Installation and Setup Guide for Resource Manager Essentials 3.5 on Solaris (With LMS 2.2/RWAN 1.3)
Preparing to Use Essentials Applications
Download this chapter
Preparing to Use Essentials ApplicationsPreparing to Use Essentials Applications
Download the complete book
Installation and Setup Guide for Resource Manager Essentials on SolarisInstallation and Setup Guide for Resource Manager Essentials on Solaris (PDF - 2 MB)
give_us_feedback

Table Of Contents

Preparing to Use Essentials Applications

Preparation Overview

Accessing the Server

Logging In

Configuring the Server

Setting Device Credentials

Setting Up Inventory

Adding or Importing Inventory Data

Adding Device Information Manually

Importing Devices

Creating a Device View

Changing Device Attributes (Credentials and Serial Numbers)

Setting Up and Verifying Availability

Setting Up Syslog Analysis

Specifying Country Codes

Configuring Devices for Syslog Analysis

Configuring Cisco IOS Devices

Configuring Catalyst Devices

Verifying the Settings in the Syslog Configuration File

Verifying the Syslog Analyzer

Setting Up Software Management

Verifying Space Required for Downloaded Files

Adding Device Passwords to Inventory

Setting Software Management Preferences

Setting Up TFTP

Enabling the TFTP Daemon

Creating the /tftpboot Directory

Setting Up rcp

Creating the rcp Remote User Account

Enabling the rcp Daemon

Selecting rcp as the Active File Transfer Method

Allowing the User casuser to Use at and cron

Setting Up Configuration Management

Entering Device Credentials

Modifying Device Configurations

Make Sure Devices Are rcp-enabled

Make Sure Devices Are SSH-enabled

Configure Devices for Syslog Analysis

Modifying Device Security

Setting Up NetConfig

Verifying Device Configurations

Verifying Device Credentials

Modifying Device Security

Verify Device Prompts

Configuration Job Setup

Logging Out


Preparing to Use Essentials Applications

After installing and setting up Resource Manager Essentials (Essentials), you must configure the server for Essentials and configure the Essentials applications for use.

This chapter assumes that you have performed the client setup tasks described in Installation and Setup Guide for Common Services on Solaris.

This chapter consists of:

Preparation Overview

Accessing the Server

Logging In

Configuring the Server

Setting Device Credentials

Setting Up Inventory

Setting Up and Verifying Availability

Setting Up Syslog Analysis

Setting Up Software Management

Setting Up Configuration Management

Preparation Overview

Table 2-1 lists the prerequisite tasks for using Essentials applications. It contains references to more detailed information about each task.

Table 2-1 Preparing To Use Essentials Applications Task Overview 

Task
Steps
References

1. Configure the system.

Enter information about the proxy server, SNMP, SMTP, and rcp

"Configuring the Server" section.

2. Setting device credentials

Configure items on the devices that are to be monitored by Essentials.

"Setting Device Credentials" section

3. Set up Inventory.

a. Create network inventory by either:

Adding device information one device at a time.

Importing device information from a file or NMS database or Auto Update Server

"Adding or Importing Inventory Data" section.

b. (Optional) Create a device view.

"Creating a Device View" section.

c. (Optional) Obtain login privileges to Cisco.com (CCO).

If you do not have login privileges, go to the Cisco.com home page, www.cisco.com, to obtain a login.

d. (Optional) Enter device serial numbers for devices that have Contract Connection service contracts.

"Changing Device Attributes (Credentials and Serial Numbers)" section.

e. (Optional) Perform the following Inventory setup tasks:

Schedule inventory polling and collection.

Set change report filters.

Display a detailed device report.

Inventory online help.

4. Verify Availability.

a. Create a device view with at least one device.

"Setting Up and Verifying Availability" section and "Creating a Device View" section.

b. Verify that Availability functions correctly.

"Setting Up and Verifying Availability" section.

5. Set up Syslog Analysis.

a. Configure your routers and switches for Syslog analysis.

"Configuring Devices for Syslog Analysis" section.

b. Verify settings in the Syslog configuration file.

"Verifying the Settings in the Syslog Configuration File" section.

c. Verify Syslog messages are being processed by Syslog Analyzer.

"Verifying the Syslog Analyzer" section.

6. Set up Software Management.

a. Add device passwords to inventory.

"Adding Device Passwords to Inventory" section.

b. Set Software Management preferences.

"Setting Software Management Preferences" section.

c. Obtain login privileges to Cisco.com.

If you do not have login privileges, go to the Cisco.com, to obtain a login.

d. Set up Trivial File Transfer Protocol (TFTP).

"Setting Up TFTP" section.

e. Set up rcp.

"Setting Up rcp" section.

f. Allow user casuser to use at and cron.

"Allowing the User casuser to Use at and cron" section.

g. (Optional) Perform setup tasks:

Create a baseline of the devices in your network and populate the software image library.

Schedule the Browse Defects job to run periodically.

Schedule the Synchronize Library job to run periodically.

Create one or more approver lists if you want to use the Maker Checker option.

Distribute a software image to a device or group of devices.

Software Management online help.

7. Set up Configuration Management.

a. Enter passwords.

"Entering Device Credentials" section.

b. Modify device configurations.

"Modifying Device Configurations" section.

c. Modify device security.

"Modifying Device Security" section.

d. Set up NetConfig:

Verify device configurations in configuration archive.

Verify device credentials.

Modify device security.

Verify device prompts.

"Setting Up NetConfig" section and NetConfig online help.

e. (Optional) Perform NetConfig setup tasks:

Install Java Plugin on client systems.

Configure default job properties.

Assign template access privileges to users.

Enable Job Approval.

NetConfig online help.


Accessing the Server

When you access the CiscoWorks Server, the CiscoWorks screen appears with the Login Manager displayed.

To access the server from a client system, enter any one of these URLs in your web browser:

If SSL is disabled and if you installed CiscoWorks Common Services (Common Services) on the default port, and enter: 

http://server_name:1741

If SSL is enabled, and if you installed CiscoWorks Common Services (Common Services) on the default port, enter: 

https://server_name:1742

where server_name is the hostname of the server on which you installed Essentials.

If an alternative port was assigned during Common Services installation, enter: 

http://server_name:port_number

where server_name is the name of the server on which you installed Common Services and Essentials, and port_number is the alternative port assigned during the installation. See the User Guide for CiscoWorks Common Services for information about administrator logins.

Logging In

To perform server setup tasks, you must log in as the system administrator:

Step 1 Enter the administrator username and password in the Login Manager dialog box (Figure 2-1): 

User Name: admin

Password: password

Figure 2-1 Login Manager Dialog Box

Step 2 Click Connect.

The Login Manager dialog box is replaced by the navigation tree.

Configuring the Server

You can configure system-wide information for Essentials applications using the System Configuration option. You should verify that the defaults are correct, if not enter the corrections.

Step 1 Select Resource Manager Essentials > Administration > System Configuration.

The System Configuration dialog box appears (Figure 2-2).

Figure 2-2 System Configuration Dialog Box

Step 2 Select one of the following tabs to enter information or to verify that the configured information is correct:

Proxy

SNMP

SMTP

rcp

See Table 2-2 for descriptions of the information in each dialog box tab.

Step 3 Click Apply to save changes, or click Defaults to apply the default.

Step 4 Repeat Step 2 and Step 3 until you have verified or corrected all the information displayed in the System Configuration dialog box.

The dialog box is displayed until you select another option from navigation tree.

Table 2-2 System Configuration Dialog Box Information 

Tab Name
Description
Fields—Values to Enter

Proxy

Connects to Cisco.com. If server access to the outside world is controlled through a proxy server, this setting must be configured.

Proxy URL—System-wide proxy URL. There is no default.

SNMP

Queries devices for inventory collection, which includes importing and adding devices and collecting inventory data.

Fast SNMP Timeout—Length of time (from 5 to 90 seconds) that the system waits for a device to respond before trying to access it again. Default is 5.

Fast SNMP Retry—Number of times (from 2 to 6) that the system tries to access devices with fast SNMP options. Default is 2.

Slow SNMP Timeout—Length of time (from 10 to 90 seconds) that the system waits for a device to respond before trying to access it again. Default is 20.

Slow SNMP Retry—Number of times (from 2 to 6) that the system tries to access a device with slow SNMP options. Default is 3.

The system tries the Fast SNMP Timeout and Fast SNMP Retry options first. If no response occurs after Fast Retry, the system switches to the Slow SNMP options.

rcp

Used to specify user during remote file transfers from devices. Authenticates rcp transfers between devices and server.

User account must exist on UNIX systems and should also be configured on devices as local user in the ip rcmd configuration command.

See "Setting Up rcp" section.

User Name—Name used by a network device when it connects to the server to run rcp.


Setting Device Credentials

Several important items must be configured correctly on every Cisco device that will be managed and monitored through Essentials.

Details about each application and the tasks involved in setting the credentials are available later in this document. For details see Table 2-1.

Table 2-3 lists all the applications and the device credentials required for proper functioning of the applications.

Table 2-3 Applications and the Device Credentials 

Application
Telnet Password
Enable Password
SNMP Read Only
SNMP Read / Write

NetConfig

Required

Required

Required

Not required1

NetShow

Required

Required

Required

Not required

Config Editor

Required

Required

Required

Not required2

ChangeAudit

Not required

Not required

Required

Not required

Configuration Management (Telnet)

Required

Required

Required

Not required

Configuration Management (TFTP)3

Not required

Not required

Required

Required

Inventory

Not required

Not required

Required

Not required

SWIM

Required4

Required4

Required

Required

Syslog

Not required

Not required

Required

Not required

Availability

Required

Required

Required

Not required

1 After execution of a job, NetConfig provides an option to fetch the configuration using TFTP. SNMP Read/Write credentials are required in such cases.

2 After execution of a job, Config Editor provides an option to fetch the configuration using TFTP. SNMP Read/Write credentials are required in such cases.

3 The file vlan.dat can be fetched only if telnet password and enable password are supplied.

4 Required in case of few devices like PIX devices, Cisco 2950 series switches.


Setting Up Inventory

As a network administrator, you need to be able to quickly troubleshoot problems on the network, identify when network capacity is being reached, and provide information to management on the number and types of devices that are used on the network.

If the network goes down, one of the first things you will need to know is what devices are running on the network. The Inventory application in Essentials caters to these requirements.

This section describes the tasks that you must perform to set up the Inventory application.

For detailed information see User Guide for Resource Manager Essentials 3.5.

Adding or Importing Inventory Data

You must have at least one managed device (a device whose inventory information is tracked by Essentials) to verify correct Essentials installation. To manage your network, you need to add device information for all your managed devices.

To populate your network inventory:

Add devices one at a time by entering the device information manually.

Import a group of devices from:

A comma-separated values (CSV) file or a device integration file (DIF) that you create from another information source.

A supported network management system (NMS) on the same host as your server (local import).

A supported NMS on a different host from your server (remote import).

A supported proxy server like Auto Update Server (AUS).

The supported NMS software is described in the "Supported NMS Environments for Device Import" section.

Adding Device Information Manually

This section describes how to add devices one at a time and how to troubleshoot problems you might have, using this method.

Step 1 Select Resource Manager Essentials > Administration > Inventory > Add Devices.

The Add a Single Device dialog box appears.

Step 2 Enter the access information and annotations for one device.

You must fill in the Device Name field with the device name or IP address. For Inventory, all other fields in this dialog box are optional. For other applications, you might need to fill in other fields. For more information, refer to the Inventory online help.

Step 3 Click Next.

The Enter Login Authentication Information dialog box appears.

You must fill in the Read Community String field and verify the password. For Inventory, all other fields in this dialog box are optional. For other applications, you might need to fill in other fields. For more information, refer to the online help.

Step 4 Click Next.

The Enter Enable Authentication Information dialog box appears.

If required, complete this dialog box. For Inventory, all fields in this dialog box are optional. For more information, refer to the online help.

Step 5 Click Finish.

The Single Device Add dialog box appears.

Step 6 Click View Status.

The Add/Import Status Summary dialog box appears.

Step 7 Use the Add/Import Status Summary dialog box to check the status of the device you specified.

The dialog box should contain:

Device Status
Number of Devices

Managed

0

Alias

0

Pending

1

Conflicting

0

Suspended

0

Not Responding

0

Device Attribute Errors

0


If the device responded quickly, the Managed row might already contain one device.

Step 8 Click Update on the Add/Import Status Summary dialog box to update device status.

If the pending count goes from 1 to 0 after you click Update and the Managed field has 1 device, Essentials was installed and configured correctly. You might need to wait a couple of minutes for the device to become managed. Click Update on the Add/Import Status Summary dialog box every minute or so to check current device status.

If you added a device and the Add/Import Status Summary dialog box shows that the device status has not changed from Pending even after 15 minutes, check the status of all processes to make sure they are running normally.

To view the latest device status information, select Resource Manager Essentials > Administration > Inventory > Import Status, then click Update in the Add/Import Status Summary dialog box.

To determine if the DIServer process is running, select Server Configuration > Administration > Process Management > Process Status. (The DIServer process is responsible for validating devices and changing their status from Pending.)

Even if the DIServer process has the state Running Normally, it might be in an error state. You need to stop and restart it.

To stop the DIServer process:

a. Select Server Configuration > Process Management > Stop Process.

The Stop Process dialog box appears.

b. Click the Process radio button.

c. In the Process Name field, select DIServer, then click Finish.

To restart the DIServer process:

a. Select Server Configuration > Process Management > Start Process.

The Start Process dialog box appears.

b. Click the Process radio button.

c. In the Process Name field, select DIServer, then click Finish.

Step 9 Select Resource Manager Essentials > Administration > Inventory > Import Status, to return to the Add/Import Status Summary dialog box, then click Update.

The device status should change to Managed within a couple of minutes.

Importing Devices

You can import devices either from a file or a network management system (NMS). The NMS can be either local or remote.

You can extract data from your existing data source into a comma-separated value (CSV) file or device integration file (DIF), then use this file as input into the Essentials database. First create a CSV file or DIF file, then select Resource Manager Essentials > Administration > Inventory > Import from File to access the file and import the device information. For additional information, refer to the online help.

To import devices from a local NMS database, select Resource Manager Essentials > Administration > Inventory > Import from Local NMS. For more information, refer to the online help.

For a list of supported NMS software, see the"Supported NMS Environments for Device Import" section.

To import devices from a remote NMS:

Work with the system administrator of the host on which the NMS database is running. For more information, refer to the online help.

Perform several system and NMS configuration steps that depend on the NMS you are using. For information about the device import software supported for remote import, see the "Supported NMS Environments for Device Import" section. For additional information, refer to the online help.

Select Resource Manager Essentials > Administration > Inventory > Import from Remote NMS to import devices from the databases listed in the Remote NMS Import dialog box.

To import devices from an Auto Update Server (AUS):

Select Resource Manager Essentials > Administration > Inventory > Proxy Management.

If you have difficulty importing device information:

Increase the SNMP timeout setting. Refer to the online help for more information or see the "Configuring the Server" section.

Verify that you entered correct read community strings for the devices.

For additional information, refer to the online help.

Creating a Device View

After you have added devices into the Essentials inventory database, you can define views to logically group devices into locations, types, or areas of responsibility. Device Views allow you to quickly view reports on all devices of a certain type or with specific characteristics, such as all Catalyst® switches.

Three categories of device views are available in Essentials:

System Views—Predefined and available after you install Essentials. System views include most major classes of Cisco devices, such as all Catalyst switches, all Cisco 7000 Series routers, or all SwitchProbes.

Custom Views—Defined by users and, when created, are available for use by anyone with the appropriate access to the server.

PrivateViews—Defined by users, but available only to the user account that created them.

Two different types of views can be created within the Custom or Private categories (all system views are dynamic views):

Dynamic views are logical groups based on device attributes, such as device class or software version. The devices in a dynamic view appear, based on the attribute value. If the device attribute for a device in which the dynamic view is based on changes, the device will no longer be a member of that dynamic view.

If devices are added to the inventory with the same value, or an existing devices attribute is changed to the same value, as the value for the attribute that a dynamic view is based on, then they will be automatically added to the view.
An example of a dynamic view is all devices with Cisco IOS Version 12.0. Any devices that currently have this attribute would be included in the device view. All system views are dynamic.

Static views are logical groups based on user-defined characteristics. Static views include any devices that you add to the view. The members of the logical group do not change unless you manually add or remove devices. Use static view when you do not want the membership to change automatically.

To set up and verify the Essentials applications, you must create a static device view (a group of devices) that includes at least one device. For additional information, refer to the online help.

To create a static device view:

Step 1 Select Resource Manager Essentials > Administration > Device Views > Add Static Views.

The Add Static Views dialog box appears.

Step 2 Select the view that has the device(s) you want to add from the Views column, If you have not previously configured any views, select All.

Step 3 Select the device(s) that you want to add from the Devices list, then click Add.

Step 4 Enter the view name and view description.

Step 5 Click Finish.

Changing Device Attributes (Credentials and Serial Numbers)

To make sure your devices have the correct device access, password information, and user information, you can change the device attributes.

Contract Connection lets you verify which of your Cisco IOS® devices are covered by a service contract. Contract Connection uses Inventory Manager, Cisco.com and the Cisco internal contract tracking service, Contract Agent, to provide the status of your service coverage.

For Contract Connection to provide accurate contract status information, you must enter device serial numbers to the inventory entries of devices that have service contracts.

To edit device attributes:

Step 1 Select Resource Manager Essentials > Administration > Inventory > Change Device Attributes.

The Change Device Attributes dialog box appears.

Step 2 Select the device whose device information you want to edit, then click Next.

The Change Device Attributes dialog box displays the options.

Step 3 Select one or more options, then click Next.

A dialog box appears for each option you selected. The dialog box fields are blank; they do not display the current information.

Step 4 Edit dialog boxes as needed:

To retain the current value, leave the field blank.

To change a value, enter the new information in the field. If you are changing a local or TACACS password, you must enter the username.

To delete a value, click Delete next to the field. If you are deleting a password, you must also enter the username.

Note Verify your entries before you click Next in any dialog box. If you change device attributes, you cannot undo the change, except by reediting.

Step 5 After you complete editing a dialog box:

Click Finish to apply the changes and move to the next dialog box or to exit, if you are in the final dialog box.

Click Back to close the dialog box without changing any information.

Setting Up and Verifying Availability

If users experience connectivity problems while trying to reach certain resources or services on the network, you should check whether or not any devices have gone down. If a device is unreachable, you will want to find out when it was last operational and if any abnormal reloads have occurred.

The Availability function within Essentials helps you track whether a device can be reached on your network.

To verify that the Availability function is working correctly, you must have a test device view with at least one device. You can use the view you created during Inventory setup. Use this test view to verify that the Availability function displays the devices in the Reachability Dashboard.

Step 1 Select Resource Manager Essentials > Administration > Availability > Change Polling Options.

The Select Polled Views dialog box appears.

Step 2 Select the test device view that you created from the All Views list, then click Add to add it to the Polled Views list.

This creates a view for Availability polling.

Note You must add views to the Polled Views list. Only polled views are monitored.

Step 3 Click Next.

The Change Polling Options dialog box appears.

Step 4 Select 5 Minutes from the Verify device reachability every drop-down list, then click Finish.

Step 5 Wait for at least 10 minutes to make sure Availability polls the devices in your test device view.

Step 6 Select Resource Manager Essentials > Availability > Reachability Dashboard.

The Reachability Dashboard appears.

Step 7 Click the view name.

The devices in your test device view should appear in the Availability Monitor.

Now that you have configured one Availability view and specified polling parameters, you can monitor devices and run reports. For details about using Availability, refer to the online help.

Setting Up Syslog Analysis

Syslog Analysis lets you centrally log and track messages generated by devices. You can use the logged error message data to analyze device and network performance. You can customize Syslog Analysis to produce the information and message reports that are important to your operation.

See the online help for more information about Syslog Analysis.

Setting up Syslog Analysis involves:

Specifying Country Codes

Configuring Devices for Syslog Analysis

Verifying the Syslog Analyzer

Specifying Country Codes

You must update the country code entry in the file, Sa.properties with the appropriate country code to make sure the Syslog timestamp conversion works correctly. Sa.properties is located in the directory, $NMSROOT/lib/classpath/com/cisco/nm/sysloga/sa, where $NMSROOT is the directory in which CiscoWorks is installed.

The country code is the 3-letter abbreviation specified according the ISO_3166 document.

For a list of country codes, refer to the file, CountryCode.txt, located in the directory, $NMSROOT/lib/classpath/com/cisco/nm/sysloga/CountryCode.txt.

Note You must restart Syslog Analyzer after you update the country code.

To terminate Syslog Analyzer, at the command prompt, enter: 

$NMSROOT/bin/pdterm SyslogAnalyzer

To start Syslog Analyzer, at the command prompt, enter: 

$NMSROOT/bin/pdexec SyslogAnalyzer

Configuring Devices for Syslog Analysis

Before you can use Syslog Analysis, you must configure your devices to forward messages to Essentials or to a system on which you have installed the distributed Syslog Analyzer Collector. For more information about setting up devices for message logging, refer to the online help, the Cisco IOS software documentation on Cisco.com (for Cisco IOS devices), and the appropriate reference guides.

Configuring Cisco IOS Devices

To configure Cisco IOS devices:

Step 1 Telnet to the device and log in.

The prompt changes to host>.

Step 2 Enter enable.

Step 3 Enter the enable password.

The prompt changes to host#.

Step 4 Enter configure terminal.

You are now in configuration mode, and the prompt changes to host(config)#.

Step 5 To make sure logging is enabled, enter logging on.

Step 6 To specify the server to receive the router syslog messages, enter logging 123.45.67.89 (where 123.45.67.89 is the IP address of the server).

Step 7 Set the logging trap level by entering logging trap informational. Severity level informational means all alert and informational messages will be logged to the server.

Step 8 Verify that Syslog is running:

a. From the CiscoWorks desktop, select Server Configuration > Administration > Process Management > Process Status.

The Process Status dialog box appears.

b. Verify that the entry for Syslog Analyzer has the status, Running normally.

Step 9 Verify that the Syslog configuration file settings are correct. See the "Verifying the Settings in the Syslog Configuration File" section for instructions.

Configuring Catalyst Devices

To configure Catalyst devices:

Step 1 Telnet to the device and log in.

The prompt changes to host>.

Step 2 Enter enable and the enable password.

The prompt changes to host(enable)

Step 3 To make sure logging is enabled, enter set logging server enable.

Step 4 Enter set logging server 123.45.67.89 (where 123.45.67.89 is the IP address of the server) to specify the server that is to receive the Catalyst switch syslog messages.

Step 5 Set the appropriate logging trap level by entering set logging all level 6 default.

Severity level 6 means all messages from levels 0-6 (from alerts to notifications) will be logged to the server.

Step 6 Verify that Syslog is running.

a. From the CiscoWorks desktop, select Server Configuration > Process Management > Process Status.

The Process Status dialog box appears.

b. Verify that the entry for Syslog Analyzer has the status, Running normally.

Step 7 Verify that the Syslog configuration file settings are correct. see the "Verifying the Settings in the Syslog Configuration File" section for instructions.

Verifying the Settings in the Syslog Configuration File

To check the path and permissions of the file pointed to by local7.info in the syslog configuration file /etc/syslog.conf on the server:

The first occurrence of local7 in the syslog.conf file, must contain the path for the Syslog message source.

Step 1 Make sure the facility.level definition is set to local7.info, and that the following line is present (note that there must be a tab between local7.info and the path/filename): 

local7.info     path/filename

where path/filename is the full path to a file.

Step 2 Make sure the syslog process (syslogd) can both read and write to the file.

If you modified the /etc/syslog.conf file, you must restart the syslog process (syslogd). Enter the following command to stop and restart syslogd: 

/etc/init.d/syslog start and /etc/init.d/syslog stop

If the start and stop command does not work, enter: 

kill -HUP `cat /etc/syslog.pid`

Step 3 Make sure the Message Source in the CiscoWorks Server is the same as the filename you specified in the syslog.conf file. You can check this by selecting Resource Manager Essentials > Administration > Syslog Analysis > Change Storage Operations.

Verifying the Syslog Analyzer

To verify that the Syslog Analyzer is processing messages from the network:

Step 1 Log in to a managed router that is configured to send Syslog messages to the server. You must have appropriate login privileges to make configuration changes.

Step 2 Make a nondestructive change to the router configuration. For example, to change the contents of the login banner enter: 

# enable

# configure terminal

The prompt changes to #>. 

#> banner motd /

This is a test /

#> end

Step 3 Wait approximately 2 minutes for the server to process the Syslog message

Step 4 Select Resource Manager Essentials > Syslog Analysis > Standard Reports.

The Standard Reports dialog box appears.

Step 5 Select the device for which you made a change. For more information, refer to the online help.

Step 6 Click Next.

The Select Dates and Report Type dialog box appears.

Step 7 Select:

All Messages in the Report Type list.

Today from the Dates list.

Step 8 Click Finish.

The Syslog-Standard report appears.

Verify that the report contains the Syslog message that the configuration change generated .

Setting Up Software Management

Cisco is constantly improving the quality and functionality of device software. As a network administrator, you need to know what versions are currently running on your devices, and you must keep informed of new software versions available to identify when upgrades are needed.

When software upgrades are required, you must plan for and manage the upgrade to minimize the disruption to the end users. The process of manually upgrading multiple devices on the network can be a very time-consuming and error-prone process.

Software Management application performs system software upgrades, boot loader upgrades, and software configuration operations on groups of routers and switches. For more information about setting up Software Management, see the online help.

Setting up Software Management involves the following:

Verifying Space Required for Downloaded Files

Setting Software Management Preferences

Adding Device Passwords to Inventory

Setting Up TFTP

Setting Up rcp

Allowing the User casuser to Use at and cron

Verifying Space Required for Downloaded Files

Software Management files downloaded to the server from the Cisco.com or the product CD-ROM are stored in the /var directory or its subdirectories. Make sure there is enough space in the /var directory for all files that you plan to download.

Device software image files maybe in a range from 4 MB to 20 MB in size. In addition, you need space for some smaller downloaded files and temporary files. To accommodate these needs, add at least 20% to the space needed for software image files for your final space calculation in the /var directory.

Adding Device Passwords to Inventory

Before you can use Software Management to manage device software images, you must add the required device passwords to Inventory. To add device passwords to Inventory, see the "Changing Device Attributes (Credentials and Serial Numbers)" section or the online help.

Setting Software Management Preferences

Software Management has many preferences you can set to control how the application behaves. To set preferences:

Step 1 Select Resource Manager Essentials > Administration > Software Management > Edit Preferences.

The Edit Preferences dialog box appears.

Step 2 Change preferences as appropriate. For more information, refer to the online help.

Step 3 After you complete the changes:

Click Finish to save your changes.

Click Default to display the default configuration.

Setting Up TFTP

A file transfer server must be installed on your system. You must enable a Trivial File Transfer Protocol (TFTP) server because it is the default file transfer server type.

During Software Management installation, if the installation tool cannot find a TFTP server, it tries to add one. If the installation tool cannot find or create a TFTP server, install and enable the TFTP server and verify that a /tftpboot directory exists, as explained in the following sections.

Enabling the TFTP Daemon

If you are using standard Solaris software, you can add and configure the TFTP server (TFTPD).

Step 1 Log in as superuser.

Step 2 Using a text editor, edit the /etc/inetd.conf file.

Look in the file /etc/inetd.conf for the line that invokes TFTPD. If the line begins with a pound sign (#), remove the pound sign with your text editor. Depending on your system, the line that invokes the TFTP server might look similar to: 

tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

Save the changes to the edited file and exit your text editor.

Step 3 At the UNIX prompt, enter the following command to display the process identification number for the inetd configuration: 

# /usr/bin/ps -ef | grep -v grep | grep inetd

The system response is similar to: 

root  119   1  0  12:56:14 ?           0:00 /usr/bin/inetd -s

The first number in the output (119) is the process identification number of the inetd configuration.

Step 4 To enable your system to read the edited /etc/inetd.conf file, enter: 

# kill -HUP 119

where 119 is the process identification number identified in Step 3.

Step 5 Verify that TFTP is enabled by entering either: 

# netstat -a 

or 

# grep tftp

which should return output similar to: 

*.tftp Idle

or enter: 

# /opt/CSCOpx/bin/mping -s tftp localhost_machine_name

which returns the number of modules sent and received, for example: 

sent:5 recvd:5 . ..

If the output shows that zero modules were received, TFTP is not enabled. Repeat these steps, beginning with Step 1, to make sure you have enabled TFTP.

Creating the /tftpboot Directory

Essentials uses the /tftpboot directory when transferring files between the Essentials server and network devices. The files are removed after the transfer is complete, but multiple jobs (for example, image distribution, image import, or config file scan) could be running at the same time.

Each of these jobs requires its own space. Software image sizes, for example, can be up to 20 MB. To ensure that jobs run successfully, make sure there is sufficient space available in the /tftpboot directory.

If the /tftpboot directory does not exist on your system, you must create it:

Step 1 Enter: 

# mkdir /tftpboot

Step 2 Make sure all users have read, write, and execute permissions to the /tftpboot directory by entering: 

# chmod 777 /tftpboot

The /tftpboot directory now exists and has the correct permissions.

Setting Up rcp

You can enable a remote copy (rcp) server on the server and select it as the active file transfer server. If you select rcp as the active server and then try to transfer files to a device that does not support rcp, Essentials uses TFTP to transfer the files.

Creating the rcp Remote User Account

To use rcp, you must create a user account on the system to act as the remote user to authenticate the rcp commands issued by devices. This user account must own an empty .rhosts file in its home directory to which the user casuser has write access.

You can choose the name of this user account because you can configure the Essentials server to use any user account. The default user account name is cwuser. The examples in this procedure use the default name cwuser. If you choose to use a different name, substitute that name for cwuser.

To create and configure the rcp remote user account, follow these steps while logged in as root:

Step 1 To add a user account named cwuser to the system, enter: 

# useradd -m -c "user account to authenticate remote copy operations" 
\ cwuser

Step 2 Navigate to the cwuser home directory.

Step 3 To create the .rhosts file, enter: 

# touch .rhosts

Step 4 To change the owner of the .rhosts file, enter: 

# chown cwuser:casusers .rhosts

Step 5 To change the permissions of the .rhosts file, enter: 

# chmod 0664 .rhosts

Step 6 If you did not use the default user name cwuser, use the user account that you created as the rcp remote user account.

a. Log on to the server as admin.

b. Select Resource Manager Essentials > Administration > System Configuration. The System Configuration dialog box appears.

c. Select the rcp tab.

d. Enter the name of the user account that you just created in the User Name field, then click Apply.

Enabling the rcp Daemon

To add and configure standard Solaris rcp server software:

Step 1 Log in as superuser.

Step 2 Using a text editor, edit the /etc/inetd.conf file.

Look in the file /etc/inetd.conf for the line that invokes rshd. If the line begins with a pound sign (#), remove the pound sign with a text editor. Depending on your system, the line that invokes the rshd server might look similar to: 

shell  stream  tcp   nowait  root   /usr/sbin/in.rshd   in.rshd

Save the changes to the edited file and exit the text editor.

Step 3 At the UNIX prompt, enter the following to display the process identification number for the inetd configuration: 

# /usr/bin/ps -ef | grep -v grep | grep inetd

The system response is similar to: 

root  119   1  0  12:56:14 ?           0:00 /usr/bin/inetd -s

The first number in the output (119) is the process identification number of the inetd configuration.

Step 4 To enable your system to read the edited /etc/inetd.conf file, enter: 

# kill -HUP 119

where 119 is the process identification number identified in Step 3.

Step 5 Verify that rshd is enabled by entering: 

# netstat -a | grep shell

which should return output similar to: 

*.shell    *.*     0 0 0 0 LISTEN

Selecting rcp as the Active File Transfer Method

If you have enabled rcp as the file transfer method, Essentials uses rcp to transfer device software images. For devices that do not support rcp, Essentials uses TFTP to transfer files.

You can disable rcp if you do not want Essentials to use it with any devices.

Step 1 Select Resource Manager Essentials > Administration > Software Management > Edit Preferences.

Step 2 Select Use RCP for image transfer (when applicable).

Step 3 Click Finish.

Allowing the User casuser to Use at and cron

Software Management uses at and cron to schedule Software Management image transfers to devices. The process that performs the download is executed as casuser, so the user casuser must be allowed to use at and cron.

To allow the user casuser to use at:

If an at.deny file exists in the /usr/lib/cron directory, make sure casuser is not listed in it. If necessary, remove casuser from the at.deny file using a text editor.

If an at.allow file exists in the /usr/lib/cron directory, make sure casuser is listed in it. If necessary, add casuser to the at.allow file, using a text editor.

If neither an at.allow nor an at.deny file exist in the directory /usr/lib/cron, create an at.allow file and add casuser to it, using a text editor.

To allow the user casuser to use cron:

If a cron.deny file exists in the /usr/lib/cron directory, make sure casuser is not listed in it. If necessary, remove casuser from the cron.deny file, using a text editor.

If a cron.allow file exists in the /usr/lib/cron directory, make sure casuser is listed in it. If necessary, add casuser to the cron.allow file, using a text editor.

If neither a cron.allow nor a cron.deny file exists in the /usr/lib/cron directory, create a cron.allow file and add casuser to it, using a text editor.

Setting Up Configuration Management

One of the most difficult but most important things to manage on network devices is the device configuration. Often a change to the device configuration leads to network performance issues and faults. The device configuration is the key to how a device operates on the network and traffic is passed.

As the network administrator, you need to be able to control and track changes to device configurations in order to minimize errors and assist in troubleshooting problems. This can be very difficult if several people are making changes to the device configurations. It can also become very repetitive and time-consuming to have to make the same update to each individual device on the network. Configuration Management application can help simplify and automate these tasks.

Before Configuration Management can gather device configurations, you need to update the Essentials database with passwords (credentials) and modify device configurations.

Entering Device Credentials

Before the configuration archive can use Telnet to gather device configurations, enter the following device credentials:

Read and write community strings

Telnet passwords for login mode and enable mode

TACACS, Local, and rcp information for the devices

If a device is configured for TACACS authentication, add the TACACS username and password, not the Telnet passwords.

If a device is configured for local user authentication, add the local username and password.

In case of Radius authentication, enter the Radius username and password of the device, either in the TACACS authentication fields or in the local authentication fields.

If you already added devices or imported them into Inventory and did not specify this information, you can change the device attributes.

See the "Changing Device Attributes (Credentials and Serial Numbers)" section or the Inventory online help for more information.

Modifying Device Configurations

You need to modify your device configurations so that Configuration Management can gather the configurations. After you perform the following procedures and your devices become managed, the configuration files are collected and stored in the configuration archive.

Make Sure Devices Are rcp-enabled

Make sure the devices are rcp-enabled by logging into each device and entering the following commands in the device configurations: 

# ip rcmd rcp-enable

# ip rcmd remote-host local_username 123.45.678.90 remote_username 
enable

where 123.45.678.90 is the IP address or hostname of the system on which Essentials is installed. The default remote_username and local_username are casuser.

Make Sure Devices Are SSH-enabled

Make sure the devices are SSH-enabled by logging into each device and entering the commands for the following kinds of devices:

For Catalyst Switches Running CatOS

For Cisco IOS Routers

For Catalyst Switches Running CatOS

To enable SSH on Catalyst switches do the following:

Step 1 Generate an RSA key, by entering: 

sec-cat6000> (enable) set crypto key rsa 1024

A message similar to the following appears: 

Generating RSA keys..... [OK]

Step 2 Verify the RSA key, by entering: 

sec-cat6000> (enable) ssh_key_process: host/server key size: 1024/768

Step 3 Display the RSA key, by entering 

sec-cat6000> (enable) show crypto key

A message similar to the following appears: 

RSA keys were generated at: Mon Jul 23 2001, 15:03:30 1024 65537 
1514414695360

5773328536717047857098506066347687468697169639403524406206785753387015
50888525

6996914783305378400669569876102078109594986481799653300180108447858634
72773067

6971852564183862430018810088305612411373816928200786743760582755731334
48529332

1996682019301329470978268059063378215479385405498193061651

Step 4 Specify the host or subnets which are allowed to use SSH to communicate with the switch. For example, to specify that the IP addresses 172.18.124.0 and 255.255.255.0 be allowed to use SSH, enter:

Note If you do not perform this step this, the switch will display the following error:
WARNING!! IP permit list has no entries! 

sec-cat6000> set ip permit 172.18.124.0 255.255.255.0


A message similar to the following appears:

172.18.124.0 with mask 255.255.255.0 added to IP permit list.

Step 5 To enable SSH, enter: 

sec-cat6000> (enable) set ip permit enable ssh

A message similar to the following appears: 

SSH permit list enabled.

Step 6 Verify the SSH permit list, by entering: 

sec-cat6000> (enable) sho ip permit

A message similar to the following appears: 

Telnet permit list disabled.

Ssh permit list enabled.

Snmp permit list disabled.

Permit List Mask Access-Type

---------------- ---------------- -------------

172.18.124.0 255.255.255.0 telnet ssh snmp


Denied IP Address Last Accessed Time Type

----------------- ------------------ ------

For Cisco IOS Routers

To enable SSH on Cisco IOS Routers do the following:

For example, if you want router1 to act as an SSH client to the another router, you can add SSH to a second router, say router2. The routers will then be in a client-server arrangement, with router1 acting as the server and router2 acting as the client. The IOS SSH client configuration on router2 is the same as required for the SSH server configuration on router1.

Step 1 Configure the hostname for router1, by entering: 

hostname router1

A message similar to the following appears: 

username username password 0 password

Step 2 Configure the DNS domain on router1, by entering: 

ip domain-name domain-name

Step 3 Generate the SSH key to be used, by entering: 

cry key generate rsa

A message similar to the following appears: 

ip ssh time-out 60

ip ssh authentication-retries 2

Step 4 Enable SSH transport support for vtys:

Note By default vtys transport is through Telnet. In this case, Telnet has been disabled and only SSH is supported. 

line vty 0 4

transport input SSH

Configure Devices for Syslog Analysis

Configure your devices for Syslog Analysis if you want the device configurations to be gathered and stored automatically in the configuration archive when syslog messages are received. See the "Setting Up Syslog Analysis" section or refer to the online help for more information.

Modifying Device Security

Configuration Management must be able to run certain commands on devices to archive their configurations. You must disable the security on devices that prevents Configuration Management from running the commands shown in Table 2-4.

Table 2-4 Required Configuration Management Commands  

Command Type
Command
Description

Catalyst commands

set len 0

Turns paging off for the Telnet session.

write term

Gets the running configuration.

FastSwitch command

show run

Gets the running configuration.

IOS commands

term len 0

Turns paging off for the Telnet session.

show run

Gets the running configuration.

show config

Gets the startup configuration.


Setting Up NetConfig

The NetConfig function provides wizard-based templates to simplify and reduce the time it takes to roll out global changes to network devices. These templates can be used to execute one or more configuration commands on multiple devices at the same time.

For example, if you want to change passwords on a regular basis to increase security on devices, you can use the appropriate password template to update passwords on all devices at once. A copy of all updated configurations will be stored in the configuration archive.

This section describes how to set up NetConfig. This involves:

Verifying Device Configurations

Verifying Device Credentials

Modifying Device Security

Verify Device Prompts

Configuration Job Setup

Verifying Device Configurations

NetConfig can configure only devices that have archived configurations. Use the Archive Status report to:

Verify that devices you want to configure have an archived configuration.

Troubleshoot the devices that do not have an archived configuration.

Step 1 Select Resource Manager Essentials > Administration > Configuration Management > Archive Status.

The Configuration Archive Status Summary dialog box appears.

Step 2 Click Update at the bottom of the dialog box to update the archive status.

Step 3 Click on a device status to view details:

Click Successful to display information on archived configurations. Click Close to close the window and return to the Configuration Archive Status Summary dialog box.

Click Failed to display information on configurations that could not be obtained. To update the archive for failed devices:

a. Click on one or more device names or click Select All

b. Click Update Archive.

The Running Configuration Status report appears.

c. Click Update Status to refresh the device status in the archive.

d. Click Close to return to the Configuration Archive Status Summary dialog box.

Click Not Supported to display the devices not supported by the configuration archive. Click Close to return to the Configuration Archive Status Summary dialog box.

Click Partial Failure to display the Catalyst 5000 devices whose submodules were not pulled into the archive. Click Close to return to the Configuration Archive Status Summary dialog box.

For more information, see the Configuration Management online help

Verifying Device Credentials

Verify that every device you want to configure using NetConfig has the correct device credentials entered in the Inventory application. NetConfig must have access to the correct credentials to make device configuration changes.

To verify device credentials, select Resource Manager Essentials > Inventory > Check Device Attributes. If any devices that you want to configure have incorrect credentials, see the "Changing Device Attributes (Credentials and Serial Numbers)" section or the online help.

Modifying Device Security

In addition to running the configuration commands that you assign to each job, NetConfig must be able to run certain commands on devices to configure them. You must disable the security on devices that prevents NetConfig from running the commands listed in Table 2-5.

Table 2-5 Required NetConfig Commands  

Command Type
Command
Description
IOS Commands

term len 0

Turns paging off for Telnet session

write term

Gets running configuration

show config

Gets startup configuration

write mem

Writes running configuration to startup configuration

config t

Enters config mode

exit

Exits config mode

Catalyst Commands

set len 0

Turns paging off for Telnet session

write term

Gets running configuration

FastSwitch Commands

show run

Gets running configuration

Content Service Switch Commands

no terminal more

Disables support for more functions with the terminal.

show running-config

Gets all components of the running configuration.

show startup-config

Gets the CSS startup configuration (startup-config).

Content Engine Commands

term len 0

Turns paging off for Telnet session.

show run

Gets running configuration.

show config

Gets startup configuration.


Verify Device Prompts

NetConfig requires particular CLI prompt formats:

If the telnet transport mechanism is used, the following prompts are applicable.

For IOS-based devices, FastSwitch devices, Content Engine devices, and Content Service Switch devices:

The login prompt must end with a greater-than symbol (>).

The enable prompt must end with a pound sign (#).

For Catalyst devices:

The login prompt must end with a greater-than symbol (>).

The enable prompt must end with the text (enable).

If the secure shell (SSH) transport mechanism is used, the following prompts are applicable. There is no support for FastSwitch devices in the SSH transport mechanism.

For IOS-based devices, Content Engine devices, and Content Service Switch devices:

The login prompt may end with any one of the following: (>), (#), (:), (%).

The login prompt may end with any one of the following: (>), (#), (:), enable prompt must end with a pound sign (#).

For Catalyst devices:

The login prompt may end with any one of the following: (>), (#), (:), (%).

The enable prompt must end with the text (enable).

Default prompts use this formatting. If you have changed your defaults, verify that the prompts meet these requirements, and change them if they do not.

Configuration Job Setup

Configuration Job Setup window allows you to set up these:

Transport Protocol Order for NetConfig, NetShow and Config Editor jobs

Password Policy for NetConfig, NetShow and Config Editor Jobs

Transport Protocol Order for NetConfig, NetShow and Config Editor jobs

You can set the protocol order for NetConfig, Config Editor and NetShow jobs to download configurations and for NetConfig and Config Editor to fetch configurations. This setup provides the flexibility of using your preferred protocol order for fetching and downloading the configuration.

Step 1 Select Resource Manager Essentials > Administration > Configuration Management > Configuration Job Setup.

The Configuration Job Setup dialog box appears.

Step 2 Click the Transport tab.

Step 3 Click on the protocol to reorder, then click Up or Down to change its position in the list.

Step 4 Click Apply.

A confirmation message appears.

Step 5 Click OK.

For more information, see the Configuration Job Setup online help.

Password Policy for NetConfig, NetShow and Config Editor Jobs

You have the option of entering your user name and password for job execution. If you enter your username and password, Essentials ignores the username and password in the database and uses the newly entered username and password, instead. If you do not enter your username and password, Essentials uses the user name and password in its database.

This option of entering the username and password for job execution helps in high security installations where device passwords are changed at frequent intervals. For example, the passwords may be changed every 60-90 seconds.

Step 1 Select Resource Manager Essentials > Administration > Configuration Management > Configuration Job Setup.

The Configuration Job Setup dialog box appears.

Step 2 Click the Password Policy tab.

Step 3 Select a combination of policies to set the job password policy.

Step 4 Click Apply.

A confirmation message appears.

Step 5 Click OK.

For more information, see the Configuration Job Setup online help.

Logging Out

To end your administrator tasks, you must log out of CiscoWorks.

Step 1 Close all secondary browser windows. You should have only one browser window opened, displaying the CiscoWorks interface.

Step 2 Click Logout.

The Login Manager dialog box replaces the navigation tree.