Performing System Administration
You can perform the following system administration tasks:
For at-a-glance details on why you may want to perform these system administration tasks, see Table 5-1 .
Table 5-1 System Administration At-A-Glance

| Task | Choose |
|---|---|
| View system health and traffic details | Administration > System > Overview |
| Use IP hostname resolution/DNS lookup | Administration > System > Network Parameters |
| Add extra security and allow additional host details to be displayed in NAM traffic information | Administration > System > SNMP Agent |
| Ensure that the NAM system time is configured correctly (required) | Administration > System > System Time |
| Provide e-mail notification of alarms and reports | Administration > System > E-Mail Setting |
| Allow general web users and websites to access selected NAM monitor and report windows without a login session | Administration > System > Web Data Publication |
| Specify whether syslog messages should be logged locally on the NAM, on a remote host, or both | Administration > System > Syslog Setting |
| Set a host destination to which Prime NAM sends traps | Administration > System > SNMP Trap Setting |
| Change the Prime NAM display or logging characteristics | Administration > System > Preferences |
Monitoring Prime NAM Health and Traffic Statistics
Ensuring that your Cisco NAM processes your traffic efficiently and effectively without becoming overloaded is a critical task.
To view the network traffic coming into the Cisco NAM as well as data about its health (such as server network details and CPU, memory, and data usage) use Administration > System > Overview.
Use the data provided in the Inputs and Resources tabs to determine scalability issues and to assist with troubleshooting.
Table C-56 describes the types of information shown in the System Overview window.
Setting Network Parameters
If you want to use IP hostname resolution in Prime NAM, you must configure the nameservers first. Prime NAM supports three DNS servers. If this task is not complete, you will be unable to perform DNS lookup. You can also set
Tip Ensure your name server addresses are correct, otherwise some of your Monitor dashboards and Capture Decode windows may seem slow to load.
To view and set your name servers:
Step 1 Choose Administration > System > Network Parameters.
The Network Parameters window displays.
Step 2 Enter or change the IPv4 or IPv6 information.
Step 3 To validate the accuracy of the nameservers, click Validate Nameservers.
Step 4 Do one of the following:
- To save the changes, click Submit.
- To cancel the changes, click Reset.
Step 5 Ensure you have turned on IP hostname resolution using Administration > System > Preferences. See Customizing System Preferences.
Setting the SNMP Agent
An SNMP Agent is a network management software module that resides in a managed device. It has local knowledge of management information and translates that information into a form compatible with SNMP.
You can manage devices with SNMPv3 in addition to SNMPv2 and SNMPv1. The NAM polls the managed device to get its basic health and interface statistics. For NAM blades, the managed device is the switch in which the NAM is inserted, and the NAM software negotiates with the switch to use SNMP and a community string to do the polling. This community string is only valid for use with the NAM. For security purposes, the switch associates the community string with the NAM's IP address only, and no other SNMP application can use this community string to communicate with the switch. For more information about community strings, see Working with NAM Community Strings.
Also, to further alleviate any security concerns, the SNMP exchanges between NAM blades and the switch take place on an internal backplane bus. These SNMP packets are not visible on any network, nor any interface outside of the switch. It is a completely secure out-of-band channel inside the switch.
For other platforms, such as Cisco NAM appliances, you can type in any IP address and use it as the managed device. In setting managed devices, virtual NAM platforms managed devices function just like the NAM appliances. On all platforms, NAM can only monitor and display data for one managed device at a time.
In this case, the managed device may be configured to accept only SNMPv3, since it is more secure.
Note NAM blades use SNMPv2 to manage the locally managed device.
To view and set the NAM SNMP Agent:
Step 1 Choose Administration > System > SNMP Agent.
Step 2 Enter or change the information in the NAM SNMP window. The fields are detailed in Table C-57 .
Step 3 To create community strings, see Creating NAM Community Strings.
Step 4 To delete community strings, select the entry and click Delete.
Step 5 To save the changes, click Submit.
Working with NAM Community Strings
You use community strings so that other applications can send SNMP get and set requests to the NAM, set up collections, poll data, and so on.
Creating NAM Community Strings
To create the NAM community strings:
Step 1 Choose Administration > System > SNMP Agent.
Step 2 Click Create under NAM Community Strings.
The System SNMP Agent Dialog Box displays.
Step 3 Enter the community string (use a meaningful name).
Step 4 Enter the community string again in the Verify Community field.
Step 5 Assign read-only or read-write permissions using the following criteria:
- Read-only allows only read access to SNMP MIB variables (get).
- Read-write allows full read and write access to SNMP MIB variables (get and set).
Step 6 To make the changes, click Submit.
Deleting NAM Community Strings
To delete the NAM community strings:
Step 1 Choose Administration > System > SNMP Agent.
Step 2 Select an entry, then click Delete.
Caution
Deleting the NAM community strings blocks SNMP requests to the NAM from outside SNMP agents.
Testing the Router Community Strings
Before the router can send information to the NAM using SNMP, the router community strings set in the NAM must match the community strings set on the actual router. The Router Parameters dialog box displays the router name, hardware, Supervisor engine software version, system uptime, location, and contact information.
The local router IP address and the SNMP community string must be configured so that the NAM can communicate with the local router.
To set the community strings on the router, use the router CLI. For information on using the CLI, see the documentation that accompanied your device.
Caution
The router community string you enter must match the read-write community strings on the router. Otherwise you cannot communicate with the router.
To test router community strings:
Step 1 Choose Setup > Managed Device > Device Information.
The Device Information dialog box displays.
Step 2 Enter the Device's Community String.
Step 3 Click Test Connectivity.
Step 4 Wait for the NAM to communicate with the device. If the test returns OK, click Submit.
Synchronizing Your System Time
Ensure that the NAM system time is configured correctly. If the system time is incorrect, NAM data presentation may be inaccurate due to time ranges, hence providing incorrect interpretations of NAM data.
Some platforms are synchronized automatically, but for the data to be accurate you must also synchronize the NAM, the router or switch, and the standard time source outside the NAM. We recommend you perform the time synchronization for your platform, especially if you see the following message on the dashboard interface: Client or NAM time is incorrect.
You can configure the NAM system time by using one of the following methods:
- NTP server (see Configuring the NAM System Time with an NTP Server). This is valid for all platforms and is the recommended option.
- Switch or router (see Synchronizing the NAM System Time with the Switch or Router). This option is valid only for NAM-3, SM-SREs, and NAM-NX1.
- Local (see Synchronizing the NAM System Time Locally). This option is valid for Cisco NAM appliances, Nexus 1000 VSB, and vNAM.
- Precision Time Protocol (see Configuring the NAM System Time with Precision Time Protocol (IEEE 1588)). This option is valid for NAM-3 and NAM-NX1.
Configuring the NAM System Time with an NTP Server
To configure the NAM system time with an NTP server:
Step 1 Choose Administration > System > System Time.
Step 2 Choose the NTP Server radio button.
Step 3 Enter one or two NTP server names or IP address in the NTP server name/IP Address text boxes.
Step 4 Select the Region and local time zone from the lists.
Step 5 To save the changes, click Submit.
Synchronizing the NAM System Time with the Switch or Router
Note This section is valid only for NAM-3, SM-SREs, and NAM-NX1. For additional platform options, see Synchronizing Your System Time.
To configure the NAM system time from the switch or router:
Step 1 Choose Administration > System > System Time.
Step 2 Choose:
- Local to sync to your switch or router.
- NTP Server
Step 3 Select the Region and local time zone from the lists. This should be the region in which your NAM is located.
Step 4 Click Submit.
Synchronizing the NAM System Time Locally
Note This section is valid for Cisco NAM appliances, Nexus 1000V, and vNAM. For additional platform options, see Synchronizing Your System Time.
To configure the NAM system time locally using the NAM command line:
Step 1 Log into the NAM command line interface.
Step 2 Set the clock using the CLI clock set command.
clock set <hh:mm:ss> <mm/dd/yyyy>
Step 3 On the Prime NAM GUI, choose Administration > System > System Time.
Step 4 Click the Local radio button.
Step 5 Select the Region and local time zone from the lists.
Step 6 Click Submit to save the changes.
Configuring the NAM System Time with Precision Time Protocol (IEEE 1588)
To use Precision Time Protocol (PTP), you will need to have a PTP-aware or multicast-enabled switch connected to the sync port on the front of the NAM-3 or NAM-NX1, as well as a PTP master connected to the switch.
Note This section is applicable to the NAM-3 and NAM-NX1. For details on any hardware setup requirements related to this feature, see your specific NAM installation guide. For additional platform options, see Synchronizing Your System Time.
To configure the NAM system time using PTP:
Step 1 On the NAM, choose Administration > System > System Time.
Step 2 Choose the PTP radio button.
Step 3 Enter the IP address of the PTP interface in the PTP Interface IP Address field.
Tip Set the PTP interface IP address so that it is not in the same subnet as the management interface. If they are in the same subnet, there may be routing issues for outbound management traffic (http, for example).
Step 4 Enter the subnet mask in the PTP Interface Subnet Mask field.
Step 5 For NAM Local Time Zone, select the Region and the Zone from the drop-down lists.
Step 6 To save the changes, click Submit.
Understanding NAM System Time
Ensure that the Prime NAM software application's Linux system time is synchronized with the packet timestamp and the standard time source outside of the NAM platform. Packet timing analysis uses system time to support application response time measurements, voice and video quality metrics, packet decode data, reporting, and many other network statistics.
The NAM gets the UTC (GMT) time from several sources, depending on its NAM platform type. All NAMs can be set up to get their time from an external NTP server. Other NAM platforms may prefer to use an IEEE 1588 Precision Time Protocol (PTP)-based time master due to its high accuracy and precision.
You should also configure any PTP switches that are between the NAM and the master clock to use End-to-End (E2E) mode. E2E is preferred because it reduces PTP messaging bandwidth and eliminates delay accumulation when daisy chaining many nodes. If the master clock and/or PTP switches are not configured correctly, all of the clocks on the NAM will be synced with each other, but to the wrong time.
Caution
Both the client computer and the NAM server must have the time set accurately for their respective time zones. If either the client or the server time is incorrect, then the data shown in the GUI is incorrect.
The clock identity is the first three octets of the MAC address, followed by “ff fe,” and then the last three octets of the MAC address, as shown in the example below.
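The derivation just described, as an added example that is not part of the original guide or Cisco's code: it builds the 8-octet clock identity from a MAC address and checks an identity reported by a PTP node against the MAC it should have been derived from, which is a quick way to confirm the NAM is following the expected master. The MAC addresses used are constructed placeholders.

```python
import re

def mac_to_ptp_clock_identity(mac: str) -> str:
    """Derive the 8-octet IEEE 1588 clock identity from a 6-octet MAC address.

    Per the description above: the first three octets of the MAC, then
    "ff fe", then the last three octets of the MAC (EUI-64 style).
    Accepts 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'
    and returns the identity as eight colon-separated lowercase hex octets.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [hexdigits[i:i + 2].lower() for i in range(0, 12, 2)]
    identity = octets[:3] + ["ff", "fe"] + octets[3:]
    return ":".join(identity)

def clock_identity_matches(mac: str, reported_identity: str) -> bool:
    """Check an identity reported by a PTP node (any separator style)
    against the identity its MAC address should produce."""
    normalised = re.sub(r"[^0-9a-fA-F]", "", reported_identity).lower()
    expected = mac_to_ptp_clock_identity(mac).replace(":", "")
    return normalised == expected

if __name__ == "__main__":
    # Constructed MAC address, not a real device.
    print(mac_to_ptp_clock_identity("00:1e:bd:12:34:56"))
```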
After the NAM acquires the time, you can set the local time zone using the NAM System Time configuration window.
For details on how to configure the NAM system time for your specific hardware platform, see Synchronizing Your System Time.
Setting Up E-Mail Notifications for Alarms
You can configure Prime NAM to provide e-mail notification of alarms and to e-mail reports.
To set up e-mail notifications:
Step 1 Choose Administration > System > E-Mail Setting.
Step 2 Check the Enable Mail check box and enter the required or optional field information.
Table C-58 describes the Mail Configuration Options.
Step 3 Check the optional Advanced Settings check box and enter the details in the fields provided.
Step 4 Click Submit to save your modifications, or click Reset to clear the dialog of any characters you entered or restore the previous settings.
Sharing NAM Data by Enabling Web Data Publication
Web Data Publication allows general web users and websites to access (or link to) selected NAM monitor and report windows without a login session.
Web Data Publication can be open or restricted using Access Control List (ACL) and/or publication code. The publication code, if required, must be present in the URL address or cookie to enable access to published data.
To enable Web Data Publishing:
Step 1 Choose Administration > System > Web Data Publication.
Step 2 Check the Enable Web Data Publication check box.
Step 3 Enter a Publication Code (Optional). This is the pass code required in a URL’s cookie to access the published page. For example, a publication code set to abc123 would be able to access the following published window:
http://<nam-hostname>/application-analysis/index?publicationcode=abc123
Step 4 Enter an ACL Permit IP Address/Subnets to permit only those IP addresses or subnets access to web publications. No entry provides open access to all.
Step 5 Click Submit to enable web publishing, or click Reset to clear the dialog of any characters you entered.
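The access rule described in this section (publication enabled, optional ACL of IP addresses or subnets, optional publication code carried in the URL or a cookie), as an added example in Python that is not the NAM's own code. The query parameter name `publicationcode` is taken from the URL shown above; the cookie name `publicationcode`, the host name and the sample addresses are assumptions constructed for the example.

```python
import hmac
import ipaddress
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

# Parameter name as in the page's example URL; the cookie name is assumed.
CODE_PARAM = "publicationcode"
CODE_COOKIE = "publicationcode"

def parse_acl(entries):
    """Turn the ACL field (IP addresses or CIDR subnets) into network objects.
    An empty field means open access to all, as the page notes."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]

def presented_code(url, cookie_header=""):
    """Find the publication code in the URL query string or the Cookie header."""
    query = parse_qs(urlparse(url).query)
    if CODE_PARAM in query:
        return query[CODE_PARAM][0]
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if CODE_COOKIE in jar:
        return jar[CODE_COOKIE].value
    return None

def publication_allowed(client_ip, url, cookie_header, enabled, publication_code, acl_entries):
    """Decide whether an unauthenticated request may read a published window."""
    if not enabled:
        return False
    acl = parse_acl(acl_entries)
    if acl:   # a non-empty ACL restricts access to the listed addresses/subnets
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in acl):
            return False
    if publication_code:   # an empty code means no code is required
        code = presented_code(url, cookie_header)
        # constant-time comparison; encode so non-ASCII input cannot raise
        if code is None or not hmac.compare_digest(code.encode(), publication_code.encode()):
            return False
    return True

if __name__ == "__main__":
    # Constructed host name and addresses.
    url = "http://nam.example.test/application-analysis/index?publicationcode=abc123"
    print(publication_allowed("10.1.1.5", url, "", True, "abc123", ["10.1.1.0/24"]))
```

Note that the code only restricts access to the published windows; it is not a substitute for the ACL, since anyone who can read the URL (proxy logs, browser history, a shared link) also has the code.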
Setting Remote Servers to Receive Syslog Messages
NAM syslogs are created for alarm threshold events, voice threshold events, or system alerts. You can specify whether syslog messages should be logged locally on the NAM, on a remote host, or both. You can use the NAM to view the local NAM syslogs.
If you log to a remote host, note that on most Unix-based systems the syslog collector uses the facility field of each incoming message to decide which file to write it to; the NAM sends its messages with the facility local7. Check the syslog collector configuration to ensure that local7 is handled properly.
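How a collector recovers the facility from a message, as an added example (not NAM or collector code): every syslog line begins with a `<PRI>` field where PRI = facility * 8 + severity, so local7 messages carry PRI values 184 to 191. The block decodes that prefix and separates NAM messages from other traffic; the sample lines are constructed for the example and are not real NAM output.

```python
import re

# Facility codes from RFC 5424 section 6.2.1; the NAM uses local7 (23).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
NAM_FACILITY = "local7"

_PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) names from the <PRI> prefix of a syslog line.
    PRI = facility * 8 + severity, so divmod recovers both fields."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:   # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]

def split_by_facility(lines, nam_facility=NAM_FACILITY):
    """Separate messages on the NAM facility from everything else, the way a
    collector's facility-based rule would route them to different files."""
    nam, other = [], []
    for line in lines:
        facility, severity = decode_pri(line)
        (nam if facility == nam_facility else other).append((severity, line))
    return nam, other

# Constructed sample messages; host names and text are made up for this example.
SAMPLE_LINES = [
    "<189>Mar 10 09:15:02 nam1 NAM: alarm threshold crossed (constructed)",
    "<190>Mar 10 09:15:03 nam1 NAM: voice signaling threshold event (constructed)",
    "<34>Mar 10 09:15:04 srv1 sshd[123]: authentication failure (constructed)",
]

if __name__ == "__main__":
    nam, other = split_by_facility(SAMPLE_LINES)
    print(f"{len(nam)} messages on {NAM_FACILITY}, {len(other)} on other facilities")
```

If the collector has no rule for local7, the NAM's alarm and system messages typically fall through to a catch-all file or are dropped, which is why the check above is worth running once against a captured sample before relying on remote logging for alerting.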
To set up the NAM syslog:
Step 1 Choose Administration > System > Syslog Setting.
The NAM Syslog Setting window displays.
Step 2 In the Remote Server Names field, enter the IP address or DNS name of up to five remote systems where syslog messages are logged. Each address you enter receives syslog messages from all three alarms (Alarm Thresholds, Voice Signaling Thresholds, and System).
Step 3 Click Submit to save your changes, or click Reset to cancel.
Configuring Hosts to Receive SNMP Traps from Prime NAM
Traps are used to report alarms triggered by threshold crossing events. When an alarm is triggered, you can trap the event and send it to a separate host. Trap-directed notifications can result in substantial savings of network and agent resources by eliminating the need for unnecessary SNMP polling requests.
To configure, edit, or delete a host destination to which Prime NAM will send traps:
Step 1 Choose Administration > System > SNMP Trap Setting.
The SNMP Trap Setting window displays.
Step 2 Click Create.
Step 3 In the Community field, enter the community string set in the NAM Thresholds.
Step 4 In the IP Address field, enter the IP address to which the trap is sent if the alarm and trap community strings match.
Step 5 In the UDP Port field, enter the UDP port number.
Step 6 Click Submit to save your changes, or click Reset to cancel and leave the configuration unchanged.
Customizing System Preferences
To change the Prime NAM display or logging characteristics, choose Administration > System > Preferences. Table C-58 describes the fields of the Preferences window and why you may want to change the defaults.
Upgrading Your License
Certain software-only NAM platforms require software licenses to run. You can see your NAM platform installation guide for details.
To obtain a NAM license, go to the following URL:
http://www.cisco.com/go/license
Follow the instructions on this page to obtain a NAM license file. You will need your NAM platform’s PID and SN to obtain the license file.
Tip Use the Prime NAM show inventory command to obtain the PID and SN for licensing.
After you enter the PID and SN or the Product Authorization Key, a license file will be sent to you by e-mail. Store this license file on an available FTP server. Use the license install command to install the license after the NAM software installation completes.
Several Cisco Prime Network Analysis Module platforms require you to install a product license in the form of a text file (see your release notes as platform support changes with each release). An evaluation license allows you to use the software for up to 60 days. The NAM login window indicates how many days remain before the evaluation license expires. After that time, you will be unable to log into the NAM GUI.
You can provide licensing information, also known as node-locking information, during software installation or after software installation using the NAM CLI.
For details on licensing install and management CLI commands, see the Cisco Prime Network Analysis Module Command Reference Guide.
There is no license required for the protocol pack usage in Prime NAM.
Controlling User Access
In order to make your Cisco NAM solution more secure, you can take several steps including:
- Enable Secure Sockets Layer (SSL) on the Cisco NAM for secure, encrypted HTTP sessions. See your installation guide for details.
- Enable Secure Shell (SSH) protocol for secure Telnet to the Cisco NAM.
- Enable TACACS+ for authentication and authorization. Cisco NAMs provide support for multiple TACACS+ servers.
This section covers how to control your user’s access using the Administration options:
Local Database
When you first install the NAM, use the NAM command-line interface (CLI) to enable the HTTP server and establish a username and password to access the NAM for the first time.
After setting up the initial user accounts (root, admin, and webuser), you can create additional accounts, enabling or disabling different levels of access independently for each user.
Table C-60 provides information about User Privileges and describes each privilege.
For additional information about creating and editing users, see Creating a New User and Establishing TACACS+ Authentication and Authorization.
If you have forgotten your password, use the helper utility to reset your root or user passwords (see Resetting Passwords).
Resetting Passwords
There are several methods you can use to reset your NAM passwords. Use the options documented in Table 5-2 based on your needs.
Table 5-2 Password Reset Options

| Accounts | Method | Description |
|---|---|---|
| Root, Admin, and webuser | Boot into helper utility | Restart your NAM and choose option 5 or enter reboot -helper at the NAM CLI. |
| Root and webuser | clear system-passwords NAM CLI command | The easiest way to reset NAM passwords. This command resets both the root and guest user passwords to the factory default state. You must have appropriate privileges to reset passwords. |
| Root, Admin, and webuser | CLI commands on the switch or router | See your platform installation guide. |
| NAM Admin users | Admin > Users > Local Database | Delete the user for whom you have forgotten the password; then create a new one. |
| Webuser | rmwebusers NAM CLI command | Use if no other local users are configured other than the user for whom you have forgotten the password. Then enable http or https to prompt for the creation of a NAM user. |
Changing Predefined NAM User Accounts on the Switch or Router
The predefined root and guest NAM user accounts (accessible through either a switch or router session command or a Telnet login to the NAM CLI) are static and independent of the NAM. You cannot change these static accounts nor can you add other CLI-based users with the NAM.
Creating a New User
To create a new user:
Step 1 Choose Administration > Users > Local Database.
The GUI displays the users in the local database. Checks indicate the privileges each user has for the functions listed.
Step 2 Click Create.
The GUI displays the New User Dialog Box.
Step 3 Enter the information required to create new user and select each privilege to grant to the user. See Table C-61 for an explanation of user privileges. Table C-59 describes the fields in the New User Dialog Box.
Note If you delete user accounts while users are logged in, they remain logged in and retain their privileges. The session remains in effect until they log out. Deleting an account or changing permissions in mid-session affects only future sessions. To force off a user who is logged in, restart the NAM.
Step 4 Select a single or multiple check box to set user privileges. Table C-61 provides information about each privilege.
Step 5 Click Submit to create the user or Reset to clear the dialog of any characters you entered.
Invalid User Name and Password Characters
For usernames, do not use the following:
- Exclamation point !
- At sign @
- Pound sign #
- Dollar sign $
- Percent %
- Caret ^
- Ampersand &
- Asterisk *
- Left or right parentheses ()
- Greater than >
- Less than <
- Comma ,
- Period .
- Double quote "
- Single quote '
- Forward slash /
- Backward slash \
For web user passwords, do not use the following:
- Double quote "
- Single quote '
- Greater than >
- Less than <
For root or guest user passwords, only the single quote is not allowed.
Establishing TACACS+ Authentication and Authorization
Terminal Access Controller Access Control System (TACACS) is an authentication protocol that provides remote access authentication, authorization, and related services such as event logging. With TACACS, user passwords and privileges are administered in a central database instead of an individual switch or router to provide scalability.
TACACS+ is a Cisco Systems enhancement that provides additional support for authentication and authorization.
When a user logs into the NAM, TACACS+ determines if the username and password are valid and what the access privileges are.
To establish TACACS+ authentication and authorization:
Step 1 Choose Administration > Users > TACACS+. The TACACS+ Authentication and Authorization Dialog Box displays.
Step 2 Enter or select the appropriate information in Table C-62, TACACS+ Authentication and Authorization Dialog Box.
Step 3 Do one of the following:
- To save the changes, click Submit.
- To cancel, click Reset.
Tip If you cannot log into the NAM with TACACS+ configured, verify that you entered the correct TACACS+ server name and secret key.
Configuring a TACACS+ Server to Support NAM Authentication and Authorization
In addition to enabling the TACACS+ option, you must configure your TACACS+ server so that it can authenticate and authorize NAM users. NAM supports ACS versions 5.2, 5.1 (including Patch 1), and 4.2.
Note Configuration methods vary depending on the type of TACACS+ server you use. When configuring NAM within ACS 5.x, uncheck the check box for the Single Connect Device option under the TACACS+ settings.
Continue to the section specific to your particular version:
Configuring a Cisco ACS Server, Version 4.2
To configure a version 4.2 Cisco ACS server, you must perform two tasks:
Configuring NAM on ACS for Windows NT and 2000 Systems for Version 4.2
To configure a Cisco ACS TACACS+ server (version 4.2):
Step 1 Log into the ACS server.
Step 2 Click Network Configuration.
Step 3 Click Add Entry.
Step 4 For the Network Access Server, enter the NAM hostname and IP address.
Step 5 Enter the secret key.
Note The secret key must be the same as the one configured on the NAM.
Step 6 In the Authenticate Using field, select TACACS+.
Step 7 Click Submit+Apply.
Step 8 Continue to Adding a NAM User or User Group for Version 4.2 to complete the next configuration task.
Adding a NAM User or User Group for Version 4.2
To add a NAM user or user group:
Step 1 Click User Setup.
Step 2 Enter the user login name.
Step 3 Click Add/Edit.
Step 4 Enter the user data.
Step 5 Enter a user password.
Step 6 If necessary, assign a user group.
Step 7 In the TACACS+ settings:
a. Select Shell.
b. Select IOS Command.
c. Select Permit.
d. Select Command.
e. Enter web.
f. In the Arguments field, enter:
permit capture
permit system
permit collection
permit account
permit alarm
permit view
Step 8 In Unlisted Arguments, select Deny.
Step 9 Click Submit.
Configuring a Cisco ACS Server, Version 5.x
To configure a version 5.1 (Patch 1) or 5.2 Cisco ACS server, you must perform these tasks. There is an additional configuration task that enables you to set up policy rules for your users or groups.
Use the following sections to configure your Cisco ACS server:
Configuring NAM on ACS For Windows NT and 2000 Systems for Version 5.x
To configure a Cisco ACS TACACS+ server (version 5.1(P1) or 5.2):
Step 1 Log into the ACS server.
Step 2 To set up an optional device type for NAM, click Network Resources > Network Device Groups > Device Type and create a device type. For example, you may choose to name your device type NAM_Module.
Step 3 Click Network Resources > Network Devices and AAA Clients to add NAM devices.
Step 4 For the Network Access Server, enter the NAM hostname and IP address.
Step 5 Under Authentication Options field, select TACACS+.
Step 6 Enter the secret key and deselect the check box for the Single Connect Device option under the TACACS+ settings.
Note The secret key must be the same as the one configured on the NAM.
Step 7 Click Submit.
Step 8 Continue to Adding a NAM User or User Group for Version 5.x to complete the next configuration task.
Adding a NAM User or User Group for Version 5.x
To add a NAM user or user group:
Step 1 Click Users and Identity Stores > Internal Identity Stores > Users.
Step 2 Click Create.
Step 3 Enter the user login name.
Step 4 Enter the user data.
Step 5 If necessary, assign a user group.
Step 6 Enter the password information.
Step 7 Click Submit.
Configuring Access Policies for ACS and NAM for Version 5.x
In versions 5.1(P1), 5.2, and 5.3 you must set up access policies to complete your ACS and NAM configuration.
Step 1 On the ACS server, click Policy Elements > Authorization and Permissions > Device Administration > Command Sets and click Create to create NAM command sets.
For example, if you want to provide full access to the NAM, create a command set called NAMfullAccess and check the check box Permit any command that is not in the table below.
Step 2 Click Submit when you have completed entering the NAM command sets. Ensure you include all of the following commands:
permit capture
permit system
permit collection
permit account
permit alarm
permit view
Step 3 Click Access Policies > Access Services > Create to create a new Service (for example, name = namAdmin ; Service Type = Device Administration.)
Step 4 Go to Access Policies > Access Services > namAdmin > Authorization > Customize to set up the customized conditions that are needed in a later step (for example, NDG: Device Type, Device IP Address, and so on). Replace namAdmin with the service you created in Step 3.
Step 5 Go to Access Policies > Access Services > namAdmin > Authorization > Create to set up the condition that qualifies all login requests. NAM devices use these conditions and follow the command set (created in Step 1). For example, your condition may be: NDG: Device Type == All Device Types: NAM device, the device type you set up in Step 2.
Step 6 Click Access Policies > Service Selection Rules to choose a service (for example, the service you created in Step 3).
Step 7 Log into the NAM and click NAM > Administration > Users > TACACS+ to set up the ACS server IP and secret key.
Configuring a Generic TACACS+ Server
To configure a generic TACACS+ server:
Step 1 Specify the NAM IP address as a Remote Access Server.
Step 2 Configure a secret key for the TACACS+ server to communicate with the NAM.
Note The secret key must be the same as the one configured on the NAM.
Step 3 For each user or group to be allowed access to the NAM, configure the following TACACS+ parameters:
- Privilege arguments: one or more of the following: accountmgmt, system, capture, alarm, collection, view
- Password authentication method: Password Authentication Protocol (PAP)
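A model of the authorization decision that the command set in the ACS 4.2 steps (service Shell, command web, a list of permit arguments, Unlisted Arguments set to Deny) and the generic parameters above describe, as an added example in Python that is not ACS, TACACS+ server or NAM code. It parses the `permit <argument>` lines as typed into the Arguments field and reports which requested NAM privileges a login is granted. The privilege names follow the ACS steps (`account`); note that the generic table above spells that argument `accountmgmt`, so use whichever your server expects.

```python
from dataclasses import dataclass

# The six NAM privilege arguments listed in the ACS 4.2 and 5.x steps.
NAM_PRIVILEGES = ("capture", "system", "collection", "account", "alarm", "view")

@dataclass(frozen=True)
class CommandSet:
    """One command-set entry for the NAM (service=shell, cmd=web) with the
    permitted argument list and the policy for arguments not in the list."""
    permitted_args: frozenset
    permit_unlisted: bool = False   # "Unlisted Arguments: Deny" in the page's steps

def parse_command_set(lines, permit_unlisted=False):
    """Parse 'permit <argument>' lines as entered in the ACS Arguments field."""
    args = set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        action, _, arg = line.partition(" ")
        arg = arg.strip()
        if action != "permit" or not arg:
            raise ValueError(f"unsupported command-set line: {raw!r}")
        args.add(arg)
    return CommandSet(frozenset(args), permit_unlisted)

def authorize(command_set, service, cmd, requested_args):
    """Model the authorization decision for one login: return the tuple of
    granted privileges and the tuple of denied privileges."""
    if service != "shell" or cmd != "web":
        return (), tuple(requested_args)   # wrong service or command: nothing granted
    granted = tuple(
        a for a in requested_args
        if a in command_set.permitted_args or command_set.permit_unlisted
    )
    denied = tuple(a for a in requested_args if a not in granted)
    return granted, denied

if __name__ == "__main__":
    # A read-only operator: only the view privilege is permitted.
    viewer = parse_command_set(["permit view"])
    print(authorize(viewer, "shell", "web", NAM_PRIVILEGES))
```

Keeping unlisted arguments denied is what makes a per-user command set a least-privilege grant; a command set created with "Permit any command that is not in the table below" (the full-access example in the 5.x steps) corresponds to `permit_unlisted=True` here and grants every privilege the NAM asks about.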
Current User Sessions
The Current User Sessions table is a record of the users who are logged into the application. The user session times out after 30 minutes of inactivity. After a user session times out, that row is removed from the table.
To view the current user sessions table:
Step 1 Choose Administration > Users > Current Users.
The Current User Sessions table (Table C-63) displays.