User Guide for the Cisco Application Networking Manager 2.0
Adding and Managing Devices


Revised: 2/18/09

After adding devices to ANM, you can configure them for use in your network. The following topics introduce you to adding and managing your supported network devices:

Device Management Overview

Device Import Overview

Preparing Devices for Import

Adding Network Devices into ANM

Discovering Large Numbers of Devices

Configuring Devices

Configuring Device Role-Based Access Controls

Managing Devices

Synchronizing Module Configurations

Synchronizing Device Configurations

Restarting Device Polling

Configuring User-Defined Groups

Device Management Overview

ANM provides many device management features. You can add devices and then configure them for use in your network. In addition to configuring ports, VLANs, and routes, you can modify and manage device configurations.

Table 2-1 identifies common management categories and related topics.

Table 2-1 Device Management Options

Device Management Activities                          Related Topics

Adding and importing devices                          Device Import Overview
                                                      Preparing Devices for Import
                                                      Adding Network Devices into ANM
                                                      Adding ACE Modules to ANM
                                                      Importing Cisco Content Switching Module (CSM) Devices
                                                      Importing Cisco Global Site Selector (GSS) Devices
                                                      Discovering Large Numbers of Devices

Configuring device attributes                         Configuring Devices
                                                      Configuring CSM Primary Attributes
                                                      Configuring CSS Primary Attributes
                                                      Configuring GSS Primary Attributes
                                                      Configuring Cisco Catalyst Chassis and 7600 Series Router Primary Attributes
                                                      Configuring Device Static Routes
                                                      Viewing and Configuring Device Interfaces
                                                      Managing Device VLANs
                                                      Creating VLAN Groups

Configuring device role-based access control (RBAC)   Configuring Device RBAC Users
                                                      Configuring Device RBAC Roles
                                                      Configuring Device RBAC Domains

Managing devices                                      Synchronizing Device Configurations
                                                      Configuring User-Defined Groups
                                                      Updating Chassis Passwords
                                                      Changing ACE Module Passwords
                                                      Restarting Device Polling
                                                      Viewing All Devices
                                                      Viewing Modules by Chassis
                                                      Removing Modules from the ANM Database


Device Import Overview

The quickest and easiest way to add devices to ANM is to import them individually using the Add function available at Config > Devices. If you already know the device IP address, use this procedure to add your devices to ANM. The terms add and import are interchangeable in this document.

Before you begin importing, you need to set up your network devices so that ANM can communicate with and monitor them.

Perform the following steps to prepare and import devices:

1. Enable SSH access (see Preparing Devices for Import).

2. Import devices (see Adding Network Devices into ANM).

To add large numbers of devices, you can use IP Discovery before importing your devices. This is a multi-step process and not as efficient as using the Add function. IP Discovery shows where devices are, but does not add the devices to ANM. We recommend that you use the Config > Devices > Add function. For details on IP Discovery, see Discovering Large Numbers of Devices.


Note Before importing a device or ACE, the ANM server pings the IP address of the device or ACE. If you have a firewall between the ANM server and the device you want to import, your network administrator needs to modify the firewall to allow the ping traffic to reach the device or ACE.


Preparing Devices for Import

ANM communicates with network devices through SSH and other protocols. You must set up your devices to allow ANM to collect data from them.

ANM uses the following protocols for communication:

For communication to the ACE module and ACE appliance:

XML over HTTPS

Secure Shell (SSH) Protocol V2 (read and write)

SNMP V2C (read-only)

Syslog over User Datagram Protocol (UDP) (inbound notifications only)

For communication to the chassis (Catalyst 6500/Cisco 7600) and CSM/CSM-S:

Secure Shell (SSH) Protocol V2 and Telnet (read and write)

SNMP V2C (read-only)

Syslog over UDP (inbound notifications only)

For communication to the CSS:

Telnet (read and write)

SNMP V2C (read-only)

Syslog over UDP (inbound notifications only)

For communication to the GSS:

Secure Shell (SSH) Protocol V2

RMI over SSL


Note Before you import a GSS device into ANM, you need to set the GSS communication on the GSS Ethernet interface that will be used to import the GSS into ANM. Refer to the Cisco Global Site Selector Command Reference on cisco.com for instructions on using the gss-communications command.


Perform the steps in the following sections to set up your devices:

Enabling SSH or Telnet Access on Cisco Catalyst 6K and 7600 Chassis

Enabling SSH Access and HTTPS Interface on ACE Module and ACE Appliance

Enabling SNMP Polling from ANM


Note Before importing a device or ACE module, the ANM server pings the IP address of the device or ACE module. If you have a firewall between the ANM server and the device you want to import, your network administrator needs to modify the firewall to allow the ping traffic to reach the device or ACE module.



Tip Once you have added devices, see the "Enabling Syslog Messages from the ACE" section to streamline the ANM CLI synchronization process. For more information on supported devices, see the Supported Devices Table for the Cisco Application Networking Manager 2.0.


Enabling SSH or Telnet Access on Cisco Catalyst 6K and 7600 Chassis

You can choose to use Telnet or SSH to import a Catalyst 6K or 7600 device in ANM. Telnet is enabled by default on the Catalyst chassis. If you have disabled Telnet on the device, you must enable it to perform "Initial Setup and import" of an ACE module. If you want to import an ACE module directly into ANM, Telnet is not mandatory on a Catalyst 6K device.

If you use SSH to communicate with the device:

SSH2 must be enabled on the chassis, as well as the ACE appliance, in order for the ANM to add device information about the chassis.

The chassis must have a K9 (Triple Data Encryption Standard [3DES]) software image in order to enable the SSH server. The ANM requires SSH2 to be enabled on the chassis.

The following table identifies the commands needed to enable SSH2 on the chassis. Comments explain why entries are needed:

Command                                              Comment
ip ssh version 2                                     Enables SSH version 2
ip domain-name abc.com
crypto key generate rsa general-keys modulus 1024    Generates the key
username <username> password <password>              Enter the username and password.
line vty 0 4                                         This is an example only. These commands work for Cisco IOS
session-timeout 60                                   12.2.18SXF(10), but not for 12.2.18SXF(8).
login local
transport input telnet ssh                           Allows SSH and Telnet to the chassis
transport output telnet ssh                          Allows chassis to SSH and Telnet into the ACE module


Enabling SSH Access and HTTPS Interface on ACE Module and ACE Appliance

ANM uses SSH and XML over HTTPS to communicate with the ACE devices (modules and ACE 4710 appliances). You need to enable both SSH access and HTTPS as explained in this section. These settings can be enabled during device import as described in Adding Network Devices into ANM, or in CLI as shown below. If ANM does the initial ACE setup, then that is taken care of transparently.


Note Make sure that the management policy applied on the management interface permits SSH.


The following example details how to set up SSH and HTTPS on the ACE to allow access by ANM. Comments explain why entries are needed. Issue the following commands in config mode in the Admin context.


Tip If the ACE module or appliance is new and retains its factory settings, you do not need to issue these commands; SSH is enabled in bareblade configurations. If the ACE appliance does not have its factory settings, use the following commands in the Admin context.


Command                                                 Comment
ssh key rsa 1024 force                                  Configures SSH access on the ACE.
access-list acl line 10 extended permit ip any any
class-map type management match-any ANM_management      Needed by ANM for discovery.
                                                        The following comments apply to the line number specified before the command text in the left column:
  2 match protocol ssh any                              Line 2 classifies SSH traffic.
  3 match protocol telnet any
  4 match protocol https any                            Line 4 is needed by ANM for making configuration changes on the ACE.
  5 match protocol snmp any                             Line 5 is needed by ANM for periodic statistics.
  6 match protocol icmp any                             Line 6 is not mandatory but useful for network and route validation.
  7 match protocol xml-https                            Line 7 is needed only for ACE 4710 devices.
policy-map type management first-match ANM_management   Allows protocols matched in management class map
  class ANM_management
    permit
interface vlan 30                                       This is a management interface with the ACL, and defines the management service policy.
  ip address 192.168.65.131 255.255.255.0               This is not recommended as a client or server interface.
  access-group input acl
  service-policy input ANM_management
  no shutdown
username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
                                                        Defined by the administrator.
ip route 0.0.0.0 0.0.0.0 192.168.0.1                    Default route (or appropriate route) for traffic to reach ANM using the management interface, if ANM is not on the same subnet


For more information on configuring SSH access on ACE modules, see the Cisco Application Control Engine Module Administration Guide on Cisco.com.
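
Added example (not part of the Cisco guide): a short Python audit that reads configuration text like the chassis and ACE command tables above and flags the management-plane settings a reviewer would revisit once import works: RSA keys under 2048 bits, Telnet on the vty lines or in the management class map, management protocols open to any source, and a permit-any ACL. The 2048-bit floor, the rule names, and the sample layout are assumptions of this example.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    detail: str


MIN_RSA_BITS = 2048  # assumption: local policy floor, not a value from the guide

# Constructed samples: the commands from the guide's two tables laid out as
# config text (indentation added; the username/password lines are left out).
CHASSIS_SAMPLE = """\
ip ssh version 2
ip domain-name abc.com
crypto key generate rsa general-keys modulus 1024
line vty 0 4
 session-timeout 60
 login local
 transport input telnet ssh
 transport output telnet ssh
"""

ACE_SAMPLE = """\
ssh key rsa 1024 force
access-list acl line 10 extended permit ip any any
class-map type management match-any ANM_management
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol icmp any
  7 match protocol xml-https
policy-map type management first-match ANM_management
  class ANM_management
    permit
interface vlan 30
  ip address 192.168.65.131 255.255.255.0
  access-group input acl
  service-policy input ANM_management
  no shutdown
"""

# Constructed chassis variant for a site that imports ACE modules directly,
# so Telnet ("Initial Setup and import" only, per the guide) is not needed.
CHASSIS_SSH_ONLY = """\
ip ssh version 2
ip domain-name abc.com
crypto key generate rsa general-keys modulus 2048
line vty 0 4
 session-timeout 60
 login local
 transport input ssh
 transport output ssh
"""

RSA_RE = re.compile(r"^(?:crypto key generate rsa\b.*\bmodulus|ssh key rsa)\s+(\d+)")
TRANSPORT_RE = re.compile(r"^transport (input|output)\s+(.+)$")
ACL_RE = re.compile(r"^access-list (\S+) .*\bpermit ip any any\b")
MATCH_RE = re.compile(r"^(?:\d+\s+)?match protocol (\S+)(?:\s+(\S+))?")


def audit_config(text):
    """Return a list of Finding for management-plane settings worth reviewing."""
    findings = []
    in_mgmt_class = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new stanza
            in_mgmt_class = line.startswith("class-map type management")
        if m := RSA_RE.match(line):
            bits = int(m.group(1))
            if bits < MIN_RSA_BITS:
                findings.append(Finding(no, "RSA-KEY-SIZE",
                    f"{bits}-bit RSA key; regenerate with at least {MIN_RSA_BITS} bits"))
        elif m := TRANSPORT_RE.match(line):
            if "telnet" in m.group(2).split():
                findings.append(Finding(no, "VTY-TELNET",
                    f"Telnet allowed for vty transport {m.group(1)}; needed only "
                    "for 'Initial Setup and import' of an ACE module"))
        elif m := ACL_RE.match(line):
            findings.append(Finding(no, "ACL-PERMIT-ANY",
                f"access-list '{m.group(1)}' permits all IP traffic; scope it to "
                "the ANM server and the protocols ANM uses"))
        elif in_mgmt_class and (m := MATCH_RE.match(line)):
            proto, source = m.group(1), m.group(2)
            if proto == "telnet":
                findings.append(Finding(no, "MGMT-TELNET",
                    "Telnet is not among the protocols the guide lists for "
                    "ANM-to-ACE communication"))
            elif source == "any":
                findings.append(Finding(no, "MGMT-ANY-SOURCE",
                    f"{proto} management access is open to any source; limit it "
                    "to the ANM server address"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("chassis", CHASSIS_SAMPLE), ("ace", ACE_SAMPLE)):
        for f in audit_config(cfg):
            print(f"{name}:{f.line_no}: [{f.rule}] {f.detail}")
```
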

Enabling SNMP Polling from ANM

In order for SNMP polling to be successfully performed by ANM:

ACE 1.0 modules require a management IP with a suitable management policy that permits SNMP traffic on every context that needs to be polled.

ACE 2.0 modules require the Admin context to be configured with a management IP with a suitable management policy that permits SNMP traffic. All other contexts can be polled using this Admin context management IP.


Note To send SNMP traps to ANM, configure the SNMP trap host to the ANM server, so that it can receive traps from ANM.


Adding Network Devices into ANM

ANM allows you to add the following devices individually to its database:

ACE appliances

ACE modules

Cisco Catalyst chassis

Cisco 7600 series routers

Cisco Content Services Switch (CSS) devices

Cisco Content Switching Module (CSM) devices

Cisco Global Site Selector (GSS) devices

Adding devices using these procedures is a one-step way to see your devices in the ANM devices table. We recommend that you use this procedure to add your devices instead of running IP Discovery since it is faster and more efficient.


Note In order to import your ACE devices successfully, ensure the following:

The ACE module or CSM has booted successfully and is in the OK/Pass state, as confirmed by the show module Supervisor IOS CLI command.

The ACE 4710 or the CSS state is up and running. There is no command to validate whether these devices are up and running.


Use the following procedures to add devices to the ANM database:

To add ACE appliances, Cisco Catalyst chassis, Cisco 7600 series routers, CSS devices, and GSS devices, see Adding Network Devices into ANM.

To add ACE modules, see Adding ACE Modules to ANM.

To add CSM devices, see Importing Cisco Content Switching Module (CSM) Devices.

To add GSS devices, see Importing Cisco Global Site Selector (GSS) Devices.


Tip Once devices have been added, to enhance the CLI synchronization process between ANM and managed devices, see Enabling Syslog Messages from the ACE.


Adding Devices to ANM

ANM allows you to add ACE appliances, Cisco Catalyst chassis, 7600 series routers, CSS, and GSS devices individually to its database instead of or in addition to running discovery and importing them from the Discovery Jobs table. To import modules, see Adding ACE Modules to ANM. To import CSM devices, see Importing Cisco Content Switching Module (CSM) Devices.


Note The time required to import devices depends on the number of appliances, chassis, modules, and contexts you are importing. For example, an ACE appliance with 50 virtual contexts takes longer than an ACE appliance with 25 contexts. While ANM imports devices, you cannot perform other activities in the same session. You can, however, establish a new session with the ANM server and perform activities on other appliances, chassis, modules, or virtual contexts.


Use this procedure to add ACE appliances and other supported devices individually to the ANM database.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Click Add in the device tree or in the All Devices table. The New Device screen appears.

Step 3 Enter the information for the device using the information in Table 2-2.

Table 2-2 New Device Attributes 

Field
Description

Name

Enter a unique name for the device. Valid entries are unquoted text strings with no spaces and a maximum of 26 alphanumeric characters.

Model

From the pulldown menu, select the type of device to import:

ACE 4710—An ACE 4710 appliance.

CSS—A Cisco Content Services Switch.

Cisco IOS Device—A supported Cisco Catalyst chassis or 7600 series router.

GSS—A high end device that monitors the health and load of the SLBs in each of your data centers and then uses that information along with customer-controlled routing algorithms to select the best-suited and least-loaded data center in real time.

Primary IP

Enter the IP address for the device in dotted-decimal format.

Access Protocol

This field appears when GSS or IOS Device is selected for the model. Select Secure/SSH2 or Telnet as the protocol that ANM uses to access the device for IOS devices. GSS uses Secure/SSH2 (that is the only option that appears).

Username

Enter the account name for device access.

Note If you did not configure an account on the chassis before starting this procedure, you can enter an alphanumeric string with no spaces to complete this procedure. We recommend, however, that you configure an account on the device to prevent unauthorized access.

Password

Enter the password for the account.

Enable Password

This field appears for Cisco Catalyst chassis, 7600 series routers and GSS devices for an extra level of security.

SNMP V2C Enabled

This field appears for Cisco Catalyst chassis, 7600 series routers, and CSS.

Select the check box to configure SNMP access.

Community

This field appears if you select the SNMP V2C check box.

Enter the community string for the device.

Note If you are adding a Cisco Catalyst chassis, in the Community field, enter the SNMP community string already configured on the Cisco Catalyst chassis. ANM uses this string to query device status information such as VLAN and interface status. This SNMP community string is also used for any CSM modules contained in the specified Cisco Catalyst.

For Cisco Catalyst chassis, CSS, and CSM devices, the SNMP community string already configured on the device is used by ANM for polling. For ACE modules and ACE appliances, the SNMP community string entered into ANM is configured on the ACE module/appliance and is used for polling the devices.

Description

Enter a brief description of the device.


Step 4 Click:

Next to save your entries and import device information:

If no ACE modules are associated with the device, a progress bar reports status, and the All Devices table refreshes with updated information.

If ACE modules are associated with the device, a progress bar reports status, and the Modules configuration screen appears. Skip to Step 5.

Cancel to exit the procedure without saving your entries and to return to the All Devices table. Clicking Cancel prevents device information from being imported and prevents ACE module discovery.

Step 5 In the Modules screen, you can either import the current module or click Next to skip this module and continue with the next module.

Step 6 To import a module, in the Card Slot field, confirm that the correct module appears.

Step 7 In the Card Type field, confirm that the correct device type appears.


Note The device version supported will also appear, but only by major release. For example, 8.2x might be supported but only 8.2 will display.


The Module has been imported into ANM field is read-only. Confirm that the check box is selected to indicate that the module has already been imported, or cleared to indicate that it has not been imported.

Step 8 In the Operation to Perform field, select one of the following:

Import—ANM is to import the ACE module configuration. Skip to Step 9.

Perform initial setup and import—Allows you to manually perform the initial setup required for ANM to communicate with the ACE module, and then imports the ACE module configuration. Skip to Step 10.


Note We recommend you select this option for ACE modules configured only with factory defaults.


Step 9 If you select Import, enter the following information:

a. In the Admin Context IP field, enter the IP address to use for this module.

b. In the Username field, enter the username for accessing this module.

c. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field.

d. Skip to Step 11.

Step 10 If you select Perform initial setup and import, enter the following information:

a. In the Hostname field, enter a unique name for this module. Valid entries are alphanumeric strings with no spaces and a maximum of 32 characters.

b. In the Admin Context IP field, enter the IP address for this module.

c. In the Netmask field, select from the pulldown menu the subnet mask to apply to this IP address.

d. In the Gateway field, enter the IP address of the gateway router to use.

e. In the VLAN field, select the VLAN to which this module belongs.

Step 11 Specify whether the ACE blade is configured with the factory default admin credentials (admin/admin):

If you have changed the default admin credentials, enter the new device credentials in the Username and Password fields.

If you have not changed the default admin credentials (admin/admin), enter new admin credentials in the Username and Password fields, and ANM will configure the credentials on the ACE.


Note For security reasons, we recommend that you change the username and password on your ACE devices (and modules) after you import them. Security on the ACE module can be compromised because the administrative username and password are configured to be the same for every ACE module shipped from Cisco Systems. See the "Changing ACE Module Passwords" procedure.


Step 12 Click:

OK to save your entries and to continue with device configuration. A progress bar reports status and the Device configuration screen appears.

Cancel to exit the procedure without importing ACE modules and to return to the All Devices table.


Note Clicking Cancel in this screen does not cancel the chassis importing process.


Step 13 To confirm that the virtual contexts on the ACE were successfully imported into ANM:

a. Select Config > Devices. The device tree appears.

b. In the device tree, select the ACE you just imported. The Virtual Contexts table appears, listing the contexts for that device.

c. Confirm that the contexts imported successfully:

If OK appears in the Config Status column, it means that the context imported successfully.

If Import Failed appears in the Config Status column, it means that the context did not import successfully.

d. To synchronize the configurations for the context import that failed, select the context, then click Sync. ANM will synchronize the context by uploading it from the ACE device.

For more information on synchronizing virtual contexts, see the "Creating Virtual Contexts" procedure on page 3-2.


Note If you receive authentication errors or incorrect username/password errors when trying to import ACE devices, refer to the ACE documentation regarding username and password settings and limitations.



Adding ACE Modules to ANM

You can import ACE modules into the ANM database at any time after chassis or routers have been imported.

Before You Begin

1. The time needed to import ACE modules depends on the number of modules and contexts that you are importing. For example, an ACE module with 20 virtual contexts takes longer than an ACE module with 5 contexts. While ANM imports the module, you cannot perform other activities in the same session. You can, however, establish a new session with the ANM server and perform activities on other devices, modules, or virtual contexts.

2. If you receive authentication errors or incorrect username/password errors when trying to import ACE devices, refer to the ACE documentation regarding username and password settings and limitations.

3. If you physically replace an ACE module in a chassis, you need to synchronize the chassis in ANM. We recommend you start by adjusting syslog settings to facilitate the ANM auto sync process as described in Enabling Syslog Messages from the ACE.

Assumptions

You have imported at least one device containing ACE modules into the ANM database.

The module to be imported has booted successfully and is in OK/Pass state. To check the module state, run the show module Supervisor IOS CLI command.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the device containing the ACE module you want to import, then click Modules. The Modules table appears.

Step 3 Select the module you want to import, then click Import. The Modules configuration screen appears.

Step 4 In the Card Slot field, confirm that the correct module appears.

Step 5 In the Card Type field, confirm that the correct version appears.

Step 6 In the Operation to Perform field, select the import option:

Import—ANM is to import the ACE module configuration. Skip to Step 7.

Perform initial setup and import—ANM is to provide the ACE module with a prediscovery configuration file and then import the ACE module configuration.

Select this option only if the ACE module has never been configured before.

Specify whether the ACE blade is configured with the factory default admin credentials (admin/admin):

If you have changed the default admin credentials, enter the new device credentials in the Username and Password fields.

If you have not changed the default admin credentials (admin/admin), enter new admin credentials in the Username and Password fields, and ANM will configure the credentials on the ACE.

Skip to Step 8.

Step 7 If you select Import, enter the following information:

a. In the Admin Context IP field, enter the IP address to use for this module.

b. In the Username field, enter the username for accessing this module.

c. In the Password field, enter the password for accessing this module.


Note For security reasons, we recommend that you change the username and password on your ACE modules after you import them. Security on the ACE module can be compromised because the administrative username and password are configured to be the same for every ACE module shipped from Cisco Systems. See the "Changing ACE Module Passwords" procedure.


Step 8 If you chose Perform Initial Setup And Import, enter the following information:

a. In the Hostname field, enter a unique name for the module. Valid entries are alphanumeric strings with no spaces and a maximum of 32 characters.

b. In the Admin Context IP field, enter the IP address for the module.

c. In the Netmask field, select from the pulldown menu the subnet mask to apply to the IP address.

d. In the Gateway field, enter the IP address of the gateway router.

e. In the VLAN field, select the VLAN to which the module belongs.

Step 9 Click:

OK to save your entries. A progress bar reports status and the Modules table refreshes with updated information.

Cancel to exit the procedure without importing the module and to return to the Modules table.

Step 10 To confirm that the virtual contexts on the module were successfully imported into ANM:

a. Select Config > Devices. The device tree appears.

b. In the device tree, select the module you just imported. The Virtual Contexts table appears, listing the contexts for that module.

c. Confirm that the contexts imported successfully:

If OK appears in the Config Status column, it means that the context imported successfully.

If Import Failed appears in the Config Status column, it means that the context did not import successfully.

d. To synchronize the configurations for the context import that failed, select the context, then click Sync. ANM will synchronize the context by uploading it from the module.

For more information on synchronizing virtual contexts, see the "Creating Virtual Contexts" procedure on page 3-2.


Importing Cisco Content Switching Module (CSM) Devices

You can import CSM devices into the ANM database at any time after chassis or routers have been imported.


Note ANM assigns the device type CSM to both CSM and CSM-S devices. This assignment has to do with how ANM collects and assigns the information it receives from the device and does not affect functionality. To differentiate between these devices, see the description information in the user interface.


Use this procedure to import CSM devices into the ANM database independently of the discovery process.

Assumption

You have imported at least one device containing a CSM into the ANM database.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the device containing the CSM that you want to import, then click Modules. The Modules table appears.

Step 3 Select the CSM that you want to import, then click Import. The Modules configuration screen appears.

Step 4 Verify that the information is correct in the following read-only fields:

Card Slot—The slot in the chassis in which the module resides.

Card Type—The device type; in this instance, CSM.

Module has been imported into ANM—The check box is selected to indicate that the module has already been imported or cleared to indicate that it has not been imported.

Step 5 In the Operation to Perform field, select Import.

Step 6 Click:

OK to save your entries. A progress bar reports status and the Modules table refreshes with updated information.

Cancel to exit the procedure without importing the device and to return to the Modules table.


Importing Cisco Global Site Selector (GSS) Devices

Global Site Selectors work together in a GSS network to provide distributed and redundant GSLB DNS services. You accomplish the creation of GSLB DNS services by first performing a basic configuration of each individual device, and then accessing the primary Global Site Selector Manager (GSSM) to manage the centralized and shared GSLB configuration.

Please keep in mind the following operational notes as you import GSS devices into ANM:

You only need to import the primary GSSM into ANM—You are not required or permitted to add either the standby GSSM or a GSS device. ANM communicates only with the primary GSSM for activation and suspension of DNS rules and VIP answers, and for collecting statistics.

GSS UI and CLI must have matching passwords—The username configured while adding a GSS device to ANM must be configured on both the GSS GUI and the GSS CLI with the same password.

Communication between ANM and the primary GSSM is accomplished using GSS Communication Ethernet Interface—This is the interface used for internal communication between the primary GSSM and the other GSS devices in the GSS cluster.

Use this procedure to import GSS devices into the ANM database. Terminal length settings will be set to 0 during import, sync up, and background polling. The terminal length settings you had before import, sync up, and background polling are performed will not be preserved.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the Add button. The New Device page appears.

Step 3 Configure the device using the information in Table 2-3.

Table 2-3 GSS Configuration Options 

Field
Description

Name

The name assigned to the device.

Model

Pull down menu from which you can select GSS.

Primary IP Address

This is a read-only field with the device IP address.

User Name

This field displays any other GSS devices that have been imported into the ANM database.

Password

Allows you to specify a password for this user account (configurable, based on minimum and maximum values defined).

Enable Password

This field appears for Cisco Catalyst chassis, 7600 series routers, CSS, and GSS devices to provide an extra level of security.


Note When a GSS is configured with remote authorization using the enable command in the user privilege, the enable password is not used.


Description

Enter a brief description for this device.


Step 4 Click:

OK to save your entries. A progress bar reports status and the Modules table refreshes with updated information.

Cancel to exit the procedure without importing the device and to return to the Modules table.


Related Topic

GSS Firewall Deployment Overview

GSS Firewall Deployment Overview

When you configure your GSS for deployment behind a firewall, you must allow DNS traffic into the device. If you have multiple GSS devices deployed so that traffic between the devices must pass through a firewall, configure the firewall to allow inter-GSS communications and inter-GSS status reporting. Depending on your GSS configuration, you can also allow other traffic to pass through the firewall. This requirement depends on your GSS configuration (for example, if you are using TCP-based or KAL-AP keepalives) and the ability to access certain GSS services through the firewall (for example, SNMP).

The GSS does not support deployment of devices behind a NAT for inter-GSS communication. The communication between the GSS devices cannot include an intermediate device behind a NAT because the actual IP address of the devices is embedded in the payload of the packets. For more information consult your GSS documentation.

Table 2-4 lists the TCP ports that are used by ANM to communicate with GSS.

Table 2-4 TCP Ports Used by ANM for GSS 

Port    Description
22      SSH
2001    Java RMI
3009    Secure RMI


Enabling Syslog Messages from the ACE

Setting auto sync to occur upon receipt of a syslog message from devices allows a faster, more streamlined synchronization process between ANM and any out-of-band configuration changes. Rather than waiting for the default polling period, ANM syncs when a syslog message is received if Setup Syslog for Autosync is enabled.

Use this procedure to have ANM receive syslog messages for a virtual context.


Note GSS devices are not supported for Autosync.


Procedure


Step 1 Select Config > Devices > Setup Syslog for Autosync. The Setup Syslog for Autosync screen appears.

Step 2 Select either All VC or the ACE with the virtual context configuration for which you want to receive Autosync syslog messages. A progress bar window appears.

A check box with a check mark appears in the Setup Syslog for Autosync? column for each virtual context and ACE device you selected.

Step 3 Click the Setup Syslog button.

The following CLI commands are sent to the enabled devices:

logging enable

logging trap 2

logging device-id string <ACE-Ip>/Admin

logging host <ANM-Ip> udp/514

logging message 111008 level 2
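The commands above make each ACE send message 111008 at level 2 to UDP port 514 on ANM, tagged with a device-id string. The following is an added example, not ANM's own code, of receiver-side filtering that accepts only those messages from managed contexts and coalesces bursts into one sync. The syslog line layout, the `<ACE-Ip>/<context>` form for non-Admin contexts, the assumption that the UDP source address equals the ACE IP, and all function names are assumptions; the sample datagrams are constructed.

```python
"""Filter syslog datagrams down to the ones that should trigger a configuration sync."""
import re

AUTOSYNC_MSG_ID = "111008"  # raised to level 2 by "logging message 111008 level 2"
AUTOSYNC_MAX_LEVEL = 2      # "logging trap 2" forwards severities 0-2 only

# Assumed layout: "<pri>timestamp <ACE-Ip>/<context> : %ACE-<level>-<msgid>: text"
MESSAGE = re.compile(r"%ACE-(\d)-(\d{6}):")
DEVICE_ID = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})/([A-Za-z0-9_-]+)")


def autosync_target(source_ip, text, managed):
    """Return (ace_ip, context) if the datagram is a valid sync trigger, else None."""
    msg = MESSAGE.search(text)
    if not msg or msg.group(2) != AUTOSYNC_MSG_ID:
        return None  # some other message: not a sync trigger
    if int(msg.group(1)) > AUTOSYNC_MAX_LEVEL:
        return None  # severity the configured trap level would not forward
    dev = DEVICE_ID.search(text[:msg.start()])
    if not dev:
        return None  # no device-id string in front of the message
    target = (dev.group(1), dev.group(2))
    if target not in managed:
        return None  # device or context that was never set up for autosync
    if source_ip != target[0]:
        # Consistency check only: UDP syslog is unauthenticated, so a match
        # does not prove origin. The message is a hint to go and sync.
        return None
    return target


def plan_syncs(datagrams, managed, quiet_seconds=5.0):
    """Turn (timestamp, source_ip, text) datagrams, sorted by time, into sync triggers.

    A target is synced at most once per quiet_seconds so that a burst of
    messages from one configuration session does not cause a sync storm.
    """
    last_sync = {}
    plan = []
    for ts, source_ip, text in datagrams:
        target = autosync_target(source_ip, text, managed)
        if target is None:
            continue
        if target in last_sync and ts - last_sync[target] < quiet_seconds:
            continue
        last_sync[target] = ts
        plan.append((ts, target[0], target[1]))
    return plan


# Constructed sample data (not captured from a real ACE).
MANAGED = {("192.168.11.5", "Admin"), ("192.168.11.6", "web")}
SAMPLE_DATAGRAMS = [
    (0.0, "192.168.11.5", "<146>Jan 05 10:00:00 192.168.11.5/Admin : %ACE-2-111008: User 'admin' executed a command"),
    (1.0, "192.168.11.5", "<146>Jan 05 10:00:01 192.168.11.5/Admin : %ACE-2-111008: User 'admin' executed a command"),
    (2.0, "192.168.50.9", "<146>Jan 05 10:00:02 192.168.11.5/Admin : %ACE-2-111008: User 'admin' executed a command"),
    (3.0, "192.168.11.5", "<146>Jan 05 10:00:03 192.168.11.5/Admin : %ACE-2-999999: unrelated constructed message"),
    (4.0, "192.168.11.5", "<146>Jan 05 10:00:04 192.168.11.5/lab : %ACE-2-111008: User 'admin' executed a command"),
    (10.0, "192.168.11.6", "<146>Jan 05 10:00:10 192.168.11.6/web : %ACE-2-111008: User 'ops' executed a command"),
    (12.0, "192.168.11.5", "<146>Jan 05 10:00:12 192.168.11.5/Admin : %ACE-2-111008: User 'admin' executed a command"),
]

if __name__ == "__main__":
    for ts, ip, context in plan_syncs(SAMPLE_DATAGRAMS, MANAGED):
        print(f"t={ts:>5}: sync {ip}/{context}")
```

Because a sender on the path to UDP port 514 can forge both the device-id string and the source address, the filter only decides when to sync; the sync itself should still run over the authenticated management session.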


Discovering Large Numbers of Devices

Discovering and importing chassis and ACEs into the ANM database involves:

1. Preparing devices for discovery. This involves enabling SSH and XML over HTTPS and adding device credentials. See Preparing Devices for IP Discovery.

2. Discovering devices residing on your network. The ANM uses SSH, XML over HTTPS, and Telnet to discover its supported devices. When you run IP Discovery you locate IP addresses of ACE chassis and appliances. See Running Discovery to Identify Devices.

After discovery, devices do not appear in the Devices table until device import is completed. To import a specific chassis into the ANM database, you need to enter IP and credentials information for the chassis and then import it and any associated modules. While this discovery method requires you to add more information initially, it provides more control over the discovery process.

3. Importing the device information into the ANM database to add the device into the Devices table. See Adding Network Devices into ANM.

4. After importing devices, you can add ACE Modules into the ANM database. See Adding ACE Modules to ANM or Importing Cisco Content Switching Module (CSM) Devices.

5. After you start a discovery job, you can monitor its status. See Monitoring Device Discovery Status.

ANM offers multiple ways to accomplish some of these steps. For example, you can either run a discovery job to identify the available chassis, then select the ones to import, or you can import a specific chassis into the ANM database.

To add a chassis without running discovery, see Adding Devices to ANM.

See the Supported Devices Table for the Cisco Application Networking Manager 1.2 for device specifics.

Related Topics

Configuring Device Access Credentials

Running Discovery to Identify Devices

Monitoring Device Discovery Status

Adding Network Devices into ANM


Preparing Devices for IP Discovery

ANM communicates with network devices through SSH and Telnet during IP discovery. In order to use IP discovery, you must set up your devices to allow ANM to collect device data (for example, you need to enter network credentials before running discovery).


Caution IP discovery sends unencrypted credentials (Telnet and SNMP) to all devices on the specified subnet that respond to the associated ports. This is a potential security risk because, in essence, credentials are broadcast out to one or more networks. Discovery may also find devices that cannot be imported or be unable to find devices that could be imported.

Perform all of the following steps to set up your devices for IP discovery:

Enabling SSH or Telnet Access on Cisco Catalyst 6K and 7600 Chassis

Enabling SSH Access and HTTPS Interface on ACE Module and ACE Appliance

Configuring Device Access Credentials

Modifying Credential Pools

Related Topics

Running Discovery to Identify Devices

Adding Network Devices into ANM

Discovering Large Numbers of Devices

Configuring Device Access Credentials

Use this procedure to add device credentials to the ANM before running IP discovery.

Procedure


Step 1 Select Config > Tools > Credential Pool Management. The New Credential Pool screen appears.

Step 2 In the Name field, enter the name of the new credential pool.

Step 3 Click Save to save this entry and to proceed with credentials configuration. The configuration screen appears.

Step 4 Set Telnet credentials:

a. Select Configuration > Telnet Credentials. The Telnet Credentials table appears.

b. Click Add to add a set of credentials to this credential pool, or select an existing set of credentials, then click Edit to modify it.

c. Enter the credentials (see Table 2-5).

Table 2-5 Telnet Credentials 

Field
Description

IP Address

Enter a specific IP address in dotted-decimal notation or use an asterisk (*) as a wildcard character to identify a number of devices, such as 192.168.11.*.

Username

Enter the Telnet username for the specified devices.

Password

Enter the Telnet password for the specified devices.

Confirm

Reenter the Telnet password.

Enable Password

Enter the Telnet enable password for the specified devices. ANM uses this password during the Cisco Catalyst chassis import process.

Confirm

Reenter the Telnet enable password.


d. Click:

OK to save your entries and to return to the Telnet Credentials table.

Cancel to exit this procedure without saving your entries and to return to the Telnet Credentials table.

Next to deploy your entries and to add another set of Telnet credentials.

Step 5 Set SNMP credentials:

a. Select Configuration > SNMP Credentials. The SNMP Credentials table appears.

b. Click Add to add a set of credentials to this credential pool, or select an existing set of credentials, then click Edit to modify it.

c. Enter the SNMP credentials (see Table 2-6).

Table 2-6 SNMP Credentials 

Field
Description

IP Address

Enter either a specific IP address in dotted-decimal notation or use an asterisk (*) as a wildcard character to identify a number of devices, such as 192.168.11.*.

Model

Ensure that the default version of SNMP is selected for this credential pool. SNMPV2 indicates that SNMP version 2 is to be used for this credential pool for the specified devices.

RO Community

Enter the SNMP read-only string for the specified devices. This entry is case sensitive.

Timeout

Enter the time, in seconds, that the ANM is to wait for a response from a device before performing the first retry.

Retries

Enter the number of times that the ANM is to attempt to communicate with a device before declaring that the device has timed out.


Step 6 Click:

OK to save your entries and to return to the SNMP Credentials table.

Cancel to exit without saving your entries and to return to the SNMP Credentials table.

Next to deploy your entries and to configure another set of SNMP credentials.


After establishing the Telnet and SNMP credentials, you are ready to run discovery. See Running Discovery to Identify Devices.

Related Topics

Running Discovery to Identify Devices

Configuring Device Access Credentials

Discovering Large Numbers of Devices

Modifying Credential Pools

Use this procedure to modify existing Telnet or SNMP credentials.

Procedure


Step 1 Select Config > Tools > Credential Pool Management. The Credential Pools configuration screen appears.

Step 2 Select the credential pool you want to modify. The Edit Credential Pool configuration screen appears.

Step 3 Click Edit.

Step 4 To modify the existing Telnet credentials:

a. Select Configuration > Telnet Credentials. The Telnet Credentials table appears.

b. Click Add to add a set of credentials to this credential pool, or select an existing set of credentials, then click Edit to modify it.

c. Enter the Telnet credentials (see Table 2-5).

d. Click:

OK to save your entries and to return to the Telnet Credentials table.

Cancel to exit this procedure without saving your entries and to return to the Telnet Credentials table.

Next to deploy your entries and to add another set of Telnet credentials.

Step 5 To modify the existing SNMP credentials:

a. Select Configuration > SNMP Credentials. The SNMP Credentials table appears.

b. Click Add to add a set of credentials to this credential pool, or select an existing set of credentials, then click Edit to modify it.

c. Enter the SNMP credentials (see Table 2-6).

d. Click:

OK to save your entries and to return to the SNMP Credentials table.

Cancel to exit without saving your entries and to return to the SNMP Credentials table.

Next to deploy your entries and to configure another set of SNMP credentials.


Related Topics

Running Discovery to Identify Devices

Configuring Device Access Credentials

Discovering Large Numbers of Devices

Running Discovery to Identify Devices

You can run IP discovery to locate IP addresses of ACE chassis and appliances.

After establishing Telnet and SNMP credentials (see Configuring Device Access Credentials), use this procedure to identify chassis and ACEs on your network.


Caution IP discovery sends unencrypted credentials (Telnet and SNMP) to all devices on the specified subnet that respond to the associated ports. This is a potential security risk because, in essence, credentials are broadcast out to one or more networks. Discovery may also find devices that cannot be imported or be unable to find devices that could be imported.

Before You Begin

For this procedure you need:

An IP address for the discovery process.

The applicable subnet mask.

Valid credentials for this discovery (see Configuring Device Access Credentials).

Devices with SSH enabled (see Preparing Devices for IP Discovery).

Procedure


Step 1 Select Config > Tools > IP Discovery. The Discovery Jobs table appears.


Tip If you already know the IP address of your devices, use the Config > Devices > Add function. See Adding Network Devices into ANM.


Step 2 To create a discovery job, click Add. The Discovery Jobs screen appears.

Step 3 In the IP Address field, enter the IP address of a specific device in dotted-decimal notation such as 192.168.11.1.

Step 4 In the Netmask field, select the subnet mask to be used. When you specify a subnet mask, the discovery process discovers all devices in the range of the IP address and its subnet mask. The default netmask is 255.255.255.0.


Note Select a higher subnet mask only if you are certain that it is appropriate for your network and you understand the impact. If you select the subnet mask for a class A or class B network, the discovery process becomes extensive and can take a substantial amount of time to complete.


Step 5 In the Credential Pool field, select the credential pool to be used for this discovery.

Step 6 Click Discover to run discovery now or Cancel to exit this procedure without running discovery.

When you run discovery, the Discovery Jobs table reflects the state of the discovery as it runs. The amount of time to finish a discovery job depends on the size of your network and network activity.

If necessary, click Stop to stop the discovery process. When the process has stopped, the Discovery Jobs table lists the discovery job with the state Aborted.


Tip Click Refresh during discovery to see the number of devices found as discovery progresses.


Step 7 Continue with either of the following:

Viewing discovery status (see Monitoring Device Discovery Status).

Importing an ACE appliance into the ANM (see Adding Network Devices into ANM).
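The Caution above and the Note on wide subnet masks both come down to how many addresses a job offers credentials to. The following is an added example, not part of ANM, that computes that number for a job's IP address and netmask against a credential pool's wildcard entries and an inventory of known devices. It assumes a credential is offered to every address in the range that matches its IP Address pattern, counts every address in the block (an upper bound), and uses hypothetical function names and constructed sample data.

```python
"""Estimate which addresses an IP discovery job would offer each credential to."""
import ipaddress
from math import prod


def parse_pattern(pattern):
    """Split a credential 'IP Address' entry such as 192.168.11.* into four octets.

    Returns a list of ints (0-255), with None standing for the '*' wildcard.
    """
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-decimal pattern: {pattern!r}")
    octets = []
    for part in parts:
        if part == "*":
            octets.append(None)
        elif part.isascii() and part.isdigit() and int(part) <= 255:
            octets.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in {pattern!r}")
    return octets


def discovery_range(ip, netmask):
    """Network swept by a job defined by one device IP and a subnet mask."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def count_matches(pattern, network):
    """Count addresses in the network that match the pattern, without enumerating.

    A CIDR block is the Cartesian product of one value range per octet, so the
    count is the product of the per-octet match counts (works for a /8 as well).
    """
    bounds = zip(network.network_address.packed, network.broadcast_address.packed)
    return prod(
        (hi - lo + 1) if want is None else int(lo <= want <= hi)
        for want, (lo, hi) in zip(parse_pattern(pattern), bounds)
    )


def matches(pattern, address):
    """True if a single address matches the wildcard pattern."""
    octets = ipaddress.ip_address(address).packed
    return all(w is None or w == got for w, got in zip(parse_pattern(pattern), octets))


def exposure(ip, netmask, pool, inventory):
    """Per credential: addresses offered it, and how many are not in the inventory."""
    network = discovery_range(ip, netmask)
    known = [a for a in set(inventory) if ipaddress.ip_address(a) in network]
    report = []
    for entry in pool:
        offered = count_matches(entry["ip"], network)
        inventoried = sum(matches(entry["ip"], a) for a in known)
        report.append({
            "kind": entry["kind"],
            "pattern": entry["ip"],
            "offered_to": offered,
            "inventoried": inventoried,
            "uninventoried": offered - inventoried,
        })
    return {"range": str(network), "addresses": network.num_addresses, "credentials": report}


# Constructed sample data: one Telnet and one SNMP entry, three known devices.
SAMPLE_POOL = [
    {"kind": "telnet", "ip": "192.168.11.*"},
    {"kind": "snmp", "ip": "192.168.*.*"},
]
SAMPLE_INVENTORY = {"192.168.11.10", "192.168.11.20", "192.168.12.5"}

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        result = exposure("192.168.11.1", mask, SAMPLE_POOL, SAMPLE_INVENTORY)
        print(result["range"], "addresses:", result["addresses"])
        for cred in result["credentials"]:
            print("  {kind:6} {pattern:14} offered_to={offered_to} "
                  "uninventoried={uninventoried}".format(**cred))
```

Running it with the default netmask and then with 255.255.0.0 shows the SNMP read-only community going from 256 candidate addresses to 65536, almost all of them absent from the inventory.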


Related Topics

Creating Virtual Contexts, page 3-2

Adding and Managing Devices

Using Configuration Building Blocks, page 13-1

Monitoring Device Discovery Status

Use this procedure to view device discovery status after starting a discovery job.

Procedure


Step 1 Click Config > Tools > IP Discovery. The Discovery Jobs table appears with the following information for each discovery job:

IP address

Subnet mask

Start time in the format hh:mm:ss.nnn

End time, if available, in the format hh:mm:ss.nnn

Credential pool being used

State of the discovery job, such as Running or Completed

Number of devices found

Step 2 Locate your discovery job to see its current status.

If necessary, click Stop to stop the discovery process. When the process has stopped, the Discovery Jobs table lists the discovery job with the state Aborted.

Step 3 When discovery is complete, select the discovery job in the table. A list of the discovered devices appears below the Discovery Jobs table.

You can now populate the ANM with chassis and ACEs. See Adding Network Devices into ANM.


Related Topics

Adding Network Devices into ANM

Running Discovery to Identify Devices

Device Import Overview

Configuring Devices

The Modules table (Config > Devices > All Devices > chassis > Modules) offers the following options:

Adding ACE Modules to ANM

Changing ACE Module Passwords

Removing Modules from the ANM Database

Synchronizing Module Configurations

After importing a device, you can configure it. The configuration options available depend on the type of device:

For ACE appliances and modules, see Configuring Virtual Contexts, page 3-1.

For CSM devices, you can configure primary attributes. See Configuring CSM Primary Attributes.

For CSS devices, you can configure primary attributes. See Configuring CSS Primary Attributes.

For GSS devices, you can configure primary attributes. See Configuring GSS Primary Attributes.

For Cisco Catalyst chassis and 7600 series routers, you can configure a number of options, grouped by configuration subset, as described in Table 2-7.


Note The ANM does not detect changes made to chassis via the CLI. Be sure to synchronize chassis configurations whenever chassis configuration has been modified via the CLI.


 

Table 2-7 Cisco Catalyst Chassis and 7600 Series Router Configuration Options 

Configuration Subset
Description
Related Topics

System

The System configuration subset allows you to configure primary attributes and static routes.

Configuring Cisco Catalyst Chassis and 7600 Series Router Primary Attributes

Configuring Device Static Routes

Interfaces

The Interfaces configuration subset lets you configure access ports, trunk ports, switch virtual interfaces, and routed ports for the device.

Configuring Access Ports

Configuring Trunk Ports

Configuring Switch Virtual Interfaces

Configuring Routed Ports

VLANs

The VLANs configuration subset lets you configure Layer 2 VLANs, Layer 3 VLANs, and VLAN groups.

VLAN group attributes allow you to establish groups of VLANs on a Cisco Catalyst supervisor module so that the group can be assigned to an ACE which can then receive traffic from the supervisor module.

Viewing All Device VLANs

Configuring Device Layer 2 VLANs

Configuring Device Layer 3 VLANs

Creating VLAN Groups


Configuring CSM Primary Attributes

Use this procedure to configure primary attributes for CSM devices.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the CSM you want to configure, then select System > Primary Attributes. The Primary Attributes screen appears with information about the device.

Step 3 In the Description field, enter a brief description of the module.

Step 4 The Redundant Device field displays any other CSM devices that have been imported into the ANM database.

Select another CSM for high availability pairing.

Step 5 Click Deploy Now to deploy this configuration.

To exit this procedure without deploying your entries, select another device in the device tree or in the object selector above the configuration pane.


Related Topics

Configuring Devices

Adding ACE Modules to ANM

Configuring CSS Primary Attributes

Use this procedure to configure primary attributes for CSS devices.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the CSS you want to configure, then select System > Primary Attributes. The Primary Attributes screen appears with information about the device.

Step 3 Configure the device using the information in Table 2-8.

Table 2-8 CSS Primary Attributes Configuration Options 

Field
Description

Description

Enter a brief description for this device.

IP Address

This is a read-only field with the device IP address.

Redundant Device

This field displays any other CSS devices that have been imported into the ANM database.

Select another CSS for high availability pairing.

SNMP V2C Enabled

Select this check box to enable SNMP version 2C access. Clear the check box to disable this feature.

If you enable this feature, in the SNMP Trap Community string field, enter the SNMP community string.

SNMP V3 Enabled

Select this check box to enable SNMP Version 3 access. Clear the check box to disable this feature.

If you enable this feature:

1. In the SNMP V3 Username field, enter the SNMP username.

2. In the SNMP V3 Mode field, select the level of security to be used when accessing the chassis:

NoAuthNoPriv—SNMP uses neither authentication nor encryption in its communications.

AuthNoPriv—SNMP uses authentication, but the data is not encrypted.

3. If you select AuthNoPriv:

a. In the SNMP V3 Auth Proto field, select MD5 or DES to specify the authentication mechanism.

b. In the SNMP V3 Auth Pass field, enter the user authentication password. Valid entries are unquoted text strings with no spaces and a maximum of 130 characters.

c. In the Confirm field, reenter the user authentication password.


Step 4 Click Deploy Now to deploy this configuration.

To exit this procedure without deploying your entries, select another device in the device tree or in the object selector above the configuration pane.


Related Topics

Configuring Devices

Adding Network Devices into ANM

Configuring GSS Primary Attributes

Use this procedure to configure primary attributes for Cisco Global Site Selector devices.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the GSS you want to configure, then select System > Primary Attributes. The Primary Attributes screen appears with information about the device.

Step 3 Configure the device using the information in Table 2-9.

Table 2-9 GSS Primary Attributes Configuration Options 

Field
Description

Description

Enter a brief description for this device.

Device Type

This is a read-only field that shows the device type, in this case GSS, in gray.

IP Address

Device IP address.


Step 4 Go to:

Step 5 to update IP address and/or password for the GSS on the ANM server only,

or

Step 6 to complete GSS Primary Attributes configuration.

Step 5 (Optional) To update IP address and/or password for the GSS on the ANM server only, click the Update IP Address/Password button.


Note The password changes are for ANM server only. The Password/Enable password on the device will not be changed.


Step 6 Enter new credentials using the information in Table 2-10.

Table 2-10 GSS Change IP Address and Password Options 

Field
Description

Old Primary IP Address

Read only field displaying the device IP address.

New Primary IP Address

IP address you wish to have GSS associated with on the server.

Update

Radio buttons allowing you to choose to update either or both the password and enable passwords.

New Password

Enter the new password.

Confirm New Password

Reenter the new password.

Password

Enter the new enable password.

New Enable Password

Reenter the new enable password.


Step 7 Click:

OK to save any changes made to GSS server IP address or password if changed and save to the ANM server

or

Cancel

You will be returned to the Primary Attributes Page.

Step 8 Click one of the following:

Next to save any changes made to device description or password if changed and save to the ANM server. You will be returned to the Primary Attributes Page.

or

Another device in the device tree or in the object selector above the configuration pane.


Related Topics

Configuring Devices

Adding Devices to ANM

Adding Network Devices into ANM

Configuring Cisco Catalyst Chassis and 7600 Series Router Primary Attributes

Use this procedure to configure primary attributes for Cisco Catalyst chassis and 7600 series routers.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure, then select System > Primary Attributes. The Primary Attributes screen appears with information about the chassis.

Most of the information is read directly from the device during the import process and cannot be changed using the ANM interface. You can, however, add a description and configure the device for SNMP V2 or SNMP V3 access.

Step 3 In the Description field, enter a brief description for the device.

Step 4 To enable SNMP Version 2C access:

a. Select the SNMP V2C Enabled check box.

b. In the SNMP Trap Community string field, enter the SNMP community string.

Step 5 Click Deploy Now to save your entries and to return to the All Devices table.


Related Topics

Viewing and Configuring Device Interfaces

Viewing Modules by Chassis

Managing Device VLANs

Configuring Device Static Routes

While interfaces can be shared across contexts, the ACE supports only static routes for virtual contexts. Use this procedure to configure static routes for Cisco Catalyst chassis and 7600 series routers.


Note After a device static route has been created, you can modify only its administrative distance.


Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure, then select System > Static Routes. The Static Routes table appears.

Step 3 Click Add to configure a new static route for the device, or select an existing static route, then click Edit to modify it. The Static Routes configuration screen appears.

Step 4 In the Destination Prefix field, enter the IP address for the route. The address you specify for the static route is the address that is in the packet before entering the ACE and performing network address translation.

Step 5 In the Destination Prefix Mask field, select the subnet for the static route.

Step 6 In the Next Hop field, enter the IP address of the gateway router for the route. The gateway address must be on the same network as a VLAN interface for the device.

Step 7 In the Admin Distance field, enter the administrative distance value of the route.

Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination. Administrative distance is a measure of the trustworthiness of the source of the routing information.

The lower the administrative distance value, the more reliable the protocol. Valid entries are integers from 0 to 255, with lower numbers indicating greater reliability. For example, a static route has an administrative distance value of 1 while an unknown protocol has an administrative distance value of 255.

Table 2-11 lists default distance values of the protocols that Cisco supports.

Table 2-11 Cisco Default Distance Value Table 

Route Source                                                        Administrative Distance Value
Connected interface                                                 0
Static route                                                        1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route    5
External Border Gateway Protocol (BGP)                              20
Internal EIGRP                                                      90
IGRP                                                                100
OSPF (Open Shortest Path First)                                     110
Intermediate System-to-Intermediate System (IS-IS)                  115
Routing Information Protocol (RIP)                                  120
Exterior Gateway Protocol (EGP)                                     140
On-Demand Routing (ODR)                                             160
External EIGRP                                                      170
Internal BGP                                                        200
Unknown                                                             255


Step 8 Click:

Deploy Now to implement this configuration and to return to the Static Route table.

Cancel to exit the procedure without saving your entries and to return to the Static Route table.

Next to deploy your entries and to add another static route.


Related Topics

Managing Device VLANs

Viewing All Device VLANs

Adding and Managing Devices

Viewing and Configuring Device Interfaces

Use this procedure to view a list of interfaces on a selected Cisco Catalyst chassis or 7600 series router and to configure a few high-level attributes for an interface.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 To view all interfaces on a device, select the device in the device tree, then select Interfaces > Summary. The Interfaces table appears, listing all interfaces on the device and related information:

Interface name

Description, if available

Configured state, such as Up or Down

Current state, if known

Mode of operation, such as Access, Routed, or Trunk

Interface hardware type

Step 3 To configure the high level attributes of an interface, select the interface, then click Edit. The configuration screen appears.

Step 4 Enter the following:

a. In the Description field, enter a brief description of the interface.

b. In the Administrative State field, select Up or Down to indicate whether the port should be up or down.

c. In the Mode field, select the operational mode of the interface: Trunk, Access, or Routed.

d. Click Apply to save your changes or Cancel to exit the procedure without saving your changes. The Interfaces table appears.


Related Topics

Viewing and Configuring Device Interfaces

Configuring Access Ports

Configuring Trunk Ports

Configuring Routed Ports

Configuring Switch Virtual Interfaces

Creating VLAN Groups

Managing Device VLANs

Configuring Access Ports

An access port receives and sends traffic in native formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged), the packet is dropped, and the source address is not learned.

Use this procedure to configure access port attributes on the selected device.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure an access port for, then select Interfaces > Access Ports. The Interfaces table appears.

Step 3 Select the port you want to configure, then click Edit. The Access Ports configuration screen appears.

Step 4 In the Description field, enter a description for the port. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Step 5 In the Administrative State field, select Up or Down to indicate whether the port should be up or down.

Step 6 In the Speed field, either specify the speed at which the interface is to operate or that the interface is to automatically negotiate its speed:

Auto—The interface is to automatically negotiate speed with the connected device.

10 mbps—The interface is to operate at 10 Mbps.

100 mbps—The interface is to operate at 100 Mbps.

1000 mbps—The interface is to operate at 1000 Mbps.

Step 7 In the Duplex Mode field, specify whether the interface is to automatically negotiate its duplex mode or use full- or half-duplex mode:

Auto—The interface is to automatically negotiate duplex mode with the connected device.

Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time.

Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic.

Step 8 In the VLANs field, enter the comma-separated names of the VLANs to which the interface belongs (allowable range is 2-4094).

Step 9 Click:

Apply to save your entries and to return to the Interfaces table.

Cancel to exit the procedure without saving your entries and to return to the Interfaces table.


Related Topics

Configuring Trunk Ports

Configuring Switch Virtual Interfaces

Configuring Routed Ports

Managing Device VLANs

Configuring Trunk Ports

A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. Two types of trunk ports are:

In an Inter-Switch Link (ISL) trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (non-tagged) frames received from an ISL trunk port are dropped.

An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default port VLAN ID or native VLAN, and all untagged traffic travels on the native VLAN. All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the native VLAN. A packet with a VLAN ID equal to the outgoing port native VLAN is sent untagged. All other traffic is sent with a VLAN tag.

Use this procedure to configure trunk ports for the selected device.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure, then select Interfaces > Trunk Ports. The Interfaces table appears.

Step 3 In the Interfaces table, select the port you want to configure, then click Edit. The Trunk Port configuration screen appears.

Step 4 Configure the port using the information in Table 2-12.

Table 2-12 Trunk Port Configuration Attributes

Field
Description

Description

Enter a description for the port. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Administrative State

Select Up or Down to indicate whether the port should be up or down.

Speed

Specify the speed at which the interface is to operate or that the interface is to automatically negotiate its speed:

Auto—The interface is to automatically negotiate speed with the connected device.

10 mbps—The interface is to operate at 10 Mbps.

100 mbps—The interface is to operate at 100 Mbps.

1000 mbps—The interface is to operate at 1000 Mbps.

Duplex Mode

Specify whether the interface is to automatically negotiate its duplex mode or use full- or half-duplex mode:

Auto—The interface is to automatically negotiate duplex mode with the connected device.

Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time.

Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic.

Trunk Mode

Specify how the interface is to interact with neighboring interfaces:

Static—The interface is to enter permanent trunking mode and to negotiate converting a link into a trunk link. The interface becomes a trunk interface even if the neighboring interface does not change.

Dynamic—The interface is to convert a link to a trunk link if the neighboring interface is set to trunk or desirable mode.

Dynamic Desirable—The interface is to actively attempt to convert a link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.

Desired Encapsulation

Select the type of encapsulation to be used on the trunk port:

Dot1Q—The interface is to use 802.1Q encapsulation.

Negotiate—The interface is to negotiate with the neighboring interface to use ISL (Inter-Switch Link) (preferred) or 802.1Q encapsulation, depending on the configuration and capabilities of the neighboring interface.

ISL—The interface is to use ISL encapsulation.

Native VLAN

Select the VLAN to use as the native VLAN for the trunk in 802.1Q trunking mode. VLAN 1 (1) is the default native VLAN.

VLANs

Enter comma-separated names of the VLANs to which the interface belongs (allowable range is 2-4094). You can also enter ranges of VLANs, such as 101-120, 130.

Prune VLANs

Enter comma-separated names of the VLANs that can be pruned (allowable range is 2-4094). VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in this field. Only VLANs included in this field can be pruned. You can also specify ranges of VLANs that can be pruned, such as 75, 121-250, 351.


Step 5 Click:

Apply to save your entries and to return to the Interfaces table.

Cancel to exit the procedure without saving your entries and to return to the Interfaces table.
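
The trunk settings in the table above can be reviewed from the device side after they are deployed. The following Python sketch is an added example, not part of the Cisco guide or of ANM. It assumes that the Static, Dynamic, and Dynamic Desirable modes appear in the device configuration as the IOS commands switchport mode trunk, switchport mode dynamic auto, and switchport mode dynamic desirable, and it applies an assumed review policy (static trunking, a native VLAN other than the default, an explicit VLAN list) to a constructed configuration sample.

```python
import re

# Constructed sample input, not taken from the guide or from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 description uplink to distribution
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101-120,130
 switchport mode trunk
!
interface GigabitEthernet1/2
 switchport
 switchport trunk encapsulation negotiate
 switchport mode dynamic desirable
!
interface GigabitEthernet1/3
 switchport
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/4
 no switchport
 ip address 192.0.2.1 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-command, ...]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        match = re.match(r"interface\s+(\S+)", raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the stanza
    return interfaces


def value_after(lines, prefix):
    """Return the text following the first line that starts with prefix, else None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit_trunk(lines):
    """Return review findings for one interface's sub-commands."""
    mode = value_after(lines, "switchport mode ")
    if "switchport" not in lines or mode == "access":
        return []  # routed or access port: outside this review
    findings = []
    if mode is None:
        findings.append("trunk mode not set explicitly")
    elif mode.startswith("dynamic"):
        findings.append(f"trunking depends on the neighbor (mode {mode})")
    if value_after(lines, "switchport trunk encapsulation ") == "negotiate":
        findings.append("encapsulation is negotiated with the neighbor")
    # The guide states that VLAN 1 is the default native VLAN.
    native = value_after(lines, "switchport trunk native vlan ") or "1"
    if native == "1":
        findings.append("native VLAN is the default (1)")
    if value_after(lines, "switchport trunk allowed vlan ") is None:
        findings.append("no explicit VLAN list on the trunk")
    return findings


def audit_config(config_text):
    """Return {interface: findings} for every interface with at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = audit_trunk(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```
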


Related Topics

Configuring Access Ports

Configuring Switch Virtual Interfaces

Configuring Routed Ports

Managing Device VLANs

Configuring Switch Virtual Interfaces

A VLAN defined on the Multilayer Switch Feature Card (MSFC) is called a switch virtual interface (SVI). If you assign the VLAN used for the SVI to an ACE, then the MSFC routes between the ACE and other Layer 3 VLANs. By default, only one SVI can exist between an MSFC and an ACE. However, for multiple contexts, you might need to configure multiple SVIs for unique VLANs on each context.

Use this procedure to configure SVIs on an MSFC.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure, then select Interfaces > Switched Virtual Interfaces. The Interfaces table appears.

Step 3 In the Interfaces table, click Add to add a new SVI, or select the interface you want to configure, then click Edit. The Switched Virtual Interfaces configuration screen appears.

Step 4 In the VLANs field, specify the VLAN to use in one of the following ways:

To specify a new VLAN, select the first radio button, then enter a new VLAN.

To select an existing VLAN, select the second radio button, then select one of the existing VLANs.


Note You cannot modify a VLAN for an existing SVI.


Step 5 In the Description field, enter a description for the SVI. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Step 6 In the Administrative State field, select Up or Down to indicate whether the SVI should be up or down.

Step 7 In the IP Address field, enter the IP address to be used for the interface on the MSFC in dotted-decimal format.

Step 8 In the Netmask field, select the subnet mask to be used for the IP address.

Step 9 Click:

Apply to save your entries and to return to the Interfaces table.

Cancel to exit the procedure without saving your entries and to return to the Interfaces table.


Related Topics

Configuring Access Ports

Configuring Trunk Ports

Configuring Routed Ports

Managing Device VLANs

Configuring Routed Ports

A routed port is a physical port that acts like a port on a router; however, it does not have to be connected to a router. A routed port is not associated with a particular VLAN, as is an access port. A routed port behaves like a regular router interface, except that it does not support VLAN subinterfaces. Routed ports can be configured with a Layer 3 routing protocol. A routed port is a Layer 3 interface only and does not support Layer 2 protocols, such as DTP and STP.

Use this procedure to configure routed ports.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure, then select Interfaces > Routed Ports. The Interfaces table appears.

Step 3 In the Interfaces table, select the interface you want to configure, then click Edit. The Routed Ports configuration screen appears.

Step 4 In the Description field, enter a description for the interface. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Step 5 In the Administrative State field, select Up or Down to indicate whether the interface should be up or down.

Step 6 In the Speed field, either specify the speed at which the interface is to operate or that the interface is to automatically negotiate its speed:

Auto—The interface is to automatically negotiate speed with the connected device.

10 mbps—The interface is to operate at 10 Mbps.

100 mbps—The interface is to operate at 100 Mbps.

1000 mbps—The interface is to operate at 1000 Mbps.

Step 7 In the Duplex Mode field, specify whether the interface is to automatically negotiate its duplex mode, or use full- or half-duplex mode:

Auto—The interface is to automatically negotiate duplex mode with the connected device.

Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time.

Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic.

Step 8 In the IP Address field, enter the IP address to be used for the interface in dotted-decimal format.

Step 9 In the Netmask field, select the subnet mask to be used for the IP address.

Step 10 Click:

Apply to apply your entries and to return to the Interfaces table.

Cancel to exit the procedure without saving your entries and to return to the Interfaces table.


Related Topics

Configuring Trunk Ports

Configuring Switch Virtual Interfaces

Configuring Access Ports

Managing Device VLANs

Viewing All Ports

Use this procedure to view all configured interfaces on a chassis.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the chassis with the interfaces you want to view, then select Interfaces > Summary. The Interfaces table appears, listing all interfaces on the device and related information:

Interface name

Description, if available

Configured state, such as Up or Down

Current operational state, if known

Mode of operation, such as Access, Routed, or Trunk

Interface hardware type


Related Topics

Configuring Trunk Ports

Configuring Switch Virtual Interfaces

Configuring Access Ports

Managing Device VLANs

Managing Device VLANs

ACE modules do not include any external physical interfaces. Instead, they use internal VLAN interfaces.

The related topics describe how to configure Layer 2 and Layer 3 VLANs on chassis, view all VLANs, and create VLAN groups.

For information about configuring VLANs for use with virtual contexts, see Configuring VLAN Interfaces, page 9-2.

For more information about VLANs and their use with ACE modules, see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide.

Related Topics

Adding Device VLANs

Configuring Device Layer 3 VLANs

Configuring Device Layer 2 VLANs

Viewing All Device VLANs

Creating VLAN Groups

Adding Device VLANs

Use this procedure to add a VLAN to a device, such as a Cisco Catalyst chassis or 7600 series router.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure, then select VLANs > Layer 2 or VLANs > Layer 3. The VLANs table appears.

Step 3 Click Add. The VLAN configuration screen appears.

Step 4 Configure the VLAN using the information in Table 2-13.

Table 2-13 Device VLAN Configuration Attributes 

Field
Description

VLAN

Enter a unique identifier for the VLAN. Valid entries are integers from 2 to 4094.

Name

Enter a name for the VLAN.

Description

Enter a description for the VLAN. Valid entries are unquoted text strings with a maximum of 240 characters including spaces.

Access Ports

Select the desired access ports from the Available Items list, then click Add. To remove a port that you do not want to use, select the port from the Selected Items list, then click Remove.

Trunk Ports

Select the desired trunk ports from the Available Items list, then click Add. To remove a port that you do not want to use, select the port from the Selected Items list, then click Remove.

VTP Domain

Enter the name of the VTP domain to which the VLAN belongs.

A VTP domain is made up of one or more interconnected network devices that share the same VTP domain name. A network device can be configured to be in one and only one VTP domain.

IP Address

This field appears for Layer 3 VLANs only.

Enter the IP address to be used for the VLAN interface. Enter the IP address in dotted-decimal notation, such as 192.168.1.1.

Mask

This field appears for Layer 3 VLANs only.

Select the subnet mask to apply to the IP address.


Step 5 Click:

Apply to apply your entries and to return to the VLAN Management table.

Cancel to exit the procedure without saving your entries and to return to the VLAN Management table.


Related Topics

Configuring Device Layer 2 VLANs

Configuring Device Layer 3 VLANs

Viewing All Device VLANs

Viewing All Device VLANs

Use this procedure to view all configured VLANs on a selected device, such as a Cisco Catalyst chassis.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device with VLANs you want to view, then select VLANs > Summary. The VLANs table appears, listing all VLANs on the selected chassis and related information:

VLAN number

Name given to the VLAN

VLAN type, such as Layer 2 or Layer 3

Number of access ports

Number of trunk ports

VLAN Trunking Protocol (VTP) domain to which the VLAN belongs


Related Topics

Configuring Device Layer 2 VLANs

Configuring Device Layer 3 VLANs

Viewing All Device VLANs

Creating VLAN Groups

Configuring Device Layer 2 VLANs

Use this procedure to add or modify a Layer 2 VLAN on a selected device, such as a Cisco Catalyst chassis.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure a Layer 2 VLAN for, then select VLANs > Layer 2. The VLANs table appears, listing all Layer 2 VLANs associated with the chassis.

Step 3 Click Add to add a new VLAN, or select an existing VLAN, then click Edit to modify it. The VLAN configuration screen appears.

Step 4 Configure the VLAN using the information in Table 2-13.

Step 5 Click:

Apply to apply your entries and to return to the VLAN Management table.

Cancel to exit the procedure without saving your entries and to return to the VLAN Management table.


Related Topics

Managing Device VLANs

Configuring Device Layer 3 VLANs

Viewing All Device VLANs

Creating VLAN Groups

Configuring Device Layer 3 VLANs

Use this procedure to add or modify a Layer 3 VLAN on a selected device, such as a Cisco Catalyst chassis.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to configure a Layer 3 VLAN for, then select VLANs > Layer 3. The VLANs table appears, listing all Layer 3 VLANs associated with the chassis.

Step 3 Click Add to add a new VLAN, or select an existing VLAN, then click Edit to modify it. The VLAN configuration screen appears.

Step 4 Configure the VLAN using the information in Table 2-13.

Step 5 Click:

Apply to apply your entries and to return to the VLAN Management table.

Cancel to exit the procedure without saving your entries and to return to the VLAN Management table.


Related Topics

Using Virtual Contexts, page 3-1

Creating Virtual Contexts, page 3-2

Deleting Virtual Contexts, page 3-68

Modifying Device VLANs

Use this procedure to modify VLANs for a specific device.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device with the VLAN you want to modify, then select VLANs > Layer 2 or VLANs > Layer 3. The VLANs table appears.

Step 3 Select the VLAN you want to modify, then click Edit. The VLAN configuration screen appears.

Step 4 Modify the VLAN configuration, using the information in Table 2-13.

Step 5 Click:

Apply to save your entries and to return to the VLANs table.

Cancel to exit the procedure without saving your entries and to return to the VLANs table.


Related Topics

Adding Device VLANs

Creating VLAN Groups

Managing Device VLANs

Creating VLAN Groups

For an ACE module to receive traffic from the Cisco Catalyst supervisor module, you must create VLAN groups on the supervisor module, then assign the groups to the ACE module. After the VLANs are configured on the supervisor module and assigned to the ACE module, you can configure the VLANs on the ACE module.

You cannot assign the same VLAN to multiple groups; however, you can assign multiple groups to an ACE module. VLANs that you want to assign to multiple ACE modules, for example, can reside in a separate group from VLANs that are unique to each ACE module.

Use this procedure to create VLAN groups and to assign each group to an ACE module.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device you want to create a VLAN group for, then select VLANs > Groups. The Groups table appears.

Step 3 Click Add to add a new VLAN group, or select an existing VLAN group, then click Edit to modify it. The Groups configuration screen appears.

Step 4 In the VLAN Group Id field, enter a unique identifier for the VLAN group. Valid entries are unquoted text strings with no spaces and a maximum of 256 alphanumeric characters.

Step 5 In the Module Slot Numbers field, enter the ACE module you want to associate with the VLAN group. For example, to add ACE module 3 on the chassis, you would enter 3.

Step 6 In the VLANs field, enter the VLANs to be included in the VLAN group. Valid entries are comma-separated VLANs or ranges of VLANs (allowable range is 2-4094), such as 10, 50-110.

Step 7 Click:

Deploy Now to implement the configuration and to return to the Groups table.

Cancel to exit the procedure without saving your entries and to return to the Groups table.

Next to deploy your entries and to add another VLAN group.
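
The VLANs field format and the one-group-per-VLAN rule described above can be checked before a set of groups is deployed. The following Python sketch is an added example, not part of the Cisco guide or of ANM; the group IDs, slot numbers, and VLAN values in the sample plan are constructed for illustration.

```python
import re

VLAN_MIN, VLAN_MAX = 2, 4094  # allowable range stated in the guide
TOKEN = re.compile(r"([0-9]+)(?:\s*-\s*([0-9]+))?")  # "130" or "101-120"


def parse_vlan_list(text):
    """Expand a VLANs field such as '10, 50-110' into a sorted list of VLAN IDs.

    Raises ValueError for empty entries, non-numeric text, reversed ranges,
    and IDs outside the allowable range.
    """
    vlans = set()
    for token in text.split(","):
        token = token.strip()
        match = TOKEN.fullmatch(token)
        if not match:
            raise ValueError(f"not a VLAN or VLAN range: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) is not None else low
        if low > high:
            raise ValueError(f"range is reversed: {token!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"outside {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vlans.update(range(low, high + 1))
    return sorted(vlans)


def is_valid_vlan_list(text):
    """Return True when the field text parses cleanly."""
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


def check_vlan_groups(groups):
    """Check a set of planned VLAN groups.

    groups maps a group ID to (module slot numbers, VLANs field text).
    Returns (conflicts, vlans_per_slot): conflicts lists every VLAN placed in
    more than one group as (vlan, first_group, second_group); vlans_per_slot
    maps each ACE module slot to the VLANs it would receive.
    """
    owner, conflicts, per_slot = {}, [], {}
    for group_id, (slots, vlan_text) in groups.items():
        for vlan in parse_vlan_list(vlan_text):
            if vlan in owner:
                conflicts.append((vlan, owner[vlan], group_id))
            else:
                owner[vlan] = group_id
            for slot in slots:
                per_slot.setdefault(slot, set()).add(vlan)
    return conflicts, {slot: sorted(ids) for slot, ids in per_slot.items()}


# Constructed plan: one group shared by two ACE modules, one group per module.
SAMPLE_GROUPS = {
    "shared": ([3, 4], "10, 50-52"),
    "ace3": ([3], "100-101"),
    "ace4": ([4], "200, 52"),  # VLAN 52 is already in "shared"
}

if __name__ == "__main__":
    conflicts, per_slot = check_vlan_groups(SAMPLE_GROUPS)
    for vlan, first, second in conflicts:
        print(f"VLAN {vlan} is in both {first} and {second}")
    for slot, ids in sorted(per_slot.items()):
        print(f"slot {slot}: {ids}")
```
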


Related Topics

Configuring Device Layer 3 VLANs

Configuring Device Layer 2 VLANs

Viewing All Device VLANs

Adding and Managing Devices

Configuring Device Role-Based Access Controls

ANM provides an interface to allow you to configure device RBAC on the device only. This configuration is applicable only on the device and will not be enforced by ANM. If you want to set up authorization in ANM, go to Admin > Role-Based Access Control.

The following RBAC configurations can be set up on your device:

Configuring Device RBAC Users

Configuring Device RBAC Roles

Configuring Device RBAC Domains

Related Topics

Controlling Access to the Cisco ANM, page 15-3

How ANM Handles Role-Based Access Control, page 15-7

Preparing Devices for Import

Adding Network Devices into ANM

Configuring Devices

Configuring Device RBAC Users

ANM provides an interface to allow you to configure user access to your device via role-based access controls on the device only. This configuration is applicable only on the device and will not be enforced by ANM.

Use the Role-Based Access Control feature to specify the people that are allowed to log onto a device. The following sections describe how to manage device user accounts:

Guidelines for Managing Users

Displaying a List of Device Users

Configuring Device User Accounts

Modifying Device User Accounts

Deleting Device User Accounts

Related Topics

How ANM Handles Role-Based Access Control, page 15-7

Configuring Device Role-Based Access Controls

Guidelines for Managing Users

For users that you create in the Admin context, the default scope of access is for the entire ACE.

If you do not assign a role to a new user, the default user role is Network-Monitor. For users that you create in other contexts, the default scope of access is the entire context.

Users cannot log in until they are associated with a domain and a user role.

You cannot delete roles and domains that are associated with an existing user.

Related Topics

Configuring Device RBAC Users

Configuring Device Role-Based Access Controls

Displaying a List of Device Users

Use this procedure to display a list of users that can access this device.

Procedure


Step 1 Select Config > Devices > context > Role-Based Access Control > Users. The Users table appears with the following fields:

User Name

Expiration Date

Role

Domains

Step 2 You can use the options in this screen to create a new user or modify or delete any existing user to which you have access (see Table 2-14).


Related Topics

Configuring Device RBAC Users

Configuring Device Role-Based Access Controls

Configuring Device User Accounts

Use this procedure to add or modify a user account on a selected device, such as a Cisco Catalyst chassis or ACE 4710.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Users.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Users.

A list of users appears.

Step 2 In the Users table, click Add to add a new user, or select the user you want to configure, then click Edit. The Users configuration screen appears.

Step 3 Complete the following required fields:

Table 2-14 User Attributes 

Field
Description

User Name

Specifies the name by which the user is to be identified (up to 24 characters). Only letters, numbers, and underscore can be used. The field is case sensitive.

Expiry Date

Date user account expires (optional).

Password

Allows you to specify a password for this user account (configurable, based on minimum and maximum values defined).

Confirm Password

Reenter the password for this account.

Encryption

Sets password to clear or encrypted text.

Role

Allows you to customize this user's role or accept any existing roles. To enter the Role for this user, see Configuring Device User Roles. See Table 2-15 for details about setting up new roles.

Domains

Allows you to select domains to which this user belongs. Use the Add and Remove buttons.


Step 4 Click Deploy Now. The Users table is displayed.


Related Topics

Configuring Device RBAC Users

Configuring Device Role-Based Access Controls

Modifying Device User Accounts


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Users.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Users.

A table of users, expiration dates, roles, and domains appears.

Step 2 Select the user account you want to modify.

Step 3 Click Edit.

Step 4 Modify any of the attributes in the attributes table (see Table 2-14).

Step 5 Click Deploy Now.

The Users table then appears.


Related Topics

Configuring Device RBAC Users

Configuring Device Role-Based Access Controls

Deleting Device User Accounts

Use this option to delete an existing device RBAC user account.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Users.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Users.

A table of users, their role and domain appears.

Step 2 Select the user account to be deleted, then click Delete.

Step 3 Click OK to confirm deletion of the user, or click Cancel to return to the Users table.

The user account is removed from the ANM database.


Related Topics

Configuring Device RBAC Users

Configuring Device Role-Based Access Controls

Configuring Device RBAC Roles

This topic contains the following device role sections:

Guidelines for Managing User Roles

Role Mapping in Device RBAC

Configuring Device User Roles

Modifying Device User Roles

Deleting Device User Roles

Related Topics

How ANM Handles Role-Based Access Control, page 15-7

Configuring Device Role-Based Access Controls

Guidelines for Managing User Roles

Use these guidelines to manage roles:

Administrators can view and modify all roles.

Other users can only view the roles assigned to them.

You cannot change the default roles.

Role permissions are different based on whether they were created in an Admin context versus a non-admin or user context. If you want to allow users to switch between contexts, ensure they have a predefined role. If you want to restrict a user to only their home context, assign them a customized user role.

Certain role features are available only to default roles. For example, an Admin role in the Admin context would have changeto and system permissions to perform tasks like license management, resource class management, HA setup, and so on. User-created roles cannot use these features.

Related Topics

Role Mapping in Device RBAC

Controlling Access to the Cisco ANM, page 15-3

Configuring Device RBAC Users

Configuring Device RBAC Roles

Configuring Device RBAC Domains

How ANM Handles Role-Based Access Control, page 15-7

Role Mapping in Device RBAC

When you are logged into a specific device with Device RBAC, you see the tasks that you have been given permission to access. Features and menus that are not applicable to your role are not displayed.

Since the predefined roles encompass all the role types you may need, we encourage you to use them. If you choose to define your own roles, be aware that rule features do not map one-to-one from CLI feature to ANM menu task.

Defining the proper rules for your user-defined role will require you to create a mapping between the features in Device RBAC and the ANM menu tasks. For example, in order to manage virtual servers, you must select the following six menu features (Real Servers, Server Farms, VIP, Probes, Loadbalance, NAT, and Interface) in your role.


Note There are certain features in the ANM that do not have a corresponding feature mapping on the CLI. Examples of those are class maps and SNMP. To modify these features you need to select a predefined role that contains at least one feature with the Modify permission on it.


Related Topic

How ANM Handles Role-Based Access Control, page 15-7

Understanding Roles, page 15-5

Configuring Device User Roles

You can edit the predefined roles, or you can create or edit user-defined roles. When you create a new role, you specify a name and description of the new role, then select the operations privileges for each task. You can also assign this role to one or more users.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Roles.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles.

A table of the defined roles and their settings appears.

Step 2 Select the type of configuration you want to perform:

To add a new role, click Add, enter the following attributes, then click Deploy Now.

Table 2-15 Role Attributes 

Attribute
Description

Role Name

The name of the role.

Description

A brief description of the role.


The Roles configuration screen appears.

To edit a role, select the role you want to configure, then click Edit. The Roles configuration screen appears.

Step 3 Click Edit to open the Rules table.

Step 4 In the Rules table, click Add to create rules for this role, or select the rule you want to configure, then click Edit. See Table 2-16 for rule attribute descriptions.

Table 2-16 Rule Attributes 

Attribute
Description

Rule Number

The number assigned to this rule.

Permission

Permit or deny the specified operation.

Operation

Create, debug, modify (see footnote 1), and monitor the specified feature.

Feature

AAA, Access-list, Config-copy, Connection, DHCP, Fault-tolerant, Inspect, Interface, Loadbalance, NAT, PKI, Probe, Real-inservice, Routing, Rserver, Server Farm, SSL, Sticky, Syslog, and VIP.

1. Certain features are not available for certain operations. For modify, the following features cannot be used: config-copy, DHCP, NAT, real-inservice, routing, and syslog.


Step 5 Click Deploy Now to update the rule for this role or click Next to deploy this rule and move to another rule.

Step 6 Click Deploy Now to update this role.
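
Role and user definitions can be checked against Table 2-14, Table 2-16, and the user guidelines before they are deployed to a device. The following Python sketch is an added example, not part of the Cisco guide or of ANM; the data layout, role name, user names, domain name, and dates are constructed for illustration.

```python
import re
from datetime import date

# Transcribed from Table 2-14, Table 2-16 and its footnote in this section.
OPERATIONS = {"create", "debug", "modify", "monitor"}
FEATURES = {
    "aaa", "access-list", "config-copy", "connection", "dhcp", "fault-tolerant",
    "inspect", "interface", "loadbalance", "nat", "pki", "probe",
    "real-inservice", "routing", "rserver", "server farm", "ssl", "sticky",
    "syslog", "vip",
}
NO_MODIFY = {"config-copy", "dhcp", "nat", "real-inservice", "routing", "syslog"}
USER_NAME = re.compile(r"[A-Za-z0-9_]{1,24}")  # up to 24 letters, numbers, underscore
DEFAULT_ROLE = "Network-Monitor"


def lint_rule(number, permission, operation, feature):
    """Check one rule against Table 2-16; return a list of problems."""
    permission, operation, feature = (
        s.strip().lower() for s in (permission, operation, feature)
    )
    problems = []
    if permission not in ("permit", "deny"):
        problems.append(f"rule {number}: permission must be permit or deny")
    if operation not in OPERATIONS:
        problems.append(f"rule {number}: unknown operation {operation!r}")
    if feature not in FEATURES:
        problems.append(f"rule {number}: unknown feature {feature!r}")
    elif operation == "modify" and feature in NO_MODIFY:
        problems.append(f"rule {number}: {feature} cannot be used with modify")
    return problems


def review(users, roles, today):
    """Review planned accounts and roles.

    users: list of dicts with name, expiry (date or None), role, domains.
    roles: {role name: [(number, permission, operation, feature), ...]}.
    Returns (findings, roles_in_use); per the guidelines, a role that is
    associated with an existing user cannot be deleted.
    """
    findings = []
    for role_name, rules in roles.items():
        for rule in rules:
            findings += [f"role {role_name}: {p}" for p in lint_rule(*rule)]
    roles_in_use = set()
    for user in users:
        name = user["name"]
        if not USER_NAME.fullmatch(name):
            findings.append(f"user {name!r}: name must be 1-24 letters, numbers or underscores")
        if user.get("role") is None:
            findings.append(f"user {name!r}: no role assigned, defaults to {DEFAULT_ROLE}")
        else:
            roles_in_use.add(user["role"])
        if not user.get("domains"):
            findings.append(f"user {name!r}: no domain, cannot log in")
        expiry = user.get("expiry")
        if expiry is not None and expiry < today:
            findings.append(f"user {name!r}: account expired on {expiry.isoformat()}")
    return findings, roles_in_use


# Constructed sample data.
SAMPLE_TODAY = date(2024, 1, 1)
SAMPLE_ROLES = {
    "slbops": [
        (1, "permit", "modify", "VIP"),
        (2, "permit", "modify", "NAT"),      # NAT is excluded from modify
        (3, "permit", "monitor", "Syslog"),
    ],
}
SAMPLE_USERS = [
    {"name": "ops_anna", "expiry": date(2030, 1, 1), "role": "slbops",
     "domains": ["default-domain"]},
    {"name": "temp contractor", "expiry": date(2020, 1, 1), "role": None,
     "domains": []},
]

if __name__ == "__main__":
    findings, in_use = review(SAMPLE_USERS, SAMPLE_ROLES, SAMPLE_TODAY)
    for finding in findings:
        print(finding)
    print("roles that cannot be deleted:", sorted(in_use))
```
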


Related Topics

Configuring Device RBAC Roles

Configuring Device Role-Based Access Controls

Modifying Device User Roles

You can modify any user-defined role.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Roles.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles.

A table of the defined roles and their settings appears.

Step 2 Select the role you want to modify.

Step 3 Click Edit. For details on updating role rules, see Table 2-16.

Step 4 Make the changes. For details on updating role rules, see Adding, Editing, or Deleting Rules.

Step 5 Click Deploy Now to update the rules for this role.


Related Topics

Configuring Device RBAC Roles

Configuring Device Role-Based Access Controls

Deleting Device User Roles

You can delete any user-defined roles.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Roles.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles.

Step 2 Select the role to be deleted.

Step 3 Click Delete.

Step 4 Click OK to confirm the deletion. Users that have the deleted role no longer have that access.


Related Topics

Configuring Device RBAC Roles

Configuring Device Role-Based Access Controls

Adding, Editing, or Deleting Rules

You can change or delete rules to redefine what feature access a specific role contains.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 After selecting the user-defined role, click Edit to open the Rule window and perform any of the following tasks:

Click Add to create a new rule. Enter the rule information (see Table 2-16), then click Deploy Now to add the rule or Next to deploy this rule and add another rule.

Select a rule and click Edit to change an existing rule. Click Deploy Now to save this rule.

Select the rules to remove from this role, then click Delete. Click OK to confirm its deletion.

Step 2 Click Deploy Now to save these changes to the role.


Related Topic

Configuring Device RBAC Roles

Configuring Device Role-Based Access Controls

Configuring Device RBAC Domains

This section describes the following device domains tasks:

Guidelines for Managing Domains

Configuring Device Domains

Modifying Device Domains

Deleting Device Domains

Related Topics

Device Management Overview

How ANM Handles Role-Based Access Control, page 15-7

Configuring Device Role-Based Access Controls

Guidelines for Managing Domains

Devices and their components must already be configured in order for them to be added to a domain.

Domains are logical concepts. You do not delete a member of a domain when you delete the domain.

The predefined default domain cannot be modified or deleted.

Normally, a user is associated with the default domain, which allows the user to see all configurations within the context. When a user is configured with a customized domain, then the user can see only what is in the domain.

Related Topics

Configuring Device RBAC Domains

Configuring Device Role-Based Access Controls

Displaying Domains for a Device


Note Your user role determines whether you can use this option.


Procedure


Step 1 Select the item to view:

To view a domain for the device's virtual context, select Config > Devices > context > Device RBAC > Domains.

To view a domain for a configuration building block, select Config > Global > Building Blocks > building block > Role-Based Access Control > Domains.

The Domains table appears.

Step 2 Expand the table until you can see all the network domains.

Step 3 Select a domain from the Domains table to view the settings for that domain.

Step 4 You can also perform these tasks from this pane:

Configuring Device Domains

Modifying Device Domains

Deleting Device Domains


Related Topic

Configuring Device RBAC Domains

Configuring Device Role-Based Access Controls

Configuring Device Domains

Use this procedure to add or modify domains on a selected device, such as a Cisco Catalyst chassis.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Domains.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains.

The Domains table appears.

Step 2 Select the type of configuration you want to perform:

To add a new domain, click Add, enter the Domain Name, then click Deploy Now.

To edit a domain, select the domain you want to configure, then click Edit.

The Domain Object field appears below the Domain Name in the content area.

Step 3 Click Edit to enter the Domain Object table.

Step 4 Select the type of configuration you want to perform:

Click Add to create domain objects for this domain. See Table 2-17 for Domain Object attributes.

To remove an object, select the object you want to remove, then click Delete.

Table 2-17 Domain Attributes 

Field
Description

Object Type

The collection of objects which comprise this domain. The following options may be available depending on your virtual context:

All

Access list—Ethertype

Access list—Extended

Class-map

Interface VLAN

Interface BVI

Parameter map

Policy map

Probe

Real server

Script

Server farm

Sticky

Object Name

This field appears when a specific object type is selected. It holds the name of an existing, defined object.


Step 5 Click Deploy Now.

The Domains Edit window updates and displays the total object number next to the object name.


Related Topics

Configuring Device RBAC Domains

Configuring Device Role-Based Access Controls

Modifying Device Domains

Use this option to change the settings in a domain.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Domains.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains.

Step 2 Select the domain you want to change. Click Edit.

Step 3 Click Edit to edit the domain object. For details on object fields, see Table 2-17.

Step 4 Make the changes.

Step 5 Click Deploy Now.


Related Topics

Configuring Device RBAC Domains

Configuring Device Role-Based Access Controls

Deleting Device Domains

Use this option to delete a network domain from the system, as well as all the devices and subdomains it contains.


Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC go to Admin > Role-Based Access Control.


Procedure


Step 1 Select the item to configure:

To configure a virtual context, select Config > Devices > context > Device RBAC > Domains.

To configure a configuration building block, select Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains.

Step 2 Select the domain you want to delete.

Step 3 Click Delete. A prompt asks you to confirm this action.

Step 4 Click OK. The domain is removed from the ANM database.


Related Topics

Configuring Device RBAC Domains

Configuring Device Role-Based Access Controls

Managing Devices

The following topics describe additional options for managing devices:

Synchronizing Device Configurations

Configuring User-Defined Groups

Updating Chassis Passwords

Changing ACE Module Passwords

Synchronizing Module Configurations

Restarting Device Polling

Viewing All Devices

Viewing Modules by Chassis

Removing Modules from the ANM Database

Synchronizing Device Configurations

ANM provides three levels of synchronization. You can choose to "sync up" from the device to ANM:

From the chassis level—Use this when you want to sync up Catalyst chassis and module updates. See Synchronizing Chassis Configurations.

From the ACE module level—Use this when you want to synchronize changes to your ACE or CSM modules, such as new virtual contexts. See Synchronizing Module Configurations.

From the virtual context level—Use this at the Admin level to synchronize all current and new VCs or at the individual level to synchronize a specific virtual context. See Synchronizing Virtual Context Configurations, page 3-66.


Caution If you see a difference between the ANM management system and your network device information, the management system contains the data that is least accurate. This is because network devices can be accessed through the CLI and changed outside of the ANM. We recommend that you synchronize the network devices up to the ANM using the Sync option, thus making the ANM data more accurate.

Synchronizing Chassis Configurations

ANM allows you to manually synchronize the configuration for Cisco Catalyst chassis, CSS devices, GSS devices and ACE appliances when there have been changes to a device that are not tracked in ANM.


Note ANM does not support auto sync for Catalyst 6500/Cisco 7600 chassis, CSM, CSS and GSS devices. Be sure to synchronize configurations on these devices after import, and whenever their configurations have been modified via the CLI.


Changes that require synchronization include such items as:

Upgrading chassis hardware or software

Adding new modules to the chassis

Removing a module from a chassis

Rearranging modules within the chassis

Upgrading module software

Changing the chassis configuration using the CLI instead of the ANM, for example for VLANs or VLAN groups

Use this procedure to synchronize configurations for Cisco Catalyst chassis, CSS devices, and ACE appliances.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the device with the configuration that you want to synchronize, then click CLI Sync. A window appears asking you to confirm the synchronization.

Step 3 Click OK to synchronize the configuration or Cancel to cancel the synchronization.

The ANM displays status while synchronization is in progress and returns to the All Devices table when synchronization is complete.
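The list of changes that require synchronization includes VLAN and VLAN group edits made from the CLI. The following added example (not part of the Cisco guide and not ANM code) compares a snapshot taken at the last CLI Sync with a current running configuration and reports VLANs and VLAN groups that changed outside the management system. Both snapshots are constructed samples, and the parser assumes IOS-style `vlan`, `name`, and `svclc vlan-group` lines.

```python
import re

# Constructed sample: chassis VLAN configuration as of the last CLI Sync.
LAST_SYNCED = """\
vlan 10
 name web
vlan 20
 name app
svclc vlan-group 1 10,20
svclc module 3 vlan-group 1
"""

# Constructed sample: running configuration after a change made from the CLI.
RUNNING = """\
vlan 10
 name web
vlan 20
 name app-tier
vlan 30
 name db
svclc vlan-group 1 10,20-21,30
svclc module 3 vlan-group 1
"""

def expand(spec):
    """Expand a VLAN list such as '10,20-22' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_vlan_state(config):
    """Extract VLAN names and VLAN group membership from a config snapshot."""
    state = {"vlans": {}, "groups": {}}
    current = None  # VLAN whose indented sub-commands are being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = int(m.group(1))
            state["vlans"][current] = ""
        elif current is not None and (m := re.fullmatch(r"\s+name (\S+)", line)):
            state["vlans"][current] = m.group(1)
        elif m := re.fullmatch(r"svclc vlan-group (\d+) ([\d,-]+)", line):
            state["groups"][int(m.group(1))] = expand(m.group(2))
            current = None
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the VLAN block
    return state

def drift(synced, running):
    """List (kind, id, change) for every VLAN or VLAN group that differs."""
    old, new = parse_vlan_state(synced), parse_vlan_state(running)
    findings = []
    for kind in ("vlans", "groups"):
        for key in sorted(old[kind].keys() | new[kind].keys()):
            before, after = old[kind].get(key), new[kind].get(key)
            if before != after:
                change = "added" if before is None else "removed" if after is None else "changed"
                findings.append((kind, key, change))
    return findings

if __name__ == "__main__":
    for kind, key, change in drift(LAST_SYNCED, RUNNING):
        print(f"{kind[:-1]} {key}: {change} outside the management system")
```

A non-empty result means the device was changed from the CLI since the last sync, so the chassis should be synchronized before relying on the management system's view of it.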


Related Topics

Configuring Devices

Synchronizing Module Configurations

Restarting Device Polling

Synchronizing Module Configurations

The ANM allows you to synchronize the configuration for ACE or CSM modules when there have been changes to the module that are not tracked in ANM. Changes that require synchronization for a module include such items as:

Upgrading module software

Changing the module configuration using the CLI instead of the ANM

Use this procedure to synchronize configurations for ACE or CSM modules.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the chassis containing the module with the configuration you want to synchronize, then click Modules. The Modules table appears.

Step 3 Select the module with the configuration you want to synchronize, then click Sync. A window appears asking you to confirm the synchronization.

Step 4 Click OK to synchronize the configuration or Cancel to cancel the synchronization.

The ANM displays status while synchronization is in progress and returns to the Modules table when synchronization is complete.


Related Topics

Configuring Devices

Managing Devices

Synchronizing Device Configurations

Configuring User-Defined Groups

The ANM allows you to create logical groupings of virtual contexts or chassis for ease of management. These logical groups are known as user-defined groups and appear in the device tree (Config > Devices) in the folder named Groups for quick access.

Users can create their own groups, add and remove members, and assign group names that suit their environment and are meaningful to them. For information on managing user-defined groups, see:

Adding a User-Defined Group

Modifying a User-Defined Group

Duplicating a User-Defined Group

Deleting a User-Defined Group


Note Device groups continue to display device information even after you remove that device from ANM. This allows the device group information to be easily reassociated if you reimport the device. The device name must remain the same for this to work properly.


Adding a User-Defined Group

Use this procedure to add a user-defined group.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 In the device tree, select Groups. The Groups table appears.

Step 3 Click Add to add a new group, or select an existing group, then click Edit to modify it. The Group configuration screen appears.

Step 4 In the Name field, enter a unique name for this group. Valid entries are unquoted text strings with no spaces and a maximum of 26 alphanumeric characters.

The screen identifies the objects by type and provides a Search field for each:

Virtual Context Members

Device Members

CSM Members

Step 5 To add objects to the group, for each object type, select the object in the Available Items list, then click Add. The selected objects appear in the Selected Items list.

To remove objects that you do not want to include, select the objects in the Selected Items list, then click Remove. The items then appear in the Available Items list.

To search for specific objects, enter a search string containing the object name or part of the object name in the Search field, then click Search. The Available Items list refreshes with the objects that meet the search criteria.

Step 6 In the Description field, enter a description for this group.

Step 7 Click:

Save to accept your entries and to return to the Groups table.

Cancel to exit this procedure without saving your entries and to return to the Groups table.


Related Topics

Configuring User-Defined Groups

Modifying a User-Defined Group

Duplicating a User-Defined Group

Deleting a User-Defined Group

Modifying a User-Defined Group

Use this procedure to change the members or the description of a user-defined group. You cannot change the name of an existing user-defined group.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 In the device tree, click Groups. The Groups table appears.

Step 3 In the Groups table, select the group you want to modify, then click Edit. The Group configuration screen appears.

Step 4 In each Members field, add or remove group members:

Select the items you want to add to this group in the Available Items list, then click Add.

Select the items you want to remove from this group in the Selected Items list, then click Remove.

Step 5 In the Description field, modify the description as needed.

Step 6 Click:

Save to accept your entries and to return to the Groups table.

Cancel to exit this procedure without saving your entries and to return to the Groups table.


Related Topics

Configuring User-Defined Groups

Adding a User-Defined Group

Duplicating a User-Defined Group

Deleting a User-Defined Group

Duplicating a User-Defined Group

Use this procedure to duplicate a user-defined group.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 In the device tree, click Groups. The Groups table appears.

Step 3 Select the user-defined group that you want to duplicate, then click Duplicate. A window appears asking you to enter a new name.

Step 4 Type the new group name, then click OK.

The Groups table refreshes and the duplicated group name appears in the list.


Related Topics

Configuring User-Defined Groups

Adding a User-Defined Group

Modifying a User-Defined Group

Deleting a User-Defined Group

Deleting a User-Defined Group

Use this procedure to delete a user-defined group.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 In the device tree, click Groups. The Groups table appears.

Step 3 Select the user-defined group that you want to remove, then click Delete. A window appears asking you to confirm the deletion.

Step 4 Click:

OK to delete the selected user-defined group. The Groups table refreshes and the deleted group no longer appears.

Cancel to exit this procedure without deleting the group. The Groups table refreshes.


Related Topics

Configuring User-Defined Groups

Adding a User-Defined Group

Modifying a User-Defined Group

Duplicating a User-Defined Group

Updating Chassis Passwords

If you change chassis passwords using the CLI, you can update the chassis passwords in ANM without rediscovering or reimporting the chassis information.

Use this option to update the chassis password or enable password in ANM after they have been changed on the device.


Note The password changes made in the UI apply to the ANM server only. Changing passwords in the Update Password window does not change the Password/Enable password on the device.


Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the chassis with the passwords that you want to update in ANM, then click Update Password. The Update Password window appears.

Step 3 Update the chassis passwords in ANM using the information in Table 2-18.

Table 2-18 Update Chassis Password Options 

Field
Description

Update

Specify the passwords that you want to update in the ANM:

Both—Update both the chassis password and the chassis enable password.

Password Only—Update the chassis password only.

Enable Password Only—Update the chassis enable password only.

New Password

Enter the updated chassis password.

Confirm New Password

Reenter the updated chassis password.

New Enable Password

Enter the updated enable password for the chassis.

Confirm New Enabled Password

Reenter the updated enable password for the chassis.



Related Topics

Changing ACE Module Passwords

Managing Devices

Configuring Devices

Changing ACE Module Passwords


Note This functionality is available only in Admin contexts.


All ACE modules shipped from Cisco Systems are configured with the same administrative username and password. Because this can compromise network security, we recommend that you change the username and passwords of the ACE modules after you import them into the ANM database.

Assumption

The ACE module has been imported into the ANM database and is in an operational state.

Procedure


Step 1 Select Config > Devices > All Devices. The device tree appears.

Step 2 Select the device containing the ACE module with the password you want to change. The Modules table appears.

Step 3 Select the module whose password you want to change, then click Change Card Password. The Modules configuration screen appears.

Step 4 In the Card Slot field, confirm that the correct module is selected.

Step 5 In the Card Type field, confirm that the correct version appears.

Step 6 In the Module has been imported into ANM field, confirm that the check box is selected to indicate that the module has been imported. This is a read-only field.

Step 7 In the Operation to Perform field, select Change card password.

Step 8 In the Username field, enter the username of the account whose password you want to change.

Step 9 In the Password field, enter the existing password for the account.

Step 10 In the New Password field, enter the new password for the account. Valid passwords are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field.

Step 11 Click:

OK to accept your entries and to return to the Modules table.

Cancel to exit the procedure without saving your entries and to return to the Modules table.


Related Topics

Configuring Devices

Managing Devices

Adding ACE Modules to ANM

Updating Chassis Passwords

Restarting Device Polling

Use this procedure to restart monitoring on a device that has stopped or failed to start.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the device whose monitoring has stopped or failed, then click Restart Polling. The All Devices table refreshes with updated polling status. For a description of the various polling status variables, see Table 2-19.

If the ANM cannot monitor the selected device, it displays an error message stating the reason.


Related Topics

Configuring Devices

Adding and Managing Devices

Viewing All Devices

Use this procedure to view all devices that have been imported into the ANM database.

Procedure


Step 1 Select Config > Devices. The device tree appears.

Step 2 Select All Devices. The All Devices table displays information for the devices being managed by the ANM (see Table 2-19).

Table 2-19 All Devices Table Attributes

Field
Description

Name

The name assigned to the device.

Type

The type of the device, such as Chassis, ACE 4710, or CSS.

Version

The version of the software running on the device, if available.

IP Address

The device IP address.

Polling Status

The current polling status of the device:

Missing SNMP Credentials—SNMP credentials are not configured for this device; therefore, statistics are not collected. Add SNMP V2C credentials to fix this error.

Not Polled—SNMP polling has not started. Add SNMP V2C credentials to fix this error.

Monitoring Not Supported—This status appears at the device level only and applies to Cisco Catalyst chassis, 7600 series routers, and ACE appliances.

Polling Failed—SNMP polling failed due to some internal error. Try enabling the SNMP collection again.

Polling Started—No action required. Everything is working properly. Polling states will display activity.

Polling Timed Out—SNMP polling has timed out. This might occur if the wrong credentials were configured or might be caused by an internal error (such as SNMP protocol configured incorrectly or destination is not reachable). Verify that SNMP credentials are correct. If the problem persists, enable SNMP collection again.

Unknown—SNMP polling is not working due to one of the above-mentioned conditions. Check the SNMP V2C credential configuration.



Related Topics

Adding and Managing Devices

Configuring Cisco Catalyst Chassis and 7600 Series Router Primary Attributes

Viewing and Configuring Device Interfaces

Viewing Modules by Chassis

For devices that contain modules, such as Cisco Catalyst chassis, you can use this procedure to view all modules on a specific chassis.

Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the chassis containing the modules that you want to view, then click Modules. The Modules table appears, listing all modules on that chassis with the following information:

Slot number

Service module model

Module type, such as Cisco Content Switching Module (CSM), ACE module and version, or other modules, such as supervisor modules

Serial number

Module operational state, such as Up, Powered Off, or Not Imported

Version of software the module is running

Brief description

For ACE modules, the number of virtual contexts configured on the module

Depending on the type of module selected, such as CSM or ACE modules, the following options are available from this screen:

Import—Use this option to import an ACE module that resides in the selected chassis but that has not yet been imported into the ANM database. For more information, see Adding ACE Modules to ANM or Importing Cisco Content Switching Module (CSM) Devices.

Change Card Password—Use this option to change the administrative password on an ACE module that has been imported into the ANM database. For more information, see Changing ACE Module Passwords.

Do Not Manage—Use this option to remove a selected ACE module from the ANM database. For more information, see Removing Modules from the ANM Database.

Step 3 To view the modules of another chassis, select another chassis in the device tree or use the chassis selector field at the top of the screen.


Related Topics

Viewing and Configuring Device Interfaces

Managing Device VLANs

Adding ACE Modules to ANM

Importing Cisco Content Switching Module (CSM) Devices

Removing Modules from the ANM Database

Use this procedure to remove a module from the ANM database.


Note If you physically replace an ACE module in a chassis, you need to synchronize the chassis in the ANM. See Synchronizing Chassis Configurations for more information.


Procedure


Step 1 Select Config > Devices > All Devices. The All Devices table appears.

Step 2 Select the device containing the module you want to remove, then click Modules. The Modules table appears.

Step 3 Select the module you want to remove from ANM management, then click Do Not Manage. The Modules configuration screen appears.

Step 4 Confirm the information in the following fields:

Card Slot

Card Type

Module has been imported into ANM

Step 5 In the Operation to Perform field, select Do Not Manage.

Step 6 Click:

OK to confirm removal of the module. The Modules table refreshes and the removed module appears with the state Not Imported.

You can import the module again when desired (see Adding ACE Modules to ANM).

Cancel to exit the procedure without removing the ACE module and to return to the Modules table.


Related Topics

Adding Network Devices into ANM

Changing ACE Module Passwords