Table Of Contents
Getting Started with Application Networking Manager
Acquiring and Uploading a Cisco Application Networking Manager License
Uploading Site-Specific Certificate/Key Pair Files for Server Authentication
Logging In To Cisco Application Networking Manager
Using the Firefox Web Browser to Access ANM 3.0
Managing Cisco Application Networking Manager Licenses
License Types
Uploading ANM Licenses
Preparing to Add Network Elements
Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Enabling SSH Access and HTTPS Interface on ACE Module and ACE Appliance
Enabling SNMP Polling from ANM
Adding Network Elements into Cisco Application Networking Manager
Adding Modules, Switches, Routers, and Other Network Elements to ANM
Adding ACE Modules to ANM
Instructing ANM to Recognize an ACE Module Software Upgrade
Importing Cisco Content Switching Modules
Importing Cisco Global Site Selectors
Information About GSS Firewall Deployment
Enabling syslog Messages from the ACE
Changing Configuration Values After Installing Cisco Application Networking Manager
Example ANM Standalone Configuration Session
Example ANM HA Configuration Session
ANM Ports Reference
Getting Started with Application Networking Manager
Date: 12/11/09
This chapter describes how to get started with the Cisco Application Networking Manager (ANM) and includes the following sections:
• Acquiring and Uploading a Cisco Application Networking Manager License
• Uploading Site-Specific Certificate/Key Pair Files for Server Authentication
• Logging In To Cisco Application Networking Manager
• Managing Cisco Application Networking Manager Licenses
• Preparing to Add Network Elements
• Adding Network Elements into Cisco Application Networking Manager
• Changing Configuration Values After Installing Cisco Application Networking Manager
• Example ANM HA Configuration Session
• ANM Ports Reference
Acquiring and Uploading a Cisco Application Networking Manager License
You must have an ANM license before you can use ANM. Before you can install an ANM license, you must be a registered Cisco.com user and you must have the service license authorization key (PAK) that was shipped with your software CD. For more information, see the "Understanding ANM License Information" section in the "Administering the Cisco Application Networking Manager" chapter of the online help or the User Guide for the Cisco Application Networking Manager 3.0.
Note
The license installation script reinitializes ANM. If you have performed an HA upgrade, it may also take some time for the system to determine which host is the active host. It may take several minutes before you can log into ANM after the installation or upgrade.
Step 1
On Cisco.com, go to http://www.cisco.com/go/license. You will be asked to log into Cisco.com. If you are not a registered user you will be given a number of options including the option to log in without registering. Once logged in, you will be prompted to enter the product authorization key (PAK).
Step 2
Enter the product authorization key (PAK) exactly as it appears on the label that accompanied the Cisco Information Packet. If you are unable to locate the PAK, contact your Cisco support team or click on the link for a demonstration license.
Note
A demo license is valid for 90 days after it is issued. After 90 days, the product will require a standard license.
Step 3
Follow the instructions for registration on the license website. After you finish registering, you will receive a message that confirms your registration, and an e-mail that contains the license/key file will be sent to you at the e-mail address that you provided during product registration.
Step 4
After you receive your software license key by e-mail, save the e-mail and the license file (.lic) that is attached to the e-mail to a temporary directory on your hard drive for safekeeping.
Step 5
(Optional) Copy the file from the temporary directory to your ANM server.
Step 6
Install the license on the ANM server by entering the /opt/CSCOanm/bin/anm-license install /path/ANMxxxxxxxxxxxxxxxxx.lic command from the command line.
path is the location of the license file and ANMxxxxxxxxxxxxxxxxx.lic is the name of the license file.
You can install multiple license files at one time using the /opt/CSCOanm/bin/anm-license install license1 [license2 ...] command.
Step 7
Log in to ANM and under the Administration tab, choose ANM Management > License Management to make sure you can see both the ANM server and ANM-AD licenses.
If both licenses are not apparent, a step has been missed. Contact your network administrator to help install the missing license.
Note
For more information about licenses, see the "License Types" section.
Uploading Site-Specific Certificate/Key Pair Files for Server Authentication
You can authenticate your server using a certificate/key pair of your choice.
Note
This optional procedure can be performed at any time, not just during installation. A certificate/key pair is automatically installed with ANM. In HA mode, you must perform this procedure on both nodes.
To upload site-specific certificate/key pair files for server authentication, follow these steps:
Step 1
Copy the files (certificate and key) from the temporary directory to your ANM server, if necessary.
Step 2
From the command line, enter the /opt/CSCOanm/bin/anm-certificate install certificate key [key-password] command, where certificate is the name of the certificate file that you are installing, key is the name of the certificate key file, and key-password is the key password (if required).
Note
The key password is required only if the key is encrypted.
Logging In To Cisco Application Networking Manager
You access ANM features and functions through a web-based interface. The ANM login window allows you to log into the ANM server, change the password for your account, and obtain online help by clicking Help.
To log into ANM, follow these steps:
Step 1
Choose one of the following:
• To log in after a new installation, in your browser address field, enter https://host. The default web ports are 443 and 80.
Note
You do not have to explicitly enter the port numbers.
• To log in after an upgrade, in your browser address field, enter https://host:10443 or http://host:10080, depending on which port was enabled in the previous release. An upgrade uses the user-specified web ports of 10443 and 10080; you must explicitly enter these port numbers.
Note
All browsers require that you enable cookies, JavaScript/scripting, Adobe Flash Player 9, and popup windows. If you reinstall a later ANM release, make sure that you delete the cookies and clear the browser cache.
For example, enter https://192.168.10.10. The login window appears.
A new installation comes with predefined credentials; the username and password are both admin. Use admin the first time you log in.
Note
The ANM 3.0 client supports use with Firefox 3.5 on Windows XP or Windows Vista. When you use Firefox 3.x to log in and access ANM for the first time, the Firefox web browser displays a warning that the site is untrusted. When Firefox displays this warning, follow the prompts to add a security exception and download the self-signed certificate from the ANM server. After you complete this procedure, Firefox accepts the ANM server as a trusted site both now and during all future login attempts. See the "Using the Firefox Web Browser to Access ANM 3.0" section for details.
Step 2
In the User Name field, enter admin.
The admin account was created when ANM was installed. After you log in, you can create additional user accounts. For more information about setting up user accounts, see the User Guide for the Cisco Application Networking Manager 3.0.
Step 3
In the Password field, enter the password that you used for installing ANM.
Step 4
Click Login.
Caution 
ANM installation takes 90 seconds for initialization to be completed. When the login window appears, make sure that you wait at least 90 seconds before you log in. Failure to wait a minimum of 90 seconds may result in an error.
When you log in, the default page that appears is the ANM Homepage. You can change your default page by making a different selection from the Homepage. See the User Guide for the Cisco Application Networking Manager 3.0 for details.
Click the Import a Device link from the ANM Homepage. The Import Devices window appears (Config > Guided Setup > Import Devices). Add network elements by one of the methods described in the "Adding Network Elements into Cisco Application Networking Manager" section.
Using the Firefox Web Browser to Access ANM 3.0
The ANM 3.0 client supports use with Firefox 3.5 on Windows XP or Windows Vista. When you use Firefox 3.x to log in and access ANM for the first time, the Firefox web browser displays a warning that the site is untrusted (Figure 4-1).
Figure 4-1 Firefox 3.5 Untrusted Connection Warning
When Firefox displays this warning, follow the prompts to add a security exception and download the self-signed certificate from the ANM server. After you complete this procedure, Firefox accepts the ANM server as a trusted site both now and during all future login attempts.
Procedure
Step 1
In the This Connection Is Untrusted window, click I Understand the Risks.
Step 2
Click Add Exception to add a security exception to the Firefox web browser.
The Add Security Exception popup window appears identifying the location of the ANM server.
Step 3
In the Add Security Exception popup window, click Get Certificate.
Firefox retrieves the ANM self-signed certificate and the window's Confirm Security Exception button becomes active.
Step 4
Click Confirm Security Exception.
Firefox recognizes the ANM server as a trusted site and the ANM Login window appears.
Managing Cisco Application Networking Manager Licenses
To allow ANM to manage all your network elements, you must have the appropriate number of ANM licenses for your network elements. Although an ANM server license comes with the software, you must upload it to ANM after the installation.
ANM can manage up to two ACE devices with a default set of five virtual contexts each. You will need additional licenses for any network elements that you plan to manage beyond the standard configuration.
For more information about adding new ANM licenses to expand the number of network elements you can manage, see "Managing ANM Licenses" in the online help or in Chapter 17, "Administering the Cisco Application Networking Manager," of the User Guide for the Cisco Application Networking Manager 3.0.
For instructions on uploading your ANM server license, see the "Acquiring and Uploading a Cisco Application Networking Manager License" section.
For more information about license types and license management, see the "License Types" section or Chapter 17, "Administering the Cisco Application Networking Manager," in the online help or the User Guide for the Cisco Application Networking Manager 3.0.
This section includes the following topics:
• License Types
• Uploading ANM Licenses
License Types
License management allows you to view the license state, add licenses, and track license information on your ANM. ANM displays warnings if your ANM license is not compliant or if the ANM license is about to expire. Cisco ANM has the following different types of licenses that you can purchase:
• Licenses for ACE appliances and modules—ANM-AD-xx allows you to manage a specific number of ACE appliances or modules.
• Licenses for CSS or CSM network elements/modules—ANM-CD-xx allows you to manage a specific number of CSS or CSM network elements/modules.
• Virtual licenses to expand your network elements into virtual entities—ANM-AV-xx allows you to manage one ACE appliance or module that has an ACE license (ACE-VIRT-xx) for a supporting number of virtual contexts. For example, if you had an ACE 4710 appliance with an ACE-VIRT-050 installed, locate and enter the product authorization key (PAK) that you received with your software to acquire a license file on Cisco.com.
• Demo licenses—ANM-DEMO is a free temporary 30-, 60-, or 90-day license; you can have a maximum of three total demo licenses with ANM 3.0.
• Server licenses—ANM-SERVER allows you to run your ANM server or servers.
Uploading ANM Licenses
You can upload an ANM license if you have downloaded your license files to a directory that is accessible to the ANM server. For information, see the "Acquiring and Uploading a Cisco Application Networking Manager License" section.
Note
Your user role determines whether you can use this option. For more information about role-based access, see the "Controlling Access to ANM" section in the online help or in Chapter 17, "Administering the Cisco Application Networking Manager" of the User Guide for the Cisco Application Networking Manager 3.0.
To upload additional ANM licenses, follow these steps:
Step 1
Choose Admin > ANM Management > License Management > Licenses. The Licenses table appears.
Step 2
From the Licenses table, click Add. The New License window appears.
Step 3
From the New License window, click Browse to locate the new license name. Use the browser to choose the license file.
Step 4
From the browser window, click Upload to copy the license that you entered onto the ANM Server, or Cancel to exit.
The license file appears in the Licenses table and in the License Files table. From the Licenses table, you can also filter, add more licenses, or alter table views. See the online help for a description of table buttons.
From the License Files table, you can see the Install Status of the license file and if there are any errors. See the online help for more information on what to do next.
If you are performing an HA installation, you will also need a license for the second host machine. Log in to ANM on the standby server and repeat this procedure.
Preparing to Add Network Elements
ANM allows you to add the following network elements individually to its database:
• ACE appliances
• ACE modules
• Catalyst 6500 series chassis
• Cisco 7600 series routers
• Cisco Content Services Switches (CSS network elements)
• Cisco Content Switching Modules (CSMs)
• Cisco Global Site Selectors (GSS network element)
Note
Before you import an appliance, module, or other network element, the ANM server pings the IP address of the network element. If you have a firewall between the ANM server and the network element that you want to import, you must modify the firewall to allow the ping traffic to reach the network element or ACE module.
Tip
Once you add ACE appliances, ACE modules, or network elements, see the "Enabling syslog Messages from the ACE" section for more information about the ANM CLI synchronization process. For more information on supported network elements, see the Supported Devices Table for the Application Networking Manager 3.0.
ANM communicates with network elements through Secure Shell (SSH) and other protocols. You must set up your network elements to allow ANM to collect data from them. This section includes the following topics:
• Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Enabling SSH Access and HTTPS Interface on ACE Module and ACE Appliance
• Enabling SNMP Polling from ANM
Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers
You can choose to use Telnet or SSH to import a Catalyst 6500 series switch or Cisco 7600 series router in ANM. Telnet is enabled by default on the Catalyst 6500 series switch. If Telnet is disabled on the chassis, you must enable it to perform Initial Setup and import of an ACE module. If you wish to directly import an ACE module into ANM, Telnet is not mandatory on a Catalyst 6500 series switch.
You must enable SSH2 on the chassis and on the ACE module in order for ANM to add network element information about the chassis. The chassis must have a K9 (Triple Data Encryption Standard [3DES]) software image in order to enable the SSH server. ANM requires SSH2 to be enabled on the chassis.
The following table lists the commands to enable SSH2 on the chassis.
| Command | Purpose |
| | Enables SSH version 2. |
| | |
| crypto key generate rsa general-keys modulus 1024 | Generates the key. |
| username <username> password <password> | Allows you to enter the username and password. |
| | |
| | Applies to Cisco IOS 12.2.18SXF(10), but not to Cisco IOS 12.2.18SXF(8). |
| transport input telnet ssh | Allows SSH and Telnet to the chassis. |
| transport output telnet ssh | Allows chassis to SSH and Telnet into the ACE module. |
Enabling SSH Access and HTTPS Interface on ACE Module and ACE Appliance
ANM uses SSH and XML over HTTPS to communicate with the ACE modules and ACE 4710 appliances. You must enable both SSH access and HTTPS. You can enable these settings during network element import as described in the "Adding Network Elements into Cisco Application Networking Manager" section, or in the CLI.
Note
Make sure that the management policy that is applied on the user interface permits SSH.
The following table lists the commands to set up SSH and HTTPS on the ACE to allow access by ANM. Enter the following commands in config mode in the Admin context.
Tip
If the ACE module or appliance is new and retains its factory settings, you do not need to use these commands, because SSH is enabled in bareblade configurations. If the ACE appliance does not have its factory settings, use the following commands in the Admin context.
| Command | Purpose |
| | Configures SSH access on the ACE. |
| access-list acl line 10 extended permit ip any any | |
| class-map type management match-any ANM_management | Performs discovery. |
| 2 match protocol ssh any | Specifies the line number before the command text in the left column. Line 2 classifies the SSH traffic. |
| 3 match protocol telnet any | |
| 4 match protocol https any | Line 4 is needed by ANM for making configuration changes on the ACE. |
| 5 match protocol snmp any | Line 5 is needed by ANM for statistics. |
| 6 match protocol icmp any | Line 6 is not mandatory but useful for network and route validation. |
| 7 match protocol xml-https | Line 7 is needed only for ACE 4710 appliances. |
| policy-map type management first-match ANM_management | Allows protocols that are matched in the management class map. |
| ip address 192.168.65.131 255.255.255.0 | Acts as a user interface with the ACL and defines the management service policy. We do not recommend that you use this interface as a client or server interface. |
| service-policy input ANM_management | |
| username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain | Specifies the administrator. |
| ip route 0.0.0.0 0.0.0.0 192.168.0.1 | Specifies the default route (or the appropriate route) for traffic to reach ANM using the user interface if ANM is not on the same subnet. |
• For more information on configuring SSH access on ACE modules, see the Cisco Application Control Engine Module Administration Guide on Cisco.com.
• For more information on how to enable SSH access on an ACE appliance, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide on Cisco.com.
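The management class map above decides which protocols can reach the ACE management interface, so it is worth auditing against what ANM actually needs. The following is an added example, not Cisco's code: it parses the commands as printed in the table and reports required protocols that are missing, cleartext protocols, matches open to any source, and permit-any ACLs. The tightened configuration and the ANM server address 192.168.65.10 in it are constructed for illustration.

```python
import re

# What the page says ANM uses each management protocol for.
REQUIRED = {"ssh": "CLI access", "https": "configuration changes",
            "snmp": "statistics polling"}
APPLIANCE_ONLY = "xml-https"    # page: line 7 is needed only for ACE 4710
CLEARTEXT = {"telnet", "http"}  # sessions and credentials are unencrypted

CLASS_RE = re.compile(r"^class-map type management match-any\s+(\S+)$")
MATCH_RE = re.compile(r"^(\d+)\s+match protocol\s+(\S+)(?:\s+(.+))?$")
ACL_ANY_RE = re.compile(r"^access-list\s+(\S+)\s.*\bpermit ip any any$")

# Commands as printed in the table on this page.
PAGE_CONFIG = """\
access-list acl line 10 extended permit ip any any
class-map type management match-any ANM_management
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol icmp any
  7 match protocol xml-https
policy-map type management first-match ANM_management
"""

# Constructed variant: Telnet dropped, sources limited to an assumed
# ANM server at 192.168.65.10 (address chosen for illustration only).
TIGHT_CONFIG = """\
access-list acl line 10 extended permit ip 192.168.65.0 255.255.255.0 any
class-map type management match-any ANM_management
  2 match protocol ssh source-address 192.168.65.10 255.255.255.255
  4 match protocol https source-address 192.168.65.10 255.255.255.255
  5 match protocol snmp source-address 192.168.65.10 255.255.255.255
  6 match protocol icmp source-address 192.168.65.10 255.255.255.255
policy-map type management first-match ANM_management
"""


def parse(config):
    """Return ({class_name: {protocol: source}}, [names of permit-any ACLs])."""
    classes, open_acls, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(m.group(1), {})
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            # A match line with no source (line 7 as printed) is stored as "".
            current[m.group(2)] = (m.group(3) or "").strip()
            continue
        current = None  # any other command ends the class-map block
        m = ACL_ANY_RE.match(line)
        if m:
            open_acls.append(m.group(1))
    return classes, open_acls


def audit(config, class_name="ANM_management", appliance=False):
    """Return a sorted list of (code, detail) findings for one class map."""
    classes, open_acls = parse(config)
    if class_name not in classes:
        return [("NO_CLASS", class_name)]
    matched = classes[class_name]
    findings = []
    for proto, purpose in REQUIRED.items():
        if proto not in matched:
            findings.append(("MISSING", f"{proto} ({purpose})"))
    if appliance and APPLIANCE_ONLY not in matched:
        findings.append(("MISSING", f"{APPLIANCE_ONLY} (ACE 4710 appliance)"))
    if not appliance and APPLIANCE_ONLY in matched:
        findings.append(("UNNEEDED", APPLIANCE_ONLY))
    for proto in sorted(p for p in matched if p in CLEARTEXT):
        findings.append(("CLEARTEXT", proto))
    wide = sorted(p for p, src in matched.items() if src == "any")
    if wide:
        findings.append(("ANY_SOURCE", ",".join(wide)))
    for acl in open_acls:
        findings.append(("ACL_PERMIT_ANY", acl))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("tight", TIGHT_CONFIG)):
        for appliance in (False, True):
            kind = "ACE 4710" if appliance else "ACE module"
            print(label, kind, audit(cfg, appliance=appliance))
```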
Enabling SNMP Polling from ANM
You can enable SNMP polling of network events from ANM. The ACE requires the Admin context to be configured with a management IP with a suitable management policy that permits SNMP traffic. All other contexts can be polled using this Admin context management IP. For more information, see "Configuring Virtual Contexts," Chapter 5 in the online help or the User Guide for the Cisco Application Networking Manager 3.0.
Note
To send SNMP traps to ANM, configure the SNMP trap host to the ANM server, so that it can receive traps from ANM.
Adding Network Elements into Cisco Application Networking Manager
You can add the following modules, switches, routers, and network elements individually to the ANM database:
• ACE appliances
• ACE modules
• Catalyst 6500 series switch
• Cisco 7600 series routers
• Cisco Content Services Switches (CSS network elements)
• Cisco Content Switching Modules (CSMs)
• Cisco Global Site Selectors (GSS network elements)
Note
To import your ACE modules and appliances successfully, you must ensure the following:
• The ACE module or CSM has booted successfully and is in the OK/Pass state (use the show module Cisco IOS command).
• The ACE 4710 or the CSS state is up and running. There is no command to validate whether these network elements are up and running.
This section includes the following topics:
• Adding Modules, Switches, Routers, and Other Network Elements to ANM
• Adding ACE Modules to ANM
• Importing Cisco Content Switching Modules
• Importing Cisco Global Site Selectors
Adding Modules, Switches, Routers, and Other Network Elements to ANM
ANM allows you to add ACE appliances, Catalyst 6500 series chassis, Cisco 7600 series routers, CSS, and GSS network elements individually to its database instead of or in addition to running discovery and importing them from the Discovery Jobs table. To import modules, see the "Adding ACE Modules to ANM" section. To import CSM network elements, see the "Importing Cisco Content Switching Modules" section.
The amount of time that it takes to import network elements depends on the number of appliances, chassis, modules, and contexts that you are importing. For example, an ACE appliance with 50 virtual contexts takes longer than an ACE appliance with 25 contexts. While ANM imports network elements, you cannot perform other activities in the same session. You can, however, establish a new session with the ANM server and perform activities on other appliances, chassis, modules, or virtual contexts while ANM imports network elements.
To add ACE appliances and other supported network elements individually to the ANM database, follow these steps:
Step 1
Choose Config > Devices > All Devices. The All Devices table appears.
Step 2
In the device tree or in the All Devices table, click Add. The New Device window appears.
Step 3
Enter the information for the network element using the information in Table 4-1.
Table 4-1 New Device Attributes
| Field | Description |
| Name | Unique name for the device. Valid entries are unquoted text strings with no spaces and a maximum of 26 alphanumeric characters. |
| Model | Type of device to import: • ACE 4710—An ACE 4710 appliance. • CSS—A Cisco Content Services Switch. • Cisco IOS Device—A supported Catalyst 6500 series chassis, Cisco 7600 series router, or VSS device. • GSS—A high end device that monitors the health and load of the server load balancers in each of your data centers and then uses that information along with customer-controlled routing algorithms to choose the best-suited and least-loaded data center in real time. |
| Primary IP | IP address for the device in dotted-decimal format. |
| Access Protocol | Field that appears when you select CSS, GSS or IOS Device for the model. Choose Secure/SSH2 or Telnet as the protocol that ANM uses to access the device for Cisco IOS devices. GSS uses Secure/SSH2 (that is the only option that appears). |
| User Name | Account name for device access. Note If you did not configure an account on the chassis before starting this procedure, you can enter an alphanumeric string with no spaces to complete this procedure. However, we recommend that you configure an account on the device to prevent unauthorized access. |
| Password | Password for the account. |
| Enable Password | Field that appears for Catalyst 6500 series chassis, Cisco 7600 series routers, and GSS devices for an extra level of security. |
| SNMP v2c Enabled | Field that appears for Catalyst 6500 series chassis, Cisco 7600 series routers, and CSS. Check the SNMP v2c Enabled checkbox to configure SNMP access. |
| SNMP v2c Read-Only Community String | SNMPv2c community string to be used. |
| Description | Field that appears if you check the SNMP v2c Enabled checkbox. Enter the community string for the device. Note If you are adding a Catalyst 6500 series chassis, in the Community field, enter the SNMP community string already configured on the Catalyst 6500 series chassis. ANM uses this string to query device status information such as VLAN and interface status. This SNMP community string is also used for any CSM modules contained in the specified Catalyst 6500 series chassis. For Catalyst 6500 series chassis, CSS, and CSM devices, the SNMP community string already configured on the device is used by ANM for polling. For ACE modules and ACE appliances, the SNMP community string entered into ANM is configured on the ACE module/appliance and is used for polling the devices. |
Step 4
Do one of the following:
• Click Next to save your entries and import network element information. If no ACE modules are associated with the network element, a progress bar reports the status, and the All Devices table refreshes with updated information. If ACE modules are associated with the network element, a progress bar reports the status, and the Modules configuration window appears. Skip to Step 5.
• Click Cancel to exit the procedure without saving your entries and to return to the All Devices table. Clicking Cancel prevents network element information from being imported and prevents ACE module discovery.
Step 5
In the Modules window, you can either import the current module or click Next to skip this module and continue with the next module.
Step 6
To import a module, in the Card Slot field, confirm that the correct module appears.
Step 7
In the Card Type field, confirm that the correct network element type appears.
Note
The network element version supported will also appear, but only by major release. For example, 8.2x might be supported but only 8.2 will display.
You will see but cannot revise the Module has been imported into ANM field. Confirm that the checkbox is checked to indicate that the module has already been imported or cleared to indicate that it has not been imported. This is a read-only field.
Step 8
In the Operation to Perform field, choose one of the following:
• Import—Allows ANM to import the ACE module configuration. Skip to Step 9.
• Perform initial setup and import—Allows you to perform the initial setup manually required for ANM to communicate with the ACE module and to import the ACE module configuration. Skip to Step 10.
Note
We recommend that you choose Perform initial setup and import for ACE modules configured only with factory defaults.
Step 9
If you choose Import, enter the following information:
a. In the Admin Context IP field, enter the IP address to use for this module.
b. In the Username field, enter the username for accessing this module.
c. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field.
d. Skip to Step 11.
Step 10
If you choose Perform initial setup and import, enter the following information:
a. In the Hostname field, enter a unique name for this module. Valid entries are alphanumeric strings with no spaces and a maximum of 32 characters.
b. In the Admin Context IP field, enter the IP address for this module.
c. In the Netmask field, from the pulldown menu, choose the subnet mask to apply to this IP address.
d. In the Gateway field, enter the IP address of the gateway router to use.
e. In the VLAN field, choose the VLAN to which this module belongs.
Step 11
Specify whether the ACE blade is configured with the factory-default admin credentials (admin/admin) as follows:
• If you have changed the default admin credentials, in the Username and Password fields, enter the new network element credentials.
• If you have not changed the default admin credentials (admin/admin), in the Username and Password fields, enter the new credentials on the ACE.
Note
For security reasons, we recommend that you change the username and password on your ACE appliance (and modules) after you import them. You can compromise security on your ACE module if you do not change the username and password, because they are configured to be the same for every ACE module shipped from Cisco. See the "Changing ACE Module Passwords" in the online help or in Chapter 4, "Adding and Managing Devices," of the User Guide for the Cisco Application Networking Manager 3.0 for more information.
Step 12
Do one of the following:
• Click OK to save your entries and to continue with the network element configuration. A progress bar reports the status and the Device configuration window appears. See "Adding and Managing Devices" in the online help or Chapter 4 of the User Guide for the Cisco Application Networking Manager 3.0.
• Click Cancel to exit the procedure without importing the ACE modules and to return to the All Devices table.
Note
Clicking Cancel in this window does not cancel the chassis importing process.
Step 13
Confirm that the virtual contexts on the ACE were successfully imported into ANM:
a. Choose Config > Devices. The device tree appears.
b. In the device tree, choose the ACE that you just imported. The Virtual Contexts table appears, listing the contexts for that network element.
c. Confirm that the contexts imported successfully:
– If OK appears in the Config Status column, the context imported successfully.
– If Import Failed appears in the Config Status column, the context did not import successfully.
d. Synchronize the configurations for the context import that failed by choosing the context and then clicking Sync. ANM will synchronize the context by uploading it from the ACE appliance.
For more information on synchronizing virtual contexts, see the "Synchronizing Virtual Context Configurations" in the online help or in Chapter 5, "Configuring Virtual Contexts," of the User Guide for the Cisco Application Networking Manager 3.0.
Note
If you receive authentication errors or incorrect username/password errors when trying to import ACE modules and appliances, see the ACE documentation regarding username and password settings and limitations on cisco.com at:
http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html.
Adding ACE Modules to ANM
You can add ACE modules into the ANM database at any time after the host chassis, VSS, or router has been added.
Before You Begin
• Ensure that the module to be imported has booted successfully and is in OK/Pass state. To check the module state, enter the show module Supervisor IOS CLI command.
• Note that the time needed to import ACE modules depends on the number of modules and contexts that you are importing. For example, an ACE module with 20 virtual contexts takes longer than an ACE module with 5 contexts. While ANM imports the module, you cannot perform other activities in the same session. You can, however, establish a new session with the ANM server and perform activities on other devices, modules, or virtual contexts.
• If you receive authentication errors or incorrect username/password errors when you try to import an ACE module, see the ACE documentation regarding username and password settings and limitations.
• If you physically replace an ACE module in a chassis, you need to synchronize the chassis in ANM. We recommend you start by adjusting syslog settings to facilitate the ANM auto synchronization process as described in the "Enabling a Setup Syslog for Autosync for Use With an ACE" section of the online help system or the User Guide for the Cisco Application Networking Manager 3.0.
Assumptions
• You have added to the ANM database at least one host chassis, VSS, or router that contains the ACE modules. For information about adding the host device, see the "Adding Devices to ANM" section of the online help system or the User Guide for the Cisco Application Networking Manager 3.0.
Restrictions
ANM 3.0 and greater releases do not support the importing of an ACE module that contains an A1(6.x) software release or an ACE appliance that contains an A1(7.x) or A1(8.x) software release. If you attempt to import an ACE that supports one of these releases, ANM displays a message to instruct you that it failed to import the unrecognized ACE configuration and that device discovery failed.
However, if you perform an ANM upgrade (for example, from ANM 2.2 to ANM 3.0), and the earlier ANM release contained an inventory with an ACE module that supported the A1(6.x) software release or an ACE appliance that supported the A1(7.x) or A1(8.x) software release, ANM 3.0 (and greater) allows the A1(x) software release to reside in the ANM database and will support operations for the release. ANM prevents a new import of an ACE module or ACE appliance that contains the unsupported software version.
We strongly recommend that you upgrade your ACE module or ACE appliance to a supported ACE software release, and that you instruct ANM to recognize the updated release. See the "Instructing ANM to Recognize an ACE Module Software Upgrade" section.
See the Supported Device Tables for the Cisco Application Networking Manager 3.0 for a complete list of supported ACE module and ACE appliance software releases.
Step 1
Choose Config > Devices > All Devices. The All Devices table appears.
Step 2
From the All Devices table, choose the network element that contains the ACE module you want to import, and then click Modules. The Modules table appears displaying the fields noted in the following steps.
Step 3
Choose the module you want to import, and then click Import. The Modules configuration window appears.
Step 4
In the Card Slot field, confirm that the correct module appears.
Step 5
In the Card Type field, confirm that the correct version appears.
Step 6
In the Operation to Perform field, choose one of the following import options:
•
Import—ANM allows you to import the ACE module configuration. Skip to Step 7.
•
Perform initial setup and import—ANM allows you to provide the ACE module with a prediscovery configuration file and then import the ACE module configuration. Choose this option only if the ACE module has never been configured before. Specify whether the ACE blade is configured with the factory-default admin credentials (admin/admin):
–
If you have changed the default admin credentials, in the Username and Password fields, enter the new network element credentials.
–
If you have not changed the default admin credentials (admin/admin), in the Username and Password fields, enter new admin credentials, and ANM will configure the credentials on the ACE.
Skip to Step 8.
Step 7
If you choose Import, enter the following information:
a.
In the Admin Context IP field, enter the IP address to use for this module.
b.
In the Username field, enter the username for accessing this module.
c.
In the Password field, enter the password for accessing this module.
Note
For security reasons, we recommend that you change the username and password on your ACE appliance (and modules) after you import them. You can compromise security on your ACE module if you do not change the username and password, because they are configured to be the same for every ACE module shipped from Cisco. See the "Changing ACE Module Passwords" section in the online help or in Chapter 4, "Adding and Managing Devices," of the User Guide for the Cisco Application Networking Manager 3.0 for more information.
Step 8
If you chose Perform Initial Setup And Import, enter the following information:
a.
In the Hostname field, enter a unique name for the module. Valid entries are alphanumeric strings with no spaces and a maximum of 32 characters.
b.
In the Admin Context IP field, enter the IP address for the module.
c.
In the Netmask field, from the pulldown menu, choose the subnet mask to apply to the IP address.
d.
In the Gateway field, enter the IP address of the gateway router.
e.
In the VLAN field, choose the VLAN to which the module belongs.
Step 9
Do one of the following:
•
Click OK to save your entries. A progress bar reports the status and the Modules table refreshes with updated information.
•
Click Cancel to exit the procedure without importing the module and to return to the Modules table.
Step 10
Confirm that the virtual contexts on the module were successfully imported into ANM:
a.
Choose Config > Devices. The device tree appears.
b.
From the device tree, choose the module that you just imported. The Virtual Contexts table appears, listing the contexts for that module.
c.
Confirm that the contexts imported successfully:
–
If OK appears in the Config Status column, the context imported successfully.
–
If Import Failed appears in the Config Status column, the context did not import successfully.
d.
Synchronize the configurations for the context import that failed by choosing the context, and then clicking Sync. ANM will synchronize the context by uploading it from the module.
For more information on synchronizing virtual contexts, see the "Synchronizing Virtual Context Configurations" section in the online help or in Chapter 5, "Configuring Virtual Contexts," of the User Guide for the Cisco Application Networking Manager 3.0.
Instructing ANM to Recognize an ACE Module Software Upgrade
After you import an ACE module into the ANM database and the ACE module software version has been upgraded on Cisco.com, perform the procedure outlined in this section to enable ANM to recognize the updated release and display features and functions in the ANM GUI that are appropriate for the latest ACE module software release.
For example, if an imported ACE module contains software release A2(2.1), and you wish to upgrade to software release A2(3.0) to take advantage of features such as backup and restore, you must perform the steps outlined below to instruct ANM to recognize the upgraded ACE module software version and display the features and functions associated with this release. If you do not instruct ANM to recognize an ACE module software upgrade, the ACE module import will occur without issue but the new features and functions associated with a specific ACE module software release will not appear in the ANM GUI.
Assumption
You have added at least one host chassis, VSS, or router that contains the ACE modules to the ANM database. For information about adding the host device, see the "Adding Devices to ANM" section of the online help system or the User Guide for the Cisco Application Networking Manager 3.0.
Procedure
Step 1
When you upgrade an ACE module software image, after you complete the upgrade process perform a CLI sync on the chassis, VSS, or router that contains the ACE module. Perform the procedure outlined in the "Synchronizing Chassis Configurations" section of the online help system or the User Guide for the Cisco Application Networking Manager 3.0.
Step 2
After you complete the CLI sync, whenever ANM detects an upgrade on an imported ACE module, ANM issues a warning to instruct you to perform a CLI sync on the ACE module to recognize the upgrade. Perform the procedure outlined in the "Synchronizing Module Configurations" section of the online help system or the User Guide for the Cisco Application Networking Manager 3.0.
The ACE software upgrade sequence is completed.
Importing Cisco Content Switching Modules
You can import CSM network elements into the ANM database at any time after the chassis or routers have been imported.
Note
ANM assigns the network element type CSM to both CSM and CSM-S network elements. This assignment has to do with how ANM collects and assigns the information that it receives from the network element and does not affect functionality. To differentiate between these network elements, see the description information in the user interface.
To import CSMs, follow these steps:
Step 1
Choose Config > Devices > All Devices. The All Devices table appears.
Step 2
From the All Devices table, choose the network element containing the CSM that you want to import, and then click Modules. The Modules table appears.
Step 3
From the Modules table, choose the CSM that you want to import, and then click Import. The Modules configuration window appears.
Step 4
Verify that the information is correct in the following read-only fields:
•
Card Slot—The slot in the chassis in which the module resides.
•
Card Type—The network element type; in this instance, CSM.
•
Module has been imported into ANM—Checkbox that is checked to indicate that the module has already been imported or cleared to indicate that it has not been imported.
Step 5
In the Operation to Perform field, choose Import.
Step 6
Do one of the following:
•
Click OK to save your entries. A progress bar reports the status and the Modules table refreshes with updated information.
•
Click Cancel to exit the procedure without importing the network element and to return to the Modules table.
Importing Cisco Global Site Selectors
You can import GSS network elements into the ANM database. To import GSS network elements, follow these steps:
Step 1
Choose Config > Devices > All Devices. The All Devices table appears.
Step 2
From the All Devices table, choose the Add button. The New Device page appears.
Step 3
From the New Device page, configure the network element using the information in Table 4-2.
Table 4-2 GSS Configuration Options
| Field | Description |
|---|---|
| Name | Name assigned to the network element. |
| Model | Pulldown menu from which you can choose GSS. |
| Primary IP Address | Read-only field with the network element IP address. |
| User Name | Field that displays any other GSS network elements that have been imported into the ANM database. |
| Password | Field that allows you to specify a password for this user account (configurable, based on minimum and maximum values defined). |
| Enable Password | Field that appears for Catalyst 6500 series chassis, Cisco 7600 series routers, CSS, and GSS network elements to provide an extra level of security. |
| Description | Field that allows you to enter a brief description for this network element. |
Step 4
Do one of the following:
•
Click OK to save your entries. A progress bar reports the status and the Modules table refreshes with updated information.
•
Click Cancel to exit the procedure without importing the network element and to return to the Modules table.
Information About GSS Firewall Deployment
When you configure your GSS for deployment behind a firewall, you must allow DNS traffic into the network element. If you have multiple GSS network elements deployed so that traffic between the network elements must pass through a firewall, configure the firewall to allow inter-GSS communications and inter-GSS status reporting. Depending on your GSS configuration, you can also allow other traffic to pass through the firewall. This requirement depends on your GSS configuration (for example, if you are using TCP-based or KAL-AP keepalives) and the ability to access certain GSS services through the firewall (for example, SNMP).
The GSS does not support deployment of network elements behind a NAT for inter-GSS communication. The communication between the GSS network elements cannot include an intermediate network element behind a NAT because the actual IP address of the network elements is embedded in the payload of the packets. For more information, see the GSS documentation at http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_support_series_home.html.
Table 4-3 lists the TCP ports that are used by ANM to communicate with GSS.
Table 4-3 TCP Ports Used by ANM for GSS
| Port | Description |
|---|---|
| 22 | SSH |
| 2001 | Java RMI |
| 3002 | Java RMI |
| 3003 | Secure RMI |
| 3004 | Secure RMI |
| 3005 | Secure RMI |
| 3006 | Secure RMI |
| 3007 | Secure RMI |
| 3008 | Secure RMI |
Enabling syslog Messages from the ACE
You can set autosynchronization to occur when a network element receives a syslog message. Rather than wait for the default polling period, ANM will synchronize when a syslog message is received if you enable Setup Syslog for Autosync.
To have ANM receive syslog messages for a virtual context, follow these steps:
Step 1
Choose Config > Devices > Setup Syslog for Autosync. The Setup Syslog for Autosync window appears.
Step 2
Choose either All VC or the ACE with the virtual context configuration for which you want to receive Autosync syslog messages. A progress bar window appears.
A checkbox with a checkmark will appear in the Setup Syslog for Autosync? column for each virtual context and ACE appliance that you checked.
Step 3
From the Setup Syslog for Autosync window, click Setup Syslog.
The following CLI commands are sent to the enabled network elements:
logging enable
logging trap 2
logging device-id string <ACE-Ip>/Admin
logging host <ANM-Ip> udp/514
logging message 111008 level 2
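To confirm later that a context still carries the five commands listed above, the following Python check (an added example, not ANM code or part of the original guide) compares a saved configuration against them and reports when the trap threshold would filter out message 111008. The sample configurations, the 192.0.2.x addresses, and the function names are constructed; the check relies on the standard Cisco rule that logging trap N forwards severities 0 through N.

```python
import re

# Constructed context configurations; 192.0.2.x addresses are documentation examples.
GOOD = """\
logging enable
logging trap 2
logging device-id string 192.0.2.20/Admin
logging host 192.0.2.10 udp/514
logging message 111008 level 2
"""
DRIFTED = """\
logging enable
logging trap 1
logging device-id string 192.0.2.20/Admin
logging host 192.0.2.99 udp/514
logging message 111008 level 2
"""

def _level(lines, pattern):
    """Severity number from the last line that fully matches pattern, else None."""
    hits = [m for m in (re.fullmatch(pattern, line) for line in lines) if m]
    return int(hits[-1].group(1)) if hits else None

def check_autosync_logging(config_text, ace_ip, anm_ip):
    """Compare a context's logging lines with the five commands ANM sends."""
    lines = [" ".join(raw.split()) for raw in config_text.splitlines() if raw.strip()]
    findings = []
    for wanted in ("logging enable",
                   f"logging device-id string {ace_ip}/Admin",
                   f"logging host {anm_ip} udp/514"):
        if wanted not in lines:
            findings.append(f"missing: {wanted}")
    # Syslog hosts other than the ANM server are reported for review, not as errors.
    for line in lines:
        if line.startswith("logging host ") and line.split()[2] != anm_ip:
            findings.append(f"other syslog host configured: {line}")
    trap = _level(lines, r"logging trap (\d)")
    msg = _level(lines, r"logging message 111008 level (\d)")
    if trap is None:
        findings.append("missing: logging trap 2")
    if msg is None:
        findings.append("missing: logging message 111008 level 2")
    # Lower number = more severe; "logging trap N" forwards severities 0..N only.
    if trap is not None and msg is not None and msg > trap:
        findings.append(f"message 111008 is level {msg} but trap forwards only 0-{trap}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, check_autosync_logging(cfg, "192.0.2.20", "192.0.2.10"))
```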
After populating ANM with the desired chassis, modules, and appliances, you can do the following:
•
Configure virtual contexts for managing resources, users, and services. See "Using Virtual Contexts" in the online help or in Chapter 5, "Configuring Virtual Contexts," of the User Guide for the Cisco Application Networking Manager 3.0.
•
Set up configuration templates for implementation on your network. See Chapter 15, "Using Configuration Building Blocks," in the online help or the User Guide for the Cisco Application Networking Manager 3.0.
•
Configure resource classes for effective management of resources. See the "Using Resource Classes" section in Chapter 5, "Configuring Virtual Contexts," in the online help or the User Guide for the Cisco Application Networking Manager 3.0.
•
Add users. See Chapter 7, "Administering the Application Networking Manager," in the online help or the User Guide for the Cisco Application Networking Manager 3.0.
•
Back up your data. See the "Backing Up and Restoring Data" section on page 5-10.
For a summary of ANM features, see Chapter 1, "Cisco Application Networking Manager Overview" in the online help or the User Guide for the Cisco Application Networking Manager 3.0.
Changing Configuration Values After Installing Cisco Application Networking Manager
After you install ANM, you can reconfigure ANM ports and some other ANM configuration properties.
Caution 
If you enable HTTP, you are making your connection to ANM less secure.
To reconfigure ports or other ANM configuration properties, follow these steps:
Step 1
From the Linux command line, log in as the root user as described in the "Becoming the Root User" section on page 1-5.
Step 2
From the command line, enter one of the following:
•
For a standard configuration change, enter the /opt/CSCOanm/bin/anm-tool configure command.
•
To switch from an HA to a non-HA system configuration, enter the /opt/CSCOanm/bin/anm-tool --ha=0 configure command.
•
To switch from a non-HA to an HA system configuration, enter the /opt/CSCOanm/bin/anm-tool --ha=1 configure command.
The "Keep existing ANM configuration? [y/n]" message appears.
Step 3
Enter n.
A message displays with the same configuration information that was presented during installation.
Step 4
For each configuration property, the current value displays in square brackets.
Do one of the following:
•
To accept the value for a configuration property, press Enter.
•
To change a configuration property, enter the appropriate information.
When you have accepted or changed all of the configuration property values, a list of all the properties appears and the "Commit these values? [y/n/q]" message appears.
Note
For details about the specific ports that ANM uses for its processes, see the "ANM Ports Reference" section.
Step 5
Do one of the following:
•
To accept the value and restart ANM, enter y for yes.
•
To go through the list of configuration properties again, enter n for no.
•
To retain the original property values and exit the configuration session, enter q.
If you receive errors when attempting to change the HA properties configuration values, check the host ID to be sure the active and standby values are not switched.
Step 6
Restart ANM to apply the changes to the properties file. For more information, see the "Stopping Cisco Application Networking Manager" section on page 5-8 and the "Starting Cisco Application Networking Manager" section on page 5-6.
Example ANM Standalone Configuration Session
The following is an example of a configuration session for an ANM standalone system. The values shown in the brackets are the currently configured values.
/opt/CSCOanm/bin/anm-tool configure
Checking ANM configuration files
Keep existing ANM configuration? [y/n]: n
Creating config file (/opt/CSCOanm/etc/cs-config.properties)
Enable HTTP for Web Server [true]:
Inbound Port for HTTP traffic to ANM Default [80]:
Enable HTTPS for Web Server [true]:
Inbound Port for HTTPS traffic to ANM Default [443]:
Enable HTTP for Web Server: true
Inbound Port for HTTP traffic to ANM Default: 80
Enable HTTPS for Web Server: true
Inbound Port for HTTPS traffic to ANM Default: 443
Commit these values? [y/n/q]: y
Committing values ... done
Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt
Stopping monit services (/etc/monit.conf) ... (0)
Stopping monit ... Stopped
Stopping heartbeat ... Stopped
Installing system configuration files
Backing up //opt/CSCOanm/etc/my-local.cnf
Setting service attributes
Enabling mysql for SELinux
setsebool: SELinux is disabled.
Service monit is started by OS at boot time
Starting mysql ... Started
Checking mysql user/password
Disabling mysql replication
Starting monit ...Starting monit daemon with http interface at [*:2812]
Example ANM HA Configuration Session
The following is an example of a configuration session for an ANM HA system. Non-HA systems will not contain any HA properties but will include a limited property value configuration. The values shown in the brackets are the currently configured values.
/opt/CSCOanm/bin/anm-tool configure
Configuring ANM
Checking ANM configuration files
Keep existing ANM configuration? [y/n]: n
Creating config file (/opt/CSCOanm/etc/cs-config.properties)
Enable HTTP for Web Server [false]: true
Inbound Port for HTTP traffic to ANM Default [80]: 80
Enable HTTPS for Web Server [true]:
Inbound Port for HTTPS traffic to ANM Default [443]:
Database Password [nI4ewPbmV51S]: passme
HA Node 1 UName []: anm49.cisco.com
HA Node 2 UName []: anm50.cisco.com
HA Node 1 Primary IP [0.0.0.0]: 10.77.240.126
HA Node 2 Primary IP [0.0.0.0]: 10.77.240.100
HA Node 1 HeartBeat IP [0.0.0.0]: 10.10.10.1
HA Node 2 HeartBeat IP [0.0.0.0]: 10.10.10.2
HA Virtual IP [0.0.0.0]: 10.77.240.101
HA Node ID [1 or 2] []: 1
Enable HTTP for Web Server: true
Inbound Port for HTTP traffic to ANM Default: 80
Enable HTTPS for Web Server: true
Inbound Port for HTTPS traffic to ANM Default: 443
Database Password: passme
HA Node 1 UName: anm49.cisco.com
HA Node 2 UName: anm50.cisco.com
HA Node 1 Primary IP: 10.77.240.126
HA Node 2 Primary IP: 10.77.240.100
HA Node 1 HeartBeat IP: 10.10.10.1
HA Node 2 HeartBeat IP: 10.10.10.2
HA Virtual IP: 10.77.240.101
Commit these values? [y/n/q]: y
Committing values ... done
Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt
Stopping services
Stopping monit services (/etc/monit.conf) ... (0)
Stopping monit ... Stopped
Stopping heartbeat ... Stopped
Installing system configuration files
Setting service attributes
Enabling mysql for SELinux
Service monit is started by OS at boot time
Starting mysql ... Started
Configuring mysql
Checking mysql user/password
Setting mysql privileges
Enabling mysql replication
Setting up database
executing /opt/CSCOanm/lib/install/etc/dcmdb.sql ... done
Starting services
Starting monit ... Started
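The HA session above echoes the database password in clear text and shows HTTP being switched on, which the Caution in this section warns makes the connection to ANM less secure. The following Python sketch is an added example, not part of ANM or the original guide: it parses a transcript in that format, flags the committed values worth reviewing, and masks password values before the transcript is stored. The sample transcript, its values, and the function names are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^([^?]+) \[([^\]]*)\]:\s*(.*)$")   # "Name [current]: typed"
SUMMARY = re.compile(r"^([^\[\]?]+?): (.*)$")            # "Name: committed"
PASSWORD = re.compile(r"^([ \t]*[^:\[\n]*Password)( \[[^\]\n]*\])?:.*$", re.M)

# Constructed transcript in the format of the HA session above; all values are made up.
SAMPLE = """\
/opt/CSCOanm/bin/anm-tool configure
Keep existing ANM configuration? [y/n]: n
Enable HTTP for Web Server [false]: true
Inbound Port for HTTP traffic to ANM Default [80]:
Enable HTTPS for Web Server [true]:
Database Password [Old-Example-1]: New-Example-2
HA Node 1 Primary IP [0.0.0.0]: 192.0.2.11
HA Node 2 Primary IP [0.0.0.0]: 192.0.2.11
HA Node ID [1 or 2] []: 1
Enable HTTP for Web Server: true
Inbound Port for HTTP traffic to ANM Default: 80
Enable HTTPS for Web Server: true
Database Password: New-Example-2
HA Node 1 Primary IP: 192.0.2.11
HA Node 2 Primary IP: 192.0.2.11
Commit these values? [y/n/q]: y
Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt
"""

def parse_session(text):
    """Return {property: (previous, committed)} from an anm-tool configure transcript."""
    previous, committed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Commit these values?"):
            break                               # the rest is service restart output
        m = PROMPT.match(line)                  # y/n questions contain "?" and never match
        if m:
            key, old, typed = m.groups()
            previous[key] = old
            committed[key] = typed or old       # pressing Enter keeps the bracketed value
        else:
            m = SUMMARY.match(line)
            if m:
                committed[m.group(1)] = m.group(2)   # the summary list is authoritative
    return {k: (previous.get(k, ""), v) for k, v in committed.items()}

def audit(props):
    """Return findings for the committed values; an empty list means nothing was flagged."""
    findings = []
    now = {k: v[1] for k, v in props.items()}
    if now.get("Enable HTTP for Web Server") == "true":
        was = props["Enable HTTP for Web Server"][0]
        state = "turned on in this session" if was == "false" else "left on"
        port = now.get("Inbound Port for HTTP traffic to ANM Default", "?")
        findings.append(f"HTTP {state} on port {port}")
    if now.get("Enable HTTPS for Web Server") != "true":
        findings.append("HTTPS is not enabled")
    for kind in ("Primary IP", "HeartBeat IP"):
        one, two = now.get(f"HA Node 1 {kind}"), now.get(f"HA Node 2 {kind}")
        if one is not None and one == two:
            findings.append(f"HA Node 1 and Node 2 share the same {kind}: {one}")
    return findings

def redact(text):
    """Mask password values so the transcript can be stored in a ticket or log."""
    return PASSWORD.sub(lambda m: m.group(1) + (" [***]" if m.group(2) else "") + ": ***", text)

if __name__ == "__main__":
    print("\n".join(audit(parse_session(SAMPLE))))
    print(redact(SAMPLE))
```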
ANM Ports Reference
ANM uses specific ports for its processes. Figure 4-2 illustrates a typical ANM server deployment in a network. This illustration identifies the protocols and ports used by the different network devices in a typical deployment.
•
Table 4-4 lists the ports used for ANM client (browser) or ANM server and ANM high availability communication.
•
Table 4-5 lists the ports used for communication between ANM and managed devices.
Figure 4-2 ANM Server Deployment
Table 4-4 Ports Used by ANM in a Network Deployment

| Port | Description |
|---|---|
| TCP (80) | Default port if ANM is configured for access using HTTP (using anm-installer). |
| TCP (443) | Default port if ANM is configured for access using HTTPS (using default install option). |
| TCP (3306) | MySQL Database system (ANM HA installation opens this port to communicate with the peer ANM). |
| TCP (10444) and TCP (10445) | ANM License Manager (ANM HA installation opens these two ports to communicate with the peer ANM). |
| TCP (25) | Port used by ANM server to communicate to Email Gateway through SMTP. |
| UDP (162) | Port used by ANM server to send out trap notification to external NMS application. |
Table 4-5 Ports Used by ANM for Communication with Managed Devices
| Device Type | Port | Description |
|---|---|---|
| Chassis (Catalyst 6500 switch or Cisco 7600 router) | SSH (TCP:22) or Telnet (TCP:23) | Discover chassis configuration. |
| ACE (appliance or module) | HTTPS (TCP:443) | For ACE module: XML/HTTPS interface on the device used to discover, configure, and monitor using specific show CLI commands. |
| ACE (appliance or module) | HTTPS (TCP:10443) | For ACE appliance: XML/HTTPS interface on the device used to discover, configure, and monitor using specific show CLI commands. |
| ACE (appliance or module) | SSH (TCP:22) | Discovery and configuration of ACE licenses, certificates/keys (crypto) licensing, scripts, and checkpoints. |
| ACE (appliance or module) | SNMP (UDP:161 & UDP:162) | Monitor ACE through SNMP requests (UDP:161) and receive trap notifications (UDP:162). |
| CSM | SNMP (UDP:161 & UDP:162) | Monitor CSM through SNMP requests (UDP:161) and receive trap notifications (UDP:162). |
| CSS | SSH (TCP:22) or Telnet (TCP:23) | Discover chassis configuration. |
| CSS | SNMP (UDP:161 & UDP:162) | Monitor CSS through SNMP requests (UDP:161) and receive trap notifications (UDP:162). |
| GSS | SSH (TCP:22) | Discover chassis configuration and monitoring operational status of DNS rules and VIP answers. |
| GSS | RMI (TCP:2001 & TCP:3009) | Activate/suspend DNS rules and VIP answers. |