Installation and Setup Guide for Resource Manager Essentials 4.0 on Windows
Preparing to Use Resource Manager Essentials

Table Of Contents

Preparing to Use RME Applications

Preparation Overview

Accessing the Server

Logging In

Configuring the Server

Configuring the Proxy Server

Setting Device Credentials

Setting Up Inventory

Adding Devices in RME to Collect Inventory Data

Setting Up Syslog Analyzer

Configuring Devices for Syslog Analyzer

Configuring Cisco IOS Devices

Configuring Catalyst Devices

Verifying the Syslog Collector

Setting Up Software Management

Verifying Space Requirements for Downloaded Files

Setting Up File Transfer Servers

Enabling rcp

Setting Up SCP

Using SCP For File Transfer

Prerequisites for Secure Copy

Information About Secure Copy

How SCP Works

How to Configure SCP

Configuring the SMTP Server

Setting Software Management Preferences

Setting Up Configuration Management

Modifying Device Configurations

Ensuring Devices are rcp-enabled

Ensuring Devices are SSH-enabled

Configure Devices for Syslog Analyzer

Modifying Device Security

Setting Up NetConfig

Verifying Device Configurations

Modifying Device Security

Verify Device Prompts

Transport Settings Setup

Logging Out


Preparing to Use RME Applications


After installing and setting up Resource Manager Essentials (RME), you must configure the server for RME and configure RME applications for use.

This chapter assumes that you have performed the client setup tasks described in Installation and Setup Guide for Common Services 3.0 (Includes Ciscoview) on Windows.

This chapter consists of:

Preparation Overview

Accessing the Server

Logging In

Configuring the Server

Configuring the Proxy Server

Setting Device Credentials

Setting Up Inventory

Setting Up Syslog Analyzer

Setting Up Software Management

Setting Up Configuration Management

Preparation Overview

Table 2-1 lists the prerequisite tasks for using RME applications. It contains references to more detailed information about each task.

Table 2-1 Preparing to Use RME Applications Task Overview 

Task
Steps
References

1. Configure the system.

Enter information about the proxy server, SNMP, SMTP, and rcp.

"Configuring the Server" section.

2. Set device credentials.

Configure items on the devices that are to be monitored by RME.

"Setting Device Credentials" section

3. Set up Inventory.

a. Create network inventory by either:

Adding device information by adding one device at a time.

or

Performing Bulk Import from DCR

"Adding Devices in RME to Collect Inventory Data" section.

b. (Optional) Perform the following Inventory setup tasks:

Schedule inventory polling and collection.

Set change report filters.

Inventory Online help.

4. Set up Syslog Analyzer.

a. Configure your routers and switches for Syslog Analyzer.

"Configuring Devices for Syslog Analyzer" section.

b. Verify that Syslog messages are being processed by the Syslog Collector.

"Verifying the Syslog Collector" section.

5. Set up Software Management.

a. Set up file transfer servers.

"Setting Up File Transfer Servers" section.

b. Add device credentials to inventory.

"Configuring the SMTP Server" section.

c. Set Software Management preferences.

"Setting Software Management Preferences" section.

d. Obtain login privileges to Cisco.com for importing software images.

If you do not have login privileges, go to Cisco.com, to obtain a login.

e. (Optional) Perform setup tasks.

Create a baseline of the devices in your network and populate the software image library.

Schedule the Browse Defects job to run periodically.

Schedule the Synchronize Library job to run periodically.

Create one or more approver lists if you want to use the Job Approval option.

Distribute a software image to a device or group of devices.

Software Management Online help.

6. Set up Configuration Management.

a. Modify device security.

"Modifying Device Security" section.

b. Set up NetConfig:

Verify device configurations in configuration archive.

Verify device credentials.

Modify device security.

Verify device prompts.

"Setting Up NetConfig" section and the NetConfig online help.

c. (Optional) Perform NetConfig setup tasks:

Configure default job properties.

Assign template access privileges to users.

Enable Job Approval.

NetConfig Online help.


Accessing the Server

When you access the CiscoWorks Server, the CiscoWorks Login Manager appears.

To access the server from a client system, enter any one of these URLs in your web browser:

If SSL is disabled and you installed CiscoWorks Common Services (Common Services) on the default port, enter:

http://server_name:1741

If SSL is enabled, and if you installed CiscoWorks Common Services (Common Services) on the default port, enter:

https://server_name:443

where server_name is the hostname of the server on which you installed RME. If an alternative port was assigned during Common Services installation, enter:

http://server_name:port_number

where port_number is the alternative port assigned.

In SSL mode you may also enter http://server_name:1741; the URL is redirected to https and still works.

See User Guide for CiscoWorks Common Services for information about administrator logins.

Logging In

To perform administrator setup tasks, you must log in as system administrator.


Step 1 Enter the system administrator username and password in the Login Manager dialog box.

User Name: admin
Password: password

Step 2 Click Login.

The CiscoWorks homepage appears.


Configuring the Server

You can configure system-wide information for RME applications using the System Configuration option. You should verify that the defaults are correct or enter corrections.


Step 1 Select Common Services > Server > Admin > System Preferences.

The View / Edit System Preferences dialog box appears.

Step 2 Select one of the following text boxes to enter information or to verify that the configured information is correct:

SMTP Server

RCP User

CiscoWorks Email ID

See Table 2-2 for descriptions of the information in each dialog box tab.

Step 3 Click Apply to save the changes, or click Defaults to apply the defaults.

Step 4 Repeat Step 2 and Step 3 until you have verified or corrected all the information displayed in the System Configuration dialog box.

This dialog box is displayed until you select another option from the navigation tree.


Configuring the Proxy Server

To configure the proxy server:


Step 1 Select Common Services > Server > Security > Cisco.com Connection Management > Proxy Server Setup.

The Proxy Server Setup dialog box appears.

Step 2 Enter the following information:

Host name/IP address—Proxy host or IP address.

Port—Proxy port number.

Username—Login ID of the proxy server. This is optional.

Password—Password of the proxy server. This is optional.

Verify—Re-enter the same password as in Password, to confirm.

See Table 2-2 for descriptions of the information in each dialog box tab.

Step 3 Click Apply to save the changes.

This dialog box is displayed until you select another option from the navigation tree.


Table 2-2 System Configuration Dialog Box Information 

Tab Name
Description
Fields—Values to Enter

HTTP Proxy

Connects to Cisco.com. If server access to the outside world is controlled through a proxy server, you must configure this setting.

Proxy URL—System-wide proxy URL. There is no default.

SMTP Server

Sends E-mail.

SMTP Server—Server name. Default is localhost.

RCP User

Specifies user during remote file transfer operations from devices. Authenticates rcp transfers between devices and the server.

You must configure the user account on the devices as a local user. The default RCP user is cwuser.

See the "Setting Up File Transfer Servers" section.

User Name—Name used by a network device when it connects to the server to run rcp.

CiscoWorks E-mail ID

Specifies the E-mail ID of the user.

Enter the e-mail ID.


Setting Device Credentials

Several important items must be configured correctly on every Cisco device that will be managed and monitored through RME.

Details about each application and the tasks involved in setting the credentials are available later in this document. For more details, see Table 2-1.

Table 2-3 lists all the applications and the device credentials required for proper functioning of the applications.

Table 2-3 Applications and the Device Credentials

Application                             Telnet Password  Enable Password  SNMP Read Only  SNMP Read/Write
--------------------------------------  ---------------  ---------------  --------------  ----------------
NetConfig                               Required         Required         Required        Not required (1)
Config Editor                           Required         Required         Required        Not required (2)
ChangeAudit                             Not required     Not required     Required        Not required
Configuration Management (Telnet)       Required         Required         Required        Not required
Configuration Management (TFTP) (3)(4)  Not required     Not required     Required        Required
Inventory                               Not required     Not required     Required        Not required
SWIM                                    Required (5)     Required (5)     Required        Required
Syslog                                  Not required     Not required     Required        Not required

(1) After execution of a job, NetConfig provides an option to fetch the configuration using TFTP. SNMP Read/Write credentials are required in such cases.

(2) After execution of a job, Config Editor provides an option to fetch the configuration using TFTP. SNMP Read/Write credentials are required in such cases.

(3) Configuration download also uses TFTP. Hence, SNMP Read/Write credentials are required.

(4) The file vlan.dat can be fetched only if the Telnet password and enable password are supplied.

(5) Required for a few device types, such as PIX devices and Cisco 2950 series switches.


Setting Up Inventory

As a network administrator, you need to be able to quickly troubleshoot problems on the network, know the inventory of the devices RME manages, and run various kinds of reports, both pre-canned and custom. The Inventory application in RME caters to these requirements.

This section describes the tasks that you must perform to set up the Inventory application.

For detailed information see User Guide for Resource Manager Essentials 4.0.

Adding Devices in RME to Collect Inventory Data

You must have at least one managed device (a device whose inventory information is tracked by RME) to verify correct RME installation. To manage your network, you need to add the device information for all your managed devices.

You can add devices to RME either manually or automatically.

By default, devices are added to RME from Common Services' Device and Credential Repository automatically.

If you have disabled the option Automatically Manage Devices from Credential Repository under RME > Admin > Device Mgmt > Device Management Settings, you must follow Step 1 through Step 3 of the procedure below.

To populate your network inventory:


Step 1 Select RME > Devices > Device Management > RME Devices.

Step 2 Select the list of devices that you want RME to manage from the device credential repository.

Step 3 Click Add Devices.

The Device Management Status Summary dialog box appears.

Step 4 Use the Device Management Status Summary dialog box to check the status of the device you specified.

The dialog box should contain:

Device State             Number of Devices
-----------------------  -----------------
Normal                   0
Pending                  1
Pre-deployed             0
Suspended                0
Alias                    0
Conflicting              0
Total Number of Devices  1


If the device responded quickly, the Managed row might already contain one device.

Step 5 Refresh the screen to update device status.

If the pending count goes from 1 to 0 after you click Device Management and the Managed row has one device, RME was installed and configured correctly.

You might need to wait several minutes for the device to become managed.

Step 6 Click Device Management on the Device Management Status Summary dialog box every minute or so to check current device status.

For additional information, see the Online help.

If you added a device and the Device Management Status Summary dialog box shows that the device status has not changed from Pending even after 15 minutes, check the status of all processes to make sure they are running normally.

To view the latest device status information, select Resource Manager Essentials > Devices > Device Management.

To determine if the ICServer process is running, select Common Services > Server > Admin > Processes.

ICServer and Config Management are the processes responsible for validating devices and changing their status from Pending.

Even if the ICServer process shows the state Running Normally, it might be in an error state; if the device stays Pending, stop and restart the process.

To stop the ICServer process:

a. Select Common Services > Server > Admin > Processes.

The Process Management dialog box appears.

b. Select the process.

c. Click the Stop button.

To restart the ICServer process:

a. Select Common Services > Server > Admin > Processes.

The Process Management dialog box appears.

b. Select ICServer from the list of processes

c. Click Start.

The device status should change to Managed within a couple of minutes.


Setting Up Syslog Analyzer

Syslog Analyzer lets you centrally log and track messages generated by devices. You can use the logged error message data to analyze device and network performance. You can customize Syslog Analyzer to produce the information and message reports that are important to your operation.

Since system message logging is not part of the Windows operating system, RME provides syslog message logging as a Windows service (RME syslog service).

The syslog service saves each system message to the default file, SystemDrive:\Program Files\CSCOpx\log\syslog.log. Syslog Analyzer reads the syslog.log file for messages, processes the messages, and writes them to the RME database. CGI scripts use the database information to generate system message reports.

See the Online help for more information about Syslog Analyzer.

Setting up Syslog Analyzer involves:

Configuring Devices for Syslog Analyzer

Verifying the Syslog Collector

Configuring Devices for Syslog Analyzer

Before you can use Syslog Analyzer, you must configure devices to forward messages to RME or a system on which you have installed the distributed Syslog Analyzer Collector.

For more information about setting up devices for message logging, see the Syslog online help, the Cisco IOS Software Documentation on Cisco.com (for Cisco IOS devices), and the appropriate reference guide.

Configuring Cisco IOS Devices

To configure Cisco IOS devices:


Step 1 Use Telnet to access the device and log in.

The prompt changes to host>.

Step 2 Enter enable.

Step 3 Enter the enable password.

The prompt changes to host#.

Step 4 Enter configure terminal.

You are now in configuration mode, and the prompt changes to host(config)#.

To make sure logging is enabled, enter logging on.

To specify the RME server to receive the router syslog messages, enter logging 123.45.67.89 (where 123.45.67.89 is the IP address of the CiscoWorks server).

Step 5 Set the logging trap level by entering logging trap informational. Severity level informational means that messages at levels 0 through 6 (emergencies through informational) are sent to the server.

Step 6 Verify that Syslog is running:

a. From the CiscoWorks desktop, select Common Services > Server > Admin > Processes.

The Process Management dialog box appears.

b. Verify that the entry for Syslog Collector has the status, Running normally.

If you are directing syslogs to a remote collector, also verify that the SyslogCollector entry on that server is running normally.


Configuring Catalyst Devices

To configure Catalyst devices:


Step 1 Telnet to the device and log in.

The prompt changes to host>.

Step 2 Enter enable and the enable password.

The prompt changes to host(enable).

Step 3 To make sure logging is enabled, enter set logging server enable.

Step 4 Enter set logging server 123.45.67.89 (where 123.45.67.89 is the IP address of the server) to specify the server that is to receive the Catalyst switch syslog messages.

Step 5 Set the logging trap level by entering set logging all level 6 default.

Severity level 6 means that all messages from level 0 through 6 (emergencies through informational) are sent to the server.

Step 6 Verify that syslog is running:

a. From the CiscoWorks desktop, select Common Services > Server > Admin > Processes.

The Process Management dialog box appears.

b. Verify that the entry for Syslog Collector has the status, Running normally.

If you are directing syslogs to a remote collector, also verify that the SyslogCollector entry on that server is running normally.


Content Service Switches Devices

To configure Content Service Switches (CSS) devices using Telnet:


Step 1 Telnet to the device and enter into the Global Configuration mode.

Step 2 Run the following commands:

logging commands enable 
logging host CiscoWorks IP address
logging facility local7


Content Engine Devices

To configure Content Engine (CE) devices using Telnet:


Step 1 Telnet to the device and enter into the Global Configuration mode.

Step 2 Run the following commands:

logging host CiscoWorks IP address
logging facility local7


NAM Devices

To configure NAM devices using Telnet:


Step 1 Telnet to the device and enter into the Global Configuration mode.

Step 2 Run the following commands:

remote-host CiscoWorks IP address
logging facility local7


PIX Devices

To configure PIX devices using Telnet:


Step 1 Telnet to the device and enter into the Global Configuration mode.

Step 2 Run the following commands:

logging host [in_if_name] CiscoWorks IP address [protocol/port] [format emblem]

logging facility local7

where

in_if_name is the interface on which the syslog server resides.

CiscoWorks IP address is the address of the CiscoWorks server.

protocol is the protocol over which the syslog message is sent; either tcp or udp. PIX Firewall only sends TCP syslog messages to the PIX Firewall Syslog Server.

You can only view the port and protocol values you previously entered by using the write terminal command and finding the command in the listing—the TCP protocol is listed as 6 and the UDP protocol is listed as 17.

port is the port from which the PIX Firewall sends either UDP or TCP syslog messages. This must be same port at which the syslog server listens.

For the UDP port, the default is 514 and the allowable range for changing the value is 1025 through 65535.

For the TCP port, the default is 1470, and the allowable range is 1025 through 65535. TCP ports only work with the PIX Firewall Syslog Server.

format emblem is the option that enables EMBLEM format logging on a per-syslog-server basis. EMBLEM format logging is available for UDP syslog messages only and is disabled by default.


For details on how to configure devices using the NetConfig Syslog task, refer to the Configuring the Device Using NetConfig Syslog Task section in the User Guide for Resource Manager Essentials 4.0.

Verifying the Syslog Collector

To verify that the Syslog Collector is processing syslog messages from the network:


Step 1 Log in to a managed router that is configured to send Syslog messages to the server. You must have appropriate login privileges to make configuration changes.

Step 2 Make a nondestructive change to the router configuration. For example, to change the contents of the login banner enter:

# enable
# configure terminal

The prompt changes to #>.

#> banner motd /
This is a test /
#> end

Step 3 Wait approximately 2 minutes for the server to process the Syslog message.

Step 4 Select RME > Reports > Report Generator.

The Report Generator dialog box appears.

Step 5 Select Syslog from the Select an Application drop-down menu.

Step 6 Select Standard Report from the Select a Report drop down menu.

The Standard Reports dialog box appears.

Step 7 Select the device for which you made a change. For more information, see the Online help.

Step 8 Click Finish.

The Syslog-Standard report appears.

Verify that the report contains the Syslog message that the configuration change generated.
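The IOS and Catalyst steps above choose a trap level, and the verification above looks for the message that a configuration change generates. The following Python script is an added example, not code from this guide or the product: it parses constructed syslog.log-style lines in the standard Cisco %FACILITY-SEVERITY-MNEMONIC: form, shows which of them a given trap level forwards, and checks for the config-change message from the changed router (assumed here to be the standard IOS %SYS-5-CONFIG_I message, which the guide itself does not name).

```python
"""Parse collector-style syslog lines and check what a trap level forwards.

Added example, not part of the RME guide or product. It assumes each line
ends in the standard Cisco form "%FACILITY-SEVERITY-MNEMONIC: text" after a
timestamp and the sending device's address. Sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Cisco severity scale. "logging trap informational" on IOS and
# "set logging all level 6" on CatOS both forward levels 0 through 6.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}
TRAP_INFORMATIONAL = 6

# Body after the '%': FACILITY-SEVERITY-MNEMONIC: text
BODY_RE = re.compile(r"^([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$")

# Constructed sample of a syslog.log file (not captured from a real network).
# The SYS-7-DEBUGTEST mnemonic is invented for this example.
SAMPLE_SYSLOG_LOG = """\
Aug 10 12:00:01 10.1.1.1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)
Aug 10 12:00:05 10.1.1.1 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Aug 10 12:00:09 10.1.1.2 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4444) -> 10.1.1.2(23), 1 packet
Aug 10 12:00:12 10.1.1.2 %SYS-7-DEBUGTEST: constructed debug-level line for this example
Aug 10 12:00:15 10.1.1.1 collector restarted (not a Cisco-format message, skipped)
"""


@dataclass
class SyslogMessage:
    device: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]


def parse_line(line):
    """Return a SyslogMessage, or None if the line is not in Cisco format."""
    head, sep, body = line.partition("%")
    if not sep:
        return None
    m = BODY_RE.match(body)
    if not m:
        return None
    tokens = head.split()
    device = tokens[-1] if tokens else ""   # last token before '%' is the sender
    facility, severity, mnemonic, text = m.groups()
    return SyslogMessage(device, facility, int(severity), mnemonic, text)


def parse_log(text):
    """Parse every line of a syslog.log-style file, skipping unparseable ones."""
    return [msg for msg in map(parse_line, text.splitlines()) if msg]


def forwarded(messages, trap_level=TRAP_INFORMATIONAL):
    """Messages a device configured with 'logging trap <trap_level>' would send."""
    return [m for m in messages if m.severity <= trap_level]


def severity_summary(messages):
    """Count messages per (device, severity name), e.g. for a quick report."""
    return Counter((m.device, m.severity_name) for m in messages)


def config_change_seen(messages, device):
    """Verification check: did the collector receive the config-change message
    (%SYS-5-CONFIG_I, assumed here) from the router whose banner was changed?"""
    return any(m.device == device and m.facility == "SYS"
               and m.mnemonic == "CONFIG_I" for m in messages)


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_SYSLOG_LOG)
    print(f"{len(msgs)} parsed, {len(forwarded(msgs))} at or below trap level 6")
    for key, n in sorted(severity_summary(msgs).items()):
        print(f"{key[0]:<10} {key[1]:<14} {n}")
    print("config change from 10.1.1.1 seen:", config_change_seen(msgs, "10.1.1.1"))
```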


Setting Up Software Management

Cisco is constantly improving the quality and functionality of device software. As a network administrator, you need to know what versions are currently running on your devices, and you must be aware of new software versions available to identify when upgrades are needed.

When software upgrades are required, you must plan for and manage the upgrade to minimize the disruption to the end users. The process of manually upgrading multiple devices on the network can be a very time-consuming and error-prone process.

The Software Management application performs system software upgrades, boot loader upgrades, and software configuration operations on groups of routers and switches. For more information about setting up Software Management, see the Online help.

Setting up Software Management involves the following:

Verifying Space Requirements for Downloaded Files

Setting Up File Transfer Servers

Configuring the SMTP Server

Setting Software Management Preferences

Verifying Space Requirements for Downloaded Files

Before you can use Software Management, you must have sufficient space to store the software image files. You should have 4 to 20 MB of space for each IOS and Catalyst image. For NAM and Content Engine images you must have 150 MB of space.


Note The space for each image varies according to the device type.


Setting Up File Transfer Servers

CiscoWorks Common Services installs two file-transfer servers that the Software Management application uses to transfer software files:

A Trivial File Transfer Protocol (TFTP) server

During Software Management installation, the tftpboot directory is created under the directory in which RME is installed (the default is SystemDrive:\Program Files\CSCOpx).

This directory saves and stores files that are loaded to a device when you use RME applications supported by TFTP. All users have read, write, and execute privileges to the tftpboot directory.

A remote copy (rcp) server

A secure and authenticated file transfer (SCP)

RME supports the Secure Copy (SCP) file transfer. It is a secure and authenticated method for copying router configuration or router image files. SCP relies on Secure Shell (SSH).

RME uses rcp with devices that support rcp. For other devices, RME uses TFTP.

Enabling rcp

You can enable rcp if you want RME to use it with any devices:


Step 1 Select RME > Admin > Software Mgmt > View/Edit Preferences.

Step 2 Set the protocol order so that RCP is the first protocol in the order.

Step 3 Click Apply.


Setting Up SCP

RME supports the Secure Copy (SCP) file transfer. It is a secure and authenticated method for copying router configuration or router image files. SCP relies on Secure Shell (SSH).


Using SCP For File Transfer

SCP is derived from rcp.

The following are the prerequisites for Secure Copy:

Configure SSH, authentication, and authorization on the router.

Ensure the router has a Rivest, Shamir, and Adleman (RSA) key pair. SCP relies on SSH for its secure transport.

The behavior of SCP is similar to that of remote copy (rcp), except that SCP relies on SSH for security. In addition, SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether you have the correct privilege level.

SCP allows anyone who has appropriate authorization to copy any file that exists in the Cisco IOS File System (IFS) to and from a router by using the copy command. An authorized administrator may also perform this action from a workstation.

Prerequisites for Secure Copy

Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the router.

Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.

Information About Secure Copy

To configure the Secure Copy feature, you should understand the following concepts:

How SCP Works

How to Configure SCP

How SCP Works

The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. In addition, SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level.

SCP allows a user who has appropriate authorization to copy any file that exists in the Cisco IOS File System (IFS) to and from a router by using the copy command. An authorized administrator may also perform this action from a workstation.

How to Configure SCP

This section contains the following procedures:

Configuring SCP

Verifying SCP

Troubleshooting SCP

Configuring SCP

To enable and configure a Cisco router for SCP server-side functionality, perform the following steps:

 
Step 1 enable

Example:

Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 aaa new-model

Example:

Router(config)# aaa new-model

Enables the AAA access control system.

Step 4 aaa authentication login {default | list-name} method1 [method2...]

Example:

Router(config)# aaa authentication login default local

Sets AAA authentication at login.

Step 5 aaa authentication enable {default | list-name} method1 [method2...]

Example:

Router(config)# aaa authentication enable default none

Sets AAA authentication at enable.

Step 6 aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]

Example:

Router(config)# aaa authorization exec default local

Sets parameters that restrict user access to a network.

Note The exec keyword runs authorization to determine if the user is allowed to run an EXEC shell; therefore, you must use it when you configure SCP.

Step 7 username name [privilege level] {password encryption-type encrypted-password}

Example:

Router(config)# username superuser privilege 15 password 0 superpassword

Establishes a username-based authentication system.

Note You may skip this step if a network-based authentication mechanism, such as TACACS+ or RADIUS, has been configured.

Step 8 ip scp server enable

Example:

Router(config)# ip scp server enable

Enables SCP server-side functionality.


Verifying SCP

To verify SCP server-side functionality, perform the following steps:

 
Step 1 enable

Example:

Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 show running-config

Example:

Router# show running-config

Verifies the SCP server-side functionality.


Troubleshooting SCP

To troubleshoot SCP authentication problems, perform the following steps.

 
Step 1 enable

Example:

Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 debug ip scp

Example:

Router# debug ip scp

Troubleshoots SCP authentication problems.


Configuring the SMTP Server

Software Management uses an SMTP server on your network to deliver reports. The default location is localhost, which means that Software Management uses the SMTP server on the RME server itself.

If you want Software Management to use an SMTP server on a different system:


Step 1 Select Resource Manager Essentials > Administration > System Configuration.

The System Configuration dialog box appears.

Step 2 Select the SMTP tab.

Step 3 Enter the name of your SMTP server in the SMTP Server field.

Step 4 Click Apply.


Setting Software Management Preferences

Software Management has many preferences that you can set to control how the application behaves.

To set preferences:


Step 1 Select RME > Admin > Software Mgmt > View/Edit Preferences.

The Edit Preferences dialog box appears.

Step 2 Change preferences as appropriate. For more information, see the Online help.

Step 3 After you complete the changes:

Click Apply to save your changes.

Click Defaults to display the default configuration.


Setting Up Configuration Management

One of the most difficult but most important things to manage on network devices is the device configuration. Often a change to the device configuration leads to network performance issues and faults. The device configuration is the key to how a device operates on the network and how traffic is passed.

As the network administrator, you need to be able to control and track changes to device configurations in order to minimize errors and assist in troubleshooting problems.

This can be very difficult if several people are making changes to the device configurations. It can also become very repetitive and time-consuming to make the same update to each individual device on the network. The Configuration Management application can help simplify and automate these tasks.

Before Configuration Management can gather device configurations, you need to update the RME database with passwords (credentials) and modify device configurations.


Note rcp and SSH are required only if you wish to use them.


Modifying Device Configurations

You must modify your device configurations to enable Configuration Management to gather the configurations. After your devices become managed, the configuration files are collected and stored in the configuration archive.

Ensuring Devices are rcp-enabled

To make sure the devices are rcp-enabled, log in to each device and enter these commands in the device configurations:

# ip rcmd rcp-enable
# ip rcmd remote-host remote_username IP_address local_username enable

where IP_address is the IP address of the system on which RME is installed. You can also enter the hostname. The default remote_username and local_username are casuser.

Ensuring Devices are SSH-enabled

Make sure the devices are SSH-enabled by logging into each device and entering the commands for the following kinds of devices:

For Catalyst Switches Running CatOS

For Cisco IOS Routers

For Catalyst Switches Running CatOS

To enable SSH on Catalyst switches:


Step 1 Generate an RSA key, by entering:

sec-cat6000> (enable) set crypto key rsa 1024

A message similar to the following appears:

Generating RSA keys..... [OK]

Step 2 Verify the RSA key. The switch reports the host and server key sizes in a message similar to the following:

ssh_key_process: host/server key size: 1024/768

Step 3 Display the RSA key, by entering:

sec-cat6000> (enable) show crypto key

A message similar to the following appears:

RSA keys were generated at: Mon Jul 23 2001, 15:03:30 1024 65537 

Step 4 Specify the hosts or subnets that are allowed to use SSH to communicate with the switch.

For example, to allow the subnet 172.18.124.0 with mask 255.255.255.0 to use SSH, enter:

sec-cat6000> (enable) set ip permit 172.18.124.0 255.255.255.0

A message similar to the following appears:

172.18.124.0 with mask 255.255.255.0 added to IP permit list.

If you do not perform this step, the switch displays the following warning:

WARNING!! IP permit list has no entries!

Step 5 To enable SSH, enter:

sec-cat6000> (enable) set ip permit enable ssh

A message similar to the following appears:

SSH permit list enabled.

Step 6 Verify the SSH permit list, by entering:

sec-cat6000> (enable) sho ip permit

A message similar to the following appears:

Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list disabled.
Permit List Mask Access-Type
---------------- ---------------- -------------
172.18.124.0 255.255.255.0 telnet ssh snmp

Denied IP Address Last Accessed Time Type
----------------- ------------------ ------


For Cisco IOS Routers

To enable SSH on Cisco IOS Routers:

These steps configure router1 as an SSH server; RME connects to it as an SSH client. The same configuration also lets an IOS router act as an SSH client to another router (for example, router2 opening an SSH session to router1), because the IOS SSH client configuration is the same as the SSH server configuration shown here.


Step 1 Configure the hostname for router1 and a local user that RME will log in as, by entering:

hostname router1
username username password 0 password

The password 0 form stores the password in cleartext in the configuration. Where your IOS release supports it, use username username secret password instead, which stores a one-way hash.

Step 2 Configure the DNS domain on router1, by entering:

ip domain-name domain-name

Both the hostname and the domain name must be set before the key is generated, because together they label the key pair.

Step 3 Generate the RSA key pair to be used, by entering:

cry key generate rsa

You are prompted for the modulus size; use at least 1024 bits, and 2048 bits where the platform supports it. Optionally, bound how long an SSH negotiation may remain incomplete and how many authentication attempts are allowed, by entering:

ip ssh time-out 60
ip ssh authentication-retries 2

Where your IOS release supports it, ip ssh version 2 restricts the router to SSH version 2.

Step 4 Enable SSH transport support for the vtys, and make the vtys authenticate against the local username database created in Step 1:

By default, vty transport is through Telnet. In this case, Telnet has been disabled and only SSH is supported.

line vty 0 4
login local
transport input ssh
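The following script audits a saved IOS running-config for the SSH-only setup that Steps 1 through 4 above produce. It is an added example and is not part of RME or of Cisco's documentation; the hostname, domain name, usernames and vty ranges in the embedded sample configuration are constructed for illustration, and the sample deliberately leaves a second vty range and a second user in a weaker state so the audit has findings to report.

```python
"""Added example (not RME code): audit an IOS running-config for the
SSH-only vty setup described in Steps 1 through 4 above."""
import re

# Constructed sample configuration (not from a real device). "line vty 0 4"
# and the rme-svc user follow the steps above; "line vty 5 15" and the
# oldadmin user are deliberately weaker so the audit reports something.
SAMPLE_CONFIG = """\
hostname router1
!
username rme-svc secret 5 $1$abcd$notarealhashjustasample00000
username oldadmin password 0 cleartext123
!
ip domain-name example.net
ip ssh time-out 60
ip ssh authentication-retries 2
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
!
end
"""

_VTY_RE = re.compile(r"^line vty \d+(?: \d+)?$")


def vty_blocks(config):
    """Yield (label, sub_commands) for every 'line vty' block.

    IOS indents a line block's sub-commands by one space; the block ends
    at the first line that is not indented.
    """
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        label = lines[i].rstrip()
        if _VTY_RE.match(label):
            body = []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield label, body
        else:
            i += 1


def audit_ssh_config(config):
    """Return a list of findings. An empty list means the config has a
    hostname and domain name, no reversible user passwords, SSH version 2
    pinned, and every vty restricted to SSH and authenticating locally."""
    findings = []
    if not re.search(r"^hostname \S+$", config, re.M):
        findings.append("no hostname; 'crypto key generate rsa' needs one")
    if not re.search(r"^ip domain-name \S+$", config, re.M):
        findings.append("no ip domain-name; 'crypto key generate rsa' needs one")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set; the router may still accept SSH version 1")
    # 'password 0' is cleartext and 'password 7' is reversibly encoded;
    # only 'secret' stores a one-way hash.
    for m in re.finditer(r"^username (\S+) password [07] ", config, re.M):
        findings.append("user %s: reversible password, use 'username ... secret'" % m.group(1))
    blocks = list(vty_blocks(config))
    if not blocks:
        findings.append("no 'line vty' block; the default transport permits Telnet")
    for label, body in blocks:
        transports = [b for b in body if b.startswith("transport input")]
        if not transports:
            findings.append("%s: no 'transport input'; the default permits Telnet" % label)
        elif transports[-1] != "transport input ssh":
            findings.append("%s: '%s' permits a non-SSH transport" % (label, transports[-1]))
        if not any(b == "login local" or b.startswith("login authentication") for b in body):
            findings.append("%s: no 'login local' or 'login authentication'; the local user is not consulted" % label)
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of show running-config from each router before adding the router to RME; a device whose audit returns findings for any vty range can still be reached over Telnet on that range, whatever Transport Settings order you choose in RME.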


Configure Devices for Syslog Analyzer

Configure your devices for Syslog Analyzer if you want the device configurations to be gathered and stored automatically in the configuration archive when syslog messages are received. For more information, see the "Setting Up Syslog Analyzer" section or refer to the online help.

Modifying Device Security

To archive device configurations, Configuration Management must be able to run the commands in Table 2-4 on each device, using the credentials you set for that device. If device-side authorization (for example, TACACS+ command authorization or a restricted privilege level) would block any of them, permit exactly these commands for the account RME uses rather than disabling authorization on the device.

Table 2-4 Required Configuration Management Commands

Command Type / Command                                     Description

IOS Commands
  term len 0 (with term width 256 to set the terminal width)   Turns paging off for the Telnet session
  write term                                                   Gets running configuration
  show config                                                  Gets startup configuration
  write mem                                                    Writes running configuration to startup configuration
  config t                                                     Enters config mode
  exit                                                         Exits config mode

Catalyst Commands
  set len 0                                                    Turns paging off for the Telnet session
  show config all                                              Gets running configuration

Content Service Switch Commands
  no terminal more                                             Disables the terminal's "more" paging function
  show running-config                                          Gets all components of the running configuration
  show startup-config                                          Gets the CSS startup configuration (startup-config)

Content Engine Commands
  term len 0                                                   Turns paging off for the Telnet session
  show run                                                     Gets running configuration
  show config                                                  Gets startup configuration


Setting Up NetConfig

The NetConfig function provides wizard-based templates to simplify and reduce the time it takes to roll out global changes to network devices. These templates can be used to execute one or more configuration commands on multiple devices at the same time.

For example, if you want to change passwords on a regular basis to increase security on devices, you can use the appropriate password template to update passwords on all devices at once. A copy of all updated configurations will be stored in the configuration archive.

This section describes how to set up NetConfig. This involves:

Verifying Device Configurations

Modifying Device Security

Verify Device Prompts

Transport Settings Setup

Verifying Device Configurations

NetConfig can configure devices that do not have archived configurations. However, rollback command generation may be faulty if the archived configuration is not present. Use the Configuration Archival Summary to:

Verify that devices you want to configure have an archived configuration.

Troubleshoot the devices that do not have an archived configuration.

To verify configuration archive status:


Step 1 Select RME > Config Mgmt > Archive Mgmt.

The Configuration Archival Summary dialog box appears with the archival status.

Step 2 Click on a device status to view details:

Click Successful to display information on archived configurations.

Click Failed to display information on configurations that could not be obtained. This updates the archive for failed devices.

Click Partially Successful to display the Catalyst 5000 devices whose submodules were not pulled into the archive.

Step 3 Click Sync Archive.

For more information, see the Configuration Management online help.


Modifying Device Security

In addition to running the configuration commands that you assign to each job, NetConfig must be able to run the commands in Table 2-5 on each device to set up the session and save the result. If device-side authorization would block any of them, permit these commands (and the commands your jobs will push) for the account NetConfig uses rather than disabling authorization on the device.

Table 2-5 Required NetConfig Commands

Command Type / Command          Description

IOS Commands
  term len 0                    Turns paging off for the Telnet session
  write term                    Gets running configuration
  show config                   Gets startup configuration
  write mem                     Writes running configuration to startup configuration
  config t                      Enters config mode
  exit                          Exits config mode

Catalyst Commands
  set len 0                     Turns paging off for the Telnet session
  write term                    Gets running configuration

Content Service Switch Commands
  no terminal more              Disables the terminal's "more" paging function
  show running-config           Gets all components of the running configuration
  show startup-config           Gets the CSS startup configuration (startup-config)

Content Engine Commands
  term len 0                    Turns paging off for the Telnet session
  show run                      Gets running configuration
  show config                   Gets startup configuration
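Both Table 2-4 and Table 2-5 describe the same requirement: the account that Configuration Management and NetConfig log in with must be authorized for a small, fixed set of commands. The script below, an added example that is not part of RME, checks a command-authorization policy against those command lists so that you can grant the RME account exactly what it needs instead of turning authorization off. The policy format (a first-match list of permit/deny regular expressions, with an implicit deny at the end) is a simplified model of how TACACS+ servers express command authorization, and the expansion of IOS abbreviations to their full form mirrors what IOS sends when it requests authorization; both are assumptions of this example, and the policy itself is constructed for illustration.

```python
"""Added example (not RME code): verify that a command-authorization policy
for the RME service account permits every command in Tables 2-4 and 2-5."""
import re

# Commands RME needs per device family, merged from Tables 2-4 and 2-5.
REQUIRED_COMMANDS = {
    "ios":      ["term len 0", "write term", "show config", "write mem", "config t", "exit"],
    "catalyst": ["set len 0", "show config all", "write term"],
    "css":      ["no terminal more", "show running-config", "show startup-config"],
    "ce":       ["term len 0", "show run", "show config"],
}

# Abbreviations expanded to the full form that IOS-style devices present
# for authorization (assumption of this example; CatOS/CSS forms are left
# as typed).
EXPANSIONS = {
    "term len 0": "terminal length 0",
    "write term": "write terminal",
    "write mem": "write memory",
    "config t": "configure terminal",
    "show run": "show running-config",
    "show config": "show configuration",
}

# Constructed least-privilege policy for the RME account: first match wins,
# anything unmatched is denied. Each regex is anchored so that, for
# example, "show configuration" is permitted but "show configuration ..."
# with extra arguments is not.
RME_POLICY = [
    ("permit", r"^terminal length 0$"),
    ("permit", r"^set len 0$"),
    ("permit", r"^no terminal more$"),
    ("permit", r"^write (terminal|memory)$"),
    ("permit", r"^show (configuration|config all|running-config|startup-config)$"),
    ("permit", r"^configure terminal$"),
    ("permit", r"^exit$"),
]


def expand(command):
    """Return the full form of an abbreviated command (unchanged if unknown)."""
    return EXPANSIONS.get(command, command)


def authorize(command, policy):
    """Return 'permit' or 'deny' for one command under a first-match policy."""
    full = expand(command)
    for action, pattern in policy:
        if re.search(pattern, full):
            return action
    return "deny"  # implicit deny at the end of the policy


def denied_commands(family, policy):
    """Return the required commands for a device family that the policy refuses."""
    return [c for c in REQUIRED_COMMANDS[family] if authorize(c, policy) == "deny"]


def check_all(policy):
    """Map each device family to the required commands the policy denies;
    all-empty lists mean RME can archive and push configurations everywhere."""
    return {family: denied_commands(family, policy) for family in REQUIRED_COMMANDS}


if __name__ == "__main__":
    for family, denied in check_all(RME_POLICY).items():
        print(family, "denied:", denied or "none")
```

Permitting configure terminal only lets the account enter configuration mode; what it may do there is controlled separately (on IOS, by aaa authorization config-commands), and NetConfig jobs push whatever commands the job template contains, so the NetConfig account must be authorized for those as well.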


Verify Device Prompts

NetConfig requires specific CLI prompt formats:

If the Telnet transport mechanism is used, the following prompts are applicable.

For IOS-based devices, Content Engine devices, and Content Service Switch devices:

The login prompt must end with a greater-than symbol (>).

The enable prompt must end with a pound sign (#).

For Catalyst devices:

The login prompt must end with a greater-than symbol (>).

The enable prompt must end with the text (enable).

If the secure shell (SSH) transport mechanism is used, the following prompts are applicable.

For IOS-based devices, Content Engine devices, and Content Service Switch devices:

The login prompt may end with any one of the following: (>), (#), (:), (%).

The enable prompt must end with a pound sign (#).

For Catalyst devices:

The login prompt may end with any one of the following: (>), (#), (:), (%).

The enable prompt must end with the text (enable).

Default prompts use this formatting. If you have changed your defaults, verify that the prompts meet these requirements, and change them if they do not.
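The prompt rules above are easy to misread when a device's prompt has been customized, so the script below, an added example that is not part of RME, encodes them as regular expressions and applies them to prompts extracted from captured login sessions. The session captures embedded in it are constructed for illustration (the switch name follows the CatOS examples earlier in this chapter); "ios" in the rule table stands for IOS-based, Content Engine and Content Service Switch devices, which share the same rules.

```python
"""Added example (not RME code): check captured device prompts against the
NetConfig prompt rules listed in "Verify Device Prompts"."""
import re

# Login/enable prompt rules from the section above, keyed by
# (transport, device family). "ios" also covers Content Engine and
# Content Service Switch devices, which follow the IOS rules.
PROMPT_RULES = {
    ("telnet", "ios"):      (r">$", r"#$"),
    ("telnet", "catalyst"): (r">$", r"\(enable\)$"),
    ("ssh", "ios"):         (r"[>#:%]$", r"#$"),
    ("ssh", "catalyst"):    (r"[>#:%]$", r"\(enable\)$"),
}

# Constructed session captures, as a terminal logger would record them:
# banner lines, then the prompt the device stops at. The prompt is the
# last non-empty line; devices usually print a trailing space after it.
CATOS_LOGIN_CAPTURE = (
    "Cisco Systems Console\r\n\r\n"
    "Enter password: \r\n"
    "sec-cat6000> "
)
CATOS_ENABLE_CAPTURE = (
    "sec-cat6000> enable\r\n"
    "Enter password: \r\n"
    "sec-cat6000> (enable) "
)


def last_prompt(capture):
    """Return the prompt a device is waiting at: the last non-empty line of a
    captured session, with trailing whitespace removed."""
    lines = [ln.rstrip() for ln in capture.splitlines() if ln.strip()]
    return lines[-1] if lines else ""


def prompt_problems(login_prompt, enable_prompt, transport, family):
    """Return the rule violations for a login/enable prompt pair; an empty
    list means NetConfig will recognize both prompts over that transport."""
    login_re, enable_re = PROMPT_RULES[(transport, family)]
    problems = []
    if not re.search(login_re, login_prompt.rstrip()):
        problems.append("login prompt %r does not match %s over %s"
                        % (login_prompt, login_re, transport))
    if not re.search(enable_re, enable_prompt.rstrip()):
        problems.append("enable prompt %r does not match %s over %s"
                        % (enable_prompt, enable_re, transport))
    return problems


def usable_transports(login_prompt, enable_prompt, family):
    """Return the transports under which both prompts are acceptable, which
    tells you which Transport Settings order can work for this device."""
    return [t for t in ("telnet", "ssh")
            if not prompt_problems(login_prompt, enable_prompt, t, family)]


if __name__ == "__main__":
    login = last_prompt(CATOS_LOGIN_CAPTURE)
    enable = last_prompt(CATOS_ENABLE_CAPTURE)
    print(repr(login), repr(enable), "->", usable_transports(login, enable, "catalyst"))
```

A device whose prompts are acceptable over SSH but not over Telnet (for example, a login prompt ending in a colon) will fail NetConfig jobs whenever Telnet is tried first, so either fix the prompt or place SSH ahead of Telnet for that device in Transport Settings.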

Transport Settings Setup

The Transport Settings Setup window allows you to set up:

Transport Protocol Order for NetConfig, Archive Management and Config Editor Jobs

Password Policy for NetConfig, Archive Management and Config Editor Jobs

Transport Protocol Order for NetConfig, Archive Management and Config Editor Jobs

You can set the protocol order for NetConfig, Config Editor and Config Archive Jobs to download configurations and for NetConfig and Config Editor to fetch configurations.

This setup provides the flexibility of using your preferred protocol order for fetching and downloading the configuration.


Step 1 Select Resource Manager Essentials > Admin > Config Mgmt.

The Transport Settings page appears.

Step 2 Select the Application Name from the drop down menu.

Step 3 Select a protocol from the Available Protocols pane and click Add.

The protocols you select appear, in the order you added them, in the Selected Protocol Order pane; this is the order in which RME tries them for each device.

To remove a protocol or change the order, select it, click Remove, and add it again in the position you want.

When a configuration fetch or update operation fails, an error message appears. This message gives details only about the supported protocol for the particular device.

Step 4 For the list of supported protocols, see Supported Device Table for Configuration Management application on Cisco.com.

Step 5 Click Apply.

A confirmation message appears.

Step 6 Click OK.

For more information, see Configuring Transport Protocols online help.


Password Policy for NetConfig, Archive Management and Config Editor Jobs

You have the option of entering your user name and password for job execution.

If you enter your username and password, RME ignores the username and password in the database and uses the newly entered username and password, instead.

If you do not enter your username and password, RME uses the username and password in its database.

This option of entering the username and password at job creation helps in high-security installations where device passwords change at frequent intervals, for example where a one-time-password token generates a new password every 60 to 90 seconds; in such cases the stored credentials would be stale by the time the job runs.


Step 1 Select RME > Admin > Config Mgmt > Config Job Policies.

The Config Job Policies dialog box appears.

Step 2 Select Enable Job Password check box.

Step 3 Click Apply.

A confirmation message appears.

Step 4 Click OK.

For more information, see the Configuring Default Job Policies online help.


Logging Out

To end your system administrator tasks, you must log out of CiscoWorks.


Step 1 Close all secondary browser windows.

You should have only one browser window opened displaying the CiscoWorks desktop.

Step 2 Click Logout.

The Login Manager dialog box replaces the CiscoWorks homepage.