Cisco Prime Infrastructure Deployment Models
Cisco Prime Infrastructure Form Factors
Installing Cisco Prime Infrastructure
Option 1: Installing Cisco Prime Infrastructure on a Physical Appliance
Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance
Accessing Cisco Prime Infrastructure GUI
Logging In to Cisco Prime Infrastructure for the First Time
Upgrading Cisco Prime Infrastructure
Migrating Data from Previous Versions
Device Packs and Software Updates
Users and User Group Management
Preparing the Network for Discovery
Import/Edit Maps from WCS/NCS to Cisco Prime Infrastructure
Managing Configuration Archives
Choosing a Configuration Template
Defining Shared Policy Objects
Wireless Controller Configuration
Apply RF Profiles to AP Groups
Forwarding Alarms as Traps to Notification/Trap Receivers
Monitoring Application and Services
Different Approaches to Enable AVC
Enabling AVC on Wireless Controllers
Classify Unknown Traffic by Defining Custom Application
Updating Application Definitions (NBAR2 Protocol Pack)
Multi-NAM Capabilities within Cisco Prime Infrastructure
Setting Up Microsoft Lync Monitoring
Customizing the Dashlet Content
Trigger Packet Capture from Cisco Prime Infrastructure
Manual Packet Capture from Cisco Prime Infrastructure
Automating Packet Capture Using Cisco Prime Infrastructure
Decoding Packet Capture Using Cisco Prime Infrastructure
Configuring Cisco Prime Infrastructure Backup
Using SNMPv3 Instead of SNMPv2
Authenticating with External AAA
Importing Client Certificates into Web Browsers
Enabling NTP Update Authentication
Enabling Certificate-Based OCSP Authentication
Setting Up Local Password Policies
Disabling Individual TCP/UDP Ports
Checking Server Security Status
Accessing Cisco Prime Infrastructure Through CLI
How to Enable CLI Root User in Cisco Prime Infrastructure Server
Start/Stop Cisco Prime Infrastructure Services
Verifying IOPS for Cisco Prime Infrastructure Virtual Machine
Cisco Prime Infrastructure 3.0 Links
This guide covers the installation, setup, and basic operation of Cisco Prime™ Infrastructure. For more information, see the “Design overview” section in this guide.
Network administrators have a demanding, tedious job overseeing all the devices on a network. To complicate matters, network devices are sometimes added to or removed from the network. As an organization grows, so does the number of devices to be managed. The needs of the network management administrators include:
● Configuration backup and archive—Administrators need to make backup copies of device configurations and store them in a protected location. Performing this task manually is extremely time-consuming and tedious. An automated means of collecting and archiving device configuration files is a valuable aid to network administrators.
● Configuration deployment—A change in the network, or in the services it supports, requires changes to device configurations. Making those changes manually means connecting to and configuring every affected device, which can take many hours even when the changes are similar, if not identical. A means of automating the deployment of such configuration changes, including support for device-specific values, can greatly improve both the speed and the accuracy of updating the network.
● Software image management—A centralized way of viewing the operating system versions running on all the network devices is very helpful, but the administrators also need to get the necessary software images from a trusted source and then to propagate those images to many network devices.
● Monitoring, troubleshooting, and reporting—Running a network requires knowing about the state of the network and the state of individual devices. It also requires notification of events on the network, troubleshooting tools, and an ability to generate reports about many aspects of the network.
Cisco Prime Infrastructure is a single management solution for converged-access, enterprise-class networks. It provides a single-pane-of-glass view for managing the wired and wireless networks, with end-to-end visibility from the branch to the campus and all the way to the data center.
This deployment guide helps you choose the right deployment model and walks through the steps to deploy Cisco Prime Infrastructure to manage wired and wireless networks using some of its essential network management features.
Cisco Prime Infrastructure is a sophisticated network management tool that supports the end-to-end management of the network technologies and services that are critical to the operation of your organization; it aligns network management functionality with the way network administrators do their jobs. Cisco Prime Infrastructure provides an intuitive, web-based graphical user interface (GUI) that can be accessed from anywhere within the network and gives you a full view of network use and performance.
Cisco Prime Infrastructure provides comprehensive lifecycle management, assurance visibility and troubleshooting capabilities across the network - from the user in the branch office, across the WAN, and to the data center. In essence, it is one management and one assurance for one network.
Cisco Prime Infrastructure lets you manage your network more efficiently and effectively so you can achieve the highest levels of wired and wireless network performance, service assurance, and application-centric end-user experience.
Figure 1 depicts the campus network architecture documented in the Campus Wired LAN Technology Design Guide and Campus Wireless LAN Technology Design Guide. With such a network and the services that it can support, Cisco Prime Infrastructure can play a critical role in day-to-day network operations.
Cisco Prime Infrastructure software runs on either a dedicated Cisco Prime Infrastructure appliance or on a VMware ESXi version 5.1 or 5.5 server. The Cisco Prime Infrastructure software image does not support the installation of any other packages or applications on this dedicated platform. You cannot install Cisco Prime Infrastructure on a standalone operating system such as Red Hat Linux, because Cisco Prime Infrastructure is available as a physical or virtual appliance that comes preinstalled with a secure and hardened version of Red Hat Linux as its operating system and bundled with Oracle 11.2.0.
Cisco Prime Infrastructure Deployment Models
● Standalone: Cisco Prime Infrastructure can be deployed as a standalone Physical/Virtual appliance to manage the wired and wireless network infrastructure.
● High Availability (Recommended): The Cisco Prime Infrastructure High Availability (HA) implementation allows one primary Cisco Prime Infrastructure server to failover to one secondary (backup) Cisco Prime Infrastructure server. The secondary server sizing should be larger than or equal to that of the primary server in order to take over Cisco Prime Infrastructure operation, in the event that the primary Cisco Prime Infrastructure system fails. For example, if the primary Cisco Prime Infrastructure server is the Standard OVA, then the secondary Cisco Prime Infrastructure server must be the Standard or Pro OVA.
In Cisco Prime Infrastructure, the only supported HA configuration is 1:1 (Active/Standby), that is, one primary system and one secondary system.
● Distributed Deployment: Large or global organizations often distribute network management by domain, region, or country. For reasons of geography, scalability, resilience, or visibility, Cisco customers may deploy more than one instance of Cisco Prime Infrastructure to manage their network. If you’re one of those customers, you also need to manage all those instances together as one.
Cisco Prime Infrastructure Operations Center enables centralized management of multiple Cisco Prime Infrastructure instances. Operations Center streamlines how your administrators access and interact with multiple instances of Cisco Prime Infrastructure. You no longer need to generate reports one by one and manually consolidate results. Nor do you have to check for alarms at each dashboard. These tasks take time and may result in human errors. With Cisco Prime Infrastructure Operations Center, you get easier access to information about the health of your entire network managed by multiple instances.
Cisco Prime Infrastructure Form Factors
Cisco Prime Infrastructure comes in two main forms:
● Virtual: The Cisco Prime Infrastructure virtual appliance is packaged as an Open Virtualization Archive (OVA) file, which must be installed on a user-supplied, qualified VMware ESXi server. This form allows you to run on the server hardware of your choice. You can also install the virtual appliance in any of the four configurations, each optimized for a different size of enterprise network. For hardware requirements and capacities for each of the virtual appliance’s size options, see Virtual Appliance Options.
● Physical: The physical appliance is packaged as a rack-mountable server, with Cisco Prime Infrastructure preinstalled and configured for you. For physical appliance hardware specifications and capacities, see Physical Appliance Options.
Table 1 should help users to pick the right OVA size image for Cisco Prime Infrastructure virtual appliance.
Note: Compliance is supported on the Professional virtual appliance (OVA) and the Gen 2 physical appliance based on Cisco UCS® only.
Table 1. Server Sizing Matrix

| Device Type | Express | Express-Plus | Standard | Professional | Hardware Appliance (Gen2) |
|---|---|---|---|---|---|
| Network Devices | | | | | |
| Max Unified APs | 300 | 2500 | 5,000 | 10,000 | 20,000 |
| Max Wired Devices | 300 | 1000 | 6,000 | 10,000 | 13,000 |
| Max Autonomous APs | 300 | 500 | 1500 | 2500 | 3,000 |
| Max NAMs | 5 | 5 | 500 | 800 | 1,000 |
| Max Controllers | 5 | 25 | 500 | 800 | 1000 |
| Maximum number of devices (combination of wired and wireless devices) | 500 | 3000 | 10000 | 14000 | 24000 |
| Clients | | | | | |
| Max Wireless (Roaming) Clients | 4,000 | 30,000 | 75,000 | 150000 | 200,000 |
| Max Changing (Transient) Clients | 1,000 | 5,000 | 25,000 | 30000 | 40,000 |
| Max Wired Clients | 6,000 | 50,000 | 50,000 | 50,000 | 50,000 |
| Mobility Services Engines (MSEs) | 1 | 1 | 6 | 10 | 12 |
| Monitoring | | | | | |
| Max Interfaces | 50,000 | 350,000 | | | |
| Max NetFlow Rate (flows/sec) | 3,000 | 3,000 | 16,000 | 40,000 | 80,000 |
| Max Events (events/sec) | 100 | 100 | 300 | 500 | 1,000 |
| Max Trap Rate | 20 | 20 | 60 | 100 | 300 |
| Max Syslog Rate | 70 | 70 | 210 | 350 | 600 |
| Max NAM Data Polling Enabled | 5 | 40 | | | |
| Max Polling Interfaces (Polling of trunk ports) | 2400 | 8000 | 48000 | 10000 | 10000 |
| Max hourly Host Records | 144,000 | 720,000 | 2,100,000 | 6,000,000 | 12,000,000 |
| System | | | | | |
| Max Number of Sites per Campus | 500 | 2,500 | | | |
| Max Virtual Domains | 500 | 750 | | | |
| Max Groups (Total): User-Defined + Out of the Box + Device Groups + Port Groups | 100 | 150 | | | |
| Max Concurrent GUI Clients | 10 | 50 | | | |
| Max Concurrent API Clients | 2 | 5 | | | |
Refer to the Cisco Prime Infrastructure 3.0 Quick Start Guide for the latest sizing information.
Table 2 lists the hardware requirements for the virtual appliance based on wired/wireless scale.
Table 2. Hardware Requirements for Virtual Appliance

| Virtual Appliance Size | Virtual CPU | Memory (DRAM) | HDD Size | Throughput (Disk I/O)** | Max Concurrent Clients/Users | API Clients |
|---|---|---|---|---|---|---|
| Express | 4 | 12 GB | 300 GB | 200 MB/s | 5 | 2 |
| Express-Plus | 8 | 16 GB | 600 GB | 200 MB/s | 10 | 2 |
| Standard | 16 | 16 GB | 900 GB | 200 MB/s | 25 | 5 |
| Professional | 16 | 24 GB | 1.2 TB | 320 MB/s | 50 | 5 |
Note: You can configure any combination of sockets and cores, the product of which must equal the number of virtual CPUs required. For example, if 16 virtual CPUs are required, you can configure 4 sockets with 4 cores, or 2 sockets with 8 cores, etc.
Installing Cisco Prime Infrastructure
Option 1: Installing Cisco Prime Infrastructure on a Physical Appliance
Cisco Prime Infrastructure 3.0 comes preinstalled on a next-generation Cisco UCS appliance. If for some reason the physical appliance arrives without any software, the application can be installed from the ‘.iso’ image (burnt to DVD). Once the server boots, the procedure is similar to the one described for the virtual appliance; use the ‘.iso’ image instead of the ‘.ova’ image when installing on a Cisco Prime Infrastructure physical appliance. For more details, see the Cisco Prime Infrastructure Hardware Appliance Installation Guide.
Cisco Prime Infrastructure Physical Appliance comes with the specifications shown in Table 3.
Table 3. Cisco Prime Appliance Specifications

| Physical Appliance | Physical CPU | Memory (DRAM) | HDD Size | Throughput (Disk I/O) | Max Concurrent Clients/Users | API Clients |
|---|---|---|---|---|---|---|
| Cisco Prime Appliance | 10 Cores (20 Threads) | 64 GB | 3600 GB (8x900 GB RAID10) | 320 MB/s | 50 | 5 |
Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance
Cisco Prime Infrastructure is delivered as a virtual appliance (OVA file). OVA files let you easily deploy a prepackaged virtual machine (VM): an application along with its database and operating system. Follow the link below for detailed instructions on installing the Cisco Prime Infrastructure virtual appliance.
● Deploying the OVA from the VMware vSphere Client
Accessing Cisco Prime Infrastructure GUI
Table 4 shows all the supported browsers that can be used to access Cisco Prime Infrastructure. See the Cisco Prime Infrastructure 3.0 Quick Start Guide for the latest client requirements.
Table 4. Client Requirements

| Supported Browser | Browser Version | Additional Note |
|---|---|---|
| Internet Explorer | 10 or 11 | No plug-ins are required |
| Mozilla Firefox | Firefox 35 or later | Latest Firefox version may be used, but it may not be tested depending on when it was released. |
| Mozilla Firefox ESR | ESR 31, 38 | |
| Google Chrome | Chrome 40 or later | Latest Chrome version may be used, but it may not be tested depending on when it was released. |
Display resolution—Cisco Prime Infrastructure supports 1366 x 768 or higher, but we recommend that you set the screen resolution to 1600 x 900.
Cisco Prime Infrastructure user interface is based on HTML 5 and removes any dependency on Adobe Flash.
TIP: It is strongly recommended to use a client with at least 4 GB of memory. Adding more memory will definitely enhance the end-user experience.
Logging In to Cisco Prime Infrastructure for the First Time
Once the Cisco Prime Infrastructure server has been installed and configured, it is ready to be accessed from the web. The server URL is https://server_hostname or https://<ip-address>. To log in for the first time, use the following credentials.
Username: root
Password: <the root password is the one that was entered during the install script>
After the server has been configured, it is advisable to log in as a non-root user and to reserve the root user for system-level configuration as and when needed. More information can be found in the Cisco Prime Infrastructure 3.0 Quick Start Guide under Logging into the Cisco Prime Infrastructure User Interface.
You can access the lifecycle and assurance features of the newly installed Cisco Prime Infrastructure using the built-in evaluation license that is available by default. The default evaluation license is valid for 60 days for 100 devices. You need to purchase the licenses to continue using Cisco Prime Infrastructure before the evaluation license expires.
License files can be added to Cisco Prime Infrastructure by navigating to Administration > Licenses and Software Updates > Licenses in the GUI.
Table 5 lists the different licenses available for Cisco Prime Infrastructure.
Table 5. License Types in Cisco Prime Infrastructure

| License Type | License Purpose |
|---|---|
| Base | Required for every Cisco Prime Infrastructure installation and is a prerequisite for all other license types. |
| Management (Lifecycle, Assurance, APIC-EM/PnP) | Regulates the total number of devices, NetFlow devices under Cisco Prime Infrastructure management. |
| High Availability | High Availability Right To Use (RTU) License. |
| Collector | Regulates the total number of NetFlow data flows per second that Cisco Prime Infrastructure can process. |
| Data Center | Regulates the number of blade servers being managed by Cisco UCS device(s) in Cisco Prime Infrastructure. The license count matches the number of blades or rack units associated with any Cisco UCS device. |
| Data Center Hypervisor | Regulates the total number of host(s) managed by Cisco Prime Infrastructure management. This license manages Discovery Sources (vCenter) in Cisco Prime Infrastructure. |
| Operations Center Base License | Required in case of a distributed deployment of Cisco Prime Infrastructure, when the customer wants to deploy Operations Center to centrally manage the Cisco Prime Infrastructure instances. |
| Operations Center Server License | Required to manage the Cisco Prime Infrastructure instances in Operations Center. |
Note: Licenses are supplied in either evaluation or permanent form. For more information on Cisco Prime Infrastructure licensing, you can also refer to the Cisco Prime Infrastructure 3.0 Ordering and Licensing Guide.
Upgrading Cisco Prime Infrastructure
Cisco Prime Infrastructure can be upgraded to version 3.0 from the following versions:
● Cisco Prime Infrastructure 2.2.3
● Cisco Prime Infrastructure 2.2.2
● Data Center Technology Package 1.0.0 for Cisco Prime Infrastructure 2.2.1
● Wireless Technology Package 1.0.0 for Cisco Prime Infrastructure 2.2.1
● Cisco Prime Infrastructure 2.2.1
● Cisco Prime Infrastructure 2.2
If your product/version is not in this list, you must first upgrade to version 2.2.x at a minimum before upgrading to 3.0. For an in-line upgrade, follow the steps listed in the Cisco Prime Infrastructure 3.0 Quick Start Guide.
Note: You cannot upgrade to Cisco Prime Infrastructure 3.0 if you have installed version 2.2.x in FIPS mode.
Migrating Data from Previous Versions
Data migration is supported only from Cisco Prime Infrastructure 2.2.x versions. Follow the data migration steps listed in the Cisco Prime Infrastructure 3.0 Quick Start guide.
Device Packs and Software Updates
Cisco Prime Infrastructure periodically provides critical fixes, device support, and add-on updates that you can download and install by choosing Administration > Licenses and Software Updates > Software Update. Depending on connectivity and preference, you can install software updates by:
● Downloading updates directly from Cisco.com to the Cisco Prime Infrastructure server. To use this method, Cisco Prime Infrastructure server must be able to connect externally to Cisco.com. For details, see Installing Software Updates from Cisco.com.
● Downloading software update files to a client or server with external connectivity, then uploading them to and installing them on the Cisco Prime Infrastructure server. For details, see Uploading and Installing Downloaded Software Updates.
Users and User Group Management
It is not advisable to use the root user to log in for day-to-day purposes. Role-based access control can be enforced by creating new users and assigning them to the relevant user groups and virtual domains.
Manage User Groups
User groups are synonymous with roles. All the roles except the user-defined roles are preconfigured. User-defined groups can be modified by navigating to Administration > Users > Users, Roles & AAA > User Groups > User Defined #. By clicking the task list, you can perform the following activities:
● Modify other groups and roles.
● Add users.
● See audit trail.
● Export the TACACS+/RADIUS command sets.
User-defined roles can be modified by clicking the User Defined link in Figure 4. Once clicked, all the collapsed user access controls are expanded as shown in the figure. You can select the whole category, for example, Network Configuration, or a few of the options within that category to customize the role. Once the group/role is created, multiple users can then be assigned to that group.
Manage Users
You can add new users by navigating to Administration > Users > Users, Roles & AAA > Users > Add Users and selecting “Add Users” from the drop-down on the right side. Once in the add-user workflow, enter the username, password, and local authorization for this user as shown in Figure 5. Map the user to the appropriate role and assign virtual domains. It doesn’t matter whether you create users or groups first.
Virtual Domain
Virtual domains allow you to control who has access to specific sites and devices. After you add devices to Cisco Prime Infrastructure, you can configure virtual domains. Virtual domains are logical groupings of devices and are used to control the administration of the group. By creating virtual domains, an administrator allows users to view information relevant to them specifically and restricts their access to other areas. Virtual domain filters allow users to configure devices, view alarms, and generate reports for their assigned part of the network only.
Virtual domains are organized hierarchically. Subsets of an existing virtual domain contain the network elements that are contained in the parent virtual domain. The “ROOT-DOMAIN” domain includes all virtual domains.
Virtual Domain can be added by navigating to Administration > Users > Virtual Domain.
A virtual domain can also be assigned to the users when you define their roles by selecting the virtual domain on the left side and moving it to the right side as shown in Figure 6.
A Cisco.com connection is required for some advanced features, such as Smart Interactions (TAC service requests and support forums), importing software images, Software Update, and many others. It is vital that the Cisco Prime Infrastructure server be able to connect to cisco.com to pull the data for these features. There are two parts to making this work:
● Proxy settings
● Cisco.com user settings
If Cisco Prime Infrastructure requires a proxy to connect to the internet, you can enter the proxy information by navigating to Administration > Settings > System Settings > Proxy. You can enable proxy settings and enter all the proxy information there. Authenticating proxies are also supported in Cisco Prime Infrastructure.
You can enter your cisco.com credentials at the following places:
● Administration > Settings > System Settings > Inventory > Account Credential
● Administration > Settings > System Settings > General > Support Request
Cisco Prime Infrastructure supports Single Sign-On (SSO). You can configure more than one SSO server for Cisco Prime Infrastructure; if the first is unavailable, authentication falls back to the second SSO server, and so on.
To add SSO servers, navigate to Administration > Users > Users, Roles & AAA > SSO Servers. Select Add SSO servers. SSO Servers settings can be configured by navigating to Administration > Users > Users, Roles & AAA > SSO Server Settings.
Cisco Prime Infrastructure supports local authentication as well as TACACS+ and RADIUS AAA. To add a TACACS+ or RADIUS server, navigate to Administration > Users > Users, Roles & AAA. For Cisco Prime Infrastructure to communicate with the TACACS+ server, the shared secret you enter on this page must match the shared secret configured on the TACACS+ server.
Administrators must configure email parameters to enable Cisco Prime Infrastructure to email reports, alarm notifications, and so on. You must configure the primary SMTP server before you can set the email parameters.
Choose Administration > Settings > System Settings > Mail and Notification > Mail Server Configuration.
Credential profiles are sets of device credentials. The credentials in a credential profile can include SNMP, Telnet, SSH, and HTTP/HTTPS credentials.
Choose Inventory > Device Management > Credential Profiles to add, edit, delete or copy credential profiles. You can apply a credential profile during device discovery, when manually adding a device, or during bulk import of devices.
Cisco Prime Infrastructure uses and enhances standard discovery mechanisms, using protocols such as ping, SNMP (v1, v2c, and v3), Cisco® Discovery Protocol, Link Layer Discovery Protocol (LLDP), and Open Shortest Path First (OSPF) to discover the network automatically. This section focuses on how best to configure the discovery settings once and automate discovery going forward.
You can add devices to Cisco Prime Infrastructure in one of the following ways:
● Discover devices using Discovery Settings.
● Import devices from a CSV file.
● Add devices manually by entering IP address and device credential information.
Preparing the Network for Discovery
Devices must be configured with Cisco Discovery Protocol/LLDP, SNMP (v2, v3), or Telnet/SSH. The advanced protocols OSPF and BGP can also be used.
For successfully managing a device using Cisco Prime Infrastructure, it is crucial that all the essential protocols be defined in the device credential for a given device. The following matrix shows what protocols are needed for various wired and wireless device types.
| Device Family | SNMP RW | Telnet/SSH | HTTP |
|---|---|---|---|
| Wireless controllers | ✓ | | |
| Wireless controllers (Cisco IOS® XE Software) | ✓ | ✓ | |
| Access points | ✓ | ✓ | |
| Routers/switches | ✓ | ✓ | |
| Medianet-capable routers and switches | ✓ | ✓ | ✓ |
| Network Analysis Module | ✓ | ✓ | ✓ |
| Third-party devices | ✓ | | |
These credentials are sufficient to discover wired as well as wireless networks.
The Discovery Settings method is recommended if you want to specify settings once and rerun discovery in the future using the same settings. Discovery settings give you complete control over the discovery process.
You can specify various protocols, list of seed devices to be used, subnet range, credential profile/credential, and management IP address that needs to be used to discover the network. For various discovery settings supported by Cisco Prime Infrastructure, see the Cisco Prime Infrastructure User Guide.
You can create multiple discovery settings. These specify which protocols are to be used by Cisco Prime Infrastructure while discovering the network. Discovery can be easily accessed from the Getting Started page when you log in for the first time or by navigating to Inventory > Device Management > Discovery.
Select Discovery Settings to create a profile that you can reuse for discovering devices in the future. Click New in the Discovery Settings modal pop-up. The Discovery Settings window opens, where you can configure all the discovery settings. The pop-up is divided into four sections: Protocol Settings, Filters, Credential Settings, and Preferred Management IP.
You need to select at least one item from Protocol Settings, SNMP and Telnet/SSH from Credential Settings, and Preferred Management IP. You can add your subnets manually or use the Import CSV File button to import all your subnets from a simple CSV file.
After creating discovery settings, you can discover the wired and wireless network. Select the saved discovery settings and click the Run Now button as shown in the figure. Discovery job will be created and status of the discovery job can be monitored in the same page in real time.
In addition to running discovery in real time, you can schedule discovery to run when you want it. Select the required discovery settings and click Schedule. A modal pop-up appears in which you specify the schedule. Scheduling is extremely flexible in Cisco Prime Infrastructure: you can run discovery at any interval from every x minutes to every y years.
Quick Discovery ping sweeps the network quickly based on the seed IP address you provide and also uses SNMP polling to get details on the devices.
If the device list and its credentials are maintained in a spreadsheet, Cisco Prime Infrastructure gives you an option to import the device list. Navigate to Inventory > Device Management > Network Devices and select Bulk Import. The Bulk Import pop-up is displayed as shown in Figure 12.
TIP: Export the device template using the first “here” link and use the exported CSV file to populate the device information. This ensures that your import goes through successfully.
Cisco Prime Infrastructure extends coverage to the data center and to the compute infrastructure management supporting inventory, fault, configuration and performance for Cisco UCS B-series blade and C-series rack servers. Integration with VMware vCenter supports monitoring and visualization of virtualized servers and VMware hypervisors operating on Cisco UCS underlay hosts.
VMware vCenter details (Protocol—HTTP/HTTPS, Server—host name/IP address of vCenter, Port—443 for HTTPS or 80 for HTTP, User Name/Password—vCenter credentials) are needed to discover the complete inventory of compute resources such as data centers, clusters, hosts, and VMs (Inventory > Device Management > Compute Devices > Discovery Sources > Add Device). You need to add a Data Center Hypervisor license to collect the inventory of a VMware vCenter server.
Compute devices provide a consolidated view of all the devices that provide compute capability within a Data Center. You can manage Cisco UCS devices in the same way other network devices are managed.
You can create user-defined Hosts and VMs subgroups, similar to device groups.
To validate and view the complete list of devices discovered by Cisco Prime Infrastructure, navigate to Inventory > Device Management > Network Devices to see the entire inventory that has been discovered. The left pane allows you to filter the devices by device type or by a user-defined group that you create.
At times, you will encounter a few devices that don’t have the SNMP strings or the CLI access that you expected. You can either correct the information on the devices, or, if you have another set of credentials for a different subnet, add them by creating a new credential profile and rerunning discovery. If you have only a handful of changes, select the particular devices and click Edit to modify the credentials.
Cisco Prime Infrastructure allows the user to export devices together with their credentials directly from the GUI. Navigate to Inventory > Device Management > Network Devices to view Export Device as shown in Figure 18.
Users can export the device credentials, change them in a spreadsheet application, and import them back.
TIP: If you need to change the credentials for devices in bulk, this method can be used to do that.
Cisco Prime Infrastructure provides the following types of grouping:
● Device type groups—By default, Cisco Prime Infrastructure creates rule-based device groups and assigns devices to the appropriate Device Type folder. You cannot edit these device groups. The device type groups are not used for network topology maps.
● Location groups—Create location-based groups. Location groups allow you to group devices by location. You can create a hierarchy of location groups (such as theater, country, region, campus, building, and floor) by adding devices manually or dynamically.
● User-defined groups—Allow you to create your own device groups. These groups can be static or dynamic.
Port grouping simplifies monitoring and configuration tasks. Cisco Prime Infrastructure allows you to create groups in addition to the default preconfigured port groups. Port group creation is accessed from Inventory > Group Management > Port Groups. To create a custom port group, hover over User Defined and click the (i) icon to access a pop-up menu for adding a new group.
The WAN Interfaces port group is a special preconfigured port group. The interfaces in this group are your WAN interfaces that need to be actively monitored. In order to add WAN interfaces to this group, select all the groups and filter the WAN interfaces based on your interfaces type, IP address, interface description, or any other attributes that are used to denote a WAN interface group. It is highly recommended to populate this group with the WAN interface to get the most out of this application.
Cisco Prime Infrastructure topology maps are based on location groups. Cisco Prime Infrastructure provides a visual map of your network’s physical topology, including the network devices and the links that connect them. You must enable Cisco Discovery Protocol on the devices to visualize the links.
Cisco Prime Infrastructure provides a built-in planning tool that network administrators can use to determine what is required to deploy a wireless network. As part of the planning process, various criteria are entered in the planning tool. Complete these steps:
1. Specify the AP prefix and AP placement method (automatic versus manual).
2. Choose the AP type and specify the antenna for both the 2.4 GHz and 5 GHz bands.
3. Choose the protocol (band) and minimum desired throughput per band that is required for this plan.
4. Enable planning mode for advanced options for data, voice, and location. Data and voice provide safety margins to help with the design. Safety margins help design for certain RSSI thresholds, which are detailed in the online help. The monitor mode option factors in APs that could be deployed to augment location accuracy. Location typically requires a denser deployment than data, and the location check box helps plan for the advertised location accuracy.
5. Both the Demand and Override options allow for planning for any special cases where there is a high density of client presence such as conference rooms or lecture halls.
The generated proposal contains:
● Floor plan details
● Disclaimer/scope/assumptions
● Proposed AP placement
● Coverage and data rate heat map
● Coverage analysis
Cisco Prime Infrastructure site maps represent the geographical locations and physical structures where your organization maintains network assets. Site maps display the physical locations of network devices, including wireless access points and client devices such as laptops, tablets, and mobile phones. They also help you visualize wireless network coverage, including a heatmap that displays signal strength and quality, the locations of RF interferers, chokepoints, and so on.
Site maps provide a summary view of all your managed systems on campuses, buildings, outdoor areas, and floors. Cisco Prime Infrastructure allows you to add maps and view your managed systems on realistic campus, building, and floor maps.
The features of Cisco Prime infrastructure site maps are:
● Supports .PNG, .JPG, .JPEG, or .GIF formats.
● Automatically converts images such as DXF or DWG CAD files and Qualcomm MET files to your choice of PNG, JPG, JPEG, or GIF format.
● Automatically resizes the maps to fit the workspace.
● Supports importing Google Earth Maps.
It is recommended not to have more than 100 APs per floor area. If you have monitor mode access points on the floor plan, the coverage heatmap excludes them.
There are two ways of creating sites. You can manually create sites by navigating to Inventory > Device Management > Network Devices > Device Groups and selecting Create Sites.
If your access points follow a very consistent naming convention, you can automatically create a site tree map based on the hostname. Figure 25 shows how a device hostname separated by hyphens can be used as a delimiter to create a site map tree automatically.
To create automatic site hierarchies, go to Maps>Wireless Maps > Automatic Hierarchy Creation. Enter the AP Hostname and a suitable regular expression (or generate one as mentioned in the tip below). Click Test to see how the site is created from the hostname. Change the pull-down to map to the appropriate campus, building, floor, device, and so on.
TIP: After entering a sample hostname for an AP, you can click Create basic regex based on delimiter to automatically generate the regular expression.
Import/Edit Maps from WCS/NCS to Cisco Prime Infrastructure
If you have already created sites for the wireless network in a previous version of WCS or NCS, you can export from those applications and import the information into Cisco Prime Infrastructure as well. You can go to Maps > Wireless Maps > Site Maps > Choose File.
Managing Configuration Archives
Cisco Prime Infrastructure archives and maintains multiple versions of running and startup configurations. Configuration Archive settings control how Cisco Prime Infrastructure should manage the archives. Configuration archive settings can be configured by navigating to Administration > Settings > System Settings > Inventory > Configuration Archive.
The Basic tab allows users to define the protocol order, SNMP timeout, the number of days and versions to retain, thread pool count, and similar variables. The Advanced tab allows users to define a command exclude list for each device family type.
You can use Cisco Prime Infrastructure to view and compare device configurations. To compare configurations, navigate to Inventory > Device Management > Network Devices and select the device. Select the Configuration Archive tab. Select the version of the configuration to compare and select the compare options. The color-coded configuration differences are then shown instantly, as in Figure 28.
Upgrading the software images of devices to the latest version can be error prone and time consuming if done manually. Cisco Prime Infrastructure simplifies the deployment of software images to one or many devices at the same time by letting you plan, schedule, download, and monitor software image update jobs. Cisco Prime Infrastructure provides software image details, lists recommended software images, and deletes software images.
Cisco Prime Infrastructure provides a number of settings that can be accessed from Administration > Settings > System Settings > Inventory > Image Management. These include the team-shared cisco.com username/password, job failure handling options, image and configuration protocol options, and so on. It is recommended to configure these initially so that your preferences are applied when distributing images to managed devices.
Cisco Prime Infrastructure allows you to import images into the software image library from devices, from the local file system, and by other means.
Images can easily be added to the local repository by choosing Inventory > Device Management > Software Images > Import. Follow the wizard to import images. Images can be deployed to devices by navigating to Inventory > Device Management > Software Images. Select the image from the list (once it has been added to the repository) and click Distribute Images. Once the devices to be upgraded or downgraded are selected, a prerun status is shown, which helps avoid job failures in the first place. Click Upgrade Analysis to generate a report on this.
Configuration templates follow a design, approve, and deploy workflow. When you have a site, office, or branch that uses a similar set of devices and configurations, you can use configuration templates to build a generic configuration that you can apply to one or more devices.
Choosing a Configuration Template
Cisco Prime Infrastructure provides the following types of templates:
● Features and technologies templates - These out-of-the-box templates are specific to a feature or a technology based on CVD or Cisco best practice recommendations. Features and Technologies templates are based on device configurations that focus on specific features or technologies. These templates can configure various wired and wireless features on the devices. You can also customize these templates by duplicating them, editing the copies, and saving them as your own custom templates.
● CLI templates - CLI templates use Cisco IOS Software CLI commands. Cisco Prime Infrastructure supports system defined CLI templates and custom CLI templates.
● System templates - CLI - These are CLI-based, customizable out-of-the-box templates. You can modify one and save it as a new template, but you cannot delete a System Template. On this page, you can import or export any template. You cannot import a template under the system defined folder.
To view the list of CLI templates, choose Configuration > Templates > Features and Technologies > CLI Templates > System Templates - CLI.
● CLI - This is primarily meant for creating custom configuration templates. CLI templates use a set of reusable device configuration commands with the ability to parameterize selected elements of the configuration as well as add control logic statements. Such a template is used to generate a device-deployable configuration by replacing the parameterized elements (variables) with actual values and evaluating the control logic statements. CLI templates are based on the Apache Velocity template language. CLI templates do not have an option to undeploy.
● Composite templates - You can create a composite template if you have a collection of existing feature or CLI templates that you want to apply collectively to devices. You specify the order in which the templates contained in the composite template are applied to devices. If you have multiple similar devices replicated across a branch, you can create and deploy a "primary" composite template to all the devices in the branch. This primary composite template can also be used later when you create new branches.
To create a composite template, choose Configuration > Templates > Features and Technologies > Composite Templates > System Templates – Composite.
Defining Shared Policy Objects
Policy objects enable you to define logical collections of elements. They are reusable, named components that can be used by other objects and policies. They also eliminate the need to define a component each time that you define a policy.
Interface roles configuration allows you to group a set of interfaces according to a set of rules and apply the AVC configuration for that group of interfaces. Navigate to Configuration -> Templates -> Shared Policy Objects. Select Interface Role. Create the new interface roles.
Wireless Controller Configuration
You can use the system templates to configure the wireless controllers. Another way to achieve this, along with other benefits, is by means of controller configuration groups. Configuration groups are an easy way to group controllers logically. This feature provides a way to manage controllers with similar configurations. You can first create templates to configure different features and apply them to a particular configuration group. Templates can also be extracted from existing controllers to provision new controllers. Configuration groups can also be used to schedule configuration sets to be provisioned. Controller reboots can also be scheduled or cascaded depending on operational requirements. Mobility groups, Dynamic Channel Assignment (DCA), and controller configuration auditing can also be managed using configuration groups.
Configuration groups are used for grouping sites together for easier management (mobility groups, DCA, and regulatory domain settings) and for scheduling remote configuration changes. Configuration groups can be accessed from Configuration > Templates > Controller Configuration Groups.
RF profiles and groups are supported in Cisco Prime Infrastructure through both RF profile creation templates and AP group templates. Creating RF profiles through templates gives the administrator a simple way to create and apply them consistently to groups of controllers.
Cisco Prime Infrastructure provides two ways to build or manage an RF profile. The first is to navigate to Configuration > Network > Network Devices, select a controller, click the Configuration tab, and choose 802.11 > RF Profiles to access the profiles of an individual controller.
Figure 39 displays all the RF profiles currently present on the chosen controller and allows you to make changes to profiles or AP group assignments.
When you create a new profile, Cisco Prime Infrastructure prompts you to choose an existing template. When accessing this for the first time, you are directed to the Template Creation dialog for an 802.11 controller template.
Also, you can choose Configuration> Templates > Features & Technologies > Controller > 802.11 > RF Profiles (see Figure 41) to navigate to the controller template launch pad directly.
In both cases, a new RF profile is created in Cisco Prime Infrastructure through the use of a template. This is a recommended method, since it allows the administrator to use the workflow of Cisco Prime Infrastructure and apply templates and configurations to all or select groups of controllers and reduce configuration errors and mismatches.
Apply RF Profiles to AP Groups
New RF profiles can be applied to a controller through the use of AP groups they are assigned to. Choose Configuration > Templates > Features & Technologies > Controller > WLANs and choose AP Groups as shown in Figure 41.
In Cisco Prime Infrastructure, you can choose the Venue Group tab to add venue information as well. (See Figure 42.)
When you save the template, a warning message may appear. Changing the interface that the assigned WLAN uses disrupts the VLAN mappings for FlexConnect APs applied in this group. Make sure that the interface is the same before you proceed. Choose Deploy.
Choose the controllers to which the template needs to be applied as shown in Figure 43.
Only those access points attached to controllers where the AP group was deployed successfully with the RF profiles applied (click Apply to Access Points) are available to select.
Note: Until this point, no real changes were made to the RF infrastructure, but this changes when APs that contain new RF profiles are moved into the group. When an AP is moved into or out of an AP group, the AP reboots to reflect the new configuration.
Choose the APs you want to add to the AP group and click OK. A warning message appears. Cisco Prime Infrastructure displays the status of the change.
Cisco Prime Infrastructure helps automate the deployment of new devices on the network by obtaining and applying the necessary software image and configuration on a new network device. Using features such as Cisco Network Services (CNS) call-home, APIC-EM (Application Policy Infrastructure Controller) call-home and Cisco IOS Software auto-install (which uses DHCP and TFTP), Cisco Prime Infrastructure reduces the time a new device takes to join the network and become functional.
The Plug and Play feature of Cisco Prime Infrastructure allows you to create templates to define features and configurations that you can reuse and apply to new devices. You can streamline new device deployment by creating bootstrap templates, which define the necessary initial configuration, to communicate with Cisco Prime Infrastructure. You can specify (and predeploy) software images and configurations that will be added to the devices in the future. See the Cisco Prime Infrastructure User Guide for detailed steps using automated deployment.
Cisco Prime Infrastructure allows you to define device configuration baselines and audit policies that help identify and fix any device configuration deviations from the baseline. You can schedule a compliance audit job against multiple devices and get an audit report that indicates whether any configurations deviate from the specified baseline.
Compliance Baseline Audit is available when Cisco Prime Infrastructure is deployed using either of the following options:
● Professional OVA Virtual appliance
● Cisco Unified Computing System™ (Cisco UCS) Gen 2 physical appliances
By default, the Compliance Service feature is disabled. To enable compliance auditing, choose Administration > Settings > System Settings > General > Server, then enable Compliance Service (see Figure 44).
Cisco Prime Infrastructure server will have to be restarted for the changes to take effect. No additional licenses are required to use the compliance baseline audit feature.
A compliance policy is a set of conditional rules to validate against your network devices’ configurations. You can use the predefined policies or create your own.
To create a new compliance policy, navigate to Configuration > Compliance > Policies. Click the Add (+) button to create a compliance policy, and enter a name for the policy.
Upon policy creation, you can define one or more conditional rules for each compliance policy. Refer to the Cisco Prime Infrastructure User Guide for more details on the rule inputs and parameterization of user inputs.
Once compliance policies have been defined, group one or more policies under a Compliance Profile. Profiles are sets of one or more policies, intended as a unit of comparison against the network device configurations.
Follow these steps to create a policy profile:
● Browse to Configuration > Compliance > Profiles and add a new profile.
● Once the profile is created, use the Compliance Policy selector to select the desired policies to be grouped, from the system‑defined or user-defined policies.
● Multiple policies can be selected and grouped.
● For each compliance policy, you have the option to use one or more of the rules defined.
Once a policy profile is created by grouping the compliance policies, compliance baseline auditing can be performed. Follow these steps to run the compliance audit job:
● Choose Configuration > Compliance > Profiles, select a profile and click Run compliance Audit icon (lightning bolt icon).
● Select the devices to be audited and the corresponding configuration to be checked (use latest archived configuration or use current configuration).
● Specify the desired job scheduling and recurrence (standard Cisco Prime Infrastructure job framework selection options are available).
The Compliance Job Dashboard lists the compliance audit jobs as well as violation fix jobs. To view the details of a job result, click Last Run Result. Results may be exported in PDF and CSV formats.
You can view details of “Violations by Device” and select the specific fixes to be included in a Fix Job, with an option to preview the Fix CLI.
Violations raised during the compliance audit can be viewed under Compliance > Jobs > Violation Summary. The violation summary can also be exported in PDF and CSV formats.
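The audit workflow above (policies with conditional rules, grouped into a profile, run against device configurations, with violations by device and a Fix CLI preview), as an added example that is not the product's own rule engine or syntax: a simplified rule model where each rule names a pattern that must be present and/or one that must be absent in the running configuration. The two branch router configurations, the rule names, and the sample syslog collector address are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed running-config excerpts for two branch routers (not from the guide).
CONFIGS = {
    "branch-rtr-1": (
        "hostname branch-rtr-1\n"
        "service password-encryption\n"
        "ip http server\n"
        "line vty 0 4\n"
        " transport input ssh\n"
        " exec-timeout 10 0\n"
        "logging host 192.0.2.10\n"
    ),
    "branch-rtr-2": (
        "hostname branch-rtr-2\n"
        "ip http server\n"
        "line vty 0 4\n"
        " transport input telnet ssh\n"
    ),
}


@dataclass
class Rule:
    """One conditional rule: a regex that must be present and/or one that must
    be absent (multiline match), plus the CLI that would fix a violation.
    Hypothetical, simplified rule model; the product's own rule syntax is richer."""
    name: str
    severity: str
    must_contain: Optional[str] = None
    must_not_contain: Optional[str] = None
    fix_cli: List[str] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    rules: List[Rule]


@dataclass
class Violation:
    device: str
    policy: str
    rule: str
    severity: str
    fix_cli: List[str]


# A compliance profile groups one or more policies.
BASELINE_PROFILE: List[Policy] = [
    Policy("Management plane hardening", [
        Rule("vty-no-telnet", "Critical",
             must_not_contain=r"^ transport input .*\btelnet\b",
             fix_cli=["line vty 0 4", " transport input ssh"]),
        Rule("http-server-disabled", "Major",
             must_not_contain=r"^ip http server$",
             fix_cli=["no ip http server"]),
        Rule("password-encryption", "Major",
             must_contain=r"^service password-encryption$",
             fix_cli=["service password-encryption"]),
    ]),
    Policy("Logging", [
        Rule("syslog-host-defined", "Minor",
             must_contain=r"^logging host \S+",
             fix_cli=["logging host 192.0.2.10"]),  # constructed sample collector
    ]),
]


def audit_device(device: str, config: str, profile: List[Policy]) -> List[Violation]:
    """Check one device configuration against every rule in the profile."""
    violations: List[Violation] = []
    for policy in profile:
        for rule in policy.rules:
            present_ok = rule.must_contain is None or bool(re.search(rule.must_contain, config, re.M))
            absent_ok = rule.must_not_contain is None or not re.search(rule.must_not_contain, config, re.M)
            if not (present_ok and absent_ok):
                violations.append(Violation(device, policy.name, rule.name, rule.severity, rule.fix_cli))
    return violations


def run_compliance_audit(configs: Dict[str, str], profile: List[Policy]) -> Dict[str, List[Violation]]:
    """The audit job: every selected device's configuration against the profile."""
    return {device: audit_device(device, cfg, profile) for device, cfg in configs.items()}


def violation_summary(results: Dict[str, List[Violation]]) -> Dict[str, int]:
    """Violations by device, as in the Violation Summary view."""
    return {device: len(v) for device, v in results.items()}


def preview_fix_cli(results: Dict[str, List[Violation]], device: str) -> List[str]:
    """Fix CLI preview: the remediation lines for one device's violations, in order."""
    return [line for v in results[device] for line in v.fix_cli]


if __name__ == "__main__":
    results = run_compliance_audit(CONFIGS, BASELINE_PROFILE)
    print(violation_summary(results))
    for device in CONFIGS:
        print(device, preview_fix_cli(results, device))
```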
Cisco Prime Infrastructure helps determine whether any managed devices in the network have security vulnerabilities identified by the Cisco Product Security Incident Response Team (PSIRT). The report also includes documentation about each specific vulnerability that describes its impact and any steps that need to be applied.
Cisco Prime Infrastructure also gives you an option to run a report to determine if any Cisco device hardware or software in the network has reached its end of life (EOX). This can help determine the product upgrade and substitution options.
Browse to Reports > Reports > PSIRT and EOX.
All clients (wired and wireless) available in the network and discovered by Cisco Prime Infrastructure are displayed in the Clients and Users page (Monitor -> Monitoring Tools -> Clients and Users).
Wired clients display the AP name as N/A. Switch port information is provided in the Interfaces column, as shown in Figure 51.
Cisco Prime Infrastructure also provides monitoring and troubleshooting for wired and wireless clients. SNMP is used to discover clients and collect client data. Cisco Identity Service Engine (ISE) is polled periodically to collect client statistics and other attributes to populate related dashboard components and reports. In order to launch the client-troubleshooting tool, select the client, and click Troubleshoot.
Log messages can be retrieved from the controller using the Log Analysis tool, as shown in Figure 53.
The Event History tool and the Test Analysis (CCX5 clients) tool can also be used for wireless client troubleshooting. Cisco Prime Infrastructure can also be used for troubleshooting wired clients.
Cisco Prime Infrastructure manages the wired and wireless clients in the network. You can get enhanced information using Cisco Identity Services Engine (ISE), Cisco Secure Access Control (ACS) View servers, or Cisco Mobility Services Engine (MSE). Hence, Cisco Prime Infrastructure provides complete visibility of users and managed clients.
When Cisco ISE is used as a RADIUS server to authenticate clients, Cisco Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to be visible in a single console.
You can get enhanced information about managed clients using the Cisco ISE.
If Cisco Prime Infrastructure is integrated with an ISE server (to access endpoint information), you can:
● Check the endpoint type.
● Identify possible problems with the end user’s authentication and authorization for network access.
● View the bandwidth utilization for wired clients.
Note: Cisco Prime Infrastructure displays ISE Profiling attributes only for authenticated endpoints.
A maximum of two ISEs can be added to Cisco Prime Infrastructure. If you add two ISEs, one should be primary and the other should be standby. If you add a standalone node, you can add only that one node and cannot add a second.
To add an Identity Services Engine, browse to Administration -> Servers -> ISE Servers.
From the Select a command drop-down list, choose Add ISE Server, then click Go. Complete the required fields, then click Save.
Note: The credentials should be superuser credentials local to ISE. Otherwise, ISE integration does not work.
Cisco Prime Infrastructure, when integrated with Cisco Mobility Services Engine, can provide a single unified view by extracting location and posture information for managed clients. wIPS profiles can also be deployed.
You can add an MSE by navigating to Services -> Mobility Services -> Mobility Services Engines. Select Add Mobility Services Engine from the command drop-down list, and click Go.
In this dialog box, you can add licensing files, tracking parameters, and assign maps to the MSE. If you launch the wizard with an existing MSE for configuration, then the Add MSE option appears as Edit MSE Details.
For detailed information on MSE, see the Cisco Prime Infrastructure User guide.
Cisco Prime Infrastructure uses monitoring policies to monitor devices against the thresholds you specify. When the thresholds that you specify are reached, Cisco Prime Infrastructure issues an alarm.
By default, Cisco Prime Infrastructure polls:
● Device health metrics on supported routers, switches and hubs. Storage devices and Cisco UCS series devices are not monitored by the default health policy.
● Port group health metrics.
● Interface health metrics on WAN interface groups, AVC, and Cisco UCS.
Note: Cisco Prime Infrastructure uses monitoring policies only for wired devices.
Choose Monitor -> Monitoring Tools -> Monitoring Policies -> Auto monitoring. Cisco Prime Infrastructure polls SNMP objects to gather monitoring information for the device and interface parameters.
You can add new monitoring policies to monitor network device metrics and alert you to changing conditions before they impact operation. Choose Monitor > Monitoring Tools > Monitoring Policies > My Policies. Then click Add. Select the policy type, configure the parameters and thresholds, and click “Save and Activate” to activate the policy on the selected devices.
Cisco Prime Infrastructure displays summary information in several different dashboards that contain graphs and visual indicators. The Overview dashboards display dashlets for the network device summary graph, system health, interface health metrics, top N CPU and memory utilization, and so on.
Alarms and events provide a single page view of all alarms and events for wired and wireless infrastructure. Alarms can be viewed by navigating to Monitor > Monitoring Tools > Alarms and Events.
Almost all of the tables in Cisco Prime Infrastructure have a quick filter widget. This lets you quickly filter the table, which is especially useful when there are many rows, such as with alarms and events or clients and users. Figure 58 shows the different quick filtering options available.
The Advanced Filter, as the name implies, allows you to filter on the content with complex rules. These filters can be saved for one-click use, the next time they are needed.
Choose Administration -> Settings -> System Settings to change the alarm’s default severity level. Under Alarms and Events section, select Alarm Severity and Auto Clear. Select the Event type and click Severity Configuration. From the Configure Severity Level drop-down list, choose a severity level.
Cisco Prime Infrastructure recognizes additional traps and lets you customize and create events and alarms for these traps. You can specify a trap notification name, the event severity, and the message to use when the specified trap is received. Cisco Prime Infrastructure creates an event with the settings you specify. Choose Monitor -> Monitoring Tools -> Alarms & Events.
In the Events tab, click Custom Trap Events. Click Add in the Custom Trap Events window, select a MIB and Notification Name, set the default severity level, and then click OK.
Cisco Prime Infrastructure creates a new event type and alarm condition for the specified trap.
You can enable Cisco Prime Infrastructure to create events for a particular syslog message. You specify a syslog message identifier, the event severity, and the message to use when the specified syslog is received. Cisco Prime Infrastructure creates an event with the settings you specify.
Choose Monitor -> Monitoring Tools -> Alarms & Events. In the Syslog tab, click Custom Syslog Events. Click Add and complete all the required fields, and click OK.
Forwarding Alarms as Traps to Notification/Trap Receivers
Notification receivers can be configured to support North Bound access and guest access. Alerts and events are sent as SNMPv2 and SNMPv3 notifications to the configured notification receivers. You can add and remove notification receivers from Administration > Settings > System Settings > Alarms and Events > Notification Receivers.
Monitoring Application and Services
Network administrators need to gain visibility into applications running on the network and their performance, and to see the different types of traffic and their performance in greater detail. They should be able to quickly isolate and troubleshoot application performance issues. They can define policies to control and tune the performance of the different applications. Service assurance dashboards in Cisco Prime Infrastructure help to provide a granular and detailed view of assurance features.
The Cisco Application Visibility and Control (AVC) is a solution which offers application awareness in the network. AVC incorporates application recognition and performance monitoring capabilities. When coupled with network management tools, AVC provides a powerful and pervasive integrated solution for discovering and controlling applications within the network.
● Make sure that the devices on which you have to enable AVC are fully managed (In Device Work Center).
● Make sure that the sites/location based groups are created and the endpoints (devices) that need to be monitored are associated with corresponding sites.
● Interface role (Shared Policy Objects) should be created for the wired devices, before using the AVC template.
| Platforms | Minimum software version required |
| --- | --- |
| ASR 1000 | 15.3(1)S1 and later |
| ISR G2 | 15.2(4)M2 and later |
| ISR 4451-X | 15.3(2)S |
| CSR 1000 | 15.3(2)S |
| WLC | 7.4 |
Readiness assessment allows you to analyze the routers in your network and determine whether these devices are capable of running AVC.
Choose Services -> Application Visibility and Control -> Readiness Assessment.
The table view provides all the relevant information for the devices and also suggests whether these devices are AVC capable or not. It provides recommendations for AVC capable devices to make them AVC configurable.
Different Approaches to Enable AVC
There are three different approaches to enable AVC on routers.
● Use the one-click option to enable it on one or more interfaces of a single router, if this is your first time with AVC.
● Use the template option to enable AVC on multiple devices based on the interface role.
● Enable AVC on multiple interfaces and multiple devices for which you could use the location- and device-based filters. This method will also allow you to configure QoS if needed. See the AVC Solution Guide for more details.
Enabling AVC on Wireless Controllers
Feature design templates in Cisco Prime Infrastructure can be used to enable AVC on the controllers. You first create an exporter configuration template, then create a monitor template that references the exporter template, and finally deploy the monitor template to the controllers. See the AVC Solution Guide for more details.
Now that you have created all the sites where your network equipment is staged, it is time to map those sites to their respective subnets, data sources, and VLANs. This allows Cisco Prime Infrastructure to see the traffic flow, especially when it comes to application performance. In order to create an endpoint, you can navigate to Services >Application Visibility & Control > Endpoint Association. Figure 65 shows how various sites are mapped to their subnets. In addition to the subnet mask, you can also specify the default data source desired for that site.
Cisco Prime Infrastructure can collect NetFlow from data sources directly. In case of Cisco Prime Network Analysis Module (NAM), Cisco Prime Infrastructure collects all the information from the NAM natively.
To view all the data sources exporting NetFlow to Cisco Prime Infrastructure, navigate to Services -> Application Visibility & Control -> Data Sources. The Device Data Sources list shows all the devices that are actively sending NetFlow data to Cisco Prime Infrastructure. The NAM Data Collector lists all the NAMs that have been discovered or added to the inventory. You can select a NAM and enable or disable data collection from it.
Cisco Prime Infrastructure shows performance related metrics for applications in the following dashboards:
● Dashboard -> Overview -> Service Assurance
● Services -> Application Visibility and Control -> Service Health
● Dashboard -> Performance (all of the dashboards)
Classify Unknown Traffic by Defining Custom Application
Cisco Prime Infrastructure lets you define custom applications, deploy them to the device, and have Cisco Prime Infrastructure monitor them. Choose Services -> Application Visibility & Control -> Applications and Services and click Create.
Provide an application name and the selector ID. Select the Business Critical check box if you want this custom application to be marked as business critical.
Updating Application Definitions (NBAR2 Protocol Pack)
NBAR2 Protocol packs can be uploaded to Cisco Prime Infrastructure to recognize any new applications. Choose Services -> Application Visibility & Control -> NBAR2 Protocol Pack Management. Using the Import option, you can update the protocol pack.
Multi-NAM Capabilities within Cisco Prime Infrastructure
Cisco Prime Infrastructure can serve as a central manager of managers (MoM) if multiple NAMs are deployed in the network. Some of the functionality that Cisco Prime Infrastructure can help with includes:
● Centralized monitoring of NAM health.
● Deploying configurations to multiple NAMs using the CLI configuration templates.
● Upgrading NAMs using software image management capabilities.
● Using one-click packet capture from multiple NAMs based on a capture policy.
● Proactively capturing packets using threshold breaches.
All of these allow you to use Cisco Prime Infrastructure to effectively manage the NAMs, thus making it a very good and stable data source for application visibility.
The following table lists the dashlets that help in monitoring NetFlow data in Cisco Prime Infrastructure.
| Grouping of Dashlets | Dashlet Names |
| --- | --- |
| Site Specific Dashlets | Application Usage Summary; Top N Application Groups; Top N Applications; Top N Applications with Most Alarms; Top N Clients (In and Out); Top N VLANs |
| Application Specific Dashlets | Application Configuration; Top N Applications; Top Application Traffic over Time; DSCP Classification; IP Traffic Classification; Client Conversations; Top N Clients (In and Out); Client Traffic; Number of Clients over Time |
Cisco Prime Infrastructure can monitor the Microsoft Lync traffic in your network. It processes and filters Microsoft Lync quality update messages and aggregates Microsoft Lync calls. You can view volume trends over time and get a summary of call types, including filtering based on time and location groups. You can also view individual calls and troubleshoot individual call streams.
Setting Up Microsoft Lync Monitoring
Cisco Prime Infrastructure must be registered as a receiver of Microsoft Lync data in order to monitor and provide a centralized view of how Microsoft Lync is deployed in your network.
On your Microsoft Lync SDN server, edit the LyncDialogListener.exe.config file to add the following lines. The LyncDialogListener.exe.config file is located in the Lync SDN API installation directory at the following default location: C:\Program Files\Microsoft Lync Server\Microsoft Lync SDN API.
<add key="submituri" value="https://PI_server_name/webacs/lyncData"/>
Where https://PI_server_name is the name of your Cisco Prime Infrastructure server as specified in the Trusted Root Certification Authorities certificate.
<add key="clientcertificateid" value="value"/>
Where value is the certificate value of your Cisco Prime Infrastructure server as specified in the Trusted Root Certification Authorities certificate.
Alternately, if you use the Microsoft SDN interface to enter your Cisco Prime Infrastructure server details, you must accept the SSL certificate in order to enable XML communication over secure HTTP. After you register Cisco Prime Infrastructure as a receiver of Microsoft Lync data, all Microsoft Lync details are sent to Cisco Prime Infrastructure.
To monitor Microsoft Lync data, browse to Services -> Application Visibility & Control -> Lync Monitoring. Colored bars represent the different call types and the respective call volume over the specified time period. The Lync Conversations table lists the aggregated conversations for the call type you select from the bar chart. Click the arrow next to a Caller to expand and view the details of that conversation, from the Caller to the Callee.
Cisco Prime Infrastructure displays the call metrics for the selected conversation.
Performance Routing (PfR) monitors network performance and selects the best path for each application based on advanced criteria such as reachability, delay, jitter and packet loss. PfR can evenly distribute traffic to maintain equivalent link utilization levels using an advanced load balancing technique.
PfR Version 3 (PfRv3) is the intelligent path control component of the IWAN initiative and provides a business-class WAN over Internet transports. PfR allows customers to protect critical applications from fluctuating WAN performance while intelligently load balancing traffic over all WAN paths.
Cisco IOS Software PfR makes real-time routing adjustments based on application criteria such as response time, packet loss, jitter, path availability, interface load, and circuit cost minimization.
Browse to Services -> Application Visibility & Control -> PfR Monitoring. The PfR landing page includes a Site to Site PfR Events table, a filter panel, a Metrics panel (Metrics Crossing Thresholds versus Service Provider(s)), and a time slider.
The Metrics panel displays, as charts, the metrics gathered from Threshold Crossing Alerts (TCAs). Each service provider is represented by a unique color in the chart. The charts available in the Metrics panel are:
● Unreachability over time
● Maximum Delay over time
● Maximum Jitter over time
● Maximum Packet loss% over time
The Site to Site PfR Events table displays site-to-site PfR events, including Threshold Crossing Alert (TCA), Route Change (RC), and Immitigable Event (IME). By default, the PfR events that occurred over the last 72 hours are displayed.
The site to site topology consists of nodes representing border router, primary controller, and service provider. The egress and ingress orange links represent the WAN link connectivity between border routers and service provider, and blue links connect the border router and primary controller.
Click a node to view the device metrics pop-up window from where you can navigate to the corresponding device context page. Click a link to view the link metrics pop-up window from where you can navigate to the link context page. Click Launch Interface Dashboard in the Link Metrics pop-up window to view the Interface dashlets in the Performance dashboard.
The Compare WAN Interfaces page shows the WAN link usage and performance of the selected WAN interfaces. It compares the Egress Bandwidth (B/W) usage, the number of TCAs, RCs, and IMEs that occurred, and the number of applications routed, for the selected WAN interfaces.
Easy visualization and customization of data views is possible in Cisco Prime Infrastructure. There are two different ways of customizing the dashboards:
● Adding your own dashboard in addition to the existing dashboards.
● Adding/moving dashlets (also known as portlets) from one dashboard to another.
Navigate to any of the existing dashboards under the Dashboards menu. Use the Settings in the top right corner of the dashboard to add a new dashboard. The new dashboard is created under the current dashboard tree, and its tab appears immediately.
The next step is to populate the new dashboard that you created with dashlets. There are about 50 preconfigured dashlets that you can use for various dashboards.
A new dashlet can be added to the dashboard where you want it to appear. Use the Add Dashlet(s) from the Settings to view the list. Once you see the list of dashlets, you can add the appropriate Dashlet to the dashboard.
Customizing the Dashlet Content
In addition to the dashboard itself, you can customize the content within each dashlet. Click the pencil icon in the title bar of any dashlet to customize the dashlet content. This exposes all the configuration options that can be tweaked for that dashlet; each dashlet has its own configuration parameters. Once you are done, click Save and Close to view the data.
Wireless Remediation
The following tools available within Cisco Prime Infrastructure may be used in order to remediate wireless issues:
● Cisco CleanAir
● Client Troubleshooting
● AP Troubleshooting
● Audit Tool
● Security Dashboard
● Switch port Tracing (SPT)
● Contextual device 360-degree views for easy access to assorted tools:
◦ Ping
◦ Traceroute
◦ Cisco Discovery Protocol Neighbors
◦ WLAN and SSID information
◦ Active AP and client count
Wired Remediation
The following tools within Cisco Prime Infrastructure can be used to remediate wired issues:
● Wired Client Troubleshooting
● Ad Hoc and Automated Packet Capture
● Device Work Center
● Contextual device 360-degree views for easy access to assorted tools:
◦ Ping
◦ TraceRoute
◦ Cisco Discovery Protocol Neighbors
◦ Config Diffs
◦ Inventory Details
◦ Network Audits
◦ Support Forums
Trigger Packet Capture from Cisco Prime Infrastructure
Cisco Prime Infrastructure provides a very flexible solution for capturing packets throughout your network. You can either manually trigger a packet capture or automatically specify the capture based on some advanced parameters, so that it will be triggered once a threshold level is breached. In both of these solutions, packets can be captured locally on the NAM or they can be stitched from multiple NAMs and stored in Cisco Prime Infrastructure. Packet captures can also be triggered on the ASR 1Ks.
Manual Packet Capture from Cisco Prime Infrastructure
In order to do an ad hoc packet capture, navigate to Monitor > Tools > Packet Capture > Capture Sessions. In order to create a new profile, click Create and fill in all the criteria for capturing the particular traffic of interest. If you need to capture a particular type of traffic all the time, it may be a good idea to proactively create those profiles and test them before automating them, as described in the next section.
Automating Packet Capture Using Cisco Prime Infrastructure
There are times when you want to capture packets based on a trigger, and there is no way to anticipate when the trigger will occur. For example, if you are trying to meet the SLA for AvgRespTime for an application, you may want to start the packet capture when the response time exceeds the predefined time. You can achieve this by combining a threshold and a packet capture in Cisco Prime Infrastructure. Navigate to Monitor > Monitoring Tools > Monitoring Policies > Add > Traffic Analysis. By clicking the threshold template, you can create a new instance from it. In order to change any of the thresholds, simply select that row and edit the threshold as shown in Figure 77. You can see that we have chosen to alert and start capturing SharePoint traffic if the AvgRespTime exceeds the default value.
Decoding Packet Capture Using Cisco Prime Infrastructure
Once the packets are captured, there are two options to decode them. The easiest way is to select the packet capture session and click Decode from the Packet Capture homepage (Monitor > Tools > Packet Capture). The capture decode is shown in a pop-up window, which makes it extremely easy to evaluate each and every packet.
You could also click Export, and the .pcap file will be downloaded directly to the client PC. This is useful if you need to perform advanced troubleshooting on the capture. There is a dimmed Merge button between the Decode button and the Export button, which can be used to merge the .pcap files if more than one file is selected.
TIP: If the capture file is not very large (that is, not on the order of GB), it makes sense to decode it in Cisco Prime Infrastructure instead of jumping over to the NAM. Otherwise, you should use NAM instead of Cisco Prime Infrastructure for decoding very large capture files.
A wide variety of preconfigured reports can be used for up-to-date information on the network, including detailed inventory, configuration, compliance, audit, capacity, end-of-sale, security vulnerabilities, and many more. Reports can be scheduled or run immediately, emailed, or saved as PDFs for future viewing. Composite reports help to group multiple reports. Navigate to Reports > Report Launchpad to generate the various reports.
Cisco Prime Infrastructure R/W REST APIs can be used to integrate with any in-house OSS systems. For details, see the REST API documents in the Cisco Prime Infrastructure 3.0 API Reference Guide.
The Cisco Prime Infrastructure High Availability (HA) implementation allows one primary Cisco Prime Infrastructure server to fail over to one secondary (backup) Cisco Prime Infrastructure server. A second server is required that has sufficient resources (CPU, hard drive, network connection) to take over Cisco Prime Infrastructure operation in the event that the primary Cisco Prime Infrastructure system fails. In Cisco Prime Infrastructure, the only supported HA configuration is 1:1 - 1 primary system, 1 secondary system.
The size of the secondary server must be larger than or equal to that of the primary server; for example, if the primary Cisco Prime Infrastructure server is the Express Plus OVA, then the secondary Cisco Prime Infrastructure server must be the Express Plus or larger.
The primary and secondary servers cannot be a mix of a physical and a virtual appliance. For example, if the primary Cisco Prime Infrastructure server is a virtual appliance, the secondary server cannot be a physical appliance; it must be a virtual appliance with the same or a larger OVA.
Customers must be running the same version of Cisco Prime Infrastructure and should be at the same patch level on both the primary and secondary Cisco Prime Infrastructure servers.
The Cisco Prime Infrastructure HA feature is transparent to the wireless controller, that is, there is no software version requirement for the Cisco Wireless LAN Controller (WLC), access points (APs), and the Cisco Mobility Services Engine (MSE).
An RTU (right-to-use) license is required to deploy Cisco Prime Infrastructure in HA implementation. Only one Cisco Prime Infrastructure server license needs to be purchased. There is no need to purchase a license for the secondary Cisco Prime Infrastructure server. The secondary server will use the license from the primary when a failover occurs. The same Cisco Prime Infrastructure license file resides on both the primary and secondary Cisco Prime Infrastructure servers. The license file is only active on one system at any given point in time.
Cisco Prime Infrastructure HA can also be deployed with geographic separation of the primary and secondary servers. This type of deployment is also known as disaster recovery or geographic redundancy.
There are two HA modes: failover and failback. After initial deployment of Cisco Prime Infrastructure HA, the entire configuration of the primary Cisco Prime Infrastructure server is replicated to the host of the secondary Cisco Prime Infrastructure server. During normal operation (that is, when the primary Cisco Prime Infrastructure server is operational), the database and application data files from the primary server are replicated to the secondary Cisco Prime Infrastructure server. Replication frequency is 11 seconds (for real-time files) and 500 seconds (for batch files).
Failover is the process of activating (automatically or manually) the secondary server in response to a detected failure on the primary server. Health Monitor (HM) detects failure conditions using the heartbeat messages that the two servers exchange. If the primary server does not respond to three consecutive heartbeat messages from the secondary, it is considered to have failed. During the health check, HM also checks the application process status and database health; if these checks do not get a proper response, they are also treated as failures.
When the issues on the server that hosts the primary Cisco Prime Infrastructure server have been resolved, failback can be manually initiated from the Health Monitor page of the secondary Cisco Prime Infrastructure server. When you initiate failback, the Cisco Prime Infrastructure database on the secondary server and any other files that have changed since the secondary server took over Cisco Prime Infrastructure operation are synchronized between the secondary and the primary Cisco Prime Infrastructure servers.
Automatic failover is a much simpler process. The configuration steps are the same except that automatic failover is selected. Once automatic failover is configured, the network administrator does not need to interact with the secondary HM for the failover operation to take place. Only during failback is human intervention required.
Manual failover is the recommended failover mode in a Cisco Prime Infrastructure High Availability deployment. When the secondary Cisco Prime Infrastructure server is configured with manual failover mode, the network administrator is notified through an email that the primary Cisco Prime Infrastructure server has experienced a down condition. The Health Monitor (HM) on the secondary Cisco Prime Infrastructure server detects the failure condition of the primary Cisco Prime Infrastructure server. Because manual failover has been configured, the network administrator needs to manually trigger the secondary Cisco Prime Infrastructure server to take over Cisco Prime Infrastructure functionality from the primary Cisco Prime Infrastructure server. This is done by logging in to the secondary HM. Even though the secondary Cisco Prime Infrastructure server is not running, you can connect to the secondary HM using the following syntax: https://<Secondary_PI_IP_Address>:8082/.
The secondary HM displays messages about the events that it sees. Because manual failover has been configured, the secondary HM waits for the network administrator to invoke the failover process. Once manual failover has been chosen, the message "The Secondary Cisco Prime Infrastructure Server Starts" is displayed. Once the failover process has completed, which means that the Cisco Prime Infrastructure database replication process is complete and the secondary Cisco Prime Infrastructure JVM process has started, the secondary Cisco Prime Infrastructure server is the active Cisco Prime Infrastructure server.
Health Monitor on the secondary Cisco Prime Infrastructure server provides status information on both the primary and secondary Cisco Prime Infrastructure servers. Failback can be initiated through the secondary HM once the primary Cisco Prime Infrastructure server has recovered from the failure condition. The failback process is always initiated manually so as to avoid a flapping condition that can occur when there is a network connectivity problem. More details on how to deploy Cisco Prime Infrastructure 3.0 HA can be found in the Cisco Prime Infrastructure Administration Guide.
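The detection and failover rules described above, modeled as an added Python example. This is a simplified illustration written for this guide, not Cisco's Health Monitor code: the three-consecutive-heartbeats rule, the manual and automatic modes, and the manual-only failback come from the text, while the class and method names are this example's own and the 8082 URL is the guide's placeholder.

```python
from enum import Enum

# Simplified model of the secondary server's Health Monitor (HM). Not Cisco's
# implementation; the rules below are those described in the guide's HA section.
MISSED_HEARTBEATS_TO_FAIL = 3                       # three consecutive unanswered heartbeats
SECONDARY_HM_URL = "https://<Secondary_PI_IP_Address>:8082/"  # placeholder from the guide


class Mode(Enum):
    MANUAL = "manual"        # recommended: operator triggers failover from the secondary HM
    AUTOMATIC = "automatic"  # secondary takes over without operator action


class State(Enum):
    PRIMARY_ACTIVE = "primary active, secondary replicating"
    AWAITING_OPERATOR = "primary failed, waiting for manual failover"
    SECONDARY_ACTIVE = "secondary active (failed over)"


class HealthMonitor:
    """HM on the secondary: counts consecutive unanswered heartbeats to the primary
    and also treats a failed process or database check as a primary failure."""

    def __init__(self, mode):
        self.mode = mode
        self.state = State.PRIMARY_ACTIVE
        self.missed = 0      # consecutive unanswered heartbeats
        self.events = []     # messages the HM would display or e-mail

    def check(self, heartbeat_answered, app_process_ok=True, database_ok=True):
        """One health-check cycle. Returns the resulting HA state."""
        if self.state is not State.PRIMARY_ACTIVE:
            return self.state  # detection only matters while the primary is active
        if heartbeat_answered:
            self.missed = 0    # one answered heartbeat resets the count: misses must be consecutive
        else:
            self.missed += 1
        reasons = []
        if self.missed >= MISSED_HEARTBEATS_TO_FAIL:
            reasons.append(f"{self.missed} consecutive heartbeats unanswered")
        if not app_process_ok:
            reasons.append("application process check failed")
        if not database_ok:
            reasons.append("database health check failed")
        if not reasons:
            return self.state
        reason = "; ".join(reasons)
        if self.mode is Mode.AUTOMATIC:
            self._activate_secondary(reason)
        else:
            self.state = State.AWAITING_OPERATOR
            self.events.append(f"e-mail: primary down ({reason}); "
                               f"log in to {SECONDARY_HM_URL} to fail over")
        return self.state

    def manual_failover(self):
        """Operator-invoked failover from the secondary HM (manual mode only)."""
        if self.state is not State.AWAITING_OPERATOR:
            raise RuntimeError("manual failover is only valid after a detected primary failure")
        self._activate_secondary("operator invoked failover")
        return self.state

    def failback(self):
        """Failback is always manual, in both modes, to avoid flapping on a flaky network."""
        if self.state is not State.SECONDARY_ACTIVE:
            raise RuntimeError("failback requires the secondary to be the active server")
        self.events.append("failback: synchronizing database and changed files to the primary")
        self.state = State.PRIMARY_ACTIVE
        self.missed = 0
        return self.state

    def _activate_secondary(self, reason):
        self.events.append(f"The Secondary Cisco Prime Infrastructure Server Starts ({reason})")
        self.state = State.SECONDARY_ACTIVE
```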
Configuring Cisco Prime Infrastructure Backup
We strongly recommend configuring a proactive backup plan. Backup can be configured by navigating to Administration > Settings > Background Tasks > Prime Infrastructure Server Backup.
You can either use the default repository defaultRepo, or create an external backup repository. Enter credentials for the remote repository and other relevant information and click Submit to create this new remote backup repository.
The data retention settings allow you to specify how long data is stored in Cisco Prime Infrastructure. By default, performance data is stored as short-, medium-, and long-term data for 7, 31, and 378 days, respectively. You can modify these numbers based on the available hard drive space. Navigate to Administration -> Settings -> System Settings and select Data Retention under the General tab to configure data retention.
The following sections explain how to enhance server security by eliminating or controlling individual points of security exposure.
Disable non-secure services that you are not using. For example, TFTP and FTP are not secure protocols. These services are typically used to transfer firmware or software images to and from network devices and Cisco Prime Infrastructure, and to transfer system backups to external storage. We recommend using secure protocols (such as SFTP or SCP) for these tasks.
Administrative users can enable root shell access to the underlying operating system for troubleshooting purposes. This access is intended for Cisco Support teams to debug product-related operational issues. We recommend that you keep this access disabled and enable it only when required. To disable root access, run the command root_disable from the command line.
Using SNMPv3 Instead of SNMPv2
SNMPv3 is a more secure protocol than SNMPv2. You can enhance the security of communications between your network devices and the Cisco Prime Infrastructure server by configuring the managed devices so that management takes place using SNMPv3 instead of SNMPv2.
You can choose to enable SNMPv3 when adding new devices, importing devices in bulk, or as part of device discovery.
Authenticating with External AAA
User accounts and passwords are managed more securely when they are managed centrally by a dedicated remote authentication server running a secure authentication protocol such as RADIUS or TACACS+. You can configure Cisco Prime Infrastructure to authenticate users using external AAA servers.
Importing Client Certificates into Web Browsers
You must import client certificates into your browsers to authenticate while accessing Cisco Prime Infrastructure servers with certificate authentication. Although the process is similar across browsers, the actual details vary with each browser.
Enabling NTP Update Authentication
Network Time Protocol (NTP) version 4 (which authenticates server date and time updates) is an effective setting for hardening server security. Note that you can configure a maximum of three NTP servers with Cisco Prime Infrastructure.
Enabling Certificate-Based OCSP Authentication
You can further enhance the security of Cisco Prime Infrastructure’s interaction with its web clients by setting up certificate-based client authentication using the Online Certificate Status Protocol (OCSP).
With this form of authentication, Cisco Prime Infrastructure validates the web client’s certificate and its revocation status before permitting you to access the login page. Checking the revocation status makes sure that the issuing Certificate Authority (CA) has not already revoked the certificate.
Setting Up Local Password Policies
If you are authenticating users locally, using Cisco Prime Infrastructure’s own internal authentication, you can enhance your system’s security by enforcing rules for strong password selection.
Disabling Individual TCP/UDP Ports
Table 6 lists the TCP and UDP ports Cisco Prime Infrastructure uses, the names of the services communicating over these ports, and the product’s purpose in using them. The “Safe” column indicates whether you can disable a port and service without affecting Cisco Prime Infrastructure’s functionality.
Table 6. Cisco Prime Infrastructure TCP/UDP Ports
Checking Server Security Status
Cisco Prime Infrastructure administrators can connect to the server via CLI and use the show security-status command to display the server’s currently open TCP/UDP ports, the status of other services the system is using, and other security-related configuration information.
Accessing Cisco Prime Infrastructure Through CLI
In normal circumstances, you may not need to access the CLI, but if certain services require it, the Cisco Prime Infrastructure server can be accessed through Secure Shell Protocol Version 2 (SSH2) by the admin user. The admin user is provided with a Cisco IOS Software-like shell, which is the preferred shell for carrying out most operational tasks. The password for this admin user is configured during the initial installation and configuration, as mentioned in the "Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance" section. Please note that the root password prompted for in the install script is only for web access and not for access to the CLI.
How to Enable CLI Root User in Cisco Prime Infrastructure Server
The root user is not enabled by default, but you can enable the root user for the first time using the root_enable command at the admin console. Once the root user is enabled, log out of the admin shell and log in using the root user and the previously defined password for root.
Start/Stop Cisco Prime Infrastructure Services
In normal circumstances, you don’t stop or start PI services. The services will start automatically once installation is complete, and no manual startup of services is required. If there is a need to restart the services for some reason, the following commands may be executed by the admin user from the command-line interface (CLI):
<piserver>/admin# ncs stop - Stops the Cisco Prime Infrastructure server
<piserver>/admin# ncs status - Shows the Cisco Prime Infrastructure server status
<piserver>/admin# ncs start - Starts the Cisco Prime Infrastructure server
Verifying IOPS for Cisco Prime Infrastructure Virtual Machine
Until Cisco Prime Infrastructure 1.x, there was no easy way to verify data store input/output operations per second (IOPS) for the virtual infrastructure. With the addition of the following new command, users can now verify the raw performance before proceeding any further.
<piserver>/admin# ncs run test iops
Testing disk write speed...
8388608+0 records in
8388608+0 records out
8589934592 bytes (8.6 GB) copied, 38.3538 seconds, 224 MB/s
Note: If you run this command when Cisco Prime Infrastructure server is “running”, the results will be really skewed. This test needs to be run after shutting down Cisco Prime Infrastructure server using ncs stop command from the admin shell.
After shutting down ncs, here are the new results:
Pi30/admin# ncs run test iops
Testing disk write speed...
8388608+0 records in
8388608+0 records out
8589934592 bytes (8.6 GB) copied, 27.0878 seconds, 317 MB/s
The recommended value is the result from the command after “shutting down” ncs (ncs stop). Note that the recommended value for the IOPS is 200 MBps.
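An added example, not part of the guide, that parses the output of ncs run test iops shown above and checks it against the 200 MBps recommendation. The two sample outputs are constructed from the runs shown above; the ncs_running flag is an input you supply from your own check of ncs status, since a measurement taken while the server is running is skewed and must not be used.

```python
import re

RECOMMENDED_MBPS = 200.0  # recommended write throughput for the datastore, per the guide

# Summary line of the dd-style output, e.g.
# "8589934592 bytes (8.6 GB) copied, 38.3538 seconds, 224 MB/s"
COPY_LINE = re.compile(
    r"^(?P<nbytes>\d+) bytes \([^)]*\) copied, (?P<secs>[\d.]+) seconds?, "
    r"(?P<rate>[\d.]+) MB/s$"
)

# Sample outputs constructed from the two runs shown in the guide.
RUN_WITH_NCS_RUNNING = """\
<piserver>/admin# ncs run test iops
Testing disk write speed...
8388608+0 records in
8388608+0 records out
8589934592 bytes (8.6 GB) copied, 38.3538 seconds, 224 MB/s
"""

RUN_AFTER_NCS_STOP = """\
Pi30/admin# ncs run test iops
Testing disk write speed...
8388608+0 records in
8388608+0 records out
8589934592 bytes (8.6 GB) copied, 27.0878 seconds, 317 MB/s
"""


def parse_iops_output(text):
    """Return (bytes_written, seconds, reported_mb_per_s) from the command output,
    or raise ValueError if the summary line is missing."""
    for line in text.splitlines():
        m = COPY_LINE.match(line.strip())
        if m:
            return int(m["nbytes"]), float(m["secs"]), float(m["rate"])
    raise ValueError("no 'bytes ... copied' summary line found in output")


def evaluate_iops(text, ncs_running):
    """Judge a test run: recompute the rate from bytes/seconds (dd's MB is 10^6 bytes),
    confirm it agrees with the reported figure, and compare with the recommendation.
    A run taken while ncs was running is parsed but flagged as not a valid measurement."""
    nbytes, secs, reported = parse_iops_output(text)
    computed = nbytes / secs / 1e6
    consistent = abs(computed - reported) <= max(1.0, 0.01 * reported)
    return {
        "reported_mbps": reported,
        "computed_mbps": round(computed, 1),
        "consistent": consistent,
        "valid_measurement": not ncs_running,
        "meets_recommendation": (not ncs_running) and consistent
                                and reported >= RECOMMENDED_MBPS,
    }


if __name__ == "__main__":
    for label, text, running in (("ncs running", RUN_WITH_NCS_RUNNING, True),
                                  ("ncs stopped", RUN_AFTER_NCS_STOP, False)):
        print(label, evaluate_iops(text, running))
```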
Cisco Prime Infrastructure 3.0 Links
● Cisco Prime Infrastructure 3.0 Quick Start Guide
● Cisco Prime Infrastructure 3.0 Administrator Guide
● Cisco Prime Infrastructure 3.0 User Guide
● Cisco Prime Infrastructure 3.0 Release Notes
● Cisco Prime Infrastructure 3.0 Data Sheet
● Cisco Prime Infrastructure 3.0 Supported Devices
● Ports used by Cisco Prime Infrastructure
● Cisco Prime Infrastructure Alarms and Events
● Cisco Prime Infrastructure 3.0 API Reference Guide
● Password Recovery for Cisco Prime Infrastructure
● Cisco Identity Security Engine (ISE)
● Cisco Prime Network Analysis Module (NAM)
● Cisco Application Visibility and Control
● Cisco Prime Infrastructure 3.0 Ordering and Licensing Guide