Effective network management is critical in today's networks, helping enterprises deploy and manage solutions. With increasing reliance on networks to increase productivity, enterprises are confronted with an ever growing network size. Such increase in the number of network elements creates a challenge for network administrators. How does an enterprise effectively deploy and maintain its network devices?
CiscoWorks LAN Management Solution (LMS) provides the integrated management tools needed to simplify the configuration, administration, monitoring, and troubleshooting of Cisco® networks. LMS provides IT organizations an integrated system for sharing device information across management applications, automation of device management tasks, visibility into the health and capability of the network, and identification and localization of network trouble. By using common centralized systems and network-inventory knowledge, CiscoWorks LMS delivers a unique platform of cross-functional management capabilities that reduces network administration overhead and provides upper-layer systems integration.
This deployment guide considers scenarios where all applications reside on a single server and provides tips and suggestions on configuring the server and getting the basic functions of applications running. Discussions related to multiserver deployment can be found in the LMS 3.2 Large Scale Deployment Guide, available at http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html.
Tip: In short, the decision on whether to use single or multiple LMS servers to manage the network depends on:
• How many devices are managed by the LMS server. In LMS 3.2, one single server can manage up to 5000 devices per server.
• How the LMS applications are used. For example, if DFM is used extensively to poll the devices, it is recommended to dedicate a server to DFM. Refer to the scalibility numbers and server planning details in the Large Scale Deployment Guide.
Note: There are release notes for the individual components but not at the bundle level.
LMS 3.2 Applications
LMS 3.2 is the latest version of LMS, released in June 2009. LMS itself is a solution bundle that consists of varoius integrated applications. Figure 1 lists all the applications in LMS 3.2.
Figure 1. LMS 3.2 Solution Bundle
• Common Services 3.2
Common Services provides a set of shared application services that are used by all LMS applications. It runs the database server, the web server, the job scheduler, the device discovery engine, and other backend processes to support other applications.
Common Services 3.2 includes CiscoView 6.1.9, Integration Utility 1.9, LMS Portal 1.2, and CiscoWorks Assistant (CWA) 1.2.
– LMS Portal is the GUI front of the CiscoWorks server. It gives the user the ability to customize information regardless of applications and to view frequently used information in a common place. With LMS Portal, users do not need to navigate through several pages to obtain the information they need -- instead, users can display application-related information as portlets and customize the homepage to have all information on a single screen from all applications.
– CiscoView provides a "front panel" graphical display of Cisco devices, allowing users to easily interact with device components to change configuration parameters and monitor statistics.
– Integration Utility is an integration module that supports third-party network management systems, such as HP OpenView NNM (Network Node Manager).
– CiscoWorks Assistant 1.2 has the following features:
Workflows to improve usability of LMS applications
Help to solve real business problems and overcome network inconsistencies
• Resource Manager Essentials (RME) 4.3
To support life cycle management, RME provides the ability to manage device inventory and audit changes, configuration files, software images -- as well as syslog analysis.
• Campus Manager (CM) 5.2
Campus Manager provides the ability to visualize network topology, manage VLANs, detect/fix network discrepancies, and display end-host/IP phone user tracking information.
• Device Fault Manager 3.2
Device Fault Manager provides the ability to monitor device faults in real time and determine the root cause by correlating device-level fault conditions. DFM can issue notifications of critical network conditions by email or pager. Fault history lets the user store and access historical information about alerts and faults that are detected and processed by DFM.
• Internetwork Performance Monitor (IPM) 4.2
Internetwork Performance Monitor measures network performance based on the synthetic traffic generation technology within Cisco IOS®Software, which is known as Cisco IOS IP SLA (Service Level Agreement). Using synthetic traffic by IPM gives the network manager a high degree of flexibility in selecting the endpoints in a network between which network performance will be measured. This flexibility makes IPM a highly effective performance troubleshooting tool.
• Virtual Network Manager (VNM)
VNM is an enterprise solution that allows administrators to carry out end-to-end Virtual Route Forwarding (VRF) configuration and to edit, extend, and delete VRF configuration details. It also collects VRF details of the VRF configured devices and generates reports to help you analyze VRF configurations on your network.
EnergyWise is a comprehensive program for power management utilizing the Cisco network as the power management platform. EnergyWise will allow customers to monitor, change, and facilitate efficient operation and reduce power consumption across the enterprise.
Currently the focus of the EnergyWise initiative is on current Catalyst® switches and future next-generation switches. Targeted EnergyWise clients are IP Phones, IP Cameras, IP Gateway video encoders, Wireless Access Points, Wireless Access Controllers, PC Laptops/Servers, PD Switch (C2960).
CiscoWorks LMS 3.2 will have an EnergyWise drop-in that provides the manageability support for EnergyWise covering provisioning, monitoring, reporting, and troubleshooting. The EnergyWise drop-in will be released as an update after the official release of LMS 3.2.
Add-on application:
• Health Utilization Monitor (HUM) 1.2
CiscoWorks Health and Utilization Monitor is an add-on application pre-integrated into LMS. HUM is a Simple Network Management Protocol (SNMP)-based MIB polling application that monitors network elements (such as CPU, memory, interfaces/ports, and links) for their availability and utilization levels and provides historical reporting.
Note: Refer to Appendix B for the version matrix of LMS bundles. To understand the new and legacy features introduced in each version, refer to the Installation Guide and the individual application user guides.
LMS Workflow
The flow chart in Figure 2 summarizes the device and LMS setup workflow, which covers the whole lifecycle of LMS server from initial setup to ongoing operations. The following chapters illustrate in detail each of the steps mentioned in this workflow.
Figure 2. Summary of Device and LMS Setup Workflow
Step 1. The first step in the workflow is to turn on Cisco Discovery Protocol (CDP), SNMP, and other credentials such as Telnet username/password on the devices so that the devices can be discovered and managed by CiscoWorks.
Tools used: Command-line interface (CLI) tools such as console connection, Telnet, Secure Shell (SSH) Protocol, and so on.
Step 2. The LMS server is installed, and initial setup was done on the server. This includes setting up the dashboard for the user interface, configuring basic server settings, automatically discovering the devices or manually adding devices, allocating the devices to be managed by the applications, integrating with Cisco Secure Access Control Server (ACS), and so on.
Tools used: LMS Portal, CiscoWorks Assistant, Common Services, and Setup Center.
Step 3. Once the Common Services Device and Credentials Repository (DCR) and the individual device databases residing on different applications are populated, administrators can start to perform their daily management tasks including:
• Device management: RME, CiscoView, and Device Center
• Network management: Campus Manager
• Fault management: Device Fault Manager
• Performance management : Internetwork Performance Monitor and Health Utilization Monitor
Besides these steps, there is also ongoing work for the maintenance and administration of the LMS server. The administrator can backup and restore data on the LMS server. LMS also offers a rich set of command-line tools to extract data from DCR and other individual applications. In LMS 3.2, we also support direct Open Database Connectivity (ODBC) access to database views.
2. Setting up Devices on the Network
LAN Management Solution 3.2 helps in managing Cisco devices on the network. Before LMS 3.2 can function properly, the network devices that LMS interfaces with must be set up correctly in order to communicate with the CiscoWorks server. For example, the SNMP community strings must match between the device and the CiscoWorks server. The information provided in this chapter is a general description of the means and procedures recommended to make sure that the network devices are set up properly.
Note: This chapter provides a great deal of information on the device configuration procedures required to manage devices using CiscoWorks LAN Management Solution. Keep in mind that this document is not intended to be a comprehensive configuration guide for LMS 3.2. For additional LMS configuration details, please contact a Cisco Certified network engineer (if possible) and refer to pertinent documents that are posted on Cisco.com.
Prior to LMS deployment, in the case of Cisco IOS and Catalyst Operating System (CatOS) devices, all configuration changes must be saved to nonvolatile memory (NVRAM) using the following commands:
write memory
or
copy running-config startup-config
Please note that the above command is provided to save pre-LMS deployment configuration changes. After LMS is deployed, configuration changes will be saved automatically where appropriate and no user intervention is required.
Also note that newer versions of CatOS devices have separate running and startup configurations.
Generic Configuration of Devices
This section describes the generic elements in the device configuration.
System Name
Each Cisco IOS device in the network must have a unique system name (sysname) in order to be managed. The system name is also populated in the Cisco Discovery Protocol table. If there are duplicate system names on the network, LMS will discover only one device by that name on the network. On Cisco IOS devices, the domain name also affects the system name.
You can set up the system name using the following commands:
For Cisco IOS devices:
hostname <name>
For Cisco CatOS devices:
set system name <name>
Domain Name
You can set a domain name on a Cisco IOS or CatOS device. To set up the domain name, use the following commands.
For Cisco IOS devices:
ip domain-name <name>
For Cisco CatOS devices:
set system name <name with domain name>
Command-Line Prompts
To utilize the NetConfig capability to execute batch changes on devices, Cisco device command-line prompts should meet the requirements described in this section.
Note: Customized prompts should also fulfill these requirements.
Cisco IOS devices:
• Login prompt should end with an angle bracket (>).
For example:Cisco>
• Enable prompt should end with a pound sign (#).
For example:Cisco#
Cisco CatOS devices:
• Enable prompt must end with (enable).
For example:Cisco(enable)
Configuring Communication Protocols
LMS uses various protocols to communicate with the devices. These protocols must be configured properly on both the LMS server and devices so that they can communicate to each other. See Table 1 for a list of device credentials for LMS applications.
1Configuration download also uses TFTP. Hence, SNMP Read/Write credentials are required.
2The file vlan.dat can be fetched only if the Telnet password and Enable password are supplied.
3Required in the case of a few devices such as PIX® devices, Cisco 2950 Series Switches.
SNMP Settings
LMS supports SNMPv1/v2c, and SNMPv3 with both AuthNoPriv mode and AuthPriv. SNMPv3 AuthPriv is a new feature introduced since LMS 3.0.1.
Note: SNMPv3 AuthPriv support for DFM is added in a drop-in over LMS 3.1 for 100, 300, and 1500 device counts.
SNMP settings include both the read-only community string and the rewritable community string. The read-only community string is used to perform "snmp get" operations on MIB objects to collect information such as inventory, interface utilization, and so on. The rewritable community string is used in various cases. For example, the RW string is used in RME for:
• Configuration deployment
• Software Image Management (SWIM)
CiscoWorks can collect device configurations by either SNMP-write, which triggers a TFTP, or by grabbing output from a CLI 'show running' c(requiring Telnet or SSH access to the device).
In image deployment the RW community string is used to trigger the TFTP connection and also for the system reboot after the image is downloaded. The RW string is also used in Campus Manager for configuration changes such as fixing discrepancies.
Enabling SNMPv1/v2c on Cisco IOS devices:
To enable SNMPv1/v2c on Cisco IOS devices, follow these steps:
snmp-server community <read-community-string> ro
snmp-server community <write-community-string> rw
Enabling SNMPv1/v2c on Cisco CatOS devices:
To enable SNMPv1/v2c on Cisco CatOS devices, follow these steps:
set snmp community read-only <read-community-string>
set snmp community read-write <write-community-string>
The community strings configured on the devices should match the community strings entered in the DCR component in LMS.
Enabling SNMPv3 on Cisco IOS devices:
To enable SNMPv3 on Cisco IOS devices, follow these steps:
• Create a user and authentication protocol to be used
set snmp user cmtester authentication md5 cisco123
• Create a group and associate the user with it
set snmp group cmtest user cmtester security-model v3 nonvolatile
Enabling traps in CatOS devices to be sent to a particular host:
To enable traps in Catalyst OS devices to be sent to a particular host, enter this command:
set snmp trap 192.168.124.24 public
Enabling traps in Cisco IOS devices to be sent to a particular host using SNMPv2c:
To enable traps in Cisco IOS devices to be sent to a particular host using SNMPv2c, enter this command:
snmp-server host 192.168.124.24 traps version 2c public
In the above examples for enabling traps, the public community string is to help selective processing of traps on the trap receiving side.
Prerequisites for SNMPv3 Support on Spanning Tree Protocol
For using various spanning tree features in devices running SNMPv3, you are required to make specific configurations on the devices for context name support. The additional command that needs to be configured for the three types of Spanning Tree Protocol are:
Note: Context support is not available on XL Series and 2950 Switches, and Campus Manager will not fully work with them when they are configured to use SNMPv3.
After a software image distribution operation using Resource Manager Essentials is completed, RME will reload the device if specified in the image distribution job. RME will be able to reload any device (Cisco IOS or CatOS) only if an SNMP manager (in this case RME) is allowed to reset the agent.
The following command is needed on Cisco IOS devices only:
snmp-server system-shutdown
Telnet/SSH
Telnet is one of the basic protocols that can be used by RME for configuration management. You can enable Telnet using the following commands.
To enable Telnet on Cisco IOS devices and CatOS devices, enter these commands:
line vty 0 4
password <password>
transport input telnet
Note: More than four VTY lines can be selected for login.
Different authentication on different VTY lines is not supported.
SSH provides for a secure communication with the device.
Cisco IOS Software
The following example configures SSH control parameters on a router running Cisco IOS Software:
Router> config terminal
Router (config)# hostname hostname <the name of the router>
Router (config)# ip domain-name domainname <a domain that the router services>
Note: For greater access control and logging facilities, use TACACS. SSH configuration requires the domain name to be configured.
Remote Copy Protocol
Remote Copy Protocol (RCP) is one of the protocols that can be used by RME for configuration management and software image management. For LMS to be able to provide configuration and software management using RCP, it must be enabled on the devices.
RCP can be enabled only on devices running Cisco IOS Software using the following sample commands:
username cwuser password 7 000C1C0A05
ip rcmd rcp-enable
ip rcmd remote-host cwuser 172.17.246.221 cwuser enable
ip rcmd remote-username cwuser
Note: The value of <remote-username> and <local-username> entered in the device should match the "RCP User" value provided in the LMS server. The default value is cwuser. This value can be reset by traversing through the following user interface links in LMS server: Common ServicesàServeràAdminàSystem Preferences. See Figure 3.
Figure 3. System Preferences
Secure Copy Protocol
The Secure Copy Protocol (SCP) feature was introduced in Cisco IOS 12.2(2)T.
To enable and configure a Cisco router for SCP server-side functionality, perform the steps in Table 2.
Table 2. SCP Configuration
Command
Purpose
Step 1
enable
Enables privileged EXEC mode.Enter your password if prompted.
Step 2
Router# configure terminal
Enters global configuration mode.
Step 3
Router (config)# aaa new-model
Sets authentication, authorization, and accounting (AAA)at login.
Step 4
Router (config)# aaa authentication login default group tacacs+
Enables the AAA access control system. Complete syntax: aaa authentication login {default |list-name} method1 [method2...]
Step 5
Router (config)# aaa authorization exec default group tacacs+
Sets parameters that restrict user access to a network. The exec keyword runs authorization to determine if the user is allowed to run an EXEC shell; therefore, you must use it when you configure SCP.
Establishes a username-based authentication system. You may skip this step if a network-based authentication mechanism -- such as TACACS+ or RADIUS -- has been configured.
The Cisco IOS HTTP server provides authentication, but not encryption, for client connections. The data that the client and server transmit to each other is not encrypted. This leaves communication between clients and servers vulnerable to interception and attack.
Use the following command to enable HTTP mode:
ip http server
The Secure HTTP (HTTPS) feature provides the capability to connect to the Cisco IOS HTTPS server securely. It uses Secure Sockets Layer (SSL)1 and Transport Layer Security (TLS) to provide device authentication and data encryption.
Cisco Common Services uses both Layer 2 (Cisco Discovery Protocol) and Layer 3 (Border Gateway Protocol [BGP], Open Shortest Path First [OSPF], Address Resolution Protocol [ARP], and routing tables) to discover devices. Cisco Discovery Protocol is the default protocol to discover Cisco devices on the network. Cisco Discovery Protocol is a Cisco proprietary Layer 2 protocol that is media and protocol independent and runs on all Cisco manufactured equipment. A Cisco device enabled with Cisco Discovery Protocol sends out periodic interface updates to a multicast address in order to make itself known to neighbors. Since it is a Layer 2 protocol, these packets (frames) are not routed.
Enabling Cisco Discovery Protocol on devices allows Common Services to learn information about neighboring devices and to send SNMP queries to those devices.
Enable/Disable Cisco Discovery Protocol on Cisco IOS devices:
Cisco Discovery Protocol is enabled on Cisco IOS devices by default. To manually enable Cisco Discovery Protocol capability on Cisco IOS devices use the following commands.
To enable Cisco Discovery Protocol globally:
cdp run
To enable Cisco Discovery Protocol on specific interfaces only:
cdp enable
Use the no command to disable Cisco Discovery Protocol capability on Cisco IOS devices.
Enable/Disable Cisco Discovery Protocol on Cisco CatOS devices:
Cisco Discovery Protocol is enabled on Cisco CatOS devices by default. To enable Cisco Discovery Protocol capability manually on CatOS devices use the following commands:
To enable Cisco Discovery Protocol globally:
set cdp enable
To enable Cisco Discovery Protocol on specific ports only:
set cdp enable [mod/port]
Use the set cdp disable command to disable Cisco Discovery Protocol on CatOS devices.
Do not run Cisco Discovery Protocol on links that don't need to be discovered by Campus Manager, for example, connection to the Internet and end host connection ports on access switches.
To protect from Cisco Discovery Protocoldenial of service (DoS) attacks, do not enable Cisco Discovery Protocol on links that are connected to non Cisco devices.
Note: Certain nonCisco devices support Cisco Discovery Protocol. If you enable Cisco Discovery Protocol on the Cisco devices connected to nonCisco devices, they will appear on the Campus map.
For related information, please refer to the following URL for how to discover devices using LMS.
Syslog messages can be enabled on Cisco devices to fully use the capability of LMS, especially RME. RME has a built-in syslog receiver/analyzer, and it can invoke automated actions based on the content of the syslog message.
Cisco IOS Devices
Enable Syslog messages on IOS devices from global configuration mode:
logging on
logging < server-ip-address>
logging facility local7
logging trap <logging-level>
For example,
logging 10.1.1.1
logging on
logging facility local7
logging trap warnings
Note: To limit the number of messages sent to the syslog servers, use the logging trap configuration command above.
Catalyst OS Devices
Enable Syslog messages on CatOS devices:
set logging server enable
set logging server <server-ip-address>
set logging level all <logging-level> default
The <server-ip-address> is the IP address of the LMS server. In case of multiple servers the server IP address entered here is the address of the RME server. In the case of remote Syslog Analyzer and Collector, this parameter is the IP address of the remote Syslog Analyzer and Collector.
A better way to turn on syslog on devices is to use the RME NetConfig tool. With NetConfig users can create a job to deploy syslog configuration commands to multiple devices at the same time. NetConfig will be discussed in following section, but Figure 4 shows what an example syslog configuration will look like.
Figure 4. Turn on Syslog Using NetConfig
Protocol Setup on the LMS Server
Note: The settings described in this section will be finished after the LMS server is installed.
One of the most important areas of setup is the RME protocol setup. RME uses various protocols for configuration and software management. Network administrators can assign the protocols to be used in RME for configuration management and software management.
Configuration Management
You can set the protocols and order for configuration management applications such as Archive Management, Config Editor, and NetConfig jobs to download configurations and to fetch configurations. The available protocols are Telnet, Trivial File Transport Protocol (TFTP), RCP, SSH (Secure Shell), SCP, and HTTPS.
To setup protocol ordering for configuration management, go to Resource Manager EssentialsàAdministrationàConfig Mgmt.
Figure 5. RME Transport Protocol Settings
As in the Figure 5, for Config Fetch we use the SSH and TFTP protocols. LMS will first try SSH. If SSH does not work after three retries (not customizable) and timeouts (customizable, see below), LMS will fall back to TFTP, the next protocol on the list.
For secure communication between the server and device use SSH.
Retries and Timeouts
File transfer protocols like RCP and SCP use Telnet and SSH as underlying transport protocols.
From RMEàAdminàSystem PreferencesàRME Device Attributes, we have an option to set timeout for SNMP, Telnet, and TFTP. See Table 3 and Figure 6.
Table 3. Protocol Timeout/Retry Settings
HTTPS
-
Single attempt with primary credentials (default); if failed, one more attempt with secondary credentials (only if administrator settings are enabled for fallback)
TFTP
5 seconds (default)
2 (default)
RCP
36 seconds (default)
Single attempt (no retries)
SNMP
2 seconds (default)
2 (default)
SCP
36 seconds (default)
3 attempts with primary credentials (default); if failed, 3 more attempts with secondary credentials (only if administrator settings enabled for fallback)
Protocols
Timeout
Retries
Telnet
36 seconds (default)
SSH
36 seconds (default)
Note: Telnet is retried three times by default and cannot be changed.
Figure 6. Protocol Options
RME Secondary Credentials
The RME server polls and receives two types of credentials from each device and populates the DCR.These credentials are:
• Primary credentials
• Secondary credentials
RME uses either the primary or secondary credentials to access the devices using the following protocols:
• Telnet
• SSH
The RME server first uses the primary credentials to access the device. The primary credentials are tried out three times, and on failure the secondary credentials are tried out three times. Secondary credentials are used as a fallback mechanism in RME 4.3 for connecting to devices. See Figure 7.
For instance, if the AAA server is down, accessing devices using their primary credentials will lead to failure.
You can add or edit the secondary credentials information through the DCR page available in CiscoWorks Common Services if the secondary credentials information is not available for a device.
Similarly, software management attempts downloading the software images based on the protocol order specified. While downloading the images, software management uses the first protocol in the list. If the first protocol in the list fails, these jobs use the second protocol and so on, until software management finds a transport protocol for downloading the images. The supported protocols are RCP, TFTP, SCP, and HTTP.
In the View/Edit Preferences dialog box (Resource Manager EssentialsàAdministrationàSoftware MgmtàView/Edit Preferences) you can define the protocol order that software management has to use for software image downloads. Use the Add and Remove buttons for selecting the protocol order. See Figure 8.
Figure 8. Software Image Management Options
3. Cisco LAN Management Solution 3.2 Installation
Cisco LAN Management Solution installation is supported on both the Windows and Solaris operating systems.
Single Installation Experience
From LMS 3.0, the installation framework is enhanced to support installation of all LMS applications in a single package. You can install or upgrade the LMS applications from the single installation packaged in the LMS 3.2 DVD. Because everything is packaged in one bundle, customers do not need to worry about the sequencing order of installing the various components. Compared to the installation experience of previous LMS versions, the installation of LMS 3.x on Windows and Solaris is much easier. The installation will finish in one coordinated effort, smoothly.
Checklist before Installation
Before starting the installation, we recommend that you:
• Make sure your server hardware and software meet the minimum requirements to install the LMS server. The requirements vary according to how many devices you want to manage, how many applications you are installing, how heavily you are using the applications, any need to use a virtual machine, and so on. Check out the "System Requirements" section for more details.
• Back up your database if you have a previous version of LMS running. It is recommended to store backups on a separate partition or preferably on a separate disk. Backup partitions need to be large enough to store all application databases (for instance, RME, Campus Manager, DFM, and so on) as well as device configurations, software images, and user accounts. The backup partition should allow for multiple revisions. It is recommended to verify all backups that may be needed in the future. Please refer to the document Data Migration Guide of LMS3.0 available on the installation DVD.
• Enable Domain Name System (DNS) on the server so the device names can be resolved against IP addresses. If DNS is not present, create a local hosts file to help resolve the device names.
We recommend that before installing the LMS 3.2 product, you register the product and receive a permanent license.
Licensing Process
To license your product, follow these steps:
Step 4. Register the LMS product with Cisco.com to get your license file. If you are a registered user of Cisco.com, get your license file from http://www.cisco.com/go/license.
Logging into Cisco.com allows your Cisco user profile information to auto populate several product registration fields. Please note that the user authentication information is case sensitive.
Step 5. After you install LMS 3.2, copy the new license file to the CiscoWorks Common Services server into a directory with read permissions for the user name casuser or the user group casusers, such as .\NMSROOT (/opt/CSCopx) on Solaris, C:\program files\CSCopx on Windows.
Note: Do not save the license file on your desktop. casuser does not have read permission for the desktop folder. Even if you give casuser read permission to the license file residing on your desktop, casuser still cannot access the file, and therefore the license file cannot be verified. You must give read permission to the folder in which the license file is located.
Step 6. Install the license file:
If you have obtained the LMS license before installation:
c. Select the first LMS application you wish to install (ideally Common Services 3.1), and when prompted:
– On Windows, select the first option button and click Browse and use the File browse window to locate the license file directory.
– On Solaris, select L for License File after you accept the licensing agreement and continue installing the application.
d. Click Next to install the license file.
If you want to convert an evaluation copy to a licensed copy:
Go to the CiscoWorks homepage and select Common ServicesàServeràAdminàLicensing. The License Administration page appears. Enter the path to the new license file in the License field, or click Browse to locate the license file that you copied to the server in Step 2.
The system verifies whether the license file is valid, and updates the license.
The updated licensing information appears in the License Information page.
If you encounter errors, repeat the steps to license your product.
Note: The license file obtained is platform independent and thus can be used in both Windows as well as Solaris operating systems.
SKUs of LMS 3.2
The licenses of LMS 3.2 are based on how many devices managed. However, for Internetwork Performance Monitor, the license is based on the number of devices and the number of collectors.
You can select any one of the following four licenses of LMS 3.2:
• CWLMS-3.2-100-K9
Allows you to manage the following in each application:
– CiscoWorks RME: 100 devices
– CiscoWorks Campus Manager: 100 devices
– CiscoWorks DFM: 100 devices
– CiscoWorks IPM: 100 devices and 300 collectors
• CWLMS-3.2-300-K9
Allows you to manage the following in each application:
– CiscoWorks RME: 300 devices
– CiscoWorks Campus Manager: 300 devices
– CiscoWorks DFM: 300 devices
– CiscoWorks IPM: 300 devices and 1000 collectors
• CWLMS-3.2-1.5K-K9
Allows you to manage the following in each application:
– CiscoWorks RME: 1500 devices
– CiscoWorks Campus Manager : 1500 devices
– CiscoWorks DFM: 1500 devices
– CiscoWorks IPM: 1500 devices and 1500 collectors
• CWLMS-3.2-5K-K9
Allows you to manage the following in each application:
Note: The 10,000 SKU has not been tested at the bundle level, that is, RME and 5000 devices in all other applications in a single server. It can be only a multi-server deployment.
New Installation Instruction for LMS 3.2
Thanks to the single-package installation design, the LMS installation programs on both Windows and Solaris are user friendly and fail-proof. For Windows-based installations (Figure 9), follow the interactive instructions on executing setup.exe. Installation on Solaris may need more work since various patches will be needed before installing LMS. Please follow the interactive instructions once you execute setup.sh.
Figure 9. LMS Installation on Windows
For step-by-step installation instructions, please refer to the white paper Installing and Getting Started with LMS 3.2 on the installation DVD.
Note: Choose "Custom Installation" or "Typical Installation" with "Show Details" option enabled, so you can get the database password. The password may be needed if you want to develop applications to access the LMS database directly.
Upgrade and Migration from Legacy LMS Versions
Direct upgrade from LMS 2.5.1 and LMS 2.6 are supported (make sure the hardware/software requirements are met). Remote upgrade or migration to LMS 3.2 is supported from LMS 2.2, LMS 2.5, LMS 2.5.1, and LMS 2.6.
For more information on upgrade and migration, see Installing and Getting Started with CiscoWorks LAN Management Solution 3.2 (Maintenance Kit) and Data Migration Guide for CiscoWorks LAN Management Solution 3.2 on the installation DVD.
Note: For customers still running LMS 2.2 or earlier, it is recommended to get a new server and perform a fresh installation.
Installation Log
The installation log exhaustively logs operations performed during the installation process. In case the installation is unsuccessful or problematic, you can review the installation log for error messages, if any.
• Solaris
In Solaris, the installation log is located at /var/tmp/Ciscoworks_install_YYYYMMDD_hhmmss.log for LMS 3.2 installation, where YYYYMMDD denotes the year, month, and date of installation and hhmmss denotes the hours, minutes, and seconds of installation.For example:/var/tmp/Ciscoworks_install_20060721_182 205.log
• Windows
In Windows, the installation log is located in the root directory of the drive where the operating system is installed. Each installation creates a new log file.
For LMS 3.2, the installation log file is C:\Ciscoworks_install_YYYYMMDD_hhmmss.log, where YYYYMMDD denotes the year, month, and date of installation and hhmmss denotes the hours, minutes, and seconds of installation.
For example: C:\Ciscoworks_install_20060721_182205.log
Verifying the LMS 3.2 Installation
After you install CiscoWorks LMS 3.2 on Windows, you must verify the installation. To do this:
Launch CiscoWorks: http://server_name:1741
where server_name is the name of the CiscoWorks server and 1741 is the TCP port used by the CiscoWorks server.
In normal mode (HTTP), the default TCP port for the CiscoWorks server is 1741. When SSL (HHTPS) is enabled, the default TCP port for the CiscoWorks server is 443.
You can change the HTTPS port number of the CiscoWorks server during the installation. See Installing and Getting Started with LAN Management Solution 3.2 for more information.
Select Common ServicesàSoftware CenteràSoftware Update.
The Software Updates window appears. The entries shown in Figure 10 appear in the Products Installed table for each application that you have installed.
Figure 10. Installed Components
Third-Party Tools and Software Changes
LMS supports HP OpenView 7.5.x and IBM NetView 7.1.x. For information on how to integrate with HP OpenView or NetView, check out the user guide of Integration Utility included in the DVD.
On the client side, Firefox 3.0 and Internet Explorer 7.0 browsers are supported in this release.
Post installation Tasks
The first step after installing the products is to check for any updates for service packs. Service packs can be downloaded from either Cisco.com or as a software update (accessed from Common ServicesàSoftware CenteràSoftware Update).
Note: There is a link on LMS Portal for the latest announcements regarding software update and related topics.
Recommendations for Installation of LMS 3.0 Applications
Here are a few caveats for the installation:
• LMS Portal 1.2 and CiscoWorks Assistant 1.2 will be selected by default along with Common Services 3.3.
• Common Services 3.3, LMS Portal 1.2, and CiscoWorks Assistant 1.2 must be installed and uninstalled together.
• Integration Utility (NMIM) 1.9 can be installed independently without installing the default applications Common Services 3.3, LMS Portal 1.2, and CiscoWorks Assistant 1.2.
• Applications can be selected simultaneously for a reinstallation during new or upgrade install of LMS 3.2.
Ports Used by LMS Applications
Make sure the ports listed in Table 4 are open on the CiscoWorks server, or are not used by other applications.
Table 4. LMS Application Port Usage
Protocol
Port Number
Service Name
Applications
Direction
(of Establishment) of Connection
TCP
49
TACACS+ and ACS
CiscoWorks Common Services, RME, Campus Manager, DFM, and IPM
Server to ACS
TCP
25
Simple Mail Transfer Protocol (SMTP)
CiscoWorks Common Services (PSU), RME
Server to SMTP server
TCP
22
SSH
CiscoWorks Common Services, Campus Manager, and RME
Server to device
TCP
23
Telnet
CiscoWorks Common Services, Campus Manager, and RME
Server to device
UDP
69
TFTP
CiscoWorks Common Services and RME
Server to device
Device to server
UDP
161
SNMP
CiscoWorks Common Services, CiscoView, RME, Campus Manager, DFM, IPM, and HUM
Server to device
Device to server
TCP
514
Remote Copy Protocol
CiscoWorks Common Services
Server to device
UDP
162
SNMP traps (standard port)
Campus and DFM
Device to server
UDP
514
Syslog
CiscoWorks Common Services and RME
Device to server
UDP
1431
Trap listener to MAC notification traps
Campus Manager
Device to server
UDP
9000
DFM trap receiving (if port 162 is occupied)
DFM
Device to Server
UDP
16236
UT host acquisition
Campus Manager
End host to Server
TCP
443
CiscoWorks HTTP server in SSL mode
CiscoWorks Common Services
Client to server
Server internal
TCP
1741
CiscoWorks HTTP Protocol
CiscoWorks Common Services, CiscoView, Campus Manager, RME, DFM, and IPM
Client to server
UDP
42342
OSAGENT
CiscoWorks Common Services
Client to server
(for ANIServer)
TCP
42352
ESS HTTP
(alternate port is 44352/tcp)
CiscoWorks Common Services
Client to server
TCP
8898
Log server
DFM
Server internal
TCP
9002
DynamID authentication (DFM broker)
DFM
Server internal
TCP
9007
Tomcat shutdown
CiscoWorks Common Services
Server internal
TCP
9009
Ajp13 connector used by Tomcat
CiscoWorks Common Services
Server internal
UDP
9020
DFM trap receiving
DFM
Server internal
TCP
10002
OpsXML message bus, OpsXMLRuntime
CiscoWorks Assistant
Server internal
UDP
14004
Lock port for ANIServer singlet on check
Campus Manager
Server internal
TCP
15000
Log server
DFM
Server internal
TCP
40050-
40070
CSTM ports used by CS applications, such as OGS, DCR
CiscoWorks Common Services
Server internal
TCP
40401
LicenseServer
CiscoWorks Common Services
Server internal
TCP
43242
ANIServer
Campus Manager
Server internal
TCP
42340
CiscoWorks Daemon Manager - Tool for Server Processes
CiscoWorks Common Services
Server internal
TCP
42344
ANI HTTP server
CiscoWorks Common Services
Server internal
UDP
42350
Event Services Software (ESS)
(alternate port is 44350/udp)
CiscoWorks Common Services
Server internal
TCP
42351
Event Services Software (ESS) listening
(alternate port is 44351/tcp)
CiscoWorks Common Services
Server internal
TCP
42353
ESS routing
(alternate port is 44352/tcp)
CiscoWorks Common Services
Server internal
TCP
43441
CMF database
CiscoWorks Common Services
Server internal
TCP
43455
RME database
RME
Server internal
TCP
43443
ANIDbEngine
Campus
Server internal
TCP
43445
Fault history database
DFM
Server internal
TCP
43446
Inventory service database
DFM
Server internal
TCP
43447
Event Promulgation Module database
DFM
Server internal
TCP
44400-
44420
CSTM port for DFM, HUM
DFM, HUM
Server internal
TCP
47000-
47040
CSTM port for RME
RME
Server internal
TCP
49154
UPMDbEngine
HUM
Server internal
TCP
49155
OpsxmlDbEngine, JDBC / ODBC
CiscoWorks Assistant
Server internal
TCP
49157
IPM database
IPM
Server internal
TCP
50001
SOAPMonitor
RME
Server internal
TCP
55000-
55020
CSTM port for Campus Manager
Campus Manager
Server internal
4. Initial Setup of the LMS 3.2 Server: Portal, Setup Center, and Common Services
This chapter will guide you through the initial setup of the LAN Management Solution server. This chapter provides setup information on the CiscoWorks Portal, CiscoWorks Assistant, Setup Center, and Common Services.
LMS Portal is the GUI front of the server. CWA is the workflow engine, or GUI wizard, to guide the user through setting up the LMS server. CWA has been steadily improved since first introduced in LMS 3.0. It is the recommended way for the initial setup of the LMS 3.2 server.
Alternatively, advanced users can use LMS Setup Center for more server setup functions. LMS Setup Center is the centralized location where the user can get done with most of the application settings including Common Services, Resource Management Essential, Campus Manager, and Device Fault Manager.
CiscoWorks Portal
In previous versions of LMS, users had to go through multiple layers of user interface (sometimes through three or four mouse clicks) to reach status information or the desired data. Moreover there was no customization supported. Users could not customize the desktop for easy, quick access to frequently accessed data or functionality, which led to usability challenges.
Starting with LMS 3.0, the CiscoWorks Portal was introduced as the dashboard to provide zero-click access to network data and management functionality, significantly improving the usability of LMS. Through this portal, you can easily launch all the functions offered by LMS and have direct access to the status of your LMS servers, network devices, and network topologies.
The primary benefits of CiscoWorks LMS Portal are:
• Customization: You can personalize the CiscoWorks homepage using the drag-and-drop, add, edit, and remove features
• Information available zero-click: Easy and quick access to the frequently viewed vital information pulled directly from the applications in the CiscoWorks LMS suite
• Multi-server support: Lists all of the portlets based on the applications installed on remote servers
• Lightweight GUI: Eliminates the need to install any plug-ins to launch the application
Components of LMS Portal
When the user logs into the LMS server, the user sees the CiscoWorks LMS Portal (Figure 11). The LMS Portal has three different components:
Figure 11. Portal Layout
• The Portal: The portal serves as the overall container and contains a set of views. You can set up the portal to manage a single server or multiple servers.
• Communities and Views: Views are organized pages under name tabs and contain a set of portlets. For example, under the Functional tab is the Functional view. LMS 3.2 comes with three predefined communities, or supersets of views (Figure 12).
Figure 12. Portal Communities
You can select either LMS or CiscoWorks Portal or My Portal from the drop-down box displayed at the top right corner of CiscoWorks LMS Portal.
The LMS community is the default community and contains nine page views:Functional, System, Network, CS, DFM, CM, RME, IPM, and HUM. You can also create your own page views and add portlets to get the view you want.
The CiscoWorks Portal is the public community shared by all users. You can copy views from LMS super view and add or delete portlets for everyone to see.
The My Portal view is the private community configured by the user. It changes when a different user logs into the server.
• Portlets: Portlets are individual pieces of data pointing to an application function or status report. You can add or remove portlets to customize the views except the Functional view. The portlet list is based on the applications installed and registered. The visibility of portlet contents is based on the user's roles and privileges.
Each portlet contains six icons on the top. These icons will be visible only when you move the mouse over the right corner of each portlet. By clicking these icons you can change the look and feel of the portlet, configure the portlet, get help, minimize or maximize, or close the portlet. See Figure 13.
Figure 13. Portlet Example: RME Hardware Summary
Customize the Portal
LMS offers tremendous flexibility for the user to customize the look and feel of the portal. You can,
• Add a page view
Adding a new view helps you to consolidate information specific to a particular function, such as troubleshooting. It also allows you to group data from different LMS applications on a single page.
To add a view:
Go to the CiscoWorks LMS Portal homepage and click the Add View button located at the top right corner of the portal.
Figure 14. Add View
Input the name and click Save.
Note: After you add a View, you can customize it by either duplicating an existing view as a template or by creating it afresh by adding your own portlet. To duplicate from an existing view as a template, click in your newly created view, click View, and then choose the template and click Save. Following this step, you can go to the view and choose to add or delete individual portlets.
Customize a View
To start from a blank view, click the tab for the new view, and click the Add Portlet button located at the top right corner. The portlet selector appears (Figure 15).
Figure 15. Add Portlets
From this selector, you can choose the portlet you want to add to your view by browsing the available categories.
You can search a portlet by using the search box at the top. For example, you can search for Object Finder (Figure 16).
• Portlet view: This is the default type. It's a view that contains various portlets of interests.
• Embedded view: You can embed a webpage in the embedded view. Just point it to the URL of the webpage. It'll show the webpage in LMS Portal.
• URL: You can point to a URL. Clicking the view tab will launch the website outside the portal.
To change the view type, click the Edit View button at the top right corner of the portal. For example, see Figure 17 to see how to make an embedded view for the RME dashboard.
Figure 17. Make an Embedded View
Note: You can create a friendly URL for the view, which can be used to directly access functions.
Deleting a View
To delete a view, edit the view and choose the view to be deleted (Figure 18).
Figure 18. Delete a View
Use CWA for initial Setup of the CiscoWorks Server
To use CWA for the initial setup, go to the Functional view and locate the CiscoWorks Assistant portlet. There are three workflows out of the box. Choose Server Setup (Figure 19).
Figure 19. CWA Portlet
The Server Setup workflow will guide the user through the basic server setup tasks including:
• Configuring server settings such as System Identity, admin password, SMTP, and so on
• Configuring device management mode
• Configuring default credentials for the network devices
• Manually adding or automatically discovering network devices on your network
• Allocating devices to be managed by applications like RME, CM, DFM, and IPM
• Integrating with ACS (optional but recommended; covered in a separate whitepaper)
Note: After finishing the CWA workflow, all these tasks can still be directly accessed in Common Services.
After launching the CWA server setup workflow, it shows the local LMS server and the connection status (Figure 20).
Figure 20. CWA Server Setup Workflow
Click the Start Setup button to start the workflow, or continue the previous unfinished setup.
For a fresh server, the user needs to configure the server setting as shown in Figure 21.
Figure 21. CWA Server Settings
The next step will show the current system identity. System identity setup helps you to create a trusted user on servers that are part of a multiple LMS server setup or ACS integration. This facilitates user communication among servers that are part of a management domain. There can only be one system identity user for each server.
The system identity user you configure must be a peer server user.
In the non-ACS mode, the system identity user that you create must be a local user, with all privileges.
In the ACS mode, the system identity user should be configured in ACS, with Super Admin privileges, in all applications registered in ACS. You can either configure the system identity user with the predefined Super Admin role or with a custom role created with all privileges in ACS. See Figure 22.
Figure 22. CWA: System Identity
In Figure 23 we create a new system identity user.
Figure 23. CWA: New System Identity
The next step is to configure the device management mode. Initially the devices are added or discovered to the DCR of Common Services. By default, all devices are managed automatically by Campus Manager and RME, but not DFM and IPM. The device management mode determines whether the new devices are automatically managed by CiscoWorks applications. There are three device management modes. See Table 5.
Table 5. Device Management Mode
Device Management Mode
Description
Auto Allocation Off
In this mode, automatic addition of devices to LMS applications is disabled. You can use this option to:
• Selectively add devices to the application from DCR.
• Add previously deleted devices back into the application.
You can manually add the devices to LMS applications even if you have selected other modes for device management.
Auto Allocation - All Devices
In this mode, all devices in DCR are added to the selected LMS application. This is also limited by the LMS license you have purchased.
Auto Allocation - Allocate by Groups
In this mode, devices that belong to a specific group in Common Services are added to LMS applications. This is also limited by the LMS license you have purchased.
You must select a group name for all applications that are installed on local and peer servers.
In Figure 24 we auto allocate all devices to the applications including RME, CM, DFM, and IPM.
Figure 24. CWA: Auto Allocation
CWA will finish the first part of the server setup and report the status. See Figure 25.
Figure 25. CWA: Server Setup
Multiple Default Credential Sets
Next CWA will guide you to configure the default credentials and credential sets. Default Credentials is a new feature since LMS 3.0. It allows the user to set up common (default) credentials for the devices so the user does not need to specify credentials one by one for the devices. In LMS 3.2, a new feature is added to support credential sets. Now you can create multiple sets of default credentials and assign the sets based on policies, that is, IP address, host name, or display name.
Figure 26 shows how to create the default credential set.
Figure 26. Create Default Credential Set
Here we create the credential set MyDefaultSet2. Click Apply and fill in the standard credentials and SNMP credentials.
The standard default credentials include primary and secondary credentials (username, password, and enable password for Telnet or SSH). See Figure 27.
Figure 27. Default Credentials: Standard Credentials
SNMP credentials now support both SNMPv2, and SNMPv3 for both AuthNoPriv and AuthPriv modes (Figure 28).
Figure 28. Default SNMP Credentials
Credential Set Policies
After saving the default credential set, the user is prompted to add the policy configuration for the default credential sets created. You can assign sets based on IP range, hostname, or display name (Figure 29).
Figure 29. Credential Policy Configuration
Figure 30 shows the add device interface. You can manually add the devices into DCR by bulk importing from a file (comma-separated values [CSV] or XML) or network management systems (HP OpenView, IBM NetView, or Cisco Secure ACS).
Or you can run the discovery process on the server to find devices on your network.
Figure 30. CWA: Discover Mode
The NG (next-generation) automatic device discovery of LMS 3.2 supports both Layer 2 (Cisco Discovery Protocol) and Layer 3 protocols. You can also do a ping sweep across the network or use other options like Cluster Discovery Module and Hot Standby Router Protocol (HSRP). For details, check out the NG discovery whitepaper at http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-493921.html.
Note: In LMS 3.2, discovery supports IPv6 using ping sweep and the Cisco Discovery Protocol module only.
By default Cisco Discovery Protocol is used to discover the devices. Figure 31 shows how to choose the discovery modules.
Figure 31. CWA: Discovery Modules
To use Cisco Discovery Protocol as the discovery protocol, first add the seed devices. The seed devices are usually the core switches that have the most connections to other network devices. The CiscoWorks server will go to the seed device and find its neighbors, then find the neighbors' neighbors. This process will propagate across the network until all devices are found.
In Figure 32 we add the seed devices and specify how many hops the discovery shall proceed (the default is unlimited). Jump Router Boundaries is turned on to allow the discovery to extend beyond the boundaries set by routers within the network. Device discovery may take longer if you do not selectively choose the boundaries by excluding specific IP addresses.
There is another option to use DCR as a seed list, but it is not recommended if you have already imported many devices in DCR.
Figure 32. CWA: Seed Device for Discovery
Next we configure the SNMP settings, including target, read community string, timeouts, and retries (Figure 33).
Note: Discovery SNMP settings page is enhanced to support SNMPv2c to SNMPv1 and SNMPv3 to SNMPv2c fallback. When the SNMP fallback from SNMPv2c to SNMPv1 option is selected, the discovery falls back to SNMPv1 if SNMPv2c fails.When SNMP fallback from SNMPv3 to SNMPv2c is selected, the discovery falls back to SNMPv2c if SNMPv3 fails.
Figure 33. CWA: SNMP Settings for Discovery
If you want to limit the discovery scope, configure the filter settings to include or exclude devices based on IP address, DNS domain, sysObjectID, or sysLocation (Figure 34).
Figure 34. CWA: Discovery Filter Settings
On the global settings, users can configure the preferred DCR display name and preferred management IP and choose the default credentials. If you want the discovery process to resolve IP addresses to hostnames, make sure DNS is configured properly on the LMS server. See Figure 35.
Figure 35. CWA: Discovery Global Settings
Multiple Device Credentials
New in LMS 3.2, multiple sets of default credentials can be configured and applied when adding, editing, or importing devices. Policy-based credentials allow users to apply credential sets to devices based on IP address range, display name, or host name.
After the discovery is done, a message is shown to report the success (Figure 36).
Figure 36. CWA: Discovery Completed
Users can check the devices discovered by going to Common ServiceàDevice and CredentialsàDevice Management to check out the device summary (Figure 37).
Figure 37. Common Services: Device Selector
The next step is to allocate the devices to the applications. In Figure 38 we are allocating all devices to RME, CM, DFM, and IPM.
Note: Most of the steps done by CWA can be directly accessed from the Common Services dashboard. If you need to rerun some of the jobs such as device discovery, launch the Common Services dashboard from the Functional view. For example, under Common Services à Device and Credentials à Device Discovery you can configure and run discovery.
CiscoWorks LMS Setup Center
For advanced users, CiscoWorks LMS Setup Center is a centralized area where the user can quickly complete the CiscoWorks system configurations. One of the most common observations from new CiscoWorks users is that it is difficult to remember which application menu to navigate to when changing a system setting. CiscoWorks LMS Setup Center was designed to provide shortcuts to those options that may be difficult to find. It allows you to configure the necessary server settings immediately after installing the CiscoWorks LMS software. The Edit icon displayed for each setting takes you to the respective application page to configure the settings. See Figure 39.
Figure 39. LMS Setup Center
The configurations in CiscoWorks LMS Setup Center are grouped into the following categories:
• System Settings: The configuration that the system needs to function effectively
• Security Settings: The security-related settings for the product
• Data Collection Settings: The settings necessary for collecting data from the devices
• Data Collection Schedule: The schedule settings for collecting the data from the server
• Data Purge Schedule: The configurations that are necessary for the device to purge data
The settings specific to all applications including CiscoWorks Common Services, CiscoWorks RME, CiscoWorks Campus Manager, and Device Fault Manager are grouped within these five categories, and Setup Center enables you to configure them in a common space.
Note: If an application is not installed, the corresponding entries are not available.
System Settings
This category lists the configurations that are necessary for the system to function.
The system settings specific to all the applications are grouped under this category. If a CiscoWorks application is not installed, the corresponding entries are not displayed. To launch the System Settings page, click the System Settings tab from the CiscoWorks homepage's LMS Setup Center application. The System Settings page displays the name of the settings, their value, and a brief description. Each entry has an Edit icon. Click the Edit icon for a specific system setting to open the corresponding settings page.
Security Settings
The security-related configurations of all CiscoWorks applications are grouped under this category. If a CiscoWorks application is not installed, then the corresponding entries are not displayed.
To launch the Security Settings page, click the Security Settings tab from the LMS Setup Center application. The Security Settings page displays the name of the settings, their value, and a brief description. Each entry has an Edit icon. Click the Edit icon for a specific security setting to open the corresponding security settings page.
Data Collection Settings
This category lists the settings to collect the data from the devices. The data collection settings specific to all CiscoWorks applications are displayed here. If an application is not installed, the corresponding entries are not displayed.
To launch the Data Collection Settings page, click the Data Collection Settings tab from the LMS Setup Center application. The Data Collection Settings page displays the name of the settings, their value, and a brief description. Each entry has an Edit icon. Click the Edit icon for a specific data collection setting to open the corresponding data collection page.
Data Collection Schedule
This category lists the schedule settings for the server for data collection. The data collection schedule settings for all CiscoWorks applications are under this category. If a CiscoWorks application is not installed, the corresponding entries are not displayed.
To launch the Data Collection Schedule page, click the Data Collection Schedule tab from the LMS Setup Center application. The Data Collection Schedule page displays the name of the settings, their value, and a brief description. Each entry has an Edit icon. Click the Edit icon for a specific data collection schedule setting to open the corresponding configuration page.
Data Purge Schedule
This category lists the configurations for the device to purge data. The data purge settings specific to all CiscoWorks applications are under this category. If a CiscoWorks application is not installed, the corresponding entries are not displayed.
To launch the Data Purge Schedule page, click the Data Purge Schedule tab from the LMS Setup Center application. The Data Purge Settings page displays the name of the settings, their value, and a brief description. Each entry is accompanied by an Edit icon. Click the Edit icon for a specific data purge schedule to open the corresponding configuration page.
Common Services Setup
Common Services is the core component of the LMS applications, and other applications rely on it to perform their tasks. Common Services maintains the database for DCR, which stores all the device information to be managed.
General Server Setup
DCR Mode
This paper discusses LMS server as a standalone server. As you become more familiar with the LMS features, you can set up multiple LMS servers to work together in a master/slave scenario. To change the mode of the LMS server, go to CSàDevice and CredentialsàAdminàMode Settings. See Figure 40.
Figure 40. DCR Mode
Device Polling
Unreachable devices in DCR are detected by polling the devices using supported protocols for a specific period of time. These devices can then be deleted from DCR. Protocols supported are ping, Snmpv1/v2/v3.
To configure device polling, go to Common Services àDevice and Credentials àAdminàDevice Polling. See Figure 41.
Figure 41. Device Poll Settings
Deleting Unreachable Devices from DCR
The possible reasons for device unreachability are:
• Connectivity protocols such as SNMP or Internet Control Message Protocol (ICMP) may be disabled on the device.
• Incorrect credentials may be configured for the device.
• Invalid timeout and retries may have been configured on the device.
To delete unreachable devices from DCR:
1. Go to the CiscoWorks homepage and select Common Services à Device and Credentials à Admin à Device Polling à Unreachable Device Report.
The Unreachable Device Report page appears.
Alternatively, you can navigate to this page from the LMS Portal homepage if you have installed the LMS Portal application on the CiscoWorks server.
2. Do either one of the following:
• Select Show All Unreachable Devices to display all the devices that are not reachable.
• Or select Show Devices Not Reachable For and enter a number in the text field corresponding to the polling frequency you have selected to see a list of devices unreachable during the corresponding time period.
• For example, if you enter the number 2 and have selected the device polling job frequency as Daily in the Device Polling Settings page, a list of devices that are unreachable for two days or more appears.
• If you enter the number 3 and have selected the device polling job frequency as 6 hours in the Device Polling Settings page, a list of devices that are unreachable for 18 hours or more appears.
Setting Up the CiscoWorks Homepage
You can configure or change the CiscoWorks homepage settings.
To modify the CiscoWorks homepage settings:
1. Select Common Services à Server à HomePage Admin à Settings.
2. Enter a name for the CiscoWorks Server in the Homepage Server Name field.
3. Check the Display Server name With Browser Title checkbox to display the name of the CiscoWorks Server along with the browser title.
4. Select the Hide External Resources check box to hide the Resources and CiscoWorks Product Updates panels in the homepage.
5. Enter the display name you want for third-party tools in the Custom Name for Third Party field.
6. Enter the display name you want for custom tools/homegrown tools in the Custom Name for Custom Tools field.
7. Select a value from the Urgent Messages Polling Interval drop-down list to set the polling interval for messages.
To disable this feature, select Disable from the drop-down list. The values are 1 Minute, 5 Minutes, 10 Minutes, and DISABLE.
The time you set here decides the polling interval for disk watcher messages and messages you want to broadcast using the Notify Users features. Disk watcher is a utility that monitors the file system. If the file system size goes above 90 percent, it displays an alert to the dashboard of logged-in CiscoWorks users. You can use this to monitor critical file systems.
8. Click Update. You can update any one of the above settings by clicking Update. If you have changed the homepage server name, a popup window appears prompting you to confirm whether you want to use this name in the provider group name. Click OK if you want the name to be suffixed to the provider group name.
• You need to restart Daemon Manager for the provider group name change to take effect.
Displaying CiscoWorks Server Name with Browser Title
Displaying the CiscoWorks server name with a browser title helps you to identify the server from which the application window is launched especially in a multi-server and single sign-on-based setup.
You can enable or disable the option of displaying the CiscoWorks server name along with the browser title. When you choose to display the server name in the browser title, the browser window displays the title in the following format:
Hostname - Application Window Title
Here Hostname is the name of the CiscoWorks server and Application Window Title is the title of the application window launched from CiscoWorks server.
For example, if the name of your CiscoWorks server is lmsdocultra, then the title of the CiscoWorks homepage would be displayed as lmsdocultra - CiscoWorks. If you launch Common Services from the CiscoWorks homepage, the title of the Common Services home window would be displayed as lmsdocultra - Common Services Home.
You can also enable or disable the display of the server name with the browser title by changing the configurations in a properties file.
Configure the uii-windows.properties file located at NMSROOT/lib/classpath to:
• Enable or disable the option of displaying the server name with the browser title
• Change the format of the display from Hostname - ApplicationWindowTitle to ApplicationWindowTitle - Hostname and vice versa
• Replace a hyphen (-) with any other delimiter except empty spaces
• Trim the spaces between the hostname, delimiter, and application window title
Registering Applications with CiscoWorks Homepage
Using this feature, you can register CiscoWorks applications on local or remote servers. You need to enter application instance attributes (host, port, and protocol). Other information such as AppName and URLs available are already defined by the application in a template.
During registration you are prompted to select an application template and then register with the CiscoWorks server. The registration enables the application to be integrated with other applications based on the template definition. It also helps application launch points to be displayed on the CiscoWorks homepage.
To view the registered applications:
1. Select Common ServicesàServeràHomePage AdminàApplication Registration.
2. View the list of registered applications in the Registered Applications dialog box.
To register a new application:
1. Click Register in the Registered Applications dialog box. A wizard guides you through the process.
2. Choose the location for registration. You can select Register from Templates or Import from Other servers.
To register from templates:
1. Select the Register from Templates radio button and click Next.
2. Select the radio button corresponding to the template you require and click Next.
3. Enter the server attributes in the server attributes dialog box and click Next.
4. Click Finish.
Importing from Other Servers
You must perform the following tasks before importing application registrations from other servers. This is to help ensure a secure environment for importing registrations.
• Create self-signed certificates for the local and remote servers (if not already done).
• Add the remote server's certificate to the local server. See Setting up Peer Server Certificate from the online help that accompanies LMS for details.
• Restart the local server.
• Create a peer server user on the remote server. Configure this user as a system identity user in the local server. See Setting up Peer Server Account and Setting up System Identity Account from the online help that accompanies LMS for details.
To import from other servers:
1. Select the Import from Other Servers radio button and click Next.
2. Enter the server name, server display name, and the secure port numbe in the Import Server's Attributes dialog box. Click Next.
3. Select one or more applications from the list to import into the CiscoWorks server. Click Next.
4. The Import Registration Summary window displays a summary of the information you entered. Click Finish.
When the browser-server security mode of the remote server is changed from non-SSL to SSL or from SSL to non-SSL, you should deregister the applications imported from that server and register them again.
Viewing Registered Application Information
The Application Registration screen shows the list of registered applications. You can view the application name, version, host name, and a description for each of the registered applications. This page shows the applications that are registered in the local server as well as any other applications whose templates are imported from other servers.
The version in this screen shows the major version of the applications. In order to know the version with patch level, go to Software CenteràSoftware Updates. The Software Updates page shows the version with patch-level information. The patch-level information is only available for the applications installed in the local server.
Registering Links with the CiscoWorks Homepage
You can add additional links to the CiscoWorks homepage for custom tools and home-grown tools and for third-party applications such as HP OpenView. The links appear under Third Party or Custom Tools on the LMS Portal as you have specified it.
To register links with the CiscoWorks homepage:
1. Select Common ServicesàServeràHomePage AdminàLinks Registration. The Links Registration Status page appears.
2. Click Register. The Enter Link Attributes dialog box appears.
3. Enter the link name and the URL.
4. Select the radio button corresponding to Third Party or Custom Tools to set the display location.
5. Click OK.
Securing LMS Servers
Accessing the LMS Server Securely Using SSL
By default the LMS server is accessed over HTTP at http://server:1741. Common Services provides secure access between the client browser and management server by using SSL. SSL encrypts the transmission channel between the client and server.
Note: SSL is an application-level protocol that enables secure transactions of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys.
To enable browser-server security:
1. Go to the CiscoWorks homepage and select Common ServicesàServeràSecurityàBrowser-Server Security Mode Setup.
2. Select the Enable option to enable SSL.
3. Click Apply.
4. Log out from your CiscoWorks session, and close all browser sessions.
5. Restart the Daemon Manager from the CiscoWorks server CLI.
On Windows:
Enter net stop crmdmgtd
Enter net start crmdmgtd
On Solaris:
Enter /etc/init.d/dmgtd stop
Enter /etc/init.d/dmgtd start
6. Restart the browser and the CiscoWorks session.
After this change has been implemented, you can log into the server securely using SSL by going to https://server:443. Note the port number has been changed from 1741 to 443.
Setting Up a Local User
To create a local user, go to the CiscoWorks homepage and select Common ServicesàServeràSecurityàLocal User Setup. Click Add to start the process. Fill in the username and password on the form, and choose the user role.
Note: By default, the minimum character limit for CiscoWorks local usernames is five characters. To add a local username with fewer than five characters, change the entry for validate User to false in the NMSROOT/lib/classpath/ss.properties file.
You can only create one user at a time. To create local users in bulk, use the CLI tool. Refer to the help file and search on Setting Up Local Users Through CLI.
System administrators determine user security levels when users are granted access to CiscoWorks. When users are granted logins to the CiscoWorks application, they are assigned one or more roles (Table 6).
Table 6. User Roles
Level
Description
0
Help Desk
1
Approver
2
Network Operator
4
Network Administrator
8
System Administrator
16
Export Data
A role is a collection of privileges that dictate the type of system access you have. A privilege is a task or operation defined within the application. The set of privileges assigned to you defines your role and dictates how much and what type of system access you have.
The user role or combination of roles dictates which tasks are presented to the users. Table 7 shows the security levels.
For information on tasks that can be performed with each role, you can generate a permissions report. To generate a permissions report:
1. Go to the CiscoWorks homepage and select Common ServicesàServeràReports.
2. Select Permissions Report from the Available Reports pane.
3. Click Generate Report.
Note: The permissions report can only show the privilege details of local users. If a user is created on ACS, that user will only show as Help Desk.
You can only add one user at a time for the GUI. To bulk create users, use CLI. For detailed information, search Setting up Local Users Through CLI from the online help that accompanies LMS.
Creating Self-Signed Certificates
CiscoWorks allows you to create security certificates that enable SSL communication between your client browser and management server.
Self-signed certificates are valid for five years from the date of creation. When the certificate expires, the browser prompts you to install the certificate again from the server where you have installed CiscoWorks.
Note: If you regenerate the certificate, when you are in multiserver mode, any existing peer relation might break. The peers need to reimport the certificate in this scenario.
To create a certificate:
1. Go to the CiscoWorks homepage and select Common ServicesàServeràSecurityàCertificate Setup.
2. Enter the values required for the fields described in Table 7.
Table 7. Security Certificate Setup
Field
Usage Notes
Country Name
Two-character country code
State or Province
Two-character state or province code or the complete name of the state or province
Locality
Two-character city or town code or the complete name of the city or town
Organization Name
Complete name of your organization or an abbreviation
Organization Unit Name
Complete name of your department or an abbreviation
Host Name
DNS name of the computer or the IP address of the computer.
Enter the host name with a proper domain name. This is displayed on your certificate (whether self-signed or third-party issued). Local host or 127.0.0.1 should not be given.
Email Address
Email address to which the mail has to be sent.
You can also enter multiple email addresses separated by commas.
3. Click Apply to create the certificate.
The process generates the following files:
• server.key: Server's private key
• server.crt: Server's self- signed certificate
• server.pk8: Server's private key in PKCS#8 format
You can use the CSR file to request a security certificate, if you want to use a third-party security certificate.
Note: If the certificate is not a self-signed certificate, you cannot modify it.
5. Device Management: Resource Management Essentials, CiscoView, Device Center
Business Scenarios
As enterprise networks grow ever larger, it becomes a tedious job to manage hundreds or even thousands of devices. With the LMS applications discussed in this chapter, we can address problems like these:
How do I keep track of the inventory of devices on my network? How do I generate a customized report that digs out just the inventory information I need?
How do I keep track of the outdated devices and plan for an equipment upgrade budget? How do I keep track of not only outdated hardware but outdated Cisco IOS Software images?
How do I keep track of the product information relevant to my network, such as the Product Security Incident Response Team(PSIRT) security alerts and product defects (bugs)? How do I find out which devices are under support contract?
How do I keep an archive of the configuration and be able to restore the configurations if there is any mis-configuration? How do I push configurations to multiple devices on my network without doing it one-by-one through CLI? How do I keep track of the changes?
How do I manage compliance by enforcing configuration policies across the network so everyone is following rules when they configure hundreds of devices?
How do I automatically upgrade the software images on devices without spending too much time and affecting our business?
How do I monitor the syslog messages and be automatically notified if something happens?
All these questions and more can be answered with three LMS applications for elements management:
• Resource Manager Essentials
• CiscoView
• Device Center
Managing Devices in RME
RME Overview
RME is the cornerstone application for the CiscoWorks LMS bundle of infrastructure management tools focusing primarily on configuration management tasks. It includes many automated features that simplify configuration management tasks, such as performing software image upgrades or changing configuration files on multiple devices. RME also includes some fault-management features, such as filtering of syslog messages.
RME consists of the following major components (Figure 42):
• Inventory Manager: Builds and maintains an up-to-date hardware and software inventory providing reports on detailed inventory information. RME has many predefined reports. You can also create custom reports to dig out just the information you need.
• Configuration Manager: Maintains an active archive of multiple iterations of configuration files for every managed device and simplifies the deployment of configuration changes. You can use ConfigEditor to change, compare, and deploy configuration to one device, or use NetConfig to deploy to multiple devices. You can design baseline templates for different configuration needs. You can also specify which action to take after the configuration is deployed.
• Software Manager: Simplifies and speeds software image analysis and deployment. You can do an automatic upgrade analysis to help you select the right image. Then use the SWIM feature to import images, stage the image locally or remotely, then deploy to groups of devices.
• Syslog Analysis: Collects and analyzes syslog messages to help isolate network error conditions. You can filter the syslog messages and designate actions based on the messages.
• Change Audit Services: Continuously monitors incoming data versus stored data to provide comprehensive reports on software image, inventory, and configuration changes.
• Audit Trails: Continuously monitors and tracks changes made to the RME server by the system administrator.
• Compliance Management: By creating a baseline template, which is essentially sophisticated regular expressions, users can enforce configuration rules to help ensure that the configuration complies with the internal policies or government regulations.
Inventory Management provides comprehensive device information, including hardware and software details. This information is crucial for network maintenance, upgrades, administration, troubleshooting, and basic asset tracking. The inventory information can also be used by other applications that need access to this same information without the need for additional device queries. Network administrators must often be able to quickly provide information to management on the number and types of devices being used on the network. The more information network administrators have in one central place about all the devices, the easier it is to locate necessary information, resolve problems quickly, and provide detailed information to upper management.
Inventory Management is also the starting point for many other management activities. For example, to upgrade the software image of a device, information about the amount of RAM, the modules installed, and the current software version is needed. All this data is collected by RME Inventory Management.
In Chapter 4, we talked about how to populate the DCR and add devices to individual applications, such as RME's inventory. You can check out the RME devices under RMEàDevicesàDevice ManagementàRME Devices.Inventory Collection/Polling
At the time of RME installation, system jobs are created for both Inventory collection and polling, with their own default schedules.
Periodic inventory collection versus periodic inventory polling:
A periodic inventory collection job collects inventory data from all devices (devices in the All Devices group) and updates inventory database. The periodic polling polls all devices to check a certain MIB value to see whether the timestamp has changed. If there is a change in the timestamp, RME then goes ahead to retrieve inventory changes and collects and updates the inventory database.
Note: Inventory polling consumes much less bandwidth than inventory collection.
The predefined default periodicity of the collector job is once a week, and the predefined default periodicity of the polling job is once a day.
The polling job detects most changes in all devices, with much less impact on your network and on the LMS server.
To change the default settings, traverse to Resource Manager EssentialsàAdministrationàInventoryàSystem Job Schedule. The System Job Schedule dialog box displays the current collection or polling schedule; change the values and click Apply.
Reports Generator
Once you add devices to RME from DCR, RME start retrieving inventory information based on the default schedule setting. RME has numerous predefined reports built-in for all the internal applications. These reports can be generated for view by going to RMEàReportsàReport Generator. These applications include:
• Audit Trail: Tracks and reports changes that the RME administrator makes on the RME server
• BugToolkit: Helps users identify the bugs filed against devices in their network and check the status of the bugs
• Change Audit: Tracks and reports changes made in the network including configuration, inventory, and software image changes
• Contract Connection: Shows the status of service contracts of all Cisco IOS devices in your network
• Device Credential: Displays the device names and the credential status for each device
• Inventory: Reports the comprehensive inventory information collected by RME
• Syslog: Displays the syslog message received from the devices by RME
Under each application, you can generate different types of reports. For example, under Inventory you can generate the reports shown in Figure 43,
Figure 43. Built-in Inventory Reports
All these reports are generated with a set of predefined query criteria. For example, Software Report will list the software versions based on the categories of the devices. If you want to query a customized list of variables from the inventory, you can use a custom reports template for this as described in the following section.
Some built-in reports are particularly unique in LMS:
• PSIRT Summary report: Introduced in LMS 3.0, this report automates how users track the PSIRT security alert from Cisco. The LMS server can be scheduled periodically to fetch the PSIRT information from cisco.com and correlate to the user's network devices.
• EoS/EoL Hardware Report: Introduced along with PSIRT report, this report works in similar way to automate how users track the EoS/EoL (End of Sale/End of Life) status of the network devices. Good for budget planning. Some customers schedule it to run every quarter to know how much equipment needs to be upgraded.
In LMS 3.1, offline support for PSIRT/EOX was added. Users can select the source of the information to be from Cisco Connection Online or a local file if the LMS server is not directly connected to Internet. This can be customized at Resource Manager Essentials à Admin à Reports à PSIRT/EOX Reports. See Figure 44.
Figure 44. PSIRT/EOX Local Reports
Check the online help to learn how to download Cisco Connection Online PSIRT/EoX information to a local file.
• EoS/EoL Software Report: New feature in LMS 3.2, generates the end of sale, end of life, and end of engineering dates for the software image versions running in the devices in your network. It provides a summary of the end of sale or end of life alerts based on the selected devices.
• PoE Report: Power over Ethernet (PoE) is the ability of the LAN switching infrastructure to provide power over a copper Ethernet cable to an endpoint (powered device). You can generate a PoE report to display detailed information of PoE-enabled devices managed by RME.
• POE Port Level Report: New in LMS 3.2, you can generate a PoE Port Level Report to display information such as power consumption, power available, and power remaining at the port level for devices.
• PSE Report: New in LMS 3.2, you can generate a PSE Report to display information such as power consumption, power available, and power remaining at the PSE/device level.
Custom Reports
To create a customized report with your interested query variables, such as "the serial number of all c1701 routers", follow these steps:
1. Create a custom report template. Go to RMEàReportsàCustom Reports Template, choose Inventory, give it a name such as customreporttest, make it public so everyone can see it, and define the rule as illustrated in Figure 45.
Figure 45. Custom Reports Template
2. Go to RMEàReportsàReport Generator, and choose Inventory. Notice the custom report template customreporttest shows up at the bottom of the dropdown list (Figure 46).
Figure 46. Custom Report
3. Choose your devices and generate the report (Figure 47). Here you can generate a one-time report or schedule a job report to run daily, weekly, or monthly, and automatically be sent in an email or published to a central storage location.
Figure 47. Generate Custom Reports
Note: Successfully generated reports are stored in the archives. You can access the report archives by selecting RMEàReportsàReport Archives.
Software Image Management
RME greatly simplifies the work for software image management by building intelligence into the application to help the user pick and access device images from Cisco.com. Follow these steps to perform a software upgrade to your devices.
Analyze the software images: RME helps the user to analyze the device and decide whether it has enough resources to run the new image. RME gives image recommendations for each selected device. Go to RMEàSoftware MgmtàSoftware DistributionàUpgrade Analysis, then log into Cisco.com. Once you log in, you can see all the available versions for this device. When you select a version, RME will give you suggestions about what to do before upgrading (Figure 48).
Figure 48. Upgrade Analysis Report
The criteria for image recommendation can be modified at RMEàAdminàSoftware MgmtàViewàEdit Preferences.
Note: The number and type of variables analyzed depend on the device type and software version selected. The knowledge base used for analysis can be upgraded by going to RME à Admin à Software Mgmt à Update Upgrade Analysis.
Add images to the repository: Instead of browsing around on Cisco.com trying to find the image file, RME helps the user to locate the image easily online and adds it into the local repository. You can schedule the download immediately or later. See Figure 49.
Note: You can also export the image from the local repository to be used elsewhere.
Figure 49. Add Images from Cisco.com
Create a job for image distribution: Instead of manually loading the images one by one through the CLI, the user can schedule a job to deploy images to a group of devices.The methods of distribution include:
– Basic: This option allows you to select devices and then perform software image upgrades to those devices. Software Management checks the current image on the device and recommends a suitable image for distribution.
– By devices [Advanced]: This option allows you to enter the software image and storage media for the device that you want to upgrade. The selected image and storage media are validated and verified for dependencies and requirements.
– By images: This option lets you select a software image from the software image repository and then use it to perform an image upgrade on suitable devices in your network.
– Use Remote Staging: This option allows you to select a software image, store it temporarily on a device, and then use the stored image to upgrade suitable devices in your network. This is helpful when the Resource Manager Essentials server and the devices (including the remote stage device) are distributed across a WAN.
Software Image Baseline Collection
It is recommended that you first import a baseline of all software images running on your network. The baseline imports a copy of each unique software image running on the network (the same image running on multiple devices is imported into the software library only once). The images act as a backup if any of your devices get corrupted and need a new software image or if an error occurs during an upgrade. If some devices are running software images not in the software repository then a synchronization report can be generated for these devices.
To schedule a synchronization report:
1. Select Resource Manager EssentialsàSoftware MgmtàSoftware RepositoryàSoftware Repository Synchronization. Click Schedule. Enter the information and click Submit.
2. Import a baseline of all software images
3. Once the Software Repository Synchronization job has finished successfully, you could create a job to import all software images on your network by performing the following steps:
All running images that are not in the software repository will appear; click Next. Enter the job control information and click Next, and click Finish when completed.
Note: If you have not selected the Use Generated Out-of-Sync Report option, it will take more time to show the software image selection dialog box.
Customize Software Management Settings
Software Management attempts downloading the software images based on the protocol order specified. While downloading the images, Software Management uses the first protocol in the list. If the first protocol in the list fails, these jobs use the second protocol, and so on, until Software Management finds a transport protocol for downloading the images. The supported protocols are RCP, TFTP, SCP, and HTTP.
In the View/Edit Preferences dialog box (Resource Manager EssentialsàAdministrationàSoftware MgmtàView/Edit Preferences) you can define the protocol order that Software Management has to use for software image download. Use the Add and Remove buttons for selecting the protocol order. See Figure 50.
Figure 50. Management Protocol Settings
Support for In-Service Software Upgrade
RME supports the In-Service Software Upgrade (ISSU) process. This process allows Cisco IOS Software images to be updated without rebooting the device. This increases network availability and reduces downtime caused by planned software upgrades.
To perform the image upgrade using this ISSU process, the running image in the device must be ISSU capable.
ISSU support is available only for the following devices:
• Cisco Catalyst 6000 Series IOS Dual Chassis (VSS) Switches
• Cisco Catalyst 6000 Series Dual Supervisor Switches
The ISSU process can be applied for the following distribution methods:
• By devices [Basic]
• By devices [Advanced]
• By image
• Through remote staging
To perform this ISSU image upgrade process you must select the Reboot immediately after downloading option in the Job Schedule and Options page of the device distribution flow.
You can also customize the configurations available in the Issuconf.properties file located at NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/conf/swim.
You can configure the properties listed in Table 8 in the Issuconf.properties file.
Table 8. Device Management Mode
Variable
Description
RBTConfig
Configure the rollback timer.
By default, the value of this variable is set as NO.
If you configure the value as Yes, then rollback will happen for the value set in the variable RollBackTime.
RollBackTime
Enter the rollback timer (value in minutes).
By default, the rollback time is set as 45.
To consider the value for the rollback timer, you must set the RBTConfig value as Yes.
IssuSupImgVer
The ISSU-supported version of the running image.
For ISSU upgrade support, the value for this variable must be an ISSU-capable image version such as SXI.
This value can match the version of the running image either completely or partially. For example, 12.2(33)SXI, or SXI.
The running software image version in the device must match the version configured in the Issuconf.properties.
Configuration Management
The Configuration Management tab in RME includes three applications: Archive Management, Config Editor, and NetConfig.
1. Archive Management
2. The Archive Management application maintains an active archive of the configuration of devices managed by RME. It provides:
• The ability to fetch, archive, and deploy the device configurations
• The ability to handle syslog-triggered configuration fetches, thereby making sure that the archive is in sync with the device.
• The ability to search and generate reports on the archived data
• The ability to compare and label configurations
Configuration Collection/Polling
The configuration archive can be updated with configuration changes by periodic configuration archival (with and without configuration polling). You can enable this using Resource Manager EssentialsàAdministrationàConfig MgmtàArchive MgmtàCollection Settings.
Note: Scheduled collection and polling are disabled by default as the customer's network may have sporadic bursts of traffic and the network management system should not take up the existing bandwidth. It is best for the customer to select the periodic collection and polling.
You can modify how and when the configuration archive retrieves configurations by selecting one or all of the following:
• Periodic Polling
Configuration archive performs an SNMP query on the device, if there are no configuration changes detected in the devices, no configuration is fetched.
• Periodic Collection
Configuration is fetched without checking for any changes in the configuration.
Step 1. Select Resource Manager Essentials à Administration à Config Mgmt à Archive Mgmt à Collection Settings.
Step 2. Select one or all the options.
• Default protocols used for a configuration fetch and deploy
• Many protocols are used for performing a configuration fetch and deploy. The system provides a default order of protocols that will be used to fetch or deploy the configuration on the device. You can set the protocols and order for Configuration Management applications such as Archive Management, Config Editor, and NetConfig jobs to download configurations and to fetch configurations.
The available protocols are:
• Telnet
• TFTP
• RCP
• SSH
• Secure Copy Protocol (SCP)
• HTTPS
To setup protocol ordering for Configuration Management, go to Resource Manager EssentialsàAdministrationàConfig MgmtàTransport Settings. See Figure 51.
Figure 51. RME Transport Settings
Protocol ordering can be setup for different configuration applications (Archive Management, Config Editor, and NetConfig) by selecting the application from the Application Name drop-down list. Select the protocol order by using the Add and Remove buttons on the screen and click Apply.
For secure communication between the server and device use SSH.
1. Config Editor
2. You can use the Config Editor application to perform the tasks listed in Table 9.
Table 9. Config Editor Tasks
Task
Launch Point
Set or change your Config Editor preferences.
Select RMEàAdminàConfig MgmtàConfig Editor.
View the list of previously opened files in private or public work areas.
The RME Config Editor function can be used to edit a device configuration stored in the configuration archive and download it to the device. The Config Editor tool allows the user to make changes to any version of a configuration file, review changes, and then download the changes to the device.
When a configuration file is opened with Config Editor, the file is locked so that no one else will be able to make changes to it at the same time. While the file is locked, it is maintained in a "private" archive available only to the user who checked it out. If other users attempt to open the file to edit it, they will be notified that the file is already checked out and they can only open a "read-only" copy. The file will remain locked until it is downloaded to the device or manually unlocked within Config Editor by the user who checked it out or by a user that has network administrator and system administrator privileges.
1. NetConfig
2. You can use the NetConfig application to perform the tasks listed in Table 10.
Table 10. NetConfig Tasks
Task
Launch Point
• View and create NetConfig jobs using the NetConfig Job Browser.
• View job details (by clicking the Job ID hyperlink in the NetConfig Job Browser).
• You can also:
Edit jobs
Copy jobs
Retry jobs
Stop jobs
Delete jobs
Resource Manager Essentials à Config Mgmt à NetConfig
or
Resource Manager Essentials à Config Mgmt à NetConfig à NetConfig Jobs
Create and manage user-defined tasks.
Resource Manager Essentials à Config Mgmt à NetConfig à User-defined Tasks
Assign user-defined tasks to valid CiscoWorks users.
Resource Manager Essentials à Config Mgmt à NetConfig à Assigning Tasks
The NetConfig function provides a set of command templates that can be used to update the device configuration on multiple devices all at once. The NetConfig tool provides wizard-based templates to simplify and reduce the time it takes to roll out global changes to network devices. These templates can be used to execute one or more configuration commands on multiple devices at the same time. For example, to change SNMP community strings on a regular basis to increase security on devices, use the appropriate SNMP template to update community strings on all devices using the same job. A copy of all updated configurations will be automatically stored in the configuration archive. NetConfig comes with several predefined templates containing all necessary commands. The user simply supplies the parameters for the command and NetConfig takes care of the actual command syntax. These predefined templates include corresponding rollback commands; therefore, if a job fails on a device, the configuration will be returned to its original state.
Enabling Cisco Technologies through RME
RME provides great functionality in simplifying how Cisco technologies are enabled on the network devices. These technologies include,
• Embedded Event Manager (EEM):EEM is a framework to monitor and detect certain conditions that might affect network services. It includes methods to program corrective actions when incorrect events are detected. With NetConfig, users can configure EEM environment variables and register EEM scripts to one device or a group of devices at the same time. After EEM is deployed to the devices, RME can show the EEM status through NetShow reports and generate EEM-related syslog reports.
• GOLD (Generic OnLine Diagnostics):GOLD is a device-specific Cisco IOS feature with fault detection capabilities. It defines a common framework for diagnostic operations across Cisco platforms running Cisco IOS Software. Similarly, with NetConfig, users can configure GOLD tests. After GOLD is deployed to the devices, RME can show the GOLD test status through NetShow reports and generate GOLD-related syslog reports.
• Smart Call Home (SCH):Smart Call Home is a new, secure connected service that is currently available on the Cisco Catalyst 6500 devices. Similarly, with NetConfig, users can configure SCH tests. After SCH is deployed to the devices, RME can show the SCH test status through NetShow reports and generate SCH-related syslog reports.
• Virtual Switching System (VSS): VSS enables two standalone Catalyst 6500 Switches to work as one virtual switch. RME simplifies the VSS management by providing a GUI conversion wizard to guide the user through steps to convert the two standalone switches into one VSS. After conversion, VSS is managed as one single device with regular LMS functionalities including inventory reporting, configuration management, CiscoView, topology map, DFM alerts, and so on.
From LMS 3.2, users can create a NetConfig job based on the module or port.
• Port-level tasks to be supported:
– PoE: Configure power and power policing in ports. Power policing allows generating syslog or turn-off power, if the real-time power consumption exceeds the maximum power allocation on the port. Power policing and Enhanced Power over Ethernet (ePoE) is supported only on Catalyst 3750-E and Catalyst 3560-E Switches with PoE ports.
– Catalyst Integrated Security Features (CISF): Configure Port Security, DHCP Snooping, Dynamic ARP Inspection, and IP Source Guard on ports. The Catalyst Integrated Security Feature is supported only on Catalyst 2960, 3560, 3560E, 3750, 3750E Switches.
– Smart Port Macro: Configure Smart Port and Auto Smart Port macros on devices.
– FPM (Flexible Packet Matching) policies: Attach or detach package groups to an interface.
• Module-level tasks to be supported:
– GOLD
To use these new functions, users need to create port or module groups.
Port and Module Group Configuration
Go to RME à Device Management à Group Administration à Port and Module Group Administration, and click Create. For example,in Figure 52 we create a port group for Fast Ethernet.
Figure 52. Port And Module Group Properties
Select the device group, as shown in Figure 53.
Figure 53. Device Selector
Specify the port group criteria as shown in Figure 54.
Figure 54. Port Group Criteria
Table 11 lists the available attributes that you can use to define the rule for creating port and module groups.
Table 11. NetConfig Tasks
Object Type
Attribute
Description
Module
AdminStatus
Administrative status of the module
FW_Version
Firmware version of the module
ModuleName
Name of the module
OperStatus
Operational status of the module
SW_Version
Software version of the module
VendorType
Type of vendor of the module
Port
AdminStatus
Administrative status of the port
CM.AccessStatus
Whether the port is in AccessStatus mode or not
CM.Channel
Whether the port is a channel port or not
CM.Duplex
Whether the port is in duplex mode
CM.JumboFrameEnabled
Whether the port is JumboFrame enabled or not
CM.L2L3
Whether the port is in switched or routered mode
CM.LinkStatus
Link status of the port
CM.Neighbor
Whether the port is connected to a device (IP phone or end host)
CM.TrunkStatus
Whether the port is a trunk port or not
CM.VLAN_ID
Index of the VLAN
CM.VLAN_NAME
Name of the VLAN
CM.VTP_DOMAIN
Name of the VTP Domain
FlexLink
FlexLink status of the port
IFIndex
IFIndex of the port
OperStatus
Operational Status of the port
PortDescription
Description of the port
PortName
Name of the port
SpanEnabled
Whether the port is span-enabled or not
Speed
Speed of the port
Type
Port type
Now we are ready to create a NetConfig job using the port group we just created. Go to RMEàConfig MgmtàNetConfigàNetConfig Jobs, and click the Create button. Select Port Based (see Figure 55).
Figure 55. NetConfig Job Flow Type
Select the groups of devices as shown in Figure 56.
Figure 56. Device and Group Selector
Select the port group created, as shown in Figure 57.
Figure 57. Choose the Port Group
Choose the tasks, or templates, applicable to the port group, as shown in Figure 58.
Figure 58. Port Tasks
Add instances for each of the tasks selected, as shown in Figure 59.
Figure 59. Add NetConfig Tasks
For example, the instance shown in Figure 60 will configure the PoE for the port group.
Figure 60. PoE Configuration
As last step, schedule the NetConfig job and specify the job options, as shown in Figure 61.
Figure 61. NetConfig Schedule and Options
Change Management
All changes made on the network through LMS are recorded as part of the change audit. If syslogs are enabled on devices, any out-of-band changes made on the devices are also recorded as part of the change audit. Change audit reports can be viewed by going to Resource Manager EssentialsàReportsàReport Generator. Select Change Audit as the application, and the report type could be either a 24-hour report, Standard Report, or Exception Period Report. These reports help manage the changes on the network.
Resource Manager Essentials also provides the capability to have an audit trail. The audit trail provides a trail of all the changes that are being made on the server, such as addition or deletion of devices and credential changes.
Syslog
LMS has the ability to collect and analyze syslogs received from devices in the network. The ability to collect syslogs helps manage the network more effectively. Enabling syslogs provides a multifold advantage:
• LMS will collect and update any configuration and inventory changes on the network.
• Received syslogs can be analyzed and can also be used for further triggering automated actions.
Syslogs can be enabled on devices using NetConfig. A template for enabling syslogs is built into NetConfig. You can access the template under Resource Manager EssentialsàConfig MgmtàNetConfig. Create a NetConfig job by clicking NetConfig Jobs under the TOC.
Defining Message Filters
You can exclude messages from Syslog Analyzer by creating filters.
A list of all message filters is displayed in a dialog box, along with the name and the status of each filter -- enabled or disabled. Specify whether the filters are for dropping the syslog messages or for keeping them, by selecting either Drop or Keep. If you select the Drop option, the Common Syslog Collector drops the syslogs that match any of the Drop filters from further processing. If you select the Keep option, Collector allows further processing only of the syslogs that match any of the Keep filters.
Note: The Drop and Keep options apply to all message filters and are not on a per filter basis.
Change Audit
Setting up Inventory Filters
Certain inventory attributes can change often, and these changes can get logged whenever there is a collection. This may cause a lot of change audit messages to accumulate over a period of time. To prevent this, inventory change filters can be enabled to not track change audits for these attributes. Inventory filters can be set by traversing to Resource Manager EssentialsàAdministrationàInventoryàInventory Change Filter.
Defining Exception Periods
An exception period is a time you specify when no network changes should occur. Exception periods can be set by traversing to Resource Manager EssentialsàToolsàChange AuditàException Period Definition.
Select Days of the week from the Day drop-down list box and the start time and the end time from the Start Time and End Time drop-down list boxes.
Click Add.
Job Management
Jobs need to be created for performing archive management, editing of configurations, downloading of configurations, and Cisco IOS/CatOS device image management. There is a central location where all jobs created for various purposes in RME can be viewed. The central location can be accessed by traversing to the CWHPàResource Manager EssentialsàJob MgmtàRME Jobs link. All jobs can be searched on criteria such as the status of the jobs and type of job.
RME allows approval of jobs before they are executed. The following are the logical steps to configure job approval:
• Specify approver information: This can be done by traversing to theCWHPàResource Manager EssentialsàAdministrationàApprovalàApprover Details link. Note the user created here should have the Approver role in the system (be it local security mode or ACS security mode).
• Specify approver lists: A list of approvers needs to be created. The list has to be named and assigned approvers. This can be done by traversing to CWHPàResource Manager EssentialsàAdministrationàApprovalàCreate/Edit Approver Lists. Provide an approver name in the top left text field, click Add, select users from the list of available users field in the middle, and click Add in the middle. Save the configuration of approval lists.
• Assign approval lists with the various functions like NetConfig, Config Editor, Archive Management, and Software Management.
• Enable approval policies on the various functions like NetConfig, Config Editor, Archive Management, and Software Management.
The above steps will require all jobs created for NetConfig, Config Editor, Archive Management, and Software Management to be approved before being executed.
All jobs pending approval can be viewed by traversing to the CWHPàResource Manager EssentialsàJob MgmtàJob Approval link. The approver can either accept or reject the job. If a job is rejected then the status of the job is updated for the user who created the job.
Purge Policies
1. Configuration Management
You can specify when to purge archived configurations. This frees disk space and keeps your archive at a manageable size. You can purge configurations based on two criteria:
• Age: Configurations older than the number of days you specify are purged.
The maximum number of versions of each configuration to keep: The oldest configuration is purged when the maximum number is reached. For example, if you set the maximum versions to keep to 10, when the eleventh version of a configuration is archived, the first is purged to keep the total number of archived versions at 10.
By default, the purging jobs are disabled. Use the following steps to enable purging jobs:
Step 1. Select Resource Manager Essentials à Administration à Config Mgmt à Archive Mgmt à Purge Settings.
Step 2. The Archive Purge Setup dialog box appears.
Step 3. Select Enable.
Step 4. Click Change to schedule a purge job.
Step 5. To specify when to purge configuration files from the archive, select one or both of the following options:
• Click Maximum versions to retain and then enter the number of configurations to retain.
• Click Purge versions older than and then enter a number and select days, weeks, or months.
• Click Purge labeled files to delete the labeled configuration files.
The purged labeled files will be deleted only if the conditions set for the Maximum versions to retain and Purge versions older than options are satisfied.
Step 6. Click Apply.
Step 7. Syslog
A default policy can be specified for the periodic purging of syslog messages.
To specify the default purge policy:
Select Resource Manager EssentialsàAdministrationàSyslogàSet Purge Policy. Specify the number of days in the Purge records older than field. Only the records older than the stated age (the number of days that you specify here) will be purged. The default value is 7 days.
2. Change Audit
A periodic purge or a forced purge of change audit data can be scheduled. This frees disk space and maintains the change audit data at a manageable size. Select Resource Manager EssentialsàAdministrationàChange AuditàSet Purge Policy. Enter the values for each field and click Save to save the purge policy that you have specified.
What's New: Generic Device Support in RME
Day one device support for network management applications is a continuing challenge. As new hardware platforms come to market, device support may be lagging. The CiscoWorks Incremental Device Update team announces availability of a new "automated" update tool, providing device support for inventory and configuration functionality within Resource Manager Essentials. This tool allows customers to quickly get support for new hardware platforms where complete device package support through the Incremental Device Update program has not yet been delivered. This new tool can be downloaded from http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-rme and installed on the LMS 3.01, 3.1, and 3.2 code base. The following features are enabled for devices using the automated update tool:
• Device Management in RME:
The Device Manageability Status Report provides details as to whether the device is officially supported or managed using automatic IDU.
• Inventory Management in RME:
– System-, port-, memory-, Flash-, and bridge-related information will be queried using Entity or the OCCM MIB.
– Support for CDA will be provided.
• Config Management in RME:
– Sync archive using CLI and TFTP protocols
– Ad-hoc template in NetConfig deployment
– Partial NetShow if MDF association is available
– Raw mode in version summary and version tree
– Partial out-of-sync summary and compare configuration
– Config Editor support for editing in raw mode only
An announcement regarding similar support capability in Campus Manager and Device Fault Manager will be sent when it becomes available.
Using CiscoView to Manage Devices
CiscoView is the primary element management system (EMS) to manage Cisco switches and routers. It is a graphical device management tool that uses SNMP v2/v3 to retrieve or set performance and configuration data from networked Cisco devices. See Figure 62.
Figure 62. CiscoView
Using the performance data retrieved, CiscoView provides real-time views of Cisco devices. These views deliver a continuously updated physical/logical picture of device configuration and performance conditions. With the proper user authorization, the user can configure a Cisco device and its cards and interfaces. The user can also monitor real-time statistics for interfaces, resource utilization, and device performance.
CiscoView simply uses SNMP to query the configuration and performance of the device and displays the information graphically. Given the proper user authorization privileges, CiscoView can also be used to change or modify the configuration of the device using SNMP.
Therefore network managers can use CiscoView to:
• View a graphical representation of the device, including component (interface, card, power supply, LED) status
• Configure parameters for devices, cards, and interfaces
• Monitor real-time statistics for interfaces, resource utilization, and device performance
• Set user preferences
• Perform device-specific operations as defined in each device package
• Manage groups of stackable devices
To launch CiscoView:
• From LMS Portal, go to the CiscoView Portlet, and open Chassis View. Input the device IP address or choose from the Device Selector to open the chassis view.
• From LMS Portal, go to Device Center Portlet, open Device Center, input the device IP address or choose from the Device Selector, then click CiscoView under the Tools section of the Device Center.
Mini-RMON Manager
CiscoView Mini-RMON manager is a real-time remote monitoring tool that provides the option to enable RMON collection, display the collected Ethernet statistics and lets you set thresholds against any of the collected statistics. An alarm is generated whenever the set thresholds are breached. This facilitates troubleshooting and improves network availability.
Within the LMS bundle, Device Center is a portal that provides the ability to gather and debug information about a particular device. The Summary in Device Center provides information about the device IP address and device type, a 24-hour change audit summary, the last inventory and configuration collection times, a syslog summary, and any fault-related alerts for the device and the neighboring devices.
Device Center also provides a set of functions that help facilitate debugging, run reports on the device, and perform management tasks such as changing credentials.
Device Center is installed as part of the Common Services install and can be launched from CWHPàDevice TroubleshootingàDevice Center. See Figure 63.
Figure 63. CiscoWorks Device Center
The following is the procedure to launch debugging utilities on a particular device:
• Browse through the group hierarchies to select a device or search for a particular device by typing in the name in the search utility provided above the group selector. Click the link on the device name after you have selected it. This launches the summary and tools page for the device.
• You can look at the 24-hour reports on the device in the top half of the right frame and launch tools in the bottom half of the right frame.
• Launch the tools in the suggested list that follows in the particular order in the list. This list is not complete but helps provide an understanding of some of the tools available in Device Center.
– Ping: Ping the device to see if it is reachable from the LMS server.
– Launch Credential Verification Report: Launch the Credential Verification Report to check for any missing credentials.
– If the credentials are missing, launch the Edit Device Credentials tool to edit the credentials.
– Launch Detailed Device Report on the device to view memory, flash, image, and IP address information
– Launch Fault History Report to view any faults that occurred in the last 24 hours or 31 days.
– If some faults are found, go to CiscoView tool to view the chassis and make some changes on the interfaces or ports and so on.
– If the device is a switch, you can launch the switch port usage report for recently up, down, or unused ports.
You can synchronize the archive or download a previous archive of the configuration or do an image upgrade.
6. Network Management: Campus Manager
Business Scenario
Being a network management application, LMS Campus Manager addresses problems from the network administrators such as the following,
• How do I automatically discover the topology of my network, which changes dynamically?
• How do I configure and troubleshoot Layer 2 problems such as VLAN and spanning tree without going through CLI procedures on switches one by one?
• How do I keep track of the users and end stations that move across campus and know which switch port they are connected to?
• How do I track down which IP phones are connected to which switch ports?
• How do I manage VRF more efficiently?
Campus Manager has the following major functions.
Topology Services
With Topology Services, you no longer have to trace cables from stack to stack through a wiring closet to determine which devices are connected through which ports. Topology Services auto discovers Cisco routers and switches on the network and displays the network layout in hierarchical topology maps. These maps make it easy to determine what types of devices are on the network and how they are connected. In addition, Topology Services auto discovers ATM and VTP domains and VLAN memberships configured on the network, making it easy to view and track them. It also provides features to allow you to create and modify VLANs, LANE, and ATM services through an easy-to-use GUI. Automated discrepancy reports highlight physical and logical problems with the network configuration, making it easy to identify configuration errors such as line-speed mismatches on either end of a connection.
User Tracking
The User Tracking tool greatly simplifies the task of tracking user and end-station connections to the network. User Tracking automatically identifies all end stations connected to Cisco devices that have been discovered on the network, including printers, servers, and PCs. User Tracking also collects detailed information about each end-station, including MAC address, IP address, DNS hostname, port assignment, and VLAN memberships. In addition, User Tracking can be configured to collect usernames associated with end stations, from UNIX hosts, a Windows NT primary domain controller (PDC), or Novell Directory Services (NDS), making it easier to locate specific users on the network. User Tracking provides a means to track VLAN memberships, port assignments, and end-user host specifications.
VLAN, PVLAN, and VTP Management
CiscoWorks Campus Manager provides an easy-to-use GUI for creating, modifying, or deleting VLANs and LANE elements or for assigning switch ports to VLANs. As VLANs are created or modified, port and user changes are instantly updated and transmitted to the switches, eliminating the need to update and configure each participating switch individually. As VLANs are selected, the table view displays the participating ports, port status, and switch information. The topology map can be launched to graphically highlight participating devices and links of the VLAN connections. Additional mapping tools allow the user to show spanning-tree states, VTP trunks, switch port links, and existing LANE service elements.
Spanning-Tree Management
CiscoWorks Campus Manager provides advanced capabilities to manage spanning-tree protocols in a campus network such as Per VLAN Spanning Tree (PVST) Protocol, Multiple Spanning Tree Protocol (MSTP), and Multi-Instance Spanning Tree Protocol (MISTP).
Virtual Network Manager
VNM is an enterprise solution that allows administrators to carry out end-to-end VRF configuration and to edit, extend, and delete VRF configuration details. It also collects VRF details of the VRF-configured devices and generates reports to help you analyze VRF configurations on your network.
In Chapter 4, we covered device discovery and data collection. During device discovery, Common Services uses SNMP to collect the Cisco Discovery Protocol neighbor tables to build the current physical connectivity of the network. Then during data collection, Campus Manager collects (from each device) additional information such as interfaces, ports, Spanning Tree Protocol, VTP domains, VLAN configurations, Switch CAM tables, and more.
This information is time-stamped and stored in a database. Campus Manager can then be configured to automatically update this information at regular intervals. Any Campus Manager collected information required by the network administrator is quickly retrieved from the Campus Manager database and displayed in the many Campus Manager reports.
You can invoke data collection from the Campus Manager home page. From LMS Portal, go to the Campus Manager Portlet and click Home. See Figure 64.
Figure 64. Start Data Collection
Because Campus Manager relies on data collection to maintain the latest knowledge about the network, we recommend data collection be scheduled at regular intervals to update the database with the most current knowledge. You can also do data collection on certain devices right before your operation.
To set up data collection schedule, go to Campus ManageràAdminàData Collection Schedule. See Figure 65.
Figure 65. Data Collection Schedule
Campus Manager Topology Services
Visualize the Network
After Campus Manager gathers the device and network information from the data collection, the first thing to do is to verify the device discovery and data collection by visually creating the topology map, as shown in the following steps.
1. From LMS Portal, go to the Campus Manager Portlet, and choose VisualizationàTopology Services.
Note: If you have trouble launching Topology Services, go to Control PanelàAdd/Remove Programs on your client PC, and remove all Java components (you may also need to manually delete everything under c:\program files\Java), then try to install the JRE by launching Topology Services. If you still have trouble getting the correct version of JRE, get it directly from Error! Hyperlink reference not valid..
3. After installing the JRE, try launching Topology Services again. It will download the applet and then ask you to launch Topology Services again. (You may need to edit the local hosts file to resolve the DNS name of the Campus Manager server if it is not resolvable.)
4. Once the Topology Services interface shows up, you can get a list and count of how many devices you have. Then click Network Services and right-click a view such as Layer 2 View.
5. The Layer 2 Views hows up. You can zoom in or out, drag and drop the icons to organize the view better, or go to View and choose Relay out, and choose Circular to organize the layout in better order. You can also show the IP addresses by turning on Show IP under ViewàShow Labels. See Figure 66.
Figure 66. Topology Services
Note: To see the list of map legends, check out the list at HelpàMap Legend. On the left side of the network topology map, you have different network views. See Figure 66.
Figure 67. VLAN Management
Table 12 gives definitions of the different network views.
Table 12. Network Views in Campus Manager
Item
Description
Usage Notes
LAN Edge View
Shows network connectivity between Layer 3 devices that have routing characteristics.
Devices without Layer 3 connectivity are placed in ATM Domain or Switch Cloud network views.
Displays devices for which connectivity information could not be obtained, including devices not supported by Topology Services.
This can include non-Cisco ATM devices discovered through Integrated Local Management Interface (ILMI), since it is an industry standard.
View:
Device Attributes
IPv6 Addresses
Port Attributes
VLAN Report
Change Management IP
Configure Inter-VLAN Routing
Link Attributes
VTP Views
Shows the devices that are participating in VTP domains. VTP Views also shows the non-VTP devices and ATM domains connected directly to the VTP domain.
View:
Device Attributes
Port Attributes
Service Attributes
VLAN Report
Change Management IP
Configure Inter-VLAN Routing
Link Attributes
Configure EtherChannel
Create Trunk
Trunk Attributes
TDR Report
Note: From the View menu, select Panner to see the full view of the network. On the right side of the Layer 2 view, you can filter the devices on the map based on their device types, link types, whether PoE enabled, and so on.
Customize the Map
You can add a geographical map as a background image to the map and position the network devices according to their locations. Do this by selecting Edit/Map Preferences and choose Background Image.
If you have too many devices to put into one map, consider organizing them into hierarchical maps under the topology groups. For example, you can have one group for headquarter and several groups for branch offices. Do this by going to Campus ManageràAdminàGroups and creating groups for different locations.
Launch the Reports
From the Network Topology view, you can directly launch many reports. The variety of reports depend on which map you launch them from. For example, for the Layer 2 View map, you can see the reports shown in Figure 68.
Figure 68. Campus Manager Layer 2 View
Note: Some of these reports can also be launched from Campus ManageràReports. They are:
• Best Practices Deviations Report
• Device Attributes Report
• Discrepancies Report
• Port Attributes Report
• VLAN Report
For detailed information about these reports, search for the latest Campus Manager User Guide at Cisco.com.
Network Configurations
From Topology Services, you can perform many network configurations using the GUI, which is much easier than using CLI commands (Figure 69). Configuration commands included under the Tools menu are listed in Table 13.
Figure 69. VLAN Management
Table 13. Network Configuration Commands
Command
Description
ATM Management à Display VCs
Displays virtual connections per device, or between devices.
ATM Management à Create SPVC/SPVP
Creates a Soft Permanent Virtual Path or connection. This function can only be performed by users logged in as network administrators or system administrators.
ATM Management à OAM Ping
Performs an OAM ping to check VC connectivity.
ATM Management à Interface Configuration
Configures a new ATM interface configuration, or makes changes to the current interface configuration. This function can be performed only by users logged in as network administrators or system administrators.
ATM Management à RMON Data Collection
Disables RMON data collection. This function can be performed only by users logged in as network administrators or system administrators.
ATM Management à Template Manager
Creates, edits, or deletes traffic templates.
VLAN Management à Create
Creates an Ethernet, Token Ring BRF, or Token Ring CRF VLAN. This function can be performed only by users logged in as network administrators or system administrators.
VLAN Management à Delete
Deletes the selected VLAN. This function can be performed only by users logged in as network administrators or system administrators.
PVLAN Management à Create
Creates private VLANs.
PVLAN Management à Delete
Deletes private VLANs.
LANE Management à Add/Modify LANE Services
Adds or modifies LANE services for an Ethernet VLAN, a Token Ring CRF, or a standalone ATM-VLAN. This function can be performed only by users logged in as network administrators or system administrators.
LANE Management à Configure Config Server
Configures the master and backup LE Config servers. This function can be performed only by users logged in as network administrators or system administrators.
VLAN Port Assignment
Moves ports between VLANs in the same VTP domain.
N-Hop View
The N-Hop View portlet is an HTML-based lightweight feature and is available as a part of CiscoWorks Portal. This is much faster than the regular Campus Manager Topology Services.
To create an N-hop view, first add the N-hop view portlet to your view, then configure it with a root device and specify how many hops you want to view from the root device. You can also make the view auto refresh and show alerts from the fault manager, DFM. See Figure 70.
Figure 70. N-Hop View Config
Click the back button to see the N-hop view (Figure 71).
Figure 71. N-Hop View
Note: Currently N-hop can support a maximum of 30 devices. Be careful if you are using it on a flat network.
New Topology Services Features in LMS 3.x
• Integration with IPM, HUM, and DFM for Topology Maps
From topology maps and N-Hop View portlets, you can:
– View DFM information. If an alert is associated with a device, you can see icons displayed along with the devices. These icons indicate the severity of the alert.
– Launch the DFM report that displays information on the alerts and events that are associated with the device.
– Launch the Create Collectors page in IPM to create collectors on IP SLA capable devices.
– Launch the Collectors page in IPM to view details on collectors that have already been created.
– Launch the Device Dashboard page in HUM that provides the performance details of the device.
– Launch the Interface Report in HUM that displays the previous hour data for a link.
You can launch the application pages if DFM, HUM, and IPM are installed on a local server or on a remote server with a master/slave setup.
• Restricted Topology View
After integration with ACS, you can limit the devices users can see by setting up a restricted topology view. You can turn on Restricted Topology View by going to Campus Manager à Administration à Topology à Restricted Topology View. See Figure 72.
Figure 72. Restricted Topology View
• VSS support. The virtual switching technology is the process of combining two standalone distribution switches in the local distribution layer into a single management point. The Virtual Switching System functions and appears as a single switch to the wiring closet and the core layer. In Campus Manager of LMS 3.2, VSS is supported on Topology Services as one single device.
User Tracking
User Tracking helps you to locate and track the end hosts in your network. Thus it provides you the information required to troubleshoot as well as to analyze any connectivity issues. The application identifies all end users connected to the discovered Cisco access layer switches on the network, including printers, servers, IP phones, and PCs.
How User Tracking Works
User Tracking works in two modes, by polling or dynamic tracking.
• User Tracking acquisition by polling
For end-station acquisition, the Campus Manager user acquisition process first uses SNMP to retrieve the CAM table (forwarding table) from all Cisco Layer 2 devices found during the data collection process. The CAM table is a list of the switch ports and the MAC addresses transmitting on them. The real challenge here is to discover the actual switch port the end user is attached to and not the interconnect ports used by the hosts to reach other end user. Thus, the user acquisition process will ignore the listings for the switch ports (trunks) connected to other network devices. This information was again discovered during the data collection phase. The user acquisition process now has a list of which MAC addresses are attached to which switch ports along with VLAN information also retrieved from the CAM. The user acquisition process next uses the ARP tables on the default routers found during the data collection process to resolve the MAC addresses into IP address. Finally, the IP addresses are resolved into host names using DNS queries.
For IP phones, theymust be registered in the Cisco Call Managers first. And these Call Managers must be managed by Campus Manager. Otherwise IP phones will show up as end hosts, not IP phones.
• Dynamic User Tracking
From LMS 3.0, Campus Manager also supports dynamic User Tracking. In addition to polling the network at regular intervals, Campus Manager tracks changes about the end hosts and users on the network to provide real-time updates. Dynamic updates are asynchronous updates that are based on SNMP MAC notifications traps. When an end-host is connected to a switch managed by Campus Manager, an SNMP MAC notification trap is immediately sent from the switch to the Campus Manager server, indicating an ADD event. This trap contains the MAC address of the end host connected to the switch. Similarly if an end host is disconnected from a switch port, an SNMP MAC notification trap is sent from the switch to Campus Manager indicating a DELETE event. Thus Campus Manager provides real-time data about end hosts coming into and moving out of the network.
The difference between acquisition of user data by polling and through the dynamic User Tracking process:
• Campus Manager collects data from the network at regular intervals for acquiring information for User Tracking by polling.
• In dynamic User Tracking, the devices send traps to Campus Manager as and when changes happen in the network.
This implies that you need not wait till the next User Tacking polling cycle to see the changes that have happened in your network. This is an improvement over the earlier versions, where updates on end-host information were based on the polling cycle.
As a result of dynamic updates, the following reports contain up-to-date information:
• End-Host Report
Contains information from UserTracking polling and the recently added end-hosts.
• History Report
Contains information from User Tracking polling and the recently disconnected end-hosts and end-hosts that have moved between ports or VLANs.
• Switch Port reports
Contains information about the utilization of switch ports.
SNMP traps are generated when a host is connected to the network, disconnected from the network, or when it moves between VLANs or ports in the network.
How to Associate the End Stations to Users
After Campus Manager collects the end station connection information by either acquisition through polling or dynamic update, the next step is to associate the user alias to the end station he or she is using.
For example, if configured properly, the user name in the User Tracking report should be populated as shown in Figure 73.
Figure 73. User Tracking Record
The username in the User Tracking report is not filled in unless UTLite is installed. UTLite is a utility that allows the network administrator to collect usernames from primary domain controllers, Windows Active Directory, and Novell directory servers. Combined with Campus Manager User Tracking, the administrator will not only know which end host is connected to which switch ports, but what is the user ID of the person logged into that end station.
To start User Tracking, first start the acquiring process by accessing Campus ManageràUser TrackingàAcquisition. See Figure 74.
Figure 74. Campus Manager Acquisition Settings
There are two principal types of acquisition in User Tracking. They are:
• Major acquisition:
Discovers all the end hosts that are connected to the devices managed by Campus Manager
• Minor acquisition:
Occurs on a device if any of the following changes take place:
– A new device is added to the network
– A port changes state, that is, if it comes up or goes down
– A new VLAN is added to the network
– There is a change in the existing VLAN
Minor acquisition updates the Campus Manager database only with the changes that have happened in the network. It is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the interval at which the acquisition takes place.
Acquisition Settings
Traverse to Campus ManageràAdministrationàUser TrackingàAdminàAcquisition Settings and configure the acquisition settings (Figure 75).
Figure 75. Campus Manager Acquisition Settings
In LMS 3.1, new features were added to track:
• Rogue MAC: MAC addresses that are not authorized to exist in your network. Rogue MACs can be added manually, imported from a file or User Tracking end host report, and defined from the New MAC report. Rogue MACs can be marked as Acceptable MACs.
• New MAC: MAC addresses that are newly added to your network.
• Dormant MAC: MAC addresses that are inactive for the specified number of days.
Configure the Acquisition Settings so rogue and new MAC addresses are detected. Later you can generate a MAC report to show rogue, new, and dormant MAC addresses. You can also setup an email alert to be notified when new or rogue MAC addresses are detected.
Acquisition Schedule
A schedule can be set for a major acquisition to happen. The schedule can be set by traversing to the Campus ManageràAdministrationàUser TrackingàAdminàAcquisitionàSchedule Acquisition link.
A ping sweep can be enabled on all IP addresses in a subnet before starting a major acquisition. An option can be chosen to exclude certain subnets from the ping sweep.
Note: A ping sweep operation is a very time-consuming process.
After the acquisition is complete, you can generate a User Tracking report, which as illustrated in Figure 76.
Figure 76. Campus User Tracking
User Tracking Reports
You can generate User Tracking reports by traversing to the Campus ManageràUser TrackingàReports link.
The following reports can be generated.
• Duplicate reports:
– Duplicate IP addresses
– Duplicate MAC addresses
– Duplicate MAC and VLANs
– Ports with multiple MAC addresses
• End Hosts
• History:
– End host history
– Switch port usage
• IP Phones
• MAC report:
– Rogue MAC
– New MAC
– Dormant MAC
• Switch port usage:
– Report on Recently Down Ports
– Reclaim Unused Down Access Ports Report
– Reclaim Unused Up Access Ports Report
– Switch Port Summary Report
– Switch Port Capacity Report
• Wireless reports
User Tracking Utility
There is another tool, User Tracking Utility (UTU). It is a Windows toolbar to quickly query the User Tracking database outside the CiscoWorks user interface. In other words, the user does not need to log into the CiscoWorks server to view the user tracking report.
After installation, the User Tracking Utility will show up on your Windows toolbar. Right-click and choose Configure to point the UTU to the Campus Manager server you are using. It is very easy to setup. See Figure 77.
Figure 77. User Tracking Utility Configuration
If you already have User Tracking set up on the Campus Manager server, you can query the database directly from the UTU. For example, in Figure 78we can find out this user's end-station connection information, including hostname, MAC address, IP address, subnet, which switch the user is connected to, port, vlan, and last time seen on this port.
Figure 78. User Tracking Utility
Note:You must have UTLite installed in order to query the user name, or you will have to manually edit the user name field on the User Tracking report.
Purge Policies
End hosts and IP Phones can be deleted from User Tracking either on demand or on a specified interval after major acquisition by traversing to CWHPàCampus ManageràAdministrationàUser TrackingàAdminàAcquisitionàDelete Interval.
Archives or jobs older than a particular date can also be purged by traversing to CWHPàCampus ManageràAdministrationàUser TrackingàAdminàReportsàUser Tracking Purge Policy.
Dynamic User Tracking
To enable the Dynamic Updates feature:
• Switches must be managed by Campus Manager.
• Configure Campus Manager as a primary or secondary receiver of the MAC notifications.
• Configure all devices to send traps to the Trap Listener port of the Campus Manager server (this is the port number that you would have configured on the Campus Manager Administration screen).
• Configure Dynamic Host Configuration Protocol (DHCP) snooping on the switches. DHCP snooping is a security feature that filters untrusted DHCP messages received from outside the network or firewall and builds and maintains a DHCP snooping binding table. Campus Manager queries the CISCO-DHCP-SNOOPING-MIB to get the IP address of the end-host connected. For details on configuring DHCP, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cddhcp.htm.
• User Tracking collects usernames and IP addresses through the UTLite for Windows environment.
Note: In the Windows environment you can either install UTLite or configure DHCP snooping to get the IP address of the end host. They can also coexist. If you have neither installed UTLite nor enabled DHCP snooping, the IP address of the end-host connected will be updated only in the next User Tracking major acquisition cycle.
New Campus Manager in LMS 3.2
Virtual Network Manager
VNM is an application that works in conjunction with Campus Manager and Resource Manager Essentials.
Virtual Network Manager provides pre-provisioning, provisioning, and monitoring of Virtual Routing and Forwarding-Lite (VRF-Lite) technology. VRF-Lite technology is used to virtualize networks that span across enterprise networks. It supports multiple virtual routing instances using a single routing device.
IPv6 support in Campus Manager includes the following network scenarios:
• Devices that may have IPv6 configured on their interfaces. These devices must have at least one IPv4 interface. Devices are managed using IPv4.
• Hosts running IPv6 are supported in the User Tracking application.
Port and Module Configuration
In this release, port configuration data is stored in the Resource Manager Essentials database; therefore the port configuration data from Campus Manager is also stored in the RME database.
Upon the completion of every instance of data collection, Campus Manager-related port configuration data is updated with the latest information.
Reclaim Unused Up/Unused Down Report
This report displays both link and access ports that have been used at least once but have not been used for a specific number of days. This report is an enhancement of the User Tracking Reclaim reports of Campus Manager 5.2.
Campus Manager 5.2 uses the data from data collection to generate the Link and Access Ports reports. The time-stamp information is added to the ports while the data collection process is running.
Selective Backup and Restore
You can selectively back up and restore the configuration files and specific tables in databases.
You can also backup the schema, stored procedures, and select tables given by applications in a configuration file. Applications will ensure that the selected tables include all the dependent tables for proper functioning as part of restore. For all the tables that are not mentioned, the empty tables will be created so that applications can work properly. You can restore the settings similar to the normal backup with no data or less data.
An option will be provided for selective backup that will back up only the system settings, user preferences, and configuration file.
7. Fault Management: Device Fault Manager
Business Scenarios
On a daily basis, network administrators face many challenges to maintain a healthy running network to support business needs. They constantly ask questions like:
• How do I quickly and easily detect, isolate, and correct network faults?
• How do I monitor not only up and down status, but also potential problems?
• How do I provide valuable insight into the relative health of a device and the network?
• How do I address problems before network service degradation affects users?
• How do I minimize downtime and service degradation?
CiscoWorks Device Fault Manager proactively monitors the network for indicators of device or network faults, helping enable the network administrator to know exactly where the problem is and what to fix, thus avoiding costly network service degradation. DFM has the built-in intelligence to determine what variables and events to look for to determine the health of a Cisco device, without user intervention, for true fault management.
DFM Architecture
Figure 79. DFM Architecture
As in Figure 79, CiscoWorks DFM uses SNMP polling and SNMP traps to discover and display real-time faults. DFM provides rules to analyze events that occur and help determine when a probable fault has occurred on Cisco devices. It allows you to configure immediate notifications on certain types of faults and stores events and alerts for 31 days in the fault history.
DFM already knows which MIB variables to poll for each different device to determine the status and health of the device. The necessary threshold values have also been predefined based on extensive testing. Therefore DFM can begin fault and performance monitoring as soon as the devices are added to the DFM inventory.
Device Management in DFM
The first thing to do in DFM is to pick which devices to import from DCR to be managed in DFM. By default, devices need to be manually imported into DFM. You can also set up automatic synchronization with DCR by enabling the Filter Selector. See Chapter 4 for details on this topic.
Check the Device Status
After devices are imported into DFM, go to DFMàDevice ManagementàDevice Summary to see the list of devices and their states in the DFM inventory. The states of DFM devices are:
• Known: The device has been successfully imported and is fully managed by DFM.
• Learning: DFM is discovering the device. This is the beginning state, when the device is first added or is being rediscovered. Some of the data collectors may still be gathering device information.
• Questioned: DFM cannot manage the device. For example, a Call Manager will show up as "questioned" if it's included in the DFM inventory.
• Pending: The device is being deleted. (DFM is waiting for confirmation from all of its data collectors before purging the device and its details.)
• Unknown: The device is not supported by DFM.
To get more details of the devices, go to DFMàDevice ManagementàDevice Details.
Rediscover a device: If a device is in stuck in "learning" state, you can rediscover the device by going to DFMàDevice ManagementàRediscover.
Alerts and Activities
To monitor the alerts and activities on the devices, you need to create a view first.
Create/Activate a View
Go to DFMàConfigurationàOther ConfigurationàAlerts and Activities, click Create, and include the devices for this view. You can create different views for different groups of devices.
After the view is created, select it to activate it. Then you can see the view by going to DFMàAlerts and Activities. This will launch a browser window to show the alerts and activities on the devices.
From these alerts and activities, you can monitor the faults going on in your network and start taking actions to correct them. See Figure 80.
Figure 80. Summary of All Faults
Clicking the Alert ID will open the Alert and Activities detail window (Figure 81).
Figure 81. Alerts and Activities Detail
From here, you can navigate to the event by clicking the event ID or taking actions to:
• Acknowledge: Changes the event status to Acknowledged
• Clear: Clears and deletes alarms and events
• Suspend: Suspends polling and trap processing on the device or device component by opening a Detailed Device View (DDV), from which you can perform the suspend command
• Notify: Sends email notification of the alert
You can also launch tools to help with the troubleshooting of the events:
• Fault History: Opens a 24-hour Fault History report on the component.
• Device Center: Opens the CiscoWorks Device Center, which provides a centralized point for reports, tools, and tasks that you can perform on the selected device.
• UT Report: Opens a User Tracking End Host report that lists end-user hosts in the network. (This tool is available if Campus Manager is installed.)
• CiscoView: Opens the CiscoView chassis view for the device. (This tool is available if CiscoView is installed.)
Notification Services
The Alerts and Activities display requires constant visual contact to monitor what is going on with the network. To free the administrators from the necessity of 24-hour-a-day, 7-day-a-week visual contact with the Alerts and Activities display, DFM allows for alternate means to notify personnel, such as email, SNMP traps, and syslog messages. Each of these notification mechanisms provides a summary of the alert or event. The receiver of the notification could then return to DFM for more details.
Notification Groups
Notifications are sent based on subscripts to notification groups. Basically a notification group is a set of events and alerts occurring on a set of devices. This allows for different recipients or notification mechanisms for different devices and alerts for ultimate notification flexibility.
Following are the setup steps for a typical application where the user receives email based on the notification group:
1. Set up the default email server. Go to DFMàConfigurationàOther ConfigurationsàSMTP Default Server.
2. Create a custom group to select devices to be monitored. See the "Group Administration" section in this chapter.
3. Create an event set to select the interesting events for the user. Go to DFMàNotification ServicesàEvent Sets. Up to nine event sets can be created. See Figure 82.
Figure 82. Event Sets
4. Create a notification group. Go to DFMàNotification ServicesàNotification Groups. Select the custom group created in step 2 and the event set created in step 3. See Figure 83.
Figure 83. Notification Group
5. Create an email subscription. Go to DFMàNotification ServicesàEmail Notification, and select the notification group, and then enter the email address as the destination.
Polling and Threshold Management
For the faults and events to show up in DFM, polling and threshold parameters need to be set. By default, DFM has built-in polling and threshold parameters based on device types and interface types. You can customize the polling and threshold parameters by traversing to the CWHPàDevice Fault ManageràConfigurationàPolling and Threshold link.
Polling parameters are used to make the DFM server poll the devices in the various groups in specified intervals.
Threshold parameters are used to determine the thresholds for various devices. When these thresholds are crossed for the various types of devices, alerts are raised in the DFM server.
Group Administration
System-Defined Groups
When devices are imported from DCR to DFM, they are automatically grouped into system-defined groups. These groups are:
• Access Port Groups
• Interface Groups
• Trunk Port Groups
Note: DFM system-defined groups cannot be added, modified, or deleted.
Custom Groups
If you want to manage the device differently by setting customized polling and threshold parameters, you can create custom groups. DFM provides 28 customizable groups, which are divided into four categories. See Figure 84.
Figure 84. Customizable Groups
To create DFM groups traverse to the ConfigurationàOther ConfigurationàGroup Administration link.
1. Select a customization group name.
2. Populate the group with devices and/or components.
3. Modify the polling and/or thresholds for the group.
4. Finally, change the priority of the customizable. See details next.
Priority Setting
When you create a custom group and add devices to it, the devices now belong to two groups, the system-defined group or the default group, and the new custom group. You need to set the priority of the custom group to be higher than that of the system-defined group.
To change the priority setting, go to DFMàConfigurationsàPolling and ThresholdsàSetting Priorities. See Figure 85.
Figure 85. Priority Setting
On this interface, you can move the priorities for the groups up or down.
Customizing DFM
DFM comes out of the box with the default settings ready to run. You can control and fine-tune these settings, such as:
• Notification Customization
• Rediscovery Schedule
• Daily purge schedule
• SNMP Settings
• Trap Receiving
• Trap Forwarding
• Logging
Notification Customization
You can change the event description and severity (new in LMS 3.2) by going to Notification ServicesàNotification Customization. See Figure 88.
Figure 86. Customize Event Severity
Rediscovery Schedule
DFM discovers each device to determine the manageable components it contains. DFM can then assign appropriate polling and threshold parameters. In order to make sure DFM monitoring of a device is up to date, the device needs to be "rediscovered" on a periodic basis. The default is to rediscover on a weekly basis. You can change this setting by going to DFMàConfigurationàOther ConfigurationsàRediscovery Schedule.
Daily Purging Schedule
A daily purging schedule needs to be setup for fault history information in the DFM. Traverse to the DFM panel and click ConfigurationàOther ConfigurationàDaily Purging Schedule to setup a purge schedule.
SNMP Settings
DFM gets the majority of the information it uses to determine a device's fault status through SNMP queries. Since SNMP is a User Datagram Protocol (UDP), there is the opportunity for information to be "lost." To help alleviate this, servers can employ a series of timeouts and retries. DFM comes preconfigured to perform three retries using a timeout value of 4 seconds.
To change these variables, select DFMàDevice ManagementàSNMP Config and make the changes.
SNMP Trap Receiving
This configuration is made for setting the global port for receiving traps in DFM. Traverse to the DFM panel and click ConfigurationàOther ConfigurationàSNMP Trap Receiving to set the port used for trap receiving.
SNMP Trap Forwarding
This configuration can be made to blindly forward traps that come into the trap receiver of the DFM. These are traps that are received from the devices in the network. Traverse to the DFM panel and click ConfigurationàOther ConfigurationàSNMP Trap Forwarding to setup trap forwarding.
Note: Trap generation is not northbound for applications like HP OpenView.
Configure Logging
DFM writes application log files for all major functional modules. By default, DFM writes only error and fatal messages to these log files; DFM saves the previous three logs as backups. You cannot disable logging. However, you can:
• Collect more data when needed by increasing the logging level
• Return to the default logging level as the norm
Change the logging setting by going to DFMàConfigurationsàOther ConfigurationsàLogging.
New DFM Features in LMS 3.1
DFM 3.1 provides the following new features and enhancements:
• Auto Allocation of Devices: It helps to define rules and automatically allocate the devices based on the rules. Allocate by Groups and Allocate All Devices are the two options of Auto Allocation of Devices.
• Clearing Multiple Alerts: In DFM 3.0.2, the user has to open each alert individually to clear it. In DFM 3.1, the user can clear multiple alerts in one click in the Alerts and Activities page. Using the checkboxes, the user can select multiple alerts and click the Clear button to manually clear all the selected alerts.
New DFM features in LMS 3.2
DFM 3.2 provides the following new features and enhancements:
• Supports devices with SNMPv3 NoAuthNoPriv and SNMPv3 AuthPriv credentials
Allows you to import devices with SNMPv3 credentials from DCR. It discovers the devices successfully and groups them under All Known Devices in Inventory Group.
• Email Subject Customization
You can use the Email Subject Customization page to customize the email subject for forwarded alerts and events notifications.
• 10 Gigabit Ethernet Interface Support
This feature helps you to configure and manage the 10 Gigabit Ethernet interfaces through the Polling and Threshold Settings page. It is applicable to all devices that support 10 Gigabit Ethernet, and you will be notified if there is any fault on the 10 Gigabit Ethernet interfaces.
• Enhancement in Polling and Threshold Configurations
Preview buttons are provided in the Polling Parameters and Managing Thresholds pages. These buttons help you to see the edited polling and threshold parameters before you apply the changes.
• Enhancement in Discovery Status page
The discovery status of the devices in the Discovery Status page were previously displayed in a scrolling table. In DFM 3.2 the status is displayed in a more user-friendly Paging table.
• New MIB support: DFM supports the POWER-ETHERNET-MIB(POE).
8. Performance Management Based on IP-SLAs: Internetwork Performance Monitor
Business Scenarios
Managing mission-critical networks has become an integral component of today's businesses. Customers no longer see the IP network as an unreliable infrastructure on which to build their business. Internet service providers (ISPs) and even internal IT departments now have to offer a defined level of service -- a service-level agreement (SLA) -- to provide their customers with a degree of predictability. How to measure network response time, determine device availability, resolve connectivity issues, analyze response time patterns, and provide critical reports, both real time and historical have taken on an even higher priority.
CiscoWorks Internetwork Performance Monitor is a network management application that leverages the Cisco IOS IP SLA technology to monitor the end-to-end performance of multiprotocol networks. IPM measures performance from one end of the network to the other and allows a broader reach and more accurate representation of the end-user experience. Using IP SLA, IPM measures and displays five key network performance statistics between a source and a target device. These five statistics include latency, availability, jitter, packet loss, and errors.
SLA was formerly known as RTR or SAA. For more information on Cisco IOS IP SLA, visit http://www.cisco.com/go/ipsla.
Workflow for the IPM Application
To use IPM for performance management, users need to define collectors to gather the performance data. A collector is made of four components,
• Source router: Originating point from which IPM makes latency and availability measurements. This is where the IPM server uses SNMP to configure Cisco IOS IP SLAs. A source router must run Cisco IOS Software with the IP SLA feature.
• Target router: Destination of the source router operations (IP SLA measurements) from which response data should be collected. A target can be an IP host, another Cisco IOS device with IP SLA, or an Systems Network Architecture (SNA) host.
• Test operation: The traffic test operations simulate actual network traffic for a specific protocol. For example, to measure the latency for a voice over IP (VoIP) session, an Enhanced UDP test operation is created and defined to send a series of 60-byte UDP packets with a specified type of service (ToS) value and target port number.
• Collection schedule: A collector can be scheduled to run at any point in time, or continuously over any time interval. This flexible scheduler makes IP SLAs suitable for both service-level monitoring and troubleshooting.
The workflow for the IPM application is illustrated in Figure 87.
Figure 87. IPM Workflow
As in this workflow diagram, we define the collector from step 1 to step 5. In the first and second steps, the source router and target device are defined. For Cisco IOS devices, we need to turn on IP SLAs in the Cisco IOS Software.
In step 6, IP SLAs in the source router generate the synthetic tests and measure latency/response time. The IPM server will then poll the collectors to collect test results and generate the results in real-time or historical reports.
The following sections will discuss each step in detail.
Source Router and Target Device
The first thing for the user to do is to select the source router and target device. For example, to measure the response time between clients and an application server, the source router will be a Cisco IOS router running 11.2 or later on the same segment where the application server will be placed. The target device is placed on the same segment where many clients would access the application server.
The target device can be any of these:
• IP host: If the target is an IP host, it can be any IP-addressable device such as a network device, server, or workstation. Likely candidates for target devices are the actual servers providing application services, or devices such as routers that can provide protocol performance measurements for an intermediate network segment.
• SNA host: If the target is an SNA host (IBM MVS mainframe), it must run a Virtual Telecommunications Access Method (VTAM) program called NSPECHO, available in the IPM product, to measure SNA latency. Optionally, the SNA host can use an SCCP-LU Native Echo.
• Cisco IOS device with the IP SLA Responder enabled (12.0(3)T or later): The Responder feature can improve the accuracy of the tests. The Responder can listen and respond to a specified port number. Additionally, the Responder, based on the type of operation, might put timestamps on the return packets for accurate measurement times.
Configure the Source Router
Once the source of the test operation has been identified and the device has been selected, the source router will need to be configured.
First, check the Cisco IOS version of the source router. Cisco IOS release 11.2 is the earliest and first release that supports the IP SLAs (formerly known as RTR or SAA).
Additionally, a few device configuration commands need to be set in order to configure IP SLAs using IPM and have IP SLA-related traps forwarded to a network management station. These commands are outlined in Figure 87 and discussed below.
• IPM uses SNMP to define the Cisco IOS IP SLA and to extract the data in the IP SLA MIB in the source router. Both the SNMP read-only (ro) and read-write (rw) community strings need to be configured on the source router.
• Optionally, to receive traps at an NMS when a test exceeds a specified latency threshold, verify that the source router is set up to send IP SLA-generated traps. The SNMP keyword rtr limits the traps sent to the specified address to IP SLA-related traps. If the keyword rtr is omitted, all default SNMP traps are sent to the named network management host including IP SLA-related traps.
Here are the configuration commands needed on the source router:
router>enable
router#config t
router(config)#snmp-server community <string> ro
router(config)#snmp-server community <string> rw
router(config)#ip sla monitor
router(config)#snmp-server host <ip address><trap community string> rtr
router(config)#snmp-server enable traps rtr -------------->still valid in 12.3
Depending upon the type of target device selected, the target device may need to be configured.
• IP host: The host must be reachable by the source device, but no other configuration is needed.
• SNA host: It must run a VTAM program called NSPECHO, available in the IPM product, to measure SNA latency. Optionally, the SNA host can use an SCCP-LU Native Echo.
• Cisco IOS device: The device must be reachable by the source device and the SNMP read community string must be configured.
• Cisco IOS device with IP SLA Responder: A target device that is running Cisco IOS Software can be configured as a Responder, which processes measurement packets and provides detail time-stamp information. The device must be reachable by the source device, and the SNMP read community string must be configured. Additionally, the IP SLA Responder feature must be enabled.
The responder has intimate knowledge of Cisco IOS Software processing, so it can send information about the target router's processing delay back to the source IP SLA. This delay is removed during calculation to further improve accuracy.
Following is the list of commands on the target device if it is a Cisco router running Cisco IOS Software:
router>enable
router#config t
router(config)#snmp-server community <string> ro
router(config)#ip sla monitor responder
Device Management for Source Routers and Target Devices
After the source and target routers are properly configured, they can be imported into IPM by three means:
• Automatic import from DCR
• Manually adding the devices one by one using the IPM configuration window
• Bulk import from a seed file such as a CSV file
Note: Auto synchronization with DCR is the most efficient and convenient way and has been discussed in Chapter 4.
When a new device is added to IPM, IPM first tries to access the device and then verifies the SNMP community strings. If successful and the device is a Cisco device, IPM determines the device's Cisco IOS version and its IP SLA version, formerly known as SAA. If the information is valid, it adds the device to the IPM database.
For a device to be added to the list of source routers, the device must have valid SNMP read-only and read-write community strings and a recent Cisco IOS version.
Define an Operation
IPM has a list of test operations built-in. You can also create your own test operations by going to IPMàCollector ManagementàOperation.
Finally we tie together the four components of the collector, that is, source and target devices, test operation, and schedule by creating a collector at IPMàCollector ManagementàCollector. See Figure 88.
Figure 88. Create a Collector
After the collector is created, we can monitor or generate reports based on the collector.
Sample Usage
Create a Report to Monitor the Video Jitter for Cisco TelePresence™
Step 1. Define an operation TP_Video_telepresence. Choose UDP jitter as the type. See Figure 89.
Figure 89. Define an Operation for Cisco TelePresence Video
Go to the next screen, keep the default settings, and finish the workflow for creating the operation.
Step 2. Create a collector based on the operation just created. Set it to run forever, but make sure that it is deleted later. See Figure 90.
Figure 90. Schedule Setting
Step 3. Go to Collector Management to start the collector.
Step 4. After a few days of data collection, you can create a report under IPMàReports. See Figure 91.
The following sections discuss the new features and enhancements in Internetwork Performance Monitor 4.1.
Support for 10,000 Collectors
IPM now supports 10,000 collectors. You can create a maximum of 5000 historical collectors and the remaining as real-time collectors. This is based on the LMS license you have opted for.
Device Auto Allocation
The device allocation in IPM has been enhanced to include two new methods for auto allocation:
• Manage All Devices: Allows you to automatically add devices into IPM after they are added to DCR.
• Manage By Groups: Allows you to automatically add devices into IPM based on device groups.
However, the number of devices added into IPM will depend on the license limit.
Metro Ethernet
IPM now supports the following IP SLA operations:
• ethernetPing
• ethernetPingAutoIPSLA
• ethernetJitter
• ethernetJitterAutoIPSLA
CLI Support
You can use CLI commands in IPM to import collectors from the given source devices.
DNS Server Name
You can enter the host name or the IP address for the DNS server.
Microseconds Accuracy
You can collect the jitter statistics for a UDP jitter operation at a precision level of microseconds.
Reaction Types for each Operation
IP SLA can be configured to react to certain measured network parameters. IPM now allows the creation of collectors in such a way as to react to various parameters such as RTT, MOS, ICPIF, packet loss, and so on.
Whenever the threshold levels are violated for any of the reaction variables configured, SNMP traps are sent to the configured management stations.
New IPM Features in LMS 3.2
The following are the new features and enhancements in Internetwork Performance Monitor 4.2.
Virtual Routing and Forwarding Support
Internetwork Performance Monitor 4.2 supports VRF. It does this by configuring collectors with the VRF name that you specify.
For more information, see the section on configuring collectors using VRF in the User Guide for IPM 4.2.
Planned Network Outage Support
Collector Manager is enhanced to support planned network outage intervals for existing collectors. IPM allows you to specify the start and end times for selected collectors.
For more information, see the Managing Outage Details chapter in the User Guide for IPM 4.2.
Enabling and Disabling IPSLA Syslog Support
You can select devices and enable or disable IPSLA syslog support for these devices.
Portlets Requested as Reports in IPM
This release allows you to create portlet reports in IPM. The portlets that are supported as reports are:
• Highest Jitter
• Lowest Availability
• Highest Latency
• IPM Violation Summary
Flexible Schedulable Option for IPM Reports
IPM reports now have flexible scheduling options that allow you to generate reports. You can generate these reports daily, weekly, or monthly. You can also send the reports as email notifications to other users.
This email notification includes an attachment that gives details on:
• Report period
• Granularity
• Next reporting time
IPM Schedulable Reports with Images
You can now send email notifications that include graphs and reports as attachments. You can send these attachments as either PDF or CSV files. The default is a PDF file.
9. Network Monitoring based on SNMP Polling: Health Utilization Monitor
Business Scenario
For network administrators, monitoring the network is an essential requirement in their network management tools. Not only do they need to be able to monitor any MIB object on the network but they also need to have a meaningful reporting capability that shows the top issues on the network and proactively provides alerts when things happen. They also need to keep track of the trends of network events to understand the network in a dynamic environment.
CiscoWorks Health and Utilization Monitor is an SNMP-based MIB polling application that monitors network elements (such as CPU, memory, interfaces/ports, and links) for their availability and utilization levels and provides historical reporting. It is an add-on application pre-integrated since LMS 3.0, managed in the same LMS Portal like other applications such as RME, DFM, CM, or IPM. Users need to purchase a separate license for HUM. HUM relies on LMS Common Services, so it cannot run on its own.
CiscoWorks HUM provides organizations with:
• CPU, memory, Interface/port monitoring for utilization and availability levels
• Support for system-defined MIB templates that enable easy polling setup
• The capability for users to create custom MIB templates
• Historical reporting on a daily, weekly, monthly, and annual basis
• Threshold breach event notification, reporting, and event handler support
• Comprehensive reporting such as Device Dashboard, Custom Reports, Top-N/Bottom-N Reports
• Historical trending on a daily, weekly, monthly, and annual basis
• Support for integration with CiscoWorks LMS 3.1
CiscoWorks HUM provides end users with:
• Capacity planning
• A clear way to troubleshoot network performance issues
• The capability to isolate/correlate network issues
Licensing and Scalability
Consistent with the LMS bundle, HUM is licensed based on the number of devices managed. See Table 14.
Table 14. HUM SKUs
SKU
License Parameter (Device Count)
CWHUM-1.2-S-K9
50
CWHUM-1.2-M-K9
300
CWHUM-1.2-L-K9
1000
Today the maximum SKU that is offered for HUM is 1000 devices (licensing restriction). It is not supported to add up licenses to make up to 10,000 devices even though LMS bundles support up to 10,000 devices. In future releases users will be able to add up licenses in the order of 1000 devices up to a maximum of 5000 devices total.
The device count restricts the license options. One HUM server can support up to 1000 devices. Actually the scalability of HUM depends on how many MIB objects are managed. The maximum number of MIB objects supported is 100,000, with 40,000 on 1-minute and 60,000 on 5-minute polling intervals.
HUM deployment can be either standalone or in bundle environments:
• Standalone: HUM with CiscoWorks Common Services, LMS Portal, and CiscoWorks Assistant
• Bundle: HUM with LAN Management Solutions (LMS) 3.1 and 3.2.
Table 15 gives the scalability numbers for the different SKUs in both standalone and bundle deployments.
Table 15. HUM Scalability Limits
Devices
Environment Type
MIB Objects Polled
300 Devices
Standalone (300 HUM SKU)
30,000 MIB objects
Bundle (300 HUM SKU + 1500 LMS SKU)
20,000 MIB objects
1000 Devices
Standalone (1000 HUM SKU)
100,000 MIB objects
Bundle
Not supported
Note: The scalability information is pending testing for the 50-license SKU. Generally the more powerful hardware will support more MIB objects.
Workflow of HUM
Understand the Templates
System-Defined Templates are logical groups of MIB objects users want to poll. HUM has available the system-defined templates shown in Figure 95.
Figure 95. HUM: System-Defined Templates
In system-defined templates, if the MIB variable in the primary set is not available, an alternate MIB variable in the fallback set stored in the device is selected. This fallback logic is applied during poller creation and an appropriate MIB variable is selected for polling.
System-defined templates support all Cisco devices that support the following MIB files:
• CISCO-ENHANCED-MEMPOOL-MIB
• CISCO-ENVMON-MIB
• CISCO-MEMORY-POOL-MIB
• CISCO-PROCESS-MIB
• ENTITY-MIB
• OLD-CISCO-CHASSIS-MIB
• RFC1213-MIB
• IF-MIB
• CISCO-POWER-EHTHERNET-EXT-MIB
• POWER-EHTHERNET-MIB
• CISCO-RTTMON-MIB
User-Defined Templates
Users can also create their own templates to poll MIB objects they are interested in. To create a template, go to HUMàPollers and Template ManagementàTemplate Management and click Create.
For example in Figure 96 we create a template to poll the temperature MIB objects using the CISCO-ENVMON-MIB.
Figure 96. User-Defined Template
Import/Export Templates
With multiple HUM servers, users can export and import templates. See Figure 97.
Figure 97. Import Template
Here is an example of the temperature template we created in XML format.
After you get the templates to poll the MIB objects in which you are interested, create a poller to poll the MIB objects on a specified schedule.
Here we create a poller, Demo-All, which polls several demo devices using the system-defined templates. The setup options include poller name, devices, template, polling intervals.
Clicking Poll All Instances will poll all MIB objects applicable. For example, if the device has two CPUs and you select the "CPU Utilization" template, both CPUs will be polled based on schedule. See Figure 98.
Figure 98. Create Poller
After the poller is created, it shows in the poller table (Figure 99). You can activate, deactivate, delete, edit, clear missed cycles, and clear failures.
Figure 99. Poller List
Poll Settings
CiscoWorks HUM allows you to configure the SNMP timeout and SNMP retries using the Poll Settings option. The SNMP timeout and SNMP retries are based on the device and network response time.
• SNMP timeout is the duration of time that HUM waits for the device to respond before it tries to query the device again.
• SNMP retry is the maximum number of times HUM retries to query the device.
You can also configure Poll Settings to send the polling failure report as an email.
To configure Poll Settings:
1. Go to LMS Portal and select Health and Utilization Monitor à Admin à System Preferences.
2. Select Poll Settings. See Figure 100.
Figure 100. Poll Settings
Verify the Pollers
Once the poller gathers enough statistics, check out the portlets under the HUM view of LMS Portal.
For example, the CPU Utilization poller populates the Top-N CPU Utilization portlet (Figure 101).
Figure 101. Top-N CPU Utilization
Users can also create historic graphs by specifying the device, MIB object, and the time interval (Figure 102).
Figure 102. Historic Graph
Click Save and view the historic graph. See Figure 103.
Figure 103. CPU Historic Graph
Threshold Management
Thresholds in HUM enable automated actions based on the crossing of threshold conditions. Users can create thresholds for one MIB object at a time. The polled value will be compared to threshold conditions and invoke automated actions when the threshold is violated. The automated actions include:
• Email
• Script
• Syslog messages
• SNMP traps
Before setting up thresholds, users can first setup a trap receiver group and a syslog receiver group.
Creating a Trap Receiver Group
To create a trap receiver group:
1. Go to LMS Portal and select Health and Utilization Monitor > Admin > System Preferences > Trap Receiver Groups. See Figure 104.
Figure 104. HUM Trap Group Configuration
Default port is 162. Default Community is public.
Creating a Syslog Receiver Group
To create a syslog receiver group:
1. Go to LMS Portal and select Health and Utilization Monitor > Admin > System Preferences > Syslog Receiver Groups. See Figure 105.
Figure 105. HUM Syslog Group Configuration
Default port is 162.
Once trap receiver and syslog receiver groups are set up, users can configure thresholds by going to HUMàThresholds Management and clicking Create.
In the example in Figure 106 we can create a threshold for interface bandwidth utilization. Here users can specify the details of the thresholds. The TXUtilization is monitored. If it exceeds 80 percent for three times, email as well as SNMP trap and syslog alerts will be sent.
Figure 106. Threshold Setup
Figure 107. HUM Purge Settings
TrendWatch Support
TrendWatch helps administrators to understand the current network capacity levels and plan for future. For instance, you can get notified when the Daily Interface Utilization Average crosses the 90 percent threshold for 20 times on your critical uplinks over the last 30 days. This will help you assess the load on the uplinks and aid in capacity planning
The TrendWatch feature helps ensure that the capacity, performance, and utilization of critical resource remain within the defined service level.
You can configure TrendWatch through HUM by setting up rules for each MIB variable or thresholds for a specific time period. TrendWatch can be scheduled (Immediate, Once, Daily, Weekly, and Monthly) as a job. It can be configured to send alert notifications through email, traps, or syslog. See Figure 108.
TrendWatch allows you to continuously monitor a value over time, sampling the value at periodic intervals to view the trends. You can watch variable trends in an hour, 6 hours, days, weeks, months, and years. You can identify trends that develop over time and take appropriate actions.
TrendWatch is calculated on past or historical data and therefore it does not monitor real-time data like threshold.
Some examples of TrendWatch rules are:
• When the average weekly CPU or interface utilization goes up or down relative to the previous week by n percent
• When the device or interface availability over a period is less than n percent
• When the average utilization of the interface is above n percent
• When the availability was false for nminutes for more than xtimes in a week/month/quarter
• When the minimum value is less that nfor xtimes over a period of y weeks
• When the 95th percentile value of availability is equal to nfor a period of x quarters
• When n percentage of times the utilization is greater than x percentage
Figure 108. TrendWatch Configuration
HUM Report
To generate reports, go to HUMàReports. See Figure 109.
Figure 109. HUM Reports
This page allows you create, manage, and view reports. You can use reports to analyze the utilization of a device interface.
You may not be able to use some of these functions if you do not have the required privileges.
Options
Report Management: You can view and manage the following reports:
• My Favorites: You can add your list of favorite reports to the My Favorites category. You can launch, edit, remove, and delete your favorite reports.
• Device Reports: You can view the complete performance of a device from a single report.
• Quick Reports: These are predefined system-generated reports. You can view and copy an existing report.
• Poller Reports: These reports are created based on the template used in a given poller. You can create, edit, copy, and view a report.
• Custom Reports: You can create custom reports based on your requirements. You can create, edit, copy, and view a report.
• Threshold Violation Reports: You can create reports based on the threshold configured for the MIB variable. You can create, edit, copy, and view a report.
• TrendWatch Reports: You can create reports based on TrendWatch configured for the MIB variable.You can create, edit, copy, and view a report.
• TrendWatch Summary Reports: You can create summary reports based on the TrendWatches configured for the MIB variables. You can create, edit, copy, and view a report.
Click to expand the report category node. Click the report name and select the following options:
• Launch: View the report
• Edit: Edit an existing user-defined report
• Copy: Create a new report from an existing report
• Delete: Delete an existing user-defined report
• Add to Favorites: Add the report to the My Favorites category
Report Job Browser: Allows you to view the list of jobs that are scheduled to generate reports. You can do the following tasks from the Report Job Browser.
• Delete: Allows you to delete one or more report jobs
• Suspend: Allows you to suspend a scheduled job
• Resume: Allows you to resume a suspended job
• View Output: Allows you to view the report
10. Server Administration
This chapter deals with server administration to optimally utilize the resources of the server while also maintaining a current status of the network topology.
Log Rotation
One common problem in LMS server maintenance is to control the size of log files. Log rotation helps you manage the log files more efficiently. In previous versions, a command line utility, logrot, is configured and run to rotate the log files. From LMS 3.1, logrot can be configured and scheduled to run on the GUI.
To configure log rotation, go to Common ServicesàServeràAdminàLog Rotation. See Figure 110.
Figure 110. Log Rotation
The backup directory stores the rotated log files. The default directory is:
• NMSROOT\log on Windows
• /var/adm/CSCOpx/log on Solaris
If you do not specify a backup directory, each log file will be rotated in its current directory.
You can also specify Restart Daemon Manager to stop and start the daemon before the log rotation starts. This is optional.
To add the log files for rotation, click the Add button to add log files one by one.
Figure 111. Configure Logrot
As shown in Figure 111, you specify the log file name, maximum logrot size(the default is 1024KB, the maximum size is 4096MB), the compression format, and the number of backups. If you do not want to keep any archive, enter 0 for the number of backups.
To schedule log file rotation, click the Schedule button and specify the schedule to run. See Figure 112.
Figure 112. Schedule Logrot
Database Backup
You can backup the LMS database either through GUI or CLI. Before LMS 3.2, it is not possible to do selective backup/restore. The backup process backed up all configuration files from the application databases. In this release, you can back up the required system configurations and data from the command-line interface.
The following data is backed up when you run a backup from the user interface or from CLI:
• CiscoWorks user information
• Single sign-on configuration
• DCR configuration
• Peer certificates and self-signed certificates
• Peer server account information
• Login module settings
• Software Center map files
• License data
• Core client registry
• System identity account configuration
• Cisco.com user configuration
• Proxy user configuration
• Database jobs and resources data, DCR data, groups data, and other data stored in the database
• Discovery settings and scheduled jobs
• ACS credentials
• Local user policy setup
• System preferences
When you run a selective data backup from CLI , all the data mentioned above gets backed up except:
• Software Center map files
• Software Center jobs data
• DCR jobs data
BackUp the Database from GUI
Backup of LMS data can be done through the GUI by traversing to PortalàCommon ServicesàServeràAdminàBackup link, PortalàLMS Setup CenteràSystem settings. A backup directory name can be provided, and the backup job can either be run immediately or be scheduled. It is recommended that the backup data not be stored in a directory where LMS is installed (that is, under the NMSROOT directory in Windows or Solaris).
Figure 113. Backup Schedule
The Generations option shown in Figure 113 specifies the maximum number of versions of backups to be stored in the backup directory.
Enter multiple email addresses in this window by separating them with commas.
Note: Please note that the DCR master/slave mode is also backed up.
-dest=BackupDirectory is the directory where the backed up data to be stored. This is mandatory.
-system is the command-line option that allows you to back up only the selected system configurations from all applications instead of backing up the complete databases. This is mandatory.
-log=LogFile is the name of the log file that contains the details of the backup.
-gen=Num_Generations is the maximum number of backup generations to be retained in the backup directory.
Verify the Backup
Here is a list of the folders created in the backup folder.
• campus
• cmf
• cvw
• cwportal
• dfm
• ipm
• opsxml
• rmeng
• upm
You can also examine the log file at the following location to verify backup status:
• On Solaris:
/var/adm/CSCOpx/log/dbbackup.log
• On Windows:
NMSROOT\log\dbbackup.log
Restoring Data
The new restore framework supports restore across versions. This allows you to restore data from versions 3.0.5, 3.0,6, 3.1, 3.1.1, and 3.2 in addition to Common Services 3.3. The restore framework checks the version of the archive.
• If the archive is of the current version, then the restore from the current version is run.
• If the backup archive is of an older version, the backup data is converted to Common Services 3.0.5 format, if needed, and applied to the machine.
You can restore your database by running a script from the command line. You have to shut down and restart CiscoWorks while restoring data.
In all backup-restore scenarios, a backup is taken from a machine A, and the backed up data, say Ab, is restored on the same machine A, or on a different machine B.
Make sure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data for such tasks.
Caution: Restoring the database from a backup permanently replaces your database with the backed up version.
The list of applications in a backup archive should match the list of applications installed on a CiscoWorks server where you want to restore the data. You should not continue the restore when there is a mismatch, as it may cause problems in the functionality of CiscoWorks applications.
• [-ttemporary directory]: The restore framework uses a temporary directory to extract the content of the backup archive.
• By default the temporary directory is created under NMSROOT as NMSROOT/ tempBackupData. You can customize this, by using this - t option, where you can specify your own temp directory. This is to avoid overloading NMSROOT
• [-gengenerationNumber]: Optional. By default, it is the latest generation. If generations 1 through 5 exist, then 5 will be the latest.
• [-dbackup directory]: Required. Which backup directory to use.
• [-h]: Provides help. When used with -d<backup directory> syntax, shows correct syntax along with available suites and generations.
3. Examine the log file in the following location to verify that the database was restored by entering:
NMSROOT\log\restorebackup.log
4. Restart the system by entering:
net start crmdmgtd
While restoring using a backup taken from a machine that is in ACS mode, the machine on which data is restored needs to be added as a client in ACS. Contact the ACS administrator to add the restored machine as an ACS client. See also, Setting the Login Module to ACS, at the online help.
Data Restored from Common Services 3.0.x/CS 3.1.x/CS 3.2/CS 3.3 Backup Archive
The following data will be restored from a Common Services 3.0.x/3.1.x/3.2/3.3 backup archive:
• CiscoWorks user information
• Single sign-on configuration
• DCR configuration
• Peer certificates
• Self-signed certificate (based on your confirmation)
• Peer server account information
• Login module settings
• Software Center map files (will not overwrite existing data)
• Application and link registrations
• Log backup configuration
• License data (will not be restored, but will compare and display a warning and ask for confirmation to continue, if licenses are different)
• ACS credentials
• System identity account configuration
• Cisco.com user configuration
• Proxy user configuration
• Database jobs data, DCR data, groups data, and other data stored in the database
• Discovery settings and scheduled jobs (only from CS 3.1.1/CS 3.2/CS 3.3 backup archive)
• Local user policy setup (only from CS 3.1.1/CS 3.2/CS 3.3 backup archive)
• System preferences
Reset the LMS Databases
In case you need to reset the LMS databases to factory default, follow this procedure (this is the Windows version, Solaris is similar):
cd CSCOpx\campus\bin
perl reinitdb.pl -ut (User Tracking information only, LMS must be up)
perl reinitdb.pl (Devices only, LMS must be up)
net stop crmdmgtd
perl reinitdb.pl -restore (deletes all data and reloads the tables)
perl dbRestoreOrig.pl dsn=dfmFh dmprefix=FH DFM Fault History
del c:\progra~1\CSCOpx\objects\smarts\local\repos\icf\dfm.rps
net start crmdmgtd
Data Extraction from LMS Applications
This section covers the basic utilities available for data extraction from LMS applications. For complete information on this topic, search for the latest LMS user guides at Cisco.com.
DCR CLI
Using the command-line interface, you can add, delete, view, and modify devices and change DCR modes. You can import from a local NMS or remote NMS server or ACS. You can also export the DCR content to a file or ACS.
The main command to launch is at:
NMSROOT/bin/dcrcli.
The steps are:
Step 1. NMSROOT/bin/dcrcli -u username
Step 2. Enter the password corresponding to the username.
Step 3. Select one of the various top-level commands:
add Adds a device
del Deletes a device
mod Modifies a device
lsattr Lists the attributes stored in DCR
lsids To list the device IDs of the devices in DCR
lscsets Lists all credential sets available in CiscoWorks server
details View device details
lsmode Lists the DCR mode as Master, Slave, or Standalone
setmaster, setstand, setslave Set the DCR to Master, Standalone, or Slave mode
impFile, impNms, impRNms, impACS Importa device list from File, Local NMS, Remote NMS, and ACS (AAA server)
exp Export to a file
expAcs Export to ACS
Campus Manager Data Extraction Engine
Campus Manager provides a data extraction engine to extract data about the following:
• User Tracking
• Layer 2 topology
• Discrepancies in the network configuration
Data extraction can be done either through CLI or servlet access.
The CLI tool cmexport can be accessed by going to NMSROOT/campus/bin directory.
The top-level help provides the following output:
Usage: cmexport <-h | -v | commands><arguments>
For command-specific help: cmexport <commands> -h
• -h Prints this help message
• -v Prints DEE version
Commands can be one of the following:
ut Extracts user tracking data
l2topology Extracts Layer 2 topology data
discrepancy Extracts discrepancy data
Core Commands
Table 16 lists the core commands of the Campus Manager DEE.
Table 16. Commands of Campus Manager DEE
Core Command
Description
ut
Generates User Tracking data in XML format.
l2topology
Generates Layer 2 topology data in XML format
discrepancy
Generates discrepancy data in XML format
You must invoke the cmexport command with one of the core commands specified in Table 16. If no core command is specified, cmexport can execute the -v or -h options only:
• Option -v displays the version of the cmexport utility.
• Option -h (or null option) lists the usage information of this utility.
Data generated through cmexport CLI is archived at the following locations by default:
PX_DATADIRis %NMSROOT%\files folder (on Windows) or /var/adm/CSCOpx/files directory (on Solaris) (NMSROOT is the directory where you installed Campus Manager)
timestamp is the time at which the log was written in Year Month Date HourOfDay Minute Second format.
You can also use the -f option to specify the file name and the directory for storing the DEE output. This utility does not inherently delete the files created in the archive. You should delete these files when necessary. However, using the same file name and directory twice would cause the previous file to be overwritten.
Possible Combinations of cmexport Commands
• User Tracking:
cmexport ut -u admin -p admin -host
cmexport ut -u admin -p admin -phone
cmexport ut -u admin -p admin -host -query dupMAC -layout all
-view: Specifies the format in which the user tracking XML data is to be presented. It currently supports two options:
– switch: User Tracking data is displayed based on the switch.
– subnet: User Tracking data is displayed based on the subnet in which it is present.
-query:User Tracking host data is exported in XML format for the query given in queryname. This parameter is applicable only when -host is chosen
-layout: User Tracking host data is exported in XML format for the layout given in layoutname. The layout is a custom layout defined by the user in User Tracking. This parameter is applicable only when -host is chosen.
-queryPhone: User Tracking phone data is exported in XML format for the query given in phonequeryname. This parameter is applicable only when -phone is chosen.
-layoutPhone: User Tracking phone data is exported in XML format for the layout given in layoutPhone. This parameter is applicable only when -phone is chosen.
The servlet access to the Campus Manager data extraction engine is described below.
The servlet accepts users' requests and authenticates the requesting user's identity using the Common Services authentication mechanism. The command to export user tracking, topology, and discrepancy can be sent as an HTTP or HTTPS request. The servlet requires a payload file that contains details about the user's credentials, the command you want to execute, and optional details such as log and debug options as inputs in XML format. The servlet then parses the payload file encoded in XML, performs the operations, and returns the results in XML format. Typically, servlet access is used to extract the data from a client system. While generating data through the servlet, the output will be displayed at the client terminal.
The input XML file contains various tags for username, password, core command, and optional tags. The following outlines the steps to extract the export file from the servlet.
1. Generate the necessary payload XML file with the required data.
3. The HTTP response of the servlet contains the XML file generated by executing the cmexport command on the server with the parameters provided in the payload file.
4. Extract the XML file from the content of the HTTP response and save it to a local file.
Sample Payload file:
<payload>
<! -- The following element specifies the username (valid CiscoWorks or ACS user ID) of the person initiating this DEE call -->
<username>username</username>
<! -- The following element specifies the valid password of the user ID -->
<password>password</password>
<! -- The following element specifies the DEE command used for extracting UT host, phone, discrepancy and l2 topology information -->
Enter your password if prompted.
located at the top right corner of the portal.
located at the top right corner. The portlet selector appears (Figure 15).
to start the workflow, or continue the previous unfinished setup.
it with a root device and specify how many hops you want to view from the root device. You can also make the view auto refresh and show alerts from the fault manager, DFM. See Figure 70.
to expand the report category node. Click the report name and select the following options:
