-
User Guide for Resource Manager Essentials 3.5 (With LMS 2.2/RWAN 1.3)
-
Preface
-
Overview
-
Resource Manager Essentials Applications
-
VPN Security Management Solution
-
Network Address Translation Support
-
Monitoring Your Devices
-
Upgrading Your Device Software
-
Performing Maintenance on Your Essentials Server
-
Performing a NetConfig Job with the Job Password Policy Enabled
-
Making a Device Configuration Change Using a Template
-
Configuring Multiple Devices
-
Importing Device Data to Inventory
-
Managing PIX Devices through Proxy Server (Auto Update Server)
-
Checking Device Configuration Changes and Who Made Them
-
Creating a Syslog Custom Report
-
Maintaining Your Inventory Information
-
Troubleshooting Essentials
-
File Import Format
-
Essentials Command Reference
-
User Guide for Resource Manager Essentials 3.5 Index
-
Table Of Contents
Resource Manager Essentials Applications
New Features of Configuration Management
Enable Job Password Policy for NetConfig, NetShow, and Config Editor Jobs
Specify the Transport Protocol Order for NetConfig, Config Editor, and Network Show Jobs
Quick Configuration Download from Configuration Archive
Archive and Restore VLAN Configuration Files
Benefits of Configuration Management
Configuration Management Functional Flow
NetConfig, Config Editor, and Network Show Commands
Benefits of Network Show Commands
Benefits of Data Extracting Engine
Benefits of Inventory Management
Inventory Management Functional Flow
New Features of Software Management
Benefits of Software Management
Software Management Functional Flow
New Features of Syslog Analysis
Syslog Analysis Functional Flow
Resource Manager Essentials Applications
This chapter lists all the Essentials applications and the tasks that can be accomplished with each of these applications. The applications are:
Device Views
Essentials provides device views—logical groupings that are used to specify a device or group of devices. You can define views to group selected devices into logical groups. Device views allow you to quickly view reports on all devices of a certain type, or with specific characteristics, such as all Catalyst switches or all devices that you are responsible for.
Since almost every Essentials task requires the set of devices to be executed against, views provide a convenient way to create groups of devices. For example, before you can display an Inventory report, you must select the devices to be included in the report. Views can speed up the selection (instead of running the report for one device at a time).
Note
Essentials graphical user interface (GUI) performance may be affected if the number of devices in the selected view is too large. You should avoid setting all devices views when the number of devices in the inventory is large. You can use system views or create custom views to keep the number of devices in a view from growing too large.
Creating a view using the Device Views application enables you to run reports for specific devices based on common attributes or user-defined characteristics.
Types of Views
Three categories of device views are available:
•
•
•
Two different types of views can be created within custom or private views:
•
•
Dynamic views are logical groups based on device attributes, such as device class or software version. The devices in a dynamic view can change based on the attribute value of devices in the Inventory. An example of a dynamic view is all devices with Cisco IOS Version 12.0. Any device that currently has this attribute would be included in the device view. All system views are dynamic.
Static views are logical groups based on user-defined characteristics. Static views include any devices that you add to the view. The members of the group do not change unless you manually add or remove devices. Use static views when you do not want the membership to change automatically. See Figure 2-1.
Figure 2-1 Device Views
Table 2-1 shows the tasks that you can accomplish with the Device Views application.
Setting Device Credentials
It is important to configure the device credentials correctly on every Cisco device that you will manage and monitor using Essentials.
Table 2-2 lists all the applications and the device credentials required for proper functioning of the applications.
Table 2-2 Applications and the Device Credentials
NetConfig
Required
Required
Required
Required if configuration fetch is through TFTP
NetShow
Required
Required
Required
Not required
Config Editor
Required
Required
Required
Required if configuration fetch is through TFTP
ChangeAudit
Not required
Not required
Required
Not required
Configuration Management (Telnet)
Required
Required
Required
Not required
Configuration Management (TFTP)
Not required
Not required
Required
Required
Device Views
Not required
Not required
Required
Not required
Inventory
Not required1
Not required2
Required
Not required3
SWIM
Required4
Required5
Required
Required
Syslog
Not required
Not required
Required
Not required
Availability
Required
Required
Required
Not required
Case Management
Required
Not required
Required
Not required
Contract Connection
Required
Not required
Required
Not required
1 Inventory requires Telnet password to perform the check device attributes operation.
2 Inventory requires enable password to perform the check device attributes operation.
3 Inventory requires SNMP Read/Write string to perform the check device attributes operation.
4 Required in case of few devices.
5 Required in case of few devices.
System Configuration
System Configuration lets you configure system-wide information on the CiscoWorks server. In this way, you can centrally locate information that is used by more than one Essentials application.
Note
Table 2-3 shows the tasks that you can accomplish with System Configuration.
Availability
The Availability application lets you monitor the reachability and response time of your network devices. You can view the availability of a selected group of devices, a summary of interface status, reports of reloads (reboots) and unreachable devices, and protocol distribution graphs.
Benefits of Availability
If you experience connectivity problems trying to reach certain resources or services on the network, one of the first things you must check is the status of a device. If a device is unreachable, you will want to find out when it was last operational and whether any abnormal reloads have occurred. This can be the first step in troubleshooting the exact location of the fault. Availability helps you track the reachability of devices on your network.
The Availability application periodically polls selected devices to determine device reachability, interface status, and response times. Availability reports display the status of devices, show devices that are offline for more than three hours, and summarize the percentage of Layer 3 protocol traffic forwarded on each Layer 3 device.
The Reloads Report shows the cause of the past five reloads for a device and includes a link to the Cisco.com Cisco Output Interpreter to help troubleshoot any device failures. Availability provides reports to quickly assess the status of selected devices on the network. Information can be tracked for all devices on the network, or only critical devices to reduce the load on the network and the network management system.
Availability Functional Flow
Before device availability information will be stored in Essentials, you must select the specific device views that needs to be monitored for Availability. When devices are selected to be included in Availability polling, Essentials will poll the devices according to the schedule set by the network administrator (only one schedule for all views). Devices will be polled for reachability, response time, interface status, reload, and protocol information.
This information will be updated in the Availability database after each scheduled poll, and can be viewed by displaying Availability Reports. Historical information on reachability and response times is also stored in the Essentials database and can be displayed in trend graphs under Availability Monitor. See Figure 2-2.
Figure 2-2 Availability Functional Flow
Availability Workflow
Figure 2-3 depicts the Availability workflow and associated tasks within Essentials:
•
•
Figure 2-3 Availability Workflow
Table 2-4 shows the tasks you can accomplish with the Availability application.
Table 2-4 Availability Manager Tasks
Set polling views and options.
Select views to be monitored. You must do this before you can monitor device availability.
If your system performance is degraded by availability polling, you can add more system resources, poll fewer devices, or poll less frequently.
Select Resource Manager Essentials > Administration > Availability > Change Polling Options.
Change polling options.
Select default Availability polling option values or to select new values from the drop-down list boxes.
The polling options you set, apply to all Availability views.
Select Resource Manager Essentials > Administration > Availability > Change Polling Options.
View the Reachability Dashboard.
View device status for all views set for availability monitoring. The dashboard continuously reports:
•
•
Select Resource Manager Essentials > Availability > Reachability Dashboard.
Monitor device availability.
Continuously monitor selected devices and access interface availability details.
Select Resource Manager Essentials > Availability > Availability Monitor.
View the Reloads report.
Display the most recent reloads (up to 5) for selected devices. The report shows the reason for each reload and when it occurred.
Select Resource Manager Essentials > Availability > Reloads Report.
To view reloads that occurred only within the past 24 hours, select Resource Manager Essentials > 24-Hour Reports > Reloads Report.
View the Cisco Output Interpreter Analysis.
Decode and analyze the device's stack dump, to enable troubleshooting of devices that reload unexpectedly.
An unexpected reload is any reload that is neither initiated by you nor a result of a power-on.
The Reloads report applies only to routers running Cisco IOS Release 10.2 or later and is available only for the most recent reload.
Select Resource Manager Essentials > Availability > Reloads Report.
In the generated report, click on the reload reason.
You may be prompted to enter your Cisco.com (CCO) username and password.
See the Cisco home page to have your Cisco.com (CCO) profile updated or changed, or, after you log in, use the Cisco.com Profile button to update your Cisco.com profile.
View the Offline Device report.
Generate a report of managed devices that have not responded to polling for more than a specified period of time (3, 6, 12, 24, 48, or 72 hours).
Select Resource Manager Essentials > Availability > Offline Device Report.
To view only devices that have been off line for the past 24 hours, select Resource Manager Essentials > 24-Hour Reports > Offline Device Report.
View the Protocol Distribution graph.
View the distribution of IP, AppleTalk, IPX, DECnet, VINES, and XNS packets for selected devices in a bar or pie chart. This report shows the Layer 3 protocol packet types that are forwarded by the devices.
Select Resource Manager Essentials > Availability > Protocol Distribution Graph.
Case Management
You can use Case Management to open and track a case for network problems that require assistance from Cisco Technical Assistance Centre. Case Management can collect critical network information, such as protocol, interface, and configuration data from Essentials and send to Cisco.com.
When you open a case, you can designate specific Telnet command data (if applicable) and SNMP inventory values to be collected from selected devices. Case Management will attach this information to the case description and forward it to Cisco.com, which can reduce the time it takes a Cisco representative to help resolve the problem.
Inquiries to Cisco TAC are categorized according to the urgency of the issue. New cases are automatically set to Priority level 3 (P3). If your case requires higher priority handling, you must contact the Cisco TAC or your sales engineer to request that the priority be raised. For more information on priority categories, see "Obtaining Technical Assistance" section.
Table 2-5 shows the tasks you can accomplish with the Case Management application.
Change Audit
The Change Audit application lets you track and report network changes. It provides the capability for other Essentials applications to log change information to a central repository called the Change Audit log.
New Features in Change Audit
You can now delete change audit records that are older than a specified number of days.
For example, if you specify 15 days, change audit records that are over 15 days old (including today) will be deleted (Resource Manager Essentials > Administration > Change Audit > Delete Change History).Change Audit Functional Flow
Change Audit tracks all changes discovered by the Inventory Manager, Software Manager, and Configuration Manager. Every time one of these applications detects a change, it sends a change record to the Change Audit Service, with details of who, when, and what type of change occurred. See Figure 2-4.
Inventory changes include any changes to device information stored in the Inventory database, such as chassis, interfaces, and system information. Software Management changes include upgrades to new software image versions. Configuration Management changes include all changes made to configuration files on devices. This includes changes made outside of Essentials tasks, detected by the Configuration Archive process, as well as changes made using Essentials functionality—NetConfig or Config Editor.
Inventory changes can be filtered to limit the types of changes that are stored in the Change Audit database. For example, you might not want to track every time the port status on a switch changes because users have shut down their computers connected to the switch. Software and configuration management changes cannot be filtered.
You can view change records or search for specific change records to determine who made a change or when a change was made. Change reports can also be time based to quickly report on changes that have, or have not, occurred during specified time periods—possibly detecting unauthorized change activity.
The Change Audit Service application can also be configured to forward change records, in the form of SNMP traps to remote servers, allowing you to monitor and view changes from a remote network-management station that has event-collection capabilities, such as HP OpenView.
Figure 2-4 Change Audit Functional Flow
Figure 2-5 Change Audit Work Flow
Figure 2-5 depicts the Change Audit workflow and associated tasks within Essentials. Change Audit automatically stores any change records sent from the Inventory Manager, Software Manager, and Configuration Manager applications. After these applications are set up, you can view change records at any time.
You need to perform Change Audit setup tasks only if you want to filter out specific Inventory changes, forward change records to a remote server, or report on changes during specific time periods every week. Change records are stored in the Essentials database until they are removed. Therefore, ongoing maintenance is required to delete old records from the database.
Table 2-6 shows the tasks that you can accomplish with the Change Audit application.
Configuration Management
The Configuration Management application stores the current, and a user-specified number of previous versions, of the configuration files for all supported Cisco devices maintained in the Inventory. It automatically tracks changes to configuration files and updates the database if a change is made.
New Features of Configuration Management
The Configuration Management application has the following new features, that allow you to:
•
•
•
•
For more details of the new features, see Configuration Management, in the Essentials online help.
Enable Job Password Policy for NetConfig, NetShow, and Config Editor Jobs
Essentials stores passwords in the database. While the job is run, the password is retrieved from the database for each of the selected devices. For example, if the TACACS server is managing the devices, the passwords in the TACACS server and the passwords in the Essentials database should be synchronized (with every password change).
You now have the option of entering a username and password for running a specific NetConfig, Network Show, or Config Editor job. If you enter a username and password, NetConfig, Network Show or Config Editor applications use this username and password to connect to the device, instead of taking these credentials from the Essentials database.
This option of entering the username and password for job execution is useful in high security installations where device passwords are changed at frequent intervals. In such instances, the passwords may be changed every 60-90 seconds.
To use this option of entering a username and password for running a specific job, you should enable the job password policy for NetConfig, Network Show, or Config Editor jobs using the Password Policy tab of the Configuration Job Setup dialog box, in the Configuration Management application. To invoke the Configuration Job Setup dialog box, select Resource Manager Essentials > Administration > Configuration Management > Configuration Job Setup.
You can also set the job password to be mandatory, or user configurable.
If you do not enable the job password policy, then the NetConfig, Network Show, or Config Editor applications take the device credentials from the Essentials database to connect to the device.
For details about:
•
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration >
Password Policy for NetConfig, Config Editor and NetShow Jobs).•
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration >
Usage Scenarios When Job Password is Configured on Devices).Specify the Transport Protocol Order for NetConfig, Config Editor, and Network Show Jobs
Essentials now provides you with the option of separately specifying the transport protocol order for the download operations of NetConfig, Config Editor and Network Show jobs, and for the fetch operations of NetConfig and Config Editor jobs.
You can use the Transport Protocol tab of the Configuration Management application (Resource Manager Essentials > Configuration Management > Administration > Configuration Job Setup) to specify the transport protocol order.
This option allows you to use your preferred protocols for downloading or fetching configurations.
For example, you can use Telnet to download configuration to the device, and TFTP to fetch the configuration, thereby improving the overall performance of NetConfig.
You can select the fallback option for these protocols. If you select this option, and the first preferred protocol fails, the next protocol in the list is used for configuration download or fetch operations, and so on.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration > Setting the Transport Protocol Order for NetConfig, Config Editor and NetShow Jobs).Quick Configuration Download from Configuration Archive
You can now create a job to immediately download a selected version of the running configuration, to a device from the Configuration Archive (Resource Manager Essentials > Configuration Management > Search Archive by Device or Resource Manager Essentials > Configuration Management > Search Archive by Pattern).
This method of download is useful when you know the version of the running configuration that has to be downloaded to the device.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration > Making a Quick Download of a Device Configuration).Archive and Restore VLAN Configuration Files
For all Cisco devices that support VLAN configuration such as Catalyst IOS switches, Essentials creates a version of the VLAN configuration file (vlan.dat) for each version of the running configuration file of a device. That is, the running configuration and the vlan configuration files are archived in pairs.
You can download the vlan configuration file to the device, using the Command Line Interface.
You can view the status of the archived VLAN files using the VLAN Configuration tab of the Configuration Archive Status Summary window (Resource Manager Essentials > Administration > Configuration Management > Archive Status).
This table details the scenarios under which VLAN configuration is fetched.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration > Checking VLAN Configuration Archive Status.)
Benefits of Configuration Management
One of the most difficult but important things to manage on network devices, is the device configuration. Often a change to the device configuration leads to network performance issues and faults. The device configuration is the key to how a device operates on the network and traffic is passed.
As the network administrator, you need to be able to control and track changes to device configurations to minimize errors and assist in troubleshooting problems. This can be very difficult if several different users are making changes to the device configurations. It can also become very repetitive and time-consuming. Configuration Management can help simplify and automate these tasks.
Configuration Management gives you easy access to the configuration files for all file-based or Cisco IOS-based Catalyst switches, FastSwitches, Cisco routers, Content Service Switches (CSS) and Content Engine (CE) devices in Essentials.
Configuration files are collected and stored in the Configuration Archive for all the devices supported by the Configuration Management application. (For the list of supported devices, on Cisco.com select Products and Services > Network Management CiscoWorks > CiscoWorks Resource Manager Essentials > Technical Details > Device Support Tables.)
When you change the configuration, an event is sent to the archive which automatically collects the latest configuration.Before you can use the Configuration Archive, you must make sure you have completed all the necessary setup tasks. For information on these tasks, see:
•
•
Configuration Management Functional Flow
After you add or import devices into your inventory, the configuration files for each supported device are collected and stored in the Configuration Archive. When you change the configuration, an alert is sent to the archive which automatically collects the latest configuration information. In addition, a change record is sent to the Change Audit application, which collects and organizes all changes to network devices. This allows you to view all configuration changes made over any period of time or by any specific user. See Figure 2-6
Figure 2-6 Configuration Management Functional Flow
Figure 2-7 Configuration Management Workflow
Figure 2-7 depicts Configuration Management workflow and associated tasks:
•
•
As ongoing maintenance, the Configuration Sync report should be checked daily to ensure that all running and startup configurations on devices match. In addition, the network administrator can use Network Show Commands and Custom reports to troubleshoot problems and gather information as needed.
Configuration Archive
The Configuration Archive maintains a history of configuration files for all managed devices on the network. The network administrator can specify how long files should be kept in the archive, how many versions should be maintained in the archive, and how often devices on the network should be polled for changes. In addition, there are multiple ways to detect changes on devices and trigger an update to the Configuration Archive.
For example, specific syslog messages sent from the device can indicate that a change has occurred and can trigger the Configuration Archive to retrieve the new configuration. The Configuration Archive can also be scheduled to poll all devices at a specific time each week.
Figure 2-8 Configuration Archive Functional Flow
NetConfig, Config Editor, and Network Show Commands
Two additional applications, NetConfig and Config Editor, are available to edit configuration files. The NetConfig application allows you to save sets of commands and execute those commands on multiple devices at the same time.
The Config Editor application can be used to edit any device configuration that is stored in the Configuration Archive, and then download the new configuration to the device. The new configuration is stored in the Configuration Archive and will also trigger a change record to be sent to Change Audit. Additional Configuration reports specific to active virtual private network (VPN) devices are also available.
The NetConfig application provides a set of wizard-based templates that can be used to update the device configuration on multiple devices all at once. The devices must already be managed by Essentials. The new configuration will be stored in the archive for each device changed, and associated change records will be created.
The Network Show Command application accesses network devices in real time to display output for common show commands. This can help in troubleshooting by allowing you to display interface statistics, routing tables, and system information for selected devices.
Table 2-7 shows the archive-specific tasks you can accomplish with the Configuration Management application.
NetConfig Option
Using the NetConfig option, which runs as a separate application in its own window, you can make configuration changes to your managed network devices.
New Features of NetConfig
NetConfig application has the following new features:
•
•
•
•
For more details of the new features, see the section, NetConfig, in the Essentials online help.
Job Password Option
Essentials stores passwords in the database. While the job is run, the password is retrieved from the database for each of the selected devices. For example, if the TACACS server is managing the devices, the passwords in the TACACS server and the passwords in the Essentials database should be synchronized (with every password change).
You now have the option of entering a username and password for running a specific job. If you enter a username and password, NetConfig uses this username and password to connect to the device, instead of taking these credentials from the Essentials database.
This option of entering the username and password for job execution is useful in high security installations where device passwords are changed at frequent intervals. In such instances, the passwords may be changed every 60-90 seconds.
To use this option of entering a username and password for running a specific job, you should enable the job password policy for NetConfig jobs using the Password Policy tab of the Configuration Job Setup dialog box, in the Configuration Management application. To invoke the Configuration Job Setup dialog box, select Resource Manager Essentials > Administration > Configuration Management > Configuration Job Setup.
You can also set the job password to be mandatory, or user configurable.
If you do not enable the job password policy, then NetConfig takes the device credentials from the Essentials database to connect to the device.
For details about:
•
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > NetConfig > NetConfig Administration > Password Policy for NetConfig Jobs).•
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration > Usage Scenarios When Job Password is Configured on Devices).•
Job Retry Option
You now have the retry option for failed NetConfig jobs. When you retry a job, it runs the job on the failed devices, and retains the job ID of the failed job.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > NetConfig >
Browsing and Editing NetConfig Jobs > Browsing and Editing Jobs.)Multiple Selection of Jobs for Deletion
You can now select more than one job at a time, for deletion from the Job Browser.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > NetConfig >
Browsing and Editing NetConfig Jobs > Browsing and Editing Jobs.)Separate Protocol Ordering for Configuration Download and Fetch Operations
Earlier, the NetConfig application used Telnet to download configuration diffs to the device, and same session was used to fetch the entire configuration from the device. If the configurations are large (for example, ACLs) this adversely affected the overall performance of NetConfig.
For NetConfig jobs, you can now set the transport protocol order separately, for downloading configurations, and for fetching configurations.
This option allows you to use your preferred protocols for downloading and fetching the configuration. For example, you can use Telnet to download configuration to the device, and TFTP to fetch the configuration, thus improving the overall performance of NetConfig.
For downloading the configurations, the protocols used are Telnet and SSH.
The default order is,
•
•
For fetching the configurations, the protocols used are Telnet, TFTP, SSH, and rcp. The default order is,
•
•
•
•
You can change the transport protocol order for both downloading and fetching the configurations.
You can select the fallback option for these protocols. If you select this option, and the first preferred protocol fails, the next protocol in the list is used for configuration download or fetch operations, and so on.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration > Setting the Transport Protocol Order for NetConfig, Config Editor and NetShow Jobs).Support for New Templates
Resource Manager Essentials now supports eleven new templates, that can be used through the NetConfig application. They are:
IOS Templates. (These are global IOS templates. They can be applied to one or more IOS device at a time.)
•
•
IOS-Interface-specific Templates. (These can be applied to only one IOS device at a time.)
•
•
Cable Templates (These are global templates. They can be applied to one or more Cable-CMTS devices at a time.)
•
•
Cable Interface-specific Templates. (These can be applied to only one Cable-CMTS device at a time.)
•
•
•
•
•
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > NetConfig >Configuration Templates).Support for System- Defined Templates to Configure IPSec and SSH on Devices
Essentials now supports system-defined templates for configuring IPSec and SSH on devices:
•
•
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > NetConfig >Configuration Templates).Support for Interactive and Multiline Commands
You can now specify interactive and multi-line commands in user defined templates.
For example, as a part of user-defined templates in NetConfig, you can do the following:
•
CLI Command<R>command response 1 <R>command response 2
•
<MLTCMD> banner login "Welcome to
CiscoWorks Resource Manager
Essentials - you are using
multiline commands" </MLTCMD>
Note
Support for interactive and multi-line commands is not available through the NetConfig CLI.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > NetConfig >Defining and Scheduling a NetConfig Job >
Handling Interactive Commands in NetConfig and Config Editor Jobs and
Handling Multi-line Commands).Benefits of Netconfig
The NetConfig application provides you with wizard-based templates to simplify and reduce the time it takes to make global changes to network devices. These templates can be used to execute one or more configuration commands on multiple devices at the same time.
For example, if you want to change passwords on a regular basis to increase security on devices, you can use the appropriate password template to update passwords on all devices at once. A copy of all updated configurations will be automatically stored in the Configuration Archive. See Figure 2-9.
Figure 2-9 NetConfig Functional Flow
NetConfig uses configuration templates to create the configuration commands run on devices when a NetConfig job runs. There are three types of configuration templates:
•
•
•
Caution
By default, only network administrators have access to configuration templates. Network administrators can assign template access privileges to the other system users. When you define or edit a job, the configuration templates to which you have access privileges, appear in the job definition wizard.
Table 2-8 shows the tasks that can be accomplished with the NetConfig option.
Network Show Commands Option
As a network administrators you must be familiar with show commands used on Cisco routers and switches. Network show commands represent a set of read-only commands that you can run on routers, Catalyst switches, Content Engine, Content Service Switches, FastSwitchs and PIX devices. These commands display configuration or status information. You can run Network Show commands from the GUI or from the command line interface.
New Features in Network Show
Network Show has the following new features:
•
•
For more details of the new features, see NetConfig, in the Essentials online help.
Job Password Option
Essentials stores passwords in the database. While the job is run, the password is retrieved from the database for each of the selected devices.
For example, if the TACACS server is managing the devices, the passwords in the TACACS server and the passwords in the Essentials database should be synchronized (with every password change).You now have the option of entering a username and password for running a specific job. If you enter a username and password, Network Show uses this username and password to connect to the device, instead of taking these credentials from the Essentials database.
This option of entering the username and password for job execution is useful in high security installations where device passwords are changed at frequent intervals. In such instances, the passwords may be changed every 60-90 seconds.
To use this option of entering a username and password for running a specific job, you should enable the job password policy for Network Show jobs using the Password Policy tab of the Configuration Job Setup dialog box, in the Configuration Management application. To invoke the Configuration Job Setup dialog box, select Resource Manager Essentials > Administration > Configuration Management > Configuration Job Setup.
You can also set the job password to be mandatory, or user configurable.
If you do not enable the job password policy, then Network Show takes the device credentials from the Essentials database to connect to the device.
For more details about:
•
Password Policy for NetConfig, Config Editor and NetShow Jobs).•
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Network Show >
Network Show Batch Reports > Network Show Batch Reports Tasks > Scheduling a Report).•
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration >
Usage Scenarios When Job Password is Configured on Devices).Multiple Selection of Jobs for Deletion
You can now select more than one job at a time, for deletion from the Job Browser.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Network Show >
Network Show Batch Reports > Network Show Batch Reports Tasks > Browsing Jobs).Protocol Ordering for Running Network Show Commands
You can now set the transport protocol order for running network show commands on devices.
For running the commands, the protocols used are Telnet and SSH. The default order is,
•
•
This option allows you to use your preferred protocol order for running network show commands on devices. If you select the fallback option for these protocols and the first preferred protocol fails, the next protocol in the list is used for running the show commands, and so on.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration > Setting the Transport Protocol Order for NetConfig, Config Editor and NetShow Jobs).Benefits of Network Show Commands
As an Essentials user, you can execute Show commands against many devices and view the results from Essentials, using the Network Show Commands application.
This application can be used to display Show command output for multiple devices in two modes:
•
•
You can use the Network Show tasks to organize and save one or more related Show commands into logical groups, called command sets. These command sets can then be applied to devices whenever specific configuration or status information is needed. You specify which commands you want to group together and run the commands on one or many devices. The output is displayed in a browser window.
All users have access to the following predefined command sets, which ship with Essentials. Some of the most common Show commands used in monitoring and troubleshooting a network are:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
For details of all the available Show commands, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Network Show > The Basics > List of Network Show Commands).In order to display output for other Show commands within Essentials, you must first define the command set, and then assign users to be able to access the command set.
Essentials ships with a set of default network command sets, which you cannot edit or delete. See Figure 2-10.
Figure 2-10 Network Show Commands Functional Flow
Table 2-9 shows the tasks you can accomplish with the Network Show Commands option.
Config Editor Option
You can edit configuration files stored in the Configuration Archive and download files to devices, using the Config Editor option. This option runs as a separate application in its own window.
New Features of Config Editor
Config Editor has the following new features:
•
•
•
For more details, see the Essentials online help.
Job Password Option
Essentials stores passwords in the database. While the job is run, the password is retrieved from the database for each of the selected devices.
For example, if the TACACS server is managing the devices, the passwords in the TACACS server and the passwords in the Essentials database should be synchronized (with every password change).You now have the option of entering a username and password for running a specific job. If you enter a username and password, Config Editor uses this username and password to connect to the device, instead of taking these credentials from the Essentials database.
This option of entering the username and password for job execution is useful in high security installations where device passwords are changed at frequent intervals. In such instances, the passwords may be changed every 60-90 seconds.
To use this option of entering a username and password for running a specific job, you should enable the job password policy for Config Editor jobs using the Password Policy tab of the Configuration Job Setup dialog box, in the Configuration Management application. To invoke the Configuration Job Setup dialog box, select Resource Manager Essentials > Administration > Configuration Management > Configuration Job Setup.
You can also set the job password to be mandatory, or user configurable.
If you do not enable the job password policy, then Config Editor takes the device credentials from the Essentials database to connect to the device.
For more details about:
•
Password Policy for NetConfig, Config Editor and NetShow Jobs).•
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Config Editor >
Config Editor Tasks > Configuring Job Properties).•
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration >
Usage Scenarios When Job Password is Configured on Devices).Multiple Selection of Jobs for Deletion
You can now select more than one job at a time, for deletion from the Job Browser.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Config Editor > Config Editor Tasks > Working with Files > Displaying the Job Status).Separate Protocol Ordering for Configuration Download and Fetch Operations
For Config Editor jobs, you can now use your preferred transport protocols, separately, for downloading configurations, and for fetching configurations.
For example, you can use Telnet to download configuration to the device, and TFTP to fetch the configuration, thus improving the overall performance of Config Editor.
For downloading the configurations, the protocols used are Telnet and SSH.
The default order is,
•
•
For fetching the configurations, the protocols used are Telnet, TFTP, SSH, and rcp. The default order is,
•
•
•
•
You can change the transport protocol order for both downloading and fetching the configurations.
You can select the fallback option for these protocols. If you select this option, and the first preferred protocol fails, the next protocol in the list is used for configuration download or fetch operations.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Configuration Management > Configuration Management Administration > Setting the Transport Protocol Order for NetConfig, Config Editor and NetShow Jobs).Support for Interactive Commands
Interactive commands can be edited using Config Editor.
For example, you can enter an interactive command in the Enter CLI Commands area, using the following syntax:
CLI Command<R>command response 1 <R>command response 2
Benefits of Config Editor
Config Editor allows you to edit and download configuration files to devices using a GUI instead of the command line interface (CLI). Use Config Editor to edit individual device configurations within Essentials and then download them back to a device. A copy of the updated configuration will automatically be stored in the Configuration Archive.
When a configuration file is opened with Config Editor, the file is locked so that other users will not be able to make changes at the same time. While the file is locked, it is maintained in a private archive available only to the user who checked it out. If other users attempt to open the file to edit it, they will be notified that the file is already checked out and they can open only a read only copy. The file will remain locked until it is downloaded to the device or manually unlocked within Config Editor. See Figure 2-11.
Figure 2-11 Config Editor Functional Flow
Note
Select Resource Manager Essentials > Configuration Management > Config Editor > Tools > List Checked Out Files before exiting Config Editor to get a list of files that have to be checked in.Table 2-10 shows the tasks you can accomplish with the Config Editor option.
Contract Connection
Contract Connection lets you verify which of your Cisco IOS devices are covered by a service contract, and when they will expire. Contract Connection uses Inventory Manager, Cisco Connection Online (Cisco.com) and Contract Agent, Cisco's internal tracking service, to provide the status of your service coverage.
To view contract status, however, you must have login privileges to the Cisco.com web site and a Cisco.com profile that enables access to the Contract Agent.
Contract Connection Workflow
Contract Connection checks the devices in your Essentials Inventory against devices logged in the Cisco Contract Agent and displays a summary. You can also view a detailed report on the contract status, which shows when the contract was initiated and when it will expire.
Three different serial numbers can be associated with a device. This determines how Contract Connection works:
•
•
•
For Contract Connection to work properly and display contract details, the managed serial number in the Essentials Inventory must match the shipment serial number logged with the Cisco Contract Agent. If these numbers do not match, select Resource Manager Essentials > Administration > Inventory > Change Device Attributes, to edit the serial numbers.
Table 2-11 shows the task you can accomplish with the Contract Connection application.
Data Extracting Engine (DEE)
Data Extracting Engine (DEE) is a tool that enables you to extract detailed device inventory and running configuration information in XML format from the Essentials server. See Figure 2-12.
Figure 2-12 Data Extracting Engine Functional Flow
Using DEE, you can extract data, in the following ways:
•
•
Benefits of Data Extracting Engine
DEE has the following benefits. You can:
•
DEE has servlet access and command line utilities that can generate inventory data for devices managed by the Essentials server.•
DEE uses existing Configuration Archive APIs and generates latest configuration data from the Configuration Archive in XML format.
Elements in the XML file are created at the configlet level in the current Configuration Archive. Predefined rules that currently exist in the Configuration Archive are used to get the configlets data. The exported data contains the entire running configuration data.•
By default, the data generated through CLI is archived at the following location:For Inventory,
PX_DATADIR/archive/cwexport/timestampinventory.xml
For Config,
PX_DATADIR/archive/cwexport/timestampconfig.xml
Where PX_DATADIR is the NMSROOT/files directory, and NMSROOT is the Essentials installed directory.
You can also specify a directory to store the output. This application does not have a feature to automatically delete the files created in the archive. You should manually delete the files when necessary. While generating data through the servlet, the output will be displayed in the client terminal.
•
You have to upload a payload XML file, which contains the cwexport command options and CiscoWorks user credentials. You have to write your own script to invoke the servlet with a payload of this XML file and the servlet returns the exported file in XML format, if the credentials are correct and options are valid.
For details of payload XML file, see the DEE online help.Device Navigator
Device Navigator lets you access a device that has a Hypertext Transfer Protocol (HTTP) server enabled, directly from a Web Browser. You can select a device and go to the device home page to perform some operations typically performed by Telnet and CLI. You must have the appropriate permissions to access these features.
All Cisco routers and access servers with Cisco IOS 11.0(6) or later have an embedded HTTP server that allows you to access the device from a Web Browser.
From the device web page, you can view the configuration and connectivity information, and even modify the device configuration.
The Device Navigator allows you to connect to the HTTP server on a device directly from Essentials.
In order to utilize this feature, the HTTP server must be enabled on the device. TTP server is 80.
To enable the HTTP server, use the following Cisco IOS global configuration command:
router(config)# ip http server
To change the default port used to access the device Web page, use the following global configuration command:
router(config)# ip http port number
Table 2-13 shows the tasks you can accomplish with the Device Navigator application.
Benefits of Device Navigator
With the Device Navigator you can:
Browse Devices
When the HTTP server is enabled on a device, you can use the Device Navigator to display the device home page in Essentials:
1.
2.
The Device Login dialog box appears.
3.
The home page for the device appears.
The device home page provides links to the following configuration and connectivity information:
There are also links to additional resources and Cisco tech support information at the bottom of the Web page.
Configure a Fallback Port
Typically the HTTP server for a device is configured to run on Port 80. However you can configure the HTTP server to run on any port, in case Port 80 is used by another service.
When browsing the device, the Device Navigator will attempt to connect to Port 80 first.
If this fails, Device Navigator attempts to connect to the fallback port, if one has been configured in Essentials.
To select a fallback port for Device Navigator, select Management Connection > Device Navigator > Configure Fallback Port from the CiscoWorks desktop.
Inventory
Networks are a mix of heterogeneous and geographically dispersed systems. Tracking of hardware and software assets in such an environment is very critical. Inventory details are essential as a basic requirement for all network management applications.
Having all the information about all of your devices in a central place, makes it easier to locate necessary information, resolve problems quickly, and provide detailed information to interested parties.
New Features of Inventory
The Inventory application has the following new features:
•
•
The mapping.properties file is in NMSROOT/htdocs.
The changes that you make to these field labels are reflected in the:
–
–
For example, in the mapping.properties file, you can change the user fields to show meaningful names in the reports and in the GUI, as follows:
–
–
–
–
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Inventory > Add, Import, and Delete Devices > Adding Devices. In this topic, Step 2 of Procedure, click the link, "device access, user, and serial number".Benefits of Inventory Management
As a network administrator, you need to be able to quickly troubleshoot problems on the network, identify when network capacity is being reached, and provide information to management on the number and types of devices being used on the network. If the network goes down, one of the first things you will need to know is what devices are running on the network.
Most Essentials tasks are performed against a set of devices. Hence, information about a particular device must be available in the Essentials database. Inventory Manager is used to specify which devices to manage.
Since Essentials takes advantage of many different management services to collect device information (for example, SNMP, TFTP, Telnet), each device placed into the Essentials database (Inventory) must include the necessary parameters (device attributes) for various management services (community strings, passwords). When this information is included in the Essentials Inventory, the device is considered to be managed by Essentials, and data collection from the device takes place.
Therefore, nothing happens in Essentials until the devices and their attributes are included in the inventory. Inventory Manager is the starting point for all Essentials applications.
When devices are added to Essentials, Inventory Manager (and other applications within Essentials) proceed to contact the device and collect necessary information to be stored in the database. Inventory Management can now be configured to automatically poll devices on the network to look for any changes.
If any changes are detected in hardware or software components, the inventory database will be updated and a change audit record will be created to inform the network manager of the change, and to document the event. This helps to ensure that the information displayed in the Inventory reports reflects the current state of network devices.
The Inventory application lets you:
•
•
•
•
•
•
•
•
•
•
Inventory Management Functional Flow
To use Essentials at its full potential, the device attributes of the devices in the network must be included in the Inventory. Essentials does not auto-discover devices on the network. Devices must be manually added or imported into the Inventory database before information can be displayed in reports.
To simplify the process of populating the Inventory database, device information can be imported from a supported network management system, such as HP OpenView, or from a formatted text file. Essentials can also import the device data directly from Campus Manager Topology Services, which can auto-discover devices. For detailed information, see User Guide for Campus Manager.
Figure 2-13 Inventory Management Functional Flow
You can use the various tasks in the Inventory Manager to populate the database, start tracking any changes to the inventory, and produce inventory reports.
The database or inventory population is also the starting point for using other Essentials applications. See Figure 2-13.Figure 2-14 Inventory Management Workflow
Figure 2-14 depicts the Inventory Management workflow and Essentials tasks:
•
•
•
•
Note
Table 2-13 shows the tasks you can accomplish with the Inventory application.
Job Approval
Software Management and Configuration Management tasks allow you to set up approval checkpoints before you run a job that will change a configuration or update the software image on a device. This can help increase the security on your network, by forcing these types of high-impact jobs to be approved before they are scheduled or executed. Moreover, other CiscoWorks applications can also take advantage of this feature (for example, ACL Manager).
Job Approval is used by other applications to ensure that a job be approved before it can run. Job Approval sends job requests via e-mail to the users on the approver list of a job. If none of the approvers approves the job by its scheduled run time, or if an approver rejects the job, the job is moved to the rejected state and will not run.
When Job Approval is enabled, applications that use it require that the user do the following for each job that is scheduled:
•
•
Job Approval Process
The job approval process requires that you first create an approver list; a list of CiscoWorks user accounts that must approve the job before it can be run. Users must have the role of approver to be included in an approver list.
After you have created at least one approver list, you can enable the job approval feature for Software Management, Configuration Management, or both. See Figure 2-15.
Figure 2-15 Job Approval Workflow
The user must have the user role of system administrator or network administrator to perform this task. You must create at least one approver list before you can enable job approval. Only users who have been assigned the approver role, will be displayed in the list of valid user accounts for approval.
For Software Management, you can also be specific as to the types of jobs that require approval (new image distribution, undo image distribution, retry image distribution).
During scheduling of a job that requires job approval, the user will be queried to select an approver list. When scheduling is complete (the job must be scheduled for the future and not for immediate execution), an e-mail will be sent to all users on the approver list and the job will be placed in the job execution queue with a wait for approval status. The job will not run until at least one user on the approval list has accepted it. If anyone rejects the job, or if no one accepts the job by its scheduled time, the job will not run. The URL to this task is included in the e-mail.
The approver can only accept or reject the job and cannot change any of the operational parameters of the job. All approvers on the list and the creator of the job will receive e-mail notification when the job is either accepted or rejected.
Table 2-14 shows the tasks that can be accomplished with the Job Approval application.
For information on how to perform the Job Approval tasks, see the online help.
Software Management
The Software Management application automates the steps associated with upgrade planning, scheduling, downloading software images, and monitoring your network.
New Features of Software Management
The Software Management application has the following new features:
•
After the device is successfully upgraded, the stored image on the remote stage device is deleted automatically, if delete and squeeze operations are supported by the device.
The remote staging feature is useful when the Resource Manager Essentials server and the devices (including the remote stage device you have chosen) are distributed across a WAN.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager essentials > Software Management > Remote Staging).•
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager essentials > Software Management > Distribution > Distributing by Images).Benefits of Software Management
The Software Management application provides tools making it easier to store backup copies of all Cisco software images running on network devices. It also helps you to store any additional software images that you may wish to maintain, and to plan and execute software image upgrades to multiple devices on the network at the same time.
It gives you flexibility in upgrading devices with software images. You can either select a set of devices and perform an image upgrade, or select a software image and select a set of devices on which to perform the upgrade. You can even select one of your devices as a remote stage to temporarily store a software image.
It can analyze devices against software image requirements to determine device compatibility and make recommendations before performing a software upgrade.
The Software Management application can also download and list applicable images from Cisco.com, while recommending an image for the device upgrade. You should select the Cisco.com filters in Administration preferences, to avail this benefit.
If any errors occur during a software image upgrade, Software Management will allow you to roll back to the previous version. Optionally, for added security and change-management control, software images will not be downloaded unless approved by specifically assigned users. Software Management reports also allow you to track all software upgrades and monitor known bugs in the software versions running on your network.
Software Management Functional Flow
Software images must be imported into Essentials to be maintained in the Software Image Library. Images can initially be imported to the Essentials Software Library from all managed Cisco devices on the network to create a baseline backup copy of all software images running on your network.
Images can also be imported from Cisco.com or the local machine to be used for software image upgrades. See Figure 2-16.
Figure 2-16 Software Management Functional Flow
After images are imported into the Software Image Library, the Software Management application can be configured to automatically poll devices on the network and produce a report of images running on devices that are not stored in the Essentials database. This ensures that for disaster recovery purposes, there is a backup of all software images running on the network in the software library at all times.
Any image that is stored in the Software Image Library can be used to perform a software upgrade. Each step of the process is recorded in the distribution, so if there is a failure, the network administrator will know the reasons for the failure. Software Manager maintains a log of all software upgrades, to make it easy to identify and track when software modifications are made to devices.
In addition, whenever a change is made to the software image on a device, a change record is sent to the Change Audit application, which collects and organizes all changes to network devices.
Software Management can also be configured to periodically check Cisco.com for known software bugs, and produce a report to show all bugs that affect devices on your network.
Figure 2-17 Software Management Workflow
The image depicts the Software Management workflow and associated tasks within Essentials (see Figure 2-17):
•
•
•
•
•
Table 2-15 shows the tasks you can accomplish with the Software Management application.
Syslog Analysis
The Syslog Analysis application lets you centrally log and track system error messages from Cisco devices. Use logged error message data to analyze router and network performance. You can store a maximum of 1 million messages for up to 14 days.
Before you can use Syslog Analysis, you must configure your devices to forward messages either to the Essentials server directly or to a system on which you have installed a Syslog Analyzer Collector (SAC).
The collector filters and forwards the messages to the Essentials server. For more information on configuring network devices for Syslog Analysis, and for installing a remote SAC, see the online help.
New Features of Syslog Analysis
The Syslog Analysis application has the following new features:
•
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Syslog Analysis > Administrative Procedures > Changing Storage Options)•
If you choose to back up the purged messages, you will also be allowed to select the size of the backup file. You can also specify the email addresses, for receiving an email notification, after the backup file crosses the size limit that you have specified.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Syslog Analysis > Administrative Procedures > Changing Storage Options)•
When the server goes down, the RSAC goes into the polling mode and re-connects automatically when its specified server restarts. When the server is down RSAC sends the messages to a local log file. The default location for this log file is the RSAC installed directory.
For details, see the Essentials online help.
(In the left navigation pane of the Essentials online help, select Resource Manager Essentials > Syslog Analysis > Administrative Procedures > Remote Syslog Analyzer Collector (RSAC)).Syslog Analysis Functional Flow
To use the Syslog Analysis features, devices must be configured to forward syslog messages to the Essentials server. When devices are configured correctly, all syslog messages will be forwarded to the Essentials server or a remote SAC.
These messages are stored on the server and are periodically read by the Syslog Analyzer process (approximately every 30 seconds). The Syslog Analyzer reads and processes the messages in the Syslog file, applies any filters that have been defined, and writes remaining messages to the Essentials Syslog message database. All syslog messages that can be read, and that are not filtered out, will be written to the Essentials Syslog database. The database is then used to produce Syslog reports and initiate user-defined scripts.
To reduce the load on the network and the CiscoWorks Server, SACs can be configured on remote workstations to collect and periodically forward syslog messages to the Essentials server. Any filters that have been defined on the Essentials server will be synchronized on SACs during scheduled updates. See Figure 2-18.
Figure 2-18 Syslog Analysis Functional Flow
Syslog Analysis on Windows
Since system message logging is not part of the Windows operating system, CiscoWorks adds a logging service—CWCS Syslog Service, when it is installed on Windows systems. All system messages are stored in the Syslog.log file under the ciscoworks/log directory on the server. The Syslog Analyzer then reads this file to populate the syslog database. See Figure 2-19.
Syslog Analysis Workflow
Figure 2-19 Syslog Analysis Workflow
The above chart depicts the Syslog Analysis workflow and associated tasks within Essentials. Syslog Analysis will automatically store any supported syslog messages that are forwarded from devices. You must ensure that devices are configured to forward messages to the Essentials server or a remote SAC.
After the devices are configured properly, you can view Syslog reports at any time. You are required to perform Syslog Analysis setup tasks only if you want to filter out specific syslog messages, change how long syslog messages are stored, display syslog messages in a custom URL, group syslog in a custom report, or execute a user-defined script when specified syslog messages are detected.
Syslog Vs. Change Audit
Many actions that trigger change audit records will also trigger generation of syslog messages. Change Audit complements syslog message logging by providing additional details about some changes, tracking changes for devices, and providing multiple ways to organize and view changes to network devices. See Figure 2-20.
Figure 2-20 Syslog Analysis Vs. Change Audit Workflow
Changes in the network, such as a configuration change or the upload of a new Cisco IOS software image, can result in a device triggering a syslog message.
Some of these syslog messages in turn cause the inventory or the configuration management applications to poll the device and update the Essentials data appropriately. These applications will also log a record with the change audit application.
Besides, if the inventory or the configuration management applications independently detect changes to the network, they will poll the device, update the Essentials data, and log a change audit record.
For example, when a device sends a syslog message about a change in device configuration, this is passed on to Configuration Management, which determines the exact nature of the change. It retrieves the new configuration file, and then writes a change record into the Change Audit log.
Table 2-16 shows the tasks you can accomplish with the Syslog Analysis application.
