User Guide for the Cisco Application Networking Manager 5.2.2
Importing and Managing Devices
Downloads: This chapterpdf (PDF - 879.0KB) The complete bookPDF (PDF - 28.37MB) | Feedback

Importing and Managing Devices

Table Of Contents

Importing and Managing Devices

Information About Device Management

Information About Importing Devices

Preparing Devices for Import

Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance

Enabling SNMP Polling from ANM

ANM Requirements for ACE High Availability

Modifying the ANM Timeout Setting to Compensate for Network Latency

Importing Network Devices into ANM

Importing Cisco IOS Host Chassis and Chassis Modules

Importing Cisco IOS Devices with Installed Modules

Importing ACE Modules after the Host Chassis has been Imported

Importing CSM Devices After the Host Chassis Has Been Imported

Importing VSS 1440 Devices After the Host Chassis Has Been Imported

Importing ACE Appliances

Importing CSS Devices

Importing GSS Devices

Importing VMware vCenter Servers

Enabling a Setup Syslog for Autosync for Use With an ACE

Discovering Large Numbers of Devices Using IP Discovery

Preparing Devices for IP Discovery

Configuring Device Access Credentials

Modifying Credential Pools

Running IP Discovery to Identify Devices

Monitoring IP Discovery Status

Configuring Devices

Configuring Device System Attributes

Configuring CSM Primary Attributes

Configuring CSS Primary Attributes

Configuring GSS Primary Attributes

Configuring Catalyst 6500 VSS 1440 Primary Attributes

Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes

Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes

Configuring VMware vCenter Server Primary Attributes

Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces

Displaying Chassis Interfaces and Configuring High-Level Interface Attributes

Configuring Access Ports

Configuring Trunk Ports

Configuring Switch Virtual Interfaces

Configuring Routed Ports

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Adding Device VLANs

Displaying All Device VLANs

Configuring Device Layer 2 VLANs

Configuring Device Layer 3 VLANs

Modifying Device VLANs

Creating VLAN Groups

Configuring ACE Module and Appliance Role-Based Access Controls

Configuring Device RBAC Users

Guidelines for Managing Users

Displaying a List of Device Users

Configuring Device User Accounts

Modifying Device User Accounts

Deleting Device User Accounts

Configuring Device RBAC Roles

Guidelines for Managing User Roles

Role Mapping in Device RBAC

Configuring Device User Roles

Modifying Device User Roles

Deleting Device User Roles

Adding, Editing, or Deleting Rules

Configuring Device RBAC Domains

Guidelines for Managing Domains

Displaying Domains for a Device

Configuring Device Domains

Modifying Device Domains

Deleting Device Domains

Managing Devices

Synchronizing Device Configurations

Synchronizing Chassis Configurations

Synchronizing Module Configurations

Mapping Real Servers to VMware Virtual Machines

Instructing ANM to Recognize an ACE Module Software Upgrade

Configuring User-Defined Groups

Adding a User-Defined Group

Modifying a User-Defined Group

Duplicating a User-Defined Group

Deleting a User-Defined Group

Changing Device Credentials

Changing ACE Module Passwords

Restarting Device Polling

Displaying All Devices

Displaying Modules by Chassis

Removing Modules from the ANM Database

Replacing an ACE Module Managed by ANM

Using the Preferred Method to Replace an ACE Module

Using the Alternate Method to Replace an ACE Module


Importing and Managing Devices


This chapter describes how to import and manage Cisco Application Networking Manager (ANM) devices. You can import the following Cisco devices to ANM:

Application Control Engine (ACE) module or appliance

Global Site Selector (GSS)

Content Services Switch (CSS)

Catalyst 6500 Virtual Switching System (VSS) 1440

Catalyst 6500 series switch

Cisco 7600 series router

Cisco Content Switching Module (CSM)

Cisco Content Switching Module with SSL (CSM-S)

VMware vCenter Server


Note The terms add and import are interchangeable in this document.



Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), and dot (.). Spaces are not allowed.

If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM.


This chapter includes the following sections:

Information About Device Management

Information About Importing Devices

Preparing Devices for Import

Modifying the ANM Timeout Setting to Compensate for Network Latency

Importing Network Devices into ANM

Discovering Large Numbers of Devices Using IP Discovery

Configuring Devices

Configuring ACE Module and Appliance Role-Based Access Controls

Managing Devices

Replacing an ACE Module Managed by ANM

Information About Device Management

ANM includes many device management features. You can import devices and then configure them for use in your network. In addition to configuring ports, VLANs, and routes, you can modify device configurations, and manage them.

Table 5-1 identifies common management categories and related topics.

Table 5-1 Device Management Options 

Device Management Activities
Related Topics

Importing devices

Information About Importing Devices

Preparing Devices for Import

Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Modifying the ANM Timeout Setting to Compensate for Network Latency

Importing Network Devices into ANM

Importing Cisco IOS Host Chassis and Chassis Modules

Importing ACE Appliances

Importing CSS Devices

Importing GSS Devices

Importing VMware vCenter Servers

Discovering Large Numbers of Devices Using IP Discovery

Configuring device attributes

Configuring Devices

Configuring CSM Primary Attributes

Configuring CSS Primary Attributes

Configuring GSS Primary Attributes

Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes

Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes

Configuring VMware vCenter Server Primary Attributes

Displaying Chassis Interfaces and Configuring High-Level Interface Attributes

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Creating VLAN Groups

Configuring device role-based access control (RBAC)

Configuring Device RBAC Users

Configuring Device RBAC Roles

Configuring Device RBAC Domains

Managing devices

Synchronizing Device Configurations

Mapping Real Servers to VMware Virtual Machines

Instructing ANM to Recognize an ACE Module Software Upgrade

Configuring User-Defined Groups

Changing Device Credentials

Changing ACE Module Passwords

Restarting Device Polling

Displaying All Devices

Displaying Modules by Chassis

Removing Modules from the ANM Database


Information About Importing Devices

The quickest and easiest way to add devices to ANM is to import them individually using the Add function available at Config > Devices. If you already know the device IP address, you can use this procedure to add your devices to ANM.

Before you begin importing, you need to set up your network devices so that ANM can communicate and monitor them.

In the sections that follow, you will perform the following steps to prepare and import devices:

1. Enable SSH access (see the "Preparing Devices for Import" section).

2. Modifying the ANM timeout setting (see the "Modifying the ANM Timeout Setting to Compensate for Network Latency" section).


Note This step is required only when network latency is causing a timeout issue that prevents ANM from establishing a communication link with the device to be imported.


3. Import devices (see the "Importing Network Devices into ANM" section).

To add large numbers of devices, you can use IP Discovery before you import your devices. This process is not as efficient as using the Add function. IP Discovery shows where devices are but does not add the devices to ANM. We recommend that you use the Config > Devices > Device Management > Add function. For details on IP Discovery, see the "Discovering Large Numbers of Devices Using IP Discovery" section.


Note Before importing a device, the ANM server pings the IP address of the device. If you have a firewall between the ANM server and the device that you want to import, your network administrator needs to modify the firewall to allow the ping traffic to reach the device or ACE.


Preparing Devices for Import

This section describes how to set up your devices to allow ANM to communicate with them and also describes the requirements for adding ACE devices that are high availability peers.

ANM uses the following protocols for communication:

For communication to an ACE module or appliance:

XML over HTTPS

SSHv2 (read and write)

SNMP V2C (read-only)

Syslog over User Datagram Protocol (UDP) (inbound notifications only)

For communication to the Catalyst 6500 Virtual Switching System (VSS) 1440:

SSHv2 and Telnet (read and write)

SNMP V2C (read-only)

Syslog over UDP (inbound notifications only)

For communication to a Catalyst 6500 series switch, Cisco 7600 series router, CSM, or CSM-S:

SSHv2 and Telnet (read and write)

SNMP V2C (read-only)

Syslog over UDP (inbound notifications only)

For communication to the CSS:

Telnet (read and write)

SNMP V2C (read-only)

Syslog over UDP (inbound notifications only)

For communication to the GSS:

SSHv2

Remote Method Invocation (RMI) over SSL


Note Before you import a GSS device into ANM, you need to set the GSS communication on the GSS Ethernet interface that will be used to import the GSS into ANM. See the Cisco Global Site Selector Command Reference on Cisco.com for instructions on using the gss-communications command.


For communication to a VMware vCenter Server, HTTPS is used.


Note For more information about communication between ANM and a VMware vCenter Server, see the "Prerequisites for Using ANM With VMware vSphere Client" section and "Guidelines and Restrictions" section.


This section includes the following topics:

Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance

Enabling SNMP Polling from ANM

ANM Requirements for ACE High Availability

Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers

You can choose to use Telnet or SSH to import a Catalyst 6500 series switch or Cisco 7600 series router in ANM. Telnet is enabled by default on the Catalyst 6500 series chassis. If you have disabled Telnet on the device, you need to enable it to perform the initial setup and import of an ACE module. If you plan to directly import an ACE module into ANM, Telnet is not mandatory on a Catalyst 6500 series switch.


Note If you choose Telnet, the Use Telnet checkbox will be checked in the Primary Attributes window (see the "Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes" section).


If you use SSH to communicate with the device, you must do the following:

SSHv2 must be enabled on the chassis, as well as the ACE, in order for ANM to add device information about the chassis.

Ensure that the chassis has a K9 (Triple Data Encryption Standard [3DES]) software image in order to enable the SSH server. The ANM requires SSHv2 to be enabled on the chassis.

To enable SSH or Telnet access on Catalyst 6500 series switches or Cisco 7600 series routers, use the following commands:

 
Command
Purpose

Step 1 

ip ssh version 2

Enables SSHv2.

Step 2 

ip domain-name abc.com
 

Step 3 

crypto key generate rsa general-keys modulus 1024

Generates the key.

Step 4 

username username password password

Enters the username and password.

Step 5 

line vty 0 4 
 

Step 6 

session-timeout 60
 

Step 7 

login local

This is an example only. This commands works for Cisco IOS 12.2.18SXF(10), but not for 12.2.18SXF(8).

Step 8 

transport input telnet ssh

Allows SSH and Telnet to the chassis.

Step 9 

transport output telnet ssh

Allows SSH and Telnet from the chassis to the ACE module.

Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance

You can enable SSH access and the HTTPS interface on the ACE modules and appliances. ANM uses SSH and XML over HTTPS to communicate with the ACE devices. You need to enable both SSH access and HTTPS as explained in this section. These settings can be enabled during device import as described in the "Importing Network Devices into ANM" section or in the CLI.


Note If the ACE module or appliance is new and still has its factory settings, you do not need to perform the procedure in this section because SSH is enabled by default.



Note Ensure that the management policy applied on the management interface permits SSH.


To enable SSH access and the HTTPS interface on an ACE module or appliance, enter the following commands in config mode in the Admin context:

 
Command
Purpose

Step 1 

ssh key rsa 1024 force

Configures SSH access on the ACE.

Step 2 

access-list acl line 10 extended permit ip any any
 

Step 3 

class-map type management match-any ANM_management 
 
        

2 match protocol ssh any

3 match protocol telnet any

4 match protocol https any

5 match protocol snmp any

6 match protocol icmp any

7 match protocol xml-https

Configures discovery for ANM.

The following comments apply to the line number specified before the command text in the left column:

Line 2 classifies the SSH traffic.

Line 4 is needed by ANM for making configuration changes on the ACE.

Line 5 is needed by ANM for periodic statistics.

Line 6 is not mandatory but useful for network and route validation.

Line 7 is needed only for ACE 4710 devices.

Step 4 

policy-map type management first-match 
ANM_management
  class ANM_management
    permit

Allows protocols matched in the management class map.

Step 5 

interface vlan 30
  ip address 192.168.65.131 255.255.255.0
  access-group input acl
  service-policy input ANM_management
  no shutdown

Configures a management interface with the ACL and specifies the management service policy. This configuration is not recommended for a client or server interface.

Step 6 

username admin password 5 
$1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin 
domain default-domain

Defined by the administrator.

Step 7 

ip route 0.0.0.0 0.0.0.0 192.168.0.1 

Specifies the default route (or appropriate route) for traffic to reach ANM using the management interface if ANM is not on the same subnet.

For more information about configuring SSH access on the ACE, see either the Cisco Application Control Engine Module Administration Guide or the Cisco 4700 Series Appliance Administration Guide on Cisco.com.

Enabling SNMP Polling from ANM

You can enable SNMP polling from ANM, which uses SNMPv2 for polling ACE, CSS, CSM, or CSM-S devices. To receive traps from these devices, ANM supports use of SNMPv2 traps.


Note To send SNMP traps to ANM, configure the SNMP trap host to the ANM server so that it can receive traps from ANM.


For alarm condition notifications, ANM uses SNMPv1 EPM-Notificaton-MIB based SNMP traps.

For the ACE, in order for ANM to successfully perform SNMP polling, you must configure the ACE Admin context with a management IP with a suitable management policy that permits SNMP traffic. All other contexts can be polled using this Admin context management IP.

For each device type (ACE, CSS, CSM, or CSM-S), see the corresponding configuration guide to configure the device to permit SNMP traffic.

ANM Requirements for ACE High Availability

ANM automatically identifies ACE high availability (HA) peers if both peers are imported into ANM. For ANM to identify two ACE devices (ACE modules or ACE appliances) as high availability peers, ANM looks for two ACE devices with the same fault-tolerant (FT) interface VLAN configuration and whose peer IP addresses are reversed.

For example, ANM would consider Peer 1 with the following configuration:

ft interface vlan 4000
  ip address 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.4 255.255.255.0
 
   

and Peer 2 with the following configuration:

ft interface vlan 4000
  ip address 10.10.10.4 255.255.255.0
  peer ip address 10.10.10.1 255.255.255.0
 

as HA peers because they both use FT interface VLAN 4000 and their IP and peer IP addresses are reversed.

However, it is possible that multiple ACE devices imported into ANM have the same FT interface VLAN and IP address/peer IP address combinations. In this case, ANM is not able to identify the ACE HA pair correctly. To resolve this issue, ANM uses the following logic to determine that two ACE devices are an HA pair:

1. Two ACE devices could be identified as a HA pair if their FT interface VLAN IDs match and their FT interface IP and peer IP addresses are reversed.

2. If the Admin context management interface peer IP address is already defined, ANM will conclusively identify its HA peer if the other Admin context management interface reversely matches the management IP and peer IP addresses.

3. If both ACE Admin context management interface peer IP addresses are not defined, and their FT interface configuration combination is unique across all ACE devices, ANM will then identify them as an HA pair.

4. An ACE HA peer is identified as Inconclusive if there is a non unique FT interface configuration combination across all ACE devices and its Admin context management interface peer IP is not defined.

When importing an ACE HA pair into ANM, you should follow one of the following configuration requirements so that ANM can uniquely identify the ACE HA pair:

Use a unique combination of FT interface VLAN and FT IP address/peer IP address for every ACE HA pair imported into ANM. For HA, it is critical that the combination of FT interface VLAN and IP address/peer IP address is always unique across every pair of ACE peer devices.

Define a peer IP address in the management interface using the management IP address of the peer ACE (module or appliance). The management IP address and management peer IP address used for this definition should be the management IP address used to import both ACE devices into ANM.

An example is as follows:

ACE1 is imported into ANM with management IP 10.10.10.10.

ACE2 is imported into ANM with management IP 10.10.10.12.

In this case, you would perform the following actions for both ACE1 and ACE2:

Update the management interface on ACE1 with IP address 10.10.10.10. to have 10.10.10.12 as the peer IP address.

Update the management interface on ACE2 with IP address 10.10.10.12 to have 10.10.10.10 as the peer IP address.

An ACE module or appliance may have many other management interfaces defined, but ANM is particularly interested only in the management interface whose IP address is used for importing into ANM.

When ANM is unable to determine a unique ACE HA peer pair, it displays an Inconclusive state in the ACE HA State column of the All Virtual Contexts table (Config > Devices > Virtual Context Management) or the Virtual Contexts listing page. The Inconclusive state indicates that ANM was able to determine that the given ACE was configured in HA; however, ANM was able to find more than one ACE module or ACE appliance that appeared to be a peer. In this case, ANM was unable to conclusively find a unique HA peer for the given ACE module or ACE appliance. You must then perform the actions outlined in this section to fix the ACE that is in this state.

More information will appear in the tooltip for the Inconclusive state to specify whether this state was reached because the FT interface VLAN and the IP address/peer IP address was not unique, or because the peer IP address on the management interface was not unique.

Based on the information provided to you in the tooltip for the Inconclusive state, you must update the ACE configuration as described in the configuration requirements outlined above. After you make these configuration changes, resynchronize the affected ACE devices in ANM to update the configuration and HA mapping. For more information about synchronizing virtual contexts, see the "Creating Virtual Contexts" procedure.

Modifying the ANM Timeout Setting to Compensate for Network Latency

You can adjust the amount of time that ANM waits for a response from a device that you want ANM to import. You may need to adjust the timeout value when network latency prevents ANM from establishing a communication link with the device to be imported.

To establish communications between ANM and the device during the device import process, the device sends requests to ANM for the required device username and password information. After ANM provides the device username, it waits two seconds for the device to make the next request for the password. If network latency prevents the password request from arriving within two seconds of providing the username, the connection times out, preventing ANM from importing the device.

This type of issue can occur when importing devices that are Telnet-managed or require remote user authentication. To compensate for the resulting network latency, you can modify the default two-second timeout value by editing the ANM cs-config.properties file.

Procedure


Step 1 Modify the timeout value to 20000 milliseconds (20 seconds) as follows:

ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and add the following line to the end of the file:

telnet.transport.login.timeout=20000

ANM Virtual Appliance—Enter the following command:

anm-property set telnet.transport.login.timeout 20000

Step 2 Restart ANM as follows:

ANM Server—Enter the following command:

/opt/CSCOanm/bin/anm-tool restart

ANM Virtual Appliance—Enter the following command:

anm-tool restart

Step 3 Import the device.

See one of the following sections:

Importing Network Devices into ANM

Discovering Large Numbers of Devices Using IP Discovery

Step 4 (Optional) If the timeout issue persists, slowly increase the timeout value by repeating this procedure.

Do not increase the timeout value beyond 60000 milliseconds.


Related Topics

Importing Network Devices into ANM

Discovering Large Numbers of Devices Using IP Discovery

Importing Network Devices into ANM

ANM allows you to add the following devices individually to its database:

ACE appliances

ACE modules

Catalyst 6500 series chassis

Catalyst 6500 Virtual Switching System (VSS) 1440

Cisco 7600 series routers

Cisco Content Services Switch (CSS) devices

Cisco Content Switching Module (CSM) devices

Cisco Global Site Selector (GSS) devices

VMware vCenter Servers

We recommend that you use the procedures in this section to add your devices to ANM because they are faster and more efficient than running IP Discovery (see the "Discovering Large Numbers of Devices Using IP Discovery" section).

Guidelines and Restrictions

This topic includes the following guidelines and restrictions:

When adding a module device, such as an ACE module or a CSM, you must first import the host chassis device, such as a Cisco Catalyst 6500 series switch chassis, and then you add the installed modules. The chassis device is referred to as a Cisco IOS device during the device import process.

The time required to import devices depends on the number of appliances, chassis, modules, and contexts that you are importing. For example, an ACE appliance with 20 virtual contexts takes longer than an ACE appliance with 5 contexts. While ANM imports devices, you cannot perform other activities in the same session. You can, however, establish a new session with the ANM server and perform activities on other appliances, chassis, modules, or virtual contexts.

Network latency can prevent ANM from establishing a communication link with a device that you want to import. When ANM is providing the device with the device credentials (username and password), by default it waits two seconds after providing the device username for the password prompt to appear. The link times out when it takes longer than two seconds for the next prompt to appear. For information about possible causes of network latency that can create this issue and how to adjust the ANM timeout value, see the "Modifying the ANM Timeout Setting to Compensate for Network Latency" section.

Prerequisites

This topic includes the following prerequisites:

Before adding a device or ACE module, the ANM server pings the IP address of the device or ACE module. If you have a firewall between the ANM server and the device you want to import, your network administrator needs to modify the firewall to allow the ping traffic to reach the device or ACE module.

To import your devices successfully, ensure the following:

The ACE module or CSM has booted successfully and is in the OK/Pass state (enter the show module supervisor Cisco IOS CLI command to verify this action).

The ACE appliance or the CSS state is up and running. There is no command to validate whether these devices are up and running.

This section includes the following topics:

Importing Cisco IOS Host Chassis and Chassis Modules

Importing ACE Appliances

Importing CSS Devices

Importing GSS Devices

Importing VMware vCenter Servers

Importing Cisco IOS Host Chassis and Chassis Modules

This section shows how to import a Cisco IOS host chassis into ANM, such as the Catalyst 6500 series chassis or the Cisco 7600 series router. After you define the Cisco IOS device during the import process, you import the ACE or CSM modules that currently reside in the chassis and are detected by ANM. When you add additional modules to the Cisco IOS device, you import the new modules into ANM without having to redefine the host chassis.

This section includes the following topics:

Importing Cisco IOS Devices with Installed Modules

Importing ACE Modules after the Host Chassis has been Imported

Importing CSM Devices After the Host Chassis Has Been Imported

Importing VSS 1440 Devices After the Host Chassis Has Been Imported`

Importing Cisco IOS Devices with Installed Modules

This section shows how to import the following Cisco IOS chassis devices into ANM along with any installed ACE modules or CSMs that ANM detects in the chassis:

Catalyst 6500 series chassis

Catalyst 6500 Virtual Switching System (VSS) 1440

Cisco 7600 series routers

Procedure


Step 1 Choose Config > Devices > All Devices.

The Device Management window appears.

Step 2 In the device tree or in the All Devices table, click Add.

The New Device window appears.

Step 3 Enter the information for the device using the information in Table 5-2.

Table 5-2 New Device Attributes 

Field
Description

Name

Unique name for the device. Valid entries are unquoted text strings with no spaces and a maximum of 26 alphanumeric characters.

Model

Type of device to import. From the Model drop-down list, choose Cisco IOS Device.

Primary IP

IP address for the device in dotted-decimal format.

Access Protocol

Protocol to use for communication with the device. Choose Secure/SSH2 (default setting) or Telnet as the protocol that ANM uses to access the Cisco IOS devices.

User Name

Account name for device access.

Note If you did not configure an account on the chassis before starting this procedure, you can enter an alphanumeric string with no spaces to complete this procedure. However, we recommend that you configure an account on the device to prevent unauthorized access.

Password

Password for the account.

Enable Password

Provides an extra level of security.

SNMP v2c Enabled

Check the SNMP v2c Enabled checkbox to configure SNMP access.

Description

Field that appears if you check the SNMP v2c Enabled checkbox.

Enter the community string for the device.

Note If you are adding a Catalyst 6500 series chassis, in the Community field, enter the SNMP community string already configured on the Catalyst 6500 series chassis. ANM uses this string to query device status information such as VLAN and interface status. This SNMP community string is also used for any CSM devices contained in the specified Catalyst 6500 series chassis.

For Catalyst 6500 series chassis, CSS, and CSM devices, the SNMP community string already configured on the device is used by ANM for polling. For ACE modules and ACE appliances, the SNMP community string entered into ANM is configured on the ACE module/appliance and is used for polling the devices.

Custom Prompt Settings

Custom Username Prompt

Optional field for use with the Cisco Catalyst 6500 series switch and Cisco 7600 series router only. With either device, if you have it configured to use a TACACS+ server for remote authentication, you can also configure it to display a custom username prompt during the login process rather than the default username prompt. If you have the device configured to use a custom username prompt, enter the custom prompt in this field.

Custom Password Prompt

Optional field for use with the Cisco Catalyst 6500 series switch and Cisco 7600 series router only. With either device, if you have it configured to use a TACACS+ server for remote authentication, you can also configure it to display a custom password prompt during the login process rather than the default password prompt. If you have the device configured to use a custom password prompt, enter the custom prompt in this field.


Step 4 Do one of the following:

Click Next to save your entries and import device information. A progress bar displays while ANM establishes a session with the chassis and collects information about the installed modules. When the information has been collected, ANM displays one of the following windows:

If no CSM devices or ACE or modules are associated with the chassis device, the All Devices table refreshes with the chassis information.

If CSM devices or ACE modules are associated with the chassis device, the Modules configuration window appears and displays information about the first detected module. To view the detected modules, continue to Step 5.

Click Cancel to exit the procedure without saving your entries and to return to the All Devices table. Clicking Cancel prevents device information from being imported and prevents ACE module discovery.

Step 5 In the Modules window, verify the information of the first detected chassis module as described in Table 5-3 and use the Next and Previous buttons to navigate through the list of detected chassis modules.

Table 5-3 Detected Modules in Imported Chassis Device 

Item
Description

Card Slot

Chassis IP address, detected module type, and chassis slot number. For example, 10.10.10.1:ACE:2.

Card Type

Version information about the detected module. For example, ACE v2.3. This field displays major release information only. For example, 8.2x might be supported by a module, but only 8.2 displays.

Module Has Been Imported Into ANM

Read only information to indicate that the module has already been imported (checked) or that it has not been imported (unchecked).

Operation To Perform

Drop down list to specify the action to take as follows:

Do Not Import (default setting)

Import

Perform Initial Setup and Import


Step 6 To import a displayed module, in the Operation to Perform field, choose one of the following:

Import—ANM is to import the CSM device or ACE module. For the ACE module, ANM displays additional configuration fields when the Import option is selected. For both modules types, skip to Step 7 after selecting Import.

Perform Initial Setup And Import—(ACE module only) Allows you to perform initial setup manually required for ANM to communicate with the ACE module and imports ACE module configuration. Skip to Step 8.


Note We recommend that you choose this option for ACE modules that are configured only with factory defaults.


Step 7 If you chose Import for a CSM device or ACE module, do one of the following:

To import a CSM device, no further device information is required. Click Next or Previous to navigate to the next module to specify to import or click Finish to import the specified modules.

To import an ACE module, perform the following steps:

a. In the Admin Context IP field, enter the module IP address.

b. In the User Name field, enter the username for accessing this module. Valid entries are unquoted text strings with a maximum of 24 characters. The default admin credentials are admin/admin.


Note For security reasons, we recommend that you change the username and password on your ACE device (and modules) after you import them. The security on your ACE module can be compromised because the administrative username and password are configured to be the same for every ACE module shipped from Cisco. See the "Changing ACE Module Passwords" section.


c. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default admin credentials are admin/admin.

d. Click Next or Previous to navigate to the next module to specify to import or click Finish to import the specified modules.

Skip to Step 10.

Step 8 If you chose Perform Initial Setup And Import for an ACE module, perform the following steps:

a. In the Host Name field, enter a unique name for this ACE module. Valid entries are alphanumeric strings with no spaces and a maximum of 32 characters.

b. In the Admin Context IP field, enter the IP address for this ACE module.

c. In the Netmask field, from the drop-down list, choose the subnet mask to apply to this IP address.

d. In the Gateway field, enter the IP address of the gateway router to use.

e. In the VLAN field, choose the VLAN to which this module belongs.

f. Check the Blade Is Configured With Factory Default Admin Credentials check box if the ACE module is currently configured with the default admin credentials (admin/admin).

g. In the User Name field, enter the username for accessing this module. Valid entries are unquoted text strings with a maximum of 24 characters. The default admin credentials are admin/admin.


Note For security reasons, we recommend that you change the username and password on your ACE after you import it. The security on your ACE module can be compromised because the administrative username and password are configured to be the same for every ACE shipped from Cisco. See the "Changing ACE Module Passwords" section.


h. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default admin credentials are admin/admin.

Step 9 Do one of the following:

Click OK to save your entries and to continue with the device configuration. A progress bar reports status and the Device configuration window appears.

Click Cancel to exit the procedure without importing ACE modules and to return to the All Devices table.


Note Clicking Cancel in this window does not cancel the chassis importing process.


Step 10 (Optional) To confirm that the virtual contexts on the ACE module were successfully imported into ANM, do the following:

a. Choose Config > Devices. The device tree appears.

b. In the device tree, choose the chassis device and ACE module that you just imported. The Virtual Contexts table appears, listing the contexts for that device.

c. Confirm that the contexts imported successfully:

If OK appears in the Config Status column, it means that the context imported successfully.

If Import Failed appears in the Config Status column, it means that the context did not import successfully.

d. To synchronize the configurations for the context import that failed, choose the context, and then click Sync. ANM will synchronize the context by uploading it from the ACE device.

For more information on synchronizing virtual contexts, see the "Creating Virtual Contexts" section.


Note If you receive authentication errors or incorrect username/password errors when trying to import ACE devices, refer to the ACE documentation regarding username and password settings and limitations.




Tip After you add an ACE module, see the "Enabling a Setup Syslog for Autosync for Use With an ACE" section to enable auto sync, which allows ANM to synchronization with the ACE CLI when ANM receives a syslog message from the ACE rather wait the default polling period.


Relate Topics

Importing ACE Modules after the Host Chassis has been Imported

Importing CSM Devices After the Host Chassis Has Been Imported

Importing ACE Appliances

Importing CSS Devices

Importing GSS Devices

Importing VMware vCenter Servers

Removing Modules from the ANM Database

Synchronizing Module Configurations

Importing ACE Modules after the Host Chassis has been Imported

You can add ACE modules into the ANM database at any time after the host chassis been added.

Before You Begin

Ensure that the module to be imported has booted successfully and is in OK/Pass state. To check the module state, enter the show module supervisor Cisco IOS CLI command.

Note that time needed to import ACE modules depends on the number of modules and contexts that you are importing. For example, an ACE module with 20 virtual contexts takes longer than an ACE module with 5 contexts. While ANM imports the module, you cannot perform other activities in the same session. You can, however, establish a new session with the ANM server and perform activities on other devices, modules, or virtual contexts.

If you receive authentication errors or incorrect username/password errors when you try to import an ACE module, see the ACE documentation regarding username and password settings and limitations.

If you physically replace an ACE module in a chassis, you need to synchronize the chassis in ANM. We recommend you start by adjusting syslog settings to facilitate the ANM auto synchronization process as described in the "Enabling a Setup Syslog for Autosync for Use With an ACE" section.

Guidelines and Restrictions

ANM 3.0 and greater releases do not support the importing of an ACE module that contains an A1(6.x) software release or an ACE appliance that contains an A1(7.x) or A1(8.x) software release. If you attempt to import an ACE that supports one of these releases, ANM displays a message to instruct you that it failed to import the unrecognized ACE configuration and that device discovery failed.

However, if you perform an ANM upgrade (for example, from ANM 2.2 to ANM 3.0), and the earlier ANM release contained an inventory with an ACE module that supported the A1(6x) software release or an ACE appliance that supported the A1(7.x) or A1(8.x) software release, ANM 3.0 (and greater) allows the A1(x) software release to reside in the ANM database and will support operations for the release. ANM prevents a new import of an ACE module or ACE appliance that contains the unsupported software version.

We strongly recommend that you upgrade your ACE module or ACE appliance to a supported ACE software release, and that you instruct ANM to recognize the updated release. See the "Instructing ANM to Recognize an ACE Module Software Upgrade" section.

See the Supported Device Tables for the Cisco Application Networking Manager for a complete list of supported ACE module and ACE appliance software releases.

Prerequisites

The host chassis of the ACE module that you are adding has been imported (see the "Importing Cisco IOS Host Chassis and Chassis Modules" section).

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the host device that contains the ACE module you want to import and click Modules.

The Modules table appears, which displays a list of the installed modules.

Step 3 In the Modules table, choose the module that you want to import and click Import.

The Modules configuration window appears.

Step 4 In the Modules window, verify the information of the selected module as described in Table 5-4.

Table 5-4 Importing ACE Modules 

Item
Description

Card Slot

Chassis IP address, detected module type, and chassis slot number. For example, 10.10.10.1:ACE:2.

Card Type

Version information about the detected module. For example, ACE v2.3. This field displays major release information only. For example, 8.2x might be supported by a module, but only 8.2 displays.

Module Has Been Imported Into ANM

Read only information to indicate that the module has already been imported (checked) or that it has not been imported (unchecked).

Operation To Perform

Drop down list to specify the action to take as follows:

Do Not Import (default setting)

Import

Perform Initial Setup and Import


Step 5 To import a displayed module, in the Operation to Perform field, choose one of the following:

Import—ANM is to import the ACE module. ANM displays additional configuration fields when the Import option is selected. For both modules types, skip to Step 6 after selecting Import.

Perform Initial Setup And Import—Allows you to perform initial setup manually required for ANM to communicate with the ACE module and imports ACE module configuration. Skip to Step 7.


Note We recommend that you choose this option for ACE modules that are configured only with factory defaults.


Step 6 If you chose Import, perform the following steps:

a. In the Admin Context IP field, enter the module IP address.

b. In the User Name field, enter the username for accessing this module. Valid entries are unquoted text strings with a maximum of 24 characters. The default admin credentials are admin/admin.


Note For security reasons, we recommend that you change the username and password on your ACE device (and modules) after you import them. The security on your ACE module can be compromised because the administrative username and password are configured to be the same for every ACE module shipped from Cisco. See the "Changing ACE Module Passwords" section.


c. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default admin credentials are admin/admin.

d. Click Next or Previous to navigate to the next module to specify to import or click Finish to import the specified modules.

Skip to Step 9.

Step 7 If you chose Perform Initial Setup And Import, perform the following steps:

a. In the Host Name field, enter a unique name for this ACE module. Valid entries are alphanumeric strings with no spaces and a maximum of 32 characters.

b. In the Admin Context IP field, enter the IP address for this ACE module.

c. In the Netmask field, from the drop-down list, choose the subnet mask to apply to this IP address.

d. In the Gateway field, enter the IP address of the gateway router to use.

e. In the VLAN field, choose the VLAN to which this module belongs.

f. Check the Blade Is Configured With Factory Default Admin Credentials check box if the ACE module is currently configured with the default admin credentials (admin/admin).

g. In the User Name field, enter the username for accessing this module. Valid entries are unquoted text strings with a maximum of 24 characters. The default admin credentials are admin/admin.


Note For security reasons, we recommend that you change the username and password on your ACE after you import it. The security on your ACE module can be compromised because the administrative username and password are configured to be the same for every ACE shipped from Cisco. See the "Changing ACE Module Passwords" section.


h. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default admin credentials are admin/admin.

Step 8 Do one of the following:

Click OK to save your entries and to continue with the device configuration. A progress bar reports status and the Device configuration window appears.

Click Cancel to exit the procedure without importing ACE modules and to return to the All Devices table.


Note Clicking Cancel in this window does not cancel the chassis importing process.


Step 9 (Optional) To confirm that the virtual contexts on the ACE module were successfully imported into ANM, do the following:

a. Choose Config > Devices. The device tree appears.

b. In the device tree, choose the chassis device and ACE module that you just imported. The Virtual Contexts table appears, listing the contexts for that device.

c. Confirm that the contexts imported successfully:

If OK appears in the Config Status column, it means that the context imported successfully.

If Import Failed appears in the Config Status column, it means that the context did not import successfully.

d. To synchronize the configurations for the context import that failed, choose the context, and then click Sync. ANM will synchronize the context by uploading it from the ACE device.

For more information on synchronizing virtual contexts, see the "Creating Virtual Contexts" section.


Note If you receive authentication errors or incorrect username/password errors when trying to import ACE devices, refer to the ACE documentation regarding username and password settings and limitations.




Tip After you add ACE devices, see the "Enabling a Setup Syslog for Autosync for Use With an ACE" section to enable auto sync, which allows ANM to synchronization with the ACE CLI when ANM receives a syslog message from the ACE rather wait the default polling period.


Related Topics

Importing Cisco IOS Host Chassis and Chassis Modules

Importing ACE Appliances

Importing CSS Devices

Importing GSS Devices

Importing VMware vCenter Servers

Removing Modules from the ANM Database

Synchronizing Module Configurations

Importing CSM Devices After the Host Chassis Has Been Imported

You can import CSM devices into the ANM database at any time after the host chassis or router has been imported.


Note ANM assigns the device type CSM to both CSM and CSM-S devices. This assignment has to do with how ANM collects and assigns the information that it receives from the device and does not affect functionality. To differentiate between these devices, see the description information in the user interface.


Prerequisites

The host chassis of the CSM that you are adding has been imported (see the "Importing Cisco IOS Host Chassis and Chassis Modules" section).

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the host device that contains the CSM that you want to import, and then click Modules.

The Modules table appears.

Step 3 In the Modules table, choose the CSM that you want to import, and then click Import.

The Modules configuration window appears.

Step 4 Verify that the information is correct in the following read-only fields:

Card Slot—The slot in the chassis in which the module resides.

Card Type—The device type; in this instance, CSM.

Module Has Been Imported Into ANM—The checkbox is checked to indicate that the module has already been imported or cleared to indicate that it has not been imported.

Step 5 In the Operation to Perform field, choose Import.

Step 6 Do one of the following:

Click OK to save your entries. A progress bar reports status and the Modules table refreshes with updated information.

Click Cancel to exit the procedure without importing the device and to return to the Modules table.


Related Topics

Importing Cisco IOS Host Chassis and Chassis Modules

Importing ACE Appliances

Importing CSS Devices

Importing GSS Devices

Importing VMware vCenter Servers

Removing Modules from the ANM Database

Synchronizing Module Configurations

Importing VSS 1440 Devices After the Host Chassis Has Been Imported

Catalyst 6500 Virtual Switching Systems (VSS) 1440 devices allow for the combination of two switches into a single, logical network entity from the network control plane and management perspectives. To the neighboring devices, the Cisco Virtual Switching System appears as a single, logical switch or router.

VSS devices will be discovered as normal Cisco IOS devices in ANM if the devices are already converted to virtual switch mode.


Note ANM does not recognize failure scenarios as discussed in the "Configuring Virtual Switching System" section of the Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide on Cisco.com at http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html#wp1062314.


Related Topics

Importing Cisco IOS Host Chassis and Chassis Modules

Importing ACE Appliances

This section shows how to import an ACE appliance into ANM.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the Add button.

The New Device window appears.

Step 3 In New Device window, define the ACE appliance to import using the information in Table 5-5.

Table 5-5 ACE Appliance Configuration Options 

Field
Description

Name

Name assigned to the ACE appliance.

Model

Drop-down list to specify the device type. From the Model drop-down list, choose ACE 4710 (appliance).

Primary IP

ACE appliance IP address.

User Name

Username that has the administrator role.

Password

Password that corresponds to the username.

Confirm

Confirmation of the password.

Description

Brief device description.


Step 4 Do one of the following:

Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window for the device appears.

Click Cancel to exit the procedure without importing the device and to return to the Modules table.


Related Topics

Importing Network Devices into ANM

Importing Cisco IOS Host Chassis and Chassis Modules

Importing CSS Devices

Importing GSS Devices

Importing VMware vCenter Servers

Importing CSS Devices

This section shows how to import CSS devices into ANM.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the Add button.

The New Device window appears.

Step 3 In New Device window, define the CSS device to import using the information in Table 5-6.

Table 5-6 CSS Configuration Options 

Field
Description

Name

Name assigned to the device.

Model

Drop-down list to specify the device type. From the Model drop-down list, choose CSS.

Primary IP

Device IP address.

Access Protocol

Protocol that ANM is to use when communicating with the CSS. Choose one of the following:

Secure/SSH (default setting)

Telnet

User Name

Username that has the administrator role.

Password

Password that corresponds to the username.

Confirm

Confirmation of the password.

SNMP v2c Enabled

Checkbox to enable SNMP v2c.

Description

Brief device description.


Step 4 Do one of the following:

Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window for the device appears (see the "Configuring CSS Primary Attributes" section).

Click Cancel to exit the procedure without importing the device and to return to the Modules table.


Related Topics

Importing Network Devices into ANM

Importing Cisco IOS Host Chassis and Chassis Modules

Importing ACE Appliances

Importing GSS Devices

Importing VMware vCenter Servers

Importing GSS Devices

This section shows how to import GSS devices into ANM.

Guidelines and Restrictions

Follow these guidelines for importing GSS devices into ANM:

You only need to import the primary GSSM into ANM—You are not required or permitted to add either the standby GSSM or GSS device. ANM communicates only with the primary GSSM for activation and suspension of DNS rules and virtual IP (VIP) answers and for collecting statistics.

GSS graphical user interface (GUI) and CLI must have matching passwords—The username that you configure while adding a GSS device to ANM must be the same on both the GSS GUI and GSS CLI.

Communication between ANM and the primary GSSM is accomplished using the GSS Communication Ethernet Interface—This interface is used for internal communication between the primary GSSM and the other GSS devices in the GSS cluster. Beginning with ANM 4.3, ANM uses Java Remote Method Invocation (RMI) only to communicate with GSS devices using software Version 3.3 or later versions. If the GSS device is using an earlier version of software and ANM cannot communicate with it using RMI, ANM uses Secure Shell (SSH).

Table 5-7 lists the TCP ports that ANM uses to communicate with GSS devices.

Table 5-7 TCP Ports Used by ANM for GSS 

Port
Description

22

SSH

2001

Java RMI

3009

Secure RMI



Note When ANM uses SSH for GSS communication, terminal length settings are set to 0 during import, synchronization, and background polling. The previous terminal length settings that you had before import, synchronization, and background polling is performed are not preserved.


Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the Add button.

The New Device window appears.

Step 3 In New Device window, define the GSS device to import using the information in Table 5-8.

Table 5-8 GSS Configuration Options 

Field
Description

Name

Name assigned to the device.

Model

Drop-down list to specify the device type. From the Model drop-down list, choose GSS.

Primary IP

Device IP address.

User Name

Username that has the administrator role.

Password

Password that corresponds to the username.

Confirm

Confirmation of the password.

Enable Password

Password for remote authorization. When the GSS is configured for remote authorization with the enable command in the user privilege, then the enable password is not used.

Confirm

Confirmation of the enable password.

Description

Brief description for this device.


Step 4 Do one of the following:

Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window for the device appears (see the "Configuring GSS Primary Attributes" section).

Click Cancel to exit the procedure without importing the device and to return to the Modules table.


Related Topics

Importing Network Devices into ANM

Importing Cisco IOS Host Chassis and Chassis Modules

Importing ACE Appliances

Importing CSS Devices

Importing VMware vCenter Servers

Importing VMware vCenter Servers

This section shows how to import VMware vCenter Servers that are part of a VMware virtual datacenter containing virtual machines (VM). When you import a VMware vCenter Server, ANM discovers the following network entities associated with the server: datacenters, VMs, and hosts (VMware ESX servers).

During the VMware vCenter Server import process, you can enable the ANM plug-in that allows you to access ANM ACE real server functionality from a VMware vSphere Client. Registering the plug-in provides the client with a URL to access ANM and retrieve the required XML definition file. ANM uses HTTPS for communication with VMware vCenter Server.

Guidelines and Restrictions

This topic includes the following guidelines and restrictions:

ANM does not recognize all the special characters that VMware allows you to use in a VM name. If you import a VMware vCenter Server containing VM names that use certain special characters, ANM encounters issues that affect the VM Mappings window (Config > Devices > vCenter > System > VM Mappings). This window shows how VMs map to real servers.

The issues associated with certain special characters in VM names are as follows:

When a VM name contains a double quote ("), ANM is not able to display the VM Mappings window (a blank window displays).

When a VM name contains a percent sign (%), backslash (\), or forward slash (/), ANM displays the VM name in the VM Mappings window; however, these special characters display as hex values (%25 for %, %5c for \, and %2f for /).

To avoid these issues, remove these special characters from the VM name before you use the following procedure to import the VMware vCenter Server in to ANM.

ANM supports importing a VMware vCenter Server operating in standard mode only. You cannot import a vCenter Server operating in linked mode.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the Add button.

The New Device window appears.

Step 3 In New Device window, configure the VMware vCenter Server using the information in Table 5-9.

Table 5-9 VMware vCenter Server Configuration Options 

Field
Description

Name

Name assigned to the device.

Model

Drop-down list of available device types. From the Model drop-down list, choose vCenter.

Primary IP

VMware vCenter Server IP address.

HTTPS Port

Port that the VMware vCenter Server uses to communicate with ANM using HTTPS.

User Name

VMware vCenter Server username that has the administrator role or an equivalent role that has privilege on "Extension," "Global->Manage custom attribute," and "Global->Set custom attribute."

Password

Password that corresponds to the VMware vCenter Server username.

ANM vCenter Plug-in

Registers the ANM plug-in when adding the VMware vCenter Server. Registering the plug-in provides the VMware vCenter Server and associated VMware vSphere Clients with a URL to access ANM and retrieve the required XML definition file. ANM uses HTTPS for communication with the VMware vCenter Server and vSphere Clients. When the plug-in is registered, you can access ANM ACE real server functionality from a VMware vSphere Client.

Choose one of the following options:

Import vCenter and register plug-in

Import vCenter and but do not register plug-in (default setting)

To register or unregister the ANM plug-in at a later time, see the "Registering or Unregistering the ANM Plug-in" section.

ANM Server

DNS name or IP address of the ANM server that will be used by the VMware vCenter Server and vSphere Client. By default, ANM populates this field with the virtual IP address or hostname or all of the available IP addresses. If you enter a DNS name, make sure that the name can be resolved on the VMware vSphere Client side of the network.


Note For ANM servers operating in an HA configuration, choose the shared alias IP address or VIP address for the HA pair so that the plug-in can still be used after an HA failover occurs.



Step 4 Do one of the following:

Click OK to save your entries. After ANM adds the VMware vCenter Server, the Primary Attributes window for the VMware vCenter Server appears (see the "Configuring VMware vCenter Server Primary Attributes" section).

Click Cancel to exit the procedure without importing the device and to return to the Modules table.


Related Topics

Configuring VMware vCenter Server Primary Attributes

Using the ANM Plug-In With Virtual Data Centers

Mapping Real Servers to VMware Virtual Machines

Importing Network Devices into ANM

Importing Cisco IOS Host Chassis and Chassis Modules

Importing ACE Appliances

Importing CSS Devices

Importing GSS Devices

Enabling a Setup Syslog for Autosync for Use With an ACE

You can set up auto synchronization to occur when ANM receives a syslog message from ACE devices. This feature allows a faster, more streamlined synchronization process between ANM and any out-of-band configuration changes. Rather than wait the default polling period, ANM will synchronize when a syslog message is received if you enable the Autosync feature.


Note ANM supports auto synchronization for GSS software version 4.1(2) but does not support this feature for CSS/CSM devices.


Procedure


Step 1 Choose Config > Devices. From the device tree, select either an ACE module or an ACE appliance.

Step 2 Choose Setup Syslog for Autosync.

The Setup Syslog for Autosync window appears.

Step 3 Choose one or more virtual contexts for which you want to receive Autosync syslog messages.

Step 4 Click the Setup Syslog button.

A progress bar window appears.

The following CLI commands are sent to the enabled ACE devices:

logging enable

logging trap 2

logging device-id string <ACE-Ip>/Admin

logging host <ANM-Ip> udp/514

logging message 111008 level 2

Step 5 If the setup is successful, a checkbox with check mark will appear in the Setup Syslog for Autosync? column for each virtual context that you selected. If there are any errors, the errors will be shown in a popup window.


Discovering Large Numbers of Devices Using IP Discovery

The IP Discovery feature allows you to discover and import Cisco chassis and ACEs into the ANM database as follows:

1. Preparing devices for discovery. This process involves enabling SSH and XML over HTTPS and adding device credentials. See the "Preparing Devices for IP Discovery" section.

2. Discovering devices residing on your network. The ANM uses SSH, XML over HTTPS, and Telnet to discover its supported devices. When you run IP Discovery, you locate IP addresses of ACE chassis and appliances. See the "Running IP Discovery to Identify Devices" section.

After discovery, devices do not appear in the Devices table until device import is completed. To import a specific chassis into the ANM database, you need to enter IP and credentials information for the chassis and then import it and any associated modules. While this discovery method requires you to add more information initially, it provides more control over the discovery process.

3. Importing the device information into the ANM database to add the device into the Devices table. See the "Importing Network Devices into ANM" section.

4. After importing a module host device, such as a Catalyst 6500 series chassis, you can add ACE modules and CSMs into the ANM database. See the "Importing ACE Modules after the Host Chassis has been Imported" section or the "Importing CSM Devices After the Host Chassis Has Been Imported" section.

5. After you start a discovery job, you can monitor its status. See the "Monitoring IP Discovery Status" section.

ANM offers multiple ways to accomplish some of these steps. For example, you can either run a discovery job to identify the available chassis, and then choose the ones to import, or you can import a specific chassis into the ANM database.

To add a chassis without running discovery, see the "Importing Cisco IOS Host Chassis and Chassis Modules" section.

See the Supported Devices Table for Cisco Application Networking Manager for more information about the devices that ANM supports.

This section includes the following topics:

Preparing Devices for IP Discovery

Running IP Discovery to Identify Devices

Monitoring IP Discovery Status

Preparing Devices for IP Discovery

This section describes how to prepare your Cisco devices for IP Discovery by enabling SSH and Telnet on each device and by configuring device SSH and Telnet credentials though ANM. These tasks enable ANM to communicate with the devices and collect data from them.


Caution IP Discovery sends unencrpyted credentials (Telnet and SNMP) to all devices on the specified subnet who respond to the associated ports. This is a potential security risk because credentials are broadcast out to one or more networks. IP Discovery may also find devices that cannot be imported or may not be able to locate devices that could be imported.

Guidelines and Restrictions

Network latency can prevent ANM from establishing a communication link with a device that you want to import. When ANM is providing the device with the device credentials (username and password), by default it waits two seconds after providing the device username for the password prompt to appear. The link times out when it takes longer than two seconds for the next prompt to appear. For information about possible causes of network latency that can create this issue and how to adjust the ANM timeout value, see the "Modifying the ANM Timeout Setting to Compensate for Network Latency" section.

Before You Begin

Ensure that you have enabled SSH and Telnet in your Cisco network devices by performing the tasks described in the following sections:

Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance

This section includes the following topics:

Configuring Device Access Credentials

Modifying Credential Pools

Configuring Device Access Credentials

You can add device credentials to ANM before running IP Discovery.

Procedure


Step 1 Choose Config > Tools > Credential Pool Management.

The New Credential Pool window appears.

Step 2 In the Name field, enter the name of the new credential pool.

Step 3 Click Save to save this entry and to proceed with credentials configuration.

The configuration window appears.

Step 4 Set the Telnet credentials as follows:

a. Choose Configuration > Telnet Credentials. The Telnet Credentials table appears.

b. In the table, click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it.

c. Enter the credentials (see Table 5-10).

Table 5-10 Telnet Credentials 

Field
Description

IP Address

Specific IP address in dotted-decimal notation or use an asterisk (*) as a wildcard character to identify a number of devices, such as 192.168.11.*.

User Name

Telnet username for the specified devices.

Password

Telnet password for the specified devices.

Confirm

Telnet password that you reenter.

Enable Password

Telnet enable password for the specified devices. ANM uses this password during the Catalyst 6500 series chassis and Catalyst 6500 Virtual Switching System (VSS) 1440 import process.

Confirm

Telnet enable password that you reeenter.


d. Do one of the following:

Click OK to save your entries and to return to the Telnet Credentials table.

Click Cancel to exit this procedure without saving your entries and to return to the Telnet Credentials table.

Click Next to deploy your entries and to add another set of Telnet credentials.

Step 5 Set the SNMP credentials as follows:

a. Choose Configuration > SNMP Credentials. The SNMP Credentials table appears.

b. Click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it.

c. Enter the SNMP credentials (see Table 5-11).

Table 5-11 SNMP Credentials 

Field
Description

IP Address

Specific IP address in dotted-decimal notation is used or an asterisk (*) is used as a wildcard character to identify a number of devices, such as 192.168.11.*.

Mode

Default version of SNMP is selected for this credential pool. Snmpv2 indicates that SNMP version 2 is to be used for this credential pool for the specified devices.

RO Community

SNMP read-only string for the specified devices. This entry is case sensitive.

Timeout

Time, in seconds, that the ANM is to wait for response from a device before performing the first retry.

Retries

Number of times that the ANM is to attempt to communicate with a device before declaring that the device has timed out.


Step 6 Do one of the following:

Click OK to save your entries and to return to the SNMP Credentials table.

Click Cancel to exit without saving your entries and to return to the SNMP Credentials table.

Click Next to deploy your entries and to configure another set of SNMP credentials.


After establishing the Telnet and SNMP credentials, you are ready to run IP Discovery. See the "Running IP Discovery to Identify Devices" section.

Related Topics

Running IP Discovery to Identify Devices

Configuring Device Access Credentials

Discovering Large Numbers of Devices Using IP Discovery

Modifying Credential Pools

You can modify existing Telnet or SNMP credentials.

Procedure


Step 1 Choose Config > Tools > Credential Pool Management.

The Credential Pools configuration window appears.

Step 2 Choose the credential pool that you want to modify.

The Edit Credential Pool configuration window appears.

Step 3 Click Edit.

Step 4 To modify the existing Telnet credentials, do the following:

a. Choose Configuration > Telnet Credentials. The Telnet Credentials table appears.

b. In the table, click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it.

c. Enter the Telnet credentials (see Table 5-10).

d. Do one of the following:

Click OK to save your entries and to return to the Telnet Credentials table.

Click Cancel to exit this procedure without saving your entries and to return to the Telnet Credentials table.

Click Next to deploy your entries and to add another set of Telnet credentials.

Step 5 To modify the existing SNMP credentials, do the following:

a. Choose Configuration > SNMP Credentials. The SNMP Credentials table appears.

b. Click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it.

c. Enter the SNMP credentials (see Table 5-11).

d. Do one of the following:

Click OK to save your entries and to return to the SNMP Credentials table.

Click Cancel to exit without saving your entries and to return to the SNMP Credentials table.

Click Next to deploy your entries and to configure another set of SNMP credentials.


Related Topics

Running IP Discovery to Identify Devices

Configuring Device Access Credentials

Discovering Large Numbers of Devices Using IP Discovery

Running IP Discovery to Identify Devices

You can run IP Discovery to locate IP addresses of the Catalyst 6500 series chassis (hosting the ACE module), ACE appliance, and Catalyst 6500 Virtual Switching System (VSS) devices.

After establishing Telnet and SNMP credentials (see the "Configuring Device Access Credentials" section), use this procedure to identify chassis and ACEs on your network.


Caution IP Discovery sends unencrpyted credentials (Telnet and SNMP) to all devices on the specified subnet that respond to the associated ports. This is a potential security risk because credentials are broadcast out to one or more networks. IP Discovery may also find devices that cannot be imported or be unable to find devices that could be imported.

Before You Begin

For this procedure, you need the follow items:

IP address for the discovery process.

Applicable subnet mask.

Valid credentials for this discovery (see the "Configuring Device Access Credentials" section).

Verification that the devices have SSH enabled (see the "Preparing Devices for IP Discovery" section).

Procedure


Step 1 Choose Config > Tools > IP Discovery.

The Discovery Jobs table appears.


Tip If you already know the IP address of your devices, use the Config > Devices > Add function. See the "Importing Network Devices into ANM" section.


Step 2 To create a discovery job, click Add.

The Discovery Jobs window appears.

Step 3 In the IP Address field, enter the IP address of a specific device in dotted-decimal notation such as 192.168.11.1.

Step 4 In the Netmask field, choose the subnet mask to be used. When you specify a subnet mask, the discovery process discovers all devices in the range of the IP address and its subnet mask. The default netmask is 255.255.255.0.


Note Choose a higher subnet mask only if you are certain that it is appropriate for your network and you understand the impact. If you choose the subnet mask for a class A or class B network, the discovery process becomes extensive and can take a substantial amount of time to complete.


Step 5 In the Credential Pool field, choose the credential pool to be used for this discovery.

Step 6 Click Discover to run discovery now or Cancel to exit this procedure without running discovery.

When you run IP Discovery, the Discovery Jobs table reflects the state of the discovery as it runs. The amount of time to finish a discovery job depends on the size of your network and network activity.

If necessary, click Stop to stop the discovery process. When the process has stopped, the Discovery Jobs table appears with the discovery job in the table with the state Aborted.


Tip Click Refresh during IP Discovery to see the number of devices found as the discovery process progresses.


Step 7 (Optional) View the discovery process status (see the "Monitoring IP Discovery Status" section).

Step 8 (Optional) Import ACE devices into the ANM when the discovery process is complete (see the "Importing Network Devices into ANM" section).


Related Topics

Creating Virtual Contexts

Importing Network Devices into ANM

Using Configuration Building Blocks

Monitoring IP Discovery Status

You can monitor device discovery status after starting a discovery job.

Procedure


Step 1 Click Config > Tools > IP Discovery.

The Discovery Jobs table appears with the following information for each discovery job:

IP address

Subnet mask

Start Time in the format hh:mm:ss.nnn

End Time, if available, in the format hh:mm:ss.nnn

Credential Pool being used

State of the discovery job, such as Running or Completed

Number of devices found

Step 2 Locate your discovery job to see its current status.

If necessary, click Stop to stop the discovery process. When the process has stopped, the Discovery Jobs table appears with the discovery job in the table with the state Aborted.

Step 3 When discovery is complete, choose the discovery job in the table. A list of the discovered devices appears below the Discovery Jobs table.

You can now populate the ANM with chassis and ACEs. See the "Importing Network Devices into ANM" section.


Related Topics

Importing Network Devices into ANM

Running IP Discovery to Identify Devices

Information About Importing Devices

Configuring Devices

This section describes how to configure the devices that you add to ANM and includes the following topics:

Configuring Device System Attributes

Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs


Note The ANM does not detect changes made to a chassis device though the CLI. Be sure to synchronize chassis configurations whenever chassis configuration has been modified via the CLI.


Configuring Device System Attributes

This section shows how to configure the device system attributes. For the CSM, CSS, and GSS devices, the system attributes consist of the primary attributes only. For the Catalyst 6500 series chassis, Catalyst 6500 Virtual Switching System (VSS) 1440 devices, and Cisco 7600 series routers, the system attributes also include the static route attributes.

This section includes the following topics:

Configuring CSM Primary Attributes

Configuring CSS Primary Attributes

Configuring GSS Primary Attributes

Configuring Catalyst 6500 VSS 1440 Primary Attributes

Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes

Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes

Configuring VMware vCenter Server Primary Attributes

Configuring CSM Primary Attributes

You can configure primary attributes for CSM devices.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the CSM that you want to configure, and then choose System > Primary Attributes.

The Primary Attributes window appears.

Step 3 In the Description field, enter a brief description of the module.

Step 4 Choose another CSM for high availability pairing from the Redundant Device field, which displays any other CSM devices that have been imported into ANM.

Step 5 Click Deploy Now to deploy this configuration on the CSM and save your entries to the running-configuration and startup-configuration files.

To exit this procedure without deploying your entries, choose another device in the device tree or in the object selector above the configuration pane.


Related Topics

Configuring Devices

Importing ACE Modules after the Host Chassis has been Imported

Configuring CSS Primary Attributes

You can configure primary attributes for CSS devices.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the CSS that you want to configure, and then choose System > Primary Attributes.

The Primary Attributes window appears with information about the device.

Step 3 Configure the CSS using the information in Table 5-12.


Note Most of the information is read directly from the device during the import process and cannot be changed using the ANM interface.


Table 5-12 CSS Primary Attributes Configuration Options 

Field
Description

Description

Brief description for this device.

Device Type

Read-only field that has the device type in gray.

Use Telnet

Read-only field that will be checked if the device was imported using Telnet.

IP Address

Read-only field with the device IP address.

Redundant Device

Field that displays any other CSS devices that have been imported into the ANM database.

Choose another CSS for high availability pairing.

SNMP v2c Enabled

Checkbox to enable SNMP version 2c access. Uncheck the checkbox to disable this feature.

If you enable this feature, in the SNMP Trap Community string field, enter the SNMP community string.

SNMP v3 Enabled

Checkbox to enable SNMP Version 3 access. Uncheck the checkbox to disable this feature.

If you enable this feature, do the following:

1. In the SNMP V3 User Name field, enter the SNMP username.

2. In the SNMP V3 Mode field, choose the level of security to be used when accessing the chassis:

NoAuthNoPriv—SNMP uses neither authentication nor encryption in its communications.

AuthNoPriv—SNMP uses authentication, but the data is not encrypted.

3. If you choose AuthNoPriv, do the following:

a. In the SNMP V3 Auth Proto field, choose MD5 or DES to specify the authentication mechanism.

b. In the SNMP V3 Auth Pass field, enter the user authentication password. Valid entries are unquoted text strings with no spaces and a maximum of 130 characters.

c. In the Confirm field, reenter the user authentication password.


Step 4 Click Deploy Now to deploy this configuration on the CSS and to save your entries to the running-configuration and startup-configuration files.

To exit this procedure without deploying your entries, choose another device in the device tree or in the object selector above the configuration pane.


Related Topics

Configuring Devices

Importing Network Devices into ANM

Configuring GSS Primary Attributes

You can configure primary attributes for Cisco Global Site Selector devices.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the GSS that you want to configure, and then choose System > Primary Attributes.

The Primary Attributes window appears with information about the device.

Step 3 Configure the GSS using the information in Table 5-13.

Table 5-13 GSS Primary Attributes Configuration Options 

Field
Description

Description

Brief description for this device.

Device Type

Read-only field that has the device type, in this case GSS, in gray.

IP Address

Device IP address.


Step 4 (Optional) To update the IP address and/or password for the GSS on the ANM server only, click Update IP Address/Password.

The Update IP Address/Password window appears.


Note The password changes are for the ANM server only. The Password/Enable password on the device will not be changed.


Enter new credentials in the Update IP Address/Password window using the information in Table 5-14.

Table 5-14 GSS Change IP Address and Password Options 

Field
Description

Old Primary IP Address

Read-only field displaying the device IP address.

New Primary IP Address

IP address that you wish to have GSS associated with on the server.

Update

Available password update choices are as follows:

Both—Update both the password and enable passwords.

Enable Password Only—Update only the enable password.

Password Only—Update only the password.

New Password

New password.

Confirm New Password

New password that you reenter.

New Enable Password

New enable password.

Confirm New Enable Password

New enable password that you reenter.


Step 5 Do one of the following:

Click OK to save any changes made to GSS server IP address or password to the ANM server.

Click Cancel.

You return to the Primary Attributes Page.

Step 6 Click Deploy Now to deploy this configuration save your entries to the gslb-configuration file.

To exit this procedure without deploying your entries, choose another device in the device tree or in the object selector above the configuration pane.


Related Topics

Configuring Devices

Importing ACE Appliances

Configuring Catalyst 6500 VSS 1440 Primary Attributes

You can configure primary attributes for VSS devices.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device you want to configure, then choose System > Primary Attributes. The Primary Attributes window appears with information about the chassis.

Most of the information is read directly from the device during the import process and cannot be changed using the ANM interface. For example, a VSS-enabled checkbox will display as a read-only field. You can, however, add a description and configure the device for SNMPv2 or SNMPv3 access.


Note For the ACE devices in VSS, the slot number is represented in the format switch number/slot number.


Step 3 In the Description field, enter a brief description for the device.

Step 4 To enable SNMPv2c access, do the following:

a. Check the SNMPv2c Enabled checkbox.

b. In the SNMP Trap Community string field, enter the SNMP community string.

Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the All Devices table.


Related Topics

Displaying Chassis Interfaces and Configuring High-Level Interface Attributes

Displaying Modules by Chassis

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes

You can configure primary attributes for Catalyst 6500 series chassis and Cisco 7600 series routers.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure, and choose System > Primary Attributes.

The Primary Attributes window appears.

Most of the information is read directly from the device during the import process and cannot be changed using the ANM interface. However, you can add a description and configure the device for SNMPv2 or SNMPv3 access.

Step 3 In the Description field, enter a brief description for the device.

Step 4 To enable SNMPv2c access, do the following:

a. Check the SNMPv2c Enabled checkbox.

b. In the SNMP Trap Community string field, enter the SNMP community string.

Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the All Devices table.


Related Topics

Displaying Chassis Interfaces and Configuring High-Level Interface Attributes

Displaying Modules by Chassis

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes

You can configure static routes for the Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers. Though interfaces can be shared across contexts, the ACE supports only static routes for virtual contexts. You can configure static routes for Catalyst 6500 series chassis, Catalyst 6500 Virtual Switching System (VSS) 1440 devices, and Cisco 7600 series routers.


Note After a device static route has been created, you can modify only its administrative distance.


Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure, and choose Network > Static Routes.

The Static Routes table appears.

Step 3 In the Static Routes table, click Add to configure a new static route for the device, or choose an existing static route, and click Edit to modify it.

The Static Routes configuration window appears.

Step 4 In the Destination Prefix field, enter the IP address for the route.

The address that you specify for the static route is the address that is in the packet before entering the ACE and performing network address translation.

Step 5 In the Destination Prefix Mask field, choose the subnet for the static route.

Step 6 In the Next Hop field, enter the IP address of the gateway router for the route.

The gateway address must be on the same network as a VLAN interface for the device.

Step 7 In the Admin Distance field, enter the administrative distance value of the route.

The administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination. The administrative distance is a measure of the trustworthiness of the source of the routing information.

A lower administrative distance value indicates that the protocol is more reliable. Valid entries are from 0 to 255, with lower numbers indicating greater reliability. For example, a static route has an administrative distance value of 1 while an unknown protocol has an administrative distance value of 255.

Table 5-15 lists default distance values of the protocols that Cisco supports.

Table 5-15 Cisco Default Distance Value Table 

Route Source
Administrative Distance Value

Connected interface

0

Static route

1

Enhanced Interior Gateway Routing Protocol (EIGRP) summary route

5

External Border Gateway Protocol (BGP)

20

Internal EIGRP

90

IGRP

100

OSPF (Open Shortest Path First)

110

Intermediate System-to-Intermediate System (IS-IS)

115

Routing Information Protocol (RIP)

120

Exterior Gateway Protocol (EGP)

140

On-Demand Routing (ODR)

160

External EIGRP

170

Internal BGP

200

Unknown

255


Step 8 Do one of the following:

Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Static Route table.

Click Cancel to exit the procedure without saving your entries and to return to the Static Route table.

Click Next to deploy your entries and to add another static route.


Related Topics

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Displaying All Device VLANs

Importing Network Devices into ANM

Configuring VMware vCenter Server Primary Attributes

You can configure the primary attributes for a selected VMware vCenter Server.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the VMware vCenter Server that you want to configure, and choose System > Primary Attributes.

The Primary Attributes window appears.

Step 3 In the Primary Attributes window, configure the VMware vCenter Server primary attributes as described in Table 5-16.

Table 5-16 VMware vCenter Server Primary Attributes

Item
Description

Description

Brief description for the VMware vCenter Server.

Version

VMware vCenter Server version number.

IP Address

IP address of the VMware vCenter Server.

HTTPS Port

Port number used by the VMware vCenter Server.

ANM vCenter Plug-in Registration Status

Current status of the ANM plug-in:

Registered

Not Registered

For more information about ANM plug-in registration or to change the plug-in registration status, see the "Registering or Unregistering the ANM Plug-in" section.

ANM IP Address

IP address of the ANM server.


Step 4 Click Deploy Now to deploy this configuration on the VMware vCenter Server and return to the All Devices table.


Related Topics

Importing VMware vCenter Servers

Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces

This section shows how to configure the interface attributes for the Catalyst 6500 series chassis or Cisco 7600 series router.

This section includes the following topics:

Displaying Chassis Interfaces and Configuring High-Level Interface Attributes

Configuring Access Ports

Configuring Trunk Ports

Configuring Switch Virtual Interfaces

Configuring Routed Ports

Displaying Chassis Interfaces and Configuring High-Level Interface Attributes

You can display a complete list of interfaces on a selected Catalyst 6500 series chassis or Cisco 7600 series router. From this display, you can configure the following high-level attributes for a specified interface: interface description, operating mode, and administrative state.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device, and choose Interfaces > Summary.

The Interfaces table appears, listing all interfaces on the device and related information as follows:

Interface name

Description, if available

Configured state, such as Up or Down

Current operational state, if known

Mode of operation, such as Access, Routed, or Trunk

Interface hardware type

Step 3 Choose the interface to configure, and click Edit.

The configuration window appears.

Step 4 Enter the following:

a. In the Description field, enter a brief description of the interface.

b. In the Administrative State field, choose Up or Down to indicate whether the port should be up or down.

c. In the Mode field, choose the operational mode of the interface: Trunk, Access, or Routed.

d. Click Apply to save your changes or Cancel to exit the procedure without saving your changes.

The Interfaces table appears.


Related Topics

Configuring Access Ports

Configuring Trunk Ports

Configuring Routed Ports

Configuring Switch Virtual Interfaces

Creating VLAN Groups

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Access Ports

You can configure access port attributes for a selected device. An access port receives and sends traffic in native formats with no VLAN tagging. Traffic that arrives on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged), the packet is dropped, and the source address is not learned.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure an access port for, and choose Interfaces > Access Ports.

The Interfaces table appears.

Step 3 From the Interfaces table, choose the port that you want to configure, and click Edit.

The Access Ports configuration window appears.

Step 4 In the Description field, enter a description for the port.

Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Step 5 In the Administrative State field, choose Up or Down to indicate whether the port should be up or down.

Step 6 In the Speed field, either specify the speed at which the interface is to operate or that the interface is to automatically negotiate its speed:

Auto—The interface is to automatically negotiate speed with the connected device.

10 Mbps—The interface is to operate at 10 Mbps.

100 Mbps—The interface is to operate at 100 Mbps.

1000 Mbps—The interface is to operate at 1000 Mbps.

Step 7 In the Duplex Mode field, specify whether the interface is to automatically negotiate its duplex mode or use full- or half-duplex mode:

Auto—The interface is to automatically negotiate duplex mode with the connected device.

Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time.

Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic.

Step 8 In the VLANs field, enter individual names for each VLAN to which the interface belongs.

The allowable range is 1 to 4094.

Step 9 Do one of the following:

Click Apply to save your entries and to return to the Interfaces table.

Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table.


Related Topics

Configuring Trunk Ports

Configuring Switch Virtual Interfaces

Configuring Routed Ports

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Trunk Ports

You can configure trunk ports for a selected device. A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. Two types of trunk ports are as follows:

In an Inter-Switch Link (ISL) trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (nontagged) frames received from an ISL trunk port are dropped.

An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default port VLAN ID or native VLAN, and all untagged traffic travels on the native VLAN. All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the native VLAN. A packet with a VLAN ID that is equal to the outgoing port native VLAN is sent untagged. All other traffic is sent with a VLAN tag.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Trunk Ports.

The Interfaces table appears.

Step 3 In the Interfaces table, choose the port that you want to configure, and click Edit.

The Trunk Port configuration window appears.

Step 4 Configure the port using the information in Table 5-17.

Table 5-17 Trunk Port Configuration Attributes 

Field
Description

Description

Description for the port. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Administrative State

Up or Down to indicate whether the port should be up or down.

Speed

Speed at which the interface is to operate or that the interface is to automatically negotiate its speed:

Auto—The interface is to automatically negotiate speed with the connected device.

10 Mbps—The interface is to operate at 10 Mbps.

100 Mbps—The interface is to operate at 100 Mbps.

1000 Mbps—The interface is to operate at 1000 Mbps.

Duplex Mode

Whether the interface is to automatically negotiate its duplex mode or use full-duplex or half-duplex mode:

Auto—The interface is to automatically negotiate duplex mode with the connected device.

Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time.

Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic.

Trunk Mode

How the interface is to interact with neighboring interfaces:

Dynamic—The interface is to convert a link to a trunk link if the neighboring interface is set to trunk or desirable mode.

Dynamic Desirable—The interface is to actively attempt to convert a link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.

Static—The interface is to enter permanent trunking mode and to negotiate converting a link into a trunk link. The interface becomes a trunk interface even if the neighboring interface does not change.

Desired Encapsulation

Type of encapsulation to be used on the trunk port:

Dot1Q—The interface is to use 802.1Q encapsulation.

Negotiate—The interface is to negotiate with the neighboring interface to use ISL (Inter-Switch Link) (preferred) or 802.1Q encapsulation, depending on the configuration and capabilities of the neighboring interface.

ISL—The interface is to use ISL encapsulation.

Native VLAN

VLAN to use as the native VLAN for the trunk in 802.1Q trunking mode. VLAN 1 (1) is the default native VLAN.

VLANs

VLANs to which the interface belongs (allowable range is 1-4094). You can also enter ranges of VLANs, such as 101-120, 130.

Prune VLANs

VLANs that can be pruned (allowable range is 1-4094). VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in this field. Only VLANs included in this field can be pruned. You can also specify ranges of VLANs that can be pruned, such as 75, 121-250, 351.


Step 5 Do one of the following:

Click Apply to save your entries and to return to the Interfaces table.

Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table.


Related Topics

Configuring Access Ports

Configuring Switch Virtual Interfaces

Configuring Routed Ports

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Switch Virtual Interfaces

You can configure a switch virtual interface on a Multilayer Switch Feature Card. A VLAN defined on the Multilayer Switch Feature Card (MSFC) is called a switch virtual interface (SVI). If you assign the VLAN used for the SVI to an ACE, then the MSFC routes between the ACE and other Layer 3 VLANs. By default, only one SVI can exist between an MSFC and an ACE. However, for multiple contexts, you might need to configure multiple SVIs for unique VLANs on each context.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Switched Virtual Interfaces.

The Interfaces table appears.

Step 3 In the Interfaces table, click Add to add a new SVI, or choose the interface you want to configure, and click Edit.

The Switched Virtual Interfaces configuration window appears.

Step 4 In the VLANs field, specify the VLAN to use in one of the following ways:

To specify a new VLAN, choose the first radio button, and then enter a new VLAN.

To choose an existing VLAN, choose the second radio button, and choose one of the existing VLANs.


Note You cannot modify a VLAN for an existing SVI.


Step 5 In the Description field, enter a description for the SVI. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Step 6 In the Administrative State field, choose Up or Down to indicate whether the SVI should be up or down.

Step 7 In the IP Address field, enter the IP address to be used for the interface on the MSFC in dotted-decimal format.

Step 8 In the Netmask field, choose the subnet mask to be used for the IP address.

Step 9 Do one of the following:

Click Apply to save your entries and to return to the Interfaces table.

Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table.


Related Topics

Configuring Access Ports

Configuring Trunk Ports

Configuring Routed Ports

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Routed Ports

You can configure routed ports on a specified device. A routed port is a physical port that acts like a port on a router; however, it does not have to be connected to a router. A routed port is not associated with a particular VLAN, as is an access port. A routed port behaves like a regular router interface, except that it does not support VLAN subinterfaces. Routed ports can be configured with a Layer 3 routing protocol. A routed port is a Layer 3 interface only and does not support Layer 2 protocols, such as Dynamic Trunking Protocol (DTP) and Spanning Tree Protocol (STP).

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Routed Ports.

The Interfaces table appears.

Step 3 In the Interfaces table, choose the interface that you want to configure, and click Edit.

The Routed Ports configuration window appears.

Step 4 In the Description field, enter a description for the interface. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Step 5 In the Administrative State field, choose Up or Down to indicate whether the interface should be up or down.

Step 6 In the Speed field, either specify the speed at which the interface is to operate or that the interface is to automatically negotiate its speed:

Auto—The interface is to automatically negotiate speed with the connected device.

10 Mbps—The interface is to operate at 10 Mbps.

100 Mbps—The interface is to operate at 100 Mbps.

1000 Mbps—The interface is to operate at 1000 Mbps.

Step 7 In the Duplex Mode field, specify whether the interface is to automatically negotiate its duplex mode, or use full- or half-duplex mode:

Auto—The interface is to automatically negotiate duplex mode with the connected device.

Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time.

Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic.

Step 8 In the IP Address field, enter the IP address to be used for the interface in dotted-decimal format.

Step 9 In the Netmask field, choose the subnet mask to be used for the IP address.

Step 10 Do one of the following:

Click Apply to apply your entries and to return to the Interfaces table.

Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table.


Related Topics

Configuring Trunk Ports

Configuring Switch Virtual Interfaces

Configuring Access Ports

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

You can add a VLANs and VLAN groups to a Catalyst 6500 series chassis or Cisco 7600 series router that you use when configuring the interfaces for an installed ACE module, which does not have any external physical interfaces. Instead, the ACE module uses internal VLAN interfaces. For information about configuring VLANs for use with virtual contexts, see the "Configuring Virtual Context VLAN Interfaces" section. For more information about VLANs and their use with ACE modules, see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide.

This section includes the following topics:

Adding Device VLANs

Displaying All Device VLANs

Configuring Device Layer 3 VLANs

Configuring Device Layer 2 VLANs

Displaying All Device VLANs

Creating VLAN Groups

Adding Device VLANs

You can add a VLAN to a Catalyst 6500 series chassis or Cisco 7600 series router.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure, and choose VLANs > Layer 2 or VLANs > Layer 3.

The VLANs table appears.

Step 3 From the VLANs table, click Add.

The VLAN configuration window appears.

Step 4 Configure the VLAN using the information in Table 5-18.

Table 5-18 Device VLAN Configuration Attributes 

Field
Description

VLAN

Unique identifier for the VLAN. Valid entries are from 1 to 4094.

Name

Name for the VLAN.

Description

Description for the VLAN. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Access Ports

Access ports. From the Available Items list, click Add.To remove a port that you do not want to use, choose the port from the Selected Items list, and click Remove.

Trunk Ports

Trunk ports. From the Available Items list, click Add.To remove a port that you do not want to use, choose the port from the Selected Items list, and click Remove.

VTP Domain

Name of the VTP domain to which the VLAN belongs.

A VTP domain is made up of one or more interconnected network devices that share the same VTP domain name. A network device can be configured to be in one and only one VTP domain.

IP Address

Field that appears for Layer 3 VLANs only.

Enter the IP address to be used for the VLAN interface. Enter the IP address in dotted-decimal notation, such as 192.168.1.1.

Mask

Field that appears for Layer 3 VLANs only.

Choose the subnet mask to apply to the IP address.


Step 5 Do one of the following:

Click Apply to apply your entries and to return to the VLAN Management table.

Click Cancel to exit the procedure without saving your entries and to return to the VLAN Management table.


Related Topics

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Device Layer 2 VLANs

Configuring Device Layer 3 VLANs

Displaying All Device VLANs

Creating VLAN Groups

Displaying All Device VLANs

You can display all configured VLANs on a Catalyst 6500 series chassis or Cisco 7600 series router.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device with VLANs that you want to display, and choose VLANs > Summary.

The VLANs table appears, listing all VLANs on the selected chassis and related information:

VLAN number

Name given to the VLAN

VLAN type, such as Layer 2 or Layer 3

Number of access ports

Number of trunk ports

VLAN Trunking Protocol (VTP) domain to which the VLAN belongs


Related Topics

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Device Layer 2 VLANs

Configuring Device Layer 3 VLANs

Displaying All Device VLANs

Creating VLAN Groups

Configuring Device Layer 2 VLANs

You can add or modify a Layer 2 VLAN on a Catalyst 6500 series chassis or Cisco 7600 series router.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure a Layer 2 VLAN for, and choose VLANs > Layer 2.

The VLANs table appears, listing all Layer 2 VLANs associated with the chassis.

Step 3 Click Add to add a new VLAN, or choose an existing VLAN, and then click Edit to modify it.

The VLAN configuration window appears.

Step 4 Configure the VLAN using the information in Table 5-18.

Step 5 Do one of the following:

Click Apply to apply your entries and to return to the VLAN Management table.

Click Cancel to exit the procedure without saving your entries and to return to the VLAN Management table.


Related Topics

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Adding Device VLANs

Configuring Device Layer 3 VLANs

Displaying All Device VLANs

Creating VLAN Groups

Configuring Device Layer 3 VLANs

You can add or modify a Layer 3 VLAN on a Catalyst 6500 series chassis or Cisco 7600 series router.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to configure a Layer 3 VLAN for, and choose VLANs > Layer 3.

The VLANs table appears, listing all Layer 3 VLANs associated with the chassis.

Step 3 In the VLANs table, click Add to add a new VLAN, or choose an existing VLAN, and click Edit to modify it.

The VLAN configuration window appears.

Step 4 Configure the VLAN using the information in Table 5-18.

Step 5 Do one of the following:

Click Apply to apply your entries and to return to the VLAN Management table.

Click Cancel to exit the procedure without saving your entries and to return to the VLAN Management table.


Related Topics

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Information About Virtual Contexts

Modifying Device VLANs

You can modify VLANs for a specific device.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device with the VLAN that you want to modify, and choose VLANs > Layer 2 or VLANs > Layer 3.

The VLANs table appears.

Step 3 Choose the VLAN you want to modify, and then click Edit.

The VLAN configuration window appears.

Step 4 Modify the VLAN configuration using the information in Table 5-18.

Step 5 Do one of the following:

Click Apply to save your entries and to return to the VLANs table.

Click Cancel to exit the procedure without saving your entries and to return to the VLANs table.


Related Topics

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Displaying All Device VLANs

Adding Device VLANs

Creating VLAN Groups

Creating VLAN Groups

You can create VLAN groups on a Catalyst 6500 series chassis or Cisco 7600 series router and assign each group an ACE module. For an ACE module to receive traffic from the Catalyst supervisor module and VSS devices, you must create VLAN groups on the supervisor module, and then assign the groups to the ACE module. When the VLANs are configured on the supervisor module to the ACE module, you can configure the VLANs on the ACE module.

You cannot assign the same VLAN to multiple groups; however, you can assign multiple groups to an ACE module. VLANs that you want to assign to multiple ACE modules, for example, can reside in a separate group from VLANs that are unique to each ACE module.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the device that you want to create a VLAN group for, and choose VLANs > Groups.

The Groups table appears.

Step 3 Click Add to add a new VLAN group, or choose an existing VLAN group, and click Edit to modify it.

The Groups configuration window appears.

Step 4 In the VLAN Group Id field, enter a unique numerical identifier for the VLAN group.

Valid entries are unquoted number strings with any value between 1-65535. Available Module Slot numbers will appear underneath this field.

Step 5 In the Module Slot Numbers field, select the ACE module(s) that you want to associate with the VLAN group.

Step 6 Double click or the number, or single click the arrow to the right of the Available Modules field for the slot numbers to the Selected field.

Step 7 In the VLANs field, enter the VLANs to be included in the VLAN group. Valid entries are individual names for each VLAN or ranges of VLANs (allowable range is 1-4094), such as 10, 50-110.

Step 8 Do one of the following:

Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Groups table.

Click Cancel to exit the procedure without saving your entries and to return to the Groups table.

Click Next to deploy your entries and to add another VLAN group.


Related Topics

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Configuring Device Layer 3 VLANs

Configuring Device Layer 2 VLANs

Displaying All Device VLANs

Configuring ACE Module and Appliance Role-Based Access Controls

ANM provides an interface to allow you to configure device Role-Based Access Control (RBAC) on the device only. The RBAC feature applies to ACE modules and appliances only and is applicable only on the device and is not enforced by ANM. If you want to set up authorization in ANM, go to Admin > Role-Based Access Control.

This section includes the following topics:

Configuring Device RBAC Users

Configuring Device RBAC Roles

Configuring Device RBAC Domains

Configuring Device RBAC Users

ANM provides an interface that allows you to configure user access to your device through role-based access controls on the device only. This configuration is applicable only on the device and will not be enforced by ANM.

Use the Role-Based Access Control feature to specify the people that are allowed to log onto a device.

This section includes the following topics:

Guidelines for Managing Users

Displaying a List of Device Users

Configuring Device User Accounts

Modifying Device User Accounts

Deleting Device User Accounts

Guidelines for Managing Users

Follow these guidelines for managing users:

For users that you create in the Admin context, the default scope of access is for the entire ACE.

If you do not assign a role to a new user, the default user role is Network-Monitor. For users that you create in other contexts, the default scope of access is the entire context.

Users cannot log in until they are associated with a domain and a user role.

You cannot delete roles and domains that are associated with an existing user.

Related Topics

Configuring Device RBAC Users

Configuring ACE Module and Appliance Role-Based Access Controls

Displaying a List of Device Users

You can display of list of users that can access an ACE context.

Procedure


Step 1 Choose Config > Devices > context  > Role-Based Access Control > Users.

The Users table appears with the following fields:

User Name

Expiry Date

Role

Domains

Step 2 (Optional) You can use the options in this window to create a new user or modify or delete any existing user to which you have access (see Table 5-19).


Related Topics

Configuring Device RBAC Users

Configuring ACE Module and Appliance Role-Based Access Controls

Configuring Device User Accounts

You can add or modify a user account in a selected ACE context.


Note This configuration is applicable only on the device or building block and is not enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Users.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Users.

A list of users appears.

Step 2 In the Users table, click Add to add a new user, or choose the user that you want to configure and click Edit.

The Users configuration window appears.

Step 3 Configure the user attributes using the information in Table 5-19.

Table 5-19 User Attributes 

Field
Description

User Name

Name by which the user is to be identified (up to 24 characters). Only letters, numbers, and an underscore can be used. The field is case sensitive.

Expiry Date

Date that user account expires (optional).

Password Entered As

Password for this user account. You can choose Clear Text or Encrypted Text.

Password

Password for the user account.

Confirm Password

Password for this account that you reenter.

Encryption

Password in either clear or encrypted text.

Role

Role that you customize or accept as an existing role. To enter the Role for this user, see the "Configuring Device User Roles" section. See Table 5-20 for details about setting up new roles.

Domains

Domains to which this user belongs. Use the Add and Remove buttons.


Step 4 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

The Users table appears.


Related Topics

Configuring Device RBAC Users

Configuring ACE Module and Appliance Role-Based Access Controls

Modifying Device User Accounts

You can modify an existing user account in a selected ACE context.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Users.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Users.

A table of users, expiration dates, roles, and domains appears.

Step 2 Choose the user account that you want to modify.

Step 3 Click Edit.

Step 4 Modify any of the attributes in the table (see Table 5-19).

Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

The Users table appears.


Related Topics

Configuring Device RBAC Users

Configuring ACE Module and Appliance Role-Based Access Controls

Deleting Device User Accounts

You can delete an existing device RBAC user account in a selected ACE context.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Users.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Users.

A table of users, roles, and domains appears.

Step 2 In the table, choose the user account to delete, and click Delete.

A confirmation window appears.

Step 3 In the confirmation window, do one of the following:

Click OK to remove the user account from the ANM database and return to the Users table.

Click Cancel to return to the Users table without deleting the user account.


Related Topics

Configuring Device RBAC Users

Configuring ACE Module and Appliance Role-Based Access Controls

Configuring Device RBAC Roles

This section shows how to configure RBAC roles and includes the following topics:

Guidelines for Managing User Roles

Role Mapping in Device RBAC

Configuring Device User Roles

Modifying Device User Roles

Deleting Device User Roles

Guidelines for Managing User Roles

Follow these guidelines to manage user roles:

Administrators can view and modify all roles.

Other users can view only the roles assigned to them.

You cannot change the default roles.

Role permissions are different based on whether they were created in either an Admin context or in a user context. If you want to allow users to switch between contexts, ensure that they have a predefined role. If you want to restrict a user to only their home context, assign them a customized user role.

Certain role features are available only to default roles, for example, an Admin role in the Admin context would have changeto and system permissions to perform tasks such as license management, resource class management, HA setup, and so on. User-created roles cannot use these features.

Related Topics

Role Mapping in Device RBAC

Controlling Access to Cisco ANM

Configuring Device RBAC Users

Configuring Device RBAC Roles

Configuring Device RBAC Domains

How ANM Handles Role-Based Access Control

Role Mapping in Device RBAC

When you are logged into a specific device RBAC, you see the tasks that you have been given permission to access. Features and menus that are not applicable for your role will not display.

Since the predefined roles encompass all the role types you may need, we encourage you to use them. If you choose to define your own roles, be aware that rules features are not a one-to-one mapping from a CLI feature to ANM menu task.

Defining the proper rules for your user-defined role will require you to create a mapping between the features in Device RBAC and the ANM menu tasks. For example, in order to manage virtual servers, you must choose the following six menu features (Real Servers, Server Farms, VIP, Probes, Loadbalance, NAT, and Interface) in your role.


Note Certain features in ANM do not have a corresponding feature mapping on the CLI. For example, class maps and SNMP do not have a corresponding feature mapping. To modify these features, you need to choose a predefined role that a contains at least one feature with the Modify permission on it.


Related Topics

How ANM Handles Role-Based Access Control

Understanding Roles

Configuring Device User Roles

You can edit the predefined roles, or you can create or edit user-defined roles. When you create a new role, you specify a name and description of the new role, and then choose the operations privileges for each task. You can also assign this role to one or more users.


Note This configuration is applicable only on the device or building block and will not be enforced by the ANM. To manipulate the ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles.

A table of the defined roles and their settings appears.

Step 2 In the table, choose the type of configuration that you want to perform as follows:

To add a new role, click Add, enter the attributes described in Table 5-20, and then click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Table 5-20 Role Attributes 

Attribute
Description

Name

Name of the role.

Description

Brief description of the role.


To edit an existing role, choose the role, and click Edit.

The Roles configuration window appears.

Step 3 Click Edit.

The Rule table appears.

Step 4 In the Rule table, click Add to create rules for this role, or choose the rule that you want to configure, and click Edit.

See Table 5-21 for rule attribute descriptions.

Table 5-21 Rule Attributes 

Attribute
Description

Rule Number

Number assigned to this rule.

Permission

Permit or deny the specified operation.

Operation

Create, debug, modify1 , and monitor the specified feature.

Feature

AAA, Access List, Change To Context, Config Copy, Connection, DHCP, Exec-Commands, Fault Tolerant, Inspect, Interface, Load Balance, NAT, PKI, Probe, Real Inservice, Routing, Real Server, Server Farm, SSL2 , Sticky, Syslog, and VIP.

The Changeto feature allows you to move from the Admin context to another virtual context and maintain the same role with the same privileges in the new context that you had in the Admin context. This feature applies only to the Admin context and to the following ACE software versions:

ACE module software Version A2(1.3) and later releases.

ACE appliance software Version A3(2.2) and later releases.

The Exec-commands feature enables all default custom role commands in the ACE. The default custom role commands are capture, debug, gunzip, mkdir, move, rmkdir, tac-pac, untar, write, and undebug. This feature applies to both Admin and user contexts and to the following ACE software versions:

ACE module software Version A2(1.3) and later releases.

ACE appliance software Version A3(2.2) and later releases.

1 Certain features are not available for certain operations. For modify, the following features cannot be used: Changeto, config-copy, DHCP, Exec-commands, NAT, real-inservice, routing, and syslog.

2 For all SSL-related operations, a user with a custom role should include the following two rules: A rule that includes the SSL feature, and a rule that includes the PKI feature.


Step 5 Click Deploy Now to update the rule for this role or click Next to deploy this rule and move to another rule.

Step 6 Click Deploy Now to update this role and save this configuration to the running-configuration and startup-configuration files.


Related Topics

Configuring Device RBAC Roles

Configuring ACE Module and Appliance Role-Based Access Controls

Modifying Device User Roles

You can modify any user-defined role.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles.

A table of the defined roles and their settings appears.

Step 2 In the table, choose the role that you want to modify.

Step 3 Click Edit. For details on updating role rules, see Table 5-21.

Step 4 Make the changes.

For details on updating role rules, see the "Adding, Editing, or Deleting Rules" section.

Step 5 Click Deploy Now to update the rules for this role and save this configuration to the running-configuration and startup-configuration files.


Related Topics

Configuring Device RBAC Roles

Configuring ACE Module and Appliance Role-Based Access Controls

Deleting Device User Roles

You can delete any user-defined roles.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles.

The Roles table appears.

Step 2 In the Roles table, choose the role to delete, and click Delete.

Step 3 Click OK to confirm the deletion.

Users that have the deleted role no longer have that access.


Related Topics

Configuring Device RBAC Roles

Configuring ACE Module and Appliance Role-Based Access Controls

Adding, Editing, or Deleting Rules

You can change or delete rules to redefine what feature access a specific role contains.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 After selecting the user-defined role, click Edit.

The Rule window appears.

Step 2 Do one of the following:

To create a new rule, click Add. Enter the rule information (see Table 5-21), and then click Deploy Now to add the rule or Next to deploy this rule and add another rule.

To change an existing rule, choose a rule and click Edit. Click Deploy Now to save this rule to the running-configuration and startup-configuration files.

To remove rules from a role, choose the rules to remove, and click Delete. Click OK to confirm its deletion.

Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.


Related Topics

Configuring Device RBAC Roles

Configuring ACE Module and Appliance Role-Based Access Controls

Configuring Device RBAC Domains

You can configure device RBAC domains.

This section includes the following topics:

Guidelines for Managing Domains

Displaying Domains for a Device

Configuring Device Domains

Modifying Device Domains

Deleting Device Domains

Related Topics

Information About Device Management

How ANM Handles Role-Based Access Control

Configuring ACE Module and Appliance Role-Based Access Controls

Guidelines for Managing Domains

Follow these guidelines for managing domains:

Devices and their components must already be configured in order for them to be added to a domain.

Domains are logical concepts. You do not delete a member of a domain when you delete the domain.

The predefined default domain cannot be modified or deleted.

Normally, a user is associated with the default domain, which allows the user to see all configurations within the context. When a user is configured with a customized domain, then the user can see only what is in the domain.

Related Topics

Configuring Device RBAC Domains

Configuring ACE Module and Appliance Role-Based Access Controls

Displaying Domains for a Device

You can display domains for a device.


Note Your user role determines whether you can use this option.


Procedure


Step 1 Choose the item to view:

To view a domain for the device's virtual context, choose Config > Devices > context > Device RBAC > Domains.

To view a domain for a configuration building block, choose Config > Global > Building Blocks > building block > Role-Based Access Control > Domains.

The Domains table appears.

Step 2 Expand the Domains table until you can see all the network domains.

Step 3 Choose a domain to display the settings for that domain.

You can also perform these tasks from this window:

Configuring Device Domains

Modifying Device Domains

Deleting Device Domains


Related Topics

Configuring Device RBAC Domains

Configuring ACE Module and Appliance Role-Based Access Controls

Configuring Device Domains

You can add or modify domains on a selected device, such as a Catalyst 6500 series chassis.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains.

The Domains table appears.

Step 2 In the Domains table, choose the type of configuration that you want to perform:

To add a new domain, click Add, enter the Domain Name, and then click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

To edit a domain, choose the domain that you want to configure, and then click Edit.

The Domain Object field appears below the Domain Name in the content area.

Step 3 Click Edit to enter the Domain Object table.

Step 4 In the Domain Object table, choose the type of configuration that you want to perform:

Click Add to create domain objects for this domain. See Table 5-22 for Domain Object attributes.

To remove an object, choose the object that you want to remove, and then click Delete.

Table 5-22 Domain Attributes 

Field
Description

Name

Field that appears when any specific object type is selected. Name of an existing object defined.

All Objects

Collection of objects in this domain. The following options may be available depending on your virtual context:

All

Access List EtherType

Access List Extended

Class Map

Interface VLAN

Interface BVI

Parameter Map

Policy Map

Probe

Real Server

Script

Server Farm

Sticky


Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

The Domains Edit window updates and displays the total object number next to the object name.


Related Topics

Configuring Device RBAC Domains

Configuring ACE Module and Appliance Role-Based Access Controls

Modifying Device Domains

You can change the settings in a domain.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains.

Step 2 Choose the domain that you want to edit.

Step 3 Click Edit.

The Edit Domain window appears.

Step 4 Edit the object fields (see Table 5-22).

Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.


Related Topics

Configuring Device RBAC Domains

Configuring ACE Module and Appliance Role-Based Access Controls

Deleting Device Domains

You can delete a network domain from ANM, and all the devices and subdomains that it contains.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control.


Procedure


Step 1 Choose the item to configure:

To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains.

To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains.

The Domains table appears.

Step 2 In the Domains table, choose the domain that you want to delete.

Step 3 Click Delete.

A prompt asks you to confirm this action.

Step 4 Click OK.

The domain is removed from the ANM database.


Related Topics

Configuring Device RBAC Domains

Configuring ACE Module and Appliance Role-Based Access Controls

Managing Devices

This section describes how to manage devices.

This section includes the following topics:

Synchronizing Device Configurations

Mapping Real Servers to VMware Virtual Machines

Instructing ANM to Recognize an ACE Module Software Upgrade

Configuring User-Defined Groups

Changing Device Credentials

Changing ACE Module Passwords

Restarting Device Polling

Displaying All Devices

Displaying Modules by Chassis

Removing Modules from the ANM Database

Synchronizing Device Configurations

ANM provides three levels of synchronization. You can choose to synchronize from the device to ANM as follows:

From the chassis level—Use this level when you want to synchronize Catalyst 6500 series chassis and module updates. See the "Synchronizing Chassis Configurations" section.

From the ACE module level—Use this level when you want to synchronize changes to your ACE or CSM modules, such as new virtual contexts. See the "Synchronizing Module Configurations" section.

From the virtual context level —Use this level in the Admin context to synchronize all current and new virtual contexts or at the user context level to synchronize a specific user context. See the "Synchronizing Virtual Context Configurations" section.


Caution If you see a difference in device information between what ANM displays and what you see by directly accessing the device through the CLI, ANM displays the data that is the least accurate. This condition can occur when the device is modified outside of ANM by using the CLI. We recommend that you synchronize the network devices up to the ANM using the synchronization option, which makes the ANM data more accurate.

Synchronizing Chassis Configurations

You can manually synchronize the configuration for Catalyst 6500 series switches, CSS devices, GSS devices and ACE appliances when there have been changes to a device that are not tracked in ANM.


Note ANM does not support auto synchronization for the Catalyst 6500 series switches, Cisco 7600 series routers, CSM, CSS, VSS devices. Be sure to synchronize configurations on these devices after import, and whenever their configurations have been modified through the CLI. ANM supports this feature for GSS software version 4.1(2).


The following require synchronization:

Upgrading chassis hardware or software

Adding new modules to the chassis

Removing a module from a chassis

Rearranging modules within the chassis

Upgrading module software

Changing the chassis configuration using the CLI instead of the ANM

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the device with the configuration that you want to synchronize, and click CLI Sync.

A popup confirmation window appears asking you to confirm the synchronization.

Step 3 In the confirmation window, click OK to synchronize the configuration or Cancel to cancel the synchronization.

ANM displays the status while synchronization is in progress and returns to the All Devices table when synchronization is complete.


Related Topics

Configuring Devices

Synchronizing Module Configurations

Restarting Device Polling

Synchronizing Module Configurations

You can synchronize configurations for ACE modules or CSM modules when changes are made that have not been tracked in ANM.

The following module changes require synchronization:

Upgrading module software

Changing the module configuration using the CLI instead of the ANM

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the chassis that contains the module with the configuration that you want to synchronize, and click Modules.

The Modules table appears.

Step 3 In the Modules table, choose the module with the configuration you want to synchronize, and click Sync.

A popup confirmation window appears asking you to confirm the synchronization.

Step 4 In the confirmation window, click OK to synchronize the configuration or Cancel to cancel the synchronization.

ANM displays the status while synchronization is in progress and returns to the Modules table when synchronization is complete.


Related Topics

Configuring Devices

Managing Devices

Synchronizing Device Configurations

Mapping Real Servers to VMware Virtual Machines

This section describes how ANM maps ACE, CSS, CSM, or CSM-S real servers to VMware vCenter Server VMs when you integrate ANM with a VMware virtual data center. This section also shows how you can display and manage the mappings associated with a VMware vCenter Server.


Note To map a real server to a VM, the real server must be associated with a server farm (see the "Configuring Server Farms" section).


ANM uses the following methods to map a real server to a VM:

IP Match—ANM matching the real server IP addresses to the VM IP address. This is the default mapping method that ANM uses and requires the following items:

Before you import a VMware vCenter Server into ANM along with its associated VMs, configure a real server in ANM for each VM about to be imported with the vCenter Server. Configure each real server with the IP address of a VM. For more information, see the "Configuring Real Servers" section and the "Importing VMware vCenter Servers" section.

ANM must be able to determine the IP address of a VM, which is accomplished by installing VMware Tools on the guest operating system (OS) of the VM.

Name Match—ANM matches the real server name to the VM name. This is the backup mapping method that ANM uses if it cannot match any IP address for the VM. This method requires consistent use of the device names throughout the network.


Note For the CSM and CSM-S, the VM name must be in uppercase because the CSM and CSM-S real server names are always in upper case and the mapping is case sensitive though the CSM and CSM-S is case insensitive. From vSphere Client, you can change a VM name to uppercase by right-clicking on the VM in the VM tree and choosing Rename.


Override—You specify the real server-to-VM mapping.

Ignore—ANM ignores any mapping method.

ANM can detect when VMs are added or deleted to a VMware vCenter Server by listening to the server events or by polling the server. When a new VM is detected, ANM uses the IP match method to try and match the new VM with a real server.

Prerequisites

This topic includes the following prerequisites:

Import the VMware vCenter Server into ANM (see the "Importing VMware vCenter Servers" section).

Register the ANM plug-in with the VMware vCenter Servers that you want to view and manage.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the VMware vCenter Server that contains the VMs that you want to display and map.

The Primary Attribute table appears.

Step 3 Click VM Mappings.

The VM Mappings table appears. Table 5-3 describes the information that displays in the VM Mappings table.

Table 5-23 VM Mappings Table 

Item
Description

VM Name

Name of the VM associated with the selected VMware vCenter Server.

IP Address(es)

IP address of the VM.

Full Path

Path of the VM on the VMware vCenter Server.

Rule Currently Applied

Mapping rule applied: IP Match, Name Match, Override, or Ignore. This field is blank if ANM is unable to find a real server match for the VM. You can manually map a real server to the VM using the Edit Mapping feature (see Step 5).

ACE Real Server(s)

ACE real server that the VM maps to on ANM.

Note the following:

This field is blank if ANM is unable to find a real server match for the VM. You can manually map a real server to the VM using the Edit Mapping feature (see Step 5).

If the VM has been deleted in the vCenter Server but ANM still has the mapping, a delete icon (red circle with an "x") appears at the end of the real server ID. Click the icon to remove the mapping from the table.

Last Updated Time

Timestamp when the mapping information was obtained.



Note If the VM Mappings window does not display or a VM name contains hex values rather than certain special characters, these conditions indicate that VM names associated with a vCenter Server that you imported in to ANM contain special characters that ANM does not recognize. For example, a VM name that contains a double quote (") prevents ANM from displaying the VM Mappings window. If a VM name contains a percent sign (%), backslash (\), or forward slash (/), ANM displays the VM name in the VM Mappings window; however, these special characters display as hex values (%25 for %, %5c for \, and %2f for /).

To correct these issues, remove the special characters from the VM names and then manually perform a CLI synchronization (see Step 4).


Step 4 (Optional) To update the displayed real server to VM mapping information, manually perform a CLI synchronization with the vCenter Server as follows:

a. Choose Config > Devices > All Devices. The All Devices table appears.

b. From the All Devices table, click the radio button associated with the desired vCenter Server.

c. Click CLI Sync.


Note You must perform this step to update the display if you import a Cisco device after you import an associated vCenter Server.


Step 5 (Optional) To change the mapping rule applied to a VM, in the VM Mappings window, check the checkbox next to the VM names to edit and click Edit Mappings.

The VM Mappings edit window appears, providing a list of the selected VMs and the mapping rule options.

Step 6 From the VM Mappings edit window, choose one of the following options from the Mapping Rule drop-down list:

IP Match—Map the VMs to ACE real servers based on matching IP addresses. Skip to Step 8.

Name Match—Map the VMs to ACE real servers based on matching device names. Skip to Step 8.

Ignore—Ignore any mapping rule and do not map the VM to an ACE real server. Skip to Step 8.

Override—Map the VMs the specified ACE real servers. This option is available only when you have one VM selected from the All Devices table (see Step 2). When you choose Override, ANM displays the Select Real Server(s) table of available ACE real servers that includes the device information, real server name, IP address, port number, and server farm to which the real server belongs.

Step 7 If you chose the Override mapping rule, do one or both of the following:

Check the checkbox next to the real servers to map the selected real servers to the VM. To select all of the available real servers, check the Device checkbox located at the top of the table.

Click Add to add a new real server. The Add a Real Server popup window appears. Define the new real server as described in Table 5-24 and click Deploy Now.

Table 5-24 Adding a Real Server for VM Mapping

Item
Description

Real Server Name

Unique name for this server or accept the automatically incremented value in this field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

Real Server IP Address

Unique IP address in dotted-decimal format (such as 192.168.11.1). The IP address cannot be an existing virtual IP address (VIP).

Real Server Port

Port used for communication with the real server.

Real Server Weight

Weight to be assigned to this real server in a server farm. Valid entries are from 1 to 100, and the default is 8.

Real Server State

State of the real server when deployed:

In Service—The real server is in service.

Out Of Service—The real server is out of service.

ACE Virtual Context

Virtual context that is associated with the real server.

Serverfarm

Server farm to which the real server belongs.

Virtual Servers

Virtual server that is associated with the real server.


Step 8 In the VM Mappings window, click OK to save the new mapping rule or Cancel to cancel the change.


Related Topics

Configuring Real Servers

Importing VMware vCenter Servers

Configuring VMware vCenter Server Primary Attributes

Instructing ANM to Recognize an ACE Module Software Upgrade

When you upgrade the software of an ACE module that has been imported to the ANM database, perform the procedure outlined in this section to enable ANM to recognize the updated release and display features and functions in the ANM GUI that are appropriate for the ACE module software upgrade.

For example, if an imported ACE module contains software Version A2(2.1), and you wish to upgrade to software Version A2(3.0) to take advantage of features such as backup and restore, you must perform the steps outlined below to instruct ANM to recognize the upgraded ACE module software version and display the features and functions associated with this release. If you do not instruct ANM to recognize an ACE module software upgrade, the ACE module import will occur without issue but the new features and functions associated a specific ACE module software release will not appear in the ANM GUI.

Procedure


Step 1 After you upgrade an ACE module software image, perform a CLI sync on the module's host device (see the "Synchronizing Chassis Configurations" section).

Step 2 After you complete the CLI sync, whenever ANM detects an upgrade on an imported ACE module, ANM issues a warning to instruct you to perform a CLI sync on the ACE module to recognize the upgrade. Perform the procedure described in the "Synchronizing Module Configurations" section.

The ACE software upgrade sequence is completed.


Configuring User-Defined Groups

You can create logical groupings of virtual contexts or chassis for ease of management. These logical groups are known as user-defined groups and appear in the device tree (Config > Devices) in the folder named Groups for quick access.

Users can create their own groups, add and remove members, and assign group names that suit their environment and are meaningful to them.

This section includes the following topics:

Adding a User-Defined Group

Modifying a User-Defined Group

Duplicating a User-Defined Group

Deleting a User-Defined Group


Note Device groups continue to display device information even after you remove that device from ANM, which allows the device group information to be easily reassociated if you reimport the device. The device name must remain the same.


Adding a User-Defined Group

You can add a user-defined group.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose Groups.

The Groups table appears.

Step 3 Click Add to add a new group, or choose an existing group, and click Edit to modify it.

The Group configuration window appears.

Step 4 In the Name field of the Group configuration window, enter a unique name for this group.

Valid entries are unquoted text strings with no spaces and a maximum of 26 alphanumeric characters.

The window identifies the objects by type and provides a search field for each:

Virtual Context Members

Device Members

Module Members

CSM Members

Step 5 To add objects to the group, for each object type, choose the object in the Available Items list, and click Add.

The selected objects appear in the Selected Items list.

To remove objects that you do not want to include, choose the objects in the Selected Items list, and click Remove. The items then appear in the Available Items list.

To search for specific objects, enter a search string that contains the object name or part of the object name in the Search field, and then click Search. The Available Items list refreshes with the objects that meet the search criteria.

Step 6 In the Description field, enter a description for this group.

Step 7 Do one of the following:

Click Save to accept your entries and to return to the Groups table.

Click Cancel to exit this procedure without saving your entries and to return to the Groups table.


Related Topics

Configuring User-Defined Groups

Modifying a User-Defined Group

Duplicating a User-Defined Group

Deleting a User-Defined Group

Modifying a User-Defined Group

You can change the members or the description of a user-defined group. You cannot change the name of an existing user-defined group.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, click Groups.

The Groups table appears.

Step 3 In the Groups table, choose the group that you want to modify, and click Edit.

The Group configuration window appears.

Step 4 In each Members field of the Group configuration window, add or remove group members as follows:

Choose the items that you want to add to this group in the Available Items list, and click Add.

Choose the items that you want to remove from this group in the Selected Items list, and click Remove.

Step 5 In the Description field, modify the description as needed.

Step 6 Do one of the following:

Click Save to accept your entries and to return to the Groups table.

Click Cancel to exit this procedure without saving your entries and to return to the Groups table.


Related Topics

Configuring User-Defined Groups

Adding a User-Defined Group

Duplicating a User-Defined Group

Deleting a User-Defined Group

Duplicating a User-Defined Group

You can duplicate a user-defined group.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, click Groups.

The Groups table appears.

Step 3 In the Groups table, choose the user-defined group that you want to duplicate, and click Duplicate.

A popup window appears asking you to enter a new name.

Step 4 In the popup window, type the new group name, and click OK.

The Groups table refreshes and the duplicated group name appears in the list.


Related Topics

Configuring User-Defined Groups

Adding a User-Defined Group

Modifying a User-Defined Group

Deleting a User-Defined Group

Deleting a User-Defined Group

You can delete a user-defined group.

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, click Groups.

The Groups table appears.

Step 3 In the Groups table, choose the user-defined group that you want to remove, and click Delete.

A popup confirmation window appears asking you to confirm the deletion.

Step 4 In the popup confirmation window, do one of the following:

Click OK to delete the selected user-defined group.

The Groups table refreshes and the deleted group no longer appears.

Click Cancel to exit this procedure without deleting the group.

The Groups table refreshes.


Related Topics

Configuring User-Defined Groups

Adding a User-Defined Group

Modifying a User-Defined Group

Duplicating a User-Defined Group

Changing Device Credentials

You can change the credentials associated with a device managed by ANM. Each device that you import into ANM has a device username and password associated with it that ANM uses to access the device. Some device types, such as the GSS, also have a device enable password associated with them. From ANM, you can change the device credentials in the ANM database to match a change made to the credentials on a device using the CLI. This feature allows you to change the device credentials without having to rediscover or reimport the device.

This procedure applies to the following device types that have been imported into ANM:

ACE appliance

Global Site Selector (GSS)

Content Services Switch (CSS)

Catalyst 6500 Virtual Switching System (VSS) 1440

Catalyst 6500 series switch

Cisco 7600 series router

VMware vCenter Server


Note To change the credentials of an ACE module, see the "Changing ACE Module Passwords" section.


Guidelines and Restrictions

This topic includes the following guidelines and restrictions:

You can change a device username, password, or both.

We recommend changing the device credentials on the device before changing the credentials on ANM.


Caution To maintain communication between ANM and the device, it is important that whatever device credential change you make on the device, you make the same change on ANM.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the device with the passwords that you want to update in ANM, and click Update Credentials.

The Update Credentials popup window appears.

Step 3 From the popup window, update the device credential using the information in Table 5-25.

Table 5-25 Update Device Credentials 

Field
Description

Username

Existing or new device username.

New Password

Existing or new device password.

Confirm New Password

Confirmation of the device password.

New Enable Password1

Existing or new device enable password.

Confirm Enable Password1

Confirmation of the device enable password.

1 GSS and Catalyst 6500 series switch only.



Note All credential fields are mandatory, so even if you are updating the device password only, you must enter the current device username.


Step 4 Do one of the following:

Click OK to save your changes to ANM. Do the following:

a. If you have not already made a similar change to the device credentials on the device, use the device CLI to make the changes now.

b. Perform a CLI synchronization to test communications between ANM and the device with the new credentials (see the "Synchronizing Device Configurations" section).

Click Cancel to ignore any changes that you made and close the popup window.


Related Topics

Configuring Devices

Managing Devices

Changing ACE Module Passwords

Changing ACE Module Passwords

You can change the ACE module username and password. All ACE modules shipped from Cisco are configured with the same administrative username and password. Because changing the module credentials can compromise network security, we recommend that you change the username and passwords after you import the module into the ANM database.


Note This functionality is available only in Admin contexts.


Before You Begin

Import the ACE module into ANM and ensure that it is operational (see the "Importing ACE Modules after the Host Chassis has been Imported" section).

Procedure


Step 1 Choose Config > Devices > All Devices.

The device tree appears.

Step 2 In the device tree, choose the chassis device containing the ACE module with the password that you want to change.

The Primary Attributes window appears.

Step 3 From the side menu, choose System > Module/Slots.

The Modules table appears.

Step 4 In the Modules table, choose the module with the password that you want to change and click Update Credentials.

The Modules configuration window appears.

Step 5 In the Card Slot field, confirm that the correct module is selected.

Step 6 In the Card Type field, confirm that the correct version appears.

Step 7 In the Module Has Been Imported Into ANM field, confirm that the checkbox is checked to indicate that the module has been imported. This is a read-only field.

Step 8 From the Operation To Perform drop-down list, choose Update Credentials.

Step 9 In the User Name field, enter the existing module username or enter a new username.

Step 10 In the New Password field, enter the existing device password or enter a new password.

Valid passwords are unquoted text strings with a maximum of 64 characters.

Step 11 In the Confirm field, verify the password that you entered in the New Password field.

Step 12 Do one of the following:

Click OK to save your changes to ANM. Do the following:

a. If you have not already made a similar change to the device credentials on the device, use the device CLI to make the changes now.

b. Perform a CLI synchronization to test communications between ANM and the device with the new credentials (see the "Synchronizing Device Configurations" section).

Click Cancel to exit the procedure without saving your entries and to return to the Modules table.


Related Topics

Importing ACE Modules after the Host Chassis has been Imported

Configuring Devices

Managing Devices

Changing Device Credentials

Restarting Device Polling

You can restart monitoring on a device that has stopped or failed to start.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the device whose monitoring has stopped or failed, and click Restart Polling.

The All Devices table refreshes with updated polling status. For a description of the various polling status variables, see Table 5-26.

If ANM cannot monitor the selected device, it displays an error message stating the reason.


Related Topics

Configuring Devices

Displaying All Devices

You can display all devices that have been imported into the ANM database.

Procedure


Step 1 Choose Config > Devices.

The device tree appears.

Step 2 In the device tree, choose All Devices.

The All Devices table displays information for the devices being managed by the ANM (see Table 5-26).

Table 5-26 All Devices Table Attributes

Field
Description

Name

Name assigned to the device.

Type

Type of the device, such as Chassis, ACE 4710, CSS, GSS, IOS Device, or VCenter.

Version

Version of the software running on the device, if available.

Note When you import the ACE appliance software version A5(2.0) or later with the NPE software, you will see NPE displayed with the ACE version in the version column.

IP Address

Device IP address.

Polling Status

Current polling status of the device:

Missing SNMP Credentials—SNMP credentials are not configured for this device; therefore, statistics are not collected. Add SNMPv2C credentials to fix this error.

Not Polled—SNMP polling has not started. Add SNMP V2C credentials to fix this error.

Monitoring Not Supported—This status appears at the device level only and applies to Catalyst 6500 series chassis, Cisco 7600 series routers, and ACE appliances.

Polling Failed—SNMP polling failed due to some internal error. Try enabling the SNMP collection again.

Polling Started—No action is required; everything is working properly. Polling states will display the activity.

Polling Timed Out—SNMP polling has timed out. This situation might occur if the wrong credentials were configured or an internal error exists, such as the SNMP protocol is configured incorrectly or the destination is not reachable. Verify that SNMP credentials are correct. If the problem persists, enable SNMP collection again.

Unknown—SNMP polling is not working due to one of the above-mentioned conditions. Check the SNMPv2C credential configuration.



Related Topics

Importing Network Devices into ANM

Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes

Displaying Chassis Interfaces and Configuring High-Level Interface Attributes

Displaying Modules by Chassis

You can display all modules on a specific chassis.

Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the chassis containing the modules that you want to view, and click Modules.

The Modules table appears, listing all modules on that chassis with the following information:

Slot number

Service module model

Module type, such as Cisco Content Switching Module (CSM), ACE module and version, or other modules, such as supervisor modules

Serial number

Module operational state, such as Up, Powered Off, or Not Imported

Version of software the module is running


Note When you import the ACE module software version A5(2.0) or later with the NPE software, you will see NPE displayed with the ACE version in the version column.


Brief description

For ACE modules, the number of virtual contexts configured on the module

For VSS devices, a Virtual Switch number column indicating the switch, slot, and port number. For example, command interface 1/5/4 specifies port 4 of the switching module in slot 5 of switch 1.

Depending on the type of module selected, such as CSM or ACE modules, the following options are available from this window:

Import—Imports a CSM or ACE module that resides in the selected chassis but has not been imported into the ANM database. For more information, see the "Importing ACE Modules after the Host Chassis has been Imported" section or the "Importing CSM Devices After the Host Chassis Has Been Imported" section.

Change Card Password—Changes the administrative password on an ACE module that has been imported into the ANM database. For more information, see the "Changing ACE Module Passwords" section.

Do Not Manage—Removes a selected ACE module from the ANM database. For more information, see the "Removing Modules from the ANM Database" section.

Step 3 (Optional) To display the modules of another chassis, choose another chassis in the device tree or use the chassis selector field at the top of the window.


Related Topics

Importing ACE Modules after the Host Chassis has been Imported

Importing CSM Devices After the Host Chassis Has Been Imported

Displaying Chassis Interfaces and Configuring High-Level Interface Attributes

Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs

Removing Modules from the ANM Database

You can remove a module from the ANM database.


Note If you physically replace an ACE module in a chassis, you need to synchronize the chassis in the ANM. See the "Synchronizing Chassis Configurations" section for more information.


Procedure


Step 1 Choose Config > Devices > All Devices.

The All Devices table appears.

Step 2 In the All Devices table, choose the device containing the module that you want to remove, and click Modules.

The Modules table appears.

Step 3 In the Modules table, choose the module that you want to remove from ANM management, and click Do Not Manage.

The Modules configuration window appears.

Step 4 In the Modules configuration window, confirm the information in the following fields:

Card Slot

Card Type

Module Has Been Imported Into ANM

Step 5 In the Operation To Perform field, choose Do Not Manage.

Step 6 Do one of the following:

Click OK to confirm removal of the module.

The Modules table refreshes and the removed module appears with the state Not Imported.

You can import the module again when desired (see the "Importing ACE Modules after the Host Chassis has been Imported" section).

Click Cancel to exit the procedure without removing the ACE module and to return to the Modules table.


Related Topics

Importing Network Devices into ANM

Changing ACE Module Passwords

Replacing an ACE Module Managed by ANM

This section describes the process that you must follow when replacing an ACE module that is currently managed by ANM.You may need to replace an ACE module to perform a hardware upgrade or replace a device associated with a Return Materials Authorization (RMA).

The procedures in this section show how to replace an ACE module using either the preferred method, which uses the ANM GUI, or the alternate method, which uses a combination of the ACE CLI and the ANM GUI.

Guidelines and Restrictions

This topic includes the following guidelines and restrictions:

The replacement process includes creating a backup of the ACE module being removed and installing the backup on the replacement module. The final step is to run a script that maps the domain attributes that were mapped to the old ACE module serial number to the new module serial number. These domain attributes include items such as real servers, virtual servers, user groups, custom groups, mobile favorites, and so forth.


Caution When replacing your ACE module, it is important that you complete the entire replacement procedure before attempting to edit the properties of any domain. Editing the domains before running the script that remaps existing domain attributes to the new ACE module serial number can result in the attributes being removed.

If you currently use an ACE10 or ACE20 module, you must upgrade to the ACE30 module with ACE software Version A5(1.0) to use the new features associated with the A5(1.0) release in ANM 5.1. For more information about a module upgrade, see the Cisco Application Control Engine (ACE30) Module Installation Note.


Caution When replacing an ACE module that is part of a redundant pair providing high availability, be sure that the ACE module being replaced is operating in the standby state and not in the active state. Replacing an active redundant ACE module is a service-affecting operation.

The state information is displayed in the HA State and HA Autosync fields when you choose Config > Devices > virtual_context. Force a switchover if needed to place the ACE module in the standby state before you replace it.

Prerequisites

To perform the procedures in this section, you need a copy of the Cisco Application Control Engine (ACE30) Module Installation Note which you can obtain on Cisco.com.

This section includes the following topics:

Using the Preferred Method to Replace an ACE Module

Using the Alternate Method to Replace an ACE Module

Using the Preferred Method to Replace an ACE Module

You can replace an ACE module currently managed by ANM by using the ANM GUI-based method.


Note For details about any of the ANM GUI functions discussed in the following procedure, click Help to display the context-sensitive help associated with the current GUI window.


Procedure


Step 1 From the ANM GUI, create a backup the ACE module that you are replacing using one of the following methods:

Choose Config > Devices > context > System > Backup / Restore. The Backup/Restore window appears.

Choose Config > Global > All Backups. The Backup window appears.


Note The Backup/Restore feature requires ACE module software Version A2(3.0) or later.


Save or copy the backup to a network location.

Step 2 Record the module serial number of the ACE module being replaced, which you will need in Step 11.

To obtain the module serial number, choose Config > Devices > All Devices, click the chassis that contains the module being replaced, and click Modules.

Step 3 From the Cisco IOS host chassis, remove the ACE module that you want to replace (see the Cisco Application Control Engine (ACE30) Module Installation Note).

Step 4 From the ANM GUI, perform a CLI synchronization with the Cisco IOS host chassis.


Note When you perform the CLI synchronization, all the threshold groups associated with the removed ACE module are deleted.


Do the following:

a. Choose Config > Devices > All Devices. The Device Management window appears.

b. From the Device Management window, click the radio button associated with the host chassis.

c. Click CLI Sync.

A message similar to the following appears:

Warning: The module has been removed: serial#=SAL1413E2YK

Step 5 From the Cisco IOS host chassis, insert the replacement (new) ACE module into the chassis (see the Cisco Application Control Engine (ACE30) Module Installation Note).

Step 6 Using the CLI, verify that the software on the replacement ACE is equal to or greater than the software version used in the original ACE.

Upgrade the ACE software on the new device if needed. After the upgrade, reboot the ACE module and verify that it is running with the correct software image to ensure that ANM can recognize it.

Step 7 From the ANM GUI, do the following to perform a CLI synchronization with the Cisco IOS host chassis by doing the following:

a. Choose Config > Devices > All Devices. The Device Management window appears.

b. From the Device Management window, click the radio button associated with the host chassis.

c. Click CLI Sync.

A message similar to the following appears:

The module has been added: serial#=SAD140102XR

Record the new ACE module serial number, which you will need for Step 11.

Step 8 From the Device Management window, import the replacement module in to ANM as follows:

a. Click the radio button associated with the host chassis and click Modules. The Modules window appears.

b. From the Modules window, click the radio button associated with the replacement module and click Import. The Module configuration window appears.

c. From the configuration window, choose Perform Initial Setup and Import from the Operation To Perform drop-down list and enter the module configuration information that you recorded in Step 2.

d. Click OK to save the module configuration information.

Step 9 Install a license in the replacement module that is consistent with the removed module by choosing Config > Devices > chassis > module > Admin > System > Licenses. The Licenses window appears.

Step 10 Copy and restore the saved ACE configuration to the replacement module by choosing Config > Devices > chassis > module > Admin > System > Backup / Restore.


Note The Backup/Restore feature requires ACE module software Version A2(3.0) or later.


Step 11 Remap the ANM objects mapped to the old ACE module serial number to the new ACE module serial number as follows:

a. Enter the following command to list the module serial numbers that are unassociated with a device in ANM:

anm-RMA-helper-query

Verify that the list includes the serial number of the old ACE module that you recorded in Step 2.

b. Enter the following command to map the objects to the new ACE module serial number:

anm-RMA-helper-replace

c. Follow the prompts that appear to log in to ANM and specify the old ACE module serial number recorded in Step 2 and the new module serial number recorded in Step 7.


Related Topics

Importing ACE Modules after the Host Chassis has been Imported

Using the Alternate Method to Replace an ACE Module

This procedure describes the alternate method for replacing an ACE module currently managed by ANM. This method uses a combination of the ACE CLI and ANM GUI during the replacement process. To see the preferred method for replacing an ACE module, see the "Using the Preferred Method to Replace an ACE Module" section.


Note For details about using the ACE CLI to perform the procedures discussed in the following procedure, see the Cisco Application Control Engine (ACE30) Module Installation Note).

For details about any ANM GUI function discussed in the following procedure, click Help to display the context-sensitive help associated with the current GUI window.


Procedure


Step 1 Referring to the Cisco Application Control Engine (ACE30) Module Installation Note, do the following:

a. SSH in to the ACE and backup all contexts from the Admin context (requires ACE module software Version A2(3.0) or later).

b. Copy the backup to a network location (requires ACE module software Version A2(3.0) or later).

c. Obtain and record the old module serial number using the show hardware command. You will need the serial number in Step 4.

d. From the Cisco IOS host chassis, remove the ACE module that you want to replace.

e. From the Cisco IOS host chassis, insert the replacement ACE module into the chassis.

f. Verify that the software on the replacement ACE is equal to or greater than the software version used in the original ACE. Upgrade the ACE software on the new device if needed.

g. SSH in to the chassis and session in to the new ACE module.

h. Configure basic ACE module connectivity.

i. Obtain and record the new module serial number using the show hardware command.

j. Copy and install necessary licenses.

k. Copy and restore the ACE backup.

Step 2 From the ANM GUI, delete the Cisco IOS host chassis that hosts the replacement ACE module as follows:

a. Choose Config > Devices > All Devices. The Device Management window appears.

b. Click the radio button associated with the chassis in which the module was replaced.

c. Click Delete.

Step 3 From the Device Management window, import the Cisco IOS host chassis and associated chassis modules, including the replacement ACE module by clicking Add. The Add New Device window appears; complete the required chassis and module information.

Step 4 Remap the ANM objects mapped to the old ACE module serial number to the new ACE module serial number as follows:

a. Enter the following command to list the module serial numbers that are unassociated with a device in ANM:

anm-RMA-helper-query

Verify that the list includes the serial number of the old ACE module that you recorded in Step 1c.

b. Enter the following command to map the objects to the new ACE module serial number:

anm-RMA-helper-replace

c. Follow the prompts that appear to log in to ANM and specify the old ACE module serial number recorded in Step 1c and the new module serial number.


Related Topics

Importing ACE Modules after the Host Chassis has been Imported