the community string that appears in the trap message.
The default community string is public.
Update Updates the Trap Receiver Group.
(button)
(button)
Cancel Cancels the modification of the Trap Receiver Group.
(Button)
Step 4 Make the necessary changes to the Receiver Details.

To add more receivers to the present configuration,
Step 1 Click AddMore in the Trap Group Configuration dialog box.

Step 2 Make necessary changes to the Receiver Details.
Step 3 Click Update in the Trap Group Configuration dialog box to complete updating the Trap Receiver
Group.
Or
The Trap Receiver Group dialog box appears, displaying the Trap Groups.

10-28 OL-25947-01
Deleting a Trap Receiver Group

You can delete one or more Trap Receiver Groups using the Delete button on the List of Trap Receiver
Groups dialog box.
You cannot delete a Trap Receiver Group that is associated with any Threshold or TrendWatch. If you
want to delete such Trap Receiver Groups, first remove the Trap Receiver Group from the associated
Threshold or TrendWatch.
Before a Trap Receiver Group is deleted, you are prompted to confirm the deletion because you cannot
restore a Trap Receiver Group that you have deleted from the database.
To delete a Trap Receiver Group:
notification.
The List of Trap Receiver Groups dialog box appears.
Step 2 Select the Trap Group Name by checking the appropriate check box.
You can select multiple Trap Receiver Groups by checking their respective check boxes.
A message appears, prompting you to confirm the deletion,
Step 4 Click OK to delete the Trap Receiver Groups.
Or
If you choose to click OK, a message appears that the Trap Receiver Group is deleted successfully.
The Trap Receiver Groups dialog box appears.
Filtering Trap Receiver Groups

This section describes how you can use the filter option to display the Trap Receiver Group information
based on a specific criteria.
To filter a Trap Receiver Groups:
notification.
The List of Trap Receiver Group dialog box appears.
Step 2 Select a criteria for filtering from the drop-down list.
Step 3 Enter the data to be filtered.
Step 4 Click Show.
The List of Trap Receiver Groups dialog box appears, displaying the Trap Receiver Group information
based on the filter criteria.
Table 10-9 describes the criteria to filter.

OL-25947-01 10-29
Table 10-9 Trap Receiver Groups Field Description
Filter Criteria Description

Group Name Select Group Name and enter the data. You can use either of the following
methods to filter by entering:
• Complete Group name
• Any wildcard characters of the Trap Receiver Group name (such as
*trap, trap*)

10-30 OL-25947-01
Performance Syslog Notification Groups

Cisco Prime LMS allows you to create Syslog Receiver Groups using the Syslog Receiver Groups
option. Syslog Receiver Groups is a group of hosts that receives Syslog messages when any TrendWatch
or Threshold violation occurs in LMS.
From the Syslog Receiver Groups page you can create a Syslog Receiver Group, modify the
configuration of a Syslog Receiver Group, and delete a Syslog Receiver Group.
To access the Syslog Receiver Group page, select Admin > Network > Notification and Action
Settings > Performance - Syslog notification. The List of Syslog Receiver Groups dialog appears.
Table 10-10 describes the fields in the Syslog Receiver Groups.
Table 10-10 Syslog Receiver Groups Fields
Field Description
Syslog Group Name Name of the Syslog Receiver Group.
For example, Syslog Group
Number of Receivers Number of Syslog Receivers added to the Syslog Receiver Group.
Create Creates a Syslog Receiver Group. See Creating a Syslog Receiver Group.
(button)
Edit Modifies an existing Syslog Receiver group. See Editing a Syslog Receiver
Group.
(button)
Delete Deletes an existing Syslog Receiver Group. See Deleting a Syslog Receiver
(button) Group.
Filter Filters information based on the criteria that you select from the drop-down
(button) list. The drop-down list contains the following criteria:
• All
• Group Name
See Filtering Trap Receiver Groups
Update Facility Sends the Syslog message to the receiver, based on the facility level selected
in the drop-down list. The drop-down list contains the following criteria:
(button)
• local 0
• local 1
• local 2
• local 3
• local 4
• local 5
• local 6
• local 7

OL-25947-01 10-31
You can perform the following tasks from the Syslog Receiver Groups dialog box:
• Creating a Syslog Receiver Group
• Editing a Syslog Receiver Group
• Deleting a Syslog Receiver Group
• Filtering Syslog Receiver Groups
Creating a Syslog Receiver Group

To create a Syslog Receiver group:
Step 1 Select Admin > Network > Notification and Action Settings > Performance - Syslog notification.
The Syslog Receiver Groups dialog appears.
The Create Syslog Receiver Group page appears, displaying the Syslog Group Configuration dialog box.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Table 10-11 Syslog Groups Configuration
Field Description
Group Name Enter the name of the Syslog Group name. For example, Syslog Group.
The name can contain a mix of alphabets, numerals, and some special
characters (such as - _ . # @ $ &).
Receiver Details
Enter the IP address or hostname of the destination to which the syslog
message should be delivered. This IP address should be DNS resolvable.
Port Enter the Port Number on which Syslog Receiver is listening for syslog
messages.
The default port value is 514. This field is optional.
Create Creates the Syslog Receiver Group
(button)
Add More Adds more hosts to the present Group
(button)
Cancel Cancels the creation of Syslog Receiver Group
(Button)
Step 3 Enter a descriptive name for the Syslog Group name in the GroupName field.
Step 4 Enter the IP address or hostname of the destination to which the Syslog messages should be delivered in
the Host field.
Step 5 Enter the Port Number on which Syslog Receiver is listening for Syslog Messages in the Port field.

10-32 OL-25947-01
Note You can add as many as five hosts or devices to the Syslog Group by default.
To add more than five hosts to the Syslog Group,
Step 1 Click AddMore to add another host information to the Syslog Group. Go to Step 4 to continue.
Step 2 Click Create to create the Syslog Group.
Or
The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Editing a Syslog Receiver Group

You can edit a Syslog Receiver Group to update or change the hosts and ports of the selected Syslog
Receiver Group using the Edit button in the List of Syslog Receiver Groups.
You can edit only one Syslog Receiver Group at a time. If you select multiple Syslog Receiver Groups
using the check box, the Edit button is disabled. You cannot edit the Syslog Receiver Group Name field.
To edit a Syslog Receiver Group:
The Syslog Receiver Groups dialog box appears.
Step 2 Select the Syslog Receiver Group by checking the corresponding check box against the Syslog Receiver
Group Name.
Step 3 Click Edit.
The Edit Syslog Receiver Group dialog box appears, displaying the earlier settings.
Table 10-11 describes the fields in the Syslog Group Configuration dialog box.
Field Description
Group Name Name of the Syslog Group name.
For example, Syslog Group.
Receiver Details
Host Enter the host name or IP address. for example 10.77.201.52
Enter the IP address or hostname of the destination to which the Syslog
message should be delivered.
Port Enter the Port Number on which Syslog Receiver is listening for Syslog
messages.
The default port number is 512.

OL-25947-01 10-33
Field Description
Update Updates the Syslog Receiver Group.
(button)
(button)
Cancel Cancels the modification of the Syslog Receiver Group.
(Button)

To add more receivers to the current configuration:
Step 1 Click AddMore in the Syslog Group Configuration dialog box.

Step 3 Click Update in the Syslog Group Configuration dialog box to complete updating the Syslog Receiver
Group.
Or
The Syslog Receiver Group dialog box appears, displaying the Syslog Groups.
Deleting a Syslog Receiver Group

You can delete one or more Syslog Receiver Groups using the Delete button on the List of Syslog
Receiver Groups dialog box.
You cannot delete a Syslog Receiver Group which is associated with any Threshold or TrendWatch. If
you want to delete such Syslog Receiver Groups, first remove the Syslog Receiver Group from the
associated Threshold or TrendWatch.
Before a Syslog Receiver Group is deleted, you are prompted to confirm the deletion because you cannot
restore a Syslog Receiver Group that you have deleted from the database.
To delete a Syslog Receiver Group:
Step 2 Select the Syslog Group Name by checking the appropriate check box.
You can select multiple Syslog Receiver Groups by checking their respective check boxes.
A message appears, prompting you to confirm the deletion.
Step 4 Click OK to delete the Syslog Receiver Groups.
Or

10-34 OL-25947-01

If you choose to click OK, a message appears that the Syslog Receiver Group is deleted successfully.
Filtering Syslog Receiver Groups

You can use the Filter option to display the Syslog Receiver Group information based on a specific
criteria.
To filter a Syslog Receiver Groups:
The List of Syslog Receiver Group dialog box appears.
Step 2 Select a criteria for filtering from the drop-down list.
Step 3 Enter the data to be filtered.
Step 4 Click Show.
The Syslog Receiver Groups dialog box appears, displaying the Syslog Receiver Group information
based on the filter criteria.
Table 10-13 describes the criteria to filter.
Table 10-13 Syslog Receiver Groups Field Description
Filter Criteria Description

Group Name Select Group Name and enter the data. You can use any of the following
methods to filter by entering:
• Complete Group name
• Any wildcard characters of the Syslog Receiver Group name (such as
*Syslog, Syslog*)

OL-25947-01 10-35
Defining Automated Actions

You can create automated actions to be executed automatically whenever Syslog Analyzer receives a
specific message type.
• Creating an Automated Action
• Editing an Automated Action
• Guidelines for Writing Automated Script
• Enabling or Disabling an Automated Action
• Exporting or Importing an Automated Action
• Deleting an Automated Action
• Automated Action: An Example
When you select Admin > Network > Notification and Action Settings > Syslog Automated Actions,
a list of automated actions appears in the dialog box on the Automated Actions page. Of these, there are
two system-defined automated actions (the rest are user-defined). The system-defined automated actions
are:
• Inventory Fetch—To fetch inventory from the device.
• Config Fetch—To fetch configuration from the device.
You can edit these system-defined automated actions, but you cannot delete them. These actions are
enabled by default. You can choose to disable them by selecting them and clicking Enable/Disable.
Config Fetch might loop if SYS-6-CFG_CHG-*SNMP* message is received from a Catalyst operating
system device. You can then edit Config Fetch automated action and you can delete
SYS-6-CFG_CHG-*SNMP* message type.
In the Automated Actions dialog box, you can choose whether to include interfaces of selected devices
or not.
The columns in the Automated Actions dialog box are:
Column Description
Name Name of the automated action.
Status Status of the automated action at creation time—Enabled, or disabled
Type Type of automated action—E-mail, script or URL.

10-36 OL-25947-01
Using the automated actions dialog box, you can do the following tasks:
Task Button
Create an automated action (see Creating an Automated Action). Create
Edit an automated action (see Editing an Automated Action). Edit
Enable or Disable an automated action (see Enabling or Disabling an Automated Action) Enable/Disable
Import or Export an automated action (see Exporting or Importing an Automated Action) Import/Export
Delete an automated action (see Deleting an Automated Action). Delete
If you are creating an automated action, see the example (Automated Action: An Example) of how to set
up an automated action that sends an e-mail when a specific Syslog message is received.
On Windows, you cannot set up an automated action to execute an.exe file that interacts with the
Windows desktop. For example, you cannot make a window pop up on the desktop.
Related Topics
• Defining Automated Actions

• Enabling or Disabling an Automated Action
• Exporting or Importing an Automated Action
• Automated Action: An Example
• Guidelines for Writing Automated Script
Creating an Automated Action

To create an automated action:
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Automated Actions.
A dialog box, with a list of automated actions, appears in the Automated Actions page. Here, you can
choose whether to include interfaces of selected devices or not. For the description of the columns in the
Automated Actions dialog box, see Defining Automated Actions.
A dialog box appears for device selection.
Step 3 Select All Managed Devices or Choose Devices.
If you select the All Managed Devices option:
• You cannot select the individual devices or device categories from the device selector.
• All managed devices are considered.
• The syslog messages from the various device interfaces are considered for creating automated
actions.

OL-25947-01 10-37
If you select Choose Devices option, you must select the required devices.
Step 4 Click Next.
A dialog box appears in the Define Message Type page.
Step 5 Enter a unique name for the automated action that you are creating.
Step 6 Select either Enabled or Disabled as the status for the action at creation time.
Step 7 Select the Syslog message types for which you want to trigger the automated action from the Define New
Message Type section of the dialog box.
Step 8 Click Next.
The Automated Action Type dialog box appears.
Step 9 Select a type of action (E-mail, URL, or Script) from the Select a type of action drop-down list box.
• If you select E-mail, enter the following information in the Automated Action Type dialog box:
Field Description
Send to List of comma separated e-mail addresses. Mandatory field.
Subject Subject of the e-mail.
Content Content that you want the e-mail to contain.
• If you select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action
type dialog box. In the URL, you can use the following parameters:
– $D (for the device)
– $M (for the complete syslog message).
When the URL is invoked, If you have specified $D or $M, then, $D is substituted with the device
hostname or IP address and $M is substituted with the syslog message.
For example, if the URL is
http://hostname/script.pl?device=$D&mesg=$M
When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog
message.
• If you select Script, enter the script to be used, in the Script to execute field of the Automated Action
type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files
(*.bat) on Windows. The shell script or batch file should have only write/execute permissions for
casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the
file have permissions to execute from within the casuser account.
The script files must be available at this location:
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog

10-38 OL-25947-01
To select the script file:

a. Click Browse.
b. Select the file (*.sh on Unix and *.bat on Windows).
Step 10 Click OK.
If the executable program produces any errors or writes to the console, the errors will be logged as Info
messages in the SyslogAnalyzer.log.
This file is available at:
On UNIX,
/opt/CSCOpx/log directory
On Windows,
NMSROOT\log directory (where NMSROOT is the root directory of the LMS Server).
Editing an Automated Action

To edit an automated action:
A dialog box, displaying the list of automated actions, appears in the Automated Actions page.
For the description of the columns in the Automated Actions dialog box, see Defining Automated
Actions.
Step 2 Select an automated action from the drop-down list and click Edit.
The Select Devices dialog box appears.
Step 3 Select the required devices and click Next.
This dialog box allows you to:
• Change the Message Filter Type—From Enabled to Disabled, or vice, versa.
• Add a message type
• Edit a message type
• Delete a message type
• Select a message type from system-defined message types
Step 4 Click Next.
Step 5 The Automated Action Type dialog box appears.
This dialog box allows you to change the type of action. For example, you can change from E-mail to
URL or Script.
• For E-mail, enter or change the following information in the Automated Action type dialog box:

OL-25947-01 10-39
Field Description
Send to List of comma separated e-mail addresses.
Subject Subject of the e-mail (optional).
(Admin > System > System Preferences). When the job completes, an e-mail is sent with the
E-mail ID as the sender's address
• For URL, enter or change the URL to be invoked, in the Automated Action type dialog box. If you
select URL, enter the URL to be invoked, in the URL to Invoke field of the Automated Action type
dialog box. In the URL, you can use the following parameters:
When the URL is invoked, If you have specified $D or $M, then, $D is substituted with the device
When invoked, $D is replaced with 10.68.12.2 and $M is replaced with the URL-encoded syslog
message.
• If you select Script, enter the script to be used, in the Script to execute field of the Automated Action
type dialog box.
Either enter or select the script file. You can run only shell scripts (*.sh) on Unix and batch files
(*.bat) on Windows. The shell script or batch file should have only write/execute permissions for
casuser:casusers in UNIX and casuser/Administrator in Windows.
The other users should have only read permission. You must ensure that the scripts contained in the
file have permissions to execute from within the casuser account.
On Windows:
NMSROOT/files/scripts/syslog
On UNIX:
/var/adm/CSCOpx/files/scripts/syslog
a. Click Browse.
The External Config Selector dialog box appears.
b. Select the file (*.sh on Unix and *.bat on Windows).
The edited automated action appears in the dialog box on the Automated Action page.

10-40 OL-25947-01
Guidelines for Writing Automated Script

To write an automated script:
Step 1 Copy the sampleEmailScript.pl from RME 3.5 or older to the new LMS 4.2 server and put this file in:
/var/adm/CSCOpx/files/scripts/syslog directory
For Windows:
NSMROOT/files/scripts/syslog
Step 2 Write a shell script for Solaris/Soft Appliance or .bat file for Windows in the same directory.
Here is an example shell script (called syslog-email.sh) for UNIX:
#!/bin/sh
/opt/CSCOpx/bin/perl /var/adm/CSCOpx/files/scripts/syslog/sampleEmailScript.pl
-text_message "MEssage:
$2 from device: $1" -email_ids nobody@nowhere.com -subject "Syslog Message: $2" -from
nobody@nowhere.com -smtp mail-server-name.nowhere.com
For Windows, replace $1 and $2 with %1 and %2 and change the directory accordingly.
Enabling or Disabling an Automated Action

To enable or disable an automated action:
A dialog box, displaying the list of automated actions, appears in the Automated Action page. For the
description of the columns in the Automated Actions dialog box, see Defining Automated Actions.
Step 2 Select the required automated action from the list in the dialog box.
Step 3 Click Enable/Disable to toggle its status.
The dialog box in the Automated Action page is refreshed and it displays the changed state for the
specified automated action.
Exporting or Importing an Automated Action

You can export an automated action to a flat file and use this file on any Syslog Analyzer, using the
import option.
To export or import an automated action:
A dialog box, displaying the list of automated actions, appears in the Automated Action page.

OL-25947-01 10-41
Actions.
Step 2 Select an automated action. You can select more than one automated action.
If you do not select an automated action before clicking the Export/Import button, then only the Import
option will be available. The Export option will be disabled
Step 3 Click Export/Import.
The Export/Import Automated Actions dialog box appears with the Export or Import options.
Step 4 Select either Export or Import.
Step 5 Either:
• Enter the location of the file to be exported or imported.
Or
• Click Browse.
The Server Side File Browser appears. You can select a valid file, and click OK.
The file location appears in the Export/Import dialog box.
Step 6 Click OK.
Deleting an Automated Action

To delete an automated action:
A dialog box, displaying the list of automated actions, appears in the Automated Action page.
Actions.
Step 2 Select the required automated action from the list in the dialog box.
You will be asked to confirm the deletion. If you confirm the deletion, the action will be deleted.
Automated Action: An Example

This is an example of how to set up an automated action that sends an e-mail when a specific Syslog
message is received. This example assumes that devices have been imported and are sending Syslog
messages to the LMS Server.

10-42 OL-25947-01
A dialog box, with a list of automated actions, appears in the Automated Action page. For the description
of the columns in the Automated Actions dialog box, see Defining Automated Actions.
The Devices Selection dialog box appears.
The Define Message Type dialog box appears.
Step 4 Enter a unique name for the automated action that you are creating.
Step 5 Select either Enabled, or Disabled as the status for the action at creation time.
Step 6 Click Select.
The Select System Defined Message Types dialog box appears.
Step 7 Select the SYS folder, then select the SYS-*-5-CONFIG_I message from the Select System Defined
Message Types list, and click OK.
The dialog box on the Define Message Type page appears.
Step 8 Click Next.
Step 9 Select the type of action—E-mail, Script, or URL.
If you had selected Email in Step 9: Enter the following information:
Field Description
Send to List of comma-separated e-mail addresses.
Subject Subject of the e-mail (optional).
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin >
(Admin > System > System Preferences). If a syslog is found with the matching type for managed
(normal) devices, an e-mail is sent with the E-mail ID as the sender's address. Then go to Step 10.
If you had selected Script in Step 9: Choose the appropriate bat file for Windows, or shell script for
Solaris, from the File Selector. For details about these files, see the topic Creating an Automated Action.
Then go to Step 10.
If you had selected URL in Step 9: Enter the URL to be invoked. If you select URL, enter the URL to
be invoked, in the URL to Invoke field of the Automated Action type dialog box. In the URL, you can
use the following parameters:
When the URL is invoked, if you have specified $D or $M, then, $D is substituted with the device

OL-25947-01 10-43
Defining Syslog Message Filters
When invoked, $D is replaced with 10.68.12.2 (where 10.68.12.2 is the IP address of the device) and
$M is replaced with the URL-encoded syslog message.
Also see Verifying the Automated Action.
Verifying the Automated Action

To verify the automated action:
Step 1 Select a managed router that is already sending Syslog messages to the LMS server and generate a
SYS-5-CONFIG_I message by changing the message-of-the-day banner as follows:
a. Connect to the managed router using Telnet and log in.
b. In enable mode enter enable, then enter a password.
c. At the config prompt enter configure terminal.
d. Change the banner by entering:
banner motd z
This is a test banner z
end
e. Exit the Telnet session.
Step 2 Make sure that the SYS-5_CONFIG_I message is sent to the LMS Server as follows:
• On UNIX systems, open the syslog_info file located in the /var/log directory, or whichever file has
been configured to receive Syslog messages.
• On Windows systems, open the syslog.log file located in the NMSROOT\log\ directory.
Where NMSROOT is the LMS installation directory.
Step 3 Verify that there is a message from the managed router whose banner-of-the-day was changed.
This message appears at the bottom of the log.
• If the message is in the file, an e-mail is mailed to the e-mail ID specified.
• If the message is not in the file, the router has not been configured properly to send Syslog messages
to the LMS Server.

• Creating a Filter
• Editing a Filter
• Enabling or Disabling a Filter
• Exporting or Importing a Filter

10-44 OL-25947-01
• Deleting a Filter
You can exclude messages from Syslog Analyzer by creating filters.
Note View the Permission Report (Reports > System > Users > Permission) to check if you have the
required privileges to perform this task.
To launch the message filters dialog box:
Step 1 Select Admin > Network > Notification and Action Settings > Syslog Message Filters.
A dialog box appears in the Message Filters page.
A list of all message filters is displayed in this dialog box, along with the names, and the status of each
filter—Enabled, or Disabled.
Step 2 Specify whether the filters are for dropping the Syslog messages or for keeping them, by selecting either
Drop or Keep.
• If you select Drop, the Common Syslog Collector drops the syslogs that match any of the Drop
filters from further processing.
• If you select Keep, Collector allows only the syslogs that match any of the “Keep” filters, for further
processing.
Note The Drop or Keep options apply to all message filters. They do not apply to individual filters.
Step 3 Specify whether interfaces of selected devices should be included.

In the dialog box that displays the message filters, you can do the following tasks:
Task Button
Create a filter (see Creating a Filter). Create
Edit a filter (see Editing a Filter). Edit
Enable or disable a filter (see Enabling or Disabling a Filter). Enable/Disable
Export or import a filter. (see Exporting or Importing a Filter). Export/Import
Delete a filter (see Deleting a Filter). Delete
Creating a Filter
You can create a filter for Syslog messages by:
A dialog box with a list of filters, appears in the Message Filter page.
Step 2 Specify whether the filter should be a dropped or kept, by selecting either Drop or Keep.

OL-25947-01 10-45
• If you select Drop, the Common Syslog Collector drops the Syslogs that match any of the Drop
filters from further processing.
• If you select Keep, Collector allows only the Syslogs that match any of the Keep filters, for further
processing.
Note The Drop or Keep options apply to all message filters. They do not apply to individual filters.

The dialog box appears for device selection.
Step 4 Select All Managed Devices or Choose Devices.
If you select the All Managed Devices option:
• You cannot select the individual devices or device categories from the device selector.
• All managed devices are considered.
• The syslog messages from the various device interfaces are considered for creating message filters.
If you select the Choose Devices option, you must select the required devices.
Step 5 Click Next.
.A dialog box appears in the Define Message Type page.
Step 6 Enter a unique name for the filter.
Step 7 Select either the Enabled, or the Disabled status for the filter at creation time.
Step 8 Select the Syslog message types for which you want to apply the filter.
The list of filters in the message filter dialog box on the Message Filters page is refreshed.
Editing a Filter
To edit a filter:
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2 Select a filter by clicking on its check box, and click Edit.
The Select Devices dialog box appears.
This dialog box allows you to:
• Change the filter Status—From Enabled to Disabled, or vice, versa.
• Add a message type
• Edit a message type
• Delete a message type

10-46 OL-25947-01
• Select a message type from system-defined message types

Step 4 Click Finish after you make all your changes.
The edited filter appears in the dialog box on the Message Filter page.
Enabling or Disabling a Filter

To enable or disable a filter:
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2 Select the required filter from the list in the dialog box.
Step 3 Click Enable/Disable to toggle its status.
The dialog box in the Message Filter page is refreshed and it displays the changed state for the specified
filter.
Exporting or Importing a Filter

You can export a filter to a flat file and use this file on any Syslog Analyzer, using the import option.
To export or import a filter:
A dialog box, with the list of filters, appears in the Message Filter page.
Step 2 Select a filter. You can select more than one filter.
The Export/Import dialog box appears with the Export or Import options.
Step 4 Select either Export or Import.

OL-25947-01 10-47
Inventory and Config Collection Failure Notification
Step 5 Either:
• Enter the location of the file to be exported or imported.
Or
a. Click Browse.
The Server Side File Browser appears.
b. Select a valid file location, and click OK.
The file location appears in the Export/Import dialog box.
Step 6 Click OK.
Deleting a Filter
To delete a filter:
A dialog box, displaying the list of filters, appears in the Message Filter page.
Step 2 Select the required filter from the list in the dialog box.
When you confirm the deletion, the filter is deleted.

• Configuring Trap Notification Messages
• Examples for Collection Failure Notification
• Fields in a Trap Notification Message
You can use the Collection Failure Notification option to configure the destination Server and Port to
receive trap notification on Inventory Collection or Config Fetch failure. This failure trap is sent per
device from the LMS server whenever the collection does not happen.
Other network management stations can use this trap to know about LMS Inventory or Config collection
failure status. You can check or uncheck the options available in this page to enable or disable the
sending of trap notifications to other servers on Inventory Collection or Config Fetch failure.

10-48 OL-25947-01
Table 10-14 lists the various fields and buttons available in the Notification on Failure Window:
Table 10-14 Collection Failure Notification
Field Description
All Check this option, if you require both the Config Fetch Failure and Inventory Collection Failure trap
notification to be sent to the listed servers.
The listed servers are those servers that you have configured to receive trap notifications. See the
description for List of Destination field for more information.
Config Collection Check this option, if you require the Config Fetch Failure trap notification to be sent to the listed
servers.
Uncheck this option if you do not want the Config Fetch Failure trap notification to be sent to the listed
servers.
Inventory Check this option, if you require the Inventory Collection Failure trap notification to be sent to the listed
Collection servers.
Uncheck this option if you do not want the Inventory Collection Failure trap notification to be sent to
the listed servers.
Trap Destination Information
Server The name or IP address of the destination server.
Port The port number of the destination server.
List of The names of the destination servers along with their ports which are configured to receive the trap
Destinations notifications.
Buttons
Add Use the Add button to add the destination server and port information. On clicking Add, the server and
port information get reflected in the List of Destinations list.
Delete Use the Delete button to remove server and port information from the List of Destinations. To do so,
select one or more server and port entry from the list of Destinations list and click on Delete to remove
the entries from the list.
Apply Click to accept the changes made.

OL-25947-01 10-49
Configuring Trap Notification Messages

To configure the distribution of trap notification messages from LMS to the connected hosts:
Step 1 Select Admin > Network > Notification and Action Settings > Inventory and Config collection
failure notification.
The Notification on Failure dialog box appears. Refer to to further complete the selection in this dialog
box.
Step 2 Click Apply to accept the changes made.
Examples for Collection Failure Notification

Example for Config Fetch Failure
You are providing the following information in the Collection Failure Notification screen:
Destination Server: 10.77.153.47
Destination Port: 162
You are also enabling the Send Notification on Config Fetch Failure option. By enabling this option you
are allowing trap notifications to be sent to the specified destination server on Config Fetch Failure using
the specified port.
After that you add few new devices to LMS and schedule a job to fetch the configurations for all the
devices. There is a Config Fetch Failure as the scheduled job is unable to fetch the configurations for the
new devices. The server 10.77.153.47 receives trap notifications for each Config Fetch Failure per
device.
Example for Inventory Collection Failure

You are providing the following information in the Collection Failure Notification screen:
Destination Server: 10.77.153.47
Destination Port: 162
You are also enabling the Inventory Collection option. By enabling this option you are allowing trap
notifications to be sent to the specified destination server on Inventory Collection Failure using the
specified port.
After that you add few new devices to LMS and schedule a job to fetch the inventory information for all
devices. There is a Inventory Collection Failure as the scheduled job is unable to fetch the inventory
details for the new devices. The server 10.77.153.47 receives trap notifications for each Inventory
Collection Failure per device.
Fields in a Trap Notification Message

Table 10-15 lists the various fields that constitute a Configuration Fetch or Inventory Collection Failure
trap notification message.

10-50 OL-25947-01
IPSLA Syslog Configuration
Table 10-15 Fields in a Trap Notification Message

Field Description
Application Name LMS application that caused this change or identified the change and generated the notification.
Device Name Network device for which the inventory or configuration collection has failed.
Collection Failure Time at which the inventory or configuration collection job failed.
Time
Error Message The message that describes the reason for the collection failure. Some examples of trap error messages:
Inventory Collection Failed due to SNMP TimeOut Exception.
Config Collection Failed due to authentication failure.

Syslog is a trap message that is sent from the device if any changes occur to the device. You can either
enable or disable the IPSLA Syslog. However the IPSLA Syslog can be configured only by a Network
Administrator or System Administrator.
The Device Selector will display only the Source devices that are IPSLA enabled. It does not display any
Target devices.
To enable or disable IPSLA Syslog:
Step 1 Select Admin > Network > Notification and Action Settings > IPSLA Syslog Configuration.
The IPSLA Syslog Configuration page appears.
Step 2 Click Enable
If you click Enable, LMS will run the IPSLA CLI Command on the selected device, through the config
job on the LMS server. This enables the generation of the IPSLAs specific traps through the system
logging (Syslog process). Immediate job will be created in LMS and the Job ID link appears. Clicking
the link will display the Syslog details.
Or
If you click Disable, LMS will run the IPSLA CLI Command on the selected device, through the config
job on the LMS server.
(LMS will run the IPSLA CLI Command on the selected device, through the config job on the LMS
server). Immediate job will be created in LMS and the Job ID link appears. Clicking the link will display
the Syslog details.
Note In a Multi-server setup among different versions, IPSLA Syslog enables supported version will be
greater than LMS 4.2

OL-25947-01 10-51

10-52 OL-25947-01
CHAPTER 11
Administering Change Audit and Software
Management
Change Audit tracks and reports changes made in the network. Change Audit allows other LMS to log
change information to a central repository. Device Configuration, Inventory, and Software Management
changes can be logged and viewed using Change Audit.
LMS writes change records to Change Audit. Change Audit stores these records in the log tables
(summary and details) for later use with reports.
For example, Software Management records a change for each completed device upgrade. If a job has
ten devices, then Software Management writes ten entries to the Change Audit log, but the Change Audit
report shows only one job with ten devices. You can then access individual device information.
Each application writes its own change records to Change Audit. For example, in Inventory you can set
inventory change filters to filter out all kinds of information for different device types. Change Audit
record maintenance is controlled by the Change Audit Delete Change History option.
You can convert change records into SNMP V1 traps and forward them to a destination of your choice.
This allows system administrators to forward critical network change data to their own NMS.
You can define automated actions (e-mail and automated scripts) on creation of change audit record. The
automated action gets triggered on creation of the change audit record.
• Setting Up Preferences
• Performing Change Audit Tasks
• Performing Maintenance Tasks
• Defining Exception Periods
• Defining Change Audit Automated Actions
• Software Management Administration Tasks
• Setting Change Report Filters

OL-25947-01 11-1
Chapter 11 Administering Change Audit and Software Management
Setting Up Preferences
Setting Up Preferences
You can use this feature to set up your editing preferences. Config Editor remembers your preferred
mode, even across different invocations of the application.
You can change the mode using the Device and Version, Pattern Search, Baseline or External
Configuration option but the changes do not affect the default settings.
To set up preferences:
Step 1 Select Configuration > Tools > Config Editor > Edit Mode Preference.
The User Preferences dialog box appears.
Step 2 Set the default edit mode:
• Select Processed to display the file in the Processed mode.
The configuration file appears at the configlet level (a set of related configuration commands). The
default is Processed.
• Select Raw to display the file in the Raw mode.
The entire file appears as shown in the device.
Step 3 Click Apply to apply the set preferences.
Performing Change Audit Tasks

Change Audit allows you to:
• Determine changes being made in the network during critical operations time
System administrators can define the start and end times during the day when network changes
should not be made. Based on this selection you can quickly see, for a given day, whether changes
were made when they should not be.
See Defining Exception Periods for defining the exception periods.
• Define automated actions on creation of change audit record
Automated action gets triggered on creation of the change audit record. You can define any number
of automated actions. The supported automated actions are, E-mail, Traps, and Automated scripts
See Defining Change Audit Automated Actions for defining the Change Audit automated actions.
• Monitor your software image distribution and download history for software changes made using
the Software Management application.
Software Management automatically sends network change data to the Change Audit summary and
details tables.
• Track any configuration file changes
Device Configuration automatically sends data on configuration file changes to the Change Audit
log.
See Generating 24 Hours and Standard Change Audit Reports for generating the Change Audit
reports.

11-2 OL-25947-01
Performing Maintenance Tasks
• Monitor inventory additions, deletions, or changes

Inventory tracks specific messages or monitors any and all changes in your network inventory. To
set inventory filters, use the Inventory Change Filter option.
reports.
• View all the latest changes that occurred in the network over the last 24 hours
24-Hour Reports provides a quick way to access the latest changes in the Change Audit log.
reports.
• Purging the Change Audit records
Frees disk space and maintains your Change Audit records at a manageable size. You can either
schedule for periodic purge or perform a forced purge of Change Audit data.
See Performing Maintenance Tasks for scheduling a periodic purge.
• Generating change audit data in XML format
cwcli export changeaudit is a command line tool that also provides servlet access to change audit
data. This tool uses the existing Change Audit log data and generates the Change Audit log data in
XML format.
• Set the debug mode for Change Audit application
You can set the debug mode for Change Audit application in the Log Level Settings dialog box
(Select Admin > System > Debug Settings > Config and Image Management Debugging
settings; select Change Audit from the Application drop-down list.).
Generating 24 Hours and Standard Change Audit Reports

To generate 24 Hours and Standard Change Audit Reports:
Step 1 Select Reports > Audit.

Step 2 Select Change Audit from the first drop-down list box.
Step 3 Select Standard from the second drop-down list box.

You can either schedule for periodic purge or perform a forced purge of Change Audit data. This frees
disk space and maintains your Change Audit data at a manageable size.
You can perform these tasks:
• Setting the Purge Policy
• Performing a Forced Purge
• Config Change Filter

OL-25947-01 11-3
Setting the Purge Policy

You can specify a default policy for the periodic purging of Change Audit data.
To set the Change Audit Purge Policy:
Step 1 Select Admin > Network > Purge Settings > ChangeAudit Purge Policy.
The Purge Policy dialog box appears in the Periodic Purge Settings pane.
Field Description
Purge change audit Enter the number of days. Only Change Audit records older than the number of days that you
records older than specify here, will be purged.
The default is 180 days.
Purge audit trail records Enter the number of days. Only Audit Trail records older than the number of days that you
older than specify here, will be purged.
The default is 180 days.
Scheduling
Run Type You can specify when you want to run the Purge job for Change Audit and Audit Trail records.
To do this select one of the following options from the drop-down menu:
The subsequent instances of periodic jobs will run only after the earlier instance of the job is
complete.
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1
job has completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m.
November 2, then the next job will start only at 10:00 a.m. on November 3.
at Enter the start time, in the hh:mm:ss format (23:00:00).

11-4 OL-25947-01
Field Description
Job Info
Job Description The system default job description, ChangeAudit Records - default purge job is displayed.
E-mail Enter e-mail addresses to which the job sends messages at the end of the job.
box (Admin > System > System Preferences). When the job starts or completes, an e-mail is
sent with the E-mail ID as the sender's address.
Caution You might delete data by changing these values. If you change the number of days to values lower than
the current values, messages over the new limits will be deleted.
Step 3 Click either Save to save the Purge policy that you have specified, or click Reset to reset the changes
made to a Purge policy.
Performing a Forced Purge

You can perform a Forced Purge of Change Audit, as required.
To perform a Change Audit Forced Purge:
Step 1 Select Admin > Network > Purge Settings > ChangeAudit Force Purge.
The Purge Policy dialog box appears.
Step 2 Enter the information required to perform a Forced Purge:
Field Description
Purge change audit Enter the number of days. Only Change Audit records older than the number of days that you specify
records older than here, will be purged.
Purge audit trail Enter the number of days. Only Audit Trail records older than the number of days that you specify
records older than here, will be purged.

OL-25947-01 11-5
Field Description
Scheduling
Run Type You can specify when you want to run the Force Purged job for Change Audit and Audit Trail records.
To do this select one of the following options from the drop-down menu:
• Immediate—Runs this task immediately.
• Once—Runs this task once at the specified date and time.
Date Enter the start date in the dd-mmm-yyyy format, for example, 02-Dec-2003, or click on the Calendar
icon and select the date.
The Date field is enabled only if you have selected Once as the Run Type.
The At field is enabled only if you have selected Once as the Run Type
Job Info
Job Description Enter a description for the job. This is mandatory.
E-mail Enter e-mail addresses to which the job sends messages at the end of the job.
Step 3 Click Submit for the Forced Purge to become effective.

11-6 OL-25947-01
Defining Exception Periods
Config Change Filter

You can use this option to enable or disable VLAN Change audit filtering. When there is a change to the
device configuration, a change record is created. By default, the VLAN change audit record is not
created for those devices that have a VLAN configuration.
To enable or disable the VLAN Change Audit Filter option:
Step 1 Select Admin > Network > Change Audit Settings > Config Change Filter.
The Config Change Filter dialog box appears.
Step 2 Check or uncheck the Enable VLAN Change Audit Filter option.
• Check Enable VLAN Change Audit Filter, if you do not want the change audit record to be created
for devices that have a VLAN configuration. By default, this option is checked.
• Uncheck Enable VLAN Change Audit Filter, if you want the change audit record to be created for
devices that have VLAN configuration.
Step 3 Click either Apply to apply the option or click Cancel to discard the changes.

An Exception period is a time you specify when no network changes should occur. This period does not
prevent you from making any changes in your network. The set of Exception periods is known as an
Exception profile.
You can have only one Exception period for a day.
You perform the following tasks for Exception profiles:
Tasks Description
Creating an Exception Period Creating an exception profile.
Enabling and Disabling an Enabling and disabling a set of exception profiles.
Exception Period
Editing an Exception Period Editing an exception profile.
Deleting an Exception Period Deleting a set of exception profiles.

OL-25947-01 11-7
Creating an Exception Period

To create an Exception profile:
Step 1 Select Admin > Network > Change Audit Settings > Exception Periods.
The Define Exception Period dialog box appears.
Step 2 Select:
• Days of the week from the Day drop-down list box
• Start and end times from the Start Time and the End Time drop-down list box.
Step 3 Click Add.
The defined exception profile appears in the List of Defined Exception Periods pane.
To enable the exception period, see Enabling and Disabling an Exception Period.
Enabling and Disabling an Exception Period

To enable and disable a set of exceptions periods:
Step 2 Select one or more exception profiles in the List of Defined Exception Periods pane.
Step 3 Click Enable/Disable.
• If you have selected Enabled, then the exception period report is generated for that specified time
frame.
• If you have selected Disabled, then the exception period report is not generated for that whole day.
For example: If you have disabled exception period for Monday from 10:00 am to 12:30 pm, then
there will not be any exception period report generated for Monday.

11-8 OL-25947-01
Editing an Exception Period

To edit an exception profile:
Step 2 Select a day from the Day drop-down list box for which you want to change the exception period.
Step 3 Change the start and end times in the Start Time and the End Time drop-down list box.
If required you can also enable or disable the status for the exception period.
Step 4 Click Add.
The edited exception profile appears in the List of Defined Exception Period dialog box. This will
overwrite the existing exception profile for that day.
Deleting an Exception Period

To delete a set of Exceptions Periods:
Step 2 Select one or more exception profiles in the List of defined Exception Periods pane.

OL-25947-01 11-9
Defining Change Audit Automated Actions

You can define automated actions on creation of change audit record. This automated action gets
triggered on creation of the change audit record. You can define any number of automated actions. The
supported automated actions are:
• E-mail
• Traps
• Automated scripts
• Understanding the Automated Action Window
• Enabling and Disabling an Automated Action
• Exporting and Importing an Automated Action
Understanding the Automated Action Window

This window contains the following entries:
Field Description
Name Name of the automated action.
Status Status of the automated action—Enabled, or disabled.
Type Type of automated action—Email, Script or Trap.
You perform the following tasks from this window:
Tasks Description
Creating an Automated Action Creating an automated action.
Enabling and Disabling an Enabling and disabling a set of automated actions.
Automated Action
This button gets activated only after selecting an automated
action.
Editing an Automated Action Editing an automated action.
action.
Exporting and Importing an Exporting and importing a set of automated actions.
Automated Action
Deleting an Automated Action Deleting a set of automated actions.
action.

11-10 OL-25947-01
Creating an Automated Action

To create an automated action:
Step 1 Select Admin > Network > Notification and Action Settings > ChangeAudit Automated Actions.
The Automated Action dialog box appears.
The Define Automated Action dialog box appears.
Step 3 Enter the following:
Field Description
Name Name for the automated action.
Status Select either Enabled or Disabled For the automated action to trigger.
Application Select the name of the application on which the automated action has to
be triggered.
Category Select the types of the changes, for example, configuration, inventory, or
software on which the automated action has to be triggered.
Mode Select the connection mode on connection modes on which the
automated action has to be triggered.
User Select the user name on which the automated action has to be triggered.
Step 4 Click Next.

Step 5 Select either E-mail or Trap or Script. Based on your selection, enter the following data:
Field Description
If you have selected E-mail, enter:
Send To Enter the E-mail ID for which the trigger has to be notified.
(Admin > System > System Preferences). You will receive the e-mail with the E-mail ID as the
sender's address.
Subject Enter the subject of the e-mail.
Content Enter the content of the e-mail.

OL-25947-01 11-11
Field Description
If you have selected Trap, perform:
Enables configuration of a single or dual destination port numbers and hostnames for the traps generated by Change Audit.
Ensure that you have copied these files:
• CISCO-ENCASE-MIB.my
• CISCO-ENCASE-APP-NAME-MIB.my
into the destination system to receive the traps.
These files are available in the following directories on LMS server:
On UNIX:
/opt/CSCOpx/objects/share/mibs
On Windows:
NMSROOT\objects\share\mibs. Where NMSROOT is the root directory of the LMS Server.
a. Enter the Server and Port details in the Define Trap field.
b. Click Add.
The server and port information appears in the List of Destinations text box.
If you want delete, the server and port information, select the server and port information from the List of Destinations
text box and click Delete.
If you have selected Script, enter...
You can run only shell scripts (*.sh) on Unix and batch files (*.bat) on Windows. The shell script or batch file should have
only write/execute permissions for casuser:casusers in Solaris/Soft Appliance and casuser/Administrator in Windows. The
other users should have only read permission. You must ensure that the scripts contained in the file has permissions to execute
from within the casuser account.
The following are the parameters for change audit automated action that will appear in the script:
– Application Name
– Category
– User Name
– Description
– Connection Mode
– Host Name
On UNIX:
/var/adm/CSCOpx/files/scripts/changeaudit
On Windows:
NMSROOT/files/scripts/changeaudit
a. Click Browse.
The Server Side File Browser dialog box appears with the predefined location.
b. Select the script file (*.sh on Unix and *.bat on Windows)
c. Click OK.

11-12 OL-25947-01

The Automated Action window appears with the defined automated action.
Editing an Automated Action

To edit an automated action:
Step 1 Select Admin > Network > Notification and Action Settings > Change Audit Automated Actions.
Step 2 Select an Automated Action.
Step 3 Click Edit. (See step 3 to step 5 in Creating an Automated Action.).
The Automated Action window appears with the updated data.
Enabling and Disabling an Automated Action

To enable or disable a set of automated actions:
Step 2 Select one or more Automated actions.
Step 3 Click Enable/Disable.

OL-25947-01 11-13
Exporting and Importing an Automated Action

To export or import an automated action:
Step 2 If you want to export an Automated action, then select the automated actions else go to next step.
The Export/Import dialog box appears.
Step 4 Select the task to be performed—Export or Import.
Step 5 Either:
• Enter the filename along with the absolute path.
Or
• Click Browse,
a. Select a folder.
b. Click OK.
c. Enter the filename.
Step 6 Click OK.
Deleting an Automated Action

To delete a set of automated actions:
Step 2 Select a or a set of Automated actions.

11-14 OL-25947-01
Software Management Administration Tasks

You can set your preference to download images. To do this, select Admin > Network > Software
Image Management.
The following section explains how to set the Software Management preferences:
• Viewing/Editing Preferences
Viewing/Editing Preferences
Edit Preferences helps you to set or change your Software Management preferences.
The options you specify here are applicable to Software Management tasks such as image distribution,
image import, etc.
• Selecting and Ordering Protocol Order
• How Recommendation Filters Work for an IOS Image
To view and edit the preferences:
Step 1 Select Admin > Network > Software Image Management > View/Edit Preferences.
The View/Edit Preferences dialog box appears.
Step 2 Enter the following:

Repository Management
Image Location New directory to store software If you enter a new name, all existing files are moved to this
images. directory. If the directory does not have enough space, the files are
not moved and an error message appears.
By default the software images
are stored at this location: If the specified directory does not exist, Software Management
creates a new directory before moving the files to the new
directory.
/var/adm/CSCOpx/files/rme/
The new directory should be empty.
repository/
The new directory specified by you should have the permission for
On Windows:
casuser:casusers in Solaris/Soft Appliance and casuser should
NMSROOT/files/rme/repository have Full Control in Windows.
Where NMSROOT is the Cisco
Prime installed directory.

OL-25947-01 11-15

Distribution
Script Location You can specify only shell On UNIX, the scripts should have read, write, and execute
scripts (*.sh) on UNIX and batch permissions for the owner (casuser) and read and execute
files (*.bat) on Windows. permissions for group casusers. That is, the script should have 750
permission.
The script files must be available
at this location: On Windows, the script should have read, write, and execute
permissions for casuser/Administrator.
On UNIX:
The other users should have only read permission. You must
/var/adm/CSCOpx/files/scripts/
ensure that the scripts contained in the file have permissions to
swim
execute from within the casuser account.
On Windows:
This script is run before and after completing each device software
NMSROOT/files/scripts/swim upgrade for all scheduled jobs.
a. Click Browse.
The Server Side File
Browser dialog box appears
with the predefined location.
b. Select the script file (*.sh on
Unix and *.bat on Windows)
c. Click OK.
You can use Clear to clear your
selections for Script Location.
This clears all previous values.
Script Timeout Number of seconds the user’s Software Management waits for the time specified before
(seconds) script can run (default = 90). concluding that the script has failed.
Protocol Order Specify an order of preferred This preferred protocol order is followed only for those devices
protocol for image that permit more than one protocol for image transfer.
import/distribution. The
In devices, where multiple protocol option is not available for
supported protocols are:
image transfers, Software Management uses its own knowledge
• RCP and selects the relevant protocol to upgrade the device.
• TFTP For fetching configuration from device, the protocol settings of
Configuration Management is used. Software Management uses
• SCP
the same protocol for fetch and download of configurations.
• HTTP
You can set the Configuration Management protocol order using
See Selecting and Ordering Admin > Collection Settings > Config > Config Transport
Protocol Order for further Settings.
details.

11-16 OL-25947-01

Use SSH for software Uses this protocol to connect to The device must support SSH for Software Management to use this
image upgrade and the devices. protocol.
software image By default, Telnet is used to Software Management uses command line interface to upgrade
import through CLI connect to the devices. software images and to import software images.
(with fallback to
TELNET). If SSH fails, then Telnet is used When you select the SSH protocol for the Software Management,
to connect to the devices. the underlying transport mechanism checks whether the device is
running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it
connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the
device using SSHv2.
If a problem occurs while connecting to the device using SSHv2,
then it does not fall back to SSHv1 for the device that is being
accessed and Telnet is used to connect to the device.
See the Software Management Functional Supported Device tables
on Cisco.com for SSH and CLI device support information.
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod
ucts_device_support_tables_list.html
Recommendation Filters (See How Recommendation Filters Work for an IOS Image.)
Include Cisco.com During image distribution,
images for image recommend Cisco.com images
recommendation for Cisco devices.
Include General Includes only GD images. For Cisco IOS devices only.
deployment images
Include latest Includes the latest major releases For Cisco IOS devices only.
maintenance release of IOS images.
(of each major For example, if Release 12.2(5)
release). was latest maintenance version
in the 12.2 major release, the
recommended image is IOS
12.2(5).
Include images higher Includes the images that are For Cisco IOS devices only.
than running image. newer than the images running
on your device.
For example, if the device is
running Release 11.2(3), the
recommended images are
11.2(4) and later.

OL-25947-01 11-17

Include same image Include only images that have For Cisco IOS devices only.
feature subset as the same feature subset as the
running image. current image.
For example, if you want IOS
images with the ENTERPRISE
IPSEC feature, the
recommended images contain
the latest version. This version
contains feature subset that fits
the Flash.
Password Policy
Enable Job Based Enter a username and password • If you have enabled User Configurable option, you can disable
Password for running a specific Software this option while scheduling the distribution jobs.
Management job.
• If you have disabled User Configurable option, you must enter
If you enter a username and the username and password while scheduling the distribution
password, Software jobs.
Management application uses
These passwords are used only to connect to devices for which
this username and password to
Software Management uses CLI, Telnet, and SSH.for software
connect to the device, instead of
upgrades.
taking these credentials from the
Device and Credential See the Software Management Functional Supported Device tables
Repository. on Cisco.com for CLI, Telnet and SSH device support information.
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod
ucts_device_support_tables_list.html
Step 3 Either:
• Click Apply to save your changes.
• Click Defaults to display the default configuration.
• Click Cancel to discard the values entered and revert to previously saved values.

11-18 OL-25947-01
Selecting and Ordering Protocol Order

In the View/Edit Preferences dialog box (Admin > Network > Software Image Management >
View/Edit Preferences) you can define the protocol order that Software Management has to use for
software image download.
Software Management tries to download the software images based on the specified protocol order.
While downloading the images, Software Management uses the first protocol in the list. If the first
protocol in the list fails, these jobs use the second protocol and so on, until Software Management finds
a transport protocol for downloading the images.
To Enable the Protocols:
Step 1 Select a protocol from the Available Protocols pane.

Step 2 Click Add or double click the mouse.
To Disable the Protocols:
Step 1 Select a protocol from the Selected Protocol Order pane.

Step 2 Click Remove or double click the mouse.
To Reorder the Protocols
Step 1 Select the protocol from the Selected Protocol Order pane.
Step 2 Click Up or Down to reorder the protocols.

OL-25947-01 11-19
How Recommendation Filters Work for an IOS Image

This section describes how the recommendation filters that you select in the View/Edit Preferences
dialog box (Admin > Network > Software Image Management > View/Edit Preferences) work for a
Cisco IOS image.
If you have selected the option, Include Cisco.com Images for image recommendation, Software
Management checks for the images that are available on Cisco.com and the Software repository.
If the same image is available in the Software repository and Cisco.com, the image is recommended from
the Software repository.
If you have not selected the option, Include Cisco.com Images for image recommendation, the Software
Management checks and recommends images only from Software repository.
Table 11-1 Recommending Images for an Cisco IOS Image
Include Include
Latest Same
Mainten Include Image
Include ance Images Feature
General Release Higher Subset
Deploy- (of Each Than as
Option ment Major Running Running
Number Images Release) Image Image Recommendation
1 Not Not Not Not The recommendation image list includes:
selected selected selected selected
• All available images.
• In case of,
– Multiple images with the same version as that of the running
image version are present, the image with a higher compatible
feature than the running image is recommended.
– Similar images in Cisco.com and Software Management
repository, the image from the repository is recommended.
• The image feature can be the same or a superset of the running
image.
If a higher version is not available, then no recommendation is made.
2 Not Not Not Selected The recommended list contains images that have the same feature set
selected selected selected as that of the running image.
The images with the highest version among the recommended image
list are recommended.
3 Not Not Selected Not The recommend list contains all types of releases (deployment status).
selected selected selected
The images with the highest version among recommended image list
are recommended.
The feature set of the recommended image may be superior than the
running image.
4 Not Selected Not Not The latest maintenance version in each release is available in the
selected selected selected recommend image list. The latest image version is recommended.

11-20 OL-25947-01
Table 11-1 Recommending Images for an Cisco IOS Image (continued)
Include Include
Latest Same
Mainten Include Image
Include ance Images Feature
General Release Higher Subset
Deploy- (of Each Than as
Option ment Major Running Running
Number Images Release) Image Image Recommendation
5 Selected Not Not Not The images with deployment status identified as GD are available in
selected selected selected the recommended image list and other recommendation flow remains
the same as the option 1.
6 Selected Not Not Selected Same as option5. However, the recommended list contains images that
selected selected have the same feature set as that of running image.
7 Selected Not Selected Not Same as option 5. However, the image with the highest version in the
selected selected recommended image list is recommended.
The feature set of the recommended image may be superior than the
running image.
8 Selected Not Selected Selected Same as option 6. However, the image with the highest version in the
selected recommended image list is recommended.
All recommend images will have the same feature subset as the
running image.
9 Selected Selected Not Not The images with the highest version among recommended image list
selected selected are recommended.
The images of GD types of releases are available in the recommended
image list.
10 Selected Selected Not Selected The images with the same feature as that of running image is available
selected in the recommended list and the latest maintenance version of all
release is available in the recommended list.
Only an image with higher version than running image is
recommended. The recommended images can have only GD status.
11 Selected Selected Selected Not Same as option 9. In addition to this, an image with the higher version
selected than running image is also recommended.

OL-25947-01 11-21
Setting Change Report Filters

Using the Inventory Change Filter dialog box, you can select the attributes that you do not wish to log
using Change Audit. The history of inventory changes are logged by and viewed through Change Audit.
The attributes that you select in the Inventory Change Filter dialog box, are monitored for Inventory
changes like other variables. However, they are not logged using Change Audit. Consequently, these
changes are not displayed in your inventory change reports.
For example, for Stack devices, if you do not want to log the operational status for changes in Change
Audit, select the Operational Status option in the Inventory Change Filter dialog box.
The Inventory Change Filter dialog box, displays each attribute group and the corresponding filters for
the attribute group, for your selection.
• To view all inventory change reports, select Reports > Inventory. In the Report Generator dialog
box, first select the application, Change Audit, and then select the Exception Period Report from the
respective drop-down lists.
• To view inventory changes from the last 24 hours, select Reports > Inventory. In the Report
Generator dialog box, first select the application, Inventory, and then select report 24 Hour Inventory
Change report from the respective drop-down lists.
To set Inventory change filters:
Step 1 Select Admin > Network > Change Audit Settings > Inventory Change Filter.
The Inventory Change Filter dialog box appears.
Step 2 Select a group from the Select a Group drop-down list. See Table 11-2.
The dialog box refreshes to display the filters available for the attribute group that you selected.
Step 3 Select the attributes that you do not want to monitor for changes.
Step 4 Click Save.
A confirmation dialog box appears.
Step 5 Click OK to save the details.
You can use Reset All to reset your selections for all groups. This resets all previous values to blanks.

11-22 OL-25947-01
Table 11-2 Inventory Change Filters
Report Inventory Group Custom Report Group/Attribute Description

Asset Orderable Part Number Orderable part number of asset.
Tag Asset tag.
CLE Identifier Represents CLIE (Common Language Equipment
Identifier) code for the physical entity.
Mfg Assembly Revision Manufacturing assembly revision of asset.
Mfg Assembly Number Manufacturing assembly number of asset.
Physical Index Physical index of asset
Back Plane Operational Status Operational status of backplane.
Parent Relative Position Indicates the relative position of this child component
among all its sibling components.
Manufacturer Name Name of manufacturer.
Physical Entity Name Name of physical entity.
Slot Configuration Configuration of backplane slots
Model Name Name of model.
Vendor Type Type of vendor.
Serial Number Serial number of backplane.
Description Description of backplane.
Component Type Type of component.
Index Index of backplane.
Field Replaceable Unit FRU of backplane. Field-replaceable unit is a
hardware component that can be removed and
replaced on site.
Alias Name Alias name of backplane.
Bridge Bridge Type Type of bridge.
Number of Ports Number of ports in the bridge.
Base Bridge Address Base address of bridge.

OL-25947-01 11-23
Table 11-2 Inventory Change Filters (continued)

Chassis Chassis Model Name Name of the chassis model.
Chassis Serial Number Serial number of the chassis.
Chassis Vendor Type Type of vendor.
Chassis Version Version number of the chassis.
Report Published Indicates whether Report is published or not.
Displays the value as True or False.
Description Description of chassis.
Field Replaceable Unit FRU of chassis.
Alias Name Alias name of chassis.
Index Physical index of chassis.
Free Slots Free slots in chassis.
Slot Capacity Slot capacity of chassis.
Power Available (Watts) Power available at chassis level
Power Consumption (Watts) Power consumption at chassis level
Power Consumption (%) Percentage of power consumption at chassis level.
Power Remaining (Watts) Power remaining at chassis level.
Operational Status Operational status of chassis.
Slot Configuration Slot configuration of chassis.
Component Index Physical index of component.
Field Replaceable Unit FRU of component.
Alias Name Alias name of component.
Operational Status Operational status of component.
Name Name of component.
Slots Configured Slot configuration of component.
Model Name Name of model.
Vendor Type Vendor type of component.
Serial Number Component serial number.
Description Description of component.

11-24 OL-25947-01

Container Alias Name Alias name of container.
Operational Status Operational status of container.
Manufacturer Name Name of manufacturer of container.
Slot Configuration Slot configuration of container.
Container Model Name Model name of container.
Container Vendor Type Vendor type of container.
Parent Relative Position Parent Relative Position of container.
Container Serial Number Serial number of container.
Physical Entity Name Physical entity name of container.
Description Description of container.
Component Type Type of container component.
Index Index of container.
Field Replaceable Unit FRU of container.
Fan Fan Model Name Name of model of fan.
Fan Vendor Type Vendor type of fan.
Parent Relative Position Parent Relative Position of fan.
Fan Serial Number Serial number of fan.
Description Description of fan.
Physical Entity Name Physical entity name of fan.
Component Type Component type of fan.
Index Index of fan.
Field Replaceable Unit FRU of fan.
Alias Name Alias name of fan.
Operational Status Operational status of fan.
Manufacturer Name Name of manufacturer of fan.
Slot Configuration Slot configuration of fan.
Flash Module Index Module index of flash.

OL-25947-01 11-25

Flash Device Removable Indicates whether the flash device removable.
Jumper Jumper of the flash device.
Controller Flash device controller.
Chip Count Flash device chip count.
Size (MB) Total flash device size in MB.
Partition Count Partition count of flash device.
Maximum Partitions Maximum partitions in flash device.
Minimum Partition Size (MB) Minimum partition size of flash device.
Name Name of the flash device.
Index Index of flash device.
Description Description of flash device.
Flash File Index Flash file index.
Status Flash file status.
Checksum Checksum of flash file.
Size (MB) Size of flash file.
Name Name of flash file.
Flash Partition Algorithm Algorithm of the flash partition
Filename Length Flash filename length.
Erase Needed Whether an erase is needed.
Upgrade Method Method of upgrade of flash partition.
Status Status of flash partition.
Free (MB) Free space in MB.
Size (MB) Flash partition size in MB.
Name Name of flash partition.
Index Flash partition index.

11-26 OL-25947-01

IP Address IP Address IP Address of the device.
Index IP Address index.
Address State IP Address state.
Address Type Type of IP Address.
Protocol of Address Protocol of IP Address.
Max Re-assemble Size Maximum re-assemble size.
Broadcast Address Broadcast address.
Network Mask Network mask of IP Address.
Image ROM Sys Version ROM system software version.
ROM Version Version of ROM.
System Boot Variable System Boot Variable
System Image File System image file.
Minimum Boot Flash (MB) Minimum Boot Flash in MB.
Minimum NVRAM (MB) Minimum NVRAM in MB.
Minimum DRAM (MB) Minimum DRAM in MB.
Media Media of image.
Feature Image feature
Module Image module.
Image Software image present on the device.
Build Time Build time of image.
Family Image family.
System Description Image system description.
Version Version of the software image on the device.
Description Description of image.
Processor Index Processor index of image.
Interface MTU Maximum transmission unit. Maximum packet size,
in bytes, that this interface can handle.
Alias Interface alias.
Last Changed Time of last change.
Operational Status Operational status of interface.
Admin Status Administrative status of interface.
Speed (Mbps) Speed of interface in Mbps.
Type Type of interface.
Description Description of interface.
Name Name of interface
Physical Address Physical address of interface.

OL-25947-01 11-27

Index Index of interface.
Identifier Identifier of interface.
FlexLink Enabled FlexLink status of the interface.
SPAN Enabled Whether the interface is Span enabled
Memory Processor Index Processor index.
Total Memory (MB) Total memory in MB.
Memory Pool Lowest Free Block (MB) Lowest free block of memory in MB.
Largest Free Block (MB) Largest free block of memory in MB.
Free (MB) Free memory in MB
Used (MB) Used memory in MB.
Validity Validity of memory pool.
Alternate Pool Alternate memory pool.
Name Name of the memory pool.
Type Memory pool type.

11-28 OL-25947-01

Module Parent Relative Position Parent Relative Position of module.
Field Replaceable Unit FRU of module.
Alias Name Alias name of module.
Reset Reason Module reset reason.
Admin Status Administrative status of module
Additional Status Additional status of module
Module IP Address IP Address of module
Hardware Encryption Hardware encryption of module
Slot Number Slot number of module
Inline Power Capable Inline power capability of module
Parent Type Module parent type.
Multiservice Is this a multiservice module
Parent Index Parent index of module
Number of Slots Number of slots in module
FW Version Firmware version of module
SW Version Software version of module
HW Version Module hardware version.
Operational Status Operational status of module
Manufacturer Name Name of manufacturer of module
Physical Entity Name Physical entity name of module
Slot Configuration Slot configuration of module
Model Name Name of module.
Vendor Type Vendor type of the module.
Serial Number Serial number of module.
Description Description of module
Component Type Component type of module
Index Index of module

OL-25947-01 11-29

Port Manufacturer Name Port manufacturer name.
Slot Configuration Slot configuration of port.
Port Model Name Model name of port.
Port Vendor Type Port vendor type.
Port Serial Number Serial number of port.
Parent Relative Position Parent Relative Position of port.
Description Description of port.
Component Type Port component type.
Physical Entity Name Physical Entity Name of port.
Port Index Port index.
Field Replaceable Unit FRU of port.
Alias Name Alias name of port.
Status Status of port
Operational Status Operational Status of port
POE Admin Status The POE Port Admin Status.
POE Power Allocated The amount of power allocated from the Power
Sourcing Equipment (PSE) for the Powered device.
This is a POE device specific attribute.
POE Maximum Power The maximum amount of power that the PSE makes
available to the Powered device connected to the Port
interface.
This is a POE device specific attribute.
Power Consumption (%) Power consumption percentage of the port.
Power Consumption Power consumption of the port.
Power Available Power available for a powered device connected to the
port.
Power Remaining Power remaining for a powered device connected to
the port.
Port Interface Number Port interface number.

11-30 OL-25947-01

Power Supply Parent Relative Position Parent Relative Position of power supply.
Physical Entity Name Physical Entity Name of power supply.
Admin Status Administrative status of power supply.
Operational Status Operational status of power supply.
Manufacturer Name Manufacturer Name of power supply.
Field Replaceable Unit FRU of power supply.
Slot Configuration Slot configuration of power supply.
Alias Name Alias name of power supply.
Power Supply Model Name Model name of power supply.
Power Supply Vendor Type Vendor type of power supply.
Power Supply Serial Number Serial number of power supply.
Description Description of power supply.
Component Type Component type of power supply.
Index Index of power supply.

OL-25947-01 11-31

Processor Field Replaceable Unit Processor FRU.
Alias Name Alias name of processor.
Slot Number Slot number of processor.
Parent Type Parent type of processor.
Parent Index Parent index of processor.
Reboot Config Register Value Reboot configuration register value.
Config Register Value Configuration register value
NVRAM Used (KB) Size of the processor NVRAM that has been utilized,
in KB.
NVRAM Size (KB) Size of the processor NVRAM in KB.
RAM Size (MB) Size of processor RAM in MB.
Operational Status Operational status of processor.
Manufacturer Name Manufacturer name of processor.
Slot Configuration Slot configuration of processor.
Model Name Name of the processor model.
Reset Reason Processor reset reason.
Vendor Type Processor vendor type.
Admin Status Administrative status of processor.
Serial Number Serial number of processor.
Additional Status Additional status of processor.
Description Description of processor.
Module IP Address Module IP Address of processor.
Component Type Component type of processor.
Hardware Encryption Hardware encryption.
Index Index of processor.
Inline Power Capable Inline power capability of processor.
Multiservice Multiservice.
Number of Slots Number of slots in processor.
FW Version Firmware version of processor.
SW Version Software version of processor.
HW Version Hardware version of processor.
Parent Relative Position Parent Relative Position of processor.

11-32 OL-25947-01

Sensor Parent Relative Position Parent Relative Position of sensor.
Physical Entity Name Name of physical entity of sensor.
Operational Status Operational status of sensor
Manufacturer Name Manufacturer name of sensor
Field Replaceable Unit FRU of sensor
Alias Name Alias name of sensor
Slot Configuration Slot configuration of sensor
Sensor Model Name Model name of sensor
Sensor Vendor Type Vendor type of sensor
Sensor Serial Number Serial number of sensor
Description Description of sensor
Component Type Component type of sensor
Index Index of sensor
Slot Serial Number Serial number of slot.
Description Description of slot.
Component Type Component type of slot.
Index Index of slot.
Parent Relative Position Parent Relative Position of slot.
Physical Entity Name Physical Entity Name of slot.
Operational Status Operational Status of slot.
Manufacturer Name Name of manufacturer of slot.
Field Replaceable Unit FRU of slot.
Slot Configuration Configuration of slot.
Alias Name Alias name of slot.
Model Name Model name of slot.
Vendor Type Vendor type of slot.
Stack Field Replaceable Unit FRU of stack.
Operational Status Operational status of stack.
Alias Name Alias name of stack
Manufacturer Name Manufacturer name of stack
Slot Configuration Slot configuration of stack
Stack Model Name Model name of stack
Stack Vendor Type Vendor type of stack
Stack Serial Number Serial number of stack
Description Description of stack
Parent Relative Position Parent Relative Position of stack

OL-25947-01 11-33

Component Type Stack component type.
Index Index of stack.
Physical Entity Name Physical Entity Name of stack.
Sys Application Index Index of system application
Software Serial Number Software serial number of system application.
Software Version Software version of system application
Software Product Name Name of software product.
Software Manufacturer Software manufacturer of system application
System SysUpTime System Up Time.
Host Name Host name of the system
Management Type Management type of system.
Modular Modularity of system.
OSI Layer Services OSI layer services of system.
System Name System name.
System Object ID System Object ID of the device.
Last Updated At Date and time of last system update.
Location System location.
Contact System contact.
Domain Name Domain name of the system.
Description Description of the system.

11-34 OL-25947-01
CHAPTER 12
Managing Jobs
In LMS, there is a Job Browser which enables you to view the status of all the LMS admin-related Jobs.
LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management
allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group
of users designated as job Approvers approves each job before it can run.
• Using Job Browser
• Configuring Default Job Policies
• Configuring NetShow Job Policies
• Enabling Approval and Approving Jobs Using Job Approval
• Job Approval Workflow
• Using Device Selector
Using Job Browser

In LMS 4.0, there is a Job Browser which enables you to view the status of all the LMS admin-related
Jobs.
The job details that you can view here include the job ID, the job type, the job status, the job description,
the job owner, the time the job is scheduled to run at, the time of job completion, and the schedule type.
To open the job browser, select Admin > Jobs > Browser.
The Job Browser appears.

OL-25947-01 12-1
Chapter 12 Managing Jobs
Using Job Browser
Table 12-1 displays the fields in the LMS Job Browser.
Table 12-1 LMS Job Browser
Column Description
Job ID Unique number assigned to this task at creation time. This number
is never reused. There are two formats:
• Job ID:
Identifies the task. This does not maintain a history. For
Example:1001
• JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1001.1, 1001.2
Type Type of job. The jobs include User Tracking jobs, LMS reports,
Inventory Collection, Identity provisioning, Identity monitoring and
so on.
Run Status Job states include:
• Running
• Waiting for approval
• Scheduled (pending)
• Succeeded
• Succeeded with Info
• Failed
• Crashed
• Cancelled
• Suspended
• Rejected
• Missed Start
• Failed at Start
Select a job state from the Run Status drop-down list box to view the
details of the all jobs that match the job state.
If there are no jobs with any of these job states, the Run Status
drop-down list box will not display the respective job state.
Sched Type Frequency of the job. This can be:
• Once
• Immediate
• Periodic (calendar/time based).
Run Sched Schedule details of the job.

12-2 OL-25947-01
Using Job Browser
Table 12-1 LMS Job Browser (continued)
Column Description
Status Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Scheduled At Date and time at which the job was scheduled.
Completed At Date and time at which the job was completed.
Filtering Jobs
You can filter the jobs by any specified criteria using the Filter by drop-down list. Select your criteria,
enter the corresponding value in the text box next to the drop-down list and click Filter. The jobs
pertaining to that category are displayed.
Column Description
All Displays all jobs in Job Browser.
This is the default filter type.
Job ID Unique ID of the job. For example, 1007.0.
Job IDs have N.x format, where x stands for the number of instances
of that job.
For example, 1007.4 indicates that the Job ID is 1007 and it is the
fifth instance of that job.
You should enter a valid Job ID as filter value. You can also:
• Enter multiple Job IDs separated by commas
• Include the wildcard character * (asterisk) in the Job ID value
• Enter a range of Job IDs
Examples of valid Job IDs are:
• 1002
• 1010.5
• 1004,1008.8, 1004
• 1007*
• 1001-1010
• 1019.20-1019.100
Type Type of job. The jobs include User Tracking jobs, LMS reports,
Inventory Collection, Identity provisioning, Identity monitoring and
so on.
Filters and displays all jobs that match a job type value in Job
Browser.
You must select a job type from the list of available types.

OL-25947-01 12-3
Using Job Browser
Column Description
Run Status Job states include:
• Running
• Waiting for approval
• Scheduled (pending)
• Succeeded
• Succeeded with Info
• Failed
• Crashed
• Cancelled
• Suspended
• Rejected
• Missed Start
• Failed at Start
Select a job state from the Run Status drop-down list box to view the
details of the all jobs that match the job state.
If there are no jobs with any of these job states, the Run Status
drop-down list box will not display the respective job state.
Sched Type Frequency of the job. This can be:
• Once
• Immediate
• Periodic (calendar/time based).
Filters and displays all jobs with a specified description.
You cannot leave the description field blank when you select this
filter type.
Filters and displays all jobs that are scheduled by a user.
You can select a user from the drop-down list of users as a filter
value.
Click the Refresh icon to refresh the job browser. Use the Stop and Delete buttons to stop or delete jobs:
• Stop button—Stops or cancels a running job. You will be prompted to confirm the cancellation of
the job. However, the job is stopped only after the devices currently being processed are successfully
completed. This is to ensure that no device is left in an inconsistent state.
• Delete button—Deletes the selected job from the job browser. You can select more than one job to
delete. You will be asked to confirm the deletion.
Note You cannot delete a running job.

12-4 OL-25947-01
Configuring Default Job Policies

Each Configuration Management job has properties that define how the job will run. You can configure
a default policy for these properties that applies to all future jobs. You can also specify for each property
whether users can change the default when creating a job.
You have the option of entering a username and password for running a specific Archive Management,
Config Editor, NetConfig, or NetShow job.
If you enter a username and password, Archive Management, Config Editor, or NetConfig applications
use this username and password to connect to the device, instead of taking these credentials from the
Device and Credential Repository.
While the job is running, the password is retrieved from the Device and Credential Repository for each
of the selected devices.
For example, if the TACACS server is managing the devices, the passwords in the TACACS server and
the passwords in the Device and Credential Repository should be synchronized (with every password
change).
This option of entering the username and password for running a job is useful in high security
installations where device passwords are changed at frequent intervals. In such instances, the passwords
may be changed every 60-90 seconds.
To use this option of entering a username and password for running a specific job, you should enable the
job password policy for Archive Management, Config Editor, NetConfig, or NetShow jobs.
You can do this by using the Enable Job Password option in the Config Job Policies window.
If you have enabled Enable Job Password option, you can enter these credentials while scheduling a job:
• Login Username
• Login Password
• Enable Password
This section also explains about Defining the Default Job Policies.

OL-25947-01 12-5
Defining the Default Job Policies

The following is the workflow for defining the default job policies for Configuration Management
applications like NetConfig, ArchiveMgmt, ConfigEditor, Netshow:
Step 1 Select Admin > Network > Configuration Job Settings > Config Job Policies.
The Config Job Policies dialog box appears.
Step 2 Select one application from the drop-down list. You can select one of the following options:
• NetConfig
• ArchiveMgmt
• ConfigEditor
• Netshow
Step 3 Based on your selection, enter the following information:
Field Name Description Usage Notes

Failure Policy Select what the job should do if it fails to run on the You can create rollback commands for a job in
device. You can stop or continue the job, and roll the following ways:
back configuration changes to the failed device or to
• Using a system-defined template.
all devices configured by the job.
Rollback commands are created
You can select one of the options:
automatically by the template.
• Stop on failure—Stops the job on failure.
The Banner system-defined template does
• Ignore failure and continue—Continues the job not support rollback. You cannot create
on failure. rollback commands using this template.
• Rollback device and stop—Rolls back the • Creating a user template.
changes on the failed device and stops the job.
Allows you to enter rollback commands into
This is applicable only to NetConfig application.
the template.
• Rollback device and continue—Rolls back the When you use the Adhoc and Telnet
changes on the failed device and continues the Password templates, you cannot create
job. This is applicable only to NetConfig
rollback commands.
application.
• Rollback job on failure—Rolls back the changes
on all devices and stops the job. This is
applicable only to NetConfig application.
Note This field appears only if you select either
Config Editor or NetConfig application.

12-6 OL-25947-01

E-mail Notification Enter e-mail addresses to which the job sends Notification is sent when the job is started and
messages at the beginning and at the end of the job. completed.
You can enter multiple e-mail addresses separated by Notification E-mails include a URL to enter to
commas. display job details. If you are not logged in, do so
using log in panel.
Configure the SMTP server to send e-mails in the
View / Edit System Preferences dialog box
We recommend that you configure the E-mail ID in
the View / Edit System Preferences dialog box
When the job starts or completes, an e-mail is sent
with the E-mail ID as the sender's address.
Sync Archive The job archives the running configuration before None.
before Job making configuration changes.
Execution
Note This field appears if you select either Config
Editor or NetConfig application.
Copy Running The job writes the running configuration to the Does not apply to Catalyst OS devices.
Config to Startup startup configuration on each device after
configuration changes are made successfully.
Note This appears if you select either Config
Enable Job The Job Password Policy is enabled for all the jobs. None.
Password
The Archive Management, Config Editor, and You can use this option even if you have
NetConfig jobs use this username and password to configured only the Telnet password (without
connect to the device, instead of taking these configuring username) on your device.
credentials from the Device and Credential You must enter a string in the Login Username
Repository. field. Do not leave the Login Username field
These device credentials are entered while blank.
scheduling a job. The Login Username string will be ignored while
connecting to the device since the device is
configured only for the Telnet password.
See Usage Scenarios When Job Password is
Configured on Devices.
Fail on Mismatch The job is considered a failure when the most recent None.
of Config Versions configuration version in the configuration archive is
not identical to the most recent configuration version
that was in the configuration archive when you
created the job.
Note This appears if you select either Config
Delete Config after The configuration file is deleted after the download.
download Note This appears if you select Config Editor.

OL-25947-01 12-7

Execution Policy Allows you to configure the job to run on multiple If you select sequential execution, you can select
devices at the same time (Parallel execution) or in Device Order in the Job Schedule and Options
sequence (Sequential Execution). dialog box to set the order of the device.
1. Select a device in the Set Device Order
dialog box.
2. Either:
• Click the Move Up or Move Down arrows to
change its place in the order. Click Done to
save the current order.
Or
• Close the dialog box without making any
changes.
You cannot alter the device sequence for Archive
Management application jobs such as Sync
Archive, Check Compliance and Deploy, etc.
Sequential Execution is not supported for the
following jobs:
• Manual Sync Archive
• Periodic Config Collection and Polling
• cwcli config get
User Configurable Select this check box next to any field to make You can configure a user-configurable policy
corresponding policy user configurable. while defining job. You cannot modify
non-user-configurable policies.
Step 4 Click Apply.

A message appears, Policy values changed successfully.
Step 5 Click OK.
Usage Scenarios When Job Password is Configured on Devices

The following tables list the usage scenarios and their implications for Configuration application when
job password is configured on devices.
• Table 12-2When Device Access is Only Through Job Password and No Access is Available Through
Regular Telnet/SSH and SNMP (Read or Write)
• Table 12-3When Devices are Configured for Job Password and Access is Available Through SNMP
(Read or Write)
• Table 12-4When Devices are not Configured for Job Password and Access is Available Through
Regular Telnet/SSH but no SNMP
• Table 12-5When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled.
Access is Available Only Through SNMP (Read or Write)

12-8 OL-25947-01
Table 12-2 When Device Access is Only Through Job Password and No Access is Available Through Regular Telnet/SSH and SNMP
(Read or Write)
Scenario Archive Mgmt cwcli config NetConfig Config Editor

Device is added into Fails Not applicable Not applicable Not applicable
LMS
Update archive request Fails Not applicable Not applicable Not applicable
through user interface
Update archive request Not applicable Fails Not applicable Not applicable
through command line
Config update when Fails Not applicable Not applicable Not applicable
Syslog message is
received
Config update through Fails Not applicable Not applicable Not applicable
periodic scheduled
process
Config update through Fails Not applicable Not applicable Not applicable
SNMP poller based
scheduled process
Config upload/restore Not applicable Fails Not applicable Not applicable
through cwcli config
NetConfig Job Not applicable Fails Succeeds Not applicable
Config Editor job Not applicable Not applicable Not applicable Succeeds
Table 12-3 When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write)

Device is added into LMS Succeeds for Not applicable Not applicable Not applicable
SNMP supported
devices
Update archive request through user Succeeds for Not applicable Not applicable Not applicable
interface SNMP supported
devices
Update archive request through Succeeds for Succeeds for Not applicable Not applicable
command line SNMP supported SNMP supported
devices devices
Config update when Syslog message is Succeeds for Not applicable Not applicable Not applicable
received SNMP supported
devices
Config update through periodic Succeeds for Not applicable Not applicable Not applicable
scheduled process SNMP supported
devices

OL-25947-01 12-9
Table 12-3 When Devices are Configured for Job Password and Access is Available Through SNMP (Read or Write) (continued)

Config update through SNMP poller Succeeds for Not applicable Not applicable Not applicable
based scheduled process SNMP supported
devices
Config upload/restore through cwcli Not applicable Succeeds for Not applicable Not applicable
config SNMP supported
devices
NetConfig Job Not applicable Fails Succeeds Not applicable
Table 12-4 When Devices are not Configured for Job Password and Access is Available Through Regular Telnet/SSH but no SNMP

Device is added into LMS Succeeds Not applicable Not applicable Not applicable
Update archive request through user Succeeds Not applicable Not applicable Not applicable
interface
Update archive request through Succeeds Succeeds Not applicable Not applicable
command line
Config update when Syslog message is Succeeds Not applicable Not applicable Not applicable
received
Config update through periodic Succeeds Not applicable Not applicable Not applicable
scheduled process
Config update through SNMP poller Succeeds Not applicable Not applicable Not applicable
based scheduled process
Config upload/restore through cwcli Succeeds Succeeds Not applicable Not applicable
config
NetConfig Job Not applicable Not applicable Succeeds Not applicable

Table 12-5 When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only
Through SNMP (Read or Write)

Device is added into LMS Succeeds for Not applicable Not applicable Not applicable
SNMP supported
devices
Update archive request through user Succeeds for Not applicable Not applicable Not applicable
interface SNMP supported
devices
Update archive request through Succeeds for Succeeds for Not applicable Not applicable
command line SNMP supported SNMP supported
devices devices

12-10 OL-25947-01
Configuring NetShow Job Policies
Table 12-5 When Devices are not Configured for Job Password and Regular Telnet/SSH is Disabled. Access is Available Only
Through SNMP (Read or Write) (continued)

Config update when Syslog message is Succeeds for Not applicable Not applicable Not applicable
received SNMP supported
devices
Config update through periodic Succeeds for Not applicable Not applicable Not applicable
scheduled process SNMP supported
devices
Config update through SNMP poller Succeeds for Not applicable Not applicable Not applicable
based scheduled process SNMP supported
devices
Config upload/restore through cwcli Succeeds for Succeeds for Not applicable Not applicable
config SNMP supported SNMP supported
devices devices
NetConfig Job Not applicable Fails Fails Not applicable
Config Editor job Not applicable Not applicable Not applicable Fails

Each NetShow job has properties that define how the job runs. You can configure a default policy for
these properties that apply to all future jobs. For each job property you can specify whether users can
change the default property when creating a job.
NetShow supports the following Job Policies:
• Defining Default Job Policies
The default job policies that NetShow support are E-Mail Notification, Enable Job Password, and
Execution Policy.
• Purging Configuration Management Jobs
The Job Purge option provides a centralized location for you to schedule purge operations.
• Defining Protocol Order
You can define the protocol order for NetShow through the Protocol Ordering option in the Config
Management feature in LMS.
This section also gives details on Masking Credentials

OL-25947-01 12-11
Defining Default Job Policies

NetShow supports E-Mail Notification, Enable Job Password, and Execution Policy.
To define these default Job Policies:
Step 1 Select Admin > Network > Configuration Job Settings > Config Job Policies.
The Job Policy dialog box appears.
Step 2 Select NetShow from the Application drop-down list:
Step 3 Enter the following information in the Job Policy dialog box:

E-mail Notification Enter e-mail addresses to which the job sends messages at Notification is sent when job is started
the beginning and at the end of the job. and completed.
You can enter multiple e-mail addresses separated by Notification e-mails include a URL to
commas. enter to display job details. If you are not
logged in, log in using the login panel.
Configure the SMTP server to send e-mails in the View / Edit
System Preferences dialog box (Admin > System > System
Preferences).
We recommend that you configure the E-mail ID in the View
/ Edit System Preferences dialog box (Admin > System >
System Preferences). When the job starts or completes, an
e-mail is sent with the E-mail ID as the sender's address.
Enable Job The Job Password Policy is enabled for all the jobs. You can use this option even if you have
Password NetShow jobs use this username and password to connect to
configured only the Telnet password
(without configuring username) on your
the device, instead of taking these credentials from the
device.
Device and Credential Repository.
You must enter a string in the Login
These device credentials are entered while scheduling a job.
Username field. Do not leave it blank.
The Login Username string is ignored
while connecting to the device since the
device is configured only for the Telnet
password.
Execution Policy Allows you to configure the job to run on multiple devices at None.
the same time (Parallel Execution) or in sequence
(Sequential Execution).

12-12 OL-25947-01
Step 4 Click Apply.

A message appears, Policy values changed successfully.
Step 5 Click OK.
Purging Configuration Management Jobs

The Job Purge option provides a centralized location for you to schedule purge operations for certain
Configuration Management jobs including NetShow jobs.
Select Admin > Network > Purge Settings > Config Job Purge Settings to invoke the Job Purge
option.
The Job Purge window contains the following information:
Column Description
Application Lists the application for which the purge is applicable.
Status Whether a purge job is enabled or disabled.
Policy This value is in days. Data older than the specified value, will be purged. You can change this
value as required. This is a mandatory field. The default is 180 days.
Job ID Unique ID assigned to the job by the system, when the purge job was created. This Job ID does
not change even if you disable or enable or change the schedule of the purge job.
For the Purge Now task, a Job ID is not assigned. Also, if a Job ID already exists for that
application, this Job ID is not updated for the Purge Now tasks. That is, the job scheduled for
purging is not affected by the Purge Now task.
Scheduled At Date and time that the job was scheduled at. For example: Nov 17 2004 13:25:00.
Schedule Type Specifies the type of schedule for the purge job:
• Daily—Daily at the specified time.
• Weekly—Weekly on the day of the week and at the specified time.
• Monthly— Monthly on the day of the month and at the specified time. (A month comprises
30 days).

OL-25947-01 12-13
To purge Configuration Management Jobs:
Step 1 Select Admin > Network > Purge Settings > Config Job Purge Settings.
The Job Purge dialog box appears. You can perform the following tasks in the Job Purge window:
Button Description
Schedule Schedule a job purging.
Enable Enable a job for purging after you schedule it.
Disable Disable the purge after enabling a job for purging.
Purge Now Purge a job immediately.
Defining Protocol Order

You can define the protocol order for NetConfig, Archive Mgmt, Config Editor, and NetShow through
the Protocol Ordering option in the Config Management feature in LMS.
To define the protocol order for NetShow:
Step 1 Select Admin > Collection Settings > Config > Config Transport Settings.
The Transport Settings dialog box appears.
Step 2 Select NetShow from the Application drop-down list:
Step 3 Select a protocol from the Available Protocols pane and click Add.
NetShow supports only Telnet and SSH.
If you want to remove a protocol or change the protocol order, you can remove the protocol using the
Remove button and then add it again.
The protocols that you have selected appear in the Selected Protocol Order pane.
Step 4 Click Apply.
Step 5 Click OK.
The protocol used for communicating with the device is based on the order in which the protocols are
listed here.

12-14 OL-25947-01
Enabling Approval and Approving Jobs Using Job Approval
Masking Credentials
You can mask the credentials shown in the output of show commands. If you want to mask the credentials
of a particular command, you must specify the command in the
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\config\netshow\NSCre
dCmds.properties file.
In this file you can specify all the commands whose output should be processed to mask the credentials.
We recommend that you enter the complete command in the file. For example, you must enter show
running-config, not show run. This file contains some default commands like show running-config.
Enabling Approval and Approving Jobs Using Job Approval

LMS applications, such as NetConfig, Config Editor, Archive Management, and Software Management
allow you to schedule jobs to perform their tasks. Job Approval allows you to require that one of a group
of users designated as job Approvers approves each job before it can run.
See Job Approval Workflow for more information.
Job Approval sends job requests through e-mail to users on a job’s Approver list. If none of the
Approvers approve the job before its scheduled run time, or if an Approver rejects the job, the job is
moved to the rejected state and will not run.
When Job Approval is enabled, applications that use it, require you to schedule the job to run in the
future, rather than immediately. Job approval cannot be enabled for jobs that run immediately.
A user with the appropriate privileges uses a Cisco Prime application to schedule jobs.
When you use Job Approval, different people can perform different tasks:
required privileges to perform job approval tasks.
Role Responsibilities
System Administrator Creates and maintains the Approver lists
Approver Approves/rejects a job, or changes the schedule for a job.
To select the log level settings for the Job Approval application, select Admin > System > Debug
Settings > Config and Image Management Debugging settings.
Job Approval is also referred to as Maker Checker in a few places within LMS. For example, in Loglevel
Settings and Permission Report (Reports > System > Users > Permission) it is mentioned as Maker
Checker.

OL-25947-01 12-15
Job Approval Workflow

A typical job approval workflow may look like this:
A system administrator does the following:
1. Specifies user/Approver information (see Specifying Approver Details.)
2. Creates one or more job Approver lists (see Creating and Editing Approver Lists).
3. Assigns Approver lists (see Assigning Approver Lists).
4. Sets up Job Approval (see Setting Up Job Approval).
The planner analyzes the network and prompts the network engineer to schedule a job to perform a
needed network change.
The job creator uses a Cisco Prime application to create a job.The application must have an Approver
list assigned to it before Job Approval is enabled. Also, it must be scheduled to run in the future (not
immediately).
All Approvers on the Approver list receive an automatic email notification. The job Approvers approve
or reject the job (see Approving and Rejecting Jobs) and give their comments.
The job creator and all Approvers on the Approver list receive an automatic e-mail notification.
A job that is not approved or rejected before its scheduled time is automatically moved to the Rejected
state. E-mail notification is sent to all Approvers and the user who scheduled the job. If the job is
approved, it runs as scheduled.
Specifying Approver Details

Use the option, Approver Details, to maintain information about users with Approver roles.
To specify Approver details:
Step 1 Select Admin > Network > Configuration Job Settings > Approver Details.
The Approver Details dialog box appears.
Step 2 Click Synchronize with Local User Database.
All the approvers in with valid E-mail IDs, will appear in theApprovers list. The E-mails of the approvers
will be the same as that added in LMS.
(You can create a valid Cisco Prime user using the Local User Setup option under Admin > System >
User Management > Local User Setup).
If you want to change the E-mail ID of any of the Approvers, select the Approver from the Approvers
list, and change specifying the new e-mail ID in the E-mail Address field. You can add more than one
e-mail, separated by commas

12-16 OL-25947-01
Step 3 Click Save to save your changes.

All approvers, have to be manually added to LMS.
To do this, enter the name of the Approver that you want to add in the New Approver field, enter a valid
e-mail ID for that user in the E-mail Address field, and click Save.
The Approver that you added, appears in the Approvers box.
Creating and Editing Approver Lists

You can use the option Create/Edit Approver Lists to create, edit, or delete Approver lists. Before you
create an Approver list, ensure that users have been added, through the Approver Details option (see
Specifying Approver Details).
To create and edit Approvers lists:
Step 1 Select Admin > Network > Configuration Job Settings > Create/Edit Approver Lists.
The Create/Edit Approver List dialog box appears.
Step 2 Go to the Approver List field and enter a name for an Approver list that you are creating. It can be an
alphanumeric name.
Step 3 Click Add.
A message appears:
List Listname has no users. To save the list successfully, add users and click Save.
Step 4 Click OK to proceed.
The newly-created list appears in the lists box.
(If previously-created lists exist, you can highlight a list to see the List Members in the Users group of
fields.)
Step 5 Add users to the newly-created list, by highlighting the list.
In the Users group of fields, the Available Users box lists users who have Approver permissions. Only
these users can be added to Approver lists to approve jobs.
• To add a user to the Approver List, select the name from the Available Users list box, and click Add.
The name appears in the List Members list box.
• To remove a user from the Approver list, select the name from the List Members list box, then click
Remove.
The name is removed from the List Members list box.
Step 6 Click Save.
The Approver Lists box displays the name of the new Approver list and the users on this list appear in
the box below Approver Lists.

OL-25947-01 12-17
To edit an Approver List:

a. Select the list.
The approvers of the list appear in the List Members list box.
b. Add new approvers, or remove existing ones in using the Add and Remove buttons in the Users
group of fields.
To delete an Approver List:
a. Select the list.
b. Click Delete.
A message appears:
Are you sure you wish to delete? Approval will be disabled for applications to which
the Listname is assigned!
c. Click OK to delete the list.
Assigning Approver Lists

You can assign an Approver list to each of the LMS applications, from the available Approver lists.
To assign an Approver list:
Step 1 Select Admin > Network > Configuration Job Settings > Assign Approver Lists.
The Assign Approver Lists dialog box appears.
Step 2 Select the required Approver list from the drop-down list box for that application. Repeat this for each
of the applications listed here.
Step 3 Click Assign.
The selected Approver lists are assigned to the applications.
Setting Up Job Approval

The Approval Policies dialog box allows you to set up Job Approval for all applications for which you
can set up job approval. The applications are:
• NetConfig
• NetShow
• Config Editor
• Archive Management. See Using Job Approval for Archive Management for details.
• Software Management. See Using Job Approval for Software Management for details

12-18 OL-25947-01
Prerequisite
Make sure the approver list is assigned to the application, before you enable approval for the application.
To set up Job Approval:
Step 1 Select Admin > Network > Configuration Job Settings > Approval Policies.
The Approval Policies dialog box appears. You can enable or disable Job Approval for the following
applications:
• NetConfig
• NetShow
• Config Editor
• Archive Management.
• Software Management.
Step 2 Set up Job Approval for the various applications that support job approval, by doing one of the following:
• Select the Enable check box that corresponds to an application, to enable Job Approval.
• Deselect the Enable check box that corresponds to an application, to disable Job Approval.
• Select the All check box to enable Job Approval, for all applications to which it is applicable.
• Deselect the All check box to disable Job Approval, for all applications to which it is applicable.
Step 3 Click Apply to apply your changes.
After you enable Job Approval, two additional fields appear in the job schedule wizard of the
applications. These are:
• Maker Comments—Job creator’s comments.
• Maker E-mail—Job creator’s e-mail address.
Using Job Approval for Archive Management

You can enable Job Approval for Archive Management tasks, (Admin > Network > Configuration Job
Settings > Approval Policies). This means all jobs require approval before they can run.
Only users with Approver permissions can approve Archive Management jobs. Jobs must be approved
before they can run if Job Approval is enabled on the system.
For more details on enabling job approval see Setting Up Job Approval.
The following Archive Management tasks require approval if you have enabled Job Approval:
Out-of-Sync (Configuration > Compliance > Out-of-Sync Summary)
Sync Archive jobs do not have Job Approval enabled because this job only archives the configuration
from the device and there is no change to the device configuration.

OL-25947-01 12-19
If you have enabled Approval for Archive Management tasks, these options appear in the Job Schedule
and Options dialog box:
• Approval Comment—Approval comments for the job approver.
• Maker E-Mail—E-mail-ID of the job creator.
Using Job Approval for Software Management

You can enable Job Approval for Software Management tasks, (Admin > Network > Configuration Job
Settings > Approval Policies) which means all jobs require approval before they can run.
Only users with Approver permissions can approve Software Management jobs. Jobs must be approved
before they can run if Job Approval is enabled on the system.
The following Software Management tasks require approval if you have enabled Job Approval:
• Adding images to Software Repository (Configuration > Tools > Software Image Management >
Software Distribution) using:
– Cisco.com
– Device
– URL
– Network
• Distribution software images (Configuration > Tools > Software Image Management > Software
Distribution) using any one of these methods:
– Distributing by Devices [Basic]
– Distributing by Devices [Advanced]
– Distributing by Images
– Remote Staging and Distribution
If you have enabled Approval for Software Management tasks, then in the Job Schedule and Options
dialog box, you get these two options:
• Maker Comments—Approval comments for the job approver.
• Maker E-Mail—E-mail ID of the job creator.
Approving and Rejecting Jobs

Use the Approve or Reject Jobs option to approve or reject a job for which you are an Approver. The job
will not run until you or another Approver approves it. If no Approver approves the job by its scheduled
run time, or an Approver rejects it, the job is moved to the rejected state and will not run.
For periodic jobs, only one instance of the job needs to be approved. If one instance is approved all other
instances are considered approved, and vice-versa.
When a job for which you are an Approver is created, you are notified by email.
An Approver can edit the job schedule at the time of approving the job.

12-20 OL-25947-01
The e-mail displays these details:
Details Description
Job ID ID of the job that has been put up for approval.
Job Description Description of the job.
Job Schedule Date and time for which the job has been scheduled.
Server Name Name of the server.
Server Time-zone: Time zone of the server.
Maker Comments Comments for the Approver, entered by the job creator.
URLS Two URLs to launch dialog boxes for:
• Viewing job details.
• Approving or rejecting jobs.
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform this task. You need to be a user with an Approver role.
Note You will be able to select only those jobs for which you are a part of the Approver List. The other jobs,
for which you are not a part of the Approver List, will be disabled.
To approve or reject jobs:
Step 1 Select Admin > Jobs > Approval.

The Jobs Pending Approval dialog box appears with the following information about the scheduled jobs
on the system:
Column Description
Job ID Unique number assigned to the job when it is created.
For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x
represents the number of instances of the job. For example, 1001.3 indicates that this is the third
instance of the job ID 1001.
Click the Job ID hyperlink to view the details of the job.
Owner Job owner.
Job Type Application that registered job.
Scheduled to Run at When job is scheduled to run.
Approver List Name of Approver list whose members can approve job.
Description Job description, entered by job creator.
You can filter the pending jobs by any specified criteria using the Filter By drop-down list. Select your
criteria and click Filter.

OL-25947-01 12-21
Step 2 Either:
• Select the job and click Approve to approve the job.
The job is approved.
Or
• Select Next.
The Job Details dialog box appears (For example, if the ID of the job awaiting approval is 1025, then
the title of the dialog box appears as Job Details For Job 1025). You can view/ change the job details
before approving or rejecting it.
Fields in the Job Details box are:
Field Description
Job
ID ID of the job (display only).
To see the detailed description of the job, click the View Job Details hyperlink.
Schedule Options
Run Type Select the frequency at which the job should be run:
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
completed. If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the
next job will start only at 10:00 a.m. on November 3.
To change, select the required run type from the drop-down list.

12-22 OL-25947-01
Using Device Selector
Field Description
Current Schedule
Date Scheduled date and time of the job. Click Change Schedule to change the schedule of the job.
You must click the Change Schedule button for the changed schedule to take effect. If you do not click
this button, the changed schedule will not be set.
Approver
Comments Enter your comments. This field is mandatory only if you are rejecting a job.
Step 3 Click Approve.

The job is approved.
If you want to reject the job, enter comments in the Comments text box and then click Reject.

The Device Selector pane is used to select devices to perform LMS tasks. This pane lists all devices in
a group. The devices are listed in the appropriate groups based on Device type groups and User-defined
group rules.
The devices name that you see in this pane is the Device Name that you have entered at the time of adding
the devices in Device and Credential Repository.
You can use the following search options to search for devices:
• Using Simple Search
• Using Advanced Search
• Using the All Tab
• Using the Search Results Tab
• Using the Selection Tab
Note If you have configured Cisco Prime login mode to work under ACS mode, the devices listed for you
while performing the tasks are based on your role and associated privileges that are defined in Cisco
Secure ACS.
The Device Selector pane contains the following field/buttons:
Search Input Enter the search expression in this field.
You can enter single device names or multiple device names. If you are
entering multiple device names, separate them with a comma. You can
also enter the wildcard characters “*” amd "?".
For example: 192.168.10.1*, 192.168.20.*
Search Use this icon to perform a simple search of devices based on the search
criteria you have specified in the Search Input text field.
For information on Search, see Using Simple Search.

OL-25947-01 12-23
Advanced Search Use this icon to perform an advanced search of devices based on the
search criteria you have specified in the Search Input text field.
For information on Advanced Search, see Using Advanced Search.
All Lists all User-defined and System-defined groups for all applications that
are installed on LMS Server.
For more information, see Using the All Tab.
Search Results Displays all the search results from Search or Advanced Search.
For more information, see Using the Search Results Tab.
Selection Lists all the devices that you have selected in the Search Results or All
tab.
Using this tab, you can deselect devices from the list.
For more information, see Using the Selection Tab.
Figure 12-1 shows the new device selector.
Figure 12-1 Device Selector
Tool-tips are provided for long device names so that you do not have to scroll to see the complete device
name.
Using Simple Search

You can search for devices by entering the devices name in the Search Input field.
The search is based on the Device Name that you view in the Device Selector pane. This Device Name
is entered when you add devices to Device and Credential Repository.
Usage Notes
The following are the usage notes for Simple Search:

12-24 OL-25947-01
Using Advanced Search
• You can enter multiple device names separated with a comma. You can also enter wildcard character,
“*” or “?” for selecting multiple devices.
For example:
You can enter device names in these many ways to select multiple devices:
– 192.168.80.140, 192.168.135.101, rtr805
– 192.168.80.*, 192.168.*
– 192.168.22.?
You cannot enter multiple wildcard characters for selecting the devices
For example, 192.*.80.*. This is not allowed.
• You must enter either the complete device name or enter the partial device name appended with
wildcard character *. That is,
– No devices are selected, if you enter only 192.168 in the Device Name text box.
– You have to enter either 192.168* or 192.168.10.10.
• The search is not case-sensitive.
• The devices that are selected is a unique list. There are no duplicate entries of devices.
For example:
If you have these devices in All Devices and Normal devices nodes: 192.168.10.10, 192.168.10.20,
192.168.10.21, 192.168.10.30, and 192.168.10.31 then,
a. Select the devices 192.168.10.20, 192.168.10.21, and 192.168.10.30 in the Normal devices
node.
b. Enter the search criteria 192.168.10.2*
c. The final selected devices that is displayed is, 192.168.10.20, 192.168.10.21, and 192.168.10.30
in the Normal devices node and 192.168.10.20 and 192.168.10.21 in All Devices node.
However, the selected devices count that is displayed in the Device Selector is only three and
not five.
• The All Devices node is expanded without selecting any devices, if the search criteria is not
satisfied. The objects selected text displays 0 (zero) device selected.

You can use the Advanced Search icon to specify a set of rules for advanced search. Advanced search is
based on the Grouping Services attributes of Grouping Services Server. In the Advanced Search dialog
box, you can create rules to search for devices.

OL-25947-01 12-25
Figure 12-2 shows the Advanced Search dialog box.
Figure 12-2 Device Selector Advanced Search
This dialog box contains the following fields and buttons (See Table 12-6):
Table 12-6 Advanced Search Dialog Box
OR, AND, EXCLUDE Logical operators.
• OR—Include objects that fulfill the requirements of either
rule.
• AND—Include only objects that fulfill the requirements of
both rules.
This field appears only after a rule expression is added in the Rule
Text box.
Object Type Type of object (device) that is used to form a group.
All rule expressions begin with the same Object Type,
RME:INVENTORY:Device.
Variable Device attributes, based on which you can define the group.
See Advanced Search Rule Attribute.
Operator Operator to be used in the rule. The list of possible operators
changes based on the Variable selected.
Value The value of the rule expression. The possible values depend upon
the variable and operator selected. Depending on the operator
selected, the value may be free-form text or a list of values.
The wildcard characters are not supported.

12-26 OL-25947-01
Table 12-6 Advanced Search Dialog Box (continued)
Search Used to search for devices based on the defined rule.
Usage Notes
The following are the usage notes for Advanced Search:
• If you have not selected any device nodes, then advanced search is applied only for All Devices
node.
• You can either enter the rules directly in the Rule Text field, or select the components of the rule
from the Rule Expression fields, and form a rule.
Each rule expression contains the following:
Object Type—The type of object (device) that is used to form a group. All rule expressions begin
with the same Object Type, RME:INVENTORY:Device.
Variable—Device attributes, based on which you can define the group. See the Advanced Search
Rule Attribute.
Operator—Operator to be used in the rule. The list of possible operators changes based on the
Variable selected.
Value—Value of the rule expression. The possible values depend upon the variable and operator
selected. Depending on the operator selected, the value may be free-form text or a list of values.
• If you are entering the rule expressions manually, the rule expression must follow this syntax:
• If you are entering more than one rule expression, you must enter logical operators OR, AND or
EXCLUDE after every rule expression.
You must use Check Syntax button only when you add a rule manually or when you modify a rule
expressions in the Rule Text.
• The advanced search operation is not case-sensitive.
• To delete the rules in the Rule Text box, select the complete rule including the logical operator and
press the Delete key on your keyboard.
• If you want to perform a new search, click Clear All before selecting any new devices.

OL-25947-01 12-27
Advanced Search Rule Attribute

Table 12-7 lists the available device advanced search rule attributes that you can use for defining
advanced search.
Table 12-7 Advanced Search Rule Attribute
Attribute Group Attribute Type Description

Asset Asset.CLE_Identifier CLE identifier of the asset.
Asset.Part_Number Orderable part number of the asset.
Asset.User_Defined_Identifier User-defined identifier of the asset
Chassis Chassis.Model_Name Name of the model.
Chassis.Number_Of_Slots Number of slots in that chassis.
Chassis.Port_Count Total port count of the chassis.
Chassis.Serial_Number Serial number of the chassis.
Chassis.Vendor_Type Vendor type of the chassis.
Chassis.Version Version number of the chassis.
Flash Flash.File_Name Name of the flash file.
Flash.File_Size Flash file size in MB.
Flash.Model_Name Model name of the flash device.
Flash.Partition_Free Free space in MB.
Flash.Partition_Name Flash partition name.
Flash.Partition_Size Flash partition size in MB.
Flash.Size Total flash device size in MB.
Image Image.ROM_Sys_Version ROM system software version
Image.ROM_Version Version of ROM.
Image.Sys_Description Image system description
Image.Version Running image version.
IP Address IP.Address Device IP address.
IP.Address_Type Version of IP, IPv4 or IPv6
IP.Network_Mask Network Mask address
Memory Memory.Free Free memory in MB.
Memory.Name Name of the memory.
Memory.Size Total RAM size in MB.
Memory.Type Memory type.
Memory.Used Used memory in MB.
Module Module.HW_Version Module hardware version.
Module.Model_Name Name of the model.
Module.Port_Count Total ports on that module.
Module.Serial_Number Serial number of the module.
Module.Vendor_Type Vendor type for the module.

12-28 OL-25947-01
Table 12-7 Advanced Search Rule Attribute (continued)
Attribute Group Attribute Type Description

Processor Processor.Model_Name Name of the model.
Processor.NVRAM_Size Size of the processor NVRAM in MB.
Processor.NVRAM_Used Size of the processor NVRAM that has been utilized, in
MB.
Processor.Port_Count Total port count of the processor
Processor.RAM_Size Size of the processor RAM in MB.
Processor.Serial_Number Serial number of the processor.
Processor.Vendor_Type Vendor type of the processor.
State State Device state such as Normal, Alias, etc.
System System.Contact Device contact person name.
System.Description Description of the system.
System.DomainName Device domain name.
System.Location Device location information.
System.SystemOID System Object ID of the device (sysObjectID).
Using Advanced Search—An Example

The following example describes the procedure for selecting devices whose IP address starts with
192.168 or Network Mask is 255.255.255.0. Also, these devices are assumed to be in Normal state.
The devices in your network are:
• 192.168.101.200 with network mask 255.255.255.128
Use the following procedure for advanced search:
Step 1 Click the Advanced Search icon in the Device Selector pane.
The Define Advanced Search Rule dialog box appears.
Step 2 Select,
a. State as Variable
b. = as Operator
c. Normal as Value

OL-25947-01 12-29
Step 4 Select,
a. And as Logical Operator
b. IP.Address as Variable
c. Contains as Operator
d. Enter 192.168.101 for Value.
Step 6 Select,
a. OR as Logical Operator
b. IP.Network_Mask as Variable
c. Equals as Operator
d. Enter 255.255.255.0 for Value.
Step 8 Click Search.
The Device Selection dialog box appears.
The devices that satisfied the search condition are selected. That is these two devices are selected.
Using the All Tab

The All tab lists all the devices that are available in the LMS. The list is based on the Device Name that
you entered in the Device Properties dialog box when you added devices to Device and Credential
Repository.
List of Device Folders

The following is the list of device folders under the All tab:
• The All Devices folder lists all devices. That is, this includes devices in Normal, Alias, Pending, and
Pre-deployed states. This folder does not include devices in Suspended and Conflicting states.
• The Normal Devices folder lists devices that has been successfully contacted by LMS or the device
has contacted LMS at least once (polling, successful job completion, Syslog receipt etc.).
• The Pre-deployed folder lists Device has never ever been reachable by LMS (by protocol such as
SNMP).
• The Previous selection folder lists LMS devices that were selected in previous LMS task in the same
session.
• Saved device list folder lists devices that are saved explicitly by you while generating the Inventory
Reports, View Credential Verification Report and Error Report.

12-30 OL-25947-01
Only one Saved device list is created within the device selector. If concurrent users have created
Saved device list, only the last created Saved device list appears in the Device Selector. The previous
Saved device list is overwritten with the latest.
Note You can use the Previous selection and Saved device groups only when you are working on a application.
You cannot use these device groups when you are working on another Cisco Prime application. That is,
if you are working on the Campus Manager application, these groups must not be used.
• The User Defined Groups folder lists devices that satisfy the group rules. The group rules are defined
by you at the time of creating the User-defined groups.
• Based on the applications that are installed on your LMS Server, you will also view device folders
related to other Cisco Prime applications:
CiscoWorks_ApplicationName@CiscoWorks_ServerHostName
For example: For Cisco Prime Common Services, you will see:
CS@CiscoWorks_ServerHostName.
In a stand-alone system, server name is not appended. For example, for Common Services, you will
see CS.
• Other application folders are displayed in LMS based on the settings. For more details, see Common
Services Online Help.
• In Device Selector, the other Cisco Prime application device folders will list only devices.
For example: If you have devices, A, B, C and D in Cisco Prime Common Services and you have
devices A, B, and C in LMS then in the Device Selector under Common Services device folder, you
will view on device list, A, B, and C.
• The device appears in a disabled (greyed out) state when:
– Device type is Unknown in Device and Credential Repository. In all applications device is
shown as disabled except in Inventory job creation and reports.
– Device type is known and correct in Device and Credentials (that is, the SysObjectID is correct
and is available in Device and Credentials). However, that device is not supported by
applications. (Inventory, Software Management, and Configuration Management).
There are two types of device selectors in LMS:
• Single Device Selector
• Multiple Device Selector
Single Device Selector

In the single device selector, you can select a device only at the leaf-level (device-level). The radio
buttons at the node-level (folder-level) are grayed out.

OL-25947-01 12-31
Multiple Device Selector

In the multiple device selector, you can select devices at both the node-level and leaf-level.
The following are the usage notes for the multiple device selector:
• If you select devices at the node-level, all devices listed under this node are selected.
For example, if you select the All Devices node, all devices under this node are selected.
• If you expand a device node, you cannot select devices at the node-level. You need to select devices
individually at the leaf-level.
For example, if you expand the All Devices node, you cannot select devices at the All Devices
node-level (the check-box is grayed out). You need to select devices individually under the All
Devices node.
• If you select devices at a node-level and expand that particular node, you can deselect the devices
only at the leaf-level and not at the node-level.
For example, if you select the Normal Devices node and expand the same, you can deselect the
devices only at the leaf-level. You cannot deselect all the devices at the Normal Devices node-level
(the check-box is grayed out), when it is expanded. However, you can use Clear All to deselect all
the devices.
• You can select multiple device nodes to perform the tasks.
For example, you can select the Previous selection and the Saved device list nodes together to
perform the tasks.
Using the Search Results Tab

The Search Results Tab lists all the results of Simple search or advanced search operations. It displays
a flat list of devices and you can do a select all , clear all , or select a few devices from the list.
Using the Selection Tab

The Selection Tab serves as a repository of all the devices that you select from the Search Results tab or
the All Tab.
There are three ways to select devices in the Device Selector:
• Selection Using All Tab
• Selection Using Search
• Selection Combining All and Search
Selection Using All Tab

You can select devices using the tree view in the All tab. This tab displays all devices that are available
in LMS.
Selection Using Search

You can search devices using Search or Advanced Search. The list of devices matching the search criteria
is shown under the Search Results tab. You can select the required devices from the Search Results tab.
The Selection tab reflects whatever you selected from Search Results.
If you click the All tab now, the devices selected from Search Results will be shown in the All Devices
group.

12-32 OL-25947-01
Selection Combining All and Search

After you select devices using the All tab, you can add a few more devices using Search. You can enter
the search criteria and search using Search or Advanced Search and the Search Results tab displays the
devices matching the criteria.
You can select the required devices from the Search Results tab. The Selection tab displays the
accumulated list from both All and Search Results tabs. If you click the All tab, it displays the selected
devices from Search Results under the All Devices group also.
You can enter another search criteria and select more devices. The selected devices are accumulated in
the All tab from the Selection tab, as you select more devices.
Note The (n) Devices Selected message at the bottom left of the Device Selector screen shows the number of
devices you have selected. It launches the Selection tab when you click on it.
Editing Device Attributes

To edit the device attributes for a single device
Step 1 Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry
settings.
or
Select Admin > Collection Settings > Config > Edit the Inventory, Config Timeout, and Retry
settings.
The Edit Devices dialog box appears.
Step 2 Select the devices for which you want to edit the device attributes. See Using Device Selector for further
information.
Step 3 Click Edit Device Attributes.
The Device Attributes dialog box appears.
Step 4 Click Inline Edit.
The Device Attributes Information dialog box appears.
Step 5 Select a device from the Devices pane.
Step 6 Edit the device attributes in the Device Information pane.
You can check the Apply to all Devices checkbox to apply the device attributes of one device to all other
devices that are listed in the Devices pane.
Step 7 Click Modify in the Device Attributes Information dialog box.
Step 8 Click Apply in the Device Attributes dialog box.
To edit the device attributes for the bulk of devices
Step 1 Select Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry
settings.
The Devices dialog box appears.

OL-25947-01 12-33
Step 2 Select the devices for which you want to edit the device attributes. See Using Device Selector for further
information
Step 3 Click Edit Device Attributes.
The Device Attributes dialog box appears.
Step 4 Click Export.
The Export Device Attributes to File dialog box appears.
a. Enter the folder name and the filename on the server.
or
– Browse to select a folder on the server.
– Select a folder and enter the filename on the server.
– Click OK in the Server Side File Browser dialog box.
b. Click OK in the Export Device Attributes to File dialog box.
The notification window displays Data exported successfully.
c. Click OK in the notification window.
Step 5 Edit the exported file.
You can edit only the device attributes, Serial Number, SNMP Retry, SNMP Timeout, Telnet Timeout,
and Natted IP Address. You cannot edit the Device Name (device_identity) and add new device entries.
See Device Attributes Export File Format for more information.
Step 6 Click Import in the Device Attributes dialog box.
The Import Device Attributes to File dialog box appears.
We recommend that you import the same file that you have exported after editing. If any new device
entries are added, these device entries are ignored. Only device entries that match the existing device
entries are imported.
a. Enter the folder name and the filename on the server.
or
– Browse to select a folder on the server.
– Select a folder and file on the server.
– Click OK in the Server Side File Browser dialog box.
b. Click OK in the Import Device Attributes to File dialog box.
The notification window displays Data imported successfully.
c. Click OK in the notification window.
The Device Attributes window refreshes to display the updated device attributes.
While importing the edited device attributes file an error message may appear,
Attribute values for some selected devices are invalid. See Attribute Error Report for
details.
See Editing Device Attributes section to know the minimum and maximum values for the device
attributes. Also see Attribute Error Report for more information.
Step 7 Click Apply.

12-34 OL-25947-01
The Devices window appears.
The device attributes are:

• Device Name
Name of the device.
• Serial Number
Cisco manufacturing serial number from chassis. You can enter alphanumeric characters up to 255.
The default value is Default Not Defined.
This attribute is available when you either export or edit the device attributes from the Devices
window.
• SNMP Retry
Number of times that the system should try to access devices with SNMP options.
The default value is 2. The minimum value is zero.
• SNMP Timeout
Duration of time that the system should wait for a device to respond before it tries to access it again.
The default value is 2 seconds. The minimum value is zero seconds. There is no maximum value
limit.
Changing the SNMP timeout value affects inventory collection.
• Telnet Timeout
The default value is 36 seconds. The minimum value is zero seconds. There is no maximum value
limit.
Note The Telnet timeout and SSh timeout are the same. Modifying the Telnet Timeout also changes the SSH
Timeout.
• Natted IP Address
The server ID. This is the translated address of server as seen from the network where the device
resides. This is used when LMS tries to contact devices outside the NAT boundary, you need to
enable support for NAT. The default value is Default Not Defined.
• TFTP Timeout
The default value is 5 seconds and the minimum value is 0 seconds. There is no maximum value
limit. This attribute is available only when you edit the device attributes from the Device Attributes
window.
• Read Delay—Amount of time the system will sleep in between each read iteration. Read Delay sets
the client to sleep for few milliseconds. During the delay time, the client accumulates the device
content in buffer and keeps it ready to be read. The default read delay is 10 milliseconds.
• Transport Timeout—Amount of time the socket will be blocked for read operation. The client waits
for a response from the device after which it will get timed out. The default value is 45000
milliseconds.

OL-25947-01 12-35
• Login Timeout—Amount of time the system should wait for a client’s input after which the client
gets disconnected from the device. The default value is 2000 milliseconds.
• Tune Sleep—Amount of sleep time in milliseconds set before and after sending a new line to the
device. The default value is 50 milliseconds.
• Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It will
wait for the set time before doing the next operation. The default value is 300 milliseconds.
Do any one of the following to edit the device attributes:
• Set the device attributes value for a single device using Admin > Collection Settings > Inventory
> Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes > Inline
Edit. See To edit the device attributes for a single device
• Set the device attributes value for the bulk of devices using Admin > Collection Settings >
Inventory > Edit the Inventory, Config Timeout, and Retry settings > Edit Device Attributes >
Export. See To edit the device attributes for the bulk of devices
Note View Permission Report to check if you have the required privileges to perform this task.
Attribute Error Report

The Attribute Error report is generated when the attribute values imported for some selected devices are
invalid. This error occurs when the device attributes that are imported as a CSV file contain invalid
attributes.
You can click on the Attribute Error Report link that is displayed in the error message, to open the
Attribute Error Report.
You can also view the Attribute Error Report by clicking on the Attribute Error Report button from:
Admin > Collection Settings > Inventory > Edit the Inventory, Config Timeout, and Retry settings
> Edit Device Attributes
Note The Attribute Error Report link is available only if importing of device attributes causes error.
Device Attributes Export File Format

The device attributes are exported in CSV 3.0 format. The exported file format is:
; This file is generated by DM Export utility
Cisco Systems NM Data import, Source=DM Export; Type=DMCSV; Version=3.0
;
;Start of section 0 - DM Export
;
;HEADER:
device_identity,serial_number,SNMPRetryCount,SNMPTimeout,TelnetTimeout,TFTPTimeout,Natt
edIPAddress,ReadDelay,TransportTimeout,LoginTimeout,TuneSleep,DelayAfter Connect
;
192.168.8.4,Default Not Defined,2,2,36,5,Default Not Defined,10,45000,2000,50,300

12-36 OL-25947-01
;End of CSV file

Where,
• device_identity—Device Name of the device as entered in Device and Credential Repository.
• serial_number—Cisco manufacturing serial number from chassis. You can enter 0 to 255
alphanumeric characters. The default value is Default Not Defined.
• SNMPRetryCount—Number of times, system should try to access devices with SNMP options. The
default value is 2. The minimum value is zero.
• SNMPTimeout—Duration of time the system should wait for a device to respond before it tries to
access it again. The default value is 2 seconds. The minimum value is zero seconds. There is no
maximum value limit.
Changing the SNMP timeout value affects inventory collection.
• TelnetTimeout—Duration of time the system should wait for a device to respond before it tries to
access it again. The default value is 36 seconds. The minimum value is zero seconds. There is no
maximum value limit.
• Natted IP Address—server ID. This is the translated address of server as seen from the network
where the device resides. This is used when LMS tries to contact devices outside the NAT boundary.
The default value is not defined.
• Read Delay—Amount of time the system will sleep in between each read iteration.
The default read delay is 10 milliseconds.
• Transport Timeout—Amount of time the socket will be blocked for read operation.
• Login Timeout—Amount of time in milliseconds after which it will start reading the user prompt.
• Tune Sleep—Amount of sleep time in milliseconds after sending tune command 3 to 4 times.
• Delay After Connect—Amount of waiting time in milliseconds after initial socket connection. It
will wait for the set time before doing the next operation.

OL-25947-01 12-37

12-38 OL-25947-01

OL-25947-01 12-39

12-40 OL-25947-01

OL-25947-01 12-41

12-42 OL-25947-01
CHAPTER 13
Working With Software Center
Software Center helps you to check for software and device support updates, download them to their
server file system along with the related dependent packages, and install the device updates.
Software Center allows you to look for software and device updates from Cisco.com, and download them
to a server location. You can install the updates from this location. In the case of device updates,
Software Center helps you to install the updates using a web based user interface, and command line
interface, wherever possible.
Most of the device family-based packages can be installed directly from the web interface while the
device support packages such as IDU have to be installed based on the installation instructions in the
respective Readme files.
You may also uninstall a device support package. Software Center does not support installation and
uninstallation of software updates.
To backup what is installed on the server, Software Center maintains a package and device map in the
installed packages directory of the respective applications. The package map is a list of all device
packages installed on the server and device map is a list of all the supported devices on the server.
Software Center also provides a Command Line Interface to download device updates and software
updates, and install or uninstall device packages.
• Performing Software Updates
• Performing Device Update
• Scheduling Device Package Downloads
• Point Patch Update
• Using the Software Center CLI Utility

OL-25947-01 13-1
Chapter 13 Working With Software Center
Performing Software Updates

You can view a list of all Cisco Prime related bundles and products currently installed on your system
using this option. For software updates the default site is Cisco.com.
The Software Updates link under Software Center takes you to the Software Updates page. The Software
Updates page has two dialog boxes:
• Bundles Installed dialog box that lists the bundles installed.
• Products Installed dialog box that lists the applications installed.
These dialog boxes display the bundle or product name, the version, and the date on which the software
was installed. To sort the table by version or date of installation, click on the Version / Installed Date link.
You can click the product name links to view the Applications and Packages Installed with the Product
page that gives the details of the installed applications, patches, and packages of the product. See
You can navigate further down for each product to get a detailed list of all individual OS level packages
installed on the system, along with the versions.
The Software Updates page provides two options:
• Select Software Updates
• Download Software Updates
• Viewing the List of Installed Applications and Packages
• Selecting Software Updates
• Downloading Software Updates
Viewing the List of Installed Applications and Packages

You can view the information on all the applications, patches, and packages installed for a selected
product.
To do so:
Step 1 Select Admin > System > Software Center > Software Update.
The Software Updates page appears.
Step 2 Go to the Products Installed dialog box and click the link provided on a product.
A new window displays the details of:
• Patches Installed—Provides details about the patches installed on the product, the patch version and
the date on which the patches were installed.
• Application Installed—Provides details of the applications installed, the application version, and the
date on which the applications were installed.
• Packages Installed—Provides details about the packages installed on the product, the package
version with patch level, and the date on which the packages were installed.

13-2 OL-25947-01
Selecting Software Updates

You can select new software packages to update the applications or products.To select updates from
Software Center:
Step 2 Go to the Products Installed dialog box and select the check box corresponding to the product for which
you want to select update.
You can select multiple products by selecting the corresponding check boxes.
Step 3 Click Select Updates.
The Cisco.com and Proxy Server Credentials dialog box appears.
Step 4 Enter your Cisco.com username and password to connect to Cisco.com, for software updates.
If you have configured proxy settings under Admin > System > Cisco.com Settings > Proxy Server
Setup, you must enter the Proxy server username and password.
Step 5 Click Next.
A list of available Software Updates for the selected product appears.
Step 6 Select the Software Update you need to download and click Next.
You can filter the required images based on Type, Package Name, Product Name, and Available Version
With Patch Level. To filter the images, choose the filter source from the drop-down list and specify the
filter pattern in the text box.
For example, if you select the Filter Source as Package Name and Pattern as cmfSw001, all packages
with name starting as cmfSw001 will be listed.
Regular expressions are not supported for the patterns. Patterns are case sensitive.
For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and
CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages:
Step 7 Select a destination location or browse to the location and click Next.
The destination location should not be the location where Cisco Prime is installed or any of the OS
directories. Software Center does not support downloading device or software updates in the same
directory where you have installed Cisco Prime LMS, or any of its sub-directories.
By default, the destination location is:
• /opt/psu_download (On Solaris/Soft Appliance)
• System Drive:\psu_download (On Windows)
The Download Summary window appears.
Step 8 Click Finish to confirm download of the selected packages.
If you do not want to add the selected packages, click Back to reselect packages or click Cancel to exit.

OL-25947-01 13-3
Performing Device Update
Downloading Software Updates
Note The support for downloading LMS software and device packages from Admin > System > Software
Center > Software Update is not currently available. You must manually download the LMS software
and packages from the Software download page.
You can download the selected updates from Software Center.

To download updates from Software Center:
Step 2 Go to the Products Installed table and select the check box corresponding to the product for which you
want to download the update.
You can select multiple products by selecting the corresponding check boxes.
Step 3 Click Download Updates.
The Cisco.com and Proxy Server Credentials dialog box appears.
Step 4 Enter your Cisco.com username and password. Both are mandatory.
Setup, you must enter Proxy server username and password.
Step 5 Select a destination location or browse to the location and click Next.
directory where you have installed Cisco Prime LMS, or any of its sub- directories.
Step 6 Click Finish to confirm the download operation.
To return to the Software Update page, click Cancel.

You can view a list of all Cisco Prime related devices packages on your system using this option. It
displays a count of devices supported for each product installed in the system. For device updates the
source location could be Cisco.com or the Server Side Directory.
The Device Updates link under Software Center takes you to the Device Updates page. The Device
Update page lists the product name and the device type count.
The default summary screen shows the number of devices supported for each product installed in the
system. You can view a package map and a device map for each product installed.

13-4 OL-25947-01
You can also check for the device updates and delete the device packages using the Device Update page.
• Viewing Package Map
• Viewing Device Map
• Checking for Updates
• Deleting Packages
Viewing Package Map

A package map is a snap shot of the currently installed device packages for a Product. The
backup-restore framework uses Package map during data backup.
To view a package map for an installed product, click the product name link. A popup window appears
with the information on the packages installed. The package name, version, and description are
displayed.
You can filter the device packages based on Package Name and Version. To filter the packages, choose
the filter source from the drop-down list and specify the filter pattern in the text box.
For example, if you specify the Filter Source as Package Name and Pattern as Cat, all package names
starting with Cat will be listed.
A package name identifies the device package. For example, the package name AP350 represents Cisco
Aironet 350 Device Package. You have to use package name while specifying the download policy, and
while performing other Software Center operations where you have to specify the package name.
Viewing Device Map

To view a device map for an installed product, click the device type count link. A popup window appears
with the information on the devices installed. The device map lists the sysObjectID, Device Name,
Package Name, and Version.
You can filter the packages based on sysObjectID, DeviceName, Package Name, and Version. To filter
the packages, choose the filter source from the drop-down list and specify the filter pattern in the text
box.
For example, if you specify the Filter Source as sysObjectID and pattern as 1.3.6.1.4.1.9, details of all
devices with SysobjectID starting with 1.3.6.1.4.1.9 will be listed.

OL-25947-01 13-5
Checking for Updates

You can check for updates using this option. To check for the updates:
Step 1 Select Admin > System > Software Center > Device Update.
The Device Updates page appears.
Step 2 Select the check box corresponding to the product for which you want to check for updates and click
Check for Updates.
The Source Location page appears. You can check for updates at Cisco.com or a server.
• To check for updates at Cisco.com, select the Cisco.com radio button.
• To check for updates from a server, select the Enter Server Path radio button and enter the path or
browse to the location using the Browse tab.
Step 3 Click Next.
The Cisco.com and Proxy Server Credentials dialog box appears, if you have selected to check for
updates at Cisco.com.
Step 4 Enter your Cisco.com username and password.
Setup, you must enter Proxy server username and password.
Step 5 Click Next.
The Available Packages and Installed Packages page appears. It displays:
• Package Name: Name of the package.
• Type: Type of the update. For example, whether the update is a device package or IDU package.
• Product Name: Product for which the update is available.
• Installed Version: Current version of that product installed in the server.
• Available version: Version of the product that is available (Other than the installed version).
• Readme Details: Links to the Readme files associated with the update.
• Posted date: Date on which the update was posted on Cisco.com.
• Size: Size of the update.
Step 6 Select the check box corresponding to the package that you wish to update and click Next.
The Device Update page appears. You can either install the device packages or download them.
• To install device packages, select the Install Device Packages radio button.
• To download device packages, select the Download Device Packages radio button.

13-6 OL-25947-01
If you select Download Device Packages:

a. Enter the folder in File Selection field or click Browse to select the destination directory.
– /opt/psu_download (On Solaris/Soft Appliance)
– System Drive:\psu_download (On Windows)
b. Set the frequency of downloads, select the run type from the Run Type drop-down list. The options
are:
– Immediate
– Once
If you choose any of the options other than Immediate, set the date and time.
– Select the date from the date picker. The date picker displays the date from the client system.
– Specify the time from the drop-down lists.
c. Enter a description for the download job in the Job Description field. This is mandatory.
d. Enter an e-mail ID in the E-mail field.
You can enter multiple e-mail addresses separated by comma.
e. Click Next.
The Summary window displays the details.
f. Click Finish to confirm.
If you select Install Device Packages:
a. Click Next.
The Summary window displays the details.
b. Click Finish to confirm.
A message that the daemons are restarted, appears.
Step 7 Click OK to continue.
Deleting Packages
You can also delete packages that are outdated or you no longer use.
To delete a package:
Step 1 Select Admin > System > Software Center > Device Update.
The Device Update page appears.
Step 2 Select the check box corresponding to the product and click Delete Packages.
The wizard displays a window that has the Package name, the Product name, and the Installed version
details.
Step 3 Select the check box corresponding to the Package you want to delete.

OL-25947-01 13-7
Scheduling Device Package Downloads
You can filter the available device packages based on Package Name, Product Name, Installed Version.
To filter the packages, choose the filter source from the drop-down list and specify the filter pattern in
the text box.
For example, If you select the Filter Source as Package Name and Pattern as cmfSw001, all packages
with name starting as cmfSw001 will be listed.
Regular expressions are not supported for the patterns. Patterns are case sensitive.
For example, if the list of available packages are CatGL3, Cat4000, Cat3560, Pix, cigesm, and
CAT2900XL, then a filter pattern Cat will list the CatGL3, Cat4000 and Cat3560 packages:
Step 4 Click Next.
The Summary window appears with the details of the Product and the Packages selected.
Step 5 Click Finish to confirm deletion.
• To make changes in the previous windows, click Back.
• To cancel the operation, click Cancel.
After you have confirmed the Delete Packages operation, a message that the daemons are restarted
appears.
Step 6 Click OK to continue.
Scheduling Device Package Downloads

You can schedule device package downloads and specify the time, frequency of the downloads.
You can also specify download policies. Software Center supports the following download policies:
• Download all latest device packages of products installed in the machine.
• Download newer versions of currently installed packages.
• Download the specified packages (comma separated).
You have to provide your Cisco.com credentials and the location to which the packages should be
downloaded.
To schedule device package downloads:
Step 1 Select Admin > System > Software Center > Schedule Device Downloads.
The Schedule Device Downloads dialog box appears.
Enter the Proxy server username and password only if you have configured proxy settings under Admin
> System > Cisco.com Settings > Proxy Server Setup.
Step 3 Enter the destination location, or browse to the location using the Browse tab.

13-8 OL-25947-01
Scheduled Job
Step 4 Specify the download policy you require:

• Download the latest versions of all packages
• Download only the latest versions of currently installed packages
• Download specified packages
Note You must enter the device package name without any filename extension. The package name is
case-sensitive.
Step 5 Select the run type from the Run Type drop-down list, to set the frequency of downloads.
Step 6 Select the date from the drop-down calendar, and specify the time using the drop-down lists.
The calendar displays the date from the client system.
Step 7 Enter a description for the download job in the Job Description field. This is mandatory.
Step 8 Enter an e-mail ID in the E-mail field.
You can enter multiple e-mail addresses separated by comma.
Step 9 Click Apply to apply the changes.
Or
Click Cancel to exit without saving changes.
Note You can schedule only one download at a time.
You can view the scheduled job status and details from the Job Browser window (Admin > Jobs >
Browser).
Scheduled Job
The Scheduled Job Details page displays the activities that are performed using Software Center. The
Scheduled Job table records and displays the downloads to the server. You can view the log from the
server or any client workstation.
To view Scheduled Job Details:
Select Admin > System > Software Center > Scheduled Job Details.
The Scheduled Job Details page appears with the following information:
• Job—Job ID of the job that is scheduled by Cisco Prime user.
• Date—Time and the date on which the job was run.
• Applicable Products—Products to which the download is applicable.
You can delete the information on a job from the list.

To delete a job information, select a job from the list, and click Delete. The job information is deleted
only from this page. However, this remains in the Job Browser page.

OL-25947-01 13-9
Event Log
Event Log
The Event log page displays the activities that are performed using Software Center. The Event Log table
shows the list of immediate downloads, installations and un-installations of device packages carried out.
You can view the log from the server or any client workstation.
To view the Event Log:
Select Admin > System > Software Center > Event Log.
The Event Log page appears with the following information:
• Product Name—Name of the product.
• Description—Summary of the activity.
• Date—Date and time when the operations were carried out.
• Event Type—Shows one of the following:
– Device Package Downloads
– Software Download
– Install Device Packages / Uninstall Device Packages
• Status—Status of the event (Completed Successfully, Failed or Executed). Click on the Status link
to get more details on the operation.
You can delete either all the event logs or specific event logs from the list.
Select the log entries and click Delete to delete the selected entries.
Point Patch Update

The Point patch update allows you to download and install the point patches released after LMS 4.2.
To download the Point patches:
Step 1 Select Admin > System > Software Center > Point Patch Update.
The Point Patch Update page appears.
Enter the Proxy server username and password only if you have configured proxy settings under Admin
> System > Cisco.com Settings > Proxy Server Setup.
Note The Download option in the Point Patch Update page will be enabled only after entering the
Cisco.com username and password.
Step 3 Enter the download location, or browse to the location using the Browse tab.
By default, the download location is:
Step 4 Select Download Patches radio button.
or

13-10 OL-25947-01
Using the Software Center CLI Utility
Select View the list of available point patches to download radio button.
A point patch list containing the defect ID, point patch revision number and patch description is
displayed.
Step 5 Click Download to download all the latest point patch versions that are not installed in your system.
Related Topics
• Downloading Point Patch Updates
• Installing Point Patch Updates

LMS provides a command line utility that supports most of the Software Center features.
The utility is available at NMSROOT/bin/, as:
• PSUCli.bat (on Windows)
• PSUCli.sh (on Solaris/Soft Appliance)
The utility helps you do the following:
• Download Software Updates.
• Download Device Package Updates.
• Download Point Patch Updates.
• Install Device Packages.
• Uninstall Device Packages.
• Query Updates on the LMS Server.
• List Dependent Device Packages.
• List Device Packages Version.
To install new device packages from Cisco.com, you have to first download the packages from
Cisco.com, save them to a directory in your computer, and then install them, specifying the directory.
To get help on command usage, enter:
• NMSROOT\bin\PSUCli.bat -h (On Windows)
• NMSROOT/bin/PSUCli.sh -h (On Solaris/Soft Appliance)
This lists the commands, options, and valid product names.
• Querying Updates on the LMS Server
• Installing Device Packages
• Uninstalling Device Packages
• Downloading Software Updates
• Downloading Device Updates
• Downloading Point Patch Updates
• Installing Point Patch Updates
• Listing Dependent Device Packages

OL-25947-01 13-11
• Listing Device Packages Version
Querying Updates on the LMS Server

To get a list of installed packages, enter:
NMSROOT\bin\PSUCli.bat -p product -query [-src dir] {-all |PackageNames} (On Windows)
NMSROOT/bin/PSUCli.sh -p product -query [-src dir] {-all |PackageNames} (On Solaris/Soft
Appliance)
You have to use either the -all option or specify the package names.
• -p product —Product for which packages are to be downloaded. This must be short names of the
products. Invoking the CLI utility with the -h option lists the valid product names.
• -query (-q) —Lists the packages (default source location is installed repository of the product).
• -all—Selects all packages available at the source location.
• -src dir—Source location of the packages
• PackageNames—Names of the device packages, for example Cat5000, Cat6000, AS5850
case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -q -all
This lists all the installed packages for LMS in the installed repository for LMS.
To list all packages in the specified directory for LMS, enter:
NMSROOT\bin\PSUCli.bat -p rme -src dir -q
Installing Device Packages

To install device packages from the directory you specify, enter:
NMSROOT\bin\PSUCli.bat -p product -install -src dir {-all |PackageNames}[-noprompt] (On
Windows)
NMSROOT/bin/PSUCli.sh -p product -install -src dir {-all |PackageNames} [-noprompt] (On
You have use either the -all option or specify the package names.
products. Invoking the CLI utility with the -h option lists the valid product names.
• -install (-i)—Installs packages (from user specified directory).
• -src dir—Source location of the packages

13-12 OL-25947-01
case-sensitive.
• -noprompt—Flag to turn off the prompt that appears to restart the daemon services during device
packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -i -src dir Cat6000 Cat4000
This installs the specified packages (Cat6000, Cat4000) for LMS, from the specified directory.
Uninstalling Device Packages

To uninstall device packages, enter:
NMSROOT\bin\PSUCli.bat -p product -uninstall {-all |PackageNames} [-noprompt] (On
Windows)
NMSROOT/bin/PSUCli.sh -p product -uninstall {-all |PackageNames} [-noprompt](On
products. Invoking the CLI utility with -h option lists the valid product names.
• -uninstall (-u) —Uninstalls packages (from user specified directory).
case-sensitive.
• -noprompt—Flag to turn off the prompt that appears to restart the daemon services during device
packages installation
Example
NMSROOT\bin\PSUCli.bat -p rme -u -all
This uninstalls all packages of LMS, from the installed repository.
Downloading Software Updates

To download the Software Updates, enter:
NMSROOT\bin\PSUCli.bat -p product -software -dst download directory {-all |PackageNames}
(On Windows)
NMSROOT/bin/PSUCli.sh -p product -software -dst download directory {-all |PackageNames}
(On Solaris/Soft Appliance)

OL-25947-01 13-13
• -p product—Specify the Product for which you want to download the Software Update. Invoking
CLI with -h option lists the valid product names.
• -software (-s) —Download Software packages for the specified product or products.
• -dst download directory—Specify the directory to which you want to download the Software
Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub
directories in it.
• -all—Selects all the available software updates on Cisco.com for download.
• PackageNames—Names of the software update package available on Cisco.com, for example,
cwcs3_0_4_win, cwcs3_0_6_sol_k9.
Note You must enter the software update package name without any extension. The package name is
case-sensitive.
You will be prompted to enter Cisco.com User Name and Password. If you have configured Proxy
settings, you will be prompted for Proxy Server User credentials.
The destination location should not be the location where Cisco Prime is installed or any one of the OS
Downloading Device Updates

To download the Device Updates, enter:
NMSROOT\bin\PSUCli.bat -p product -download -dst download directory {-all |PackageNames}
(On Windows).
NMSROOT/bin/PSUCli.sh -p product -download -dst download directory {-all |PackageNames}
(On Solaris/Soft Appliance).
• -p product—Specify the Product for which you want to download the Device Update. Invoking CLI
with -h option lists the valid product names.
• -download (-d)—Download Device packages for the specified product or products.
• -dst download directory—Specify the directory to which you want to download the Device Update.
Do not specify the same directory where you have installed Cisco Prime LMS, or any of the sub
directories in it.
• -all—Selects all available device packages for download from Cisco.com.
• PackageNames—Names of the device packages, for example Cat5000, Cat6000, AS5850.
case-sensitive.

13-14 OL-25947-01
Downloading Point Patch Updates

To download the Point Patch Updates, enter:
NMSROOT\bin\PSUCli.bat -p product -pointpatch -dst download directory {-all
|PointpatchName}
(On Windows).
NMSROOT/bin/PSUCli.sh -p product -pointpatch -dst download directory {-all |PointpatchName}
(On Solaris/Soft Appliance).
• -pproduct—Specify the Product for which you want to download the Point Patch Update. Invoking
CLI with -h option lists the valid product names.
• -pointpatch (-pp)—Download Point Patch for the specified products.
• -dst download directory—Specify the directory to which you want to download the Point Patch
Update
Note The directory name should not contatin spaces.
• -all—Select all available device packages for download from Cisco.com.

• PointpatchName—Name of the point patch updates, for example CSCto49627, CSCtw65965.
Note You must enter the point patch update name without any filename extension and revision
number. The point patch update name is case-sensitive.
directories. Software Center does not support downloading device, point patch or software updates in
the same directory where you have installed Cisco Prime LMS, or any of its sub-directories.
Installing Point Patch Updates

To install point patch updates using CLI on Windows and Solaris/Soft Appliance:
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\PatchInstall.pl <source directory>
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/PatchInstall.pl <source directory>
Source directory—The directory in which the point patches are available.
Note The source directory name should not contatin spaces.

OL-25947-01 13-15
The downloaded point patch revisions that are not installed in your system are installed and an
installation successful message is displayed.
Listing Dependent Device Packages

To list the dependent packages of one or more device packages, or all device packages, enter:
NMSROOT\bin\PSUCli.bat -p product -pkgDependents -src dir {-all |PackageNames} (On
Windows)
NMSROOT/bin/PSUCli.sh -p product -pkgDependents -src dir {-all |PackageNames} (On
• -pkgDependents (-pdep)—List the base or dependent packages for the specified packages present
in the source location.
case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -pdep Cat5000
This lists all dependent packages of LMS Cat5000 device package installed.

13-16 OL-25947-01
Listing Device Packages Version

To list the versions of one or more device packages, or all device packages, enter:
NMSROOT\bin\PSUCli.bat -p product -pkgVersion -src dir {-all |PackageNames} (On
Windows)
NMSROOT/bin/PSUCli.sh -p product -pkgVersion -src dir {-all |PackageNames} (On Solaris/Soft
Appliance)
• -pkgVersion (-pver)—List theversions of all or specified packages present in the source location.
case-sensitive.
Example
NMSROOT\bin\PSUCli.bat -p rme -pver Cat5000
This lists the version of the LMS Cat5000 device package installed.

OL-25947-01 13-17

13-18 OL-25947-01
CHAPTER 14
Discrepancies and Best Practices Deviations
The Discrepancies Reporting module of LMS allows you to view the discrepancies and best practices
deviations in your network. This chapter contains the following:
• Understanding Discrepancies and Best Practices Deviations
• Interpreting Discrepancies
• Interpreting Best Practices Deviations
• Customizing Discrepancies Reporting and Syslog Generation
Understanding Discrepancies and Best Practices Deviations

LMS provides reports on discrepancies, such as network inconsistencies and anomalies or
misconfiguration in the discovered network. This makes it easy to identify configuration errors such as
link-speed mismatches on either end of a connection. Discrepancies are computed at the end of each data
collection schedule.
LMS also reports Best Practices Deviations. These are variations from the normal or recommended
practices in a network. These do not have any serious impact on the functioning of the network.
LMS allows you to:
• View Reports on Discrepancies. Select Reports > Fault and Event > Best Practices >
Discrepancies.
• View Reports on Best Practices Deviations. Select Reports > Fault and Event > Best Practices >
Deviation.
• Acknowledge Discrepancies.
• Acknowledge Best Practices Deviations.
• Resolve Discrepancies and Best Practices Deviations.
• Customize Discrepancies Reporting. For details, see Customizing Discrepancies Reporting and
Syslog Generation.

OL-25947-01 14-1
Chapter 14 Discrepancies and Best Practices Deviations
Interpreting Discrepancies
Fixing Discrepancies and Best Practices Deviations through LMS

The following Discrepancies can be fixed through LMS:
• Link Duplex Mismatch
• Link Speed Mismatch
• Link Trunk/NonTrunk Mismatch
• Port Fast Enabled on Trunk Port
The following Best Practices Deviations can be fixed through LMS:
• BPDU Filter Disabled on Access Ports
• BPDU-Guard Disabled on Access Ports
• Loop Guard and Port Fast Enabled on Ports
• UDLD Disabled on Link Ports
• CDP Enabled on Access Ports
• High Availability not Operational
This section contains information on each of the discrepancy reported in LMS. It describes the
discrepancy, the impact it has on the network, and ways to resolve it.
The user interface in LMS displays commands you can use to make configuration changes on devices to
resolve discrepancies.
• Trunking Related Discrepancies
• VLAN-VTP Related Discrepancies
• Link Related Discrepancies
• Port Related Discrepancy
• Device Related Discrepancy
• Spanning Tree Related Discrepancy
Trunking Related Discrepancies

The trunking related discrepancies that LMS reports are:
• Trunk Negotiation Across VTP Boundary
• Native VLANs Mismatch
• Trunk VLANs Mismatch
• Trunk VLAN Protocol Mismatch

14-2 OL-25947-01
Trunk Negotiation Across VTP Boundary

LMS reports a discrepancy when the trunk mode on any end of the trunk link is set to Auto or Desirable.
Dynamic Trunking Protocol (DTP) cannot be used for trunk negotiation across VTP domain boundary.
This occurs when trunk mode on both sides has any of the following combinations:
• On/Auto
• On/Desirable
• Desirable/Auto
• Desirable/Desirable
• Off/Desirable
Impact
Trunk negotiation across VTP boundary (that is, trunk link connecting two devices that are part of
different VTP domains) fails.
Fix
You cannot fix this discrepancy using LMS.
To fix the discrepancy on switches using Cisco IOS:
Step 1 Make sure that the Trunk mode is ON, on both sides of the link.
Step 2 Enter the following command:
switchport trunk encapsulation dot1q | isl
switchport mode trunk
end
Step 3 Enter the following command to check the status:
show interfaces trunk
Or
show interface mod interface_id trunk
To fix the discrepancy on switches using Catalyst operating system:
Step 1 Make sure that the Trunk mode is ON, on both sides of the link.
Step 2 .Enter the following command:
set trunk mod/port on Dot1Q | ISL
Step 3 Enter the following command to check the status:
show trunk mod/port

OL-25947-01 14-3
Native VLANs Mismatch

LMS reports a discrepancy when the native VLANs of all ports in a trunk do not match.
This mismatch occurs when you have created a trunk port to connect another switch, and both ends are
in different native VLANs.
Note This discrepancy is applicable only for trunks that use 802.1q encapsulation.
Impact
The native VLAN must match on both sides of the trunk link, otherwise the traffic flow across the link
is affected. The trunk continues to remain operational.
Fix
If you have altered the default native VLAN configuration, ensure that all trunks have the same native
VLAN. Use the set vlan command for Cisco Catalyst operating system switches or the switchport
trunk native vlan command for Cisco IOS switches to specify the native VLAN.
You cannot fix this discrepancy through LMS.
Trunk VLANs Mismatch

LMS reports a discrepancy when the list of active or allowed VLANs between the two ends of a trunk
do not match.
Impact
The trunk remains operational but the network traffic across the link is affected.
Fix
You can resolve this by modifying the list of allowed VLANs between the two ends of a trunk and
ensuring that there is no mismatch. You cannot fix this discrepancy through LMS.
Trunk VLAN Protocol Mismatch

LMS reports a discrepancy when different trunk encapsulations are set on the two ends of a trunk.
For example, when one end of a trunk is configured as ISL and the other as 802.1q, LMS reports a
discrepancy.
ISL and 802.1q are the different encapsulation types that you can configure in a trunk VLAN.
Impact
The trunk remains operational when the trunk mode is set to On or No-negotiate with mismatching
encapsulation types. However, the network traffic across the link is affected because of the mismatch.
Fix
Configure the same encapsulation type on both ends of the trunk. You cannot fix this discrepancy
through LMS.

14-4 OL-25947-01
VLAN-VTP Related Discrepancies

The VLAN-VTP related discrepancies that LMS reports are:
• VTP Disconnected Domain
• No VTP Server in Domain with at least One VTP Client
VTP Disconnected Domain

LMS reports a discrepancy if the devices that are part of the same VTP domain have different VTP
configuration revision numbers. When a switch in the same VTP domain has a higher configuration
revision number compared to the other switches, it could overwrite your server-configured switch with
incorrect information.
Impact
The VLAN information is not dynamically shared across the VTP domain.
Fix
Ensure that you configure VTP Configuration Revision number consistently across devices of the same
VTP domain. You cannot fix this discrepancy through LMS.
No VTP Server in Domain with at least One VTP Client

LMS reports a discrepancy when there is no VTP Server configured in a VTP domain.
You can configure a switch to operate in any one of these VTP modes—Server, Client, Transparent, and
Off. Primary and secondary servers are two types of servers that may exist on an instance in the VTPv3
domain.
A VTP client cannot store VLAN information. When a VTP client boots, it needs to reacquire the entire
configuration that is propagated by VTP.
The primary server can initiate or change the VTP configuration. The main purpose of a VTP secondary
server is to back up the configuration that is propagated over the network.
Impact
LMS reports a discrepancy when an existing VTP server or primary server goes down and there is no
alternative or backup server.
This can occur in a VTPv2 or VTPv3 domain that has only client mode devices. This could happen when
the existing primary server or server mode device has gone down temporarily and if the server mode
device does not come up.
If you do not configure at least one server, the devices become unreachable. LMS discovers only the
client-mode devices in the domain and ignores the rest.
Fix
Configure at least one device as server in a VTP domain. If the device you have configured as server is
temporarily down, configure another device as server. You cannot fix this discrepancy through LMS.
For more information on VTP domain, see the document Configuring VTP at the following location:
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_eol_notices_list.html

OL-25947-01 14-5
Link Related Discrepancies

The link related discrepancies that LMS reports are:
• Link Duplex Mismatch
• Link Speed Mismatch
• Link Trunk/NonTrunk Mismatch
Link Duplex Mismatch

LMS reports a discrepancy when there is a duplex mismatch between links.
Duplex mismatch on 10/100Mb Ethernet links occurs when one port on the link is operating at
half-duplex while the other port is operating at full-duplex.
This happens when one or both ports on a link are reset and the auto-negotiation process does not cause
both partners to have the same configuration. It also happens when you reconfigure one side of a link
and do not reconfigure the other side.
Impact
Half-duplex device waits until no other devices are transmitting on the same LAN segment. However a
full-duplex device transmits whenever it has something to send, regardless of other devices.
If this transmission occurs while the half-duplex device is transmitting, the half-duplex device will
consider this either a collision (during the slot time), or a late collision (after the slot time). Since the
full-duplex side does not expect collisions, it does not realize that it must retransmit that dropped packet.
A low percentage rate of collisions are normal with half-duplex, but not with full-duplex. If the switch
port receives many late collisions, it usually indicates a duplex mismatch problem. See Figure 14-1.
Figure 14-1 Duplex Mismatch
A (root)
Half-Duplex
Half-Duplex: Still
runs carrier sense Does not do
and collision carrier sense
detection
Collision
A
C BPDU lost Full-Duplex
to be retransmitted
130876
Fix
LMS provides commands to resolve link duplex mismatch. LMS displays commands to set the port
speed to Auto. Setting the port speed to Auto will automatically make the link duplex to be negotiated
between devices.

14-6 OL-25947-01
Step 1 Go to the Discrepancy report and click the hyperlink in the Summary field.
The Discrepancy Detail dialog box appears. The Recommended Fix field displays the following
command:
duplex auto
end
where auto enables the autonegotiation capability.
Step 2 Click Fix.
A message appears indicating whether the discrepancy was successfully fixed or not.

OL-25947-01 14-7
To fix the discrepancy on switches using Catalyst operating system:
command:
set port speed mod/port auto
where:
• mod/port refers to the number of the module and the port on the module
• auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet
ports
Step 2 Click Fix.
Link Speed Mismatch

LMS reports a discrepancy when there is a mismatch in the link speeds, that is, different link speeds on
either side of a link (for 10/100 ports or for any group of links).
The IEEE 802.3u autonegotiation protocol manages the switch settings for speed (10 Mbps or 100 Mbps)
and duplex (half or full). There are situations when this protocol can incorrectly align these settings,
reducing performance. A mismatch occurs under these circumstances:
• A manually-set speed or duplex parameter is different from the manually set speed or duplex
parameter on the connected port.
• A port is in Autonegotiate mode and the connected port is set to full duplex with no autonegotiation.
Impact
Link speed mismatch results in reduced performance of the link.
Fix
LMS displays commands to resolve link speed mismatch.
command:
speed auto
end
where auto enables the autonegotiation capability.
Step 2 Click Fix.

14-8 OL-25947-01
To fix the discrepancy on switches using the Catalyst operating system:
command:
set port speed mod/port auto
where:
• mod/port refers to the number of the module and the port on the module
• auto specifies autonegotiation for transmission speed and duplex mode on 10/100 Fast Ethernet
ports
Step 2 Click Fix.
Link Trunk/NonTrunk Mismatch

LMS reports a discrepancy when there are trunking ports and non-trunking ports on either side of a link.
This happens when one end of the trunk is set to On, and the other end is set to Off.
Impact
This results in the trunk not coming up, and there would be no traffic flow across the link.
Fix
LMS resolves the discrepancy by setting the trunk modes on the switches to Desirable mode.
command:
set trunk mod/port desirable
where:
• desirable causes the port to negotiate actively with the neighboring port to become a trunk link
• mod/port specifies the number of the module and the port or ports on the module
Step 2 Click Fix.

OL-25947-01 14-9
command:
switchport mode dynamic desirable
end
where dynamic desirable specifies an interface that actively attempts to convert the link to a trunk link.
Step 2 Click Fix.
Port Related Discrepancy

The port related discrepancy that LMS reports is Port is in Error Disabled State. See Port is in Error
Disabled State
Port is in Error Disabled State

LMS reports a discrepancy when one or more of the switch ports in the discovered network have a status
of errDisable.
Causes of errDisable
A port enters errdisable state for any of the following reasons:
• Channel misconfiguration
• Duplex mismatch
• BPDU port-guard
• UDLD
Impact
When a port is error-disabled, it is effectively shut down and no traffic is sent or received on that port.
The port LED is set to the color orange and when you enter the show port command, the port status
shows errdisable.
Fix
To recover from errDisable:
Step 1 Identify and fix whatever caused the ports to become error-disabled (cable, NICs, EtherChannel, and so
on).
Step 2 Re-enable the port.

14-10 OL-25947-01
You cannot fix this discrepancy through LMS.

For more information on the errDisable state, see the document Recovering From errDisable Port State
on the CatOS Platforms at the following location:
http://www.cisco.com/en/US/tech/tk389/tk214/technologies_tech_note09186a0080093dcb.html
Device Related Discrepancy

The device related discrepancy that LMS reports is Devices With Duplicate Sysname. See Devices With
Duplicate SysName, page 14-11
Devices With Duplicate SysName

LMS reports a discrepancy when it discovers two devices with the same SysName. LMS stores the
device details of only one of the two devices.
Impact
LMS manages only one of these devices.
Fix
Assign unique SysName for all devices in the network. You cannot fix this discrepancy through LMS.
Spanning Tree Related Discrepancy

The spanning tree related discrepancy that LMS reports is PortFast Enabled on Trunk Port. See Port Fast
Enabled on Trunk Port
Port Fast Enabled on Trunk Port

LMS reports a discrepancy when PortFast is enabled on trunk ports.
PortFast causes a spanning tree port to immediately enter the forwarding state, bypassing the listening
and learning states.
You must disable STP PortFast for switch-switch links. This is because, if you enable PortFast on a port
that is connected to another Layer 2 device, such as a switch, you might create network loops.
Impact
If you enable PortFast on ports that connect two switches, spanning tree loops can occur if Bridge
Protocol Data Units (BPDUs) are being transmitted and received on those ports.

OL-25947-01 14-11
Interpreting Best Practices Deviations
Fix
LMS provides commands for disabling PortFast on ports.
command:
set spantree portfast mod/port disable
where disable disables the spanning tree PortFast-start feature on the port.
Step 2 Click Fix.
command:
no spanning-tree portfast
end
This command disables PortFast on the given port.
Step 2 Click Fix.

This section contains information on each of the Best Practice Deviation reported in LMS. It gives a
description of the Best Practice Deviation, the impact (if any) it has on the network, and ways to resolve
it.
The user interface in LMS displays commands to make configuration changes on devices, to resolve
some Best Practices deviations.
• Channel Ports Related Best Practices Deviations
• Spanning Tree Related Best Practices Deviations
• Trunk Ports Related Best Practices Deviations
• VLAN Related Best Practices Deviations
• Link Ports Related Best Practice Deviation
• Access Ports Related Best Practice Deviation
• Cisco Catalyst 6000 Devices Related Best Practice Deviation

14-12 OL-25947-01
Channel Ports Related Best Practices Deviations

The channel ports related best practices deviations that LMS reports are:
• Non-channel Port in Desirable Mode
• Channel Port in Auto Mode
Non-channel Port in Desirable Mode

LMS reports a Best Practice Deviation when a non-channel port is in the Desirable mode.
There are four user-configurable channel modes:
• On
• Off
• Auto
• Desirable
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable
modes. Ports configured in on or off mode do not exchange PAgP packets.
To form EtherChannel between, it is best to have both switches set to the Desirable mode. This gives the
most robust behavior if one side or the other encounters error situations or is reset. The default mode of
the channel is Auto.
Both Auto and Desirable modes allow ports to negotiate with connected ports to determine whether they
can form a channel. The determination is based on criteria such as port speed, trunking state, and native
VLAN.
Ports can form an EtherChannel when they are in different channel modes if the modes are compatible.
Examples of ports that can form an EtherChannel are:
• A port in desirable mode can successfully form an EtherChannel with another port that is in
Desirable or Auto mode.
• A port in the Auto mode can form an EtherChannel with another port in the Desirable mode.
• A port in the Auto mode cannot form an EtherChannel with another port that is also in the Auto
mode, since neither port initiates negotiation.
• A port in the On mode can form a channel only with a port in the On mode because ports in On mode
do not exchange PAgP packets.
• A port in Off mode cannot form a channel with any port.
Impact
When a non-channel port is in the Desirable mode, the links will not be efficiently used.

OL-25947-01 14-13
Fix
To fix the Best Practice Deviation on switches using Catalyst operating system:
Step 1 Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
set port channel mod/port mode auto
Step 2 Click Fix.
A message appears indicating whether the Best Practice Deviation was successfully fixed or not.
To fix the Best Practice Deviation on switches using Cisco IOS:
Step 1 Go to the Best Practice Deviation report and click the hyperlink in the Summary field.
The Best Practice Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
channel-group Channel group number mode auto
Step 2 Click Fix.
Channel Port in Auto Mode

LMS reports a Best Practice Deviation when a channel port is in Auto mode.
There are four user-configurable channel modes:
• On
• Off
• Auto
• Desirable
Port Aggregation Protocol (PAgP) packets are exchanged only between ports in Auto and Desirable
mode. Ports configured in On or Off mode do not exchange PAgP packets.
For switches to which you want to form an EtherChannel, it is best to have both switches set to Desirable
mode. This gives the most robust behavior if one of the sides encounters error situations or is reset. The
default mode of the channel is Auto.
Both Auto and Desirable modes allow ports to negotiate with connected ports to determine if they can
form a channel. The determination is based on criteria such as port speed, trunking state, and native
VLAN.
Ports can form an EtherChannel when they are in different channel modes if the modes are compatible.
Examples of ports that can form an EtherChannel are:
• A port in Desirable mode can successfully form an EtherChannel with another port that is in
Desirable or Auto mode.
• A port in Auto mode can form an EtherChannel with another port in Desirable mode.

14-14 OL-25947-01
• A port in Auto mode cannot form an EtherChannel with another port that is also in Auto mode, since
neither port initiates negotiation.
• A port in On mode can form a channel only with another port also in On mode, because ports in this
mode do not exchange PAgP packets.
• A port in Off mode cannot form a channel with any port.
Impact
Channel port set to Auto mode is considered a Best Practice Deviation because it is not the recommended
configuration. Cisco recommends that you set the channel port to Desirable mode. There is no serious
impact on the network.
Fix
To fix the Best Practise Deviation on switches using the Catalyst operating system:
Step 1 Go to the Best Practise Deviation report and click the hyperlink in the Summary field.
The Best Practise Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
set port channel mod/port mode desirable
which sets the port to desirable mode.
Step 2 Click Fix.
A message appears indicating whether the Best Practise Deviation was successfully fixed or not.
To fix the Best Practise Deviation on switches using Cisco IOS:
Step 1 Go to the Best Practise Deviation report and click the hyperlink in the Summary field.
The Best Practise Deviation Detail dialog box appears. The Recommended Fix field displays the
following command:
channel-group Channel group number mode desirable
which sets the port to desirable mode.
Step 2 Click Fix.
A message appears indicating whether the Best Practise Deviation was successfully fixed or not.
Spanning Tree Related Best Practices Deviations

The spanning tree related best practices deviations that LMS reports are:
• BPDU Filter Disabled on Access Ports
• BPDU-Guard Disabled on Access Ports
• BackboneFast Disabled in Switch
• UplinkFast not Enabled
• Loop Guard and Port Fast Enabled on Ports

OL-25947-01 14-15
BPDU Filter Disabled on Access Ports

LMS reports a Best Practice Deviation when BPDU Filter is not enabled on access ports.
Impact
BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to
an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding
state immediately, instead of going through the listening, learning, and forwarding states.
By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled.
BDPUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies
to all PortFast-enabled ports on the switch.
When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled
port is also disabled.
Fix
LMS provides commands for enabling BPDU Filter on access ports.
Step 1 Go to the Best Practices Deviations report and click the hyperlink in the Summary field.
The Best Practice Deviation Details dialog box appears. The Recommended Fix field displays the
following command:
set spantree bpdu-filter mod/port enable
where:
• mod/port specifies the number of the module and the port on the module
• enable enables BPDU packet filtering
Step 2 Click Fix.
following command:
spanning-tree bpdufilter enable
end
where enable enables BPDU Filtering on the particular interface.
Step 2 Click Fix.

14-16 OL-25947-01
BPDU-Guard Disabled on Access Ports

LMS reports a Best Practice Deviation if PortFast is enabled and BPDU-Guard is not enabled on a port.
BPDU-Guard prevents spanning-tree loops by moving a port into the errdisable state when a BPDU is
received on that port. When you enable BPDU-Guard on the switch, spanning tree shuts down the
interfaces that receive BPDUs instead of putting the interfaces into the spanning-tree blocking state.
Impact
Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts).
The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU
is received on those ports.
BDPUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies
to all PortFast-enabled ports on the switch.
Fix
LMS displays commands for enabling BPDU Filter on access ports.
following command:
set spantree bpdu-guard mod/port enable
where:
• mod/port specifies the number of the module and the port on the module
• enable enables BPDUGuard
Step 2 Click Fix.
following command:
spanning-tree bpduguard enable
end
where enable enables BPDUGuard on the particular interface.
Step 2 Click Fix.

OL-25947-01 14-17
BackboneFast Disabled in Switch

LMS reports a Best Practice Deviation when BackboneFast is enabled on one of the switches and not
enabled on all other switches in a switch cloud.
Cisco recommends that BackboneFast be enabled on all switches running STP. It can be added without
disruption to a production network.
Impact
If you do not enable BackboneFast on all devices, it might lead to undesirable effects on the spanning
tree operation.
BackboneFast provides rapid convergence from indirect link failures. By adding functionality to STP,
you can reduce convergence times from the default of 50 seconds to 30 seconds.
Figure 14-2 shows an example topology with no link failures. Switch A, the root switch, connects
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that connects
directly to Switch B is in the blocking state.
Figure 14-2 BackboneFast Example Before Indirect Link Failure
Switch A
Switch(Root)
A Switch B
(Root) L1 Switch B
L1
L2 L3
L2 L3
Blocked port
Blocked port
11241
Switch C
11241
Switch C
If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly to
link L1.
Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to
move immediately to the listening state without waiting for the maximum aging time for the port to
expire.
BackboneFast then transitions the port on Switch C to the forwarding state, providing a path from Switch
B to Switch A.
This switchover takes approximately 30 seconds. Figure 14-3 shows how BackboneFast reconfigures the
topology to account for the failure of link L1.

14-18 OL-25947-01
Figure 14-3 BackboneFast Example After Indirect Link Failure
Switch A
(Root) Switch B
L1
Link failure
L2 L3
BackboneFast transitions port

through listening and learning
11244
states to forwarding state
Switch C
Fix
Enable BackboneFast on all switches in a switch cloud.
To enable BackboneFast Globally on a Catalyst operating system:
Step 1 Enter the command:

set spantree backbonefast enable
Step 2 Enter this command to check the status:
show spantree backbonefast
To enable BackboneFast Globally on Cisco IOS:

spanning-tree backbonefast
show spanning-tree backbonefast
You cannot fix this Best Practice Deviation through LMS.

For more information on Spanning Tree related configuration, see the document Configuring Spanning
Tree PortFast, UplinkFast, and BackboneFast at the following location:

OL-25947-01 14-19
UplinkFast not Enabled

LMS reports a Best Practice Deviation when UplinkFast is not enabled on switches.
Note This Best Practice Deviation is not applicable if the device is not an access layer switch.
Cisco recommends that you enable UplinkFast for switches with blocked ports, typically at the access
layer. Do not use on switches without the implied topology knowledge of a backup root link—typically,
distribution and core switches in Cisco's multilayer design. It can be added without disruption to a
production network.
Impact
UplinkFast provides fast STP convergence after a direct link failure in the network access layer. It
operates without modifying STP, and its purpose is to speed up convergence time in a specific
circumstance to less than three seconds, rather than the typical 30-second delay.
Figure 14-4 shows an example topology with no link failures. Switch A, the root switch, is connected
directly to Switch B over link L1 and to Switch C over link L2. The port on Switch C that is connected
directly to Switch B is in the blocking state.
Figure 14-4 UplinkFast Example Before Direct Link Failure
Switch A
(Root) Switch B
L1
L2 L3
Blocked port
11241
Switch C
If Switch C detects a link failure on the currently active link L2 (a direct link failure), UplinkFast
unblocks the blocked port on Switch C and transitions it to the forwarding state without going through
the listening and learning states, as shown in Figure 14-5. This switchover takes approximately 1 to 5
seconds.

14-20 OL-25947-01
Figure 14-5 UplinkFast Example After Direct Link Failure
Switch A
(Root) Switch B
L1
L2 L3
Link failure
UplinkFast transitions port
directly to forwarding state
11242
Switch C
Fix
Enable UplinkFast on all access layer switches.
To enable Uplink Fast on Catalyst operating system:

set spantree uplinkfast enable
show spantree uplinkfast
To enable Uplink Fast on Cisco IOS:

spanning-tree uplinkfast
show spanning-tree uplinkfast

For more information on Spanning Tree related configuration, see the document Configuring Spanning
Tree PortFast, UplinkFast, and BackboneFast at the following location:

OL-25947-01 14-21
Loop Guard and Port Fast Enabled on Ports

Loop Guard
Assume that a switch port is receiving BPDUs, and is in the blocking state. The port makes up a
redundant path. It is blocking because it is neither a Root Port nor a Designated Port. If, the flow of
BPDUs stops, the last known BPDU is retained until the Max Age timer expires.
When the Max Age timer expires, that BPDU is flushed, and the switch thinks there is no longer a need
to block the port. The port moves through the STP states until it begins to forward traffic. The switch
then forms a bridging loop. In its final state, the port becomes a Designated Port.
To prevent this situation, you can use the loop guard STP feature. When you enable this feature, loop
guard keeps track of the BPDU activity on nondesignated ports. While BPDUs are received, the port is
allowed to behave normally.
When BPDUs are missing, loop guard moves the port into the loop-inconsistent state. The port is
effectively blocking at this point to prevent a loop from forming and to keep it in the nondesignated role.
After BPDUs are received on the port again, loop guard allows the port to move through the normal STP
states and become active. In this way, Loop Guard automatically governs ports without the need for
manual intervention.
STP PortFast
STP configures meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes
up, STP calculation occurs on that port. The result of the calculation is the transition of the port into
forwarding or blocking state. The result depends on the position of the port in the network and the STP
parameters.
This calculation and transition period usually takes about 30 to 50 seconds. At that time, no user data
passes through the port. Owing to this, some user applications can time out during the period.
To allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast
immediately transitions the port into STP forwarding mode upon linkup. This way the port still
participates in STP. So if the port is to be a part of the loop, the port eventually transitions into the STP
blocking mode.
Impact
Enabling both the above features in a port, gives unpredictable results. Hence LMS flags it as a Best
Practice Deviation.
Fix
If you fix the above Best Practice Deviation through LMS, it disables the Port Fast feature in the port.
To fix the Best Practice Deviation on switches using the Catalyst operating system:
following command:
set spantree portfast disable
Step 2 Click Fix.

14-22 OL-25947-01
Step 1 Select Reports > Fault and Event.

Step 2 Select Best Practices Deviation Report from the TOC.
Step 3 Click the hyperlink in the Summary field.
following command:
spanning-tree portfast disable
Step 4 Click Fix.
Trunk Ports Related Best Practices Deviations

The trunk ports related best practices deviations that LMS reports are as follows:
• Non-trunk Ports in Desirable Mode
• Trunk Ports in Auto Mode
Non-trunk Ports in Desirable Mode

LMS reports a Best Practice Deviation when non-trunk ports are set to Desirable mode.
Impact
Cisco recommends that you set trunk to Off on all non-trunk ports. This helps eliminate wasted
negotiation time when bringing host ports up. If a non-trunk port is set to Desirable, it attempts to
become a trunk port if the neighboring port is in Desirable or Auto mode, although that is not the
intended behavior.
Fix
To fix the Best Practice Deviation, set the trunk mode to Off on all non-trunk ports.
To fix it through LMS, on switches using the Catalyst operating system:

following command:
set port host mod/port
Step 4 Click Fix.

OL-25947-01 14-23
To fix it through LMS, on switches using Cisco IOS:

following command:
switchport mode access
Step 4 Click Fix.
Table 14-1 lists all possible combinations of trunk mode configurations and when LMS reports a Best
Practice Deviation.
Table 14-1 Trunking Configuration 1
Modes On Auto Desirable Nonegotiate Off

On None. Reports None. None. Reports Best Practice
Best Deviation.
(Trunking) (Trunking) (Trunking)
Practice
(Not Trunking)
Deviation.
(Trunking)
Auto Reports Best None. Reports Best Reports Best None.
Practice (Not
Practice Practice (Not Trunking)
Deviation. Trunking) Deviation. Deviation.
(Trunking) (Trunking) (Not Trunking)
Desirable None. Reports None. Reports Best Reports Best Practice
(Trunking) Best (Trunking)
Practice Deviation.
Practice Deviation.
(Not Trunking)
Deviation.
(Not Trunking)
(Trunking)
Nonegotiate None. Reports Reports Best None. Reports Best Practice
Best Practice Deviation.
(Trunking) (Trunking)
Practice Deviation. (Not Trunking)
Deviation. (Not Trunking)
(Not
Trunking)
Off Reports Best None. Reports Best Reports Best None.
Practice (Not
Practice Practice (Not Trunking)
Deviation. Trunking)
Deviation. Deviation.
(Not (Not Trunking) (Not Trunking)
Trunking)
1. Information in brackets indicate the trunking state of the interface.

14-24 OL-25947-01
Trunk Ports in Auto Mode

LMS reports a Best Practice Deviation when trunk ports are set to Auto mode.
Impact
Cisco recommends an explicit trunk configuration of Desirable at both ends. Auto mode indicates a static
property and the port will not initiate the trunking link, if the neighbor does not initiate it. See Table 14-1
for different trunk mode combinations.
Fix
To fix the Best Practice Deviation on switches using the Catalyst operating system:

following command:
set trunk mod/port desirable
Step 4 Click Fix.

following command:
switchport mode dynamic desirable
Step 4 Click Fix.
VLAN Related Best Practices Deviations

The VLAN related best practices deviations that LMS reports are as follows:
• VLAN Index Conflict
• VLAN Name Conflict

OL-25947-01 14-25
VLAN Index Conflict

LMS reports a Best Practice Deviation when there is a conflict in the VLAN Index. A VLAN Index
conflict occurs in case of a VTP domain which has Server mode and Transparent or Off mode devices,
where a same VLAN index has different VLAN name in transparent and server mode devices in the
domain.
Impact
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation
because LMS cannot manage a VTP domain where the same VLAN index has different VLAN names in
transparent and server mode devices.
Fix
Assign the same name for a VLAN Index in both the transparent and server modes of the VTP domain.
VLAN Name Conflict

LMS reports a Best Practice Deviation when there is a conflict in the VLAN Name. A VLAN Name
conflict occurs in case of a VTP domain which has Server mode and Transparent or Off mode devices,
where a VLAN part of the transparent mode device in the domain has the same name as VLAN part of
the server mode device in the domain.
Impact
There is no serious impact on the network connectivity. It is considered as a Best Practice Deviation
because LMS cannot manage a VTP domain with devices where a VLAN part of the transparent mode
device in the domain has the same name as VLAN part of the server mode device in the domain.
Fix
Resolve the conflict by assigning different names for the VLAN part of the transparent mode and the
server mode devices. You cannot fix this Best Practice Deviation through LMS.
Link Ports Related Best Practice Deviation

The link port related Best Practice Deviation that LMS reports is UDLD Disabled on Link Ports. See
UDLD Disabled on Link Ports

14-26 OL-25947-01
UDLD Disabled on Link Ports

LMS reports a Best Practice Deviation if UniDirectional Link Detection (UDLD) is disabled on link
ports.
Impact
If you disable UDLD, it could result in Spanning Tree loops.
Unidirectional links are often caused by a failure not detected on a fiber link, or by a problem with a
transceiver.
Figure 14-6 Unidirectional Links
B
A Blocking
X
X
BPDU lost this way B unblocks its port and can forward
130877
traffic this way......
In Figure 14-6, suppose the link between A and B is unidirectional and drops traffic from A to B while
transmitting traffic from B to A. Suppose that B should be blocking. It has previously been stated that a
port can only block if it receives BPDUs from a bridge that has a higher priority. In this case, all these
BPDUs coming from A are lost and bridge B eventually forwards traffic, creating a loop.
To detect the unidirectional links before the forwarding loop is created, Cisco designed and implemented
the UniDirectional Link Detection (UDLD) protocol. This feature is able to detect improper cabling or
unidirectional links on Layer 2 and automatically break resulting loops by disabling some ports.
For maximum protection against symptoms resulting from uni-directional links, we recommend that you
enable aggressive mode UDLD on point-to-point links between Cisco switches, where you have set the
message interval to the default 15 seconds.
Fix
LMS provides commands to enable UDLD on link ports.
following command:
set udld enable mod/port
where enable enables the UDLD information display.
Step 2 Click Fix.

OL-25947-01 14-27

The Best Practice Deviation Details dialog box appears. The Recommended Fix displays the following
command:
udld port
end
This command enables UDLD in normal mode by default on all interfaces.
Step 4 Click Fix.
Access Ports Related Best Practice Deviation

The access ports related Best Practice Deviation that LMS reports is CDP Enabled on Access Ports. See
CDP Enabled on Access Ports
CDP Enabled on Access Ports

LMS reports a Best Practice Deviation when Cisco Discovery Protocol (CDP) is enabled on the access
port of a switch.
CDP is enabled by default and is essential to gain visibility of adjacent devices and for troubleshooting.
It is also used by network management applications to build Layer 2 topology maps.
Impact
In parts of the network where a high level of security is required (such as Internet-facing de-militarized
zones), you should turn off CDP.

14-28 OL-25947-01
Fix
LMS provides commands to disable CDP on switches.
To fix the Best Practice Deviation on switches running Catalyst operating system:

following command:
set cdp disable mod/port
Step 4 Click Fix.
To fix the Best Practice Deviation on switches running Cisco IOS:

following command:
no cdp enable
Step 4 Click Fix.
Cisco Catalyst 6000 Devices Related Best Practice Deviation

The Cisco Catalyst 6000 devices related Best Practice Deviation that LMS reports is High Availability
not Operational. See High Availability not Operational
High Availability not Operational

Enabling High Availability on switches is applicable only for Cisco Catalyst 6000 devices. LMS reports
a Best Practice Deviation when there are two supervisor engines in Cisco Catalyst 6000 devices and High
Availability is not enabled.
Impact
High Availability:
• Is a critical requirement for most networks. Switch downtime must be minimal to ensure maximum
productivity in a network.
• Allows you to minimize the switch-over time from active supervisor engine to the standby
supervisor engine, if the active supervisor engine fails.

OL-25947-01 14-29
Customizing Discrepancies Reporting and Syslog Generation
• Allows the active supervisor engine to communicate with the standby supervisor engine, keeping
feature protocol states synchronized.
• Provides a versioning option that allows you to run different software images on the active and
standby supervisor engines.
You can enable High Availability using Command Line Interface (CLI).
Fix
As a general practice with redundant supervisors, we recommend that you enable High Availability
feature for normal operation.
LMS provides commands for enabling High Availability.
following command:
set system highavailability enable
Step 2 Click Fix.
For more information on Supervisor engines and High Availability, see the document Configuring
Redundancy at the following location:
Customizing Discrepancies Reporting and Syslog

Generation
You can customize the Discrepancies Report and Best Practices Deviations Report to display only those
discrepancies and Best Practice Deviations about which you want to be notified.
To customize the reports:
Step 1 Select Admin > Network > Best Practices Deviation Settings.
The discrepancies page appears. You can view the list of Network discrepancies, and Discrepancies
configured to send Syslog messages by clicking the corresponding View Details link.
Step 2 Click Configure.
The Configuring Discrepancies dialog box appears.
• To include a Discrepancy or Best Practice Deviation in the Reports, check the check box next to it.
Checking all the check boxes results in a report displaying all discrepancies and Best Practice
Deviations in the network.
• To exclude a Discrepancy or Best Practice Deviation from the Reports, uncheck the corresponding
check box.

14-30 OL-25947-01
Step 3 Generate Syslog messages for the selected Discrepancies and Best Practice Deviations. To do this, check
Configure Syslog and click Next.
A list of the selected Discrepancies and Best Practice Deviations appears.
Step 4 Check Send Syslogs and enter the name of the server in the Syslog Server field.
Step 5 Select the Discrepancies and Best Practice Deviations for which you want to generate Syslog messages
and click Next.
A summary of the selected Discrepancies and Best Practice Deviations appears.
You can use the filters to display discrepancy reports for specific devices, link or network types. This
makes it easy to find a particular discrepancy for a particular type.
You can use more than one filter at the same time, but results will vary.
• If you select more than one filter in the same top-level category, Boolean OR is used.
For example, if you select Duplex, Speed under Link, any link or port that fulfils at least one filter
criteria will be displayed in the report.
• If you select more than one filter from different top-level categories, Boolean AND is used.
For example, if you select both a Link type and a Port type filter from the discrepancy filter, any link
that fulfils both filter criteria will appear in the report.

OL-25947-01 14-31

14-32 OL-25947-01
CHAPTER 15
Report Setting
Describes how to configure some settings for generating reports and set a report publish location.
This section contains the following sections:
• Specifying User Tracking Report Purge Policy
• Specifying Domain Name Display
• Set Report Publish Location
Specifying User Tracking Report Purge Policy

You can specify the intervals at which old reports and jobs are to be purged, using the Purge Policy
option. You can save the Purge Policy, so that the older jobs and archives are purged at the specified
interval.
To specify the Purge Policy:
Step 1 Select Admin > Network > Purge Settings > User Tracking Report Purge Policy.
The Report Settings dialog box appears.
Step 2 Check the relevant check box:
• Purge Archives Older than
• Purge Jobs Older than
You must specify in days, or weeks, or months the period for which you want to retain the report archives
or jobs.
Step 3 Click Save.

OL-25947-01 15-1
Chapter 15 Report Setting
Specifying Domain Name Display
Specifying Domain Name Display

You can specify the way in which domain names are to be displayed in User Tracking Reports, using the
Domain Name Display option.
To specify the Domain Name display:
Step 1 Select Admin > Network > Display Settings > Domain Name Display.
The Domain Name Display window appears.
Step 2 Select the format for displaying the domain names in User Tracking Reports. You can:
• Show full domain name suffix
• Hide full domain name suffix
• Hide specified domain name suffix
If you want to hide the specified domain name suffix, enter the domain name suffix in the field.
Step 3 Click Save.
Set Report Publish Location

Cisco Prime LMS allows you to publish the PDF, HTML and CSV format of all the reports to a directory
location of your choice. This is done by setting a default directory path.
Note Ensure that the casuser is assigned the required write permission to publish the PDF format of the report
to the directory path.
To set a report publish location:
Step 1 Select Reports > Report Settings > Report Publish Path.
Step 2 Select Report Location.
The Default Report Publish Location page appears, displaying Default Location Settings dialog box.
Table 15-1 describes the field in the Default Location Settings dialog box.
Table 15-1 Default Location Settings Fields
Report Location Directory path where the PDF format of the reports are published.
Use the Browse button to select a directory path.
The Server Side File Browser dialog box is launched. You can select the
directory path in this dialog box.
Step 3 Click Browse.


15-2 OL-25947-01
Step 4 Select the directory path from the Server Side File Browser dialog box.
Step 5 Click OK.
The directory path is displayed in the Report Location field.
Step 6 Click Apply to save the default directory path settings or Cancel to reset the directory path.

OL-25947-01 15-3

15-4 OL-25947-01
CHAPTER 16
Purge Settings
Describes how to configure the purge settings of all modules in LMS.

This section contains the following sections:
• Purging Reports Jobs and Archived Reports
• Purging VRF Management Reports Jobs and Archived Reports
• Purging Configurations from the Configuration Archive
• Syslog Administrative Tasks
• Setting the Syslog Purge Policy
• Performance Purge Jobs
• Performance Purge Data
• View Performance Purge Details
• IPSLA Data Purging Settings
• Configuring the Daily Fault History Purging Schedule
Purging Reports Jobs and Archived Reports

You can purge Layer2 services jobs or report archives in LMS. By default, purging is disabled.
To enable the purge option for Layer2 services report jobs and archives:
Step 1 Select Admin > Network > Purge Settings > Layer2 Services Purge Settings.
The Network Reports Purge Settings dialog box appears. Under Report Settings, you can specify the
Purge Policy for archives or jobs here.
Step 2 Check the Purge Archives Older Than check box to specify the periodicity at which to purge archives.
For instance, if you select 44 days, LMS purges archives that are older than 44 days.
Step 3 Check the Purge Jobs Older Than check box to specify the periodicity at which to purge jobs.
For instance, if you select 2 weeks, LMS purges jobs that are older than 2 weeks.
Step 4 Click Save.

OL-25947-01 16-1
Chapter 16 Purge Settings
Purging VRF Management Reports Jobs and Archived Reports
Purging VRF Management Reports Jobs and Archived

Reports
You can purge VRF Management jobs or report archives in LMS. By default, purging is disabled.
To enable the purge option for VRF Management report jobs and archives:
Step 1 Select Admin > Network > Purge Settings > VRF Lite Purge Settings.
The Purge Settings dialog box appears.
Step 2 Specify the Purge Policy for archives or jobs.
Step 3 Check the Purge Archives Older Than to specify the periodicity at which to purge archives.
For instance, if you select 44 days, VRF Management purges archives that are older than 44 days.
Step 4 Check the Purge Jobs Older Than to specify the periodicity at which to purge jobs.
For instance, if you select 2 weeks, VRF Management purges jobs that are older than two weeks.
Step 5 Click Save.
Purging Configurations from the Configuration Archive

You can specify when to purge archived configurations. Purging archives frees disk space and keeps your
archive at a manageable size.
By default, the purging jobs are disabled.
You can purge configurations based on two criteria:
• Number of versions to retain. Maximum number of versions of each configuration to be retained.
The oldest configuration is purged when the maximum number is reached. For example, if you set
the maximum versions to retain to 10, when the eleventh version of a configuration is archived, the
earliest (first version) is purged to retain total number of latest archived versions at 10.
• Age. Configurations older than the number of days that you specify are purged.
The Labeled configuration files are not purged even if they satisfy either of the purge conditions
(Maximum versions to retain and Purge versions older than options in the Archive Purge Settings
window) unless you enable the Purge labeled files option in the Archive Purge Settings window.
The labeled files are purged only if they satisfy the conditions given in the Maximum versions to
retain and Purge versions older than options.
Archive Management will not purge the configuration files, if there are only two versions of these files
in the archive.
Archived configurations that match the purge criteria that you set are purged from the system. This purge
policy applies to Running configuration only.
Caution Ensure that the configuration change detection schedule does not conflict with purging, since both
processes are database-intensive. Also backup your system frequently to prevent losing versions.

16-2 OL-25947-01
Purging Configurations from the Configuration Archive
The workflow to define the Configuration Archive purge policy is:
Step 1 Select Admin > Network > Purge Settings > Config Archive Purge Settings.
The Archive Purge Setup dialog box appears.
Step 2 Select Enable.
Step 3 Click Change to schedule a Purge job.
The Config Purge Job Schedule dialog box appears.
Field Description
Scheduling
Run Type You can specify when you want to purge the configuration archive files.
• Monthly—Runs monthly on the specified day of the month and at the specified time.
completed.
If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job
will start only at 10:00 a.m. on November 3.
Date You can select the date and time (hours and minutes) to schedule the job.
Job Information
Job Description The system default job description, Default archive purge job is displayed.
(Admin > System > System Preferences)). When the job starts or completes, an e-mail is sent from
the E-mail ID.

OL-25947-01 16-3
Syslog Administrative Tasks
Step 5 Specify when to purge configuration files from the archive by selecting one or all of the following purge
policies:
• Click Maximum versions to retain and enter the number of configurations to be retained.
• Click Purge versions older than and enter the number of days, weeks, or months.
• Click Purge labeled files to delete the labeled configuration files.
The Purge labeled files option must be used either with the Maximum versions to retain or Purge
versions older than options. You cannot use this option without enabling either Maximum versions
to retain or Purge versions older than options.
The labeled files are purged only if they satisfy the conditions given in the Maximum versions to
retain and Purge versions older than options.
The Labeled configuration files are not deleted even if they satisfy either of the purge conditions
(Maximum versions to retain and Purge versions older than) unless you enable the Purge labeled
files option.
These purge policies are applied sequentially. That is, if you have enabled all the three purge
policies, LMS applies the Purge policies in this sequence:
a. Maximum versions to retain
b. Purge versions older than
c. Purge labeled files
Archive Management does not purge the configuration files, if there are only two versions of these files
in the archive.
Step 6 Click Apply.
Step 7 Click OK.
You can check the status of your scheduled job by selecting Admin > Jobs > Browser.

You can perform the following Administrative tasks:
• Back up Syslog messages (see Setting the Syslog Backup Policy).
• Purge Syslog messages (see Setting the Syslog Purge Policy).
• Perform a Forced Purge (see Performing a Syslog Forced Purge).

16-4 OL-25947-01
Setting the Syslog Backup Policy

The Backup Configuration feature allows you to save the Syslog messages to a flat file. The syslog data
that is trimmed from the database will be moved to the flat file.
• In Solaris/Soft Appliance, the backup file is created with -rw-r----- casuser casusers
irrespective of the permissions given to the directory for backup on purge.
• In Windows, the backup file inherits the permission and ownership of the directory it is created in,
which is the directory selected as the backup location (on purge).
View the Permission Report (Reports > System > Users > Permission) to check if you have the
privileges required to perform this task.
To set up the backup policy:
Step 1 Select Admin > Network > Purge Settings > Syslog Backup Settings.
The Backup Policy dialog box appears.
By default, the backup policy is set to disabled.
Step 2 Select Enable to enable the backup process for Syslog messages, after configuring backup.
Step 3 Click Browse to select the backup file location.
In the Server Side File Browser dialog box:
a. Specify the external directory.
The external directory must be under the syslog directory, or a sub-directory within the syslog
directory. For example, $NMSROOT/files/rme/syslog/sysbackup.
The external directory cannot be outside the syslog directory. If you attempt to navigate outside the
syslog directory, an error message appears.
b. Select Directory Content,
c. Click OK.
Step 4 Enter the maximum size that you want to set for the backup file. By default this is set to 100 MB.
Step 5 Enter the e-mail ID of the user who should receive a notification, if the backup fails. You can enter
multiple e-mail addresses separated with commas. This is a mandatory field.
Configure the SMTP server to send e-mails in the View/Edit System Preferences dialog box (Admin >
(Admin > System > System Preferences). When the job completes, an e-mail is sent from the E-mail
ID.)
If you also want a notification to be sent when the backup is a success, select Also Notify on Success.
Step 6 Either click Save to save the backup configuration details that you have specified or click Reset to clear
the values that you specified and reset to the previously saved values in the dialog box.
If you have clicked Save, the backup will continue to save the data even after the data has exceeded the
specified size of the backup file. However, the system will send an e-mail asking you to cleanup the
backup file.

OL-25947-01 16-5
Setting the Syslog Purge Policy

You can specify a default policy for the periodic purging of Syslog messages.
If you access a table either through immediate reports, report jobs or by any other means, the database
locks the table and therefore the table will not be successfully purged. However, during the successive
purge operations such a table will be purged.
A purge job is enabled by default, and is scheduled to run at 1:00 AM daily.
This section contains: Performing a Syslog Forced Purge
To specify your default purge policy:
Step 1 Select Admin > Network > Purge Settings > Syslog Purge Settings.
The Purge Policy dialog box appears.
Step 2 Specify the number of days in the Purge records older than field.
Only the records older than the number of days that you specify here, will be purged. The default value
is 7 days. This is a mandatory field.
Caution You might delete data by changing these values. If you change the number of days to values lower than
the current values, messages over the new limits will be deleted.
If the data of a particular day is being accessed either through Immediate reports, Report jobs, or by any
other means, it will not be purged. However, during the successive purge operations this data will be
purged.
Step 3 Specify the periodicity of the purge in the Run Type field. This can be monthly, daily, or weekly.
Step 4 Select the start date using the calendar icon, to populate the date field in the dd-mmm-yyyy format (For
example, 02-Dec-2004). This is a mandatory field.
Step 5 Enter the start time in the At field, in the hh:mm:ss format (23:00:00). This is a mandatory field.
The Job Description field has a default description—Syslog Records - default purge job.
Enter the e-mail ID of the user who should be notified when the scheduled purge is complete. You can
enter more than one e-mail ID separated by commas. This is a mandatory field. Configure the SMTP
server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System
Preferences).
(Admin > System > System Preferences). When the job completes, an e-mail is sent from E-mail ID.
Step 6 Either click Save to save the purge policy that you have specified or click Reset. to clear the values that
you specified and reset the defaults in the dialog box.
You can view the scheduled purge job in the Job Browser (Admin > Jobs > Browser).

16-6 OL-25947-01
Performing a Syslog Forced Purge

You can perform a forced purge of Syslog messages, as required.
If you access a table through Immediate reports, Report jobs, or by any other means, the database locks
the table and therefore the table will not be successfully purged. However, during successive purge
operations the locked table will be purged.
To perform a Forced Purge:
Step 1 Select Admin > Network > Purge Settings > Syslog Force Purge.
The Force Purge dialog box appears.
Step 2 Enter the information required to perform a Forced Purge:
Field Description
Purge records older than Enter the number of days. Only the records older than the number of days that you specify here,
will be purged. This is a mandatory field.
If the data of a particular day is being accessed either through Immediate reports, Report jobs, or
by any other means, it will not be purged. However, during the successive purge operations this
data will be purged.
Scheduling
Run Type Specify whether the purge is to be Immediate or Once.
• If you select Immediate, all the other options will be disabled for you.
• If you select Once, you can specify the start date and time and also provide the job
description (mandatory) and the e-mail ID for the notification after the scheduled purge is
complete.
We recommend that you configure the E-mail ID in the View / Edit System Preferences
dialog box (Admin > System > System Preferences). When the job completes, an e-mail is
sent from E-mail ID.
Date Select the start date using the calendar icon, to populate the Date field in the dd-mmm-yyyy
format, for example, 02-Dec-2004. This is a mandatory field.
The Date field is enabled only if you have selected Once as the Run Type.
The at field is enabled only if you have selected Once as the Run Type.

OL-25947-01 16-7
Field Description
Job Info
Job Description Enter a description for the forced purge job.
The Job Description field is enabled only if you have selected Once as the Run Type. This is a
mandatory field.
E-mail Enter the e-mail ID of the user who should be notified when the Forced Purge is complete. You
can enter more than one e-mail ID separated by commas.
The e-mail field is enabled only if you have selected Once as the Run Type.
Configure the SMTP server to send e-mails in the View/ Edit System Preferences dialog box
We recommend that you configure the E-mail ID in the View/Edit System Preferences dialog box
(Admin > System > System Preferences). When the job completes, an e-mail is sent from
E-mail ID.
Step 3 Click Submit for the Forced Purge to become effective.

To clear the values that you specified and reset the defaults in the dialog box, click Reset.
You can view the scheduled Force Purge job in the Job Browser (Admin > Jobs > Browser).

You can periodically purge the Configuration Management jobs from Admin > Network > Purge
Settings > Config Job Purge Settings.
• Scheduling a Configuration Management Purge Job
• Enabling a Configuration Management Purge Job
• Disabling a Configuration Management Purge Job
• Performing an Immediate Purge for Configuration Management Jobs
The Job Purge option provides a centralized location for you to schedule Purge operations for the
following Configuration Management jobs:
• Credential Verification Jobs—Purge all Credential Verification jobs. This also includes credential
verification edit jobs.
• Software Management Jobs—Purge all Software Management jobs such as Image Import, Image
Distribution, etc.
• Netconfig Jobs—Purge all NetConfig jobs.
• Archive Management Jobs—Purge Archive Management jobs such as Compliance Check, and
Deploy Compliance Results.
• Archive Update Jobs—Purge Archive Management collection jobs, Default config collection job.
• Archive Poller Jobs—Purge Archive Management polling jobs, Default config polling job.
• Archive Purge Jobs--Purge Archive Management purge jobs, Default archive purge job.

16-8 OL-25947-01
• Config Editor Jobs—Purge all Config Editor jobs.

• CwConfig Jobs—Purge all cwcli config jobs such as Get Config, Put Config, etc.
• TrustSec Jobs - Purge all TrustSec jobs.
• Identity Jobs - Purge all Identity jobs.
Note TrustSec was known as Identity in the versions of LMS earlier than 4.2. Identity jobs will be
available for purging only if they have been backed up from the versions of LMS earlier than 4.2
and restored.
• Inventory Collector Jobs—Purge Inventory collection jobs.

• Inventory Poller Jobs—Purge Inventory polling jobs.
• Reports Jobs—Purge all Reports jobs
• Reports Archive Jobs—All reports that are archived are purged. You can view all reports that are
archived in the Archives window (Reports > Report Archives > Inventory and Syslog).
• NetShow Jobs—Purge all NetShow jobs.
You cannot purge the jobs that are in the running state.
The Job Purge contains the following information:
Column Description
Application Lists the application for which the Purge is applicable.
Status Whether a Purge job is enabled or disabled.
Policy This value is in days. Data older than the specified value, will be purged. You can change this value
as required. This is a mandatory field. The default is 180 days.
Job ID Unique ID assigned to the job by the system, when the Purge job was created. This job ID does not
change even when you disable or enable or change the schedule of the Purge job.
For Purge Now task, job ID is not assigned. Also, if a Job ID already exists for that application, the
job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge
Now task.
Scheduled At Date and time for which the job is scheduled. For example: Nov 17 2004 13:25:00.
Schedule Type Specifies the type of schedule for the Purge job:
• Monthly—Runs monthly on the specified day of the month and at the specified time. (A month
comprises 30 days).
You can select the applications by checking the check boxes next to the application to perform the
following tasks using the Job Purge window:
Button Description
Schedule Schedules a Purge job.
Enable After you schedule a job, you can enable Purge.

OL-25947-01 16-9
Button Description
Disable After you schedule a job, if you have enabled the Purge job, you can choose to disable it.
Purge Now Perform Immediate Purge.
You can select more than one application to purge in a single step. After selecting the applications,
click on this button to purge jobs.
Scheduling a Configuration Management Purge Job

To schedule a Purge job:
The Job Purge dialog box appears.
To create a Purge job,
Step 2 Select Schedule.
The Purge Schedule dialog box appears for the selected application.
Field Description
Scheduling
Run Type Select the frequency at which the job should be run:
• Monthly—Runs monthly on the specified day of the month and at the specified time. (A month comprises
30 days).
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will
run at 10:00 a.m. on November 2, only if the earlier instance of the November 1 job has completed. If the
10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, then the next job will start
only at 10:00 a.m. on November 3.
Date 1. Click on the date picker icon and select the date, month and year.
Your selection appears in the Date field in this format:
dd Mmm yyyy (example: 14 Nov 2004).
2. Select the time (hh and mm) from the drop-down lists in the at fields.
Job Info
Days The default setting for purging archived data is 180 days. That is, data older than 180 days will be purged.
You can change this value as required. This is a mandatory field.
You can enter only whole numbers for days. You cannot enter fractions of days.
Job Based on the option that you selected, you see a default job description.
Description
For example, for Software Management Purge jobs the default description is:
Purge - Software Management Jobs.
For Reports Archive Purge, the default description is: Purge - Reports Archive Purge.

16-10 OL-25947-01
Step 3 Click Done. The Purge job appears in the Job Purge dialog box.
Note You cannot purge the jobs that are in the running state.
Enabling a Configuration Management Purge Job

You can enable only a scheduled Purge job.
To schedule a Purge job, see Scheduling a Configuration Management Purge Job.
To enable a Purge job:
Step 2 Click Enable.
There is a purge schedule and it is enabled.
Step 3 Click OK.
The Status column in the Job Purge window displays Enabled for the selected application Purge job.
Disabling a Configuration Management Purge Job

You can only disable a Purge job that is scheduled and enabled.
To schedule a Purge job, see Scheduling a Configuration Management Purge Job and to enable a Purge
job, see Enabling a Configuration Management Purge Job.
To disable a Purge job:
Step 2 Click Disable.
There is a purge schedule and it is disabled.
Step 3 Click OK.
The Status column in the Job Purge window displays Enabled for the selected application Purge job.

OL-25947-01 16-11
Performance Purge Jobs
Performing an Immediate Purge for Configuration Management Jobs

Using this option you can purge application jobs immediately. That is, you can purge Configuration
Management jobs without scheduling and enabling the Purge job.
For the Purge Now task, the Job ID is not assigned. Also, if a Job ID already exists for that application,
the Job ID is not updated for Purge Now tasks. That is, the scheduled Purge job is not affected by Purge
Now task.
To perform an immediate purge:
Step 2 Click Purge Now.
The Explorer User Prompt dialog box appears.
Step 3 Enter the number of days jobs that have to be purged.
The default setting for purging archived data is 180 days. That is, data older than 180 days will be
purged. You can change this value as required.
You can enter only whole numbers for days. You cannot enter fractions of days.
Step 4 Click OK.
The Purge Job Details window appears displaying the purged job details.
Note You cannot purge the jobs that are in the running state.

You can configure LMS to periodically purge job data that you no longer need. This is done using Job
Purge.
Job Purge provides a centralized location for you to schedule purging for the following LMS jobs:
• Quick Report Jobs—Purge all Quick Report jobs older than the specified number of days.
• Custom Report Jobs—Purge all Custom Report jobs older than the specified number of days.
• Threshold Report Jobs—Purge all Threshold Report jobs older than the specified number of days.
• Poller Report Jobs—Purge all Poller Report jobs older than the specified number of days.
• Failure Tracker Jobs—Purge all Failure Tracker jobs older than the specified number of days.
• TrendWatch jobs—Purge all TrendWatch jobs older than the specified number of days.
• TrendWatch Summary jobs—Purge all TrendWatch summary jobs older than the specified number
of days.
• Summarizer Jobs—Purge all Summarizer jobs older than the specified number of days.
• Data Purge jobs—Purge all Data Purge jobs older than the specified number of days.

16-12 OL-25947-01
• Job Purge jobs—Purge all Job Purge jobs older than the specified number of days.
• Maintenance jobs—Purge all Maintenance jobs older than the specified number of days.
To schedule Job Purge:
Step 1 Select Admin > Network > Purge Settings > Performance Job Purge Settings.
Step 2 Select Job Purge.
The Job Purge Settings page appears, displaying Job Purge Schedule dialog box.
Table 16-1 describes the fields in the Job Purge Schedule dialog box.
Table 16-1 Job Purge Schedule Fields
Scheduling
Run Type Specify the type of schedule for job purge:
• Weekly—Runs weekly on the specified day of the week and at the
specified time.
• Monthly—Runs monthly on the specified day of the month and at the
specified time. (A month comprises 30 days).
For Daily jobs, the subsequent instances of jobs will run only after the earlier
instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November
1, the next instance of this job will run at 10:00 a.m. on November 2, only if
the earlier instance of the November 1 job has completed. If the 10.00 a.m.
November 1 job has not been completed before 10:00 a.m. November 2, then
the next job will start only at 10:00 a.m. on November 3.
Date Specify the date and time for which the purge is scheduled.
Select the date by clicking the calendar icon and time from the drop-down
list.
Purge Policy
Days The default setting for purging archived job data is 30 days. That is, job data
older than 30 days will be deleted. You can change this value as required.
This is a mandatory field.
You can enter only whole numbers for days. You cannot enter fractions of
days.
Apply Job purge is scheduled at the specified Run Type and Date for the job data
older than the days specified in the Days field.
(button)
Purge Now Job purge is done immediately for the job data older than the days specified
in the Days field.
(button)

OL-25947-01 16-13
Performance Purge Data

• Scheduling
• Purge Policy
See Table 16-1 for the description of fields that appear in the Job Purge Schedule dialog box.
Step 4 Click Apply to schedule job purge or Purge Now to immediately perform job purge.
• If you click Apply, a message appears confirming that the purge settings are applied successfully.
• If you click Purge Now, a message appears confirming that purge is done successfully and the Job
ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note We recommend that you wait for any activity currently running in the system to stop before purging jobs.
By default, all Job Purge jobs older than seven days are purged by Cisco Prime LMS.

You can configure LMS to periodically purge polled data that you no longer need in the database. You
can purge data records such as summarization records, Poller failure records, threshold violation records,
audit trail records.
Cisco Prime LMS polls the device and stores the polled data in the database. Over a period of time, the
polled data occupies a large amount of space in the database.
To prevent this, LMS stores only the last 24 hours data in the database. Background tasks in LMS
summarizes this polled data and categorizes the data as 5-minute summarization record, 30-minute
summarization record, 3-hour summarization record and 12-hour summarization record.
The summarization of polled data happens every one hour. The summarized data can be purged at regular
intervals using the Data Purge option.
Data Purge allows you to schedule purging for the following LMS data records:
• 30 Minute Summarization records—Purge all 30-minute summarization data records older than the
specified number of days.
• 3 Hour Summarization records—Purge all 3-hour summarization data records older than the
• 12 Hour Summarization records—Purge all 12-hour summarization data records older than the
• Poller failure records—Purge all failure data records older than the specified number of days.
• Threshold violation records—Purge all threshold violation data records older than the specified
number of days.
• Audit trail records—Purge all audit trail data records older than the specified number of days.
• TrendWatch violation records—Purge all TrendWatch violation data records older than the specified
number of days.
• Status change details records—Purge all status change details data records older than the specified
number of days.

16-14 OL-25947-01
Note It is recommended to keep the LMS view in LMS Portal closed, when the data purge job is running.
To schedule Data Purge:
Step 1 Select Admin > Network > Purge Settings > Performance data purge settings.
Step 2 Select Data Purge.
The Data Purge Settings page appears, displaying the Data Purge Schedule dialog box.
Table 16-2 describes the fields in the Data Purge Schedule dialog box.
Table 16-2 Data Purge Schedule Fields
Purge Schedule
Run Type Specify the type of schedule to perform Data Purge:
• Hourly—Runs hourly.
• Weekly—Runs weekly on the specified day of the week and at the
specified time.
• Monthly—Runs monthly on the specified day of the month and at the
specified time. (A month comprises 30 days).
By default, Daily is set as the default Run Type schedule for Data Purge.
For example, if you have scheduled Run Type as Daily for Data Purge job at
10:00 a.m. on November 1, the next instance of this Data Purge job will run
at 10:00 a.m. on November 2, only if the earlier instance of the November 1
job has completed.
If the 10.00 a.m. November 1 Data Purge job has not been completed before
10:00 a.m. November 2, then the next Data Purge job will start only at 10:00
a.m. on November 3.
Date Specify the date and time for which the Data Purge job is scheduled.
Select the date by clicking the calendar icon and time from the drop-down
list.

OL-25947-01 16-15
Table 16-2 Data Purge Schedule Fields (continued)
Purge Policy
Days The following are the default settings for purging the following data:
• 5 Minute's Summarization records—3 days
• 30 Minute's Summarization records—15 days
• 3 Hour Summarization records—90 days
• 12 Hour Summarization records—365 days
• Poller failure records—1 day
• Threshold violation records—180 days
• Audit trail records—90 days
• TrendWatch violation records—180 days
• Status change details records—15 days
The default data purge settings provides optimal performance of Cisco Prime
LMS. You can also change the default purge settings as required. However,
the performance of Cisco Prime LMS may not be as expected.
You can enter only whole numbers for days. You cannot enter fractions of
days.
This is a mandatory field.
Apply Data purge is scheduled at the specified Run Type and Date for the data older
than the days specified in the Days field.
(button)
Purge Now Data purge is done immediately for the data older than the days specified in
(button) the Days field.

• Purge Schedule
• Purge Policy
See Table 16-2 for the description of fields that appear in the Data Purge Schedule dialog box.
Step 4 Click Apply to schedule the data purge or Purge Now to immediately perform the data purge.
• If you click Apply, a message appears confirming that data purge settings are applied successfully.
• If you click Purge Now, a message appears confirming that purge is done successfully and the Job
ID appears.
You can see the job details in the Job Browser at Admin > Jobs > Browser.
Note By default, all Summarization jobs older than seven days are purged by Cisco Prime LMS.

16-16 OL-25947-01
View Performance Purge Details
View Performance Purge Details

Cisco Prime LMS allows you to view the details of the data purged using the option Purge Details.
To view Data Purge details:
Step 1 Select Admin > Network > Purge Settings > Performance Data Purge Summary.
Step 2 Select Purge Details.
The Purge Details page appears, displaying Show Purge Details dialog box.
Table 16-3 describes the fields in the Show Purge Details dialog box.
Table 16-3 Show Purge Details Fields
Field Description
Details Displays the purge details of the Data Purge job.
The following purge information is displayed:
• Next Data Purge Job scheduled at
• No. of Poll Failure records purged
• No. of Audit Trail records purged
• No. of Threshold Violation records purged
• No. of Polled records purged
• Last Job Purge completed at
• No. of TrendWatch violation records purged
Value Details the number of records purged and purge schedule.

OL-25947-01 16-17
IPSLA Data Purging Settings

The Purge Settings page allows you to set the Purge period for Historical and Audit reports. You can also
set the Purge period from the Setup Center.
To access Purge Settings page:
Select Admin > Network > Purge Settings > IPSLA data Purge Settings.
You can use the Purge Settings option to purge Historical data as well as Audit reports.
Purging Historical Data

LMS purges IPSLA-related historical data automatically everyday, based on the Purge period specified
on the Purge Settings page. It purges historical data that is older than the specified Purge period. If the
Purge period is not specified, it purges the historical data based on the default values.
The minute-based reports are purged daily by default.
To purge Historical reports:
Step 1 Select Admin > Network > Purge Settings > IPSLA data Purge Settings.
The Purge Settings page appears.
Step 2 Specify the Purge period. For more information, see Table 16-4.
Step 3 Click Apply.
A message appears that the Purge settings are updated successfully.
Step 4 Click OK.

16-18 OL-25947-01
Table 16-4 Purging Reports
Granularity Purge Period

Minute Specify the number of days for which you want to keep the
minute historical data in the database.
The default value is 1 day.
Hourly Specify the number of days for which you want to keep the
hourly historical data in the database.
The default value is 32 days.
Daily Specify the number of days for which you want to keep the
daily historical data in the database.
The default value is 180 days.
Weekly Specify the number of weeks for which you want to keep the
weekly historical data in the database.
The default value is 12 weeks.
Monthly Specify the number of months for which you want to keep the
monthly historical data in the database.
The default value is 12 months.
Audit Reports Purge Period Allows you to purge the Audit reports.The audit reports older
than the number of days you specify will be purged. The
default purge period for Audit reports is 180 days. This frees
disk space and maintains your audit reports at a manageable
size.

OL-25947-01 16-19
Configuring the Daily Fault History Purging Schedule
Configuring the Daily Fault History Purging Schedule

Data for Fault History remains in the LMS database for 31 days. Purging occurs every day to maintain
only 31 days of data. You can select the time of day that purging begins. By default, purging begins at
00:00.
Before You Begin

Review the information in Performing Scheduling Tasks to ensure that daily purging does not conflict
with the other scheduled jobs listed there.
Do not use the LMS Job Browser to manage Rediscovery Schedules; use the LMS Daily Purging
Schedule interface. If you suspend the Fault History:DataPurge job using the Job Manager, the job is
deleted from the LMS Daily Purging Schedule interface, which can be confusing to users.
Step 1 Select Admin > Network > Purge Settings > Fault History Purging Schedule.
Step 2 Select the Purge Time:
• Hour—From 0 to 23
• Minute—From 0 to 50 in ten-minute intervals
The default purge time is 00:00.
Step 3 Click Apply.
You can check the status of the Fault History data purge job from the Job Manager page each day after
the job runs. To do so select Admin > Jobs > Browser and find DFM:DataPurge under Job Type.
For more information, see Configuring Fault Management Rediscovery Schedules.

16-20 OL-25947-01
CHAPTER 17
Debugging Options
Debugging Settings menu allows the administrator to set the debugging settings of various modules in
LMS.
• Configuring Discovery Logging
• Maintaining Log Files
• Performance Debugging Settings
• Config and Image Management Debugging Settings
• Configuring Logging
• Fault Debugging Settings
• Setting Debugging Options for Topology and User Tracking
• Setting VRF Lite Debugging Options
Configuring Discovery Logging

You can enable the debugging option for components or modules of LMS Device Discovery without
restarting the services. When you enable the debugging option for a selected component, the log levels
in the csdiscovery.properties file is changed to DEBUG and the debug messages are recorded into the
CSDiscovery.log file and ngdiscovery.log.
You can only enable or disable the debugging option. You cannot choose to set different log levels such
as INFO,WARNING, FATAL and ERROR.
The following Device Discovery components can be enabled or disabled for debugging:
• Discovery Framework
• Data Collector
• Discovery Util
• System Module
• Cluster Module
• ARP Module
• AUS Module
• Credential Module

OL-25947-01 17-1
Chapter 17 Debugging Options
Maintaining Log Files
• Neighbor Module
• Pingsweep Module
• RouterPeer Module
• RT Module
• CSDiscoveryAdaptor
• Discovery DeviceInfo
The debugging option for all the Device Discovery components is disabled by default.
To enable the debugging option for the LMS Device Discovery components:
Step 1 Select Admin > System > Debug Settings > Discovery Logging Configuration. The Discovery
Logging Configuration page appears.
Step 2 Select one or more Discovery modules or components from the Disabled Modules list box.
Step 3 Click Add to add the components to the Enabled Modules list box.
Step 4 Click Apply.
Debugging is enabled for all the components listed in the Enabled Modules list box. The changes will
come into effect after 60 seconds.
To disable the debugging option, move the selected component from the Enabled Modules list box to
Disabled Modules list box using the Remove button.

Log files can expand and fill up disk space. You must maintain the log files disk space usage by:
• Deleting the unwanted log files from the Cisco Prime installation directory
• Using the logrot functionality. See Configuring Log Files Rotation for more information.
Most log files are located in directories in the following locations:
• On Solaris/Soft Appliance—var/adm/CSCOpx/log
• On Windows—NMSROOT\log
Caution As part of the file back-up procedure, Cisco Prime Daemon Manager is shut down and restarted. To
prevent loss of data, make sure you are not running any critical tasks.

• Maintaining Log Files on Solaris/Soft Appliance
• Maintaining Log Files on Windows
• About Cisco Prime Common Services Log Files
• Viewing and Maintaining LMS Log File Details
• Fault Management Log Files

17-2 OL-25947-01
Maintaining Log Files on Solaris/Soft Appliance

To maintain log files on Solaris/Soft Appliance:
Step 1 Make sure the new location has sufficient disk space.
Step 3 Stop all processes, and enter /etc/init.d/dmgtd stop.
Step 4 Perform log maintenance by running logrot.
See Configuring Logrot Utility and Running Logrot Script for more information.
Step 5 Verify the procedure was successful by examining the contents of the log files in this location:
/var/adm/CSCOpx/log/*.log
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6 Restart the system, and enter /etc/init.d/dmgtd start
Step 7 Select Reports > System > Status > Log File to view your log changes.
Maintaining Log Files on Windows

To maintain log files on Windows:
Step 1 Make sure the new location has sufficient disk space.
Step 2 Go to the command line and make sure you have the correct permissions.
net stop crmdmgtd
Step 4 Perform log maintenance by running logrot.
See Configuring Logrot Utility and Running Logrot Script for more information.
Step 5 Verify the procedure was successful by examining the contents of the log files in the following location:
NMSROOT\log\
Only log files that reach 90% of their size limits are backed up, and the original log file is emptied.
Step 6 Restart the system by entering:
net start crmdmgtd
Step 7 Select Reports > System > Status > Log File to view your log changes.

OL-25947-01 17-3
About Cisco Prime Common Services Log Files

The table below lists the filenames and locations of all logs produced by components of Common
Services.
The normal top-level log file directories refer to /var/adm/CSCOpx/log on Solaris/Soft Appliance and
NMSROOT\log on Windows. For example, the path to license.log is C:\Program Files\CSCOpx\log on
Windows, /var/adm/CSCOpx/log on Solaris/Soft Appliance.
Paths to log files other than those in the normal log directories are listed relative to NMSROOT on each
platform. For example, the path to stdout.log is mentioned as /MDC/tomcat/logs/ in the table.
Component
/Module Directory Path File Description
AAA Serivces /MDC/log/ core* Logs for Authentication,
Authorization and
Accounting process
Backup and Normal top-level log directories dbbackup.log, Backup and restore logs
Restore restorebackup.log,
restorebackup.log.old
Cico Prime /MDC/Apache/logs/ error.log Log for General Cisco Prime
LMS General LMS errors
Log Files Normal top-level log directories perlerr.log Log for Perl interpreter errors
Normal top-level log directories Proxy.log Log for Proxy activity
Normal top-level log directories event.log Log for Cisco Prime LMS
events
Normal top-level Solaris/Soft Appliance log daemons.log Log for all Daemon
directory only Manager-controlled
processes (On Solaris/Soft
Appliance only).
Cisco Prime Normal top-level Windows log directory syslog.log Syslogs received from
Syslog Service only device/machine (On
Windows only).
Normal top-level Windows log directory syslog_debug.log CRMLogger debugging
only information and messages
from device/machine (On
Windows only).
Database Normal top-level log directories CmfDbMonitor.log Log for Sybase database
Services operations
Normal top-level log directories dbpwdChange.log Log for Database password
changes
Normal top-level log directories dbrestoreorig.log Log to restore the database to
factory settings
Normal top-level log directories dmgtDbg.log Log for Daemon Manager
interactions with Sybase
database
/objects/db/win32/ dbcond8.log Database condition log

17-4 OL-25947-01
Component
Device and Normal top-level log directories dcr.log Logs for Device and
Credentials Credentials Administration
Administration activities
Normal top-level log directories DCRDevPoll.log Logs to detect and delete
Unreachable devices
Device and Normal top-level log directories dcrimpexp.log, Logs to import and export
Credentials DCRServer.log (Windows Device and Credentials
Administration Only), Administration
— Import and daemons.log (Solaris/Soft
Export Module Appliance Only)
Device Center Normal top-level log directories SnmpWalk* Log for SNMP Walk
Normal top-level log directories SnmpSet* Log for SNMP Set
Device Normal top-level log directories CSDiscovery.log, Device discovery logs
Discovery ngdiscovery.log
Device Selector Normal top-level log directories CSDeviceSelector.log Device Selector log file
Role /MDC/log/ cam.log Role Management log file
Management
Disk Space Normal top-level log directories diskWatcher.log Logs storing the disk space
Monitoring information
Services
Event Normal top-level log directories EDS-GCF.log, EDS.log Logs for Event Distribution
Distribution Services activities
Services
Event Services Normal top-level log directories ESS.log, JavaDebug.log Logs for Event Services
Grouping Normal top-level log directories CMFOGSClient.log Log for Grouping Service
Service client
Normal top-level log directories CMFOGSServer.log Log for Grouping Service
server
JacORB Normal top-level Windows log directory NameServiceMonitor.log, Logs for
only NameServer.log NameServiceMonitor from
JacORB package
(On Windows only)
Job Services Normal top-level Windows log directory daemons.log (Solaris/Soft Logs for various Jobs
only Appliance Only), jrm.log
(Windows Only)
Licensing Normal top-level log directories LicenseServer.log License Server activity
Normal top-level log directories license.log Product license changes
Messaging Normal top-level log directories lwms.log Lightweight Messaging
Service Service activity
Software Center Normal top-level log directories psu.log Log for Software Center
related activities

OL-25947-01 17-5
Component
Web Services /MDC/Apache/logs/ access.log, error.log, Logs for Apache activity
mod_jk.log
Normal top-level log directories ssl.log Log for Apache activity
/MDC/tomcat/logs/ jasper-YYYYMMDD.log, Logs for all Tomcat activities
servlet-YYYYMMDD.log,
stderr.log, stdout.log,
Normal top-level log directories changeport.log Port change information
Logs for Normal top-level log directories CSRegistryServer.log Log for CSRegistryServer
Common process
Services Normal top-level log directories TomcatMonitor.log Log for TomcatMonitor
backend process
processes
Viewing and Maintaining LMS Log File Details

Each LMS module writes log files within the NMSROOT/log folder. Table 17-1 lists the name of the log
file, LMS module for which log file is written, the location in Windows where log files is stored, the
location in Solaris/Soft Appliance where log files is stored and the purpose of the log file.
Table 17-1 List of Topology and Identity Services Log File Details
Location in
Location in Solaris/Soft
Log File Module Windows Appliance Purpose
ani.log Data Collection NMSROOT/log/ani. /var/adm/CSCOpx/l Debugs Data
log og/ani.log Collection
process.
AniServer.log ANIServer NMSROOT/log/AN /var/adm/CSCOpx/l Debugs
IServer.log og/dmgtd.log ANIServer
process
Campus.log LMS NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs
Configuration mpus.log og/Campus.log Topology and
and reports Layer 2 Services
module of LMS
CampusOGSSer Topology and NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs
ver.log Layer 2 Services mpusOGSServer.log og/CampusOGSSer Topology and
OGSServer ver.log Layer 2 Services
OGSServer
process
CampusOGSCli OGS client NMSROOT/log/Ca /var/adm/CSCOpx/l Debugs
ent.log mpusOGSClient.log og/CampusOGSClie Topology and
nt.log Layer 2 Services
OGSClient

17-6 OL-25947-01
Table 17-1 List of Topology and Identity Services Log File Details (continued)
Location in
Location in Solaris/Soft
Log File Module Windows Appliance Purpose
campusportal.lo Portal NMSROOT/log/cam /var/adm/CSCOpx/l Debugs the
g pusportla.log og/campusportal.lo Topology and
g Layer 2 Services
portlets.
Cmapps.log User Tracking NMSROOT/log/Cm /var/adm/CSCOpx/l Debugs all the
UI apps.log og/Cmpapps.log UI pages for
User Tracking
macuhic.log MACUHIC NMSROOT/log/mac /var/adm/CSCOpx/l Debugs
uhic.log og/macuhic.log MACUHIC
process for
Dynamic UT
ut.log User Tracking NMSROOT/log/ut.l /var/adm/CSCOpx/l Debugs the User
og og/ut.log Tracking module
utlite.log UTLITE NMSROOT/log/utlit /var/adm/CSCOpx/l Debugs UTLite
e.log og/utlite.log.log Server.
UTMajorAcquis User Tracking NMSROOT/log/ /var/adm/CSCOpx/l Debugs
ition.log UTMajorAcquisitio og/dmgtd.log UTMajorAcquisi
n.log tion process.
utm.log UTManager NMSROOT/log/ /var/adm/CSCOpx/l Debugs
Utm.log og/utm.log UTManager
process of
Dynamic UT
Vnmclient.log VRF Lite UI NMSROOT/log/ /var/adm/CSCOpx/l Debugs VRF
Vnmclient.log og/Vnmclient.log Lite UI
Vnmcollector.lo VRF Lite NMSROOT/log/Vn /var/adm/CSCOpx/l Debugs VRF
g Collector mCollector.log og/Vnmcollector.lo Lite Collector
g process.
VNMDeviceSel VRF Lite NMSROOT/log/Vn /var/adm/CSCOpx/l Debugs the
ector.log Device selector mDeviceSelector.lo og/VNMDeviceSele device selector
g ctor.log provided by VRF
Lite.
Vnmserver.log VRF Lite Server NMSROOT/log/Vn /var/adm/CSCOpx/l Debugs VRF
merver.log og/Vnmserver.log Lite Server
process
Vnmutils.log VRF Lite UI and NMSROOT/log/Vn /var/adm/CSCOpx/ Debugs utility
Server mutils.log Vnmutils.log classes used by
VRF Lite client
and server.

OL-25947-01 17-7
Fault Management Log Files

Each Fault Management module writes log files to its own folder within the NMSROOT/log/dfmLogs
folder. Table 17-2 lists each Fault Management module, the name of the folder where the log files are
stored, the related log files, the maximum log size, and the number of backup logs that are saved.
Note NMSROOT is the folder where LMS is installed on the server. If you selected the default directory during
installation, it is C:\Program Files\CSCOpx. On Solaris/Soft Appliance it is /opt/CSCOpx.
When a log file reaches its maximum size, the module backs up the file and starts writing to a new log
file. The module appends a number to the backup file, until it reaches the maximum allowed backups.
In the following example, the oldest file is TISServer.log.2, and TISServer.log is the current log file.
02:42 PM 4,481,607 TISServer.log
10:22 AM 5,120,447 TISServer.log.1
03:17 AM 5,120,105 TISServer.log.2
By default, Fault Management writes error messages only to log files. You can change the logging level
and thereby affect the amount of information stored in log files. To do so, see Fault Debugging Settings.
If there are two instances of the DfmServer running, each will have a log file, DFM.log and DFM1.log.
Table 17-2 Fault Management Log Files by Module
Folder in No. of
NMSROOT\log\dfmLo Maximum Backu
Function/Module gs Log Files Size (KB) p Files
Alerts and Activities Display AAD AAD.log 1000 3
Inventory Interactor cfi Interactor.log/Interactor1.log 1000 5
Inventory Collector cfi InventoryCollector.log/Inventory 35000 5
Collector1.log
Polling and Threshold Adapter cfi PollingThresholdAdapter.log/Poll 10000 5
ingThresholdAdapter1.log
Detailed Device View DDV DDV.log 1000 2
Daily Purging Schedule DPS DPS.log 100 2
Event Processing Adapters epa adapterServer.log/adapterServer1. 1000 5
log
dfmEvents.log/dfmEvents1.log
Event Promulgation Module EPM EPM.log 15000 5
Fault History FH FHCollector.log 1000 2
FHUI.log
Logging Services LogService DfmLogService.log 500 2
Processes with multiple threads LogService MultiProcLogger.log 10000 5
License (device limit) license licenseCheck.log 100 2
Notification Services NOS nos.log 5000 2
1 2
Fault Management Object Grouping N/A DFMOGSServer.log 30000 152
Service Server

17-8 OL-25947-01
Performance Debugging Settings
Table 17-2 Fault Management Log Files by Module (continued)
Folder in No. of
NMSROOT\log\dfmLo Maximum Backu
Function/Module gs Log Files Size (KB) p Files
Polling and Threshold Manager PTM PTMClient.log 1000 5
PTMServer.log
Polling and Threshold Manager PTM PTMDB.log 1000 5
(database)
Polling and Threshold Manager PTM PTMOGS.log 1000 5
(grouping services)
Polling and Threshold Manager (Polling PTM PTMPTA.log 1000 5
and Threshold Adapter)
Rediscovery Schedule Rediscovery Rediscovery.log 100 2
Device and Credentials Repository TIS DCRAdapter.log 1000 2
Adapter
Device Management TIS DeviceManagement.log 1000 2
Inventory Service TIS TISServer.log 1000 2
View Group Management VGM vgm.log 1000 3
1. The DFMOGSServer.log file is not stored in NMSROOT/log/dfmLogs with the other Fault Management log files. It is stored in NMSROOT/log on
Windows, and /var/adm/CSCOpx/log on Solaris/Soft Appliance.
2. On Windows, there is no limit setting for the log size or number of backup log files for DFMOGSServer.log.
Table 17-3 Incharge Log Files
Function/Module Folder in NMSROOT\obj\smarts\local\logs Log Files

Inventory Incharge engine DFM.log/DFM1.log

You can use this option to configure and manage log level settings in Device Performance Management
function of LMS. You can set log level modes (such as Fatal, Error, Warn, Info, Debug) either for all
Device Performance Management modules or at a module level.
Device Performance Management module log files are stored at these locations:
• On Windows: $NMSROOT\log\, where $NMSROOT is the Cisco Prime LMS installation directory.
• On Solaris/Soft Appliance: /var/adm/CSCOpx/log/
When a log file reaches its maximum file size of 10000 KB, the module backs up the file and starts
writing to a new log file. The maximum number of backup log files stored for each application is two.

OL-25947-01 17-9
This section contains IPSLA Debugging Settings

To set log levels:
Step 1 Select Admin > System > Debug Settings > Performance Debugging Settings.
Step 2 Select Log Level Settings.
The Set Application Logging Levels dialog box appears.
Step 3 Select the application module from the drop-down list.
The sub-module for the selected application module appear in the Module field.
Step 4 Select an appropriate log level from the Logging Level drop-down list. Changes to Device Performance
Management modules are logged with appropriate log level message. The logging levels are:
• Fatal
• Error
• Warn
• Info
• Debug
The logging level is set as Info, by default.
Table 17-4 describes the fields in the Set Application Logging Levels dialog box and also provides
information on the files to which these logs are stored.
Table 17-4 Set Application Logging Levels Fields
Application Module Sub-module Log File Description

All — — Set logging level for the
entire system
UI Poller Management upm_ui.log Set logging level for Device
Template Management Performance Management
User Interface modules
Threshold Setup
TrendWatch Setup
Report Management
Report Job Browser
Admin Pages
Trap Group
Management
Syslog Group
Management
Live Graph LMSLiveGraph.log
LMS Portlets LMSPortal.log
Device Center upm_ui.log

17-10 OL-25947-01
Table 17-4 Set Application Logging Levels Fields
Application Module Sub-module Log File Description

UPMProcess Polling Engine upm_process.log Set logging level for Device
Instance Querying Performance Management
(UPMProcess) modules
Threshold Monitor
Device Access Layer
Device Management
UPMProcess UPMProcess.log
PollerUPMProcess upm_process.log
TemplateUPMProcess
ThresholdUPMProcess
IfAdmin Status IfAdminStatus.log
JOBS Report Jobs HumReportJob_<JobId>_<InstanceId>.log Set logging level for Device
For example, HumReportJob_1003_479.log
Job modules
Summarization Job upm_summarizer.log
Purge Job upm_purge.log
Failure Tracker Job HumReportJob_<JobId>_<InstanceId>.log
For example, HumReportJob_1003_479.log
UPMCTMOperations UPM CTM Operations upm_ctm.log Set logging level for
UPMCTMOperations
modules
Step 5 Click Apply to set the logging level or Reset to apply the default logging level.
A message appears confirming that the logging levels are successfully updated.
IPSLA Debugging Settings

You can use the Log Level Settings option to set the log levels for IPSLA Performance Management.
You can either set the log levels for all the modules at a time or individual modules in IPSLA
Performance Management. By default, the log level is ‘INFO’ for all the modules after installation.
The log files are stored at the following location:
• Windows: NMSROOT\log, where NMSROOT is the Cisco Prime installation directory.
• Solaris/Soft Appliance: /var/adm/CSCOpx/log.
To set the log level:
Step 1 Select Admin > System > Debug Settings > IPSLA Debugging Settings.
The Log Level Settings page appears.
Step 2 Select either All or Module Level from the Application drop-down list.

OL-25947-01 17-11
Step 3 Select the appropriate log level from the Logging Level drop-down list.
Step 4 Click Apply to set the log levels.
A message appears that the log levels have been successfully updated.
To clear the settings, click Cancel.
Step 5 Click OK.
Table 17-5 IPSLA Log Level Settings
Field Description
Set Application Logging Levels
Module Select one of the following from the drop-down list.
• All
• Module Level
Logging Level Select one of the following logging levels from the drop-down list.
• FATAL
• ERROR
• WARN
• INFO
• DEBUG
Table 17-6 lists the IPSLA Performance Management modules and the corresponding log file details.
Table 17-6 Modules and Log File Names
Modules in IPSLA Performance Management Log File Names

IPMCLI ipmcli.log
IPMServer ipmserver.log
IPMClient ipmclient.log
IPMJob jobid.log, jobid.subjobid.log
IPM OGS collectorGroup.log, IPMOGSClient.log,
IPMOGSServer.log
IPM CTM Operations ipm_ctm.log
IPMPortal ipmportal.log
IPMPoller ipmpoller.log
IPMBase ipm_base.log
IPM TS TS_IPSLA.log

17-12 OL-25947-01
Config and Image Management Debugging Settings

You can use this option to set the logging levels for LMS packages. You can set the log levels for all
LMS packages, or at a package (application) level.
Log files are stored at these locations:
• On Windows: NMSROOT/log, where NMSROOT is the Cisco Prime installation directory.
• On Solaris/Soft Appliance: /var/adm/CSCOpx/log
To set the log levels:
Step 1 Select Admin > System > Debug Settings > Config and Image Management Debugging settings.
The Set Application Logging Levels dialog box appears.
Step 2 Select the Application from the drop-down list.
Step 3 Select the appropriate log level from the Logging Level drop-down list.
The fields in the Set Application Logging Levels dialog box are:
Application Module Log File Names Description

All - - Changes the logging level for the
entire system.
ArchiveMgmt • Archive Service dcmaservice.log Changes the logging level for Archive
• Archive Client dcmaclient.log Management.
BugToolkit Bug Toolkit bugtoolkit.log Changes the logging level for Bug
Toolkit.
ChangeAudit • Change Audit ChangeAudit.log Changes the logging level for Change
Audit.
• Change Audit User ChangeAuditUI.log Changes the logging level for Change
Interface Audit UI.
CLIFramework CLI Framework cli.log Changes the logging level for CLI
Framework.
ConfigCLI • Config CLI ConfigCLI.log Changes the logging level for Config
CLI.
• Netconfig CLI netcfgcli.log Changes the logging level for
NetConfig CLI.
ConfigEditor Config Editor CfgEdit.log Changes the logging level for Config
Editor.
ConfigJob Config Jobs logs under Changes the logging level for
%NMSROOT%\files\rme\jobs\Net Configuration Jobs.
ConfigJob
ConfigJobManager Config Job Manager cjp.log Changes the logging level for
Configuration Job Browser.
This log file is used for config purge
jobs

OL-25947-01 17-13

ContractConnection Contract Connection contractcon.log Changes the logging level for
Contract Connections
CTMJRrmServer CTM Jrm Server CTMJrmServer.log Changes the logging level for CTM
JRM Server.
CRI CRI • cri.log Changes the logging level for
• criarvpurge.log Common reporting Infrastructure.
• crijobpurge.log
DeviceManagement • Device • EssentialsDM.log Changes the logging level for Device
Management User Management.
Interface
• Check Device • cda.log Changes the logging level for Check
Attributes User Device Attributes User Interface
Interface
• Device Credential • log files under Changes the logging level for Device
Verification Jobs %NMSROOT%\files\rme\jobs\ Credential Verification jobs.
cda\
• Device • EssentialsDM_Server.log Changes the logging level for Device
Management Management Operations.
Operations
DeviceSelector Device Selector RMEDeviceSelector.log Changes the logging level for Device
Selector.
ICServer • Inventory IC_Server.log Changes the logging level for the IC
Collection Service Server.
• Inventory ICServerUI.log Changes the logging level for
Collection User Inventory Collection User Interface.
Interface
• Inventory Creates job logs under Changes the logging level for
Collection Jobs %NMSROOT%\files\rme\jobs\ICSe Inventory Collection jobs.
rver
Install • Restore Config and CCRImport.log Changes the logging level for the
Image Management Installation modules.
CCR
• Config and Image
Management PSU
Adapter
• Migration
InventoryPoller Inventory Poller Creates job logs under Changes the logging level for
%NMSROOT%\files\rme\jobs\InvP Inventory Poller.
oller
InvReports Inventory Reports invreports.log Changes the logging level for
Inventory Reports.
MakerChecker Maker Checker MakerChecker.log Changes the logging level for the Job
Approval module.

17-14 OL-25947-01

NetConfig Netconfig Client netconfigclient.log Changes the logging level for
rmeextnserver.log Netconfig client.
Tracks the backend functionalities

when VRF Lite or IPSLA
Performance Management invokes
the extension API.
NetShow NetShow Client NetShowClient.log Changes the logging level for
NetShow client.
Portlets Config and Image RMEPortlets.log Changes the logging level for
Management Portlets Inventory, Config & Image
Management Portlets.
RMECommon Common Config and rme.log Changes the logging level for the
Image Management common Inventory, Config & Image
Functions Management functions such as, Job
Management tasks, purge tasks, etc.
RMECSTMServer Config and Image rme_ctm.log Changes the logging level for CSTM
Management CSTM Server.
Server
SoftwareMgmt • Software swim_debug.log Changes the logging level for the user
Management User interface of Software Management
Interface and the Software Management job
creation workflows.
• Software swim_debug.log files under Changes the logging level for
Management Jobs %NMSROOT%\files\rme\jobs\swi Software Management jobs.
m folder
SyslogAnalyzer • Syslog Analyzer SyslogAnalyzer.log Changes the logging level for Syslog
Analyzer.
AnalyzerDebug.log
• SyslogAnalyzer.log—for
Windows
• AnalyzerDebug.log—for
Solaris/Soft Appliance
• Syslog Analyzer SyslogAnalyzerUI.log Changes the logging level for Syslog
User Interface Analyzer User Interface.
VirtualSwitch • Virtual Switch VirtualSwitchClient.log Changes the logging level for Virtual
Client Switching System.

OL-25947-01 17-15

EnergyWise • EnergyWise UI EnergyWiseUI.log Changes the logging level for the user
interface of EnergyWise
• EnergyWise EnergyWiseConfiguration.log Log for provisioning EnergyWise
Provisioning Device and EndPoints.
• EnergyWise EnergyWiseMonitoring.log Log for EnergyWise Monitoring jobs.
Monitoring
• EnergyWise Device EnergyWiseCollection.log Log for EnergyWise Device
Endpoint, and EnergyWiseNative.log Endpoint, and Domain collection.
Domain collection
• EnergyWise Policy EnergyWiseComplianceCheck.log Log for EnergyWise Policy
Compliance EnergyWiseNativeCompliance.log Compliance check.
• EnergyWise Data EnergyWise_Purge.log Log for EnergyWise Data Purge

Purge Settings Settings
• Applying EnergyWiseNativePolicy.log Log for applying EnergyWise to
EnergyWise Endpoints.
Policies to
Endpoints
To track the port and module group backend evaluation exceptions and changes, the following logs are
maintained:
• PMCOGSServer.log
• PMCOGSClient.log
Step 4 Click Reset to apply the default logging levels.
Step 5 Click Apply after you set the log levels,
A message appears, that the log levels have been successfully updated.

17-16 OL-25947-01
Configuring Logging
Configuring Logging
You can enable the debugging option LMS components without restarting the services. When you enable
the debugging option for the selected component, the log levels in the respective properties file is
changed to DEBUG and the debug messages are recorded in the corresponding log files
You can only enable or disable the debugging option. You cannot choose to set different log levels such
as INFO,WARNING, FATAL and ERROR.
To debug Faults, see Fault Debugging Settings
To enable the debugging option for the Common Services components:
Step 1 Select Admin > System > Debug Settings > Common Services Log Configurations.
The CS Log Configurations dialog box displays the following details:
Item Description
Component List of components for which you can enable or disable the debug option
Log File(s) Location Directory of the log files for the selected application
Description Brief description about the selected application
Debug Mode Option to enable or disable the debug mode
Step 2 Select the component from the Component drop-down list box.
You can select to enable the debugging option for the available Common Services components. The
available components include:
• CS Device Groups
• CS Device Selector
• CS Home
• CS Portlets
This component is listed in the drop-down list box only when you have installed the LMS Portal
application in LMS Server.
• Core Admin Module
• DCR Bulk Import and Export
• Device Center
• Device and Credentials Repository
• Home Page Admin
• Licensing
• LMS Setup Center
• Getting Started
This component is listed in the drop-down list box only if LMS Setup Center is installed in LMS
Server.
• Product Instance Device Mapping
• SMTP
• Software Center

OL-25947-01 17-17
Fault Debugging Settings
Step 3 Select the Enable option to enable debugging for the selected application. By default, the Debug Mode
is set to disabled.
Note You can only choose the enable or disable option. You cannot change the log levels to some other
value.

The changes will come into effect after 60 seconds.
You can enable the debugging option for only one component at a time.
To disable the debug mode for all the Common Services components:
Step 1 Select Admin > System > Debug Settings > Common Services Log Configurations.
The CS Log Configurations dialog box appears.
Step 2 Click Reset All to disable the debug mode for all the Common Services components.
The log levels are restored as they are before enabling the debugging option.

Fault Management module writes application log files for all major functional modules. By default, Fault
Management writes only error and fatal messages to these log files; Fault Management saves the
previous three logs as backups. You cannot disable logging. However, you can:
• Collect more data when needed by increasing the logging level
• Return to the default logging level as the norm
This task can be performed by a user logged in to Fault Management in any of the following roles:
• System Administrator
• Network Administrator
• Network Operator
You can also enable debug of the Incharge engine, and execute Incharge Commands. See Enable
Incharge Debugging for more information.
To set the Fault Management debug settings:
Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging Settings
page is displayed.
Note You cannot disable logging. Fault Management will always write error and fatal messages to application
log files.
For each Fault Management functional module, the Error check box is always selected; you cannot
deselect it.

17-18 OL-25947-01
To set all modules to Error, the default logging level:
Step 1 Click the Default button.

A confirmation page is displayed.
Step 2 Click OK.
To change the logging level for individual modules:
Step 1 For each module that you want to change, select one (or deselect all) of the following logging levels:
• Warning—Log error messages and warning messages
• Informational—Log error, warning, and informational messages
• Debug—Log error, warning, informational, and debug messages
Note Deselecting all check boxes for a module returns it to Error, the default logging level.
Step 2 Review your changes.

To cancel your changes, click the Cancel button. Otherwise, click the Apply button.
When you click Apply it starts to reset the changed logging levels for the Fault Management functional
modules.
Enable Incharge Debugging

To do this:
Step 1 Click the Enable Incharge Debugging, and execute Incharge Commands link in the Fault Debugging
Settings page.
The Incharge Command Execution page appears.
Step 2 Select Enable Incharge Debugging check box to enable Incharge logs for the Fault Management module
in LMS.
The logs are available at:
• On Windows:
– NMSROOT\objects\smarts\local\logs\DFM.log
– NMSROOT\objects\smarts\local\logs\DFM1.log
– /opt/CSCOpx/objects/smarts/local/logs/DFM.log
– /opt/CSCOpx/objects/smarts/local/logs/DFM1.log

OL-25947-01 17-19
Setting Debugging Options for Topology and User Tracking
Step 3 You can execute any Incharge command in the Command text box, click Run and view the results in the
Result column.
Some sample commands that you can exceute are:
• sm_server
• brcontrol
• dmctl –s <domain name> geti Routers

If you face issues while running LMS, you can enable logging to debug the same. You can set debugging
options for the following functions:
• Data Collection (see Setting up Debugging Options for Data Collection)
• Configuration and Reports (see Setting up Debugging Options for Network Reports)
• Device Groups (see Setting Debugging Options for Device Groups)
• Topology (see Setting Debugging Options for Topology)
• User Tracking Server (see Debugging Options for User Tracking Server)
• Dynamic User Tracking (see Debugging Dynamic Updates)
• User Tracking Reports (see Debugging Options for User Tracking Reports)
• Dynamic User Tracking Console (see Debugging Options for Dynamic User Tracking Console)
• CiscoView (see Debugging Options for CiscoView)
Setting up Debugging Options for Data Collection

You can set the trace, and debugging, for Data Collection as follows:
Step 1 Select Admin > System > Debug Settings > Data Collection.
The Debugging Options dialog box appears.
Step 2 Modify the debugging options as specified in Table 17-7.
Table 17-7 Data Collection Debugging Options for Data Collection

Enable Debug Select this option to enable You can select the modules for debugging
logging for Data Collection. only if you select this option.
Modules Specify the modules on Click Select to view the available modules
which you need to enable and select the modules in which you want to
debugging. enable debug.
For details on Debug modules, see Selecting
Data Collection Debug Modules

17-20 OL-25947-01
Table 17-7 Data Collection Debugging Options (continued) for Data Collection

File Name Name of the log file in The default log file is NMSROOT\log\ani.log
which the trace messages are
to be recorded.
Maximum File Size Maximum size of the log file None
(lines) in lines
Enable Device Level Debugging
Device IP(s) IP Addresses (IPv4 or IPv6 This field is enabled only when the Device
Addresses) of devices for Level Debugging option is enabled.
which you need to log
debugging messages.
You can enter multiple IP
addresses, separated by
commas.
Step 3 Click Apply.

OL-25947-01 17-21
Selecting Data Collection Debug Modules
Table 17-8 describes the debug modules available for Data Collection in LMS.
Table 17-8 Data Collection Debug Modules
Module Description
framework • Constructs and maintains data in the memory.
• Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because
enabling debugging for this module creates huge logs.
topo Provides network topology computation and layouts.
Enable debugging for this module if you have problems with Topology
computation of devices.
vlad • Discovers VTP domains, VLANs, port-in-VLAN configurations
• Performs VLAN configuration tasks
• Determines Spanning Tree state
Enable debugging for this module if you have problems with VTP, VLAN
reports, and configuration.
ccm Discovers Cisco CallManager (CCM).
Enable debugging for this module if you encounter issues with data collected for
CCM.
vmpsadmin • Discovers end-user hosts on the network
• Records end-user host information in the ANI database
• Manages requests for scheduling user and host discoveries, ping sweeps,
database queries, and updates to user and notes information
Enable debugging for this module if you have problems with User Tracking.
dcrp Provides computation of network discrepancies.
Enable debugging for this module if you have problems in Discrepancy reports.
status Enables status polling on previously discovered devices.
Enable debugging for this module if you have problems with device and link
status polling.
apps Discovers application hosts such as MCS.
Enable debugging for this module if you encounter issues with data collected on
application hosts.
stp Discovers all STP related information from the network.
Enable debugging for this module if you have problems with STP reports and
configuration.

17-22 OL-25947-01
Table 17-8 Data Collection Debug Modules (continued)
Module Description
stpeng • Performs STP configuration tasks
• Provides basic STP analysis for migration from one STP type to another
Enable debugging for this module if you have problems with STP reports and
configuration.
devices Provides specific information, if any, available for device categories.
Enable debugging for this module if you have problems specific to a particular
device type.
Click OK to save the selected modules or click Cancel to exit.
Setting up Debugging Options for Network Reports

If you need information on Network Reports in LMS, you can enable debugging for the same. To do this:
Step 1 Select Admin > System > Debug Settings > Layer2 Configuration and Reports
The debugging page appears.
Step 2 Select the level of debugging. It can be any one of the following:
• INFO
Only informational messages are recorded in the log file.
• DEBUG
All messages related to Configuration and Reports are recorded in the log file.
• FATAL
Messages related to fatal errors are recorded in the log file. This is the default option.
The Log File Name field specifies the location and name of the log file. The default log file is
NMSROOT\log\Campus.log
Step 3 Click Apply.

OL-25947-01 17-23
Setting Debugging Options for Device Groups

If there are errors related to System-defined or User-defined groups in LMS, you can enable debugging
for the same. Its done as follows:
Step 1 Select Admin > System Administration > Debug Settings > Device Groups.
• INFO
Only informational messages are recorded in the log file. This is the default option.
• DEBUG
All client side messages are recorded in the log file.
• FATAL
Messages related to fatal errors are recorded in the log file.
NMSROOT\log\CampusDeviceSelector.log
Step 3 Click Apply.
Setting Debugging Options for Topology

You can enable debugging for Topology Services client side activities. The debugging information will
be available in the Java Console.
To display Java Console:
Step 1 Select Start > Settings > Control Panel > Java.
Step 2 Select the Advanced tab.
The corresponding tree structure is displayed.
Step 3 Go to the tree and select Java Console > Show Console.
Step 4 Click Apply and then OK.
The Java console is displayed when you launch Topology Services.
Note In case you close the Java Console, to reopen it, close the Topology window and relaunch it.

17-24 OL-25947-01
To enable debugging:
Step 1 Select Admin > System > Debug Settings > Topology.
• TRACE
Only informational messages are displayed in the Java Console.
• DEBUG
All Topology Services client side messages are displayed in the Java Console.
• ERROR
Messages related to all errors are displayed in the Java Console. This is the default option.
Step 3 Click Apply.
To change log level settings:
Step 1 Close the Topology Services window.

Step 2 Change the settings in the LMS Administration page.
Step 3 Re-launch Topology services.
Debugging Options for User Tracking Server

To debug events related to all User Tracking server side processes:
Step 1 Select Admin > System > Debug Settings > User Tracking Server.
The debugging page appears. See Table 17-9 for a description of the fields:
Table 17-9 User Tracking Server Side Debugging Options

Enable Debug Check this option to enable You can select the modules for debugging
logging for User Tracking only after you select this option.
Server side activities.
Modules Specify the modules on Click Select to view the available modules
which you need to enable and select the modules in which debug is to be
debugging. enabled. Table 17-8 lists the debug modules
available for User Tracking Server.
File Name Name of the log file in The default log file is NMSROOT\log\ut.log
which the trace messages are
to be recorded.

OL-25947-01 17-25
Table 17-9 User Tracking Server Side Debugging Options (continued)

Maximum File Size Maximum size of the file in
(lines) lines
Enable Device Level Debugging
Device IP(s) IP addresses of devices for This field is enabled only when the Device
which you need to log Level Debugging option is enabled.
debugging messages.
You can enter multiple IP
addresses, separated by
commas.
Step 2 Click Apply.
Selecting User Tracking Server Side Debug Modules
Table 17-8 describes the debug modules available for User Tracking Server in LMS.
Table 17-10 User Tracking Debug Modules
Module Description
user tracking Provides user tracking functionality. Enable debugging for this if user tracking
fails to discover end hosts as expected.
framework • Constructs and maintains data in the memory.
• Provides framework for LMS features.
Enable debugging for this module only when requested by TAC. This is because
enabling debugging for this module creates huge logs.
devices Provides specific information, if any, available for device categories.
Enable debugging for this module if you encounter issues specific to a particular
device type.
Click OK to save the selected modules or click Cancel to exit.
Debugging Dynamic Updates

You can set the debugging options required for Dynamic Updates. Enabling debugging, records all the
required information to the log files.
To enable debugging Dynamic Updates:
Step 1 Select Admin > System > Debug Settings > Dynamic User Tracking.
Step 2 Check Enable Debug to set the options.

17-26 OL-25947-01
Step 3 Select the Service Name from the drop down list in the Service Name field.
The framework modules appear in the Module Name column. The framework modules depend on the
service that you select.
Step 4 Select the debug level for each module.
The debug level options are INFO, DEBUG, and TRACE.
INFO logs minimum information required for debugging and is the default option. DEBUG is the next
level of debugging. TRACE provides complete debugging information and creates huge logs.
Step 5 Enter the filename for the log file in the Log Filename field.
• The default log file for UT LITE is NMSROOT\log\utlite.log
• The default log file for MACUHIC is NMSROOT\log\macuhic.log
• The default log file for UTManager is NMSROOT\log\utm.log
The default value for Log file size is 1,000,000 lines. You can give values between 1 and 2,147,483,647.
Giving zero or negative values or alphabets results in errors.
Step 6 Click Apply to save the settings.
Dynamic User Tracking modules available for debugging are explained in Table 17-11:
Note Enabling debugging for these modules creates huge logs, which interferes with the Trap processing
capability of LMS. We recommend that you enable debugging for this module only when requested by
TAC.
Table 17-11 Dynamic User Tracking Debug Modules
Module Description
UT Lite
control plane Handles configuration events related to:
• Log level Settings
• Log file
• Port number
For example:
If you changed the log file from X to Y, but logging still happens in X , enable debugging
for this module.
listener Listens to data sent by the UTLite script installed in the Windows or Novell server.
Checks for the integrity of the data received.
execution framework Handles code level execution of the data received.
Enable debugging for this module to debug Java related errors.
execution Processes and validates the data received.
UTLite receives MACAddress, IPAddress and User logged in for the end host. This
information is updated to the database only if the endhost has been discovered in last UT
Major Acquisition cycle or through Dynamic User Tracking.

OL-25947-01 17-27
Table 17-11 Dynamic User Tracking Debug Modules (continued)
Module Description
MACUHIC
• Log file
• Port number
listener Listens to SNMP traps sent by devices.
execution framework Handles code level execution of data received by MACUHIC.
decoder Validates the traps sent by devices by checking whether:
• The trap is sent by a device managed by LMS.
• The SNMP version is correct
execution Checks whether:
• The data received is duplicate data
• If the data is sent by a Link port or Access port.
Dynamic UT does not process traps sent from link ports.
Updates the database with information received and forwards it to UTManager for further
processing.
UTManager
• Log file
• Port number
listener Listens to data sent by UTLite and MACUHIC.
execution framework Handles code level execution of data received by UTManager.
decoder Validates the data received from UTLite, MACUHIC, SNMP data from DHCP Snooping
MIB and the other data sent by external systems.
execution Processes the data received and updates the database.
es framework Handles queries sent to External Systems.
es.snmp Handles SNMP queries sent to External Systems.
es.subnet Performs subnet calculation based on the information sent by External Systems.
es.db Handles database operations.

17-28 OL-25947-01
Debugging Options for User Tracking Reports

You can debug events related to User Tracking client side activities as follows:
Step 1 Select Admin > System > Debug Settings > User Tracking Reports. The debugging page appears.
• INFO
Only informational messages are recorded in the log file. This is the default option.
• FATAL
Messages related to fatal errors are recorded in the log file.
• DEBUG
All User Tracking client side messages are recorded in the log file.
NMSROOT\log\Cmapps.log
Step 3 Click Apply.
Debugging is enabled for UT client side activities and the messages are recorded in the corresponding
log file.
Debugging Options for Dynamic User Tracking Console

This feature helps you to troubleshoot Dynamic User Tracking updates in a detailed way. Dynamic UT
consists of three major processes:
• UTLite
• UTManager
• MACUHIC
Each process monitors different error conditions using circular buffers in the memory. For each error
condition, the buffer will have the count of error occurrences and the conditions under which the error
occurred.
You can write this information from the memory to a file if you need to, and troubleshoot based on that.
To enable Dynamic User Tracking Console:
Step 1 Select Admin > System > Debug Settings > Dynamic User Tracking Console.
Step 2 Select the Service name from one of the following:
• UTLite
• UTM
• MACUHIC
The error conditions related to that process are listed under the Error Details section.

OL-25947-01 17-29
Setting VRF Lite Debugging Options
Step 3 Select the error condition for which you need details and click Generate.
A new file is generated with all the error details and stored in the LMS server. It is also listed under the
File list pane.
Step 4 Select a file and:
• Click View to see the file contents.
• Click Download to save the file in your local machine.
• Click Delete to delete the file from the server. You can delete multiple files at the same time.
Debugging Options for CiscoView

You can set an SNMP and activity trace and/or view the trace log. This option records trace information
into the cv.log file, which is located at %NMSROOT%/MDC/tomcat, where %NMSROOT% is the
directory in which CiscoView is installed.
Step 1 Select Inventory > Tools > CiscoView.

Step 2 Select a device from the device selector, and select Administration > Debug Options And Display
Log.
The Trace Settings dialog box appears.
Step 3 Select either or both of the following and then click Apply:
• SNMP Trace — Displays SNMP request and response pairs, MIB instance ID, data value, data type,
request method, and time stamp.
• Activity Trace — Displays server activity such as which device and dialog boxes are open.
Step 4 Click View Trace to see the trace activity in a separate window.

If you face issues while running VRF Lite, you can enable logging to debug the same. You can set
debugging options for the following functions:
• VRF Lite Server (see VRF Lite Server Debugging Settings)
• VRF Lite Collector (see VRF Lite Collector Debugging Settings)
• VRF Lite Client (see VRF Lite Client Debugging Settings)
• VRF Lite Utility (see VRF Lite Utility Debugging Settings)
You can click Reset All on the Debugging Settings page to reset the debug levels of functions listed.

17-30 OL-25947-01
VRF Lite Server Debugging Settings

VRF Lite Server is used to serve all the requests for VRF Lite configurations tasks. The VRF Lite Server
effectively controls and handles all VRF Lite configuration tasks that include deployment of VRF Lite
configuration details to the selected devices and interfaces using LMS. The VRF Lite Server also fetches
the data from the VRF Lite database for report generation.
To apply the debugging level to the VRF Lite Server:
Step 1 Select Admin > System > Debug Settings > VRF Lite Server Debugging.
The VRF Lite Server Debugging dialog box appears. The default location of the log file for VRF Lite
Server Debugging Settings is NMSROOT\log\Vnmserver.log.
The Debug levels in the VRF Lite Server Debugging Settings dialog box is as described in Table 17-12.
Table 17-12 Settings in VRF Lite Server Debugging
Field Description
Debug Level
INFO Only informational messages are recorded in the log file.
DEBUG All messages related to VRF Lite Server are recorded in the log file.
ERROR Error is the default logging level. Messages related to fatal errors
are recorded in the log file. This is the default option.
Reset Click Reset to reset the debug levels applied to VRF Lite Server, to
default value.
Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Server.

OL-25947-01 17-31
VRF Lite Collector Debugging Settings

VRF Lite Collector collects all the VRF Lite related information from the managed devices on your
network. You can get the information on readiness details of the devices on which VRF Lite can be
configured.
To apply the debugging level to the VRF Lite Collector:
Step 1 Select Admin > System > Debug Settings > VRF Lite Collector Debugging.
The VRF Lite Collector Debugging Settings dialog box appears.The default location of the log file for
VRF Lite Collector Debugging Settings is NMSROOT\log\Vnmcollector.log.
The Debug levels in the VRF Lite Collector Debugging Settings dialog box are as given in Table 17-13:
Table 17-13 Settings in VRF Lite Collector Debugging
Field Description
Debug Level
DEBUG All messages related to VRF Lite Collector are recorded in the log
file.
are recorded in the log file.
Reset Click Reset to reset the debug levels applied to VRF Lite Collector,
to default value.
Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Collector.

17-32 OL-25947-01
VRF Lite Client Debugging Settings

VRF LiteVRF Lite Client refers to the Graphical User Interface (GUI) pages used to perform VRF Lite
tasks. When you use the GUI pages to perform a task, the logs specific to the tasks are recorded. The
recorded logs can be debugged using VRF Lite client debugging settings.
To apply the debugging level to the VRF Lite Client:
Step 1 Select Admin > System > Debug Settings > VRF Lite Client Debugging.
The VRF Lite Client Debugging Settings dialog box appears.The default location of the log file for VRF
Lite Client Debugging Settings is NMSROOT\log\Vnmclient.log.
The Debug levels in the VRF Lite Client Debugging Settings dialog box is as described in Table 17-14:
Table 17-14 Settings in VRF Lite Client Debugging
Field Description
Debug Level
DEBUG All messages related to VRF Lite Client are recorded in the log file.
Reset Click Reset to reset the debug levels applied to VRF Lite Client, to
default value.
Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Client.
VRF Lite Utility Debugging Settings

VRF LiteVRF Lite Client refers to the utility classes used in VRF Lite like DB, JRM and so on. When
the utility classes are executed, the logs specific to the utility classes are recorded. The recorded logs can
be debugged using VRF Lite utility debugging settings.
To apply the debugging level to the VRF Lite Utility:
Step 1 Select Admin > System > Debug Settings > VRF Lite Utility Debugging.
The VRF Lite Utility Debugging Settings dialog box appears.The default location of the log file for VRF
Lite Client Debugging Settings is NMSROOT\log\Vnmutility.log.
The Debug levels in the VRF Lite Utility Debugging Settings dialog box is as described in Table 17-15:
Table 17-15 Settings in VRF Lite Utility Debugging
Field Description
Debug Level

OL-25947-01 17-33
Table 17-15 Settings in VRF Lite Utility Debugging (continued)
Field Description
DEBUG All messages related to VRF Lite Utility are recorded in the log file.
Reset Click Reset to reset the debug levels applied to VRF Lite Utility, to
default value.
Step 2 Select a debug level and click Apply to apply the selected debug level to the VRF Lite Utility.

17-34 OL-25947-01
CHAPTER 18
Understanding LMS Tasks
This section briefly describes all the LMS tasks. See the Online help for further details.
This section explains the following LMS task groups:
• Understanding Admin Tasks
• Understanding Report Tasks
• Understanding Configuration Tasks
• Understanding Monitor Tasks
• Understanding Inventory Tasks
• Understanding Work Center Tasks
Note You should enable the Browse Jobs task to schedule any job across LMS.
Understanding Admin Tasks

This section explains the following Admin task groups:
• Understanding System Tasks
• Understanding Trust Management Tasks
• Understanding Network Tasks
• Understanding Collection Tasks
• Light Weight Messaging System
• Jobs
• Getting Started
• Manage Portal

OL-25947-01 18-1
Chapter 18 Understanding LMS Tasks
Understanding System Tasks

This section explains the following System task groups:
• Log Rotation
• Cisco.com Settings
• Licensing
• Software Center
• Debug Settings
• System Preferences/Device Management Functions
• User Management
• Server Monitoring
• DBReader Access
• Group Management
• Authentication Mode Setup
• Backup
• SMTP Default Server
Log Rotation
You can configure log rotation settings and schedule log rotation jobs.
Cisco.com Settings
You can configure Cisco.com Settings like:
• Proxy Server Setup
You can update the proxy server configuration.
– Apply Proxy Server Settings:
You can set up the proxy server details.
– Remove Proxy Server Settings:
You can remove the proxy server settings that are already set up.
• Cisco.com User Account Setup
You can add and modify Cisco.com user login names and password.
Licensing
You can register your software and obtain a product license.

18-2 OL-25947-01
Software Center
This section explains the following Software Center task groups:
• Schedule Device Downloads
You can schedule device package downloads and specify the time, frequency of the downloads, and
specify download policies if you have permissions.
• Device Update
You can view a list of all Cisco Prime related devices packages on your system, and the count of
devices supported. The source location could be Cisco.com or the Server Side Directory.
– Check For Updates
You can check for new device updates.
– Delete Device Packages
You can delete packages that are outdated or no longer used.
• Software Update
You can perform the following tasks:
– Download Updates
You can download the selected updates from Software Center.
– Select Updates
You can select new software packages to update the product.
Debug Settings
This section explains the following Debug Settings tasks:
• Layer2 Configuration/Reports and User Tracking Debug Options
You can configure the debug options for Layer2 Configuration and Reports and User Tracking.
• Config and Image Management debugging settings
– Loglevel Settings - Defaults/Apply
You can set different logging levels such as Fatal, Error, Warn, Info, or Debug for individual
Config and Image Management packages.
• IPSLA Debugging Settings
You can view, set or reset the log levels for all the modules of IPSLA Performance Management.

OL-25947-01 18-3
• VRF Lite Debug Settings

You can set debugging options for:
– VRF Lite Server
– VRF Lite Collector
– VRF Lite Client
– VRF Lite Utility
• Common Services Log Configurations
You can enable or disable the debugging option for Common Services components without
restarting the services.
• Fault Debugging Settings
You can change the logging level of all the functional modules of Fault Management.
• Performance Debugging Settings
You can configure and manage log level settings of Device Performance Management function of
LMS.
System Preferences/Device Management Functions

You can configure system-wide information on the LMS Server.
You can also enable or disable LMS functions like:
User Management
This section explains the following User Management tasks:
• Local User Setup
– Edit User
You can modify a local user in LMS Server, assign roles, and specify the authorization type.
– Delete User
You can delete a local user profile from the LMS Server.
– Modify My Profile
You can modify your local user profile in LMS Server.
– Add User
You can add a local user in LMS Server.
– Import/Export Users
You can import local users from the client or from ACS. You can import local users from ACS
only through CLI and not from the UI.
You can export the local users.

18-4 OL-25947-01
• Notify Users
You can broadcast messages to online users.
• Local User Policy Setup
You can setup username and password policies for local authentication users in LMS.
• Role Management Setup
The Role Management tasks are listed below:
– Delete Role
You can delete user-defined roles.
– Add Role
You can add user-defined roles.
– Edit Role
You can edit user-defined roles.
– Import/ Export Roles
You can import roles in the XML format from the client.You can export roles in the XML
format. The file will be saved in the client.
– Copy Role
You can use this option to copy a role.
– Default Role
You can set a role as a default role. When multiple roles are set as default role, the user will be
assigned with all the roles selected as default roles.
Server Monitoring
This section explains the following Server Monitoring task groups:
• Process
– Start Processes
You can start the Cisco Prime processes.
– Stop Processes
You can stop the Cisco Prime processes.
• Collect Server Information
– Create Collect Server Information
You can get the required information about the server.
This includes system information, environment, configuration, logs, web server information,
device and credentials administration information, and grouping services information.
– Delete Collect Server Information
You can delete the collected server information.
• DiskWatcher Configuration
You can configure disk space threshold level.

OL-25947-01 18-5
• Selftest
You can view self test reports to test some basic functions of the server.
– Create Self test
You can test the basic functions of server.
– Delete Self test
You can delete the collected self test information.
DBReader Access
You can run the DBReader utility from a Cisco Prime client to access the database and troubleshoot
database issues.
Group Management
The Groups feature helps you to group devices managed by LMS. It helps to create, manage and share
groups of devices. This section explains the following Group Management task groups:
• Device Groups
– Delete Group
You can delete a group from the Group Selector.
When you delete a group, all the child groups under the group are also deleted. You can also
delete the stale groups (groups that are belonging to users removed from Cisco Prime).
– Edit Group
You can modify some of the device groups.
– Export Group
You can export a selected group or all user-defined groups from all applications, to an output
file.
– Group Refresh
You can recompute the membership of a group by re-evaluating the group's rule. The
membership of Automatic groups is recomputed dynamically.
– Create Group
You can create device groups.
– Import Group
You can import user-defined device groups from an input XML file.
– Group Details
You can view the details of a group.
Authentication Mode Setup

You can use your current authentication database for Cisco Prime authentication and select a login
module (Kerberos, TACACS+, RADIUS, and others), and set their options.
Backup
Allows you to backup the database regularly. It also lets you schedule immediate, daily, weekly, or
monthly automatic database backups.

18-6 OL-25947-01
SMTP Default Server

You can specify the default SMTP server.
Understanding Trust Management Tasks

This section explains the following Trust Management task groups:
• Multi Server
• Local Server
Multi Server
You can perform the following multi-server management tasks:
• Peer Server Certificate Setup
You can add the certificate of another LMS Server into its trusted store. This allows LMS Servers
to communicate with one another using SSL.
– Delete Peer Certificate
You can delete the peer certificate.
– View Peer Certificate
You can view the details of an existing peer certificate.
– Add Peer Certificate
You can add the certificate of a peer LMS Server into its trusted store.
• System Identity Setup
You can setup a System Identity user on servers that are part of a multi-server setup. This user
enables communication among servers that are part of a domain.
• Peer Server Account Setup
You can create users who can log into LMS Servers and perform certain tasks.
– Peer Server Accounts Delete
You can delete a secret user set up in the LMS Servers.
– Peer Server Accounts Add
You can add a secret user who can programmatically login to multiple LMS Servers and perform
certain tasks.
– Peer Server Accounts Edit
You can edit a secret user setup in the LMS Servers.
• Single Sign-On Setup
You can use your browser session to transparently navigate to multiple LMS Servers without
authenticating to each server.

OL-25947-01 18-7
Local Server
• Certificate Setup
You can create a self-signed certificate from the user interface.
• Browser-Server Security Mode Setup
You can enable browser-server security.
Understanding Network Tasks

This section explains the following Network task groups:
• Best Practices Deviation Settings
• Monitor/ Troubleshoot
• Notification and Action Settings
• CAAM Policy and PSIRT/EOS and EOL Settings
• Discovery Settings
• Purge Settings
• Configuration Job Settings
• Device Credential Settings
• Change Audit Settings
• Resource Browser
Best Practices Deviation Settings

You can customize the Discrepancies Report and Best Practices Deviations Report to display only those
discrepancies and Best Practice Deviations about which you want to be notified.
Monitor/ Troubleshoot
This section explains the following Monitor and Troubleshoot tasks:
• NAM Configuration
You can view, add, edit, or delete the NAM configuration details.
• Load MIB
You can load a MIB file.
• RMON Configuration
You can enable RMON on all ports in selected devices.
• Fault Poller settings for topology
You can configure fault poller settings for Topology.

18-8 OL-25947-01
Notification and Action Settings

This section explains the following Notification and Action Settings tasks:
• Performance - Syslog notification
You can update, create, edit, or delete a syslog receiver group.
• IPSLA Syslog Configuration
You can view, enable or disable IPSLA syslog configuration.
• Performance - SNMP Trap notification
You can create, edit, or delete a trap receiver group.
• Fault Syslog Notification
You can add, edit, suspend, resume, or delete a syslog notification subscription.
• Fault - SNMP trap notification
You can add, edit, suspend, resume, or delete an SNMP trap notification subscription.
• ChangeAudit Automated Actions
You can define automated actions on creation of change audit record. You can create, edit, delete,
enable, disable, export, or import an automated action.
• Event Sets
You can configure a set of events that you want to monitor.
• Fault - SNMP trap forwarding
You can forward SNMP traps from devices in the LMS inventory
• Fault - SNMP trap receiving settings
You can update SNMP trap receiving port.
• Fault - Email notification
You can add, edit, suspend, or resume a subscription for e-mail notification.
You can also delete e-mail notification subscriptions that are no longer useful or are redundant.
• Syslog Message Filters
You can create, edit, delete, enable, disable, export, or import syslog message filter.
• Fault Notification Customization
You can customize names and event severity.
• Fault - Email subject customization
You can customize the e-mail subject for forwarded events.
• Inventory and Config collection failure notification
You can configure the destination server and port to receive trap notification on inventory collection
or config fetch failure.
• Syslog Automated Actions
You can create, edit, delete, enable, disable, export, or import a syslog automated action.
• Fault Notification Group
You can add, edit, or delete fault notification groups.

OL-25947-01 18-9
CAAM Policy and PSIRT/EOS and EOL Settings

This section explains the following CAAM Policy and PSIRT/EOS and EOL Settings task:
• PSIRT/EOX reports option
You can use the PSIRT/EOX Reports option to change the data source for generating a PSIRT or
End-of-Sale or End-of-Life report.
Discovery Settings
This section explains the following Discovery Settings tasks:
• Settings
You can:
– View Discovery Settings
You can view the summary of device discovery settings.
– Configure Discovery Settings
You can configure the settings required to run a discovery job.
– Discovery Status
You can view the status of device discovery.
– Start Stop Discovery
You can also start or stop a device discovery.
• Schedule
You can add a device discovery schedule.
Purge Settings
This section explains the following Purge Settings tasks:
• Config Job purge settings
You can configure the following config job settings:
– Job Purge - Schedule/Enable/Disable/Purge Now
You can schedule, enable, or disable purging of configuration management jobs.
You can also immediately purge the jobs.
– Job Purge
You can purge the config jobs.
• Syslog Backup Settings
You can set the syslog backup policy.
• IPSLA data Purge Settings

18-10 OL-25947-01
You can set the purge period for IPSLA historical data and for audit reports. You can configure the
following IPSLA data Purge settings:
– Apply IPSLA Purge Settings
You can apply IPSLA purge settings.
– IPSLA Purge Settings
You can view IPSLA purge settings
– Default IPSLA Purge Settings
You can apply default IPSLA purge settings.
• Syslog Force Purge
You can perform a forced purge of syslog messages
• Performance Job Purge Settings
You can configure the following performance Job purge settings:
– Do Immediate Job Purge
You can immediately purge the performance jobs.
– Schedule Job Purge
You can schedule a performance job purge.
• Fault History Purging Schedule
Configure the daily fault history purging schedule.
• VRF Lite Purge Settings
You can purge VRF Lite jobs or report archives.
• ChangeAudit Force Purge
You can perform a forced purge of change audit.
• Config Archive Purge Settings
You can define the configuration archive purge policy.
• ChangeAudit Purge Policy
You can set the change audit purge policy.
• Performance data purge settings
You can configure the following performance data purge settings:
– Do Immediate Data Purge
You can immediately purge the performance data .
– Schedule Data Purge
You can schedule a performance data purge.
• Syslog Purge Settings
You can specify a default policy for the periodic purging of syslog messages.
• Layer2 Services and User Tracking Report Purge
You can purge Layer2 services jobs or report archives.

OL-25947-01 18-11
Software Image Management

This section explains the following Software Image Management task:
• View/Edit Preferences
You can set or change software management preferences
Configuration Job Settings

This section explains the following Configuration Job Settings tasks:
• Assign Approver Lists
You can assign an approver list to the applications
• Create/Edit Approver Lists
You can create, edit, or delete approver lists
• Approver Details
You can specify approver details
• Approval Policies
You can set up job approval for the applications
• Config Job Policies
You can define the default job policies for configuration management applications
Device Credential Settings

This section explains the following Device Credential Settings tasks:
• User Defined Fields
You can add, rename, or delete the user-defined fields used to store additional information about a
device.
– Register/Unregister 3rd Party Application in DCR
You can register or unregister third party applications in DCR.
– Add User Defined Fields in DCR
You can add a User Defined Field to to store the additional information about a device.
– Rename User Defined Fields in DCR
You can rename a User Defined Field.
– Delete User Defined Fields from DCR
You can delete a User Defined Field.
• Mode Settings
You can change DCR mode settings to master, slave or standalone.
• Verification Settings
You can select the credentials that need to be verified while adding devices.

18-12 OL-25947-01
Change Audit Settings

This section explains the following Network Administration tasks:
• Inventory Change Filter
You can set inventory change filters.
• Exception Period
You can specify the time when no network changes should occur.
Resource Browser
This section explains the following Resource Browser tasks:
• Browse Resources
You can view the details of resources and manage resources.
• Free Resources
You can free-up locked resources.
Understanding Collection Tasks

This section explains the following Collection task groups:
• Inventory Collection Settings
• Config Collection Settings
• Data Collection Settings
• Syslog Collection Settings
• Performance Collection Settings
• User Tracking Collection Settings
• Fault Collection Settings
• VRF Lite Collection Settings
Inventory Collection Settings

You can set the default values for inventory, config timeout, and retry settings. This section explains the
following Inventory Collection Settings tasks:
• Inventory Jobs
You can view the Inventory job browser, and view, create, stop, delete, or edit an inventory collection
or polling job.
• Inventory, Config Timeout and Retry Settings
You can edit the inventory, config timeout, and retry settings.

OL-25947-01 18-13
Config Collection Settings

This section explains the following Config Collection Settings tasks:
• Config Archive settings
You can configure the Config Archive settings. You can move the configuration archive location,
archive the running configuration, or enable or disable the use of shadow directory.
• Config Collection Settings
You can define the configuration collection setting. You can modify how and when the configuration
archive retrieves configurations.
• Secondary Credentials Settings
You can enable or disable the secondary credentials fallback.
• Config Transport Settings
You can view or define the protocol order for configuration management applications
• Config Job Timeout Settings
You can configure the Job Result Wait Time per device for the Sync Archive jobs.
Data Collection Settings

This section explains the following Data Collection Settings tasks:
• Data Collection schedule
You can schedule the day and time of Data Collection.
• Start Data Collection
You can start Data Collection.
• Layer2 Administration Settings
You can configure Layer2 administration settings.
Syslog Collection Settings

This section explains the following Syslog collection tasks:
• Subscribe/Unsubscribe Collector
You can subscribe or subscribe to a Common Syslog Collector.
• Collector Status/Update
You can view the status of the Common Syslog Collector to which the Syslog Analyzer is subscribed
to.

18-14 OL-25947-01
Performance Collection Settings

This section explains the following Performance collection tasks:
• IPSLA application settings
You can configure the following IPSLA application settings:
– Copy IPSLA Configuration to Running-config
You can view the configured collectors in the running configuration. You can also retain the
default settings.
– Set a source interface address
You can set a source interface address for the source router. You can also retain the default
settings.
• Performance Management SNMP timeouts and retry settings
You can configure the Performance Management SNMP timeout and SNMP retries. You can also
configure other Poll Settings.
User Tracking Collection Settings

This section explains the following User Tracking collection tasks:
• User Tracking device trap configuration
You can configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when
a host is connected to or disconnected from that port.
• User Tracking Acquisition Action
You can trigger the following acquisitions:
– Device based Acquisition
– Subnet based Acquisition
– IP Phone Acquisition
• User Tracking trap listener configuration
You can configure the trap listener to direct the traps through HP Open View (HPOV) or LMS Fault
Monitor.
• User Tracking Acquisition Settings
You can configure User Tracking Acquisition settings to collect usernames during UT Major
Acquisition and update the UT table.
• User Tracking Acquisition Schedule
You can modify UT acquisition schedule.
• User Tracking Administration Settings
You can configure the various User Tracking administration settings.

OL-25947-01 18-15
Fault Collection Settings

This section explains the following Fault collection tasks:
• Fault Management Rediscovery Schedule
You can suspend, or resume the Fault Management rediscovery schedule, and add, modify, or delete
additional schedules.
• Fault Monitoring Device Administration
You can rediscover specific devices.
• Fault Management SNMP timeouts and retries
You can modify the Fault Management SNMP timeout and retries.
• Collection Summary Portlet
You can view the report of successful and failed devices for fault discovery in this portlet.
• Fault Event Forensics Configuration
You can enable the Event Forensics collection feature on LMS server to start collecting the event
forensics data.
VRF Lite Collection Settings

This section explains the following VRF Lite collection tasks:
• VRF Lite SNMP Timeouts and Retries
You can modify the SNMP timeouts and retries when VRF Lite Collection fails for a particular
device with SNMP timeout exceptions.
• VRF Lite Collector Schedule
You can schedule the VRF Lite Collector process to run after every Data Collection. You can also
add, edit and delete VRF Lite Collector Schedule jobs.
Light Weight Messaging System

The Light Weight Messaging system allows you to perform the following task:
• Event Listener
You can use this tool to send and receive events.
Jobs
You can perform the following Job tasks:
• Browse Jobs
You can use the job browser and view the details of individual jobs.
Note You should enable the Browse Jobs task to schedule any job across LMS.
• Delete Job
You can use the job browser to delete the jobs.
• Stop Job
You can stop the jobs using the job browser.

18-16 OL-25947-01
Understanding Report Tasks
Getting Started
You can perform the Getting Started tasks.
Manage Portal
You can manage all the portlets.

This section explains the following Report task groups:
• Understanding Fault and Event Report Tasks
• Understanding Report Archives Tasks
• Understanding Report Designer Tasks
• Understanding Inventory Report Tasks
• Understanding Audit Report Tasks
• Understanding Technology Report Tasks
• Understanding Performance Report Tasks
• Understanding System Report Tasks
• Understanding Switch Port Report Tasks
• Schedule Reports in Layer2 Services and User Tracking
• User Tracking Job Archives
• Layer2 Services Job Archives
• Inventory/Syslogs/Change Audit Generate Reports
• Inventory/Syslogs/Change Audit View All Reports
• Inventory/Syslogs/Change Audit View Own Reports

OL-25947-01 18-17
Understanding Fault and Event Report Tasks

This section explains the following Fault and Event report task groups:
• Threshold Violation
• Best Practices
• Syslogs
• History
Threshold Violation
You can generate this report which displays threshold violations details for each device based on the
polled data.
• Thresholds
You can create reports based on the threshold configured for the MIB variable. You can create, or
view reports for specific threshold MIB variables. These reports are called IPSLA Threshold
Violation reports.
• TrendWatch Summary
You can create consolidated reports based on the TrendWatches configured for the MIB variable.
You can create, view summary reports of TrendWatch MIB variables.
Best Practices
You can generate the following Best Practices and Discrepancy reports:
• Acknowledge/Unacknowledge Discrepancy
You can acknowledge a Best Practice Deviation that you no longer want to see in the Best Practices.
You can also unacknowledge the acknowledged Best Practise Deviations to reappear in the Best
Practise Deviations Report.
• Discrepancies
You can fix the discrepancies detected in the network.
• Fix Best Practice Deviation
You can the fix Best Practice Deviation detected in the network.
• Fix Discrepancy
You can the fix discrepancies detected in the network.
• Deviation
You can view best practice deviation report.
Syslogs
You can use Custom Reports along with Syslogs to generate GOLD test reports.
You can also use Custom Reports along with Syslogs to generate Embedded Event Manager reports.

18-18 OL-25947-01
History
You can search fault history database for device issues.
• Event History
You can view the fault history report for a given event ID.
• Event Monitor/ Device Fault
You can view information on events in device for the past 31 days.
Event Monitor is a centralized place where in you can view the event details of all devices and device
groups.
Understanding Report Archives Tasks

This section explains the following Report Archives task groups:
• IPSLA
• Inventory and Syslog
• Layer2 Services and User Tracking
IPSLA
You can manage IPSLA archived reports. You can perform the following tasks:
• List Report Archives
You can list the IPSLA report archives.
• Delete Report
You can delete the IPSLA report archives.
Inventory and Syslog

You can view the list of the completed report jobs that you own or all report jobs.
Layer2 Services and User Tracking

You can view and delete archived Layer2 Services and User Tracking reports.
Understanding Report Designer Tasks

You can view, modify, or create new report templates for:
• User Tracking
• Syslog and Inventory
User Tracking
• Custom Layouts
You can view the list of Custom layouts.
• Custom Reports
You can customize the layout and columns displayed in the UT reports to suit your needs.

OL-25947-01 18-19
Syslog and Inventory

• Custom Report Template
You can create new report templates customized according to your requirements. You can also view,
add and edit, delete existing custom templates, view your own templates or view all templates.
Understanding Inventory Report Tasks

You can generate inventory reports and this section explains the following Inventory Report task groups:
• Device Attributes
• User Tracking
• Management Status
Device Attributes
You can view device attributes report.
User Tracking
You can create, schedule, and view various UT reports like:
• End Host History
You can view the login and logout information of the endhosts
• User Tracking System and Custom Reports
You can view User Tracking system and custom reports
Management Status
You can generate device credentials, device and credentials admin reports, and inventory and config
Collection Status report.
• Inventory and Config Collection Status
You can generate the Inventory and Config Collection Status Report which helps you to identify
possible causes for Inventory and Configuration collection failure and take timely corrective action.
Understanding Audit Report Tasks

You can generate audit reports like:
• System
• Performance
• Inventory and Config
System
You can generate system audit report.

18-20 OL-25947-01
Performance
You can generate performance audit report.
Inventory and Config

You can generate inventory and config audit report.
Understanding Technology Report Tasks

You can generate the following technology reports:
• VLAN
• VRF Lite
VLAN
You can generate VLAN reports for devices, switch clouds, or VTP domains.
VRF Lite
You can generate the following VRF Lite Reports:
• VRF Lite and VRF Lite Readiness report
You can generate Device Based VRF-Lite reports and VRF Based reports. You can also generate the
VRF Lite Readiness report which provides the devices details that comply with the basic hardware
and software support available, in contrast to the required support on the devices to configure VRF.
Understanding Performance Report Tasks

This section explains the following Performance Report task groups:
• Create Performance Report
• View Performance Report
• Poller
• Device
• Create IPSLA Report
• View IPSLA Job Details
• View IPSLA Report
• Custom
Create Performance Report

You can generate, or view performance reports like:
• Interface Report
Displays the Interface availability information of a device during the last 24 hours. It also displays
Interface utilization and error rate information for a device interface during the last 24 hours.
• IPSLA Detailed Report
You can generate various IPSLA detailed reports.

OL-25947-01 18-21
• IPSLA Summary Report

You can generate system reports for all collectors based on the report types and granularity after the
consolidation of the statistical data.
• EnergyWise Device Power Usage
Displays the power usage data for each device that is polled for the EnergyWise Device Power Usage
template.
• EnergyWise Port Power Usage
Displays the power usage data for each port that is polled for the EnergyWise Port Power Usage
template.
• PoE Port Utilization Report
Displays the port level utilization for each device polled for the Power Over Ethernet (PoE) Port
Utilization template.
• PSE Consumption report
Displays the power utilization and losses for each device polled for the Power Over Ethernet PSE
Consumption template.
• IPSLA Audit report
Displays all IPSLA related audit changes that occurred in the network during a specified time
period.
View Performance Report

You can view performance reports like:
• Interface Report
• IPSLA Detailed Report
• IPSLA Summary Report
• EnergyWise Device Power Usage
• EnergyWise Port Power Usage
• PoE Port Utilization Report
• PSE Consumption report
• IPSLA Audit report
Poller
You can:
• View Poller Report
You can view Poller Reports based on the template added in a given Poller.
• Create Poller Job
You can create Poller Reports based on the template added in a given Poller.
Device
You can view device availability and performance parameters of a device.
• Device Performance
You can view performance parameters of a device.

18-22 OL-25947-01
Create IPSLA Report

You can create IPSLA Reports and IPSLA Threshold Violation Reports. You can also reset the values
you entered.
View IPSLA Job Details

You can view details of IPSLA jobs.
View IPSLA Report

You can view IPSLA Reports, IPSLA Report Archives and IPSLA Threshold Violation Reports.
You can list and create IPSLA Audit Report.
Custom
You can create, or view custom reports.
Understanding System Report Tasks

You can generate administration and system reports. This section explains the following System task
groups:
• Data Collection Metrics and Device Support
• Users
• ANI Server Analysis
• Status
Data Collection Metrics and Device Support

You can view the duration of each data collection, and the device count. You can also view the icon,
name, and object ID of the supported devices.
Users
You can view information about users currently logged into LMS.
• Who is Logged on
You can view information on users currently logged into LMS.
• Permission Report
You can view information on roles and privileges.
ANI Server Analysis

You can analyze the ANI server performance.
Status
You can view the status of the processes running on the LMS Server.
• Log File
You can view information on log file size and file system utilization.
• Process
You can view the status of the processes running on the LMS Server.

OL-25947-01 18-23
Understanding Switch Port Report Tasks

You can generate reports based on switch port status. This section explains the following Switch Port
Report task groups:
• User Tracking Switch Port Usage
• Ports
User Tracking Switch Port Usage

You can view reports on:
• Connected Ports—The ports that are administratively UP and are connected to a device will be listed
here.
• Free Ports—The Ports that are administratively UP but are not connected to a device will be listed
here.
• Free Down Ports—The ports that are administratively down will be listed here.
You can also view the following reports:
• Switch Port Capacity Report
Lists switches that have crossed utilization threshold limits, along with the value of percentage port
utilization.
• Recently Down Ports
Displays:
– Link ports that were connected to a device in the previous Data collection, but found
unconnected in the current Data Collection.
– Access ports that were connected to an endhost in the last UT Major Acquisition cycle, but
found unconnected in the current Data Collection
• Reclaim Unused Down Ports Report
Displays ports that have been in Unused Down state for a specified interval of time.
• Reclaim Unused Up Ports Report
Displays ports that have been in Unused Up state for a specified interval of time.
• Switch Port Summary Report
Displays the number of Connected, Free, and Free down ports in each switch.
Ports
You can view status of the ports.
• Port Attributes
You can view information about the status of ports in the network
Schedule Reports in Layer2 Services and User Tracking

You can schedule reports of the Network, Layer 2, and User Tracking function of LMS.
User Tracking Job Archives

You can view archived reports of UT jobs.

18-24 OL-25947-01
Understanding Configuration Tasks
Layer2 Services Job Archives

You can view archived reports of Layer 2 services jobs.
Inventory/Syslogs/Change Audit Generate Reports

You can generate all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View All Reports

You can view all Inventory, Syslog, and Change Audit reports.
Inventory/Syslogs/Change Audit View Own Reports

You can view all Inventory, Syslog, and Change Audit reports which you have generated.

This section explains the following Configuration task groups:
• Understanding Configuration Archive Tasks
• Understanding Configuration Tools Tasks
• Understanding ConfigCLI Tasks
• Understanding Configuration Workflows Tasks
• Understanding Configuration Job Browsers Tasks
• Understanding Compliance Tasks
Understanding Configuration Archive Tasks

This section explains the following Configuration Archive tasks:
• Label Configs
• Summary
• Views
Label Configs
You can select configuration files from different devices, group and label them. You can manage Label
Configs.
Summary
You can view the configuration archival status and summary.

OL-25947-01 18-25
Views
You can search archives using version tree and version summary. The tasks in Views are the following:
• Custom Queries
You can create a custom configuration query that searches information about the specified
configuration files.
• Search Archive
You can search the archive for configuration containing text patterns for selected devices.
• Version Summary
You can view all archived configurations for selected devices.
Understanding Configuration Tools Tasks

This section explains the following Configuration Tools tasks:
• NetConfig/Template Center
• Config Editor
Software Image Management

• Software Repository
You can view, add, delete, or update the images that are available in the Software Management
repository.
• Repository Synchronization
You can update the software repository.
• Software/Patch Distribution
You can distribute software images in the network. You can also distribute patches simultaneously
to applicable devices.
• Jobs
You can check the status of a scheduled Software Image Management job. You can view, edit, stop,
delete, retry or undo the job.
• Upgrade Analysis
You can analyze images before distribution.

18-26 OL-25947-01
NetConfig/Template Center
This section explains the following NetConfig and Template Center tasks:
• Assign Tasks
You can assign tasks to a valid Cisco Prime user.
• User Defined Tasks
You can create and edit user-defined tasks.
• Adhoc Configuration-Template Center
You can deploy and import Adhoc Configuration template.
• Jobs
– View
You can view all NetConfig and Template Center jobs.
– Create/Configure/Deploy/Import
You can deploy and import configuration templates in LMS. You can also create NetConfig
jobs.
Config Editor
This section explains the following Config Editor tasks:
• Private Configs
You can view changes made to a configuration file in the private work area.
• Edit Private Configs
You can save an edited configuration file in the private work area on the server and retrieve the saved
file when required.
• Edit Public Configs
You can save an edited configuration file in the public work area on the server and retrieve the saved
file when required.
• Delete Private Configs
You can remove a configuration file from the private work area on the server.
• Delete Public Configs
You can remove a configuration file from the public work area on the server.
• Public Configs
You can view changes made to a configuration file in the public work area.
• Edit Mode Preference
You can set up the default editing mode.
• Config Editor
You can open, edit, or print configuration files.
• Jobs
You can create, edit, delete, copy, or stop Config Editor jobs.

OL-25947-01 18-27
Understanding ConfigCLI Tasks

This section explains the following ConfigCLI tasks:
Delete
You can delete configurations older than a specified date from the configuration archive.
Compare With Baseline and Deploy

You can create a job that compares the given Baseline template with the latest version of the
configuration for a device and download the configuration to the device if there is a non-compliance.
List Version
Lists the different versions of configuration files archived in the archival system.
Create Parameter file

You can create a parameter file if the Baseline template containing the parameters is specified.
Compare With Baseline

You can compare the given Baseline template with the latest version of the configuration for a device.
Deploy Baseline
You can deploy the given Baseline template to a device.
Reload
You can reboot the devices, to load the running configuration with their startup configuration.
Get Configuration
You can retrieve the running configuration from the devices and push it to the configuration archive if
the running configuration is different than the latest version in the archive.
Run2Start
You can create a job that overwrites the startup configuration of device with running configuration.
Get Change Audit Data

You can get Change Audit data.
Write2Run
You can compare the latest running configuration for the device in the configuration archive with the
configuration in the file, to generate a new configuration that is downloaded to the device, so that the
configuration specified in the file is available on the running configuration of the device.
Export Configuration
You can retrieve the configuration for a device from the archive and write it to a specific file.
Compare
You can list the difference between versions of a device configuration.

18-28 OL-25947-01
write2Start
You can erase the contents of the device's startup configuration and then write the contents of the given
file as the device's new startup configuration.
Export Configuration-xml
You can retrieve the configuration for a device from the archive and write it to a XML file.
Import Configuration
You can retrieve the configuration from a file, and push it to the device, adding to the device's running
configuration.
Get Inventory Data

You can get the inventory data for the devices.
Start2Run
You can merge the running configuration of any devices with their startup configuration to give a new
running configuration.
Put Configuration
You can retrieve the configuration from the configuration archive and push it to the device.
Understanding Configuration Workflows Tasks

This section explains the following Configuration Workflows tasks:
• VLAN
• VRF Lite
VLAN
This section explains the following VLAN Workflows tasks:
• Configure Port Assignment
You can manage ports on your network VLAN.
• Create/Delete Private VLAN
You can create and delete private VLANs
• Configure Promiscuous Ports
You can configure a promiscuous port
• Create/ Modify Trunk
You can create a trunk for a port, or modify trunk attributes.
• Configure/ Delete VLAN
You can create and delete VLANs configured on the devices in the network.
VRF Lite
This section explains the following VRF Lite Workflows tasks:
• VRF Configuration
You can create, edit, extend, delete and assign Edge VLAN to VRF.

OL-25947-01 18-29
Understanding Configuration Job Browsers Tasks

This section explains the following Configuration Job Browsers tasks:
• Job Approval
• NetConfig
• Config Editor
Job Approval
You can approve or reject a job for which you are an Approver. The job will not run until you or another
Approver approves it.
NetConfig
You can manage NetConfig jobs.
Config Editor
You can manage Config Editor jobs.
Understanding Compliance Tasks

This section explains the following Configuration Compliance tasks:
• Out-of-Sync Summary
• Compliance Templates
Out-of-Sync Summary
You can generate Out-of-Sync report for device groups.
Compliance Templates
This section explains the following Compliance Templates tasks:
• Compliance Check
You can run a compliance check.
• Direct Deploy
You can deploy a baseline template using a file system or UI.
• Templates
You can manage a baseline template.

18-30 OL-25947-01
Understanding Monitor Tasks

This section explains the following Monitor task groups:
• Understanding Performance Settings Tasks
• Understanding Fault Settings Tasks
• Understanding Threshold Settings Tasks
• Understanding Troubleshooting Tools Tasks
• Understanding Monitoring Tools Tasks
Understanding Performance Settings Tasks

You can configure performance settings like:
• IPSLA
• Setup
IPSLA
You can manage IPSLA devices, collectors, operations and outage settings
• Devices
You can add devices to manage IPSLA functionality. You can:
– Enable IPSLA Responder
You can enable IPSLA responder for the selected devices.
– Update IPSLA Config
You can update the IPSLA responder enable or disable status. You can also save the latest
information configured in a device to the database.
– View Devices
You can view all the IPSLA devices managed by LMS.
– Edit Device Attributes
You can edit the device attributes like SNMP Retry and SNMP Timeout.
– Delete devices
You can delete Adhoc target devices.
– Add Adhoc Target
You can add adhoc target devices to the IPSLA Performance Management function in LMS if
you want to manage devices from an external source. The Adhoc devices may be either Cisco
devices or devices with a unique IP address.
• Collectors
You can create, edit, delete, monitor, start, list, view, or stop collectors.
When you have the authorization to create collectors you can import, export and reconfigure
collectors.

OL-25947-01 18-31
• Operations
You can analyze IP service levels for IP applications and services. You can view operation details,
list, create, edit, or delete operations.
• Outage Settings
You can view, list, create, edit, or delete planned outages.
Setup
You can setup auto monitoring, poller and template management
• Automonitor
You can change the polling intervals.
• Pollers
You can create and manage pollers. You can:
– Edit Poller
You can edit pollers.
– Clear Failures
You can clear all the failures recorded in the database for a Poller.
– Clear Missed Cycle
You can clear all the polling interval cycles missed for a Poller.
– Activate and Deactivate Poller
You can activate an inactive Poller to poll, or stops a Poller from polling.
– View Failures
You can view failures that occurred during polling.
– Create Poller
You can create a Poller.
– List Performance Devices
You can view performance devices.
– Delete Poller
You can delete a Poller.
– Debug Performance Polling Engine
You can debug performance polling engine.
– List / View Pollers
You can list or view Pollers.
• Templates
You can create, copy, edit, list, delete, export, or import templates to monitor performance
parameter.
• Device Performance Management Summary
You can view the Device Performance Management Summary portlet details. To access any custom
role, you should select Device Performance Management Summary.

18-32 OL-25947-01
Understanding Fault Settings Tasks

You can set up the following fault settings tasks:
• Setup
You can setup polling parameters, group priorities, and view device fault details.
– Apply Changes
You can apply polling and threshold changes.
– Polling Parameters
You can configure polling parameters.
– Fault Device Details
You can view component details of a device.
– Priority Settings
You can set priority for polling and thresholds.
Understanding Threshold Settings Tasks

You can configure pollers, manage templates, configure trendwatch.
This section explains the following Threshold Settings tasks:
• TrendWatch
• Performance
• Fault
TrendWatch
You can create, activate, list and view, edit, copy, deactivate, or delete trendwatch for a MIB variable.
Performance
You can create, edit, delete, access, or, list and view thresholds for a MIB variable.
Fault
You can view the thresholds that are associated with device groups, trunk port groups, access port
groups, and interface groups.

OL-25947-01 18-33
Understanding Troubleshooting Tools Tasks

You can troubleshoot network devices using various tools like NetShow and VRF-Lite. This section
explains the following Troubleshooting Tools tasks:
• VRF Lite
• NetShow
• Connectivity Tools
• Troubleshooting Workflows
VRF Lite
• Ping and Traceroute/Show Commands
You can troubleshoot VRFs using Ping or Traceroute, or view the result of the VRF-specific show
commands
NetShow
• Job Operations
You can perform tasks such as viewing job details, creating jobs, editing jobs, copying jobs, retrying
failed jobs, stopping jobs, and deleting jobs.
• Command Set Operations
You can create, edit, or delete user-defined Command Sets.
• Assigning Command Sets
You can assign command sets to network operators.
• Command Sets
You can view the details of an existing Command Set.
• NetShow Jobs/Show Commands
You can run NetShow commands and view NetShow jobs.
Connectivity Tools
You can use the following tools:
• Device Center
You can launch the troubleshooting page by clicking device IPs.
• Packet Capture
You can capture live data from the Cisco Prime machine to aid in troubleshooting.
• SNMP Walk
You can trace the MIB tree of a device starting from a given OID for troubleshooting, or gathering
information about a certain device.
• SNMP Set
You can set an SNMP object or multiple objects on a device for controlling the device.
Troubleshooting Workflows
You can troubleshoot network problems using the troubleshooting workflows. You can diagnose network
connectivity problems, or diagnose devices.

18-34 OL-25947-01
Understanding Monitoring Tools Tasks

You can use fault and event monitor tools like:
• Fault Monitor
• Configure Inter-VLAN Routing
• View Link Bandwidth utilization
• Configure EtherChannel
• Device Operation Discover Devices
• View Trunk Attributes
• Time Domain Reflectometer Report
• Device Operation Delete Link
• Spanning Tree Reports
• Device Operation Delete Devices
• Topology Services
• Spanning Tree Configuration
• Device Operation Change management IP
• View Data Extraction Engine
Fault Monitor
You can view all the faults in a common place. It collects information of fault in devices in real-time and
display the information by a selected group of devices. You can clear or annotate faults.
It allows you to own the fault or clear them.
Configure Inter-VLAN Routing

You can configure Inter-VLAN Routing.
View Link Bandwidth utilization

You can view bandwidth utilization across links, in the Topology maps.
Configure EtherChannel
You can configure EtherChannel.
View Devices at Fault and Event Monitor

You can view devices available at Fault and Event Monitor.
Device Operation Discover Devices

You can discover devices for device operation.
View Trunk Attributes

You can view trunk attributes.
Time Domain Reflectometer Report

You can generate the TDR report that detect faults in a cable. TDR checks and locates open circuits, short
circuits, sharp bends, crimps, kinks, impedance mismatches, and other such defects.

OL-25947-01 18-35
Understanding Inventory Tasks
Device Operation Delete Link

You can remove a link from the Network Topology View.
Spanning Tree Reports

You can generate Spanning Tree reports
Device Operation Delete Devices

You can delete devices.
Topology Services
You can access the LAN Edge, Layer 2, and Unconnected Devices network views of managed domains
discovered in your network, and you can filter, access, or view network information or status.
Spanning Tree Configuration

You can configure Spanning Trees on the network.
Device Operation Change management IP

You can set a preferred management address to be used by LMS for devices which can have multiple IP
addresses.
View Data Extraction Engine

You can view Data Extraction Engine.

This section explains the following Inventory task groups:
• Understanding Group Management Tasks
• Understanding Job Browsers Tasks
• Understanding Device Administration Tasks
• Understanding Inventory Tools Tasks
Understanding Group Management Tasks

You can create and manage fault groups, IPSLA collectors groups, or ports and modules groups.
• Fault groups
You can view, create, edit, delete fault groups, or refresh groups.
• IPSLA Collector
You can view, create, edit, delete or refresh IPSLA collector groups.

18-36 OL-25947-01
Understanding Job Browsers Tasks

You can view, create, edit, stop, retry, or delete device credentials verification jobs. You can also verify
device credentials.
Understanding Device Administration Tasks

You can manage devices and auto update the server. This section explains the following Device
Administration tasks:
• Add / Import / Manage Devices
• Add Managed Devices
• Manage Device State
• Device Allocation Policy
Add / Import / Manage Devices

You can manage devices in DCR. You can:
• View Credentials
You can view device information for a single device or for multiple devices.
• Export Devices
You can export a list of device and their credentials.
• View Reports
You can generate the following reports:
– Unreachable Devices
Displays the list of devices that are unreachable.
To generate this report, select Reports > Inventory > Management Status > Unreachable
Devices.
– Excluded Devices
Displays the list of devices that should not be added in DCR.
To generate this report, select Reports > Inventory > Management Status > Excluded
Devices.
– Imported Device Status
Displays the information about the devices that are imported into DCR.
To generate this report, select Reports > Inventory > Management Status > Imported Device
Status.
– Known Device List
Displays the complete list and information of all devices in the repository.
To generate this report, select Reports > Inventory > Management Status > Known Device
List.
– Device Administration
Displays the complete device list in DCR.
To generate this report, select Reports > Audit > Device Administration.

OL-25947-01 18-37
Understanding Work Center Tasks
• Add Devices
You can add devices, device properties or attributes, and device credentials to the DCR.
• View Devices
You can view devices in DCR.
• Delete Devices
You can delete devices from DCR. You can also schedule device polling job and view the
Unreachable device report.
• Bulk import
You can import multiple devices into DCR. You can also view the Imported device report.
• Edit Devices
You can edit device information for a single device or for multiple devices.
Add Managed Devices

You can manually add managed devices without using the Device Allocation Policy.
Manage Device State

You can view the states of the devices.
Device Allocation Policy

You can configure the device management policy for Device Management.
Understanding Inventory Tools Tasks

You can use tools like:
• CiscoView
Provides real-time views of networked Cisco Systems devices
• Mini-RMON
Provides web-enabled, real-time, remote monitoring (RMON) information to users to facilitate
troubleshooting and improve network availability.

This section explains the following Work Center task groups:
• Understanding Smart Install Tasks
• Understanding Auto Smartports Tasks
• Understanding Identity Tasks
• Understanding EnergyWise Tasks

18-38 OL-25947-01
Understanding Smart Install Tasks

You can configure and manage images using this plug-and-play configuration and image management
feature that provides zero-touch deployment for new switches.
• Jobs
You can view the status, delete, stop or manage Smart Install jobs.
• Readiness Assessment
You can assess the readiness of your network for Smart Install.
• Getting Started
You can provision Smart Install for Day 1 operations.
• Configure
You can configure, and manage the Smart Install director.
Understanding Auto Smartports Tasks

You can configure, apply and manage Auto Smartports macros on the ASP-capable devices
• Getting Started
You can provision Auto Smartports for day 1 operations.
• Jobs
You can view the status, delete, stop or manage Auto Smartport reports.
• Configure
You can configure, and enable Auto Smartports on selected interfaces.
You can view Auto Smartports based device details after assessing the network.
Understanding Identity Tasks

You can create authentication, access control, and user policies to secure network resources and
connectivity.
• Configure
You can configure Identity on Identity-capable devices.
• Jobs
You can view the status, delete, stop or manage Identity jobs.
• Reports
You can generate Identity reports.
• Getting Started
You can provision Identity for Day 1 operations.
You can view Identity-based device details after assess the network.

OL-25947-01 18-39
Understanding EnergyWise Tasks

You can manage and automate the energy management lifecycle of network.
You can view EnergyWise-based device details after assessing the network.
• Jobs
You can view the status, delete, stop or manage EnergyWise jobs.
• Getting Started
You can provision EnergyWise for Day 1 operations.
• Reports
You can generate EnergyWise reports like:
– Power Usage
You can generate EnergyWise power usage report.
– Cost Savings
You can configure EnergyWise cost savings.
• EnergyWise portlets
You can view EnergyWise portlets like:
– EnergyWise Savings Trend Graph
– EnergyWise Total Savings Graph
– EnergyWise Power Consumption Graph
• Manage Domains/General Settings
You can manage the configured EnergyWise domains.
You can configure the time to perform EnergyWise device collection, EnergyWise endpoint
collection, and EnergyWise compliance check.
• Configure
You can configure energy management policies on devices and configure endpoints.
– Manage Policies
You can manage the EnergyWise policies.
– Manage Endpoint Groups
You can create an endpoint group of IP phones.
– Configure Attributes on Endpoints
You can configure EnergyWise attributes.
• Settings
You can configure EnergyWise collection, cost settings, and data purge settings.
– Cost Savings
You can configure EnergyWise cost savings.
– Purge
You can configure EnergyWise data purge settings.

18-40 OL-25947-01

OL-25947-01 18-41

18-42 OL-25947-01

OL-25947-01 18-43

18-44 OL-25947-01

OL-25947-01 18-45

18-46 OL-25947-01
A P P E NDIX A
CLI Tools
This section explains all the CLI utilities that are available for the administrator in LMS 4.2.
• Setting Up Local Users Through CLI
• Changing Cisco Prime User Password Through CLI
• Managing Processes Through CLI
• Working With Third Party Security Certificates
• Setting up Browser-Server Security
• Backing up Data Using CLI
• Using LMS Server Hostname Change Scripts
• Using DCR Features Through CLI
• Using Group Administration Features Through CLI
• Deleting Stale Groups Using CLI
• User Tracking Command Line Interface
• Using Lookup Analyzer Utility
• Understanding UTLite
• User Tracking Debugger Utility
• Configuring Switches to Send MAC Notifications to LMS Server
• Administration Command Line Interface

OL-25947-01 A-1
Appendix A CLI Tools
Setting Up Local Users Through CLI

You can set up the local users through CLI. This feature helps you in:
• Adding Local Users
• Importing Local Users
• Importing Users From ACS
• Migrating User Details from LMS 3.2 to LMS 4.x versions
Adding Local Users

You can add bulk local users through CLI. This feature allows you to specify a file that has information
about the local users as an input. The input file you use should be a plain text file.
Note You can use this CLI command for both system and user-defined roles.
Each local user information should be represented in the following format in the text file:
Username:Password:E-mail:Roles:DeviceUname:DevicePassword:DeviceEnPassword
where,
• Username — Local username. The local username is case-insensitive.
• Password — Password for the local user account name.
You can leave this field blank in the text file and enter the password in the command line when you
run the CLI utility.
Note that you should enter the password either in the command line or in the input text file. If you
mention the password in both the places, the local user will be added with the password specified in
the command line. On adding the user by giving password in the command line prompt, default role
will be assigned to the user if the role is missing in the input file.
• E-mail — E-mail address of the local user.
This is mandatory if you assign the approver role to the local user. Otherwise, this is optional.
• Roles — Roles to be assigned to the local user. You should assign one or more of the following roles
to the user separated by comma.
– Help Desk
– Approver
– System Administrator
– Network Administrator
– Network Operator
– Super Admin
• DeviceUname—Device login username
• DevicePassword—Device login password
• DeviceEnPassword —Device enable password.
The following is an example of local user information to be represented in input text file:

A-2 OL-25947-01
admin123:admin123:admin123@cisco.com:Help Desk,System
Administrator:admin:roZes123:roZes

OL-25947-01 A-3
To add local users through CLI, enter the following commands:

• NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -add Filename Password (on Solaris/Soft
Appliance)
• NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -add Filename Password (on Windows)
where,
• Filename — Absolute path of the filename containing local users information.
• Password — Common password for all user accounts specified in the input text file.
This command line parameter is optional if you have specified the passwords for local users in the
input text file. Note that you should enter the password either in the command line or in the input
text file.
If you specify this parameter, the local users are added to Cisco Prime only with this password
irrespective of the password entries specified in the input text file.
For example, enter the following command to add local users mentioned in the input file localuser.txt
with the password admin:
C:\progra~1\CSCOpx\bin\perl C:\progra~1\CSCOpx\bin\AddUserCli.pl -add
C:\files\localuser.txt admin
Even if you have entered password for the local users in the localuser.txt file, the local users are added
with the password mentioned in the command line.
Importing Local Users

This feature allows you to import local user information to the local server from a remote LMS Server.
You can import local users from ACS through CLI. See, Importing Users From ACS for more
information.
You should have the privileges to import local users from remote LMS Server through CLI.
Before you import users from a remote server, you should install the peer certificate of the remote server
in the local LMS Server, if the LMS Server is in HTTPS mode. See Setting up Peer Server Certificate
for more information.
To import users from a remote server, enter the following commands:
• NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -import Protocol Hostname Portnumber
Username Password (on Solaris/Soft Appliance)
• NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import Protocol Hostname Portnumber
Username Password (on Windows)
where,
• Protocol — Protocol of the remote LMS Server.
The supported values are HTTP or HTTPS.
• Hostname — Hostname or IP Address of the remote LMS Server.
• Portnumber — Port Number of the remote LMS Server.
• Username — Remote LMS Server Login Username.
• Password — Remote LMS Server Login Password.

A-4 OL-25947-01
For example, enter the following command to import the local users from the remote LMS Server
lmsdocpc:
NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -import HTTP lmsdocpc 1741 admin admin
Importing Users From ACS

To import users from ACS through CLI, enter the following commands:
• NMSROOT/bin/perl NMSROOT/bin/AddUserCli.pl -importFromAcs Filename Password (on
• NMSROOT\bin\perl NMSROOT\bin\AddUserCli.pl -importFromAcs Filename Password (on
Windows)
where,
• Filename — Ouput of executing CSUtil.exe.
• Password — ACS password which is the default password assigned to all users.
Migrating User Details from LMS 3.2 to LMS 4.x versions

To migrate user details from LMS 3.2 to LMS 4.x:
Step 1 Enter the command given below:

For Solaris and Soft Appliance:
/NMSROOT/lib/jre/bin/java -cp
/NMSROOT/lib/classpath:/NMSROOT/www/classpath:/NMSROOT/MDC/tomcat/shared/lib/
castor-0.9.5-xml.jar:/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5.jar
com.cisco.nm.cmf.servlet.CWPassMigration <cwpass file location> <output file name with .xml
extension>
where, NMSROOT is the directory where you have installed Cisco Prime.
Example:
/opt/CSCOpx/lib/jre/bin/java -cp
/opt/CSCOpx/lib/classpath:/opt/CSCOpx/www/classpath:/opt/CSCOpx/MDC/tomcat/shared/lib/
castor-0.9.5-xml.jar:/opt/CSCOpx/MDC/tomcat/shared/lib/castor-0.9.5.jar
com.cisco.nm.cmf.servlet.CWPassMigration /cwpass /output.xml
For Windows:
/NMSROOT/lib/jre/bin/java -cp
/NMSROOT/lib/classpath;/NMSROOT/www/classpath;/NMSROOT/MDC/tomcat/shared/lib/
castor-0.9.5-xml.jar;/NMSROOT/MDC/tomcat/shared/lib/castor-0.9.5.jar
com.cisco.nm.cmf.servlet.CWPassMigration <cwpass file location> <output file name with .xml
extension>

OL-25947-01 A-5
Changing Cisco Prime User Password Through CLI
Example:
C:/Progra~1/CSCOpx/lib/jre/bin/java -cp
C:/Progra~1/CSCOpx/lib/classpath;C:/Progra~1/CSCOpx/www/classpath;C:/Progra~1/CSCOpx/MD
C/tomcat/shared/lib/castor-0.9.5-xml.jar;C:/Progra~1/CSCOpx/MDC/tomcat/shared/lib/
castor-0.9.5.jar com.cisco.nm.cmf.servlet.CWPassMigration C:/cwpass C:/output.xml
Step 2 Move the output file to the client machine to import the user details.
Step 3 Go to Admin > System > User Management > Local User Setup.
Step 4 Click Import Users.
Step 5 Click Browse and select the output file from the client machine.
Migrating User Details using Selective Backup Method

The user details can be migrated from LMS 3.2 to LMS 4.x versions by remote upgrade procedure. The
inline upgrade does not support the direct migraiton of user details from LMS 3.2 to LMS 4.2.
Step 1 Take selective backup from LMS 3.2 using the command given below:
NMSROOT\bin>perl NMSROOT\bin\backup.pl -dest= <Backup Directory> –system
Step 2 Move the backup to LMS 4.x server where data has to be restored.
Step 3 Stop the daemons on 4.x server
Step 4 Restore backup using the command given below:
NMSROOT\bin>perl NMSROOT\bin\restorebackup.pl -d <Backup Directory>
Step 5 Check for any errors on Restorebackup.log
Step 6 Start the daemons and check the user details once all the processes are up.
Note Selective backup includes system settings, user details and jobs.

You can change the Cisco Prime user password using the Cisco Prime user password recovery utility.
To change the user password on Solaris/Soft Appliance:
Step 1 Enter /etc/init.d/dmgtd stop to stop the Daemon Manager.

Step 2 Set the LD_LIBRARY_PATH manually. The path is to be set as follows:
setenv LD_LIBRARY_PATH /opt/CSCOpx/MDC/lib:/opt/CSCOpx/lib
This environment variable set is applicable to the current working shell only.

A-6 OL-25947-01
Now, you can change the password using the Cisco Prime user password recovery utility.
Step 3 Enter NMSROOT/bin/resetpasswd username at the command prompt.
Here NMSROOT refers to the Cisco Prime Installation directory.
A message appears:
Enter new password for username:
Step 4 Enter the new password.
Step 5 Enter /etc/init.d/dmgtd start to start the Daemon Manager.

OL-25947-01 A-7
Managing Processes Through CLI
To change the user password on Windows:
Step 1 Enter net stop crmdmgtd to stop the Daemon Manager.

Step 2 Enter NMSROOT\bin\resetpasswd username at the command prompt.
A message appears:
Enter new password for username:
Step 3 Enter the new password.
Step 4 Enter net start crmdmgtd to start the Daemon Manager.

You can also manage the Cisco Prime processes through CLI. You can perform the following activities
through CLI:
• Viewing Process Details Through CLI
• Viewing Brief Details of Processes
• Viewing Processes Statistics
Viewing Process Details Through CLI

The pdshow command displays the details of the specified processes or all processes in the CLI prompt.
• To display the details of all processes, enter:
– /opt/CSCOpx/bin/pdshow (on Solaris/Soft Appliance)
– pdshow (on Windows)
• To display the details of one or more specified processes, enter:
– /opt/CSCOpx/bin/pdshow ProcessName1 ProcessName2 (on Solaris/Soft Appliance)
– pdshow ProcessName1 ProcessName2 (on Windows)
where ProcessName1 and ProcessName2 are the name of the processes.
The command displays the process details of one or more processes. See Viewing Process Details for
description of each of these items.
• Process Name
• Process State
• Process ID
• Process Return Code
• Process Signal Number
• Process Start Time
• Process Stop Time

A-8 OL-25947-01
The pdshow command additionally displays the following process details.
Process Details Description

Core Not applicable means the program is running normally.
CORE FILE CREATED means the program is not running normally and the
operating system has created a file called core*.
The core file stores important data about processes.
core* refers to the name of the core file.
The core file name contains the executable file name of the program and the process
ID.
For example, the name of the core file created for the Perl module is:
core.perl.51234
Information Describes what the process is doing and how it is started.
Not applicable means the program is not running normally.
During the startup of Daemon Manager, sometimes the pdshow command may display information
message requesting you to wait and enter the command again.
This happens particularly when the Daemon Manager is busy in running the tasks one by one in the
queue. You must enter the command again to view the process details.
Viewing Brief Details of Processes

The pdshow -brief command displays the brief status of all processes or specified processes in tabular
format in the CLI prompt.
• To display the brief details of all processes, enter:
– /opt/CSCOpx/bin/pdshow -brief (on Solaris/Soft Appliance)
– pdshow -brief (on Windows)
• To display the details of one or more specified processes, enter:
– /opt/CSCOpx/bin/pdshow -brief ProcessName1 ProcessName2 (on Solaris/Soft Appliance)
– pdshow -brief ProcessName1 ProcessName2 (on Windows)
The command displays the following details in tabular format:
• Process Name
• Process State
• Process ID
For example, if you enter /opt/CSCOpx/bin/pdshow -brief Tomcat Apache in the command prompt,
the following output is displayed:
ProcessStatePid
***************
Tomcat Program Started - No mgt msgs received13824
Apache Running normally 13847

OL-25947-01 A-9
Viewing Processes Statistics

The pdshow -stat command displays the statistics of all processes or specified processes in tabular
format.
Note You can enter this command only on Solaris systems.
To display the brief details of all processes, enter:

/opt/CSCOpx/bin/pdshow -stat (on Solaris/Soft Appliance)
To display the details of one or more specified processes, enter:
/opt/CSCOpx/bin/pdshow -stat ProcessName1 ProcessName2 (on Solaris/Soft Appliance)
The command displays the following details in tabular format in the command line.
Process Details Description

Pid Process ID
%CPU CPU usage of a process at a particular time expressed in terms of percentage
RSS Resident set size displayed in terms of KB
VSZ Virtual memory size of process displayed in terms of KB
%MEM Ratio of resident set size and physical memory expressed in terms of
percentage
NLWP Number of light weight processes of the specified process
Process Name of the process
Starting a Process
You must enter the following commands to start a process through CLI:
• /opt/CSCOpx/bin/pdexec ProcessName (on Solaris/Soft Appliance)
• pdexec ProcessName (on Windows)
The dependent processes are started first before the specified process is started.
If the process is being restarted after a shutdown, any dependent processes registered with the Daemon
Manager is not automatically restarted. Dependent processes are automatically restarted only when the
Daemon Manager itself is restarted.
Stopping a Process
You must enter the following commands to stop a process through CLI:
• /opt/CSCOpx/bin/pdterm ProcessName (on Solaris/Soft Appliance)
• pdterm ProcessName (on Windows)
The dependent processes are also shut down using this CLI command.

A-10 OL-25947-01

Cisco Prime provides an option to use security certificates issued by third party certificate authorities
(CAs). You may want to use this option in cases where your organizational policy prevents you from
using Cisco Prime self-signed certificates or requires you to use security certificates obtained from a
particular CA.
You can use these certificates to enable SSL when you need secure access between LMS Server and your
client browser. You can do the following:
• Uploading Third Party Security Certificates to LMS Server
• Using the SSL Utility Script to Upload Third Party Security Certificates
Uploading Third Party Security Certificates to LMS Server

You can upload Third Party Security Certificates using the SSL Utility Script.
Note Cisco Prime does not support third-party certificates with “Subject Alternative Names”.
This utility is available at:

• NMSROOT\MDC\Apache (On Windows)
• NMSROOT/MDC/Apache/bin (On Solaris/Soft Appliance)
Note The maximum supported public key value is 1024 bits.
This utility has the following options:
Numbe
r Option What it Does...
1 Display LMS Server • Displays the Certificate details of the LMS Server.
certificate
For third party issued certificates, this option displays the details
information
of the server certificate, the intermediate certificates, if any, and
the Root CA certificate.
• Verifies if the certificate is valid.
2 Display the input This option accepts a certificate as an input and:
certificate
• Verifies whether the certificate is in encoded X.509 certificate
information
format.
• Displays the subject of the certificate and the details of the
issuing certificate.
• Verifies whether the certificate is valid on the server.
3 Display Root CA Generates a list of all Root CA Certificates.
certificates trusted by
LMS Server

OL-25947-01 A-11
Numbe
r Option What it Does... (continued)
4 Verify the input Verifies whether the server certificate issued by third party CAs, can
certificate or be uploaded.
certificate chain
When you choose this option, the utility:
• Verifies if the certificate is in Base64 Encoded X.509Certificate
format.
• Verifies if the certificate is valid on the server
• Verifies if the server private key and input server certificate
match.
• Verifies if the server certificate can be traced to the required
Root CA certificate using which it was signed.
• Constructs the certificate chain, if the intermediate chains are
also given, and verifies if the chain ends with the proper Root
CA certificate.
After the verification is successfully completed, you are prompted to
upload the certificates to LMS Server.
The utility displays an error:
• If the input certificates are not in required format
• If the certificate date is not valid or if the certificate has already
expired.
• If the server certificate could not be verified or traced to a root
CA certificate.
• If any of the intermediate Certificates were not given as input.
• If the server private key is missing or if the server certificate that
is being uploaded could not be verified with the server private
key.
You must contact the CA who issued the certificates to correct these
problems before you upload the certificates to Cisco Prime.

A-12 OL-25947-01
Numbe
5 Upload single server You must verify the certificates using option 4 before you select this
certificate to LMS option.
Server
Select this option, only if there are no intermediate certificates and
there is only the server certificate signed by a prominent Root CA
certificate.
If the Root CA is not one trusted by Cisco Prime, do not select this
option.
In such cases, you must obtain a Root CA certificate used for signing
the certificate from the CA and upload both the certificates using
option 6.
When you select this option, and provide the location of the
certificate, the utility:
• Verifies whether the certificate is in Base64 Encoded X.509
certificate format.
• Verifies whether the certificate is valid on the server.
• Verifies whether the server private key and input server
certificate match.
• Verifies whether the server certificate can be traced to the
required Root CA certificate that was used for signing.
After the verification is successfully completed, the utility uploads
the certificate to LMS Server.
• If the input certificates are not in required format
expired.
CA certificate.
key.
problems before you upload the certificates in Cisco Prime again.

OL-25947-01 A-13
Numbe
6 Upload a certificate You must verify the certificates using option 4 before you select this
chain to LMS Server option.
Select this option, if you are uploading a certificate chain. If you are
also uploading the root CA certificate also, you must include it as
one of the certificates in the chain.
When you select this option and provide the location of the
certificates, the utility:
• Verifies whether the certificate is in Base64 Encoded X.509
Certificate format.
• Verifies whether the certificate is valid on the server
• Verifies whether server private key and the server certificate
match.
• Verifies whether the server certificate can be traced to the root
CA certificate that was used for signing.
• Constructs the certificate chain, if intermediate chains are given
and verifies if the chain ends with the proper root CA certificate.
After the verification is successfully completed, the server certificate
is uploaded to LMS Server.
All the intermediate certificates and the Root CA certificate are
uploaded and copied to the Cisco Prime TrustStore.
• If the input certificates are not in required format.
expired.
CA certificate.
• If any of the intermediate certificates were not given as input.
key.
problems before you upload the certificates in Cisco Prime again.
7 Modify Certificate This option allows you to modify the Host Name entry in the LMS
Certificate.
You can enter an alternate Hostname if you wish to change the
existing Host Name entry.

A-14 OL-25947-01
Using the SSL Utility Script to Upload Third Party Security Certificates
To upload the certificates:
Step 1 Stop the Daemon Manager from the Cisco Prime CLI:
On Windows:
• Enter net stop crmdmgtd
• Enter /etc/init.d/dmgtd stop
Step 2 Navigate to the directory where the SSL Utility script is located.
On Windows:
a. Go to NMSROOT\MDC\Apache
b. Enter NMSROOT\bin\perl SSLUtil.pl
a. Go to NMSROOT/MDC/Apache/bin
b. Enter NMSROOT/bin/perl SSLUtil.pl
Step 3 Select option 4, Verify the input Certificate or Certificate Chain.
Step 4 Enter the location of the certificates (server certificate and intermediate certificate).
The script verifies if the server certificate is valid. After the verification is complete, the utility displays
the options.
If the script reports errors during validation and verification, the SSL Utility displays instructions to
correct these errors. Follow the instructions to correct those errors and then try to upload the certificates.
Step 5 Select option 5, if you have only one certificate to upload, that is if you have a server certificate signed
by a Root CA certificate.
Or
Select option 6, if you have a certificate chain to upload, that is if you have a server certificate and
intermediate certificates.
Cisco Prime does not allow you to proceed with the upload if you have not stopped the Cisco Prime
Daemon Manager.
The utility displays a warning message if there are hostname mismatches detected in the server
certificate being uploaded, but you can continue to upload the certificate.
Step 6 Enter the following required details:
• Location of the certificate
• Location of intermediate certificates, if any.
SSL Utility uploads the certificates, if all the details are correct and the certificates meet Cisco Prime
requirements for security certificates.
Step 7 Restart the Daemon Manager for the new security certificate to take effect.
Enable SSL to establish a secured connection between LMS Server and your client browser, if you have
not enabled already.

OL-25947-01 A-15
Note Cisco Prime does not support third-party certificates with “Subject Alternative Names”.

• Enabling Browser-Server Security From the Command Line Interface (CLI) On Windows Platforms
• Enabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft
Appliance Platforms
• Disabling Browser-Server Security From the Command Line Interface (CLI) On Windows
Platforms
• Disabling Browser-Server Security From the Command Line Interface (CLI) On Solaris/Soft
Appliance Platforms
Enabling Browser-Server Security From the Command Line Interface

(CLI) On Windows Platforms
To enable Browser-Server Security from CLI:

Step 2 Navigate to the directory NMSROOT\MDC\Apache.
Step 3 Enter NMSROOT\bin\perl ConfigSSL.pl -enable
Step 4 Press Enter.
• If you have the required security certificates available on the server, Cisco Prime enables SSL.
• If you do not have the security certificates on the server, Cisco Prime prompts you to create your
own self-signed certificate and enter the details required to create a self-signed certificate.
Step 5 Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA).
The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS
Server from your client browser.

A-16 OL-25947-01
changes:
If you do not make the above changes, LMS Server will automatically redirect you to HTTPS mode with
port number 443. The port numbers mentioned above are applicable for LMS Server running on
Windows.
Enabling Browser-Server Security From the Command Line Interface

(CLI) On Solaris/Soft Appliance Platforms
To enable Browser-Server Security from CLI:

Step 2 Navigate to the directory NMSROOT\MDC\Apache\bin.
Step 3 Enter ./ConfigSSL.pl -enable
Step 4 Press Enter.
• If you have the required security certificates available on the server, Cisco Prime enables SSL.
• If you do not have the security certificates on the server, Cisco Prime prompts you to create your
own self-signed certificate and enter the details required to create a self-signed certificate.
Step 5 Create a self-signed certificate or use certificates you obtained from a Certification Authority (CA).
The LMS Server creates the security certificate. You can use this certificate to enable SSL in the LMS
Server from your client browser.
changes:
If your LMS Server is integrated with any Network Management Station (NMS) in your network using
the integration utility (NMIM), you must perform the integration every time you enable or disable SSL
in the LMS Server. This is required to update the application registration in NMS.
For more information, see the Integration Utility Online Help.

OL-25947-01 A-17
Disabling Browser-Server Security From the Command Line Interface

(CLI) On Windows Platforms
To disable Browser-Server Security from CLI:

Step 2 Navigate to the directory NMSROOT\MDC\Apache.
Step 3 Enter NMSROOT\bin\perl ConfigSSL.pl -disable
Step 4 Press Enter.
following changes:
The port numbers mentioned above are applicable for LMS Server running on Windows.
Disabling Browser-Server Security From the Command Line Interface

(CLI) On Solaris/Soft Appliance Platforms
To disable Browser-Server Security from CLI:

Step 2 Navigate to the directory NMSROOT\MDC\Apache\bin.
Step 3 Enter ./ConfigSSL.pl -disable
Step 4 Press Enter.
following changes:

A-18 OL-25947-01
If your LMS Server is integrated with any Network Management Station (NMS) in your network using
the Integration Utility (NMIM), you must perform the integration every time you enable or disable SSL
in the LMS Server. This is required to update the application registration in NMS.
For more information, see Integration Utility Online Help.

OL-25947-01 A-19
Backing up Data Using CLI
Backing up Data Using CLI

To back up data using CLI on Windows and Solaris/Soft Appliance:
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\backup.pl BackupDirectory [LogFile]
email=[comma_separated_email_ids] [Num_Generations]
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl BackupDirectory [LogFile]
email=[comma_separated_email_ids] [Num_Generations]
where,
• BackupDirectory—Directory that you want to be your backup directory. This is mandatory.
• LogFile— Log file name that contains the details of the backup
• comma_separated_email_ids—Email IDs seperated by comma
• Num_Generations—Maximum backup generations to be kept in the backup directory.
To back up only selective data using CLI on Windows and Solaris/Soft Appliance:
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\backup.pl -dest=BackupDirectory -system
[-log=LogFile] -gen=Num_Generations]
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl -dest=BackupDirectory -system
[-log=LogFile] [-gen=Num_Generations]
where,
• -dest=BackupDirectory—Directory where the backed up data to be stored. This is mandatory.
• -system—Command line option that allows you to back up only the selected system configurations
from all applications instead of backing up the complete databases. This is mandatory.
• -log=LogFile— Log file name that contains the details of the backup.
• -gen=Num_Generations—Maximum backup generations to be retained in the backup directory.
Using LMS Server Hostname Change Scripts

When you change the hostname of the LMS Server, you need to change the hostname related entries in
the Cisco Prime directories and files, registry entries, and databases.
LMS provides a CLI utility to update the new hostname information in the LMS related directories and
files, registry entries, and databases, after you have changed your hostname.
You can use the hostnamechange.pl script to update the hostname changes in all files, database entries
and registry entries.
Caution Make sure that you run this command after you have changed your hostname and the appropriate entries
specific to the operating system are updated.

A-20 OL-25947-01
Prerequisites
Before running the hostname change script, you should do the following:
Step 1 Update the hostname entries specific to operating system in your machine.
On Solaris:
• /etc/hosts - Modify loghost to the new hostname.
• /etc/hostname.hm0 or the appropriate interface file - Modify the file to the new hostname.
• /etc/nodename or the appropriate interface file - Modify nodename to the new hostname.
For Solaris/Soft Appliance, the sys-unconfig command erases the hostname and IP addresses
pertaining to the Solaris/Soft Appliance system (not the LMS or SMS software) and guides you
through the server-renaming process. You can also do this when you change the hostname in the
hosts, hostname.hme0, and nodename files in the /etc directory.
On Soft Appliance:
To change the hostname in Soft Appliance operating system:
a. Login to vSphere client.
b. Select the server where you want to Run hostnamechange.pl.
c. Login to the selected server as system admin.
d. Stop the daemons before changing the hostname in CARS CLI, by runing the command
/etc/init.d/dmgtd stop in shell mode.
e. Enter “config terminal” in the console.

Config prompt appears. Enter “hostname <new host name>”
f. Exit from the configure prompt.
g. Enter “write memory”.
On Windows:
To change the hostname in Windows operating system:
a. Right-click the My Computer icon from the desktop and click System Properties.
Or
Click Start > Settings > Control Panel > System.
The System Properties dialog box opens.
b. Click the Computer Name tab.
c. Click Change... on the Windows 2008 machine to open the Computer Name Changes dialog box.
d. Enter the new hostname in the Computer Name field.
e. Click OK to go back to System Properties dialog box.
f. Click Apply to apply the changes.
Step 2 Restart the machine.
You must restart the machine when you:
• Update the operating system specific hostname entries.
Step 3 Stop the Daemon Manager by entering the following commands:
• /etc/init.d/dmgtd stop (on Solaris/Soft Appliance)

OL-25947-01 A-21
• net stop crmdmgtd (on Windows)

Step 4 Run the hostname script without command line options. See Running the Hostname Change Script for
more information.
Step 5 Start the Daemon Manager by entering the following commands:
• /etc/init.d/dmgtd start (on Solaris/Soft Appliance)
• net start crmdmgtd (on Windows)

A-22 OL-25947-01
Running the Hostname Change Script

You can either:
• Run the hostname change script without specifying any command line options
After you have restarted your system, ensure that you stop the Daemon Manager and then enter the
following command to run the hostname change CLI utility.
– NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl (on Windows)
– NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl (on Solaris/Soft Appliance)
Or
• Run the hostname change script with command line options
Use this option to change the hostname only if the previous attempt of running this script had failed
and the hostname changes were unsuccessful.
You need not restart your machine to run the hostnamechange.pl CLI utility with command line
options
Enter the following command to run the hostnamechange.pl CLI utility:
– NMSROOT\bin\perl NMSROOT\bin\hostnamechange.pl -ohost Old_ Hostname -nhost
New_Hostname -domain Domain (on Windows)
– NMSROOT/bin/perl NMSROOT/bin/hostnamechange.pl -ohost Old_Hostname -nhost
New_Hostname -domain Domain (on Solaris/Soft Appliance)
where,
Old_ Hostname —Old Hostname of the LMS Server
New_Hostname —New Hostname of the LMS Server
Domain —Domain name of the LMS Server. Entering domain name is optional.
The hostnamechange.pl script performs the following:

1. Updates the new hostname of LMS Server in the following files:
– /opt/CSCOpx/lib/classpath/md.properties (on Solaris/Soft Appliance)
– /var/sadm/pkg/CSCOmd/pkginfo (on Solaris)
– NMSROOT\lib\classpath\md.properties (on Windows)
2. Changes ASName to the new hostname of LMS Server in the following files:
– /opt/CSCOpx/lib/classpath/sso.properties (on Solaris/Soft Appliance)
– NMSROOT\lib\classpath\sso.properties (on Windows)
3. Updates the hostname in the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Resource Manager\CurrentVersion\Environment
The CLI utility looks for all the instances of hostname under these registry entries, and replaces
them with the new hostname.
4. Changes the hostname in regdaemon.xml (NMSROOT/MDC/etc/regdaemon.xml).
5. Changes the hostname in web.xml (NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml).

OL-25947-01 A-23
6. Creates a file NMSROOT/conf/cmic/changehostname.info, with the information on the updated

hostname in the format:
OldhostName:NewhostName
OldhostName—Previous hostname as registered with CCR(regdaemon.xml)
NewhostName—Current hostname as registered with CCR(regdaemon.xml)
The entries for hostname in regdaemon.xml and changehostname.info should be identical.
The changehostname.info file resides in the LMS Server until you restart the Daemon Manager. This
file will not be available in LMS Server after the Daemon Manager is restarted.
7. Deletes NS_Ref file on the following directories:
– NMSROOT\lib\csorb (on Windows)
– /opt/CSCOpx/lib/csorb (on Solaris/Soft Appliance)
The NS_Ref file is restored in LMS Server after the Daemon Manager is restarted.
8. Starts the LMS 4.0 database and updates the database table entries with the new hostname. After
updating the database table entries, it stops the LMS 4.0 database.
9. Detects and displays the details of the certificate in the LMS Server.
– If the certificate is a third party certificate, you should regenerate your certificate with the new
hostname.
Or
– If the certificate is a self-signed certificate, the script allows you to regenerate the certificate.
You can enter y to re-generate the certificate with the new hostname or n to re-generate the
certificate later. See Creating Self Signed Certificates for details.
After you have completed running the script, ensure that you:
• Start the Daemon Manager by entering the following commands:
– /etc/init.d/dmgtd start (on Solaris/Soft Appliance)
– net start crmdmgtd (on Windows)
• Redo the integration, if you have integrated any third party network management application to
Cisco Prime, using Integration Utility.
• Re-import the certificates and redo the Multi-Server setup if the machine is part of a Multi-Server
setup.
For example, if you are changing the hostname of a machine that is configured as a Slave, then it
needs to reregister with the Master. If you are changing the hostname of a machine that is configured
as a Master, then all its Slaves need to be updated with the new Master hostname.
If the hostname of the machine changes, the stability of the system is not guaranteed and it fails in some
cases.

A-24 OL-25947-01
Using DCR Features Through CLI

Using Command Line Interface, you can add, delete, and modify devices, and change the DCR modes.
You can also view the list of attributes that can be stored in DCR, and view the current DCR mode. The
dcrcli provided with LMS helps you perform these tasks using CLI.
The Device Name and the Host Name/Domain Name combination must be unique for each device in
DCR. A device will be considered duplicate if:
• The Device Name of a device is the same as that of any other device
• The Host Name/Domain Name combination of a device is the same as that of any other device
• Auto Update Device ID is the same as that of any other device (in case of AUS managed device)
• Cluster and Member Number, together is same as that of any other device (in case of Cluster
managed device)
dcrcli operates in both the Shell and Batch modes. The Shell mode is interactive whereas the Batch mode
runs the specified command and exits to the prompt after the command is run.
You can set DCRCLIFILE environment to point to the file where LMS password is present. If you set
DCRCLIFILE variable, password will not be asked when you run dcrcli in shell or batch mode.
The password file should contain an entry in the format username password. Make sure that there is only
one blank space between the username and the password in the password file. For example, if admin is
the username and the password for the Cisco Prime user, the password file must contain the following
entry:
admin admin
This section has the following:
• Viewing the Current DCR Mode Using CLI
• Viewing Device Details
• Changing DCR Mode Using CLI
Viewing the Current DCR Mode Using CLI

To view the current DCR mode in Shell mode:
Step 1 Enter NMSROOT/bin/dcrcli -u username.

Step 2 Enter the password corresponding to the username.
Step 3 Enter lsmode
It lists the DCR ID, the DCR Group ID, the current DCR mode, and the associated Master and Slaves.
To view the current DCR mode in Batch mode:
Step 1 Go to NMSROOT/bin
Step 2 Enter dcrcli -u Username cmd=lsmode

OL-25947-01 A-25
Viewing Device Details

To view device details using dcrcli in Shell mode:

Step 2 Enter the password corresponding to the username.
Step 3 Enter details id=DeviceID
This lists all the details about the device with the ID you have specified. For example,
detail id=54341 lists the details for the device with device ID 54341.
To view device details using dcrcli in Batch mode:
Step 2 Enter dcrcli -u Username cmd=detail id=DeviceID
Changing DCR Mode Using CLI

To change mode to Master in Shell mode:

Step 2 Enter the password corresponding to the username
Step 3 Enter setmaster
The DCR mode gets changed to Master.
To change mode to Master in Batch mode:
Step 2 Enter dcrcli -u Username cmd=setmaster
To change mode to Standalone in Shell mode:

Step 3 Enter setstand
The DCR mode gets changed to Standalone.

A-26 OL-25947-01
Using Group Administration Features Through CLI
To change mode to Standalone in Batch mode:
Step 2 Enter dcrcli -u Username cmd=setstand
To change mode to Slave in Shell mode:

Step 3 Enter setslave master=value
You have to specify the Master for this slave.
The DCR mode gets changed to Slave. For example,
setslave master=1.2.1.3 port=443
To change mode to Slave in Batch mode:
Step 2 Enter dcrcli -u Username cmd=setslave master=value

You can use OGSCli command line utility to:
• Export Groups to an output XML file
• Import Groups to Grouping Server from an input XML file
You should have Network Administrator, System Administrator, or Super Admin privileges to use
OGSCli command line utility.
OGSCli runs in only Batch mode. It runs the specified command and exits to the prompt after the
command is run.
• Exporting Groups Through CLI
• Importing Groups Through CLI

OL-25947-01 A-27
Exporting Groups Through CLI

To export groups through CLI:

Step 2 Enter either one of the following:
• NMSROOT/bin/OGSCli.sh -u CiscoPrime_Username (on Solaris/Soft Appliance)
Or
• NMSROOT\bin\OGSCli -u CiscoPrime_Username (on Windows)
where,
CiscoPrime_Username is the login username of a Cisco Prime user.
For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems.
The system prompts you to enter your Cisco Prime password.
Step 3 Enter your Cisco Prime password.
The system prompts you to enter a task name, import or export. The default task is export.
Step 4 Enter export.
The system prompts you to enter an output file name.
Step 5 Enter a file name for export output file with its absolute path name.
If you do not enter file name with its absolute path name, the export file will be stored on \nmsroot\bin.
A warning message appears indicating that the selected file will be overwritten with the new information
on exported groups.
The system uses the file name that you have entered to generate the output XML file irrespective of
whether the file exists on the server.
You should have the required directory-level permissions where you want to save the output XML file.
You must either enter y to continue or n to exit.
The system prompts you to enter an export group hierarchy.
Step 6 Enter All or the export group hierarchy name.
Default value is All.
For example, you can enter the group hierarchy name as /CS@doc-pc2/User Defined Groups/Group1.
The system generates an export format XML file and stores on the specified directory on the server.

A-28 OL-25947-01
Importing Groups Through CLI

To import groups through CLI:

Step 2 Enter either one of the following:
• NMSROOT/bin/OGSCli.sh -u CiscoPrime_Username (on Solaris/Soft Appliance)
Or
• NMSROOT\bin\OGSCli -u CiscoPrime_Username (on Windows)
where,
CiscoPrime_Username is the login username of a Cisco Prime user.
For example, you can enter /opt/CSCOpx/bin/OGSCli.sh -u admin on Solaris/Soft Appliance systems.
The system prompts you to enter your Cisco Prime password.
Step 3 Enter your Cisco Prime password.
The system prompts you to enter a task name, import or export. The default task is export.
Step 4 Enter import.
The system prompts you to enter the input XML filename.
Step 5 Enter the input XML filename with its absolute path name.
The system lists the groups to be imported from the source XML file.
Step 6 Enter your choices using the item numbers displayed for the listed groups.
You can enter one or more item numbers separated by comma.
The system lists the Grouping Server locations where you can import the groups.
Step 7 Enter your choices using the item numbers displayed for the listed Grouping Servers.
You can enter one or more item numbers separated by comma. You must enter 1 to import the selected
groups to all listed servers.
A message appears indicating whether the import of groups is successful.
See Exporting Groups for the possible causes for the import groups job to fail.

OL-25947-01 A-29
Deleting Stale Groups Using CLI
Deleting Stale Groups Using CLI

You can delete groups that belonged to users removed from Cisco Prime. To delete a stale group, you
must run the DeleteStaleGroups utility.
To run the DeleteStaleGroups utility:
On Windows:
Step 1 Enter NMSROOT\bin

Step 2 Enter DeleteStaleGroups -user username -pfile passwordfile -staleuser StaleUser
Step 1 Enter NMSROOT/bin

Step 2 Enter DeleteStaleGroups.sh -user username -pfile passwordfile -staleuser StaleUser
The explanation for these optional entries are as follows:

-user: Current user who has the necessary privileges to delete groups.
-pfile: Absolute Path of the text file with Cisco Prime login password of the current user, in one line.
-staleuser: The user whose group has to be deleted.
If you run the DeleteStaleGroups utility without specifying any of these optional entries, all the stale
groups will be deleted.
User Tracking Command Line Interface

You can run User Tracking commands from the command line in Solaris/Soft Appliance and
Windows 2000.
Enter ut -cli options -u username -p password.
The options can be one or more of those shown in Table A-1.
• Use the -prompt command if you do not want to enter your password from the command line. Using
-prompt prevents other users from running ps and seeing your password.
• The -host option is required when you run the CLI command on a remote LMS Server.

A-30 OL-25947-01
Table A-1 User Tracking CLI Commands
Option Arguments Function

-prompt No keywords or This command is required if you do not enter your
arguments. password from the command line.
If -prompt is specified, User Tracking prompts you to
enter your password.
-help No keywords or Prints the command line usage.
arguments.
-ping {enable | disable} Enables the Ping Sweep option so that the ANI Server
pings every IP address on known subnets before
discovery. The default is the last setting used.
User Tracking does not perform Ping Sweep on large
subnets, for example, subnets containing Class A and B
addresses.
Hence, ARP cache might not have some IP addresses
and User Tracking may not display the IP addresses.
In larger subnets, the ping process leads to numerous
ping responses that might increase the traffic on your
network and result in extensive use of network
resources.
To perform Ping Sweep on larger subnets, you can:
• Configure a higher value for the ARP cache
time-out on the routers.
To configure the value, you must use the
arp time-out interface configuration
command on devices running Cisco IOS.
• Use any external software, which will enable you to
ping the host IP addresses.
This ensures that when you run User Tracking
Acquisition, the ARP cache of the router contains
the IP addresses.
-performMajorAcquisition No keywords or Acquires data about all users and hosts on the network
arguments. and updates the LMS database.
This option starts an acquisition but does not wait for it
to complete.

OL-25947-01 A-31
Table A-1 User Tracking CLI Commands (continued)

-query This option takes one of Queries the Topology and Layer 2 services module
the following database and updates the User Tracking table.
arguments:
all Gets all User Tracking entries. Similar to “All Host
Entries” or a simple query in the GUI.
name Runs the named advanced or simple query, created
earlier in the GUI.
dupMAC Finds duplicate MAC addresses.
dupIP Finds duplicate IP addresses.
hub Finds ports with multiple MAC addresses (hubs).
-queryPhone all Gets all IP Phone entries.
name Runs the named advanced query, created earlier in the
GUI.
-layout layout_name Uses the specified main table layout while performing a
query to fetch User Tracking display entries.
-layoutPhone layout_name Uses the specified IP phone table layout while
performing a query to fetch IP phone display entries.
-host ANI Server device name Specifies the host name or IP address of the LMS
or IP Address Server.
Use this argument when you need to run the CLI
command on a remote LMS Server.
-port ANI Server web port Specifies the web server port number of the ANI Server.
number The default is 1741.
-export filename Exports data to a text file.
You must first specify the -query option to fetch the
data that you want to export.
-import filename Imports lost or deleted UserName and Notes fields from
the last exported file.
-importMACToAcceptableOUI filename Imports MACs and converts them to OUI and adds the
MACs to the Acceptable OUI List.
For example:
cd NMSROOT/bin ut -cli
-importMACToAcceptableOUI filename -u username
-p password
-stat No keywords or Displays statistical information, such as time of last
arguments. acquisition, acquisition status, number of records in the
User Tracking database, and so on.
-debug No keywords or Enables trace and debug messages for the User Tracking
arguments. client application.

A-32 OL-25947-01
Table A-1 User Tracking CLI Commands (continued)

-wireless No keywords or Displays detailed information on Wireless clients
arguments. connected to the network.
If you enter this option along with the export option,
data can be exported to a text file.
For example:
NMSROOT/campus/bin ut -cli -wireless -export
c:/sample -u username -p password
-switchPortCapacity For complete details on this, see Exporting Switch Port Usage Report.
-switchPortreclaimreport For complete details on this, see Exporting Switch Port Usage Report
-switchPortSummary For complete details on this, see Exporting Switch Port Usage Report
For details on Lookup Analyzer Script, see Using Lookup Analyzer Utility

OL-25947-01 A-33
Exporting Switch Port Usage Report

Switch Port Capacity report lists switches whose utilization percentage falls in the specified range.
Switch Port Reclaim reports lists:
• Ports that are administratively up or down
and
• Ports that were previously connected to an endhost or a device but are unconnected at least for a
period of one day.
Switch port usage reports can be generated from the command prompt as given in Table A-2:
Table A-2 Switch Port Reports from the Command Prompt
Purpose Command
Switch Port Capacity Report
To generate reports where the utilization is NMSROOT/campus/bin ut -cli
less than the specified percentage (for all -switchPortCapacity lessthan 60 -devices all
devices managed by LMS) -export c:/sample -u username -p password
less than the specified percentage (for -switchPortCapacity lessthan 60 -devices
specific devices) 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u
username -p password
greater than the specified percentage (for all -switchPortCapacity greaterthan 60 -devices all
devices managed by LMS) -export c:/sample -u username -p password
greater than the specified percentage (for -switchPortCapacity greaterthan 60 -devices
specific devices) 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u
To generate reports where the utilization falls NMSROOT/campus/bin ut -cli
between the specified range (for all devices -switchPortCapacity between 10 60 -devices all
managed by LMS) -export c:/sample -u username -p password
To generate reports where the utilization falls NMSROOT/campus/bin ut -cli

between the specified range (for specific -switchPortCapacity between 10 60 -devices
devices) 10.77.2.1,10.77.3.4,10.77.5.6 -export c:/sample -u

A-34 OL-25947-01
Using Lookup Analyzer Utility
Table A-2 Switch Port Reports from the Command Prompt
Purpose Command
Switch Port Reclaim Report Generates reports for unused ports that are in up or
down state.
To generate Reclaim Unused Up Ports report NMSROOT/campus/bin ut -cli
(for all devices managed by LMS) -switchPortReclaimReport type up days 2
-devices all -export c:/sample -u username -p
password
To generate Reclaim Unused Up Ports report NMSROOT/campus/bin ut -cli
(for specific devices) -switchPortReclaimReport type up days 2
-devices 10.77.1.2,10.77.3.4 -export c:/sample -u
To generate Reclaim Unused Down Ports NMSROOT/campus/bin ut -cli
report (for all devices managed by LMS) -switchPortReclaimReport type down days 2
-devices all -export c:/sample -u username -p
password
To generate Reclaim Unused Down Ports NMSROOT/campus/bin ut -cli
report (for specific devices) -switchPortReclaimReport type down days 2
-devices 10.77.1.2,10.77.3.4 -export c:/sample -u
Switch Port Summary Report Generates reports that gives the number of Connected,
Free, and Free down ports in each switch.
To generate Switch Port Summary report for NMSROOT/campus/bin ut -cli
all devices -switchPortSummary -devices all -export
c:/sample -u username -p password
To generate Switch Port Summary report for NMSROOT/campus/bin ut -cli
select devices -switchPortSummary -devices 10.77.1.2,10.77.3.4
-export c:/sample -u username -p password
where NMSROOT is the directory where you installed Cisco Prime.
Note The above commands can be run in a Solaris/Soft Appliance machine. To run the same commands in
Windows, replace all forward slash (/) with reverse slash (\).
The report generated by the above options is saved as a file in the CSV format, at the specified location.
You can generate various Switch Port Usage reports, select Reports > Switch Port.

Lookup Analyzer is a utility used to analyze the performance of DNS servers and provide the following
information:
• DNS Server Efficiency for each DNS Server
• Overall Summary of DNS Servers

OL-25947-01 A-35
• Namelookup related settings in ut.properties file

• Issues found and recommendations to overcome them
The utility file is NMSROOT/campus/bin/LookupAnalyzer.sh
If dir is the directory where the file is present, run the following command to run the utility:
dir# ./LookupAnalyzer
For Windows:
The utility file is NMSROOT\campus\bin\LookupAnalyzer.bat
If dir is the directory where the file is present, run the following command to run the utility:
dir> LookupAnalyzer
Example output of the Lookup Analyzer script:
Host IP: 172.20.123.74, DNS Server: 64.104.76.247, Time taken: 35, Status: FAILURE
Host IP: 172.20.123.74, DNS Server: WINS, Time taken: 22, Status: FAILURE
Host IP: 10.77.209.254, DNS Server: 64.104.128.248, Time taken: 18, Status: FAILURE
..
..
DNS Server : 64.104.128.248
Success Count: 12
Failure Count: 76
Failure % : 86 %
Total Time : 1 secs 561 ms
Min Time : 0 ms
Max Time : 52 ms
Avg Time : 17 ms
Server Efficiency(successCount/totalTime): 7.0
--------------------------------
DNS Server : 64.104.76.247
Success Count: 0
Failure Count: 76
Failure % : 100 %
Total Time : 2 secs 729 ms
Min Time : 0 ms
Max Time : 61 ms
Avg Time : 35 ms
--------------------------------
DNS Server : WINS
Success Count: 0
Failure Count: 76
Failure % : 100 %
Total Time : 750 ms
Min Time : 0 ms
Max Time : 23 ms
Avg Time : 9 ms
--------------------------------
Overall Summary
-----------------
Success Count: 12
Failure Count: 76
Failure % : 86 %
-----------------
Current Namelookup Related Settings
---------------------------------
UTMajorUseDNSSeperateThread: false
UT.nameResolution: both

A-36 OL-25947-01
Understanding UTLite
UT.nameResolution.threadCount: 1
UT.nameResolution.winsTimeout: 2000
UT.nameResolution.threadThresholdPercentage: 10
UT.nameResolution.dnsTimeout: 2000
UTMajorUseDNSCache: false
nameserver.usednsForUT: true
DB.dsn: ani
---------------------------------
ISSUES/RECOMMENDATIONS
-----------------------
Issue #1: Failure Percent is greater than 20%
Recommendation: Check all DNS/WINS entries and ensure proper hostnames are configured
Issue #2: DNS reverse lookup is NOT done as separate process

Recommendation: Enable UTMajorUseDNSSeperateThread=true in ut.properties
Issue #3: Name Resolution DNS server order is not optimal

Recommendation: Change dns server order as 64.104.128.248=7.0, 64.104.76.247=0.0,
WINS=0.0,
Other Recommendations:
* If hostnames in your network are less likely to change often, set
UTMajorUseDNSCache=true
* If reverse lookup failure % is more, try increasing UT.nameResolution.winsTimeout,
UT.nameResolution.dnsTimeout and UT.nameResolution.threadThresholdPercentage
* Optimal timeout values are: UT.nameResolution.winsTimeout=0,
UT.nameResolution.dnsTimeout=48
The script can also be run by setting properties in the ut.properties file.
UTLite is a utility that allows you to collect user names from Primary Domain Controllers, Active
Directory, and Novell servers.
To do this you need to install UTLite in the Windows Primary Domain Controllers and in the Novell
servers. You can also install UTLite in an Active Directory server.
UTLite sends traps to LMS whenever a user logs in or logs out. UTLite traps are processed by LMS at
the rate of 150 traps per second, with a default buffer size of 76800.
If you need a higher trap processing rate, say 300 traps per second, increase the buffer size to 102400.
To increase the buffer size:
Step 1 Enter pdterm UTLITE at the command line to stop the UTLite process.
Step 2 Open utliteuhic.properties located at
NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\
Step 3 Set Socket.portbuffersize=102400
Step 4 Enter pdexec UTLITE at the command line to start the UTLite process.
Caution Increasing the buffer size beyond 102400 results in performance degradation of UTLite.

OL-25947-01 A-37
To receive UTLITE events:
Step 1 Open utliteuhic.properties located at

NMSROOT\campus\lib\classpath\com\cisco\nm\cm\ut\uhic\utlite\properties\
Step 2 Change the property of URTlite state by changing the value from "URTlite.state=disable" to
"URTlite.state=enable".
Or
You can change the property of URTlite state by launching LMS. Select the Acquisition Settings option
from Admin > Collection Settings > User Tracking > Acquisition Settings. The Acquisition Settings
page appears. In the Acquisition Settings page, check the Get user names from hosts in NT and NDS
domains and click Apply.
Note The servers should be DNS resolvable to get the events from the clients. Else we have to make entry in
%WINDIR%\system32\drivers\etc\hosts.
The UTLite script is supported on these platforms:

• Windows NT
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Novell Directory Services (NDS)
• Windows 7 (Client OS support)
The UTLite script is not supported on these UNIX hosts:
• Solaris
• HP-UX
• AIX
• Installing UTLite Script on Active Directory/Windows
• Installing UTLite Script on NDS
• Uninstalling UTLite Scripts From Windows
• Uninstalling UTLite Scripts From Active Directory
• Uninstalling UTLite Scripts From NDS
Installing UTLite Script on Active Directory/Windows

You must install the UTLite script on the Active Directory server and update the server’s logon script to
get user logon information from Active Directory hosts.

A-38 OL-25947-01
You must have Administrator privileges on the Active Directory server to install the UTLite logon script.
To install the script:
Step 1 Copy the required files to the Active Directory server:

a. Log into the Active Directory server as Administrator.
b. Obtain the UTLite files from the Server Configuration:
NMSROOT\campus\bin\UTLite33.exe
NMSROOT\campus\bin\UTLiteNT.bat
where NMSROOT is the directory in which you installed Cisco Prime.
c. Copy the UTLiteNT.bat and UTLite33.exe files into the NETLOGON folder.
NETLOGON is located at:
%SystemRoot%\sysvol\sysvol\domain DNS name\scripts,
where %SystemRoot% is usually c:\winnt and domain DNS name is the DNS name of the domain
Note For Windows 2000 and NT servers, the NETLOGON folder is located at:
%SYSTEMROOT%\system32\Repl\Import\Scripts
Step 2 Edit the UTLiteNT.bat file:

a. Open the UTLiteNT.bat file.
b. Locate the following line and replace domain and ipaddress with the domain name of the Windows
domain controller and IP address of the computer running the Campus Manager server:
start %WINDIR%\UTLite33 -domain domain -host ipaddress -port 16236
For example:
start %WINDIR%\UTLite33 -domain cdiclab.cisco -host 192.168.152.228 -port 16236
If port 16236 is already in use, enter a different number. This port number must match the number
that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page
(Select Admin > Collection Settings > User Tracking > Acquisition Settings).
For more details, see Modifying UT Acquisition Settings.
Step 3 Edit the user profile on the Active Directory server to run the UTLiteNT.bat file when users log in to the
network by editing the profile of the user as shown in Figure A-1:

OL-25947-01 A-39
Figure A-1 Active Directory User Profile
Here, in the User profile section of the window, the Profile path is set to be:
C:\windows\sysvol\sysvol\domain\scripts
The Logon script is set to be:
UTLiteNT.bat
Step 4 Update the domain controller logon script for each Windows domain that you add.
The first time users log into the network after you edit this script, UTLite33.exe is copied to the local
WINDIR directory on their Windows client system.
Installing UTLite Script on NDS

You must install the UTLite script on the Novell Server and update the domain controller logon script,
to get user logon information from Windows hosts. You only need to do this once for each domain.
You must have ZenWorks installed and running on the Novell Server, and you must be using NDS 5.0 or
later.
To install the script:
Step 1 Copy the required files to the Novell Server.

Step 2 Log into the Novell Server as Administrator.

A-40 OL-25947-01
Step 3 Obtain the UTLite files from the LMS Server:

• NMSROOT\campus\bin\UTLite33.exe
• NMSROOT\campus\bin\UTLiteNDS.bat
where NMSROOT is the directory in which you installed Cisco Prime.
Step 4 Create a folder in \\Novell Server Name\SYS\public and copy UTLiteNDS.bat and UTlite33.exe to the
folder.
Step 5 Edit the UTLiteNDS.bat file:
Step 6 Open the UTLiteNDS.bat file.
Step 7 Locate the following line and replace domain and ipaddress with the domain name of the Windows
domain controller and IP address of the computer running the LMS server:
start %WINDIR%\UTLite33 -domain domain -host ipaddress -port 16236
If port 16236 is already in use, enter a different number. This port number must match the number
that you entered in the Use Port Number field, in the User Tracking Acquisition Settings page
(Select Admin > Collection Settings > User Tracking > Acquisition Settings).
For more details, see Modifying UT Acquisition Settings.
Edit the logon scripts.
Step 8 Enter \\Novell_Server_Name\SYS\public\NaL.exe at the command prompt.
Step 9 Click NWAdmin32 to run the Novell Netware Administrator program.
Step 10 Right-click on the users or organizational units whose logon scripts you want to modify and select
Details.
Step 11 Click Login Script and enter:
@\\%FILE_SERVER%\sys\public\your_folder_name\UTLiteNDS.bat where your_folder_name is
the name of the folder you created in Step 1.
Uninstalling UTLite Scripts From Windows

If you choose not to have LMS server automatically collect user names, follow these instructions to
properly remove the UTLite scripts. To uninstall the script:
Step 1 Remove UTLiteNT.bat and UTLite33.exe files from each primary domain controller.
Step 2 Remove the call to run UTliteNT.bat from users' logon scripts.
Step 3 Delete UTLite33.exe from the WINDIR directory of all Windows clients.
To quickly locate the WINDIR directory, enter set windir from a command prompt window on each
client.
Uninstalling UTLite Scripts From Active Directory

If you choose not to have LMS server automatically collect user names, follow these instructions to

OL-25947-01 A-41
User Tracking Debugger Utility
Step 1 Remove UTLiteNT.bat and UTLite33.exe files from each Active Directory server.
Step 2 Remove the call to run UTliteNT.bat from users' logon scripts.
Step 3 Delete UTLite33.exe from the WINDIR directory of all Windows clients.
client.
Uninstalling UTLite Scripts From NDS

If you choose not to have LMS server automatically collect user names, you must perform these steps to
Step 1 Remove UTLiteNDS.bat and UTLite33.exe files from the Novell Server.
Step 2 Remove the line added to the login scripts for all users and organizational units.
Step 3 Delete UTLite33.exe from the WINDIR directory of all clients.
client.
User Tracking Debugger Utility

The User Tracking Debugger Utility is a command line tool to help debug common problems with User
Tracking. This section contains:
• Understanding Debugger Utility
• Using Debugger Utility
Understanding Debugger Utility

The utility displays a report on the reasons why User Tracking failed to discover end hosts on specific
ports.
In many cases, User Tracking may not perform as expected. This may be because of problems in other
LMS applications. For instance LMS Server may have devices that are not discovered or inadequate
VLAN discovery in Topology Services.
You can run the utility to troubleshoot problems, or provide the report and log generated by the utility
when you contact TAC for help in diagnosing problems.
The debugger utility uses the data collected by LMS Server and reports the reasons for the missing ports
in User Tracking.
This tool also has an SNMP component embedded which runs an SNMP query for the table as a part of
verification for SNMP failure. For example, SNMP bugs in Catalyst operating system because of which
User Tracking may fail to discover devices.
This generates an Action Report that you can use to analyze the data.

A-42 OL-25947-01
Configuring Switches to Send MAC Notifications to LMS Server
The Debugger Utility:

1. Checks the switch ports in a sequential order.
2. Reports violation of basic rules for each of the missing ports such as link ports and trunk ports.
3. Checks for SNMP retrieval of data, if the ports pass the validity check.
4. Generates an Action Report suggesting possible remedial actions to retrieve the valid missing ports.
Using Debugger Utility

The Debugger Utility is available at $NMSROOT/campus/bin/ (where $NMSROOT is the directory where
you have installed Cisco Prime).
To run the Debugger Utility, run the command:
utdebug -switch switch-ip -port port1[,port2 ...] [-export filename]
where,
switch is the switch to which the end hosts are connected.
ports are the ports on the switch which have missing end hosts User Tracking.
-export filename specifies that the debug messages be stored in the file specified. If this option is not
used, the messages are displayed on the console.
For example,
utdebug -switch 10.29.6.12 -port 5/12
utdebug -switch 10.29.100.10 -port Fa0/10
utdebug -switch 10.29.6.14 -port Gi6
Configuring Switches to Send MAC Notifications to LMS

Server
You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification Traps when a
host is connected to or disconnected from that port. Even if the device is managed with SNMPv3,
Network Topology, Layer-2 Services, and User Tracking, it processes only SNMPv1/SNMPv2 traps.
You can configure the ports only through Command Line Interface (CLI). If you do not have
Configuration Management functionality enabled on your LMS Server, you have to manually configure
the switches for the switches to send MAC Notifications to the LMS server. Ensure that you have
configured System Identity User under Admin > Trust Management > Multi Server > System Identity
Setup and the same username and password is configured under Admin > System > User Management
> Local User Setup.
For a list of commands to be run on each device, see the Appendix Commands to Enable MAC
Notification Traps on Devices.
For complete list of devices supported by LMS, see
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/device_suppo
rt/table/lms42sdt.html

OL-25947-01 A-43
Administration Command Line Interface

This section describes how to administer LMS database from the command line. This is explained in the
following topics:
• Replacing Corrupted Database
• Re-initializing the Database
• Deleting all Active Entries from User Tracking, and Restarting Servers
• Deleting all Inactive Entries from User Tracking, and Restarting Servers
• Deleting all History Entries from User Tracking, and Restarting Servers
• Deleting all User Tracking Entries, and Restarting Servers
• Restoring the Original Data in the Server
• Restoring Data from Another Server
• Performance Tuning Tool
This section also explains SNMP Configuration on Devices
Replacing Corrupted Database

If you have a corrupted database, you can use the database administration tools to restore the database
from a previous backup. However, if you do not have a previous backup, you must re-initialize the
database.
When you run this command, if Data Collection is running, it is automatically stopped and then restarted
when the database initialization is complete.
Caution If you re-initialize the database, information from discovered devices will be lost. However, user and
host information is retained. Replace the database only if recommended by a Cisco technical
representative.
Note Your login determines whether you can use this option.
Re-initializing the Database

From the command prompt or shell window, enter:
• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl
The following message appears:
This will erase all data from the database. Are you sure [y/n] ?
If you enter y, it erases all data (database tables Wbu*...) from the server.

A-44 OL-25947-01
Deleting all Active Entries from User Tracking, and Restarting Servers
• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -active
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -active
where active entries are hosts that are currently logged in
Deleting all Inactive Entries from User Tracking, and Restarting Servers
• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -inactive
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -inactive
where inactive entries are hosts that are currently not logged in
Deleting all History Entries from User Tracking, and Restarting Servers
• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -history
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -history
where history entries are complete entries. That is, hosts that have a login and logout in the past.
Deleting all User Tracking Entries, and Restarting Servers

• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -ut -all
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl -ut -all
Restoring the Original Data in the Server

• On Solaris/Soft Appliance: NMSROOT/campus/bin/reinitdb.pl -restore
• On Windows: perl NMSROOT\campus\bin\reinitdb.pl -restore
Note Before executing the -restore command, you should stop the daemon manager and start again
manually. For details, see Using Daemon Manager.
Restoring Data from Another Server

When you take database backup for LMS in one server and restore it in another server, the NMSROOT
logfile location may not be the same in both servers.
In that case, LMS will log messages to the log file stored in the default NMSROOT location in the
restored machine.

OL-25947-01 A-45
Performance Tuning Tool

When you get out of memory errors in LMS, the following command can be used to tune the
performance:
NMSROOT/bin/perl NMSROOT/campus/bin/CMPTT.pl ProcessName HeapSize MaxPermSize
• ProcessName should be either one of the following:
– ANIServer
– UTMajorAcquisition
• Heap size should be multiples of 512 and should not exceed 1536 MB.
Ensure you have enough swap space in the server before tuning the heap size.
• MaxPermSize will set the JVM MaxPermSize option to 64m.
SNMP Configuration on Devices

SNMP v3 Device Configuration Settings
LMS supports the following Authentication protocols for SNMP v3:
• md5
• SHA
LMS supports the following Privacy protocols for SNMP v3:
• des
• 3des
• aes128
• aes192
• aes256.
For using various LMS features in devices running SNMPv3, you must make specific configurations on
the devices. The commands that need to be configured are:
• Configuring MIB Views
• Configuring Access Groups
• Configuring Device with Context Name
• Configuring a New User
• Configuring Password for a User
• Relating a User to a Group
• Configuring Privacy Protocol
Configuring MIB Views

For Catalyst devices, enter the following command:
set snmp view campusview 1.3.6.1 included nonvolatile
For IOS devices, enter the following command:

snmp-server view campusview oid-tree included

A-46 OL-25947-01
Configuring Access Groups

You must set the access rights for a group with a certain security model in different security levels.
set snmp access campusgroup security-model v3 authentication read campusview write
campusview nonvolatile

snmp-server group campusgroup v3 auth read campusview write campusview access access-list
Configuring Device with Context Name

For Catalyst devices, enter the following commands:
campusview context vlan- prefix nonvolatile
Context exact is also supported. The following is an example:

campusview context vlan-1 exact nonvolatile

snmp-server group campusgroup v3 auth context vlan-1 read campusview write campusview
IOS image versions prior to12.4 support only exact context name.
IOS image versions 12.4 or higher, support both exact or prefix context names.
You need to configure the device with and without context name, since Data Collection manages the
device without context name and User Tracking requires context name to contact the device.
Configuring a New User

set snmp user campususer authentication md5

snmp-server user campususer campusgroup v3 auth md5 password1
Configuring Password for a User

set snmp user campususer authentication md5 password1

snmp-server user campususer campusgroup v3 auth md5 password1

OL-25947-01 A-47
Relating a User to a Group

Using a specified security model you can relate a user to a group.
set snmpw group campusgroup user campususer security-model v3 nonvolatile

snmp-server user campususer campusgroup v3
Configuring Privacy Protocol

For Catalyst devices:
set snmp user campususer authentication md5 password1privacy des password2
For IOS devices:

snmp-server user campususer campusgroup v3 auth md5 password1 priv des password2
Configuring SNMP view to prevent %SNMP-3-AUTHFAIL Syslog due to polling of shutdown VLANs
Due to the limitation of stpxPVSTVlanEnable mib object, data collection polls shut down VLANs for
fetching STP related data which will enable the device to trigger %SNMP-3-AUTHFAIL Syslogs. In
order to avoid the polling of shut down VLAN, SNMP-VACM-MIB view has to be created in the device,
associated with SNMP credential and the property vacmContextNameEnabled has to be set to 1 in LMS.
You can enable it by creating a view and by including and excluding MIBs. To create a SNMP view:
Step 1 Create a SNMP view as follows in device x:

snmp-server view <view-name> iso included
snmp-server view <view-name> internet included
snmp-server view <view-name> internet.6.3.15 excluded
snmp-server view <view-name> w1 internet.6.3.16 excluded
snmp-server view <view-name> internet.6.3.18 excluded
snmp-server view <view-name> cTapMIB excluded
snmp-server view <view-name> internet.6.3.16.1.1 included
Step 2 Associate the view with SNMP v2 RO community string.
snmp-server community <community string> view <view-name> RO
Step 3 Shut down a vlan in device x.
Step 4 In ANIServer.properties, set vacmContextNameEnabled=1 and restart ANIServer.
Step 5 Run DC for device x.
Note During data collection LMS is quering vacmContextName variable of SNMP-VACAM-MIB. From this
MIB variable LMS can find out which vlans are in shut down state so that LMS will try to connect to
that vlan context. This MIB will be not supported by the device by default.

A-48 OL-25947-01
In LMS, by default the property vacmContextNameEnabled in ANIServer.properties under

NMSROOT/campus/ect/cwsi has the value 0. This value has to be changed to 1 and then restart the
daemons.
Note The device side configuration has to be done on all the devices in the network before changing the
property in LMS. Otherwise some of the features will not work in Topology and Layer2 Services.

OL-25947-01 A-49

A-50 OL-25947-01
A P P E NDIX B
Troubleshooting and FAQs
This section provides the following information for the Administration module of LMS:
• Troubleshooting Guidelines
• Frequently Asked Questions
Troubleshooting Guidelines
This section provides guidelines on the following:
• Troubleshooting User Tracking
• Troubleshooting the Cisco Prime LMS Server
Troubleshooting User Tracking

Use the information in Table B-1 to troubleshoot the User Tracking application.
Table B-1 Troubleshooting User Tracking
Symptom Probable Cause Possible Solution

User Tracking cannot discover any There may not be information in the For more details, see
users or hosts LMS database.
• Discovering Devices in Inventory
or The device might not be part of DCR and Management with Cisco Prime LAN
you must run Device Discovery and Management Solution 4.2
User Tracking cannot display any
Data Collection.
IP phones. • Administering Data Collection
User Tracking cannot discover The LMS server might not have 1. Check the Topology services for the
certain users or hosts. discovered one or more devices to which missing devices
users and hosts are connected.
2. Ensure that CDP and SNMP are enabled
on the devices, rediscover these devices,
3. Verify that they appear on the topology
view.

OL-25947-01 B-1
Appendix B Troubleshooting and FAQs
Table B-1 Troubleshooting User Tracking (continued)
Symptom Probable Cause Possible Solution

User Tracking cannot discover The LMS server might not have 1. Check the Topology services for the
certain IP phones. discovered the specific Media missing MCS that runs the instance of
Convergence Server (MCS) that runs the Cisco CallManager to which the phones
instance of Cisco CallManager to which are registered.
the IP phones are registered.
2. Ensure that Cisco CallManager is shown
as a service running on the MCS and is
discovered by the LMS Server.
3. Rediscover all IP phones.
User Tracking table does not User Tracking cannot find the most Enable Ping Sweeps when User Tracking
contain device name, IP address, recent network information. performs Discovery. Ping Sweeps are enabled
and subnet information for some Network changes are not currently
by default.
hosts. reflected in ARP information (routers) To perform Ping Sweep on larger subnets, you
or bridge tables (switches). can either:
User Tracking does not perform Ping • Configure a higher value for the ARP
Sweep on large subnets; for example, cache time-out on the routers.
subnets containing Class A and B
To configure the value, you must use the
addresses.
arp time-out interface configuration
Hence, ARP cache might not have some command on devices running Cisco IOS.
IP addresses and the User Tracking may
Or
not display the IP addresses.
• Use any external software, which will
In larger subnets, the ping process leads
enable you to ping the host IP addresses.
to numerous ping responses that might
increase the traffic on your network and This will ensure that when you run User
result in extensive use of network Tracking Acquisition, the ARP cache of
resources. the router contains the IP addresses.
You have: A complete Device Discovery process 1. Run Device Discovery.
has not run since you added your
• Made changes to the network. 2. Run a complete Data collection.
changes.
• Run User Tracking Major 3. Generate a new report after data
User Tracking Major Acquisition is not
Acquisition. collection is complete to see the changes.
a full network discovery. The process
The changes do not appear in discovers only the user and host data in
the User Tracking display. your network.
Changes that you make to your network
might not appear after a User Tracking
Major Acquisition.
Troubleshooting the Cisco Prime LMS Server

Use these tools and suggestions to diagnose problems with the Cisco Prime LMS server:
• Verifying Server Status
• Troubleshooting Suggestions

B-2 OL-25947-01
Verifying Server Status

There are several tools that enable you to gather and analyze information about your Cisco Prime LMS
Server. See Table B-2 and Table B-4.
Table B-2 Server Status
Task Purpose Action

Administrative Tasks
Perform self test. Runs self-tests and Select Admin > System > Server Monitoring >
generates a report with the Selftest.
results.
All Users
Check process Checks whether back-end Select Admin > System > Server Monitoring >
status. processes are in an interim Processes.
state.
Collect server Provides system Select Admin > System > Server Monitoring >
information. information, environment, Collect Server Information
configuration, logs, and Or
web server information.
• NMSROOT\bin\perl
NMSROOT\bin\collect.info (on Windows)
• NMSROOT/bin/perl
NMSROOT/bin/collect.info (on
where NMSROOT is the directory where you
installed Cisco Prime.

OL-25947-01 B-3
Table B-2 Server Status
Task Purpose Action

MDC Support The MDC Support utility For Windows go to,
collects:
NMSROOT\MDC\bin and run the command:
• Log files MDCSupport.exe
• Configuration settings The utility creates a tar file in NMSROOT\MDC\etc
• Memory information directory.
• Complete system If \etc directory is full, or if you want to preserve the

related information data collected previously by not over writing the tar
file, you may create another directory by running the
• Process status following command:
• Host environment MDCSupport.exe Directory
information
For Solaris/Soft Appliance,
It also collects any other
relevant data, into a 1. Set the LD_LIBRARY_PATH environment
deliverable tar variable to /opt/CSCOpx/MDC/lib:
(compressed form) file to /opt/CSCOpx/lib:
support the MDCs 2. Go to /opt/CSCOpx/MDC/bin and run the
installed. command:./mdcsupport
The MDC Support utility The utility creates a tar file in
also queries CCR for any CSCOpx/MDC/etc directory.
other support utilities
registered, and run them. If \etc directory is full, or if you want to preserve the
data collected previously by not over writing the tar
Other MDCs need to file, create another directory by running the
register their own support following command:
utilities that will collect
their relevant data. ./mdcsupport Directory
Before you close the command window, ensure that
the MDC Support utility has completed its action.
If you close the window prematurely, the subsequent
instances of MDCSupport Utility will not function
properly.
If you happen to close the window, delete the
mdcsupporttemp directory from
NMSROOT\MDC\etc directory, for subsequent
instances to work properly.

B-4 OL-25947-01
Troubleshooting Suggestions
Use the suggestions in Table B-3 to resolve errors or other problems with the Cisco Prime LMS Server.
Table B-3 Troubleshooting Suggestions
Symptom Probable Cause Possible Solutions

Authorization Incompatible browser Verify that you have Accept all cookies enabled. Refer to the installation
required. Please causing cookie failure documentation for supported Internet Explorer and Mozilla Firefox
log in with your (unable to retrieve software and setup procedures.
username and cookie).
password.
Daemon Manager The operating system has Make sure all Cisco Prime processes are terminated (/usr/ucb/ps -auxww
could not start. not yet reallocated the | grep CSCO). Wait five to ten minutes, then try to restart the Daemon
The port is in
use.
port. Manager.
User has forgotten LMS cannot recover A system administrator-level user must either change the password or
his password. forgotten passwords. delete the user account and add it again.
You are logged out of Changes in the login 1. Log into Cisco Prime LMS Server.
the Cisco Prime module configuration file
2. Enter the following commands:
Server. might not be correct.
– NMSROOT\bin\perl NMSROOT\bin\ResetLoginModule.pl
Authentication server
(on Windows)
might be down and there
were no fallback logins – NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl
set. (on Solaris/Soft Appliance)
3. Restart Daemon Manager.
The Log File Status Files need to be backed up 1. Stop all processes.
window displays so that file size will be
2. Enter the log file maintenance commands:
files that exceed their reset to zero.
limit. – NMSROOT\cgi-bin\admin\ (on Windows)
– NMSROOT/cgi-bin/admin/ (on Solaris/Soft Appliance)
3. Restart all processes.
Error message in the Device is not SSH enabled 1. Check whether the device is up or not.
logfile: Connection or the server is not
2. Try connecting to the device with a commercial SSH client.
Refused. Check the authorized to initiate SSH
Device is SSH connection. If you are able to connect, go to step 3.
supported or not. If you are not able to connect, check whether the device is running
SSH enabled (K2 or K9) image.
• If it is not the correct image, download the appropriate image to
the device.
• If you have the correct image, check whether you have created
RSA key pairs in the device. Creating RSA keys will enable SSH
in the device.
3. Check whether your server or network is authorized to initiate SSH
connections to device.

OL-25947-01 B-5
Frequently Asked Questions
Table B-3 Troubleshooting Suggestions (continued)
Symptom Probable Cause Possible Solutions

While launching the The Group Administration Start the Group Administration server from the user interface or from the
Group server is either not running CLI.
Administration page, or yet to be up.
To start the server from the user interface:
the following error
message is 1. Select Admin > System > Server Monitoring > Processes.
displayed: The Process Management Dialog Box appears.
Error in
2. Check the CMFOGSServer check box in the Process Management
communicating with
Group dialog box
Administration 3. Click Start.
Server.
To start the server from the CLI, enter:
NMSROOT/bin/pdexec CMFOGSServer
where NMSROOT is the Cisco Prime LMS Installation directory.
DCRServer is down Check wheter Make sure the following two files have proper content by checking the
and services are not ctm_config.txt file is contents with the sample ctm_config.txt:
starting properly. corrupted.
• /NMSROOT/MDC/tomcat/shared/lib/ctm_config.txt
• /NMSROOT/MDC/tomcat/webapps/cwhp/WEB-INF/lib/ctm_config.tx
t
where NMSROOT is the Cisco Prime LMS Installation directory.
Sample ctm_config.txt
SERVER_PORT=40050
MAX_VM_PORTS=20
MAX_THREADS=100
CTM_SSL=1
CTM_URL=:443/cwhp/CTMServlet
MAX_VM_CLIENT_CONNECTION=25
REGISTRY_LOCATION=NMSROOT\\MDC\\tomcat\\webapps\\cwhp\\W
EB-INF\\lib
See Installing and Migrating to Cisco Prime LAN Management Solution 4.2 for troubleshooting tips on
Cisco Prime installation.

This section provides FAQs on the following:
• User Tracking FAQs
• VRF Lite FAQs
• Cisco Prime LMS Server FAQs
• Fault Management FAQs

B-6 OL-25947-01
• Device Performance Management FAQs

• IPSLA Performance Management FAQs
User Tracking FAQs

This section lists the FAQs on User Tracking:
• Q.Why are outdated entries appearing in my User Tracking table?
• Q.How does User Tracking acquisition process differ from that of the LMS Server?
• Q.How does User Tracking user and host acquisition process work?
• Q.Why is User Tracking not performing Ping Sweeps on some subnets?
• Q.How long does User Tracking maintain data?
• Q.Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP)
devices?
• Q.Where does User Tracking log errors?
• Q.Why am I getting a parse error when trying to parse some of the output files?
• Q.Why is user tracking not discovering end hosts that are connected to port-channels?
Q. Why are outdated entries appearing in my User Tracking table?

A. Outdated entries result when:
– A user or host is assigned to new VLAN/port/VTP domain.
– A power failure occurred.
– A workstation has been switched off or removed from the network.
User Tracking does not automatically delete outdated end-user host entries. To delete these entries:
– Manually delete selected entries.
Or
– Configure delete interval for purging old records more than the given number of days.
– Select Admin > Network > Purge Settings > User Tracking Purge Policy
Q. How does User Tracking acquisition process differ from that of the LMS Server?
A. User Tracking is a LMS client application. The LMS Server provides several types of global
discoveries, including:
– Device and physical topology acquisition, resulting in baseline network information such as
device identity, module and port information, and physical topology. This type of acquisition is
required for logical, user, and path acquisition.
– User acquisition, resulting in information about users and hosts on the network.
The LMS Server stores this information in the database. User Tracking discovers the host and user
information in the LMS server database, correlates this information, and displays it in the User
Tracking Reports.
For more information about the various acquisition processes, see Various Acquisitions in User
Tracking.

OL-25947-01 B-7
Q. How does User Tracking user and host acquisition process work?
A. Before collecting user and host information, LMS must complete Data Collection. After the
completion of Data Collection User Tracking performs steps described in Table B-4.
Table B-4 User Tracking User and Host Acquisition Process
Process Description
Performs Ping Sweeps Pings all IP addresses on all known subnets, if you have Ping Sweeps
enabled (the default).
This process updates the switch and router tables before User Tracking
reads those tables. This ensures that User Tracking displays the most
recent information about users and hosts.
Obtains MAC addresses from Reads the switch's bridge forwarding table.
switches
The bridge forwarding table provides the MAC addresses of end
stations, and maps these MAC addresses to the switch port on which
each workstation resides.
Obtains IP and MAC Reads the Address Resolution Protocol (ARP) table in routers to
addresses from routers obtain the IP and corresponding MAC addresses.
Obtains hostnames Performs a Domain Name Service (DNS) lookup to obtain the
hostname for every IP address.
Obtains usernames Attempts to locate the users currently logged in to the hosts and tries
to obtain their username or login ID.
Records discovered Records the discovered information in the LMS database.
information
Q. Why is User Tracking not performing Ping Sweeps on some subnets?

A. The criterion for whether or not User Tracking performs Ping Sweeps on a subnet is the number of
hosts in the subnet:
You must check if you have excluded the subnets from Ping Sweep.
If a subnet has 256 or fewer hosts, User Tracking performs Ping Sweeps on that subnet. User
Tracking does not perform Ping Sweeps on the subnets, which have more than 256 hosts.
If Ping Sweeps are not performed, User Tracking still obtains information from the router and switch
mapping tables during a discovery. For more details on Ping Sweep, see Notes on Ping Sweep
Option.
Q. How long does User Tracking maintain data?

A. It depends on the delete interval you have set. For more details, see Deleting User Tracking Purge
Policy Details.
Q. Does User Tracking discover users and hosts connected to non-Cisco Discovery Protocol (CDP)
devices?
A. LMS does not manage non-CDP devices. Hence User Tracking will not discover users and hosts in
the network connected to non-CDP devices.

B-8 OL-25947-01
Q. Where does User Tracking log errors?

A. User Tracking major acquisition errors are logged in the User Tracking error log. Data Collection
errors are logged in the respective log file. The log files are located at
Solaris/Soft Appliance : /var/adm/CSCOpx/log
Windows: NMSROOT\log
Where NMSROOT is the directory where you have installed Cisco Prime.
Q. Why am I getting a parse error when trying to parse some of the output files?
A. A few classes in Optical switches contain special characters with ASCII code higher than 160. Most
of the XML parsers do not support these characters and hence fail to parse them.
To overcome this, you have to manually search for those elements with special characters and
append CDATA as given in the example below:
If there is an element
<checksum> ¢Úo </checksum>
Change it to:
<checksum> <![CDATA[¢Úo ]]> </checksum>
Q. Why is user tracking not discovering end hosts that are connected to port-channels?
A. LMS supports only PAgP protocol configured ether-channel ports. User tracking discovers only
those end hosts that are connected to port-channels which are configured with PAgP protocol. LMS
does not support LACP protocol for IOS devices.
Nexus devices do not support the PAgP protocol. Hence LMS supports LACP protocol only for
Nexus devices. Devices using LACP protocol ether channel do not support topology view and user
tracking end discovery and other LMS features.
VRF Lite FAQs

This section lists the FAQs on VRF Lite:
• Q.What is VRF Lite ?
• Q.What is Network Virtualization?
• Q.What are the pre-requisites to manage a device using VRF Lite?
• Q.The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired
device is not listed in the device selector for the VRF Lite configuration workflows. What is the
reason for a device not listed in the device selector?
• Q.What are the different categories in which the devices are managed by Virtual Network Manager?
Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
• Q.Sometimes, while performing VRF Lite configuration, I get the following message:
• Q.What are the details of the VRF Lite log files? In which location are the VRF Lite log files
located?
• Q.When is the VRF Lite Collection process triggered?
• Q.After the completion of the Data collection process, the VRF Lite Collector failed to run, What is
the reason for failure?
• Q.How can I configure SNMP timeout and retries details for VRF Lite?

OL-25947-01 B-9
• Q.What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in
the Create VRF Lite and Extend VRF Lite workflows ?
• Q.How do I enable the debug messages for Virtual Network Manager?
• Q.Why are some port-channels not discovered in VRF Lite?
• Q.What are the processes newly introduced for VRF Lite ?
• Q.What is tested number of devices support in VRF Lite?
• Q.What are the property files associated with VRF Lite?
• Q.In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow,
why are values for the IP Address and SubnetMask fields empty?
• Q.What is protocol order for configuration workflows?
• Q.What is protocol ordering for troubleshooting?
• Q.If you configure commands to be deployed to two different devices, will the commands be
deployed parallelly or serially?
• Q.Which VRF Lite configuration jobs that are failed can be retried?
• Q.Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
• Q.Why the FHRP and DHCP configurations are not shown in VRF Lite?
Q. What is VRF Lite ?

A. Virtual Routing and Forwarding Lite (VRF Lite) is the one of the simplest form of implementing
virtualization technology in an Enterprise network. A Virtual Routing and Forwarding is defined as
VPN routing/forwarding instance. A VRF Lite consists of an IP Routing table, a derived forwarding
table, a set of interfaces that use the forwarding table and set of routing protocols that determine
what goes into the forwarding table. VRF Lite is an application that allows you to pre-provision,
provision and monitor Virtual Routing and Forwarding-Lite (VRF Lite) technology on an enterprise
network.
Q. What is Network Virtualization?

A. Virtualization deals with extending a traditional IP routing to a technology that helps companies
utilize network resources more effectively and efficiently. Using virtualization, a single physical
network can be logically segmented into many logical networks. The virtualization technology
supports multiple virtual routing instances of a routing table to exist within a single routing device
and work simultaneously.
Q. What are the pre-requisites to manage a device using VRF Lite?

A. The pre-requisites to manage a device in VRF Lite are:
1. The device must be managed by LMS.
2. The device must either be L2/L3 or L3 device
3. The devices failing to satisfy pre-requisite # 1 or #2, are not displayed in VRF Lite.
The device must have the necessary hardware support. For more information on hardware support,
see
http://www.cisco.com/en/US/products/sw/cscowork/ps563/products_device_support_tables_list.ht
ml.
If the device hardware is not supported then the device will be classified as Other devices
4. If a device supports MPLS VPN MIB, it is classified as a capable device.

B-10 OL-25947-01
5. VTP Server must be support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB,
VRF Lite will not manage VTP Clients.

OL-25947-01 B-11
Q. The device must be managed by LMS to exercise all the functionality of VRF Lite. The desired
device is not listed in the device selector for the VRF Lite configuration workflows. What is the
reason for a device not listed in the device selector?
A. A device is not listed in the device selector due to the following reasons:
All VRF Lite Configuration workflows like Create, Edit, Extend, Delete VRF Lite and Edge VLAN
Configuration.
A device will not be listed in the Device Selector, if a device does not satisfy the pre-requisites as
mentioned in the Configuring Virtual Routing and Forwarding (VRF) in Configuration Management
with Cisco Prime LAN Management Solution 4.2.
If VRF Lite Configuration workflow is either Edit VRF Lite, or Delete VRF Lite or Edge VLAN
Configuration then a device will not be listed in the Device Selector, if a device is not participating
in the selected VRF Lite.
In the Readiness Report, a device listed as a supported device may be because it is not managed by
LMS. You can check if a device is managed by using the Device Management State Summary
(Inventory > Device Administration > Manage Device State).
In Extend VRF Lite workflow, the devices listed in the Device Selector are the devices that are not
participating in the selected VRF Lite.
In Edge VLAN Configuration workflow, the devices listed in the Device Selector are only L2/L3
devices that are not participating in the selected VRF Lite.
Q. What are the different categories in which the devices are managed by Virtual Network Manager?
Or what criteria are used by Virtual Network Manager to categorize the devices in the network?
A. Virtual Network Manager identifies the devices based on the minimum hardware and software
support required to configure VRF Lite on the devices.
Based on the available hardware and software support in the devices, Virtual Network Manager
classifies the devices into following categories:
– VRF Lite Supported Devices– Represents the devices with required hardware and software
support available to configure VRF Lite on the devices.
– VRF Lite Capable Devices – Represents the devices with required hardware support available.
But the device software must be upgraded to support MPLS VPN MIB. For information on the
IOS version that supports MPLS VPN MIB, refer
http://tools.cisco.com/ITDIT/MIBS/MainServlet.
VRF Lite classifies all the devices from Cat 3k and Cat 4k family of devices as VRF Lite
Capable devices as these devices do not have the required MPLS VPN MIB support.
– Other – Represents the devices without required hardware support to configure VRF Lite.
SysOID of the device needs to be checked.

B-12 OL-25947-01
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
The device(s) with device name(s) are already locked as they are used by configuration workflows.
You cannot configure these devices. Wait for some time Or Ensure the devices are not used by
configuration workflows and free the devices from Admin > Network > Resource Browser.
Or
Selected Device(s) are locked as they are used by configuration workflows. You cannot configure
these devices. Wait for some time OR Ensure the devices are not used by configuration workflows
and free the devices from Admin > Network > Resource Browser.
Can I get the details of the user who has locked the devices to perform VRF Lite configuration?
A. You cannot get the details of user who has locked the devices to perform VRF Lite configurations.
Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located?
A. The following are the details of the VRF Lite log files:
1. Vnmserver.log – This log file logs the messages pertaining to the VRF Lite Server process.
2. Vnmcollector.log – This log file logs the messages pertaining to the VRF Lite collection.
3. Vnmclient.log – This log file logs the messages related to the User Interface.
4. Vnmutils.log – This log file logs the messages pertaining to the utility classes used by VRF Lite
client and server.
The above-mentioned VRF Lite log files are located in the following location:
In Solaris/Soft Appliance : /var/adm/CSCOpx/log/
In Windows: NMSROOT\logs
Q. When is the VRF Lite Collection process triggered?

A. Manually:
You can manually schedule to run the VRF Lite Collection process by:
Providing the setting details using Admin > Collection Settings > VRF Lite > VRF Lite Collector
Schedule option.
Automatically:
If you enable the Run VRF Lite Collector After Every Data Collection in the VRF Lite Collector
Schedule page. The VRF Lite Collection process will be automatically triggered after the
completion of Data Collection.
You can reach the VRF Lite Collector Schedule page using Admin > Collection Settings > VRF
Lite > VRF Lite Collection Settings page.
Q. After the completion of the Data collection process, the VRF Lite Collector failed to run, What is
the reason for failure?
A. Check if the Run VRF Lite Collector After Every Data Collection option is enabled in the VRF
Lite Collector Schedule page. You can reach the VRF Lite Collector Schedule page from Admin >
Network > VRF Lite Collection Settings page.
Q. How can I configure SNMP timeout and retries details for VRF Lite?
A. The SNMP timeout and retries details are configured using Admin > Collection Settings > VRF
Lite > VRF Lite SNMP Timeouts and Retries. By default, all the devices have a timeout of six
seconds and retry attempt of 1 second.

OL-25947-01 B-13
Q. What is the reason for VLANs not getting populated in the VLAN to VRF Lite Mapping page in the
Create VRF Lite and Extend VRF Lite workflows ?
A. The VLAN to VRF Lite Mapping page lists the links connecting the source and the destination
device. The VLANs are not listed in fields displaying the links in the VLAN to VRF Lite Mapping
page because VRF Lite tries to find a free VLAN in the devices connected using a link based on the
following procedure
1. An SVI, VRF Lite searches for free VLANs in the range 1- 1005
2. An SI, VRF Lite searches for free VLANs in the range 1006-4005
Q. How do I enable the debug messages for Virtual Network Manager?

A. You can enable the debugging levels for a particular module using
• Admin > System > Debug Settings > VRF Lite Client Debugging Options.
• Admin > System > Debug Settings > VRF Lite Collector Debugging
• Admin > System > Debug Settings > VRF Lite Server Debugging
• Admin > System > Debug Settings > VRF Lite Utility Debugging
You can manually change the name and the size of the log file. The configuration log files are
available under NMSROOT/MDC/tomcat/webapps/vnm/WEB-INF/classes. The changes made will
be reflected after approximately 60 seconds.
Q. Why are some port-channels not discovered in VRF Lite?

A. VRF Lite does not support port-channel and GRE Tunnel. Also, Currently VRF Lite supports only
802.1Q
Q. What are the processes newly introduced for VRF Lite ?

A. To run VRF Lite , VRF Lite Server process is newly introduced in the application. The VRF Lite
Collector process is executed as a Job.
Q. What is tested number of devices support in VRF Lite?

A. In an Enterprise network, VRF Lite is tested to support the configuration of 32 VRFs with VRF Lite
configuration supported in 550 devices in your network. However, at a given time, you can select up
to 20 devices and configure VRF Lite using the Create, Edit and Extend VRF Lite workflow.
Q. What are the property files associated with VRF Lite?

A. The following property files are associated with VRF Lite:
1. NMSROOT/vnm/conf/VNMClient.properties – This property file is used to provide the settings for
Purge and Home page auto Refresh
2. NMSROOT/vnm/conf/VNMServer.properties – This property file is used to provide the SNMP and
VRF Lite Server settings.
3. NMSROOT/vnm/conf/VRFCollectorSnmp.conf – This property file stores the SNMP Timeout and
Retries that you have configured.
Q. In the Interface to VRF Lite Mapping page for the Create, Edit and Extend VRF Lite workflow, why
are values for the IP Address and SubnetMask fields empty?
A. If the physical interface that links two devices is not configured with an IP Address, then the IP
Address and the SubnetMask fields are empty.

B-14 OL-25947-01
Q. What is protocol order for configuration workflows?

A. Configuration workflow uses the protocol order similar to ordering used by NetConfig in Resource
Manager Essentials.
Choose the NetConfig as Application Name from using Admin > Collection Settings > Config >
Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. What is protocol ordering for troubleshooting?

A. Troubleshooting VRF Lite workflow uses the protocol ordering similar to ordering used by NetShow
in Resource Manager Essentials.
Choose the NetShow as Application Name from using Admin > Collection Settings > Config >
Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. If you configure commands to be deployed to two different devices, will the commands be deployed
parallelly or serially?
A. The commands will be deployed to multiple devices parallelly, where as a series of commands
with-in a single device, will be deployed in serial manner.
Q. Which VRF Lite configuration jobs that are failed can be retried?
A. You can retry all the VRF Lite Configuration jobs which are failed. VRF Lite Configuration jobs are
the jobs pertaining to Create, Edit, Extend, Delete VRF Lite and Edge VLAN Configuration
workflow.
Q. Why is the Monitor Real Time button disabled in the Ping or Traceroute VRF Lite page?
A. The functionality for Monitor Real Time button is provided by IPSLA Performance Management.
This button is enabled only when IPSLA Performance Management is enabled in the local server.
Q. Why the FHRP and DHCP configurations are not shown in VRF Lite?
A. VRF Lite does not fetch the details for the FHRP or DHCP configuration from the device. Also, VRF
Lite won’t put the list of VLANs allowed on a trunk
The Protocols and DHCP Server details for existing or newly created SVIs are not fetched from the
selected devices.
Cisco Prime LMS Server FAQs

The following sections lists the Frequently Asked Questions (FAQs) of Cisco Prime LMS application.
• General
• Security
• Important URLs
• Software Center
• Event Distribution Services and Event System Services
• Backup and Restore
• Database
• Apache and Tomcat

OL-25947-01 B-15
General
The section lists you the general FAQs on LMS:
• Q.Which version of the Java Plug-in should I use for Cisco Prime to function properly?
• Q.Why cannot I start my Cisco Prime application?
• Q.Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
• Q.I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
• Q.Do I need to change the Cisco Prime configuration after changing the IP address?
• Q.How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running
it for a while?
• Q.How do I change the port for osagent in Windows?
• Q.How do I change port for osagent in Solaris?
• Q.How do I ensure that jrm is running fine?
• Q.How do I change the casuser password in Windows?
• Q.How do I change the Cisco Prime user password?
• Q.How do I enable debugging for Session Management Services?
• Q.What does a diskWatcher process do?
• Q.Cisco Prime Time is not synchronized with System time. What should I do?
• Q.How do I change the configuration details of the server after installing LMS Soft Appliance?
• Q.How can I increase the timeout value of Cisco Prime LMS user interface?
• Q.How should I change the syslog port of Cisco Prime from 514 to another number?
• Q.What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
• Q.How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
• Q.Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
• Q.In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
• Q.What are the specific ports required for Internet HTTP features?
• Q.Why is the device name not available in the home page after importing?
• Q.How do you ensure to register using a template and launch the links properly?
• Q.I am getting timeout exception in cmdsvc (command service library) during a device
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
• Q.What should I do when the TAC Service Requests feature that displays my current Cisco.com TAC
tickets does not use the proxy to connect, even after setting the proxy in proxy server setup?
• Q.I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly
in FF, what could be the reason?
Q. How do I change the IP address of the Cisco Prime LMS Server after installing it, or after running
it for a while?
A. You can change the IP address on the server, and then access it using the new IP address.

B-16 OL-25947-01
To change the IP address on Windows:
Step 1 Click Start > Settings > Network and Dial-up Connections > Local Area Connection.
The Local Area Connection Status dialog box appears.
Step 2 Click Properties.
The Local Area Connection Properties dialog box appears.
Step 3 Select Internet Protocol (TCP/IP) and click Properties.
The Internet Protocol (TCP/IP) Properties dialog box appears.
Step 4 Select the radio button Use the following IP address.
Step 5 Change the IP address as required, in the IP address field.
For the subnet mask and default gateway values, enter the ipconfig command at the command prompt.
The subnet mask and default gateway values appear.
Step 6 Enter these values in the Subnet mask and Default gateway fields.
Step 7 Click OK to go back to Local Area Connection Status dialog box.
Step 8 Click OK.
Step 9 Restart the server.
To change the IP address on Solaris, use the command ifconfig at the command prompt to change the IP
address of the required interface.
For example, at the command prompt, you can enter:
ifconfig interfacename inet ipv4address
where the variable interfacename represents the name of the interface and ipv4address represents the
new IP address.
Q. Why do I get the Java Script Not Enabled error after logging into Cisco Prime?
A. This could be because Java Script is disabled in Internet Explorer. You should enable it in IE.
To do so:
Step 1 Launch Internet Explorer and click Tools > Internet Options.
Step 2 Click the Security tab and select Trusted Sites.
Step 3 Add the Cisco Prime LMS Server to the trusted zone.
Step 4 Clear the selection in Require server verification for all sites in this zone.
Step 5 Click OK to return to the Security tab.
Step 6 Click the Custom level button from the Security level for this zone panel.
Step 7 Select the Enable option for scripting of Java applets.
Step 8 Click OK to return to the Security tab.
Step 9 Click Apply.

OL-25947-01 B-17
Q. In IE 7.0 and IE 8.0, an error message appears when I choose the Telnet option in some portlets?
A. In Microsoft Internet Explorer 7.0 and 8.0 browsers, the Telnet protocol handler is disabled by
default. To re-enable the Telnet protocol:
Step 1 Click Start > Run. The Run dialog box opens.
Step 2 In the Open box, enter: Regedit, then click OK. The Registry Editor opens.
Step 3 Go to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl.
Step 4 Under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Main\FeatureControl, create a new key named
FEATURE_DISABLE_TELNET_PROTOCOL.
Step 5 Add a DWORD value named iexplore.exe and set the value to 0 (decimal).
Step 6 Close the Registry Editor.
Step 7 Restart the browser, the Telnet protocol is enabled
Q. What are the specific ports required for Internet HTTP features?
A. Only port number 80 is required for all HTTP interactions between Cisco Prime LMS Server and
Cisco.com, including the Software Center interactions.
Q. Why is the device name not available in the home page after importing?
A. The probable causes for this problem could be:
– There is a mismatch between the hostname in the template imported and the hostname specified
in the UI during importing.
– The application imported from a remote server does not belong to the server from which it is
imported.
Q. How do you ensure to register using a template and launch the links properly?
A. Before you register through a template, you should ensure that:
– The host is reachable.
– Port information specified is correct and reflects the current port of the bundle.
– The application is available and can be launched by entering the application URL in the browser.
Q. Which version of the Java Plug-in should I use for Cisco Prime to function properly?
A. Cisco Prime supports Java Plug-in 1.6.0_19 in all the supported clients and operating systems. We
recommend that you do not install any other plug-ins other than this one, for Cisco Prime to function
properly.

B-18 OL-25947-01
Q. Why cannot I start my Cisco Prime application?

A. If you cannot start your Cisco Prime application and see error messages, it may be because the web
server may not be running. This may occur although pdshow indicates that those processes are
running. You need to check how your machine resolves its server name and IP address.
The Cisco Prime CORBA applications require name resolution to work properly. Domain Name
Service (DNS) is mandatory for Cisco Prime CORBA applications to work properly.
Configure the name resolution mechanism and restart the Cisco Prime LMS Server to access the
application correctly.
Q. Why am I unable to launch Cisco Prime from a Windows 2008 client machine?
A. This is caused by the default security settings in the browsers. Sometimes, the META-REFRESH
tag is disabled in the browser.
To enable the META-REFRESH tag in the browser:
Step 1 Click Tools > Internet Options. The Internet Options dialog box opens.
Step 2 Click the Security tab.
Step 3 Select the Internet zone.
Step 4 Click Custom level... The Security Settings dialog box opens.
Step 5 In the Miscellaneous options, select the Enable option for Allow Meta Refresh field.
Step 6 Click OK, and then Apply to update the settings.
Step 7 Close the IE 7 or IE 8 open windows.
Step 8 Launch a new IE 7 or IE 8 window and login into LMS.
Q. I am locked out of the Cisco Prime LMS Server. Why did this happen, and how do I regain access?
A. There are several reasons why you are locked out. It is probably caused by the changes made using
the Select Login Module option. You must replace the incorrect login module with a default
configuration, log into Cisco Prime, and return to the login module to correct one or more of the
following:
– Session Time out
– Change from SSL mode to non-SSL mode
– Change from non-SSL mode to SSL mode
– Log out from any other Cisco Prime application
– Visit other sites and then return to Cisco Prime
Do not alter the existing technologies in the default configuration file.
If all of the parameters listed are correct, see Troubleshooting Suggestions.
Q. Do I need to change the Cisco Prime configuration after changing the IP address?
A. You need not change the Cisco Prime configuration whenever you change the IP address. Cisco
Prime uses hostname for most of the communication. Only devices need to point to the new IP
address. However, after changing the IP address, you must reboot the system on a Solaris server and
restart the Daemon Manager on a Windows server. This is to make the changes effective.

OL-25947-01 B-19
Q. How do I change the hostname of the Cisco Prime LMS Server after installing it, or after running it
for a while?
A. To change the hostname of the Cisco Prime LMS Server, you need to update several files and
windows registry entries.
You can use the hostnamechange.pl CLI utility to update the new host name information in files and
windows registry entries.
See Using LMS Server Hostname Change Scripts for more information.
Q. How do I change the port for osagent in Windows?

A. Before you change the port for osagent in Windows:
– Ensure that the daemons are not running.
Enter the following command to stop the Daemon Manager:
net stop crmdmgtd
– Backup your Windows registry.

To change the port for osagent in Windows, run the following script at the command prompt:
NMSROOT\bin\perl NMSROOT\bin\ChangeOSAGENTPort.pl Port_Number
where, Port_Number refers to any unused port number between 1026 to 65535.
The script completes the following:
• Updates the value of the following registry entries with the new port numbers.
– HKEY_LOCAL_MACHINE > SOFTWARE > Cisco > Resource Manager > Current
Version > Daemon > RmeOrb
Version > Daemon > RmeGatekeeper
Version > Environment
• Changes the value of the port number to new port number in NameServer and NameServiceMonitor
processes.
• Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file
with the new port numbers.
Reboot the server and start the Daemon Manager after you have completed running the script.
Q. How do I change port for osagent in Solaris?

A. Before you change the port for osagent in Solaris:
– Ensure that the daemons are not running.
Enter the following command to stop the Daemon Manager:
– Make sure that no CSCO processes are running.
– Back up NMSROOT/objects/dmgt/dmgtd.conf file.
To change the port for osagent in Solaris, run the following script at the command prompt:
NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_Number
where, Port_Number refers to any unused port number between 1026 to 65535.

B-20 OL-25947-01
The script completes the following:

• Changes the value of the port number to new port number in NameServer and NameServiceMonitor
processes.
• Changes the value of OSAGENT_PORT and PX_OSA_PORT port numbers in the md.properties file
with the new port numbers.
• Updates the new port number in /etc/services file.
• Updates the entry in /var/sadm/pkg/CSCOmd/pkginfo file.
Reboot the server and start the Daemon Manager after you have completed running the scripts.
Q. How do I ensure that jrm is running fine?

A. To check whether jrm is working on Windows, at the command prompt enter:
cwjava -cw NMSROOT com.cisco.nm.cmf.jrm.jobcli
To check whether jrm is working on Solaris, at the command prompt enter:

cwjava -cw NMSROOT com.cisco.nm.cmf.jrm.jobcli
– If you get a message Established connection with JRM, then EDS, EDS-GCF and jrm are
running.
– If you do not get the above message, contact the technical assistance center with the error
message.
– If your jrm in down or inaccessible, you’ll get a message while accessing the UIs.
Q. How do I change the casuser password in Windows?

A. You can change the casuser password using resetCasuser.exe. It can be run only by an administrator
or casuser. To change the casuser password:
Step 1 Enter NMSROOT\setup\support resetCasuser.exe at the command prompt

You can:
1. Randomly generate the password
2. Enter the password
3. Exit.
Step 2 Enter 2, and press Enter.
It prompts you to enter the password.
Step 3 Confirm the password.
Note You must know the password policy. If the password entered does not match the password policy,
it exits.
Q. How do I change the Cisco Prime user password?

A. See Changing Cisco Prime User Password Through CLI for details.

OL-25947-01 B-21
Q. How do I enable debugging for Session Management Services?

A. To enable debugging for Session Management Services:
Step 1 Go to NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml.
You should edit the following section of the file:
<context-param>
<param-name>DEBUG</param-name>
<param-value>false</param-value>
<description>mice debug enabling</description>
</context-param>
Step 2 Change <param-value>false</param-value> to <param-value>true</param-value>.
Q. What does a diskWatcher process do?

A. The diskWatcher process monitors disk space availability on the Cisco Prime LMS Server.
This process calculates the disk space information of a drive (in Windows machine) or a file system
(in Solaris machine) at regular intervals and stores them in diskWatcher.log file.
See Configuring Disk Space Threshold Limit for more information.
Q. Cisco Prime Time is not synchronized with System time. What should I do?
A. You should complete the following:
a. Edit the TIMEZONE file using the vi /etc/TIMEZONE command on a Solaris machine.
b. Set the TZ=standard_timezone. For example, you can specify TZ=MET.
c. Save the TIMEZONE file.
d. Reboot the machine.
Now the system displays the modified time zone information. If you need to change the time zone
to daylight, you change only the time and date but not the TIMEZONE.
Q. How can I increase the timeout value of Cisco Prime LMS user interface?
A. You can configure the timeout value in the following file.
NMSROOT/MDC/tomcat/webapps/classic/WEB-INF/web.xml
You should change the value of an XML tag by name session-timeout. You should specify the value
in minutes. The default timeout value is set to 2 hours.
You cannot disable this option as this may increase the load in the server.
Q. How do I change the configuration details of the server after installing LMS Soft Appliance?
A. To change the configuration details of the server after installation:
Step 1 Login with Soft Appliance console administrator user account.

This is the sysadmin username that you provided during installation.
Step 2 Enter the password.

B-22 OL-25947-01
Step 3 Enter the command shell.

Step 4 Enter the following command to stop the Daemons:
Step 5 Enter exit to go to the sysadmin mode.
Step 6 Enter the following command, in sysadmin view:
<HOSTNAME>/sysadmin# config terminal
Enter the configuration commands, one per line. End with CNTL/Z.
In all the examples, sysadmin represents the sysadmin username that you provided during installation.
Step 7 Change the required configuration details of the server.
You can change the hostname, Default DNS Domain, IP Address, IP Netmask, IP Default Gateway,
Primary Name Server, Primary NTP Server, Time Zone, Username or Password. See Table B-5 for more
details.
Step 8 Enter the command end. The following will be displayed:
<HOSTNAME>/sysadmin#
Step 9 Enter the following command to update the changes:
<HOSTNAME>/sysadmin# write memory
Step 10 Right-click the server and select Power > Reset to start the server.
Or
<HOSTNAME>/sysadmin# reload
Save the Current ADE-OS running configuration ?(yes/no)[yes]?yes
Note You should reboot the server only if you change the following configuration details:
• Hostname
• Default DNS Domain
• IP Address, IP Netmask
• IP Default Gateway
• Primary Name Server
• Primary NTP Server
• Time Zone
The Daemons Manager will start automatically.

Step 11 Enter the following command to run the hostnamechange file:
<HOSTNAME>/sysadmin# shell
Enter shell password:
[<HOSTNAME>/root-ade ~]# /opt/CSCOpx/bin/perl /opt/CSCOpx/bin/hostnamechange.pl
-ohost <OLD_HOST_NAME> -nhost <NEW_HOST_NAME>

OL-25947-01 B-23
Note You should execute this command only when you change the hostname. Each time you change the
hostnameof the server, you must perform, steps 1 to 9 to reflect the hostname changes in LMS.
Step 12 Enter the following command to start the Daemons:

sysadmin#/etc/init.d/dmgtd start
Note You must restart the Daemon Manager before and after you change the hostname.
Note You must change the server configuration details only through Soft Appliance admin console.
Table B-5 lists the examples of how to change the Soft Appliance server configuration details.
Table B-5 Soft Appliance Server Configuration Details
Tasks Configuration Details

Change the HostName <OLD HOSTNAME>/sysadmin(config)# hostname <NEW HOSTNAME>
Changing the hostname may result in undesired side effects
on any installed application(s).
Are you sure you want to proceed? [y/n] y
LNX-LMS-05/admin(config)#
Change the Domain, LNX-LMS-05/sysadmin(config)# ip domain-name <DOMAIN NAME>
Gateway and Name server Changing the domain name may result in undesired side effects
on any installed application(s).
Are you sure you want to proceed? [y/n] y
LNX-LMS-05/sysadmin(config)# ip default-gateway
<DEFAULT_GATEWAY_ADDRESS>
LNX-LMS-05/sysadmin(config)# ip name-server
<PRIMARY_NAME_SERVER>
Change the NTP Server LNX-LMS-05/sysadmin(config)# ntp server <PRIMARY_NTP_SERVER>
Change the IP address and LNX-LMS-05/sysadmin(config)# interface GigabitEthernet 0

Subnet Mask LNX-LMS-05/sysadmin(config-GigabitEthernet)#
LNX-LMS-05/sysadmin(config-GigabitEthernet)# ip address
<IP_ADDRESS> <MASK_ADDRESS>
Change the TimeZone LNX-LMS-05/sysadmin(config)# clock timezone
<TIME_ZONE_VALUE>
See Supported Server Time Zones and Offset Settings for more details.
Change the Username/ LNX-LMS-05/sysadmin(config)# username <USERNAME> password
Password plain <PASSWORD> role admin
LNX-LMS-05/sysadmin(config)# end
Q. How should I change the syslog port of Cisco Prime from 514 to another number?
A. You can change the syslog port by modifying the value of CrmLogPort registry key located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmlog\Parameters.

B-24 OL-25947-01
After you have changed the syslog port, you need to restart the syslog service.

OL-25947-01 B-25
Q. What should I do when Daemon Manager and multiple processes are not started on a Windows
machine?
A. Sometimes, Windows may prevent to run some processes for security reasons.
You should do the following on a Windows 2003 Operating system:
Step 1 Right-click the My Computer icon on your desktop and click Properties to open the System Properties
dialog box.
Step 2 Click the Advanced tab.
Step 3 Click Settings from the Performance panel to open the Performance Options dialog box.
Step 4 Click the Data Execution Prevention tab.
Step 5 Check whether the java.exe and cwjava.exe are available in the list of blocked programs. If so, remove
the programs from the blocked list.
Step 6 Click OK to close the Performance Options dialog box.
Step 7 Click OK to close the System Properties dialog box.
Step 8 Reboot the server.
Q. I am getting timeout exception in cmdsvc (command service library) during a device

connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
A. You can change the default timeout and delays in cmdsvc using the cmdsvc.properties file available
in the following directory: $NMSROOT/objects/cmf/data
To change the default timeout and delay values:
Step 1 Go to the directory $NMSROOT/objects/cmf/data

Step 2 Open the cmdsvc.properties file.
Various timeout and delay values are listed in the file.
Step 3 Remove the Hash symbol (#) to uncomment a particular timeout or delay value.
Step 4 Remove the existing timeout or delay value.
Step 5 Enter new timeout or delay value.
Step 6 Save the cmdsvc.properties file.
Q. What should I do when the TAC Service Requests feature that displays my current Cisco.com TAC
tickets does not use the proxy to connect, even after setting the proxy in proxy server setup?
A. Check whether the following production urls are reachable in the server, where product is installed.
• SASI_SERVER—https://wsgx.cisco.com
• RSR_SERVER—https://wsgx.cisco.com
• CSC_SERVER—https://supportforums.cisco.com
• CCOLOGINURL—https://sso.cisco.com/autho/apps/nmtgSSapp/index.html
• CCOLOGOUTURL—https://sso.cisco.com/autho/logout.html

B-26 OL-25947-01
• CASE_QUERY_URL—https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.
do?caseType=ciscoServiceRequest&method=doQueryByCase&SRNumber=
• LOGIN_REDIRECT_URL—https://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.c
om&TargetResource=
• CSC_REDIRECT_URL—https://supportforums.cisco.com
Q. I am unable to access LMS running on Windows 2008 Server, when I use IE, but it works properly
in FF, what could be the reason?
A. You are not able to access LMS in IE because of the cache issue. Clear the browser cookies and
cache from IE.
Important URLs
Q. What are the URLs that are most commonly used in LMS?
A. The following URLs are most commonly used in LMS and should be added in the proxy server:
General
http://www.cisco.com
Device update/Software update/Point Patch update
• https://tools.cisco.com/software/catalog/swcs/softwaremetadata
• https://tools.cisco.com/software/catalog/swcs/image
• https://www.cco.cisco.com
IOS image download
• http://www.cisco.com/cgi-bin/smarts/swim/crmiosbridge.pl
• http://www.cisco.com/techsupport
Smart Services
• SASI_SERVER—https://wsgx.cisco.com
• RSR_SERVER— https://wsgx.cisco.com
• CSC_SERVER—https://supportforums.cisco.com
• CCOLOGINURL—https://sso.cisco.com/autho/apps/nmtgSSapp/index.html
• CCOLOGOUTURL— https://sso.cisco.com/autho/logout.html
• CASE_QUERY_URL—https://tools.cisco.com/ServiceRequestTool/query/QueryCaseSearchAction.
do?caseType=ciscoServiceRequest
• LOGIN_REDIRECT_URL—https://fed.cisco.com/idp/startSSO.ping?PartnerSpId=csc.jivesoftware.c
om
• CSC_REDIRECT_URL—https://supportforums.cisco.com
PSIRT
• EoS/EoL Hardware Report—http://www.cisco.com/cisco/software/release.html?mdfid=282253606
&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE
&rellifecycle=&reltype=latest#
• EoS/EoL Software Report—http://www.cisco.com/cisco/software/release.html?mdfid=282253606
&flowid=5144&softwareid=280775123&os=Windows&release=4.1.1&relind=AVAILABLE&
rellifecycle=&reltype=latest#

OL-25947-01 B-27
Bug Toolkit
• http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
• http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do??method=getAllBugs
• http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getAffectedBugdata&bu
gid=
• http://tools.cisco.com/Support/BTKNotifications/getBugDetails.do?method=getBugsReport
Contract Connection
• http://www.cisco.com/cgi-bin/front.x/cconx/conx_userinfo.pl
• https://www.cisco.com/cgi-bin/front.x/cconx/conx_recv_data.pl
• https://www.cisco.com/cgi-bin/front.x/cconx/conx_sortdetail_js.pl
Compliance and Audit Management
• Download Contracts—https://apps.cisco.com/CustAdv/ServiceSales/contract/viewContractMgr.do
?method=viewContractMgr
• Download Compliance Policy Updates—http://www.cisco.com/cisco/software/release.html?mdfid
=284259296&flowid=31102&softwareid=284270571&release=1.0.0&relind=AVAILABLE&
rellifecycle=&reltype=latest
Security
The following are the FAQs on LMS Security:
• Q.When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
• Q.When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?
• Q.My server certificate for Cisco Prime has expired. What should I do?
• Q.I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
• Q.What are the minimum and maximum length of user account names? How do I control them?
• Q.What are the rules to enter a valid username and password?
• Q.Where is the SSL log present?
• Q.Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
Q. When I invoke Cisco Prime in the secure mode (HTTPS), there are too many dialog boxes. This
makes the process tedious. Is there a way to reduce the number of dialog boxes and steps?
A. Yes. You have the following options:
– If you are using Self-signed certificates in Internet Explorer, install the certificate in the
browser’s trusted certificate stores, if you are confident about the identity of the server.
– Use a server certificate issued by a prominent third party certificate authority (CA).
– Configure the hostname in your server certificate properly, and use the same hostname to invoke
Cisco Prime.
Q. When I invoke Cisco Prime, I am unable to get to the login page directly. Instead, I am facing a
security alert related to the site's security certificate. It asks for my input to proceed further. Why?

B-28 OL-25947-01
A. Cisco Prime does not have any control over this behavior. This is an expected browser behavior
(Microsoft Internet Explorer or Mozilla Firefox), to ensure proper security.
This appears if any of the following conditions is not satisfied:
– The certificate of the server (Cisco Prime Server in this case) must be issued by trusted
Certificate Authority.
– The date of the certificate must be valid. (Each certificate is assigned a validity period. It can
range from 21 days to 5 years).
– The name of the certificate and name of the page (or the name typed in the address bar of the
browser) are the same.
To view the certificate information:
– Click View Certificate, in the alert box for Internet Explorer.
– Click Examine Certificate in the alert box for Mozilla Firefox.
The server should be invoked with the name same as the Issued to' field of the certificate.
To install the certificate in Internet Explorer:
Step 1 Click View Certificate in the alert box.

The Certificate dialog box displays the Certificate information.
Step 2 Click Install Certificate.
Q. My server certificate for Cisco Prime has expired. What should I do?
A. If you are using a self-signed certificate, you can create a new certificate using the Create Self
Signed Certificate option. For more information, see Creating Self Signed Certificates.
If you are using a third party issued certificate, you must contact the certificate authority (CA) and renew
the certificate. You can use a self-signed certificate till you get the certificate renewed by the CA.
Note Before you perform any certificate management operations—creating or modifying certificates, back up
the certificate files, the server private key in particular, and keep them in a safe location.
Q. I have configured the Active Directory Login Module but it does not work. How can I analyze the
problem?
A. To analyze the problem, enable the Debug mode for the Active Directory Login module. To do this:
Step 1 Login as Admin.

The Select Login Module dialog box appears.
Step 3 Select a login module from the Available Login Modules list box and Click on Edit Options.
The Login Module Options dialog box appears.
Step 4 Select the radio button True and click Finish.
This enables the Debug option. Enabling debug mode allows the login module to add the detailed
progress and failure information to log files. The log files are located at:

OL-25947-01 B-29
NMSROOT/MDC/Tomcat/logs/stdout.log
For all failed login attempts, the log files contain LDAP error messages, which specify the reason for the
failure.
For example, if the Usersroot configuration is incorrect, then the login module cannot match the
complete DN string with any entries in the Active Directory database.
It indicates which portion of the DN matched and which portion did not match. You can verify your
Active Directory setup and the entries for the Usersroot.
In some cases, the log file contains error messages with NameError. This indicates that either you
entered a wrong user ID or there is some spelling error in the Usersroot configuration.
Q. What are the minimum and maximum length of user account names? How do I control them?
A. The minimum length of a user account name is 5 characters. The maximum length of a user account
name is 255 characters.
You can control the length of user account names using the Local User Policy Setup page. See
Setting up Local User Policy for more information.
Q. What are the rules to enter a valid username and password?

A. The username can contain the alphabets in lower and upper cases, numerals, hyphens (-),
underscores (_), periods (.), tilde (~), commercial At character (@), number sign (#),
Apostrophe ('), solidus or leading slash (/), trailing slash (\), and space.
The username should start with alphabets, numerals and underscore characters.
The password can contain the alphabets, numerals, leading and trailing spaces, and any special
characters.
The length of username and password can span from 5 to 256 characters.

B-30 OL-25947-01
Q. Where is the SSL log present?

A. The SSL log is present in the NMSROOT directory, where NMSROOT is your Cisco Prime
Installation directory.
Q. Why am I getting a 403 forbidden error while trying to access Cisco Prime pages?
A. You should check whether the casuser is assigned with the required local security policies.
To check whether the casuser is assigned with the required policies:
Step 1 Click Start > Settings > Control Panel> Administrative Tools.
Step 2 Click the Local Security Policy shortcut from the Administrative Tools folder.
The Local Security Policy window opens.
Step 3 Click Local policies > User Rights Assignment in the Local Security Policy window.
Step 4 Check whether the casuser is assigned with the following privileges:
• Access this computer from the network
• Log on as a batch job
If the casuser is not assigned with the required privileges, you should run the resetCasuser utility again.
Enter the following commands to run the resetCasuser utility:
• NMSROOT/CSCOpx/setup/support/resetCasuser (On Solaris/Soft Appliance)
• NMSROOT\CSCOpx\setup\support\resetCasuser.exe (On Windows)
where NMSROOT refers to the Cisco Prime Installation directory.
The other possible solutions are:
• Remove or disable the anti-virus software
• Restart Daemon Manager
• Uninstall or disable IIS
• Log on as a batch job
• Disable Cisco Security Agent
• Stop the Daemon Manager and check if there are any Apache or Tomcat processes running. If so,
kill the stray processes from the Task Manager or stop them from the Services panel.
• Ensure that the casuser or administrator has the read permission for the CSCOpx,
CSCOpx/MDC/tomcat/webapps/cwhp directories, and their inner directories.
Software Center
The following are the FAQs on Software Center:
• Q.How do I find out which devices are supported by a particular application?
• Q.What are the prerequisites for downloading Software Updates from Cisco.com?
• Q.Does the Software Center list only the software updates that are not installed in this machine?
• Q.What should I do if I see errors when using Software Center or having issues with LMS not
correctly working with supported devices?

OL-25947-01 B-31
Q. How do I find out which devices are supported by a particular application?

A. Select Admin > System > Software Center > Software Update. Under Applications Installed,
click the application name to see a list of the supported devices.
See Selecting Software Updates for more information.
Q. What are the prerequisites for downloading Software Updates from Cisco.com?
A. You should check for the following:
– Valid Cisco.com credentials are configured during Server administration
– Valid proxy details are configured and Cisco Prime support basic authentication of proxy server.
See Downloading Software Updates for more information.
Q. Does the Software Center list only the software updates that are not installed in this machine?
A. The Software Center module lists all software updates including those that are installed. However,
it performs the filtering for device updates.
Q. What should I do if I see errors when using Software Center or having issues with LMS not correctly
working with supported devices?
A. Under rare circumstances, internal LMS files that contain information on which device support
packages are installed and which devices are supported, become corrupted.
If such files become corrupted, you may notice one or more of the following symptoms:
– "HTTP 500" error occurs while trying to view package information from Admin > System >
Software Center > Device Update. One possible exception is:
java.util.NoSuchElementException at
java.util.StringTokenizer.nextToken(StringTokenizer.java:259) at
com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.getPackageMap(Unknown Source) at
com.cisco.nm.xms.psu.ui.gui.model.action.DevUpdate.perform(Unknown Source)
– The following errors will be seen in NMSROOT\log\psu.log:
[ <date time > ] ERROR [CreateMaps : removeDupEntries] :String index out of
range: -1
– Devices shown as supported in "Supported Devices Table for Cisco Prime LAN Management
Solution" and may have been working previously, show as not supported/unknown and displays
device icons in Device Selectors with a question mark (?) in one or more areas of LMS.
– Various forms of Inventory/Configuration Collection from devices (Inventory > Dashboards
> Device Status > Collection Summary) fails for all devices of a particular model, but
succeeds for other devices with identical configuration, yet different models.
– Specific models of devices are not available in Device Selectors to have reports, jobs or other
functionality run on them, however Inventory Collection and/or Config Archive has succeeded
for them. This is frequently seen with Configuration related functionality.
To resolve such issues, you can run the NMSROOT/bin/reCreatePkgMap.pl script and recreate files
which store information on which device support packages are installed and devices they support.
Run the following script:
NMSROOT/bin/perl NMSROOT/bin/reCreatePkgMap.pl (Solaris/Soft Appliance)
or
NMSROOT\bin\perl NMSROOT\bin\reCreatePkgMap.pl (Windows)

B-32 OL-25947-01
where NMSROOT is your Cisco Prime installation directory.

If issues persist after running this script, contact the Cisco Technical Asssistance Center for further
assistance.
Event Distribution Services and Event System Services

The following are the FAQs on Event Distribution Services and Event System Services:
• Q.How do I change the ESS port?
• Q.Why do the EDS process is not starting?
• Q.How should I configure EDS in a multi-homed machine?
Q. How do I change the ESS port?

A. You can change the ESS port by running the following commands:
– NMSROOT/objects/ess/conf/Ports2Alternate.pl
– NMSROOT/objects/ess/conf/Ports2Primary.pl
where NMSROOT is the default installation directory of Cisco Prime.
Q. Why do the EDS process is not starting?

A. You should check:
– If the hostname is correct and is not changed recently.
– If the osagent is in use in port 42342.

OL-25947-01 B-33
If the osagent is not in use, you should:
Step 1 Stop the Daemon Manager.

Step 2 Run the ChangeOSAGENTPort.pl script to change the port number. Enter the following command:
NMSROOT/bin/perl NMSROOT/bin/ChangeOSAGENTPort.pl Port_number
where,
NMSROOT — Cisco Prime Installation directory
Port_number— Osagent port
Step 3 Restart the Daemon Manager.
Q. How should I configure EDS in a multi-homed machine?

A. To run Cisco Prime LMS and configure EDS on a multi-homed machine, you must all the IP
Addresses in DNS.
Q. Sometimes, I am not able to access CORBA services in Cisco Prime LMS Server from other
network?
A. This could because the domain name of the Cisco Prime LMS server may not be resolved.
To access the CORBA services in a server that is not DNS resolvable, you must:
Step 1 Change the value of attribute jacorb.dns.enable in orb.properties file from on to off.
Step 2 Regenerate the self-signed certificate with IP address instead of hostname.
Step 3 Restart the Daemon Manager.
Backup and Restore

The following are the FAQs on Backup and Restore:
• Q.What kind of directory structure does Cisco Prime use when backing up data?
• Q.What should I do when backup fails and displays a Backup.LOCK file exists error
message?
• Q.Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
Q. What kind of directory structure does Cisco Prime use when backing up data?
A. Cisco Prime uses a standard database structure for backing up all suites and applications. See
Table B-6 for a sample directory structure on Cisco Prime LMS Server.
Table B-6 Sample Backup Directory
Directory Path Description Usage Notes

/tmp/1 Number of backups 1, 2, 3...
/tmp/2/cmf Application or suite Backs up Cisco Prime LMS Server applications.

B-34 OL-25947-01
Table B-6 Sample Backup Directory (continued)
Directory Path Description Usage Notes

/tmp/1/cmf/fileb Cisco Prime LMS Server Application data is stored in the datafiles.txt which are
ackup.tar application tar files compiled into the tar file.
/tmp/1/cmf/data Cisco Prime LMS Server Includes the following files for each database:
base database directory
• xxx_DbVersion.txt
• xxx.db (database files)
• xxx.log (database log files)
• xxx.txt (database backup manifest file)
where xxx is the name of the database.
Q. What should I do when backup fails and displays a Backup.LOCK file exists error message?
A. You should try removing the Backup.LOCK file from the Cisco Prime installation directory and start
backup again. You can use the CLI program to back up the data. See Backing up Data Using CLI for
more information.
Q. Do I need to stop the Daemon Manager before running backup.pl and restorebackup.pl scripts?
A. Daemons should be stopped only before you run restorebackup.pl scripts. You need not stop the
Daemon Manager to run the backup.pl scripts.
See Backing up Data Using CLI and Restoring Data for more information.
Database
The following are the FAQs on Database:
• Q.How can I find the version of a Sybase Database?
• Q.What if the database is inaccessible?
Q. How can I find the version of a Sybase Database?

A. Run the following command:
opt/CSCOpx/objects/db/bin64/dbsrv10 –v
Q. What if the database is inaccessible?

A. If the server is not able to connect to the database, the database might be corrupt or inaccessible.
This can occur if processes are not running. Try the following:
Step 1 Log in to Cisco Prime LMS server as admin.

A list of Cisco Prime back-end processes appears.
You can check if there are any failed process appear in the list.
Step 3 Select Admin > System > Server Monitoring > Selftest.
• Click Create to create a report.
• Click Display to display the report.

OL-25947-01 B-35
Step 5 Click Product Database Status to get detailed database status.
Step 6 Contact the Cisco TAC or your customer support to get the information you need to access the database
and find out details about the problem.
After you have the required information, perform the following tasks for detecting and fixing database
errors.
Depending upon the degree of corruption, the database engine may or may not start. For certain
corruptions, such as bad indexes, the database can function normally until the corrupt index is accessed.
Database corruptions, such as index corruptions, can be detected by the dbvalid utility, which requires
the database engine to be running.
To detect database corruption:
Step 1 Log on as root (on Solaris/Soft Appliance) or with administrator privileges (on Windows).
Step 2 Stop the Daemon manager if it is already running:
• /etc/init.d/dmgtd stop (on Solaris/Soft Appliance)
• net stop crmdmgtd (on Windows)
Step 3 Make sure no database processes are running and there is no database log file.
For example, if the database file is /opt/CSCOpx/databases/rme/rme.db, the database log file is
/opt/CSCOpx/databases/rme/rme.log. This file is not present if the database process shuts down cleanly.
Step 4 Check if the database files and the transaction log file (*.log) are owned by user casuser if you use Solaris
machines. If not, change the ownership of these files to user casuser and group casusers.
Step 5 Run the commands on the command prompt:
cd NMSROOT/objects/db/conf
NMSROOT/bin/perl configureDb.pl action=validate dsn=cmf
The dbvalid command displays a list of tables being validated. The Validation utility scans the entire
table, and looks up each record in every index and key, defined on the table. If there are errors, the utility
displays a message such as:
Validating DBA.xxxx
run time SQL error -- Foreign key parent_is has invalid or duplicate index
entries 1 error reported
If the above command reports any error, you may try:

• Restoring from a previous good backup
or
• Reinitializing database
Caution All the current data will be lost.
To do this, you have to run the following command:

NMSROOT\bin\perl NMSROOT\bin\dbRestoreOrig.pl dsn=dsn dmprefix=dmprefix

B-36 OL-25947-01
For LMS, dsn is cmf and dmprefix is Cmf.
Apache and Tomcat

The following are the FAQs on Apache and Tomcat:
• Q.How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the
same system?
• Q.Why does the Apache process not come up after installation or why does the process go down
suddenly?
• Q.How do I change web server port numbers?
• Q.How should I enable or disable web server SSL mode from the command line?
• Q.How do I increase Tomcat heap size?
• Q.How do I validate a Server certificate?
• Q.How do I modify a certificate which is not self-signed?
• Q.What is the maximum number of connections allowed by Cisco Prime to access the web interface?
• Q.What version of Tomcat is installed on my server?
• Q.Why does Apache server does not start during reboot process?
Q. How do I avoid the SSL port conflict between HPOV and LMS servers and run them both on the
same system?
A. The new installer detects IIS web server running on the machine and prompts you to enter a different
port number for Cisco Prime LMS Server to avoid the conflict.
Q. Why does the Apache process not come up after installation or why does the process go down
suddenly?
A. This could be a problem with the Apache configuration syntax or the validity of the server
certificate. You should first check the Apache configuration syntax.
To do this:
On Windows:
Go to NMSROOT\MDC\Apache\bin and run the command Apache.exe -t -d .
Note Do not omit the .
Go to NMSROOT/MDC/Apache/bin and run the command ./web_server –t
If the Apache configuration syntax is correct, a message appears:
Syntax OK
If the Apache configuration syntax is fine, check the validity of the Server Certificate using the SSL
Utility Script.

OL-25947-01 B-37
Q. How do I change web server port numbers?

A. To change the web server port numbers, you must run separate commands for both Windows and
Solaris.
On Solaris:
You can change the web server port numbers for the webservers. You can also change both the HTTP
and HTTPS port numbers. To change the port numbers you must login as Cisco Prime LMS Server
administrator, and run the following command at the prompt:
NMSROOT/MDC/Apache/bin/changeport
If you run this command without any command line parameter, Cisco Prime displays:
*** CiscoWorks Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where
port number—The new port number that should be used
-s—Changes the SSL port instead of the default HTTP port
-f—Forces port change even if Daemon Manager detection FAILS.
Note Do not use this option by default. Use it only when Cisco Prime instructs you to.
For example, you can enter:

changeport 1744—Changes the Cisco Prime web server HTTP port to use 1744.
Or,
changeport port number -s—Changes the Cisco Prime web server HTTPS port to use the specified port
number.
If you change the port after installation, Cisco Prime will not launch from Start menu
(Start > Programs > Cisco Prime).
You have to manually invoke the browser, and specify the URL, with the changed port number.
The restrictions that apply to the specified port number are:
• Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number.
• The specified port should not be used by any other service or daemon. The utility checks for active
listening ports, and ports listed in /etc/services. If there is any conflict, it rejects the specified port.
• The port number must be a numeric value in the range 1026 – 65535. Values outside this range, and
non-numeric values are not allowed.
• If port 443 is specified for any of the web servers, that web server process is started as root. This is
because ports lower than 1026 are allowed to be used only by root in Solaris.
However, according to Apache behavior, only the main web server process run as root, and all the
child processes run as casuser:casusers. Only the child processes serve the external requests.
The main process that runs as root monitors the child processes. It does not accept any HTTP
requests. Owing to this, Apache ensures that a root process is not exposed to the external world, and
thus ensures security.
• If you do not want Cisco Prime processes to run as root, do not use the port 443.
When you run the utility with the appropriate options, it displays messages on the tasks it performs.

B-38 OL-25947-01
This utility lists all the files that are being updated. Before updating, the utility will back up all
affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed
port, a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
• If you do not want Cisco Prime processes to run as root, do not use the ports 80 and 443.
When you run the utility with the appropriate options, it displays messages on the tasks it performs.
This utility lists out all the files that are being updated. Before updating, the utility will back up all
affected files in /opt/CSCOpx/conf/backup and creates appropriate unique sub-directories.
It also creates a new file index.txt. This text file contains information about the changed port and a
list of all files that are backed up and their actual location in the Cisco Prime directory.
A sample backup maybe similar to:
/opt
|
`--/CSCOpx
|
`--/conf
|
`--/backup
|
|--README.txt (Note the purpose of this directory as it is initially empty)
|
`--/AAAtpaG03_Ciscobak (Autogenerated unique backup directory).
|
|--index.txt (The backup file list)
|--httpd.conf (Webserver config file)
|--md.properties (CiscoWorks config elements)
|--mdc_web.xml (Common Services application config file)
|--regdaemon.key (Common Services config registry key file)
|--regdaemon.xml (Common Services config registry data file)
|--rootapps.conf (CiscoWorks daemons using privileged ports)
|--services (The system /etc/services file)
`--ssl.properties (CiscoWorks config elements for SSL mode)
Note All of the above files and the unique directories are stored with read only permission to casuser:casusers.
To ensure the security of the backup files, only the Cisco Prime LMS Server administrator has write
permissions.
The change port utility displays messages to the console during execution. These messages contain
information about the directory where the backup files are being stored. These messages are also logged
to a file, changeport.log.
This file is saved to the directory:
/var/adm/CSCOpx/log/changeport.log
This file contains the date and time stamps to indicate when the log entries were created.
On Windows:
You can change the web server port numbers for the LMS Webserver. You can also change both the
HTTP and HTTPS port numbers.
To change the port numbers you must have administrative privileges. Run the following command at the
prompt:
NMSROOT\MDC\Apache\changeport.exe

OL-25947-01 B-39
If you run this utility without any command line parameter, Cisco Prime displays the following usage
text:
*** Common Services Webserver port change utility ***
Usage: changeport <port number> [-s] [-f]
where:
port number—The new port number that should be used
-s—Change the SSL port instead of the default HTTP port
-f—Force port change even if Daemon Manager detection fails.
Note Do not use this option by default. Use it only when Cisco Prime instructs you to.
For example, you can enter:

changeport 1744—To change the Cisco Prime web server HTTP port to use 1744.
Or,
changeport port number -s—Changes the Cisco Prime web server HTTPS port to use the specified port
number.
If you change the port after installation, Cisco Prime will not launch from Start menu (Start > Programs
> Cisco Prime). You have to manually invoke the browser and specify the URL, with the changed port
number.
The restrictions that apply to the specified port number are:
• Port numbers less than 1026 are not allowed. However, you can use 443 as the HTTPS port number.
• The specified port should not be used by any other service or daemon. The utility checks for active
listening ports, and if any conflict is found, the utility rejects the specified port.
There is no reliable way to determine whether any other service or application is using a specified
port. If the service or application is running and actively listening on a port, it can be easily detected.
However, if the service is currently stopped, there is no way that the utility can determine what port
it uses. This is because on Windows there is no common port registry equivalent to /etc/services as
in Solaris.
• The port number must be a numeric value in the range 1026 – 65535. Values outside this range, and
non-numeric values are not allowed.
When you run the utility with the appropriate options, it displays messages on the actions it is
performing.Cisco Prime
It lists out all the files that are being updated. Before updating, the utility backs up all the affected files
in CSCOpx\conf\backup, and creates, appropriate, unique, sub-directories.
It also creates a new file called index.txt. This text file contains information about the changed port,
a list of all the files that are backed up, and their actual location in the Cisco Prime directory.
A sample backup may be similar to:
[drive:]
|
`--\Program Files
|
`--\CSCOpx
|
`--\conf
|

B-40 OL-25947-01
`--\backup
|
|--README.txt (Notes the purpose of this dir as it is initially empty)
|
`--\skc03._Ciscobak (Autogenerated unique backup directory).
|
|--index.txt (The backup file list)
|--httpd.conf (Webserver config file)
|--md.properties (CiscoWorks config elements)
|--mdc_web.xml (Common Services application config file)
|--regdaemon.key (Common Services config registry key file)
|--regdaemon.xml (Common Services config registry data file)
`--ssl.properties (CiscoWorks config elements for SSL mode)
Note All the above files and the unique directories are stored with read only permissions. Only the
administrator and casuser have write permissions, to ensure the security of the backup files.
The change port utility displays messages to the console during execution. These messages contain
information about the directory where the backup files are being stored. These messages are also logged
to a file, changeport.log.
This file is saved to the directory:
NMSROOT\log\changeport.log
This log file contains the date and time stamps to indicate when the log entries were created.
Q. How should I enable or disable web server SSL mode from the command line?
A. To enable or disable the web server SSL mode:

Step 2 Run the ConfigSSL.pl script. Enter the commands:
• NMSROOT/bin/perl ConfigSSL.pl -enable (to enable the web server SSL mode from the
command line)
• NMSROOT/bin/perl ConfigSSL.pl -disable (to disable the web server SSL mode from the
command line)
Step 3 Start the Daemon Manager.
Q. How do I increase Tomcat heap size?

A. To increase Tomcat heap size:

Run /etc/init.d/dmgtd stop
• On Windows:
Run net stop crmdmgtd
Step 2 Run NMSROOT/bin/perl NMSROOT/bin/ModifyTomcatHeap.pl max heap in MB

OL-25947-01 B-41
Step 3 Start the Daemon Manager.

Run /etc/init.d/dmgtd stop
• On Windows:
Run net start crmdmgtd
If Tomcat is already configured for higher memory than what you specify when you run the command,
the following message is displayed:
INFO: Tomcat is already configured with a higher heap value.
Q. How do I validate a Server certificate?

A. To do this:
Step 1 Navigate to the directory where the SSL Utility Script is located.
On Windows:
a. Go to NMSROOT\MDC\Apache
b. Enter NMSROOT\bin\perl SSLUtil.pl
a. Go to NMSROOT/MDC/Apache/bin
b. Enter NMSROOT/bin/perl SSLUtil.pl
After you have entered this command, the system displays a set of options.
Step 2 Select the fourth option Verify the input Certificate/Certificate Chain by entering 4.
Step 3 Enter the location of the server certificate NMSROOT/MDC/Apache/conf/ssl/server.crt
The script verifies if the server certificate is valid. If the script reports errors during validation and
verification, you have to regenerate the certificate by running SignTool.pl from the above directory.
Step 4 Enter NMSROOT/bin/perl SignTool.pl [-SSL=true | -SSL=false]
Note NMSROOT is the directory where Cisco Prime is installed.
Q. How do I modify a certificate which is not self-signed?

A. LMS does not allow modifying certificates other than the self-signed certificates.
Q. What is the maximum number of connections allowed by Cisco Prime to access the web interface?
A. Tomcat, the servlet engine, shipped with Cisco Prime handles a maximum of 500 connections or http
requests.

B-42 OL-25947-01
Q. What version of Tomcat is installed on my server?

A. To find out the version of Tomcat installed on your server, you should:
Step 1 Navigate to the NMSROOT/MDC/tomcat/server/lib directory.

Step 2 Unzip the catalina.jar file available in this directory.
Step 3 Navigate to the location where you have extracted this jar file.
Step 4 Open the Serverinfo.properties file under the orgapachecatalinautil directory.
This file displays the version of Tomcat installed on the Cisco Prime LMS Server.
Q. Why does Apache server does not start during reboot process?
Anti-virus causes the processes to come up slowly after reboot. Delay the anti-virus during startup to
solve the issue. Ensure that the NMSROOT folder is excluded correctly from anti-virus and reboot the
server after shutting down the anti-virus completely.
Fault Management FAQs

The following section lists the frequently asked questions about Fault Management.
• Q.How do I enable Incharge debugging, and execute Incharge commands?
• Q.What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap
alert/event Trap Forwarding? Does LMS support both of these methods?
• Q.How can I receive Syslog messages from the LMS server?
• Q.How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?
Q. How do I enable Incharge debugging, and execute Incharge commands?

A. Select Admin > System > Debug Settings > Fault Debugging Settings. The Fault Debugging
Settings page appears. Click the Enable Incharge Debugging, and execute Incharge Commands
link. See, Enable Incharge Debugging for more information.
Q. What is the difference between SNMP Raw Trap Forwarding and Processed SNMP Trap alert/event
Trap Forwarding? Does LMS support both of these methods?
A. Yes, LMS supports both ways of Trap forwarding.
Raw Trap is forwarded by the Device to Fault Management and Fault Management has to process
it. To configure Raw Trap Forwarding, select Admin > Network > Notification and Action
Settings > Fault - SNMP trap forwarding.
When LMS receives certain SNMP traps, it analyzes the data found in fields such as
Enterprise/Generic trap identifier, Specific Trap identifier, and variable-bindings of each SNMP trap
message.
If needed, LMS changes the property value of the object property. These are Processed Traps. To
configure Processed event/alert trap forwarding, select Admin > Network > Notification and
Action Settings > Fault - SNMP trap forwarding. This configuration can also send trap
notifications if there is a threshold violation in the LMS managed devices.
For more information, refer to the Monitoring and Troubleshooting with Cisco Prime LAN
Management Solution 4.2

OL-25947-01 B-43
Q. How can I receive Syslog messages from the LMS server?

A. To receive Syslog messages from a LMS server:
Step 1 Enable Syslog from Admin > Network > Notification and Action Settings > Fault - Syslog
notification
Step 2 Point it to any Solaris machine and run the following:
• /etc/init.d/syslog start
• tail -f /var/adm/messages
Q. How can I create a link to the Java Plug-in in Netscape7.x and Mozilla 1.7.x?
A. Create a symbolic link to the Java Plug-in libjavaplugin_oji.so file in the Netscape 6.x/7.x or Mozilla
Plugins directory. To create the link, go to the command prompt and enter:
Step 1 cd /plugins
Step 2 ln -s /plugin/sparc/ns610/libjavaplugin_oji.so .
Include the period at the end.

For Netscape 6.x/7.x or Mozilla browsers, restart your browser.
In Netscape, go to Help > About Plug-ins to confirm that the Java Plug-in is loaded.
Device Performance Management FAQs

Q. Can I set log levels for individual application modules? Where are these log files stored?
A. Yes. You can set log levels for all Device Performance Management modules. Log files are stored
at these locations:
• On Windows: NMSROOT\log\, where NMSROOT is the Cisco Prime DPM installation directory.
• On Solaris/Soft Appliance: /var/adm/CSCOpx/log/
Report specific logs are stored under DPMReportJobs under the log directory.

B-44 OL-25947-01
IPSLA Performance Management FAQs

This section provides the FAQs on IPSLA Performance Management:
• Q.How can I enable debugging in IPSLA Performance Management?
• Q.I have problems while migrating the IPSLA Performance Management data. What should I do?
Q. How can I enable debugging in IPSLA Performance Management?

A. Do the following:
Step 1 Select Admin > System > Debug Settings > IPSLA Debugging Settings.
The IPSLA Debugging Settings page appears.
Step 2 Select the module and log level from the Module and Logging Level drop-down lists.
The various log levels available are FATAL, ERROR, WARN, INFO, and DEBUG.
Step 3 Click Apply.
Q. I have problems while migrating the IPSLA Performance Management data. What should I do?
A. Check the following log files for information:
– restorebackup.log
– migration.log
– ipmclient.log
– ipmserver.log

OL-25947-01 B-45

B-46 OL-25947-01
A P P E NDIX C
Data Extraction Engine
Cisco Prime Data Extraction Engine (DEE) is a utility to export User Tracking, Topology, and
Discrepancy application data.
This utility provides servlet and command line access to User Tracking, Topology and Discrepancy) and
allows you to extract data in Extensible Markup Language (XML) format.
This appendix contains:
• Overview of Data Extraction Engine
• The cmexport Command
• cmexport User Tracking
• cmexport Topology Command
• cmexport Discrepancy Command
• cmexport Manpage
Overview of Data Extraction Engine

Data Extraction Engine (DEE) is a utility that provides servlet access to User Tracking, Layer 2
topology, and discrepancy data.
It also includes a command line utility that you can use to fetch user tracking data, Layer 2 topology, and
discrepancy data for devices discovered by LMS server.
This utility supports the following features:
• Generating user tracking data in XML format:
Allows you to access servlet and command line utilities that can generate user tracking data for
devices discovered by LMS Server.
• Generating Layer 2 topology data in XML format:
Allows you to generate the latest Layer 2 topology data including information on neighbor devices.
Elements in XML file are created at the device level.
• Generating discrepancy data in XML format:
Allows you to use discrepancy APIs to retrieve latest discrepancy data from LMS server.

OL-25947-01 C-1
Appendix C Data Extraction Engine
The cmexport Command
• Archiving XML Data:

Data generated through CLI is archived at the following locations:
Table C-1 Data Archive Locations
For… Location
User Tracking PX_DATADIR/cmexport/ut/timestamput.xml
Layer 2 Topology PX_DATADIR/cmexport/L2Topology/
timestampL2Topology.xml
Discrepancy PX_DATADIR/cmexport/Discrepancy/
timestampDiscrepancy.xml
where PX_DATADIR is either %NMSROOT%/files folder (on Windows) or /var/adm/CSCOpx/files

directory (on Solaris/Soft Appliance).
NMSROOT is the directory where you installed LMS; timestamp is the time at which the log was
written in YearMonthDateHourOfDayMinuteSecond format.
You can also specify a directory to store the output. This utility does not delete the files created in
the archive. You should delete these files when necessary. While generating data through the servlet,
the output appears at the client terminal.
• Generating user tracking and configuration data in XML format using the Servlet:
Allows you to generate and download the user tracking, topology and discrepancy XML files using
the servlet.
You must upload a payload XML file, which contains the cmexport and utexport command options
and Cisco Prime user credentials.
You should write your own script to invoke the servlet with a payload of this XML file. If the
credentials are correct and options are valid, the servlet returns the exported file in XML format.

cmexport is the Cisco Prime LMS command line interface for exporting discrepancy and Layer 2
topology data details into XML format.
• Running cmexport Command
• cmexport Arguments and Options
Running cmexport Command

• Command Line Syntax
• Commands

C-2 OL-25947-01
Command Line Syntax

The command line syntax of the utility is in the following format:
cmexport command arguments options
where:
• cmexport is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2
topology, and discrepancy data details into XML format.
• command specifies the core operation that is to be performed.
• arguments are the additional parameters required for each core command.
• options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options are not important. However, you must enter the core command
immediately after cmexport.
Commands
Table C-2 lists the command part of the cmexport syntax.
Table C-2 Command Descriptions
Core Command Description

ut Generates User Tracking data in XML format.
l2topology Generates layer 2 topology data in XML format.
discrepancy Generates discrepancy data in XML format.
You must invoke the cmexport command with one of the core commands specified in the above table. If
you do not specify any core commands, cmexport can only execute the -v or -h options:
• Option -v displays the version of the cmexport utility
• Option -h (or null option) lists the usage information for this utility.
cmexport Arguments and Options

• Mandatory Arguments
• Optional Arguments
• Function-Specific Options
• Displaying Help
• Uses of cmexport

OL-25947-01 C-3
Mandatory Arguments
The arguments that must be specified with all functions are:
• -u userid: Specifies the Cisco Prime userid.
• -p password: Specifies the password for Cisco Prime userid.
– If you want to avoid the -p option, which will reveal the password in clear text in CLI, you must
store your userid and password in a file and set a variable CMEXPORTFILE which points to this
file.
You must maintain this file and control access permissions to prevent unauthorized access. cmexport
looks for current working directory if CMEXPORTFILE is set only to the file name instead of to the
full path.
– If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we
recommend that you do not use this option.
You must enter the password in the file in the following format:
userid password
where userid is the Cisco Prime user name given in the command line. The delimiter between the
userid and password is a single blank space.
You must provide the delimiter if the password is blank. Otherwise, cmexport will not validate the
password.
The password file can contain multiple entries with different user names. If there are duplicate
entries the password that matches the first user name is considered.
Note If -p password is used, the password is read from the command line instead of
CMEXPORTFILE. This is not secure and we recommend that you do not use this option.
Optional Arguments
The arguments you can specify with any function are:
• -d debuglevel
Sets the debug level based on which debug information is printed. There are two levels of
debugging—TRACE and DEBUG. If you do not specify the -d option, logging will not occur.
• -l logfile
Logs the results of the cmexport command to the specified log file name. By default the command
output is displayed in the standard output.

C-4 OL-25947-01
Function-Specific Options
DEE supports the following function-specific option:
-f filename
If used with:
• User Tracking function
Specifies the name of the file to which the user tracking information is to be exported.
• Topology function
Specifies the name of the file to which the layer 2 topology information is to be exported.
• Discrepancy function
Specifies the name of the file to which the discrepancy information is to be exported.
Displaying Help
To display help for cm export Enter the following at a CLI prompt: cmexport -h.
This displays a list of options for cmexport.
On Solaris, you can also enter the following at a CLI prompt:
man cmexport
Uses of cmexport
If you enter:
cmexport ut {–u userid} –p password –host -f filename.xml
User Tracking XML output for host will be generated and it is stored in the file filename.xml.
If you want to export the latest topology details for all Layer 2 devices enter:
cmexport L2Topology {–u userid} –p password -f filename.xml
If you want to export the latest discrepancy details, enter:
cmexport Discrepancy { –u userid} –p password -f filename.xml
Notations
The notations followed in describing the command line arguments are explained below:
{argument}—Argument is a mandatory parameter.
[argument]—Argument is an optional parameter.
argument—Argument is a variable.
argument 1 | argument 2—Either argument 1 or argument 2 may be specified but not both.
Table C-3 lists the notations part of the cmexport syntax.

OL-25947-01 C-5
cmexport User Tracking
Table C-3 Notations Descriptions
Command Description
ut cmexport ut {-u userid} [ -p password ] -host [
host-options ] | -phone [ phone-options ] [ options ]
l2topology {-u userid} [-p password] [-f filename]
discrepancy {-u userid} [-p password] [-f filename]
empty [-v | -h]
-v—Displays the version of the cmexport utility.

-h—Lists the options available and function of each option.

This topic describes the cmexport User Tracking command, and the various options available to you. It
contains the following sections:
• Name
• Synopsis
• Description
• Accessing Help
• Examples
Name
cmexport ut: CiscoWorks cmexport user tracking function
Synopsis
cmexport ut: { -u userid} [ -p password ] -host [ host-options ] | -phone [ phone-options ] [ options ]

C-6 OL-25947-01
Table C-4 Command Descriptions
Argument Can be one of the Following…

host-options -query queryname
-query queryname -view viewname
-layout layoutname
-layoutlayoutname -view viewname
-query queryname -layout layoutname
-query queryname -layout layoutname -view viewname
phone-options -queryPhone queryname
-layoutPhone layoutname
-queryPhone queryname --layoutPhone layoutname
options -f filename
-d debuglevel
-l logfile
Description
User Tracking (specified by ut) exports the user tracking data into an XML file based on a predefined
schema.
Mandatory Arguments
The options that must be specified with the cmexport ut function are:
• -p password: Specifies the password for Cisco Prime userid.
If you want to avoid -p option, which will reveal the password in clear text in CLI, you must store
your userid and password in a file and set a variable CMEXPORTFILE which points to this file.
full path.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken
from the command line instead of from CMEXPORTFILE. This is not secure and we recommend
that you do not use this option.
The password must be provided in the file in the following format:
userid password

OL-25947-01 C-7
password. The password file can contain multiple entries with different user names. The password
that matches the first user name is considered in case of duplicate entries.
• -host: Specifies host data to be exported.

• -phone: Specifies phone data to be exported.
Options
The options you can specify with the ut function are:
• -d debuglevel
debugging—TRACE and DEBUG. If you do not specify the -d option, no logging will occur.
• -l logfile
Logs the results of the cmexport command to the specified logfile name. By default the command
output will be displayed in the standard output.
• -f filename
The file option specifies the filename where the XML output is to be stored. If the filename is not
specified with -f option, an XML file of the format timestamput.xml is stored in the following
directory: PX_DATADIR/cmexport/ut
• -view
Specifies the format in which the user tracking XML data is to be presented. It supports two optional
arguments:
a. switch: User Tracking data is displayed based on the type of switch.
b. subnet: User Tracking data is displayed based on the subnet in which they are present.
The -view options are not case sensitive.
• -query queryname
User Tracking host data is exported in XML format for the query provided in queryname. This
option must be used with the -host argument. For this option:
– Create a Custom report for end hosts from the mega menu:
Reports > Report Designer > User Tracking > Custom Reports.
– Use the Custom report name as a value here.
• -layout layoutname
User Tracking host data is exported in XML format for the layout provided in layoutname. This
option must be used with the -host argument. For this option:
– Create a Custom layout for end hosts in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
– Use the Custom layout name as a value here.

C-8 OL-25947-01
cmexport Topology Command
Note The Custom layouts are defined per user. An invalid layout name error message will be
displayed if layout name created by another user is entered as custom layout name.
• -queryPhone queryname
User Tracking phone data is exported in XML format for the query given in queryname. This option
must be used with the -phone argument. For this option:
– Create a Custom report for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Reports.
– Use the Custom report name as a value here.
• -layoutPhone layoutPhone
User Tracking phone data is exported in XML format for the layout given in layoutPhone. This
option must be used with the -phone argument. For this option:
– Create a Custom layout for IP phones in the following screen:
Reports > Report Designer > User Tracking > Custom Layouts.
– Use the Custom layout name as a value here.
Accessing Help
Enter the following in the CLI:
• cmexport -h: Displays a list of options for cmexport.
• cmexport ut -h: Displays a list of options for the cmexport ut command.
On Solaris, you can also enter the following in the CLI:
man cmexport
Examples
Considering userid: admin, password: admin, queryname: host1Query, layoutname: host1Layout,
queryphone: phone1Query, layoutphone: phone1Layout, filename: file1.xml, we can have the following:
cmexport ut -u admin -p admin -host
cmexport ut -u admin -p admin -phone
cmexport ut -u admin -p admin -host -query host1Query -layout all
cmexport ut -u admin -p admin -host -query host1Query -layout layoutname
cmexport ut -u admin -p admin -phone -queryPhone phone1Query -layoutPhone phone1Layout
cmexport ut -u admin -p admin -host -f file1.xml
cmexport ut -u admin -view switch -host

• Name
• Synopsis
• Description
• Accessing Help

OL-25947-01 C-9
• Examples
Name
cmexport L2Topology: Cisco Prime cmexport layer 2 topology function
Synopsis
cmexport l2topology {-u userid} [ -p password ] [ options ]
Table C-5 Command Description
Argument can be one of the following…

options -f filename
-d debuglevel
-l logfile
where cmexport l2topology -h lists the options available and function of each option.
Description
Layer 2 Topology (specified by l2topology) exports the Layer 2 topology data into an XML file based
on a predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport L2Topology function are:
The options that you must specify with the cmexport L2Topology function are:
• -u userid: Specifies the Cisco Prime user ID.
• -p password
Specifies the password for Cisco Prime user ID.
full path.
userid password

C-10 OL-25947-01
Options
The options you can specify with the layer 2 topology function are:
• -d debuglevel
• -l logfile
Logs the results of the cmexport command to the specified logfile name. By default the command
• -f filename
specified with -f option an XML file of the format timestampL2Topology.xml is stored in the
following directory: PX_DATADIR/cmexport/L2Topology
Accessing Help
cmexport -h: Displays a list of options for cmexport.
cmexport l2topology -h: Displays a list of options for the cmexport l2topology command.
On Solaris, you can also enter the following at a CLI:
man cmexport
Examples
Considering userid: admin, password: admin, filename: file1.xml, you can have the following:
cmexport L2Topology -u admin -p admin
cmexport L2Topology -u admin -p admin -f file1.xml
cmexport L2Topology -u admin -l file.log

OL-25947-01 C-11
cmexport Discrepancy Command

• Name
• Synopsis
• Description
• Accessing Help
• Examples
Name
cmexport Discrepancy: Cisco Prime cmexport Discrepancy function.
Synopsis
cmexport discrepancy {-u userid} [ -p password ] [ options ]
where
Argument Can be one of the Following

options -f filename
-d debuglevel
-l logfile
cmexport discrepancy -help lists the options available and the function of each option.
Description
Discrepancy (specified by Discrepancy) exports the Discrepancy data into an XML file based on a
predefined schema.
Mandatory Arguments
The options that you must specify with the cmexport Discrepancy function are:
• -p password
Specifies the password for Cisco Prime userid.
full path.
If you use the -p option, even after setting the CMEXPORTFILE variable, the password is taken from
the command line instead of from CMEXPORTFILE. This is not secure and we recommend that you
do not use this option.

C-12 OL-25947-01

userid password
Options
The options you can specify with the Discrepancy function are:
• -d debuglevel
• -l logfile
• -f filename
specified with -f option an XML file of the format timestampDiscrepancy.xml is stored in the
following directory: PX_DATADIR/cmexport/Discrepancy
Accessing Help
cmexport -h: Displays a list of options for cmexport.
cmexport discrepancy -h: Displays a list of options for the cmexport discrepancy command.
man cmexport
Examples
Considering userid: admin, password:admin, filename: file1.xml, you can have the following:
cmexport Discrepancy -u admin -p admin
cmexport Discrepancy -u admin -p admin -f file1.xml
cmexport Discrepancy -u admin -d 2

OL-25947-01 C-13
cmexport Manpage
cmexport Manpage
This sections contains:
• Command Line Syntax
• Commands
• Arguments and Options
• Accessing Help
Command Line Syntax

The command line syntax of the utility is in the following format:
cmexport command arguments options
where:
• cmexport is the Cisco Prime LMS command line interface for exporting User Tracking, Layer 2
topology, and discrepancy data details into XML format.
• command specifies the core operation that is to be performed.
• arguments are the additional parameters required for each core command.
• options are the optional parameters, which modify the behavior of the specific DEE core command.
The order of the arguments and options is not important. However, you must enter the core command
immediately after cmexport.
Commands
Core Command Description

ut Generates User Tracking data in XML format.
l2topology Generates Layer 2 topology data in XML format
discrepancy Generates discrepancy data in XML format
You must invoke the cmexport command with one of the core commands specified in the above table. If
no core command is specified, cmexport can execute the -v or -h options only:
• Option -v displays the version of the cmexport utility.
• Option -h (or null option) lists the usage information of this utility.

C-14 OL-25947-01
cmexport Manpage
Arguments and Options

This sections contains:
• Function-Specific Options
Mandatory Arguments
The options that must be specified with all functions are:
-u userid: Specifies the Cisco Prime userid.
Optional Arguments
The options you can specify with any function are:
• -p password
Specifies the password for Cisco Prime userid.
full path.
userid password
• -d debuglevel
• -l logfile

OL-25947-01 C-15
DEE Developer’s Reference
Function-Specific Options
The following function-specific option is supported
-f filename
If used with the:
• User Tracking function—Specifies the name of the file to which the user tracking information is to
be exported.
• Topology function—Specifies the name of the file to which the layer 2 topology information is to
be exported.
• Discrepancy function—Specifies the name of the file to which the discrepancy information is to be
exported.
Accessing Help
• cmexport -h: Displays a list of options for cmexport.
• cmexport command -h: Displays a list of options for the cmexport command.
man cmexport

The cmexport command exports data to XML format, as per the schema defined. When you need data
only for a few columns, remove the unwanted columns in the schema file. The schema files are available
in the following path in the LMS Server:
NMSROOT/campus/bin (Solaris/Soft Appliance)
NMSROOT\campus\bin (Windows)
The following are the schemas used for exporting the user tracking data in XML format:
• Schema for User Tracking Data
• User Tracking Schema for Switch Data
• User Tracking Schema for Phone Data
• User Tracking Schema for Subnet Data
• Schema for Topology Data
• Schema for Discrepancy Data
• Using Servlet to Export Data from LMS

C-16 OL-25947-01
Schema for User Tracking Data

<?xml version="1.0" encoding="UTF-8" ?>

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:element name="UTDetails">
<xs:complexType>
<xs:sequence>
<xs:element name="CMServer" type="xs:string" />
<xs:element name="CreatedAt" type="xs:string" />
<xs:element name="SchemaVersion" type="xs:string" />
<xs:element name="Heading" type="xs:string" />
<xs:element name="Query" type="xs:string" />
<xs:element name="Layout" type="xs:string" />
<xs:element ref="UTData" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="UTData">
<xs:complexType>
<xs:sequence>
<xs:element name="Index" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Subnet" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PrefixLength" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="ParentVLAN" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="dot1xEnabled" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="associatedRouters" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="discrepancyEnabled" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="bestPracticesDeviationEnabled" type="xs:string" minOccurs="0" maxOccurs="1"
/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

OL-25947-01 C-17
User Tracking Schema for Switch Data


<xs:complexType>
<xs:sequence>
<xs:element name="CMServer" type="xs:string"/>
<xs:element name="CreatedAt" type="xs:string"/>
<xs:element name="SchemaVersion" type="xs:string"/>
<xs:element name="Heading" type="xs:string"/>
<xs:element name="Query" type="xs:string"/>
<xs:element name="Layout" type="xs:string"/>
<xs:element ref="SwitchUTData" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="SwitchUTData">
<xs:complexType>
<xs:sequence>
<xs:element name="DeviceName" type="xs:string"/>
<xs:element name="DeviceIP" type="xs:string"/>
<xs:element name="UTData" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType>
<xs:sequence>
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="MACAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Subnet" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PrefixLength" type="xs:string" minOccurs="0"
maxOccurs="1"/>
<xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Port" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="LastSeen" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>

C-18 OL-25947-01
User Tracking Schema for Phone Data

<xs:annotation>
<xs:documentation>It gives the Phone details</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="PhoneQuery" type="xs:string"/>
<xs:element name="PhoneLayout" type="xs:string"/>
<xs:element ref="PhoneData" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="PhoneData">
<xs:complexType>
<xs:sequence>
<xs:element name="PhoneNumber" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="CCMAddress" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Status" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PhoneType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PhoneDescr" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
User Tracking Schema for Subnet Data


<xs:complexType>
<xs:sequence>
<xs:element name="Query" type="xs:string"/>
<xs:element name="Layout" type="xs:string"/>
<xs:element ref="SubnetUTData" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="SubnetUTData">

OL-25947-01 C-19
<xs:complexType>
<xs:sequence>
<xs:element name="SubnetId" type="xs:string"/>
<xs:element name="UTData" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType>
<xs:sequence>
<xs:element name="UserName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="HostName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="IPv6Address" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PrefixLength" type="xs:string" minOccurs="0"
maxOccurs="1"/>
<xs:element name="Prefix" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="DeviceName" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Device" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortState" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortDuplex" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="PortSpeed" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VTPDomain" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANId" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="VLANType" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="trBRFVLAN" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="SecondaryVlan" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Ring" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Bridge" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element name="Notes" type="xs:string" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Schema for Topology Data

<xs:element name="CMData">
<xs:complexType>
<xs:sequence>
<xs:element ref="Layer2Details" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Layer2Details">
<xs:complexType>
<xs:sequence>
<xs:element ref="Device" minOccurs="0" maxOccurs="unbounded"/>

C-20 OL-25947-01
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Device">
<xs:complexType>
<xs:sequence>
<xs:element name="DeviceName" type="xs:string"/>
<xs:element name="IPAddress" type="xs:string"/>
<xs:element name="DeviceState">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:pattern value="Reachable"/>
<xs:pattern value="UnReachable"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="DeviceType" type="xs:string"/>
<xs:element ref="Neighbors" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Neighbors">
<xs:complexType>
<xs:sequence>
<xs:element ref="Neighbor" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Neighbor">
<xs:complexType>
<xs:sequence>
<xs:element name="NeighborIPAddress" type="xs:string"/>
<xs:element name="NeighborDeviceType" type="xs:string"/>
<xs:element name="Link" type="xs:string"/>
<xs:element name="LocalPort" type="xs:string"/>
<xs:element name="RemotePort" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Schema for Discrepancy Data

<?xml version="1.0" encoding="UTF-8" ?>

<xs:element name="CMData">
<xs:complexType>
<xs:sequence>
<xs:element name="CMServer" type="xs:string" />
<xs:element name="CreatedAt" type="xs:string" />
<xs:element name="SchemaVersion" type="xs:string" />
<xs:element name="Heading" type="xs:string" />
<xs:element ref="Discrepancies" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Discrepancies">
<xs:complexType>
<xs:sequence>
<xs:element ref="Best-Practices-Deviation" minOccurs="0" maxOccurs="unbounded" />

OL-25947-01 C-21
<xs:element ref="Network-Discrepancy" minOccurs="0" maxOccurs="unbounded" />

</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Best-Practices-Deviation">
<xs:complexType>
<xs:sequence>
<xs:element name="Details" type="xs:string" />
<xs:element name="Type" type="xs:string" />
<xs:element name="Severity">
<xs:simpleType>
<xs:pattern value="High" />
<xs:pattern value="Medium" />
<xs:pattern value="Low" />
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="Description" type="xs:string" />
<xs:element name="FirstFound" type="xs:string" />
<xs:element name="Acknowledged" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Network-Discrepancy">
<xs:complexType>
<xs:sequence>
<xs:element name="Details" type="xs:string" />
<xs:element name="Type" type="xs:string" />
<xs:element name="Severity">
<xs:simpleType>
<xs:pattern value="High" />
<xs:pattern value="Medium" />
<xs:pattern value="Low" />
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="Description" type="xs:string" />
<xs:element name="FirstFound" type="xs:string" />
<xs:element name="Acknowledged" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Using Servlet to Export Data from LMS

The servlet allows you to access DEE features using simple scripts. You can invoke DEE functions by
running the script that connects to the LMS server and retrieves the data.
You can send the commands to export user tracking, topology, and discrepancy data (cmexport and
utexport) as HTTP or HTTPS requests to a special LMS server URL. This URL identifies a servlet that
accepts the request and authenticates the requesting user identity and credentials before authorizing the
information exchange.
• To export User Tracking data, use UTExportServlet.
• To export Discrepancy and Layer 2 Topology data, use CMExportServlet.

C-22 OL-25947-01
• To invoke cmexport and utexport commands, the servlet requires a payload file that contains details
such as:
– User credentials
– The command you want to execute.
– Optional details such as log and debug options as inputs in XML format.
The servlet then parses the payload file encoded in XML, performs the operations, and returns the results
in XML format. You must create the payload file to include the input details and submit it when you ask
for servlet access.
Typically, servlet access is used when you need to use the data export feature from a client system.
To use DEE export features, you can write a script to upload the payload file and perform the data export
functions.
See the following sample scripts:
• Sample Perl Script (test.pl) to Access the Servlet
• Sample Java Code to Access the Servlet
For example, if you are using the script test.pl, you can invoke the servlet in either of these modes:
• HTTP Mode
• HTTPS Mode
HTTP Mode
• For Discrepancy and Layer 2 topology data export, enter:
perl test.pl http://campus-server:1741/campus/servlet/CMExportServlet payload.xml
• For User Tracking data export, enter:

perl test.pl http://campus-server:1741/cmapps/UTExportServlet payload.xml
HTTPS Mode
• For Discrepancy and Layer 2 topology data export, enter:
perl test.pl https://campus-server/campus/servlet/CMExportServlet payload.xml
• For User Tracking data export, enter:

perl test.pl https://campus-server/cmapps/UTExportServlet payload.xml
Sample Perl Script (test.pl) to Access the Servlet

#!/opt/CSCOpx/bin/perl
use LWP::UserAgent;
$| = 1;
$temp = $ARGV[0] ;
$fname = $ARGV[1] ;
if ( -f $fname ) {
open (FILE,"$fname") || die "File open Failed $!";
while ( <FILE> )
{
$str .= $_ ;
}
close(FILE);
}
url_call($temp);

OL-25947-01 C-23
#-- Activate a CGI:

sub url_call {
my ($url) = @_;
my $ua = new LWP::UserAgent;
$ua->timeout(5000);
my $hdr = new HTTP::Headers 'Content-Type' => 'text/html';
my $req = new HTTP::Request ('GET', $url, $hdr);
$req->content($str);
my $res = $ua->request($req);
my $result;
if ($res->is_error)
{
print "ERROR : ", $res->code, " : ", $res->message, "\n";
$result = '';
}
else
{
$result = $res->content;
if($result =~ /Authorization error/)
{
print "Authorization error\n";
}
else
{
print $result ;
}
}
}
Sample Java Code to Access the Servlet

import java.io.*;
import java.net.URL;
import java.net.HttpURLConnection;
import java.lang.String;
import java.lang.Byte;
class CMExportServletRun {
static void main (String args[])

{
try {
URL url = new URL("http://localhost:1741/campus/servlet/CMExportServlet");
String payload = "adminadminut_hostdee.log1";
HttpURLConnection con;
InputStream is;
//opens connection to servlet
con = (HttpURLConnection)url.openConnection();
con.setRequestMethod("POST");
con.setRequestProperty("Content-type", "text/xml");
con.setDoOutput(true);
con.setUseCaches(false);
OutputStream bos = new BufferedOutputStream(con.getOutputStream());

PrintWriter out = new PrintWriter(bos);
out.println(payload);
out.flush();
out.close();

C-24 OL-25947-01
//prints out response from CMExportServlet

byte [] strBytes=new byte[10];
int noOfBytes = 0;
is = con.getInputStream();
BufferedReader bfr = new BufferedReader(new InputStreamReader(is));

String str = null ;
while ( ( str = bfr.readLine()) != null ) {

System.out.println(str);
}
}
catch (Exception e) {
System.out.println(e.toString());
}
}
}
Payload File
The payload file is an XML file that contains inputs required for the DEE servlet to process requests for
data export. Schema for the payload XML file is given in Schema for Payload File.
Table C-8 describes the elements in the schema.
Table C-8 Elements in the Schema
Element Description
username Cisco Prime user name.
password Password for Cisco Prime username.
command Command inside this tag can be ut_host, ut_phone, l2topology or
discrepancy.
view Use this option when you specify ut_host. This is optional.
This specifies the presentation of the User Tracking data in the
hierarchical format with either switch or subnet as the root.
queryname User Tracking host data is exported in XML format for the query provided
in queryname.
You can use this option when you specify ut_host
layoutname User Tracking host data is exported in XML format for the layout provided
in layoutname.
You can use this option when you specify ut_host
queryphone User Tracking phone data is exported in XML format for the query given
in queryphone.
You can use this option when you specify ut_phone

OL-25947-01 C-25
Table C-8 Elements in the Schema (continued)
Element Description
layoutphone User Tracking phone data is exported in XML format for the layout given
in layoutPhone.
You can use this option when you specify ut_phone
debug Optional. Debug messages can be collected only if log file is specified in
the log option. The debug level could be 1 or 2. You can set the value to:
1—For basic debug information.
2—For detailed debug information.
This is optional.
This section also describes:

• Sample Payload File
• Schema for Payload File
Sample Payload File

<payload>
<username>username</username>
<password>password</password>
<command>ut_host</command>
<debug>1</debug>
<view></view>
</payload>
Schema for Payload File

You can use the following schema for creating the payload file in XML format.
<xs:element name="payload">
<xs:complex Type>
<xs:sequence>
<xs:element name="username" type="xs:string"/>
<xs:element name="password" type="xs:string"/>
<xs:element name="command" type="xs:string"/>
<xs:element name="view" type="xs:string"/>
<xs:element name="queryname" type="xs:string"/>
<xs:element name="layoutname" type="xs:string"/>
<xs:element name="queryphone" type="xs:string"/>
<xs:element name="layoutphone" type="xs:string"/>
<xs:element name="debug" type="xs:string"/>
</xs:sequence>
</xs:complex Type>
</xs:element>

C-26 OL-25947-01
A P P E NDIX D
Understanding Cisco Prime Security
The Cisco Prime LMS Server provides some of the security controls necessary for a web-based network
management system. It also relies heavily on the end user’s own security measures and controls to
provide a secure computing environment for Cisco Prime applications.
The Cisco Prime LMS Server provides and requires three levels of security to be implemented to ensure
a secure environment:
• General Security—Partially implemented by the client components of Cisco Prime and by the
system administrator.
• Server Security—Partially implemented by the server components of Cisco Prime and by the system
administrator.
• Application Security—Implemented by the client and server components of the Cisco Prime
applications.
For more information on security related features, see Setting up Security.
The following sections describe the general and server security levels.
General Security
The Cisco Prime LMS Server provides an environment that allows the deployment of web-based network
management applications.
Web access provides an easy-to-use and easy-to-access computing model that is more difficult to secure
than the standard computing model that only requires a system login to execute applications.
The Cisco Prime LMS Server also provides security mechanisms (authentication and authorization) used
to prevent unauthenticated access to the Cisco Prime LMS Server and unauthorized access to Cisco
Prime applications and data.
However, Cisco Prime applications can change the behavior and security of your network devices.
Therefore, it is critical to limit access to applications and servers as follows:
• Limit access to personnel who need access to applications or the data that the applications provide.
• Limit Cisco Prime LMS Server logins to just the systems administrator.
• Limit connectivity access to the Cisco Prime LMS Server by putting it behind a firewall.

OL-25947-01 D-1
Appendix D Understanding Cisco Prime Security
Server Security
Server Security
The Cisco Prime LMS Server uses the basic security mechanisms of the operating system to protect the
code and data files that reside on the server. The following Cisco Prime LMS Server security control
elements apply:
• Server–Imposed Security
• System Administrator-Imposed Security
Server–Imposed Security
The Cisco Prime LMS Server has many dimensions, such as:
• Files, File Ownership, and Permissions
• Runtimer
• Remote Connectivity
• Access to Systems Other Than the Cisco Prime LMS Server
• Access Control
Files, File Ownership, and Permissions

The following describes the file ownership and permissions.
• UNIX Systems—Cisco Prime must be installed by a user with root privilege. It should be installed
as the user, casuser with a casusers group. If the system administrator needs to work on causer files,
a user with a name chosen by the system administrator, must be created and added to the causers
group.
All files and directories are owned by casuser with group equal to casusers. Temporary files are
created as the user casuser with permissions set to read-write for the user casuser and read for
members of group casusers.
The only exception to this rule is the log files created by the Cisco Prime web server and
diskWatcher. The Cisco Prime web server and diskWatcher must be started as root. Therefore, their
log files are owned by the user root with “group=casusers.”
• Windows Systems—Cisco Prime must be installed by the administrator and must be installed as the
user casuser.
– If it is a new installation, the system displays a message prompting you to either create or to
cancel the process. You can enter the password or it can be automatically generated.
– If it is not a new installation, the system displays a message prompting you to either continue
resetting the password or to retain the old password.
The Cisco Prime LMS Server uses the password but the casuser user is not intended as a general user
of the Windows system. No user is required to log on the Windows system as casuser.
All files and directories are owned by the user casuser. Read and write access are restricted to the
user casuser and the administrator. Temporary files are created as the user casuser with permissions
set to read-write for the user casuser.
The Cisco Prime LMS Server relies on the security mechanisms of the NTFS filesystem to provide
access control on Windows systems. If Cisco Prime is installed on a FAT filesystem, most security
assumptions made about controlled access to files and network management data are not valid.

D-2 OL-25947-01
Server Security
Runtimer
This describes the runtime activities.
• UNIX Systems—Typically Cisco Prime back-end processes are run with permissions set to the user
ID of the binary file.
For example, if user “Joe” owns an executable file, it will be run by the Cisco Prime daemon
manager under the user ID of “Joe”).
The exception are files owned by the root user ID. To prevent a potentially harmful program from
being run by the daemon manager with root permissions, the daemon manager will run only a
limited set of Cisco Prime programs that need root privilege.
This list is not documented to preclude any user from trying to impersonate these programs.
All back-end processes are run with a umask value of 027. This means that all files created by these
programs are created with permissions equal to “rwxr-x,” with an owner and group of the user ID
and group of the program that created it. Typically this will be “casuser” and “group=casusers.”
Cisco Prime foreground processes (typically cgi-bin programs or servlets) are executed under the
control of the web server’s child processes or the servlet engine, which all run as the user casuser.
Cisco Prime uses standard UNIX tftp and rcp services. Cisco Prime also requires that user casuser
have access to the directories that these services read and write to.
The Cisco Prime LMS Server must allow the user casuser to run cron and at jobs to enable the
Resource Manager Essentials Software Management application to run image download jobs.
• Windows—Cisco Prime back-end processes are run with permissions set to the user casuser. Some
of the special Cisco Prime LMS Server processes are run as a service under the localsystem user ID.
These processes include:
– Daemon manager
– Web server
– Servlet engine
– Rcp/rsh service
– TFTP service
– Corba service
– Database engine
Cisco Prime foreground processes (typically cgi-bin programs or servlets) are run under the control
of the web server and the servlet engine that run as the user localsystem.
The local system user has special permissions on the local system but does not have network
permissions.
Cisco Prime provides several services for RCP, TFTP communication with devices. These services
are targeted for use by Cisco Prime applications, but can be used for purposes other than network
management.
The Cisco Prime Server uses the at command to run software update jobs for the Resource Manager
Essentials Software Image Manager application. Jobs run by the at command, run with system level
privileges.

OL-25947-01 D-3
Server Security
Remote Connectivity
The remote connectivity details for Windows and Solaris are:
• UNIX Systems—The Cisco Prime daemon manager only responds to requests to start, stop, register,
or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
• Windows Systems—The Cisco Prime daemon manager only responds to requests to start, stop,
register, or show status for Cisco Prime back-end processes from the Cisco Prime LMS Server.
Access to Systems Other Than the Cisco Prime LMS Server

The access details for UNIX and Windows are:
• UNIX Systems—Systems used by the Cisco Prime LMS Server as remote sources of device
information for importing into the LMS Inventory Manager application must allow the user casuser
to perform remote shell operations on the user who owns the device information.
• Windows Systems—Systems used by the Cisco Prime Server as remote sources of device
information for importing into the LMS Inventory Manager application must allow the user casuser
to perform remote shell operations on the user who owns the device information.
Access Control
The access control details are:
• UNIX Systems—The UNIX user casuser is a user ID that is not typically enabled for login.
Using this user ID as the user ID under which to install the Cisco Prime Server software simplifies
the installation process and ensures limited access to the Cisco Prime Server. This is because casuser
is not a valid login ID as there is no password assigned to it.
However, the casuser user on UNIX systems can perform system and possibly network-wide
operations that could be harmful to the system or the network.
• Windows Systems—The user casuser, created as part of the install process, has no special
permissions or considerations on a system so it is a “safe” user ID under which to run the Cisco
Prime Server and application code. The localsystem user can perform harmful system operations.
Therefore, consider that by using the localsystem user ID to run some of the backend processes, the
localsystem user ID cannot perform network operations.
Note The system administrator should review and adopt the security recommendations in System
Administrator-Imposed Security.

D-4 OL-25947-01
Server Security
System Administrator-Imposed Security

To maximize Cisco Prime LMS Server security, follow these security guidelines:
• Do not allow users other than the systems administrator to have a login on Cisco Prime LMS Server.
• Do not allow the Cisco Prime LMS Server file systems to be mounted remotely with NFS or any
other file-sharing protocol.
• Limit remote access (for example, FTP, RCP, RSH) to Cisco Prime LMS Server to those users who
are permitted to log into Cisco Prime LMS Server.
• Place your network management servers behind firewalls to prevent access to the systems from
outside of your organization.
• Change the database password after installation and periodically based on your company’s security
policies.
• Back up the security certificates in a safe location, if you are using SSL in Cisco Prime LMS Server.
Connection Security
The Cisco Prime LMS Server uses Secure Socket Layer (SSL) encryption to provide secure connection
between the client browser and management server, and Secure Shell (SSH) to provide secure access
between the management server and devices.
Security Certificates
Security certificates are similar to digital ID cards. They prove the identity of the server to clients.
Certificates are issued by Certificate Authorities (CAs) such as VeriSign® or Thawte.
A certificate vouches for the identity and key ownership of an individual, a computer system (or a
specific server running on that system), or an organization. It is a general term for a signed document.
Typically, certificates contain the following information:
• Subject public key value.
• Subject identifier information (such as the name and e-mail address).
• Validity period (the length of time that the certificate is considered valid).
• Issuer identifier information.
• The digital signature of the issuer. This attests to the validity of the binding between the subject
public key and the subject identifier information.
A certificate is valid only for the period of time specified within it. Every certificate contains Valid From
and Valid To dates, which are the boundaries of the validity period.
For example, a user's certificate verifies that the user owns a particular public key. The server certificate
for the server named myserver.cisco.com verifies that a specific public key belongs to this server.
Certificates can be issued for a variety of functions such as web user authentication, web server
authentication, secure e-mail (S/MIME), IP Security, Transaction Layer Security (TLS), and code
signing.

OL-25947-01 D-5
Server Security
Cisco Prime LMS Server supports security certificates for authenticating secure access between client
browser and management server.
Cisco Prime supports Self signed certificates and provides an option to create self-signed certificates.
For more information, see Creating Self Signed Certificates.
Terms and Definitions

The following explains the terms and corresponding definitions in Cisco Prime:
• Secure Socket Layer (SSL)
• Public Key, Private Key
• Secure Shell (SSH)
• PKCS#8
• Base64- Encoded X.509 Certificate Format
• Certificate Authority
• Cisco Prime TrustStore or KeyStore
Secure Socket Layer (SSL)
Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data
through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private
keys.
Public Key, Private Key
Public and private keys are the ciphers used to encrypt and decrypt information. While the public key is
shared quite freely, the private key is never given out. Each public-private key pair works together. Data
encrypted with the public key can only be decrypted with the private key.
Secure Shell (SSH)
Secure Shell (SSH) is an application and a protocol that provide a secure replacement to the Berkeley
r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application
can be used similarly to the Berkeley rexec and rsh tools.
Two versions of SSH are currently available: SSH Version 1 and SSH Version 2.
PKCS#8
Public-Key Cryptography Standards (PKCS) are a set of standards for public-key cryptography,
developed by RSA Laboratories in cooperation with an informal consortium, originally including Apple,
Microsoft, DEC, Lotus, Sun and MIT.
The PKCS have been cited by the OIW (OSI Implementers' Workshop) as a method for implementation
of OSI standards.
The PKCS are designed for binary and ASCII data; PKCS are also compatible with the ITU-T X.509
standard. The published standards are PKCS #1, #3, #5, #7, #8, #9, #10, #11, #12, and #15; PKCS #13
and #14 are currently being developed.
PKCS #8 describes a format for private key information. This information includes a private key for
some public-key algorithm, and optionally a set of attributes.

D-6 OL-25947-01
Server Security
Base64- Encoded X.509 Certificate Format
X.509 certificate format is an emerging certificate standard. It is part of the OSI group of standards.
X.509 certificates are very clearly defined using a notation called ASN.1 (Abstract Syntax Notation 1)
which specifies the precise kinds of binary data that make up the certificate.
ASN.1 can be encoded in many ways, but the emerging standard is an encoding called DER
(Distinguished Encoding Rules), which results in a compact binary certificate.
For e-mail exchange purposes the binary certificate is often Base64 encoded, resulting in an ASCII text
document that looks like the following:
-----BEGIN CERTIFICATE-----
MIIC4jCCAkugAwIBAgIEA0E1UDANBgkqhkiG9w0BAQBhMC
VVMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYNQ2lz
Y28gU3lzdGVtczENMAsGA1UECxMERU1CVTEqMCgG0ZXN0
MiBDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4XDTAyMDas3DA4
NTgwOVowgYIxCzAJBgNVBAYTAklOMQswCQYDVQQIQ2hl
bm5haTEMMAoGA1UEChMDSENMMQ0wCwYDVQQLEtzZGlu
YWthci1wYzEhMB8GCSqGSIb3DQEJARYSc2RpbmFrYXfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV1o9PyO7txr5vme
FU/f9tp5To/HaLIWHVx9zpihPnVuKaepp8kcEXO8Sed8crXeU8BP
9qHoIswGn1oJEGFXm9gs5uupJyAgeDd6O9eCuQbiSKgE1sFGFSL
xNGQJZbCrQIDAQABo2UwYzARBglghkgBhvhCAQEEB/BAQD
-----END CERTIFICATE-----
Cisco Prime requires the Certificates to be uploaded in this format.
Note Other certificate formats such as PKCS#7 also have similar formats. Hence it is important that you
confirm with the CA the format of the certificate, and request specifically for Base64 Encoded
X.509Certificates formats.
Certificate Authority
A certificate authority (CA) is an authority in a network that issues and manages security credentials and
public keys for message encryption.
As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify
information provided by the requestor of a digital certificate. If the RA verifies the requestor's
information, the CA then issues a certificate.
Cisco Prime TrustStore or KeyStore
Cisco Prime TrustStore or KeyStore is the location where Cisco Prime maintains the list of Certificates
that it trusts.
The KeyStore location is:
• NMSROOT\MDC\Apache\conf\ssl (on Windows)
• NMSROOT/MDC/Apache/conf/ssl (on Solaris/Soft Appliance)

OL-25947-01 D-7
Server Security

D-8 OL-25947-01
A P P E NDIX E
Commands to Enable MAC Notification
Traps on Devices
This appendix provides information on the list of commands that needs to run on each device to enable
MAC Notification traps.
This appendix contains the following:
• Overview of Dynamic Updates
• Configuring Switches With MAC Notification Commands
• Device Operating System Version-Specific Commands
• List of Commands to Enable MAC Notification Traps on Devices
Overview of Dynamic Updates

Dynamic Updates are asynchronous updates that are based on SNMP MAC notifications traps sent by
devices to Network Topology, Layer 2 Services and User Tracking . These traps are sent as and when
there are changes to the network.
You must configure the Cisco switches for sending SNMPv1/SNMPv2 MAC Notification traps when a
host is connected to or disconnected from that port.
If you do not have Configuration Management enabled on your LMS server, you have to manually
configure the switches, for the switches to send MAC Notifications to the LMS server.
To manually configure the switches:
Step 1 Choose Admin > Trust Management > Multi Server > System Identity Setup.
Step 2 Renter the password for the System Indentity user.
Ensure that the System Indentity User user name and password are are valid, also under Admin >
System > User Management > Local User Setup.
See the section Understanding Dynamic Updates in User Tracking and Dynamic Updates for more
information.

OL-25947-01 E-1
Appendix E Commands to Enable MAC Notification Traps on Devices
Configuring Switches With MAC Notification Commands
Configuring Switches With MAC Notification Commands

The list of commands that needs to be run on the devices are stored on the built-in XML file namely,
MACCommands.XML in a hierarchical manner.
The list of commands available are:
• Global commands
• Device Family-specific commands
• Device Type-specific commands
• Device Operating System version-specific commands
While configuring, Network Topology, Layer 2 Services and User Tracking selects the commands for
each device based on the fallback rule in the following order:
1. Device Operating System version-specific commands
2. Device Type-specific commands
3. Device Family-specific commands
4. Global commands
If a device OID matches an OS version, the Device OS version-specific commands should be selected to
configure the device. Otherwise, the Device Type-specific commands should be selected.
If a device OID could not find a specific match on both Device OS version-specific commands and
Device Type-specific commands, the Device-Family specific commands should be selected.
The Global commands are selected for configuring the device when there is no match of Device OS
version-specific, Device Type-specific, or Device Family-specific commands available for the device.
The device is considered as an unknown device type when there is no match of any of the command sets
available. In other words, for an unknown device type, command set will not be generated.
Device Operating System Version-Specific Commands

A device OID finds a match from the OS versions first, in the XML file.
A range of OS versions for which the command set remains the same, are indicated in the osversion tag
in the XML file.
The range of OS versions are represented using brackets [ ] and parantheses ( ). Brackets [ ] indicate an
inclusive list of OS versions. Parantheses ( ) indicate an exclusive list of OS versions.
The following are the examples for OS version ranges:
• [12.2(40),12.2(43)) denotes all OS versions between 12.2(40) and 12.2(43) including 12.2(40) and
excluding 12.2(43).
• [,12.2(40)] denotes all OS versions prior to 12.2(40) and including version 12.2(40).
• [12.1(19)EA1,12.2(46)SE) denotes all OS versions 12.1(19)EA1 and later, and prior to 12.2(46)SE.

E-2 OL-25947-01
List of Commands to Enable MAC Notification Traps on Devices
List of Commands to Enable MAC Notification Traps on

Devices
Table E-1 explains the list of commands that needs to be run on the devices.
Table E-1 List of Commands to Enable SNMP Traps in Devices
Interface
Device Family Device Type SysOID Global Command Set Command Set OS Version
default - - mac address-table snmp trap -
notification:mac mac-notification
address-table notification added:snmp trap
interval 15:snmp-server mac-notification
enable traps removed
MAC-Notification:snmp-ser
ver host HOST version
TRAPVERSION
COMMUNITY udp-port
PORT mac-notification

OL-25947-01 E-3
Table E-1 List of Commands to Enable SNMP Traps in Devices (continued)
Interface
C3750-STACK - - mac address-table snmp trap -
notification change:mac mac-notification
change interval mac-notification
15:snmp-server enable traps removed
TRAPVERSION
COMMUNITY udp-port
C3750-STACK 1.3.6.1.4.1.9.1.516 mac-address-table snmp trap [,12.1(19)EA1)
notification:mac-address-tabl mac-notification
e notification interval added:snmp trap
15:snmp-server enable traps mac-notification
MAC-Notification:snmp-ser removed
TRAPVERSION
COMMUNITY udp-port
mac address-table snmp trap [12.1(19)EA1,12
notification:mac mac-notification .2(46)SE)
TRAPVERSION
COMMUNITY udp-port
mac address-table snmp trap 12.2(52)SE
address-table notification change
change interval added:snmp trap
MAC-Notification:snmp-ser change removed
TRAPVERSION
COMMUNITY udp-port
PORT mac-notificatio

E-4 OL-25947-01
Interface
C3750-STACK NME16ES1GP 1.3.6.1.4.1.9.1.663 mac-address-table snmp trap [,12.1(19)EA1)
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
NME16ES1GP 1.3.6.1.4.1.9.1.702 mac-address-table snmp trap [,12.1(19)EA1)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-5
Interface
C3750-STACK NMEX23ES1 1.3.6.1.4.1.9.1.664 mac-address-table snmp trap [,12.1(19)EA1)
GP notification:mac-address-tabl mac-notification
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
NMEXD24ES 1.3.6.1.4.1.9.1.665 mac-address-table snmp trap [,12.1(19)EA1)
1SP notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

E-6 OL-25947-01
Interface
C3750-STACK NMEXD48ES 1.3.6.1.4.1.9.1.666 mac-address-table snmp trap [,12.1(19)EA1)
2SP notification:mac-address-tabl mac-notification
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
C3550-24ME 1.3.6.1.4.1.9.1.574 mac-address-table snmp trap [,12.1(19)EA1)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-7
Interface
C3750-STACK C3550-24ME 1.3.6.1.4.1.9.1.589 mac-address-table snmp trap [,12.1(19)EA1)
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

E-8 OL-25947-01
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-9
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
C3750-24P 1.3.6.1.4.1.9.1.536 mac-address-table snmp trap [,12.1(19)EA1)
TRAPVERSION
COMMUNITY udp-port
mac-address-table snmp trap [12.1(19)EA1,12
notification:mac-address-tabl mac-notification .2(46)SE)
TRAPVERSION
COMMUNITY udp-port

E-10 OL-25947-01
Interface
C3750-STACK C3750 1.3.6.1.4.1.9.1.530 mac-address-table snmp trap [,12.1(19)EA1)
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
C3750 1.3.6.1.4.1.9.1.511 mac-address-table snmp trap [,12.1(19)EA1)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-11
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

E-12 OL-25947-01
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-13
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

E-14 OL-25947-01
Interface
C3750-STACK C3750P 1.3.6.1.4.1.9.1.604 mac-address-table snmp trap [,12.1(19)EA1)
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-15
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
C3550 - - mac address-table snmp trap -
TRAPVERSION
COMMUNITY udp-port
C3550-24 1.3.6.1.4.1.9.1.366 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

E-16 OL-25947-01
Interface
C3550 C3550-12T 1.3.6.1.4.1.9.1.368 mac-address-table snmp trap [,12.1(11)EA1)
(continued)
TRAPVERSION
COMMUNITY udp-port
C3550-12G 1.3.6.1.4.1.9.1.431 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C3550-24FX 1.3.6.1.4.1.9.1.453 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C3550-24DC 1.3.6.1.4.1.9.1.452 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C3550-24PWR 1.3.6.1.4.1.9.1.485 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-17
Interface
C3550 C3560-24PS 1.3.6.1.4.1.9.1.563 mac-address-table snmp trap [,12.1(11)EA1)
(continued)
TRAPVERSION
COMMUNITY udp-port
C3560-48PS 1.3.6.1.4.1.9.1.564 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C3560G-24PS 1.3.6.1.4.1.9.1.614 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C3560G-24TS 1.3.6.1.4.1.9.1.615 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C3560G-48PS 1.3.6.1.4.1.9.1.616 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port

E-18 OL-25947-01
Interface
C3550 C3560G-48TS 1.3.6.1.4.1.9.1.617 mac-address-table snmp trap [,12.1(11)EA1)
(continued)
TRAPVERSION
COMMUNITY udp-port
C3560E 1.3.6.1.4.1.9.1.930 mac address-table snmp trap -
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-19
Interface
C3550 3000 1.3.6.1.4.1.9.1.909 mac address-table snmp trap -
(continued)
TRAPVERSION
COMMUNITY udp-port
3000 1.3.6.1.4.1.9.1.910 mac address-table snmp trap -
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

E-20 OL-25947-01
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-21
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

E-22 OL-25947-01
Interface
(continued)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-23
Interface
C3550 C3000IE 1.3.6.1.4.1.9.1.958 mac address-table snmp trap -
(continued)
- interval 15:snmp-server mac-notification
TRAPVERSION
COMMUNITY udp-port
C3000IE 1.3.6.1.4.1.9.1.959 mac address-table snmp trap -
TRAPVERSION
COMMUNITY udp-port
C3500XL - - mac-address-table snmp trap -
TRAPVERSION
COMMUNITY udp-port
C3508GXL 1.3.6.1.4.1.9.1.246 - - -
C3512XL 1.3.6.1.4.1.9.1.247 - - -
C3524XL 1.3.6.1.4.1.9.1.248 - - -
C3548XL 1.3.6.1.4.1.9.1.278 - - -
C3524PWRXL 1.3.6.1.4.1.9.1.287 - - -

E-24 OL-25947-01
Interface
TRAPVERSION
COMMUNITY udp-port
C2970G-24T 1.3.6.1.4.1.9.1.527 mac-address-table snmp trap [,12.1(19)EA1)
TRAPVERSION
COMMUNITY udp-port
C2970G-24TS 1.3.6.1.4.1.9.1.561 mac-address-table snmp trap [,12.1(19)EA1)
TRAPVERSION
COMMUNITY udp-port
371098-001 1.3.6.1.4.1.11.2.3.7. mac-address-table snmp trap [,12.1(19)EA1)
11.33.3.1.1 notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
ME-3400G-12 1.3.6.1.4.1.9.1.781 mac-address-table snmp trap [,12.1(19)EA1)
CS-D notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-25
Interface
C2970 ME-3400G-12 1.3.6.1.4.1.9.1.780 mac-address-table snmp trap [,12.1(19)EA1)
CS-A notification:mac-address-tabl mac-notification
(continued)
TRAPVERSION
COMMUNITY udp-port
C2960-24TC-S 1.3.6.1.4.1.9.1.928 mac-address-table snmp trap [,12.1(19)EA1)
TRAPVERSION
COMMUNITY udp-port
ME-3400G-2C 1.3.6.1.4.1.9.1.825 mac-address-table snmp trap [,12.1(19)EA1)
S-A notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
C2960G-48TC 1.3.6.1.4.1.9.1.697 mac-address-table snmp trap 12.2(35)SE5
-L notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
mac address-table snmp trap 12.2(44)SE6

notification change interval mac-notification
15:snmp-server enable traps change
MAC-Notification:snmp-ser added:snmp trap
ver host HOST version mac-notification
TRAPVERSION change removed
COMMUNITY udp-port
ME-3400 1.3.6.1.4.1.9.1.873 - - -

E-26 OL-25947-01
Interface
C2970 ME-3400 1.3.6.1.4.1.9.1.1007 - - -
(continued) ME-3400 1.3.6.1.4.1.9.1.1008 - - -
ME-3400 1.3.6.1.4.1.9.1.1009 - - -
C2960 1.3.6.1.4.1.9.1.929 - - -
C2960 1.3.6.1.4.1.9.1.927 - - -
C2960 1.3.6.1.4.1.9.1.1005 - - -
C2960 1.3.6.1.4.1.9.1.1006 - - -
C2960 1.3.6.1.4.1.9.1.950 - - -
C2960 1.3.6.1.4.1.9.1.951 - - -
C2960 1.3.6.1.4.1.9.1.952 - - -
C2975 1.3.6.1.4.1.9.1.1067 - - -
C2975 1.3.6.1.4.1.9.1.1068 - - -
C2900XL - - mac-address-table snmp trap -
TRAPVERSION
COMMUNITY udp-port
C2908XL 1.3.6.1.4.1.9.1.170 - - -
C2900XL C2924XL 1.3.6.1.4.1.9.1.183 - - -
(continued) C2924CXL 1.3.6.1.4.1.9.1.184 - - -
C2924XLV 1.3.6.1.4.1.9.1.217 - - -
C2924CXLV 1.3.6.1.4.1.9.1.218 - - -
C2912XL 1.3.6.1.4.1.9.1.219 - - -
C2924MXL 1.3.6.1.4.1.9.1.220 - - -
C2912MFXL 1.3.6.1.4.1.9.1.221 - - -
C2924XL-LRE 1.3.6.1.4.1.9.1.369 - - -
C2912XL-LRE 1.3.6.1.4.1.9.1.370 - - -

OL-25947-01 E-27
Interface
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

E-28 OL-25947-01
Interface
C2950 C2950C-24 1.3.6.1.4.1.9.1.325 mac-address-table snmp trap [,12.1(11)EA1)
(continued) notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
C2950T-24 1.3.6.1.4.1.9.1.359 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C2950G-24 1.3.6.1.4.1.9.1.428 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-29
Interface
C2950 C2950G-24DC 1.3.6.1.4.1.9.1.472 mac-address-table snmp trap [,12.1(11)EA1)
(continued) notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
C2950-24SX 1.3.6.1.4.1.9.1.480 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C2955C-12 1.3.6.1.4.1.9.1.489 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C2955S-12 1.3.6.1.4.1.9.1.508 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C2955T-12 1.3.6.1.4.1.9.1.488 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port

E-30 OL-25947-01
Interface
C2950 C2950ST-8LR 1.3.6.1.4.1.9.1.483 mac-address-table snmp trap [,12.1(11)EA1)
(continued) E notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
C2950ST-24L 1.3.6.1.4.1.9.1.482 mac-address-table snmp trap [,12.1(11)EA1)
RE notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
C2940-8TT 1.3.6.1.4.1.9.1.540 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C2940-8TF 1.3.6.1.4.1.9.1.542 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port
C2950-48SX 1.3.6.1.4.1.9.1.560 mac-address-table snmp trap [,12.1(11)EA1)
TRAPVERSION
COMMUNITY udp-port

OL-25947-01 E-31
Interface
C2950 CIGESM-18T 1.3.6.1.4.1.9.1.592 mac-address-table snmp trap [,12.1(11)EA1)
(continued) T notification:mac-address-tabl mac-notification
TRAPVERSION
COMMUNITY udp-port
C6000 - - set cam notification set cam -
enable:set snmp trap enable notification
macnotification:set snmp trap added enable
HOST COMMUNITY INTERFACE:set
version TRAPVERSION port cam notification
PORT removed enable
INTERFACE
C6006 1.3.6.1.4.1.9.5.38 - - -
C6009 1.3.6.1.4.1.9.5.39 - - -
C6509 1.3.6.1.4.1.9.5.44 - - -
C6506 1.3.6.1.4.1.9.5.45 - - -
C6509SP 1.3.6.1.4.1.9.5.47 - - -
C6513 1.3.6.1.4.1.9.5.50 - - -
C6503 1.3.6.1.4.1.9.5.56 - - -
C6000-IOS - - mac-address-table snmp trap -
notification mac-notification
change:mac-address-table change
notification change interval added:snmp trap
TRAPVERSION
COMMUNITY udp-port

E-32 OL-25947-01
Interface
C6000-IOS catalyst6000IO 1.3.6.1.4.1.9.1.657 - - -
(continued) S
catalyst6006IO 1.3.6.1.4.1.9.1.280 - - -
S
catalyst6009IO 1.3.6.1.4.1.9.1.281 - - -
S
Cisco 1.3.6.1.4.1.9.1.282 - - -
C6506-IOS
catalyst6509IO 1.3.6.1.4.1.9.1.283 - - -
S
catalyst6509sp 1.3.6.1.4.1.9.1.310 - - -
IOS
catalyst6513IO 1.3.6.1.4.1.9.1.400 - - -
S
ciscoWSC6503 1.3.6.1.4.1.9.1.449 - - -
ciscoWSC6509 1.3.6.1.4.1.9.1.534 - - -
neba
catalyst6509V 1.3.6.1.4.1.9.1.832 - - -
E
Cisco 1.3.6.1.4.1.9.1.449 - - -
C6503-IOS
C4000 - - set cam notification set cam -
enable:set snmp trap enable notification
macnotification:set snmp trap added enable
HOST COMMUNITY port INTERFACE:set
PORT cam notification
removed enable
INTERFACE
C4003 1.3.6.1.4.1.9.5.40 - - -
C4912G 1.3.6.1.4.1.9.5.41 - - -
C2948G 1.3.6.1.4.1.9.5.42 - - -
C4006 1.3.6.1.4.1.9.5.46 - - -
C2980G 1.3.6.1.4.1.9.5.49 - - -
C2980G-A 1.3.6.1.4.1.9.5.51 - - -
C4503 1.3.6.1.4.1.9.5.58 - - -
C4506 1.3.6.1.4.1.9.5.59 - - -
C2948G-GE-T 1.3.6.1.4.1.9.5.62 - - -
X

OL-25947-01 E-33
Interface
C4000-IOS - - mac-address-table snmp trap -
notification mac-notification
change:mac-address-table change
notification change interval added:snmp trap
TRAPVERSION
COMMUNITY udp-port
cisco4000 1.3.6.1.4.1.9.1.448 - - -
cisco4900M 1.3.6.1.4.1.9.1.917 - - -
cisco4948 1.3.6.1.4.1.9.1.626 - - -
cisco4948-10G 1.3.6.1.4.1.9.1.659 - - -
E
cisco4948-10G 1.3.6.1.4.1.9.1.875 - - -
E
cisco4948-10G 1.3.6.1.4.1.9.1.877 - - -
E
cisco4948-10G 1.3.6.1.4.1.9.1.874 - - -
E
cisco4948-10G 1.3.6.1.4.1.9.1.876 - - -
E
C4506-IOS 1.3.6.1.4.1.9.1.502 mac address-table snmp trap 12.2(53)SG
address-table notification change
change interval added:snmp trap
mac-notification:snmp-serve change removed
r host HOST version 1
COMMUNITY udp-port
1431 mac-notification
C4900ME mac-address-table snmp trap
-
e notification interval change
15:snmp-server enable traps added:snmp trap
MAC-Notification:snmp-ser mac-notification
ver host HOST version change removed
TRAPVERSION
COMMUNITY udp-port
C4900ME 1.3.6.1.4.1.9.1.788 - - -

E-34 OL-25947-01
Interface
C2400ME - - mac address-table snmp trap -
TRAPVERSION
COMMUNITY udp-port
C2400ME 1.3.6.1.4.1.9.1.735 - - -
C2350 1.3.6.1.4.1.9.1.1104 - - -

OL-25947-01 E-35

E-36 OL-25947-01
A P P E NDIX F
Recommended Best Practices
This appendix provides the recommended best practices for increasing the disk space and system
performance. It contains the following topics:
• Basic Server and Client Requirements
• Best Practices to Reclaim Disk Space Using Purging Method
• Best Practices for Improving System Performance
• Best Practices for Performing Server Reboot
• Backing Up Data
• Handling Custom Telnet Prompts
• Best Practices for Software Image Upgrade
• FAQ
Note To avoid restarting daemons, you must ensure that device packages, point patches and software updates
are updated (up-to-date) before network is down during planned network downtime.
Basic Server and Client Requirements

Before installing LMS software, you must check if your system meets the recommended prerequisites.
There are various factors that you must consider before installing LMS on Soft Appliance, Windows and
Solaris systems. For more details, refer to Prerequisites in the Installing and Migrating to Cisco Prime
LAN Management Solution 4.2 guide.
Refer the following links to check if your system meets the recommended prerequisites:
• System and Browser Requirements for Server and Client
• Terminal Server Support for Windows Server
• Solaris Patches
• LMS 4.2 Port Usage
• Required Device Credentials for LMS Functionalities

OL-25947-01 F-1
Appendix F Recommended Best Practices
Best Practices to Reclaim Disk Space Using Purging Method

This section contains the list of best practices that are recommended when you want to reclaim disk
space using purging method.
When data in your system increases and disk space decreases, purging helps you reclaim disk space. You
can reclaim disk space using the following methods:
• Purging Databases
• Purging Jobs
• Purging Archives
Purging Databases
To reclaim disk space by purging your system’s database:
• Set the Syslog Purge Settings in such a way that syslog records do not pile up in the database. The
following steps should be performed to set the Syslog Purge Settings:
– Enable the Syslog Backup Settings by navigating to Admin > Network > Purge Settings >
Syslog Backup Settings.
– Set the purge policy date and schedule a job on daily/weekly basis by navigating to Admin >
Network > Purge Settings > Syslog Purge Settings.
– Perform a force purge job by navigating to Admin > Network > Purge Settings > Syslog Force
Purge.
• Run the DBSpaceReclaimer tool after performing force purge job to reclaim disk space to a greater
extent. The following steps should be performed:
– Open RMEDebugToolsReadme.txt from
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\debugtools, where NMSROOT is the
Cisco Prime installation directory.
– Refer Syslog DBSpaceReclaimer Tool section in the RMEDebugToolsReadme.txt file and
execute the perl script DBSpaceReclaimer.pl. For more details, refer Syslog Administrative
Tasks.
In Device Performance Management, if the size of the database remains the same after purging, the
following steps should be performed to reclaim disk space:
• For Windows:
– Stop the daemon using the net stop crmdmgtd command.
– Enter dbunload -c "uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>> " -ar
For example: dbunload -c
"uid=DBA;pwd=admin;dbf=C:\Progra~2\CSCOpx\databases\upm\upm.db" -ar
– Start the daemon using the net start crmdmgtd command.

• For Solaris:
– Stop the daemon using the /etc/init.d/dmgtd stop command.
– If you get an error message regarding library path, enter source
/opt/CSCOpx/etc/install.cshrc

F-2 OL-25947-01
– To get the library path LD_LIBRARY_PATH, navigate to

/opt/CSCOpx/lib/classpath/md.properties.
– To set the library path, enter setenv LD_LIBRARY_PATH <<PATH>>
– To reload the database, enter dbunload -c
"uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>>" -ar

"uid=DBA;pwd=welcome;dbf=/opt/CSCOpx/databases/upm/upm.db" -ar
Note Ensure that the file /opt/CSCOpx/databases/upm/upm.db has permission as: -rw------- 1 casuser
casusers upm.db. You can change the permissions using the following commands:
• chmod 600 upm.db
• chown casuser:casusers upm.db
– Start the daemon using the /etc/init.d/dmgtd start command.

• For Linux:
– Stop the daemon using the /etc/init.d/dmgtd stop command.
– If you get an error message regarding library path, enter source
/opt/CSCOpx/etc/install.cshrc from the csh shell.
– To get the library path LD_LIBRARY_PATH, navigate to
/opt/CSCOpx/lib/classpath/md.properties.
– To set the library path, enter setenv LD_LIBRARY_PATH <PATH>
– To reload the database, enter dbunload -c
"uid=DBA;pwd=<<password>>;dbf=<<upm_database_location>>" -ar

"uid=DBA;pwd=welcome;dbf=/opt/CSCOpx/databases/upm/upm.db" -ar
Note Ensure that the file /opt/CSCOpx/databases/upm/upm.db has permission as: -rw------- 1 casuser
casusers upm.db. You can change the permissions using the following commands:
• chmod 600 upm.db
• chown casuser:casusers upm.db
• Start the daemon using the /etc/init.d/dmgtd start command.
Purging Jobs
You can configure LMS to periodically purge job data that you no longer need. This is done using Job
Purge. For more details, refer Performance Purge Jobs.
Refer the following links to configure the purge settings for all modules in LMS:
• Purging Reports Jobs and Archived Reports
• Purging VRF Management Reports Jobs and Archived Reports

OL-25947-01 F-3
Best Practices for Improving System Performance
• Purging Configurations from the Configuration Archive

• Syslog Administrative Tasks
• Setting the Syslog Purge Policy
• Performance Purge Jobs
• Performance Purge Data
• View Performance Purge Details
• IPSLA Data Purging Settings
• Configuring the Daily Fault History Purging Schedule
Note You can view the status of all the LMS admin-related Jobs in Job Browser. For more details, refer Using
Job Browser.
Purging Archives
Purging archives frees disk space and maintains your archive at a manageable size. For more details,
refer Purging Configurations from the Configuration Archive.
Note Log files can expand and fill up disk space. Log files disk space usage can be maintained by deleting the
unwanted log files from the Cisco Prime installation directory. For more details, refer Maintaining Log
Files. Log Files can also be maintained by using the logrot functionality. For more details, refer
Configuring Log Files Rotation. Log files rotation can be also be scheduled. For more details, refer
Scheduling Log Files Rotation.

System performance can be improved by setting the Performance Tuning Tool (PTT) and also by
managing core devices in critical device poller.
Improving System Performance Using PTT

PTT is a Command Line Interface (CLI) utility that enables you to apply and list various profiles
available in LMS server. Profiles consist of configuration files, which are in the form of XML files whose
values are based on the recommendations for various applications. There are two profiles shipped with
LMS. You can use any of the profiles that matches the system. Parameters are tuned and available in each
profile. You can apply the required profile to the system and improve performance. This is a major
advantage of using PTT. For more details, refer to Performance Tuning Tool in the Configuration
Management with Cisco Prime LAN Management Solution 4.2 guide. For Layer2 and topology related
PTT, refer to Performance Tuning Tool in Appendix A.
Improving System Performance Using Critical Device Poller

Data collection consumes significant system resources. The critical device poller allows you to view the
device and link status without running Data Collection. You can simply poll the network and view the
device and link status in Topology maps. Only core devices should be managed in critical device poller.
For more details, refer Data Collection Critical Device Poller.

F-4 OL-25947-01
Suggestions for Better System Performance

Consider the following points for better system performance:
• Configure devices to send only the syslogs that you are working with. This practice will help you
avoid server issues that occur due to huge amount of syslogs.
• Avoid running numerous scheduled jobs of the same type.
• When restarting the scanner, delay the anti-virus scan to avoid issues that could occur in upcoming
processes. You can restart the scanner only after all processes are up again.
• Do not delete or move any files available in LMS-installed location, without confirming with the
TAC engineer about the impact the action might cause.
• Related or critical jobs from the same application should not be triggered in a way that it conflicts
with each other. For example: Inventory collection and Configuration collection should not be
scheduled to run at the same time because doing so will create system issues. Similarly, Data
Collection and User Tracking must not be scheduled to run simultaneously. You should identify
priority of jobs based on use cases and schedule appropriate timings for those critical jobs to run.
Unrelated jobs or non-critical jobs can run at a parallel or later time.
Consider the following points when you configure systems to manage a large number of devices:
• Device Discovery – Set up the discovery schedule to a less frequent one and choose the time most
appropriate to you. You must select the discovery parameters most suitable to your environment so
that it could speed up the discovery process, and discover and populate correct values.
• Data Collection Settings – The data collection is configured to run every four hours starting at
midnight. Run discovery manually once to determine an appropriate polling cycle. The subsequent
polls will be shorter in duration, but you should still give it a 20 percent buffer. For example, if it
took four hours to poll the whole network the first time, you could set the frequency to five hours to
make sure that there is no overlapping between the two consecutive data collection processes.
• User-Tracking Discovery – You must configure the time so that two consecutive schedules do not
overlap. You could also filter subnets for which you do not want to perform end-host discovery or
subnets where no end hosts are present. Configure subnets that you want excluded from doing a ping
sweep before the discovery process.
• Fault Management Polling Parameters and Threshold – Default Cisco Prime fault management
polling and threshold parameters are configured for Cisco Prime fault management system-defined
groups; however, it is recommended that you look at these configurations based on critical and
noncritical devices in your network.
• Cisco Prime Inventory, Configuration, and Image Management – In Cisco Prime LMS, you can
create user-defined jobs for inventory polling and collection, and configuration collection and
polling on a set of devices selected as part of the job creation process. You should consider this
option when servers manage a large number of devices.
• Periodic Polling Versus Periodic Collection – Polling uses fewer resources than full scheduled
collection because configuration files are retrieved only if the configuration MIB variable is set, so
it is recommended that you enable the Period Polling option and disable the Periodic Collection
option.
Note All collection must be scheduled in a way that it does not conflict with each other.
Recommendations on when to schedule various jobs

Consider the following points when scheduling jobs:
• Inventory/Config jobs can be scheduled to run on daily basis.

OL-25947-01 F-5
Best Practices for Performing Server Reboot
• Inventory/Config collection jobs can be scheduled to run on weekly basis.

• All Purge jobs (not specific to inventory and Config) can be scheduled to run on weekly basis.
• CDA Job can be scheduled to run on weekly basis.
Note The UI performance of the application client can be improved by using device groups when executing
application tasks, especially when a single server is managing a large number of devices.
Best Practices for Performing Server Reboot

In windows, Security patches/OS updates requires server reboot. For performing server reboot, refer the
following steps:
Step 1 Enter the following command to stop the Daemon Manager:

net stop crmdmgtd
Step 2 Change the startup type of the Daemon Manager to manual in Windows Services Control Panel.
Step 3 Update the software on server or reload the server.
Step 4 Change the startup type of the Daemon manager to automatic once the server comes up.
Step 5 Enter the following command to start the Daemon manager and wait till all the services comes up.
net start crmdmgtd
Note Don't restart the Daemon Manager when major collections like DC, UT, Inventory, Config is running to
avoid database corruption problem.
Note If you want to reboot the Windows, Solaris or VM server, you must do so only after stopping the
daemons. You must not reboot the server while the daemons are running.
Backing Up Data
Regular backup of data should be practiced on a daily/weekly basis to avoid data loss. To schedule
system backups at regular intervals, select Admin > System > Backup. For more details, refer Backing
Up Data.
Consider the following points when backing up data:

F-6 OL-25947-01
• While scheduling or triggering a backup, if the backup time conflicts with any JRM job time (Jobs
that is scheduled between backup time +/- one hr), then an error pops up displaying a list of job IDs.
Similarly, when scheduling or triggering a JRM job, if the JRM job schedule time conflicts with any
backup time (Backup time that is scheduled between JRM job time +/- one hr), then an error pops
up displaying a list of backup time that runs around the same schedule as the JRM job.
• If you want to backup Config on a daily basis, the shadow directory option can be used.
Note DiskWatcher is a back-end process that monitors disk space availability on LMS Server. This process
calculates the disk space information of a drive (on Windows) or a file system (on Solaris/Soft
Appliance) where Cisco Prime applications, are installed, and stores them in diskWatcher.log file. For
more details, refer Configuring Disk Space Threshold Limit.
Note You should never backup data on the Cisco Prime Installation directories, such as, NMSROOT for
Windows and /opt/CSCOpx for Soft Appliance and Solaris; as well on /var/adm/CSCOpx.

You can set the protocol order for Configuration Management features such as Archive Management,
Config Editor, and NetConfig jobs to download configurations and to fetch configurations.
The configuration archive uses Telnet/SSH to collect the configurations from the devices. Make sure you
enter the correct Telnet and Enable passwords.
If the device prompts for login credentials, you may experience problem in Telnet connection because
LMS may fail to recognize the login credential prompt. To make your prompts recognizable, you must
edit the TacacsPrompts.ini file. See the procedure given in the Handling Custom Telnet Prompts.
Best Practices for Software Image Upgrade

Software Distribution allows you to distribute images in your network and to analyze and determine the
impact and prerequisites for new software images before distribution.
• Out of the four distribution methods available, Cisco recommends Remote Staging method because
it is found to be the fastest while operating from a WAN network.
• A FTP server is found to be faster to stage an image temporarily.
• Perform image upgrade on one site at a time.
• Start with upgrading one device per each device type in the site, to uncover timeout or image related
issues.
• On successful upgradation of one device, schedule the upgrade for rest of the devices in that site,
grouping devices of the same type in a single job.
FAQ
Q. How can I exclude messages from Syslog Analyzer instead of performing a force purge?

OL-25947-01 F-7
FAQ
A. Instead of reclaiming the disc space by performing a force purge, you can create Filters to either
drop or keep the syslog messages. For a detailed procedure, go to
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guid
e/admin/useNotif.html#wp1074735
Q. How can I avoid too many configuration archives in a single day?

A. If you feel that the archives are not required for that particular device category or device family or
device type, you can add the respective command to the Config Compare Exclude Command
Configuration list. For more information, go to
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guid
e/admin/collection.html#wp1092555
You can also choose not to archive VLAN Config Collection by performing the following steps:
a. Check the Disable VLAN config collection check box.
b. Click Apply.
The VLAN config collection will be disabled for both manual and system config collection jobs. By
default the Disable VLAN Config collection checkbox is unchecked.
Q. Why is Port Scanning not recommended in LMS?

A. Port Scanning is not recommended in LMS because,
– Processes such as User Tracking (UT) might hang
– Apache might crash
– Tomcat might stop responding.
Solution is to restart Daemon Manager and stop further scanning.
Q. How to reduce CPU/Memory consumption usage by sm_server process?

A. CPU and Memory consumption of sm_server process is influenced by various factors such as the
components discovered in DFM, number of traps, polling interval, types of polling like fault and
performance polling and so on. Hence, the maximum number of components that can be discovered
in DFM is restricted to 40,000 per domain.
Type the command given below to know the number of components discovered in DFM.
CSCOpx/objects/smarts/bin/sm_tpmgr --server=<Domain Name> --sizes
Example:
CSCOpx/objects/smarts/bin/sm_tpmgr --server=DFM --sizes
To control the CPU or Memory usage by sm_server processes refer the below approaches:
• Unmanage the components that need not be monitored by DFM from Detailed Device View. To
manage or unmanage an interface or a port in DFM refer the steps given below:
Step 1 Log into LMS server using credentials.

Step 2 Go to Monitor > Fault Settings > Setup > Fault Device Details.
Step 3 Select the Device and Click View.
Step 4 Click the device name. Detailed Device View appears.
Step 5 Select Interface or Port.

F-8 OL-25947-01
FAQ
Step 6 To manage the Interface or Port, set the Managed State to True, and to unmanage the Interface or Port,
set it to False.
Step 8 Go to Monitor > Fault Settings > Setup > Apply Changes and click Yes apply change to fault engine.
• Reduce the number of network adapters being discovered in DFM by filtering the components which
need not be monitored.
We can avoid DFM discovery process to discover a particular type of interface or port by adding an
IFDescrPattern or IFTypePattern in CSCOpx\objects\smarts\conf\discovery\tpmgr-param.conf. You
can find the instructions to create patterns in this file. After modifying tpmgr-param.conf file,we
need to restart the daemon manager and rediscover the devices in DFM.
Examples:
IFDescrPattern-.1.3.6.1.4.1.9.1.110
~EFXS*|~*POTS*|~*Bearer*|~FXO*|~FXS*|~Voice*|~Foreign*
In this example, DFM discovery will not discover interfaces with description starting with EFXS,
containing POTS,containing Bearer, starting with FXO, starting with FXS, starting with Voice or
starting with Foreign for device having sysObjectId .1.3.6.1.4.1.9.1.110.
IFTypePattern-.1.3.6.1.4.1.164.6.1.3.83 ~80~81~82
In this example, DFM discovery will not discover ATMLogica(80), DS0 (81) and DS0Bundle(82)
for device having sysObjectId .1.3.6.1.4.1.164.6.1.3.83
IFTypePattern-SwitchPort.1.3.6.1.4.1.9.12.3.1.3.380 ~56
In this example, DFM discovery will not discover Fibre channel (56) ports for device having
sysObjectId .1.3.6.1.4.1.9.12.3.1.3.380
• Adjust the polling interval with proper values from LMS Polling Parameter Settings Screen.
• To reduce the number of traps received in LMS server, fine tune the trap configuration in devices
such a way that the traps which need to be monitored alone are sent to the LMS server.

OL-25947-01 F-9
FAQ

F-10 OL-25947-01
INDEX
default credential set, editing 4-26

A
default credential set policies 4-27
access default credential set policies, creating 4-28
connection security, understanding D-5 default credential set policies, deleting 4-33
control, security and D-4 default credential set policies, Display name
access ports policy type example 4-31
customizable groups 5-52 default credential set policies, examples 4-30
system defined groups 5-51 default credential set policies, host name policy
type example 4-32
ACS
default credential set policies, IP range policy type
roles on NDG basis, assigning 2-13 example 4-30
admin default credential set policies, ordering 4-33
application settings 8-28 default credential sets 4-24
purge settings 16-18 device polling settings 4-18
setting log level 17-11 Master-Slave configuration, prerequisites 4-16
administering mode, changing 4-15
Common Services 3-1 unreachable devices deletion 4-20
Daemon Manager, using 3-2 user-defined fields, adding 4-21
database password, changing 3-22 user-defined fields, deleting 4-22
processes, back-end processes 3-6 user-defined fields, renaming 4-21
processes, managing 3-3 Display Settings and DCR 4-1
processes, managing through CLI A-5 administering Campus Manager
processes, starting 3-5 ANI data collection, using
processes, stopping 3-5 best practices in discovery scheduling 6-3
processes, viewing 3-4 data collection, scheduling 6-3
processes, viewing specific state processes 3-5 debugging options 17-20
restoring data 3-20 user and host acquisition, using
DCR delete interval, modifying 7-22
default credentials 4-22 end host user information, importing 7-24
default credentials,using 4-22 purge policy, specifying 15-1
default credentials,using in multi-server schedule, modifying 7-19
setup 4-23
subnet discovery, configuring 7-21
default credential set,configuring 4-24
Administering Virtual Network Manager
default credential set,deleting 4-27
Setting VNM Debugging Options 17-30

OL-25947-01 IN-1
Index
VNM Client Debugging Settings 17-33 content engine commands 8-35

VNM Server Debugging Settings 17-31 content service switch commands 8-35
VNM Utility Debugging Settings 17-33 IOS commands 8-34
VRF Collector Debugging Settings 17-32 setting up 8-30
Using VNM Administration directory, moving 8-36
Modifying VNM SNMP Timeouts and shadow directory, enabling and disabling 8-37
Retries 8-20
using 8-30
Scheduling VRF Collector 8-19
automated actions, defining
Administering VRF in Change Audit 11-10
Using VRF Administration 8-18
creating 11-11
admin setting
deleting 11-14
application 8-28
editing 11-13
copying IP SLA configuration 8-29
enabling, disabling 11-13
log level 17-11
exporting, importing 11-14
managed source interface 8-29
in Syslog Analysis
purge 16-18
creating 10-37
Alerts and Activities display deleting 10-42
log file 17-8, 17-9
editing 10-39
ANI data collection administration, using enabling, disabling 10-41
best practices in discovery scheduling 6-3
example of 10-42
data collection, scheduling 6-3
exporting, importing 10-41
debugging options 17-20
verifying 10-44
SNMP settings, modifying 6-1
applications
Job Approval 12-15 B
licensing
backing up data 3-19
licensing information, viewing 3-29
back-up data
licensing procedure 3-29
directory structure of B-28, B-29
obtaining a license 3-29
sample CMF backup directory B-28
updating licenses 3-29
using CLI A-17
application settings 8-28
backing up selective data
managed source interface 8-29
using CLI A-17
running-config 8-29
backup policy, setting 16-5
Archive Management (part of Configuration Management)
browser-server security. See SSL
archive purging 16-2
configurations, modifying 8-32
credentials, entering 8-30 C
security, modifying 8-34
cautions regarding
Catalyst commands 8-35

IN-2 OL-25947-01
Index
admin password, guest password 2-6 collecting information on B-3

backups, and the CiscoWorks Daemon locked out of B-18
Manager 17-2
MDC support B-4
changing Change Audit purge settings 11-5
process status, checking B-3
data restoration from a backup 3-21
self-test, performing B-3
resetting purge policy in Syslog Analyzer 16-6
CiscoWorks Server back-end process 3-6
restarting Daemon Manager on Solaris 3-2
CiscoWorks Server Processes 3-6, A-5
restarting Daemon Manager on Windows 3-2
CiscoWorks Trust Store or KeyStore, definition D-7
certificates
cmexport command (see under Data Extraction
terms and definitions in D-6 Engine) C-2
CA (certificate authority) D-7 cmf as part of database path, explanation of B-18
CiscoWorks TrustStore or KeyStore D-7 CM view
PKCS#8 D-6 user log-in information 1-12
public key, private key D-6 collector group
SSH D-6 assigning membership 5-77
SSL D-6 defining rules 5-75
understanding D-5 membership details 5-80
Change Audit, using operation based 5-82
automated actions, defining 11-10 refreshing membership 5-81
Automated Action window details 11-10 setting properties 5-73
creating 11-11 viewing 5-79
deleting 11-14 viewing group details 5-79
editing 11-13 viewing summary 5-78
enabling, disabling 11-13 collector group rules 5-68
exporting, importing 11-14 Configuration Management, using
exception periods archive purging 16-2
creating 11-8 collection settings, defining 8-43
defining 11-7 job policies, configuring 12-5
deleting 11-9 defining default policies 12-6
editing 11-9 scenarios, job password configured 12-8
enabling and disabling 11-8 transport protocols, configuring
maintenance tasks 11-3 order, defining 8-49
forced purges, performing 11-5 requirements for use 8-46
purge policy, setting 11-4 configuring
changing event names 10-5 subnet discovery for User Tracking 7-21
Cisco.com connection, managing 2-38 connection security, understanding D-5
CiscoWorks security certificates D-5
processes and DFM 3-16 terms and definitions D-6
CiscoWorks Server, troubleshooting CA (certificate authority) D-7

OL-25947-01 IN-3
Index
CiscoWorks TrustStore or KeyStore D-7 available formats 3-24

PKCS#8 D-6 Solaris 3-22
public key, private key D-6 Windows 3-23
SSH D-6 Data Extraction Engine (see DEE) C-1
SSL D-6 DCR
connectivity administering
tasks B-3 default credentials 4-22
checking process status B-3 device polling settings 4-18
collecting server information B-3 Master-Slave configuration, prerequisites 4-16
MDC support B-4 mode, changing 4-15
performing a self-test B-3 unreachable devices deletion 4-20
copying IP SLA 8-29 user-defined fields, adding 4-21
creating user-defined fields, deleting 4-22
user-defined collector groups 5-73 user-defined fields, renaming 4-21
CS portlets changes, effect on DFM 8-25
job information status 1-12 Fault Management discovery and 8-26
log space usage 1-10 log file 17-9
customizable groups 5-52 DCR (Device and Credential Repository) CLI interface,
using A-22
access port 5-52
DCR mode, changing A-23
device 5-52
importing using A-24
editing 5-54
listing attributes A-22
interface 5-52
listing default credential sets A-22
restrictions 5-53
viewing current DCR mode A-22
trunk port 5-52
viewing device details A-23
(see also groups)
DDV
log file 17-8
D debugging options, setting 17-20
DEE (Data Extraction Engine) C-1
Daemon Manager, using 3-2
cmexport command
restarting on Solaris 3-2
about C-2
restarting on Windows 3-2
function-specific options C-5
Daily Purging Schedule
mandatory arguments C-4
log file 17-8
optional arguments C-4
managing 16-20
running C-2
database
cmexport Discrepancy comand C-12
inaccessible, troubleshooting B-29
cmexport L2topology command C-9
path includes "cmf," explanation B-18
cmexport manpage C-14
purging 16-20
cmexport ut command C-6
database password, changing 3-22

IN-4 OL-25947-01
Index
developer’s reference C-16 See also Software Center

Discrepancy data schema C-21 Device Selector
exporting data from Campus Manager, Device Selector settings 4-10
servlet C-22
displaying available devices 12-30
Topology data schema C-20
filtering usage example 12-29
User Tracking data schema C-17
searching devices 4-7
User Tracking phone data schema C-19
Advanced Search 4-8
User Tracking subnet data schema C-19
Simple Search 4-7
User Tracking switch data schema C-18
selecting devices 4-6
overview C-1
device selector 12-23
Default 4-23
DFM
deleting changing event names 10-5
device groups 5-28
DFM Object Grouping Services Server, log file 17-8
user-defined fields from DCR 4-22
discovery
device groups, managing 5-54
DCR synchronization and 8-26
customizable 5-52
device states 8-25
deleting groups 5-68
events that trigger 8-25
group membership 5-67
log file 17-9
rules 5-61
rediscovery 8-25
Device Poller 6-4
Rediscovery Schedule 8-25
adding critical devices 6-4
discovery, scheduling 4-1
devices discrepancy reporting 14-1
states 8-25
physical discrepancies 14-2
devices, discovery disk space, threshold configuring 3-42
scheduling 4-1
duplexity, interface 5-63
adding 4-2
deleting 4-3
editing 4-2 E
viewing status 4-3, 4-4
editing
devices, managing
device group details 5-27
attributes, editing 12-33
local user profile 2-13
Device Selector 12-23
e-mail
displaying available devices 12-30
configurations (Notification Services) 10-13
device states 8-25
E-Mail Notification Subscriptions 10-13
forwarding traps to DFM 10-22
E-Mail Subject Customization 10-16
importing
notifications (Notification Services) 10-3
using CLI A-24
SMTP server 3-31
log files 17-8, 17-9
ESS (Event Service Software)
rediscovering 8-25
changing the port for

OL-25947-01 IN-5
Index
in Solaris B-27 deleting 5-68

events details 5-65
changing names 10-5 editing 5-54, 5-55
log files managing, overview 5-53
Event Processing Adapters 17-8 membership 5-64, 5-66, 5-67
Event Promulgation Module 17-8 rules 5-61
Event Sets (see Notification Services) summaries 5-65
expired server certificate, how to handle B-23 system defined
exporting DFM 5-51
automated actions in Syslog Analysis 11-14 user defined
message filters, in Syslog Analyzer 10-47 editing 5-54
Groups, administering
creating 5-5
F
deleting
Fault History groups 5-28
log file 17-8 details
file ownership, and permissions D-2 modifying 5-27
filters viewing 5-26
Inventory change report filters, setting 11-22 editing 5-27
message filters in Syslog Analyzer, defining 10-44 exporting 5-29
creating 10-45 sample export file 5-29
deleting 10-48 exporting from UI 5-30
editing 10-46 Group Administration 5-4
enabling, disabling 10-47 group membership, assigning 5-25
exporting, importing 10-47 importing 5-31
forced purges importing from UI 5-31
in Change Audit 11-5 multi-server setup 5-3
in Syslog Analyzer 16-7 properties, specifying 5-7
refreshing 5-28
rules, defining 5-9
G composite group rule example 5-12
group administration 5-72 composite rule 5-10
group administration process 5-71 example for IP range 5-13
groups examples 5-11
creating 5-54, 5-58 range operator 5-11
customizable 5-52 simple group rule example 5-11
editing 5-54 simple rule 5-9
restrictions 5-53 single server scenario 5-3

single server setup 5-3

IN-6 OL-25947-01
Index
syntax checking 5-10, 5-11 images, and recommendation filters 11-20

system- and user-defined attributes 5-13 IP Address range operator, See range operator
system defined attributes 5-13
J
H
Java Plug-in, version to use B-17
HP OpenView 10-24 Job Approval, using 12-15
HPOV as primary listener 7-30 approver details, specifying 12-16
approver lists
assigning 12-18
I
creating, editing 12-17
images jobs, approving and rejecting 12-20
IOS images, and recommendation filters 11-20 setting up 12-18
importing automated actions in Syslog Analysis 11-14 task workflow 12-16
importing devices and credentials Job Browser (see under Inventory) 8-2
using CLI A-24 Job Browser, using 12-1
interfaces jrm, checking B-20
customizable groups 5-52
system defined groups 5-51
K
Inventory
change report filters, setting 11-22 Known device state 8-25
inventory
effect of DCR changes 8-25
L
log files
Inventory Collector 17-8 Learning device state 8-25
Inventory Interactor 17-8 licensing CiscoWorks applications
Inventory Service 17-9 license information, viewing 3-29
Inventory, using licensing procedure 3-29
collection or polling schedule, changing 8-12 obtaining a license 3-29
Inventory Job Browser 8-2 updating licenses 3-29
collection jobs, creating and editing 8-7 local user policy setup 2-4
job details, viewing 8-6 locked out of CiscoWorks Server, troubleshooting B-18
polling jobs, creating and editing 8-7 log files, maintaining
inventory collection on UNIX 17-3
log file 17-9 on Windows 17-3
overview 8-25 logrot utility, configuring 3-40
(see also discovery) logrot utility, running 3-41
IOS login module

OL-25947-01 IN-7
Index
CiscoWorks Local, changing to 2-27 Administering NetShow settings

local NT system, changing to 2-28 defining default job policies 12-12
Local UNIX system, changing to 2-27 defining protocol order 12-14
MS Active Directory, changing to 2-28 purging jobs 12-13
Netscape Directory, changing to 2-32 setting log levels 17-17
Radius, changing to 2-32 credentials, masking 12-15
TACACS+, changing to 2-33 NetView 10-24
log level setting 17-11 NMS, integrating with DFM 10-24
logrot utility Notification Groups (see Notification Services)
configuring 3-40 Notification Services
running 3-41 configuring notifications, overview 10-6
logs E-Mail Configurations 10-13
configuring 17-18 E-Mail Notifications 3-31, 10-3
DFM log files 17-8, 17-9 E-Mail Notification Subscriptions 10-13
incharge log files 17-9 E-Mail Subject Customization 10-16
log file (for Logging Services) 17-8 event names, customizing 10-5
Lookup Analyzer, using A-32 Event Sets 10-6
log file 17-8
Notification Groups 5-54, 10-7
M
SNMP Trap Notifications 10-3, 10-9
managed source interface 8-29 subscriptions 10-2
managing Syslog Notifications 10-3, 10-17
Common Services resources 3-35
Masking credentials of show commands 12-15
O
message filters, in Syslog Analysis 10-44
creating 10-45 online users, messaging 3-34
deleting 10-48 osagent, changing the port for
editing 10-46 Solaris B-19
enabling, disabling 10-47 Windows B-19
exporting, importing 10-47 overview
messaging online users 3-34 authentication using login modules 2-24
MS Active Directory, changing login module to 2-28 overviews
multi-server mode, and security 2-16 Common Syslog Collector 8-50
Syslog Analyzer 8-50
overviews of
N
DEE (Data Extraction Engine) C-1
Netscape Directory, changing login module to 2-32
NetShow

IN-8 OL-25947-01
Index
CiscoWorks 3-16
P
log file for multiple thread 17-8
peer server certificates processes, managing A-5
setting up 2-19 protocols, used by CiscoWorks 10-21
Pending device state 8-25 PSUCLI 13-11
physical discrepancy reports 14-2 device packages, installing 13-12
ping sweep options, modifying 7-20 device packages, listing dependents 13-16
PKCS#8, definition D-6 device packages, listing device packages 13-17
polling device packages, uninstalling 13-13
log files device updates, downloading 13-14
adapter 17-8 software updates, downloading 13-13
database 17-9 software updates, querying 13-12
grouping services 17-9 public key, definition D-6
manager 17-9 purge settings 16-18
polling and thresholds historical data 16-18
log files purging messages
adapter 17-8 cautions regarding changing purge values
database 17-9 in Change Audit 11-5
grouping services 17-9 in Syslog Analyzer 16-6
manager 17-9 forced purges
port and module groups in Change Audit 11-5
Administration 5-35 in Syslog Analyzer 16-7
Creating Groups 5-37 purge policies, setting
Defining Rule Expression 5-39 in Change Audit 11-4
Attributes 5-41 in Syslog Analyzer 16-6
Examples 5-42
Properties 5-37
Selecting Group Source 5-38
Q
Deleting Groups 5-49 Questioned device state 8-25
Editing Groups 5-48
Viewing Group Details 5-47
Viewing Membership Details 5-47 R
ports Radius, changing login module to 2-32
access ports 5-51, 5-52 range operator 5-11
occupied by CiscoWorks 10-21 rediscovery
trunk ports 5-51, 5-52 DCR synchronization and 8-26
preferences for system, modifying 3-35 events that trigger 8-25
private key, definition D-6 log file 17-9
processes

OL-25947-01 IN-9
Index
Rediscovery Schedule 8-25 runtime security, understanding D-3

(see also discovery)
Rediscovery Schedule page 8-22
S
(see also rediscovery)
refreshing group membership 5-81 Secure Shell (SSH), definition D-6
remote connectivity, security and D-4 security
reports access control, and D-4
discrepancy reporting 14-1 certificates, understanding D-5
physical discrepancies 14-2 understanding D-1
understanding 14-1 general D-1
user tracking server D-2
switch port usage reports, exporting A-31 security, setting up 2-1
resources, managing in Common Services 3-35 AAA mode, setting up 2-24
restoring data 3-20 Cisco.com login, setting up 2-39
solaris 3-21 login module
windows 3-22 multi-server mode 2-16
RME portlets peer server certificates
Audit Trail Information 1-13 setting up 2-19
RME Job Approval 1-14 proxy server, setting up 2-39
Syslog Collectors Information 1-15 security levels, understanding 2-7
RSAC (Remote Syslog Analyzer Collector) SSL 2-2
properties file enabling from the CiscoWorks Server 2-3
COLLECTOR_PORT 8-57 enabling from the CLI A-13, A-15
COUNTRY_CODE 8-55 SSO (Single Sign-On) mode
DEBUG_CATEGORY_NAME 8-56 changing 2-22
DEBUG_FILES 8-56 enabling 2-20
DEBUG_LEVEL 8-56 user management
DEBUG_MAX_BACKUPS 8-57 local user profile, modifying 2-13
DEBUG_MAX_FILE_SIZE 8-57 peer server, setting up 2-17
FILTER_THREADS 8-57 users, adding 2-9
PARSER_FILE 8-57 users, setting up through CLI A-2
QUEUE_CAPACITY 8-57 Self Signed certificates 2-14
READ_INTERVAL_IN_SECS 8-57 self-test information, collecting 3-33
SUBSCRIPTION_DATA_FILES 8-57 server, configuring
SYSLOG_FILES 8-56 AAA mode, setting up 2-24
TIMEZONE 8-55 authentication using login modules 2-24
TIMEZONE_FILE 8-56 applications, licensing
rules, group 5-61 licensing information, viewing 3-29
running-config 8-29 licensing procedure 3-29

IN-10 OL-25947-01
Index
obtaining a license 3-29 server security, understanding D-2

updating licenses 3-29 administrator-imposed D-5
certificate setup 2-14 connection D-5
Cisco.com login, setting up 2-39 security certificates D-5
Common Services, administering 3-1 terms and definitions D-6
backing up data 3-19 server-imposed D-2
Daemon Manager, using 3-2 access control D-4
processes, managing 3-3 files, file ownership, permissions D-2
processes, managing through CLI A-5 other systems D-4
resources, managing 3-35 remote connectivity D-4
server information, collecting 3-31 runtime D-3
disk space, threshold configuring 3-42 setting log level 17-11
log files, maintaining Setting system preferences
List of log files 17-4 job purge 16-8
on UNIX 17-3 log level settings 17-13
on Windows 17-3 RME device attributes 8-9
logging, configuring 17-17 RME secondary credentials 8-11
login module setting up, local user
peer server certificates modify profile 2-13
setting up 2-19 security levels 2-7
proxy server, setting up 2-39 user accounts 2-6
security. See security, setting up setting up, local user policy 2-4
Self-signed certificates 2-14 setting up, local users 2-6
SSO (Single Sign-On) mode SMTP server, default 3-31
changing 2-22 SNMP
enabling 2-20 MAC notification listener 7-29
system preferences, modifying 3-35 SNMP trap listener, configuring 7-29
user management SNMP traps on ports, enabling 7-27
adding 2-9 SNMP traps
adding through CLI integrating SNMP trap receiving with other
NMS 10-24
import remote users 2-8, A-3
SNMP Trap Notifications 10-3, 10-9
local user policy setup 2-4
trap forwarding port 10-25
local user profile, modifying 2-13
trap receiving port 10-24
peer server, adding 2-17
Software Center 13-1
setting up through CLI A-2
users, local, setting up 2-13
activity logs, viewing
event log 13-10
server certificate for CiscoWorks, expiration, how to
handle B-23 scheduled job 13-9
server information, collecting (Common Services) 3-31 device downloads, scheduling 13-8

OL-25947-01 IN-11
Index
device updates, checking 13-6 enabling, disabling 10-41

device updates, performing 13-4 example 10-42
packages, deleting 13-7 exporting, importing 10-41
software updates, downloading 13-4 backup policy, setting 16-5
software updates, performing 13-2 Common Syslog Collector, subscribing to 8-51
list of applications installed, viewing 13-2 collector status, viewing 8-51
software updates, selecting 13-3 procedure 8-52
Software Center CLI utility 13-11 forced purges 16-7
Software Management, using message filters 10-44
administration tasks 11-15 creating 10-45
preferences, viewing and editing 11-15 deleting 10-48
preferences, viewing and editing 11-15 editing 10-46
protocol order, selecting 11-19 enabling, disabling 10-47
recommendation filters, and IOS images 11-20 exporting, importing 10-47
Solaris, changing ports in overview 8-50
for ESS B-27 Syslog Notifications 10-3, 10-17
for osagent B-19 System Admin dashboard portlets
SSL, enabling on the server 2-2 critical message window 1-8
from the CiscoWorks Server 2-3 system administration
from the CLI A-13, A-15 databases, purging 16-20
SSL, definition D-6 devices from traps to DFM 10-22
SSO (Single Sign-On) mode logging, configuring 17-18
changing 2-22 SMTP default server 3-31
enabling 2-20 SNMP trap forwarding port 10-25
starting CiscoWorks applications, troubleshooting B-18 SNMP trap receiving port 10-24
states, devices 8-25 system defined groups
subscriptions (see Notification Services) DFM 5-51
Syslog Analyzer (see also groups)
purge policy System Preferences
caution regarding changing values 16-6 Loading MIB Files 9-2
setting 16-6 Poll Settings 8-27
status, viewing 8-51 Purging Data 16-14
collector status, viewing 8-51 Purging Jobs 16-12
procedure 8-52 Setting Log Levels 17-9
Syslog Analyzer and Collector, using Setting Report Publish Path 15-2
automated actions Syslog Receiver Group 10-31
creating 10-37 Creating Syslog Reveiver Group 10-32
deleting 10-42 Deleting Syslog Reveiver Group 10-34
editing 10-39 Editing Syslog Reveiver Group 10-33

IN-12 OL-25947-01
Index
Filtering Syslog Reveiver Group 10-35 server status, verifying B-3

Trap Receiver Group 10-25 database
Creating Trap Receiver Group 10-26 inaccessability B-29
Deleting Trap Reveiver Group 10-29 path includes "cmf" B-18
Editing Trap Receiver Group 10-27 ESS port change
Filtering Trap Reveiver Group 10-29 Solaris B-27
Viewing Audit Trail Log Report 10-25, 10-31 FAQs list
Viewing Purge Details 16-17 Apache and Tomcat B-31
Backup-restore B-28
Database B-29
T
EDS and ESS B-27
TACACS+, changing login module to 2-33 Software Center B-25
terms and definitions in security certificates D-6 Java Plug-in, which version to use B-17
CA (certificate authority) D-7 jrm B-20
CiscoWorks TrustStore or KeyStore D-7 osagent port change
PKCS#8 D-6 Solaris B-19
public key, private key D-6 Windows B-19
SSH D-6 suggestions B-5
SSL D-6 User Tracking
thresholds outdated entries in User Tracking table B-7
log files Troubleshooting and FAQs B-38
adapter 17-8 trunk ports
database 17-9 customizable groups 5-52
grouping services 17-9 end host discovery on trunk ports 7-23
manager 17-9 system defined groups 5-51
topology groups
system-defined groups
U
creating, based on subnet 5-33
transport protocols, configuring UNIX systems
order, defining 8-49 changing login module to local UNIX system 2-27
requirements for use 8-46 log files, maintaining on 17-3
traps Unknown device state 8-25
forwarding from devices to DFM 10-22 user accounts
SNMP (see SNMP traps) setting up
troubleshooting Cisco.com 2-39
back-up data, directory structure of B-28, B-29 local 2-13
CiscoWorks applications, starting B-18 user and host acquisition administration
CiscoWorks Server delete interval, modifying 7-22
locked out of, diagnosing B-18 end host user information, importing 7-24

OL-25947-01 IN-13
Index
ping sweep options, modifying 7-20 viewing

purge policy, specifying 15-1 application license information 3-29
schedule, modifying 7-19 collector group 5-79
subnet discovery, configuring 7-21 collector group details 5-79
user-defined collector groups 5-73 group details 5-26
user defined groups membership details 5-80
editing 5-54 views
User Tracking log file 17-9
acquisition schedule, modifying 7-19 view groups 5-54
acquisition settings, modifying 7-8 VNM Administration, using
command-line interface A-27 SNMP settings, modifying 8-20
DHCP snooping 7-25
Dynamic updates 7-24
W
Dynamic User Tracking 7-24
FAQs warnings regarding
error logging B-9 configuration change detection schedule, and
length of time data is maintained B-8 purging 16-2
non-CDP devices B-8 Windows 2003 or Windows NT systems
MACUHIC 7-26 log files, maintaining on 17-3
Major Acquisition 7-3 Windows systems
Minor Acquisition 7-3 changing the port
properties from the backend, configuring 7-14 for osagent B-19
properties that support duplicate MAC address 7-12 jrm, running B-20
User Tracking Debugger Utility A-39

understanding A-39
using A-40
using 7-2
UT data, accessing 7-2
UT in DHCP environment 7-11
various acquisitions 7-3
User Tracking Utility
installing
UTLite script, installing A-37
UTLite script, uninstalling A-39
UTLite, understanding A-34
verifying CiscoWorks Server status B-3

IN-14 OL-25947-01

Admin

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Admin

Uploaded by

Copyright:

Available Formats

Preface

Table 1 Conventions Used

Administration of Cisco Prime LAN Management Solution 4.2

Table 2 describes the product documentation that is available.

Table 2 Product Documentation

Document Title Available Formats

Administration of Cisco Prime LAN Management Solution 4.2

Document Title Available Formats

Administration of Cisco Prime LAN Management Solution 4.2

Document Title Available Formats

Obtaining Documentation and Submitting a Service Request

Administration of Cisco Prime LAN Management Solution 4.2

The following notices pertain to this software license.

OpenSSL/Open SSL Project

Administration of Cisco Prime LAN Management Solution 4.2

Original SSLeay License:

Administration of Cisco Prime LAN Management Solution 4.2

Administration of Cisco Prime LAN Management Solution 4.2

Administration of Cisco Prime LAN Management Solution 4.2

How the guide is organized?

Table 1-1 Administration User Guide

Administration of Cisco Prime LAN Management Solution 4.2

Table 1-1 Administration User Guide (continued)

Administration of Cisco Prime LAN Management Solution 4.2

Table 1-1 Administration User Guide (continued)

Administration of Cisco Prime LAN Management Solution 4.2

IPv6 Support in LMS

Administration of Cisco Prime LAN Management Solution 4.2

Application IPv6 Supported Features

Administration of Cisco Prime LAN Management Solution 4.2

Application IPv6 Supported Features

Administration of Cisco Prime LAN Management Solution 4.2

Application IPv6 Supported Features

Note In LMS, IPv6 support is provided for Dual stack devices.

Administration of Cisco Prime LAN Management Solution 4.2

Understanding the System Dashboard

• Cisco Prime Product Updates

Cisco Prime Product Updates

Critical Message Window

Administration of Cisco Prime LAN Management Solution 4.2

Utilizing Space in the Cisco Prime Drive

Table 1-2 lists the Critical Message Window portlet details.

Table 1-2 Critical Message Window Portlet

Device Credentials and AAA Information

Administration of Cisco Prime LAN Management Solution 4.2

Table 1-3 Device Credentials and AAA Information Portlet

Log Space Usage

Administration of Cisco Prime LAN Management Solution 4.2

Table 1-4 Log Space Usage Portlet

Table 1-5 Process Status Portlet

System Backup Status

Administration of Cisco Prime LAN Management Solution 4.2

Table 1-6 System Backup Job Details Portlet

User Login Information

Job Information Status

Administration of Cisco Prime LAN Management Solution 4.2

Table 1-8 lists the Job Information Status portlet details.

Table 1-8 Job Information Status Portlet

Audit Trail Information

Table 1-9 Audit Trail Information Portlet

Administration of Cisco Prime LAN Management Solution 4.2

Table 1-10 Job Approval Portlet

Configuring the Job Approval portlet