Cisco Prime Infrastructure 3.0 Deployment Guide

Available Languages

Download Options

PDF (5.5 MB)
View with Adobe Reader on a variety of devices

Updated:February 10, 2016

Document ID:1455139588763425

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Prime Infrastructure Deployment Models. 7

Cisco Prime Infrastructure Form Factors. 7

Server Sizing Matrix. 7

Installing Cisco Prime Infrastructure. 9

Option 1: Installing Cisco Prime Infrastructure on a Physical Appliance. 9

Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance. 9

Accessing Cisco Prime Infrastructure GUI 9

Client Requirements. 9

Logging In to Cisco Prime Infrastructure for the First Time. 10

Licensing. 10

Upgrading Cisco Prime Infrastructure. 11

Migrating Data from Previous Versions. 11

Device Packs and Software Updates. 12

Application Setup. 12

System Setup. 12

Users and User Group Management 12

Connection to Cisco.com... 14

Proxy Settings. 14

Cisco.com Settings. 14

Single Sign On (SSO) 15

RADIUS/TACACS+ Integration. 15

Email Server Settings. 16

Credential Profile. 16

Discovering Your Network. 16

Preparing the Network for Discovery. 17

Discovery Settings. 17

Scheduling Discovery. 18

Quick Discovery. 18

Importing Devices Manually. 18

Data Center Discovery. 19

Validate Discovery. 20

Fixing Credential Errors. 20

Grouping. 21

Device Grouping. 21

Port Grouping. 22

Topology and Maps. 23

Viewing Network Topology. 23

Wireless Planning Tool 23

Wireless Site Map. 24

Create Sites. 25

Import/Edit Maps from WCS/NCS to Cisco Prime Infrastructure. 26

Configuration Management 26

Managing Configuration Archives. 26

Comparing Configuration. 27

Image Management 27

Setting Up Image Management 27

Importing Software Images. 28

Image Distribution. 28

Configuration Templates. 29

Choosing a Configuration Template. 29

Defining Shared Policy Objects. 30

Wireless Controller Configuration. 31

RRM/Clean Air 31

Build RF Profiles. 32

Apply RF Profiles to AP Groups. 33

Automated Deployment 34

Compliance. 35

Prerequisites. 35

Creating Compliance Policy. 35

Creating Policy Profiles. 36

Run Compliance Audit 36

View Violation Summary. 37

PSIRT and EoX Reports. 37

Clients and Users. 38

Client Troubleshooting. 38

ISE Integration. 39

MSE Integration. 40

Monitoring. 41

Monitoring Policies. 41

Viewing Alarms and Events. 42

Configuring Alarm Severity. 43

Customizing Traps and Syslogs. 43

Defining Custom Trap Events. 43

Defining Custom Syslog Events. 44

Forwarding Alarms as Traps to Notification/Trap Receivers. 44

AVC and QoS Configuration. 45

Monitoring Application and Services. 45

Prerequisites. 45

AVC Supported Platforms. 45

Readiness Assessment 45

AVC Configuration. 46

Different Approaches to Enable AVC.. 46

Enabling AVC on Wireless Controllers. 46

Associate Endpoints to Sites. 46

Managing Netflow Data Sources. 46

Viewing AVC Metrics. 47

Classify Unknown Traffic by Defining Custom Application. 47

Updating Application Definitions (NBAR2 Protocol Pack) 48

Multi-NAM Capabilities within Cisco Prime Infrastructure. 48

Netflow Dashlets. 48

Lync Monitoring. 48

Setting Up Microsoft Lync Monitoring. 49

Monitoring Microsoft Lync. 49

PfR Monitoring. 50

Site-to-Site PfR Topology. 51

Comparing WAN Interfaces. 51

Dashboards. 52

Dashboard Customization. 52

Customizing the Dashlet Content 53

Remediation Tools. 53

Wireless Remediation. 53

Wired Remediation. 54

Trigger Packet Capture from Cisco Prime Infrastructure. 54

Manual Packet Capture from Cisco Prime Infrastructure. 54

Automating Packet Capture Using Cisco Prime Infrastructure. 55

Decoding Packet Capture Using Cisco Prime Infrastructure. 55

Reports. 56

REST API 56

High Availability. 56

Prerequisites. 57

Licensing. 57

High-Availability Setup. 57

HA Modes. 57

Failover 57

Failback. 58

Manual/Automatic Options. 58

Automatic Failover 58

Manual Failover 58

Configuring Cisco Prime Infrastructure Backup. 59

Advanced System Settings. 59

Data Retention. 59

Server Tuning. 59

Disabling Insecure Services. 59

Disabling Root Access. 59

Using SNMPv3 Instead of SNMPv2. 59

Authenticating with External AAA.. 60

Importing Client Certificates into Web Browsers. 60

Enabling NTP Update Authentication. 60

Enabling Certificate-Based OCSP Authentication. 60

Setting Up Local Password Policies. 60

Disabling Individual TCP/UDP Ports. 60

Checking Server Security Status. 61

Miscellaneous. 61

Accessing Cisco Prime Infrastructure Through CLI 61

How to Enable CLI Root User in Cisco Prime Infrastructure Server 61

Start/Stop Cisco Prime Infrastructure Services. 61

Verifying IOPS for Cisco Prime Infrastructure Virtual Machine. 61

References. 62

Cisco Prime Infrastructure 3.0 Links. 62

Cisco Product Pages. 62

Ordering and Licensing. 62

Scope

This guide covers the installation, set up, and basic operation of Cisco Prime^™ Infrastructure. For more information, see the “Design overview” section in this guide.

Introduction

Network administrators have a demanding, tedious job overseeing all the devices on a network. To complicate matters, network devices are sometimes added to or removed from the network. As an organization grows, so does the number of devices to be managed. The needs of the network management administrators include:

● Configuration backup and archive—Administrators need to make backup copies of device configurations and store them in a protected location. Performing this task manually is extremely time-consuming and tedious. An automated means of collecting and archiving device configuration files is a valuable aid to network administrators.

● Configuration deployment— Change in the network/services it supports, requires changes to device configurations. This results in manually connecting to and configuring all the affected devices, which can take many hours to make similar, if not identical, changes to device configurations. A means of automating the deployment of such configuration changes, including support for device-specific values, can greatly improve the speed and also the accuracy of updating the network.

● Software image management—A centralized way of viewing the operating system versions running on all the network devices is very helpful, but the administrators also need to get the necessary software images from a trusted source and then to propagate those images to many network devices.

● Monitoring, troubleshooting, and reporting—Running a network requires knowing about the state of the network and the state of individual devices. It also requires notification of events on the network, troubleshooting tools, and an ability to generate reports about many aspects of the network.

Cisco Prime Infrastructure is the one management solution for converged access enterprise-class network. It provides a single pane of glass solution for managing the wired and wireless networks and end-to-end visibility from the branch to the campus and all the way to the data center.

This deployment guide helps to choose the right deployment model and the steps to deploy Cisco Prime Infrastructure to manage the wired and wireless networks using some of the essential network management features.

Overview

Cisco Prime Infrastructure is a sophisticated network management tool that can help support the end-to-end management of the network technologies and services that are critical to the operation of your organization; it aligns the network management functionality with the way that network administrators do their jobs. Cisco Prime Infrastructure provides an intuitive, web-based graphical user interface (GUI) that can be accessed from anywhere from within the network and gives you a full view of a network use and performance.

Cisco Prime Infrastructure provides comprehensive lifecycle management, assurance visibility and troubleshooting capabilities across the network - from the user in the branch office, across the WAN, and to the data center. In essence, it is one management and one assurance for one network.

Cisco Prime Infrastructure lets you manage your network more efficiently and effectively so you can achieve the highest levels of wired and wireless network performance, service assurance, and application-centric end-user experience.

Figure 1 depicts the campus network architecture documented in the Campus Wired LAN Technology Design Guide and Campus Wireless LAN Technology Design Guide. With such a network and the services that it can support, Cisco Prime Infrastructure can play a critical role in day-to-day network operations.

Figure 1. Campus Wired and Wireless LAN Architecture

$Y:\Production\Cisco Projects\C07 Guides (Design, Ordering, Revision, Quick Reference)\C07-736611-00\v1a 040216 1236 vinica\C07-736611-00_Cisco Prime Infrastructure 3 0\Links\C07-736611-00_figure01.jpg$

Design Overview

Prerequisites

Cisco Prime Infrastructure software runs on either a dedicated Cisco Prime Infrastructure appliance or on a VMware ESXi version 5.1 or 5.5 server. The Cisco Prime Infrastructure software image does not support the installation of any other packages or applications on this dedicated platform. You cannot install Cisco Prime Infrastructure on a standalone operating system such as Red Hat Linux, because Cisco Prime Infrastructure is available as a physical or virtual appliance that comes preinstalled with a secure and hardened version of Red Hat Linux as its operating system and bundled with Oracle 11.2.0.

Cisco Prime Infrastructure Deployment Models

● Standalone: Cisco Prime Infrastructure can be deployed as a standalone Physical/Virtual appliance to manage the wired and wireless network infrastructure.

● High Availability (Recommended): The Cisco Prime Infrastructure High Availability (HA) implementation allows one primary Cisco Prime Infrastructure server to failover to one secondary (backup) Cisco Prime Infrastructure server. The secondary server sizing should be larger than or equal to that of the primary server in order to take over Cisco Prime Infrastructure operation, in the event that the primary Cisco Prime Infrastructure system fails. For example, if the primary Cisco Prime Infrastructure server is the Standard OVA, then the secondary Cisco Prime Infrastructure server must be the Standard or Pro OVA.

In Cisco Prime Infrastructure, the only HA configuration supported is 1:1(Active, Standby) i.e., 1 primary system, and 1 secondary system.

● Distributed Deployment: Large or global organizations often distribute network management by domain, region, or country. For reasons of geography, scalability, resilience, or visibility, Cisco customers may deploy more than one instance of Cisco Prime Infrastructure to manage their network. If you’re one of those customers, you also need to manage all those instances together as one.

Cisco Prime Infrastructure Operations Center enables centralized management of multiple Cisco Prime Infrastructure instances. Operations Center streamlines how your administrators access and interact with multiple instances of Cisco Prime Infrastructure. You no longer need to generate reports one by one and manually consolidate results. Nor do you have to check for alarms at each dashboard. These tasks take time and may result in human errors. With Cisco Prime Infrastructure Operations Center, you get easier access to information about the health of your entire network managed by multiple instances.

Cisco Prime Infrastructure Form Factors

Cisco Prime Infrastructure comes in two main forms:

● Virtual: The Cisco Prime Infrastructure virtual appliance is packaged as an Open Virtualization Archive (OVA) file, which must be installed on a user-supplied, qualified VMware ESXi server. This form allows you to run on the server hardware of your choice. You can also install the virtual appliance in any of the four configurations, each optimized for a different size of enterprise network. For hardware requirements and capacities for each of the virtual appliance’s size options, see Virtual Appliance Options.

● Physical: The physical appliance is packaged as a rack-mountable server, with Cisco Prime Infrastructure preinstalled and configured for you. For physical appliance hardware specifications and capacities, see Physical Appliance Options.

Server Sizing Matrix

Table 1 should help users to pick the right OVA size image for Cisco Prime Infrastructure virtual appliance.

Note: Compliance is supported on the Professional virtual appliance (OVA) and the Gen 2 physical appliance based on Cisco UCS^® only.

Table 1. Server Sizing Matrix

Device Type	Express	Express-Plus	Standard	Professional	Hardware Appliance (Gen2)
Network Devices
● Max Unified APs	300	2500	5,000	10,000	20,000
● Max Wired Devices	300	1000	6,000	10,000	13,000
● Max Autonomous Aps	300	500	1500	2500	3,000
● Max NAMs	5	5	500	800	1,000
● Max Controllers	5	25	500	800	1000
● Maximum number of devices (combination of wired and wireless devices)	500	3000	10000	14000	24000
Clients
● Max Wireless (Roaming) Clients	4,000	30,000	75,000	150000	200,000
● Max Changing (Transient) Clients	1,000	5,000	25,000	30000	40,000
● Max Wired Clients	6,000	50,000	50,000	50,000	50,000
● Mobility Services Engine (MSEs)	1	1	6	10	12
Monitoring
● Max Interfaces	12,000	50,000	250,000	250,000	350,000
● Max Net flows Rate (flows/sec)	3,000	3,000	16,000	40,000	80,000
● Max Events (events/sec)	100	100	300	500	1,000
● Max Trap Rate	20	20	60	100	300
● Max Syslog Rate	70	70	210	350	600
● Max NAM Data Polling Enabled	5	5	20	30	40
● Max Polling Interfaces (Polling of trunk ports)	2400	8000	48000	10000	10000
● Max hourly Host Records	144,000	720,000	2,100,000	6,000,000	12,000,000
System
● Max Number of Sites per Campus	200	500	2,500	2,500	2,500
● Max Virtual Domains	100	500	750	750	750
● Max Groups (Total): User-Defined + Out of the Box + Device Groups + Port Groups	50	100	150	150	150
● Max Concurrent GUI Clients	5	10	25	50	50
● Max Concurrent API Clients	2	2	5	5	5

Refer to the Cisco Prime Infrastructure 3.0 Quick Start Guide for the latest sizing information.

Table 2 lists the hardware requirements for the virtual appliance based on wired/wireless scale.

Table 2. Hardware Requirements for Virtual Appliance

Virtual Appliance Size	Virtual CPU	Memory (DRAM)	HDD Size	Throughput (Disk I/O)^**	Max Concurrent Clients/Users	API Clients
Express	4	12 GB	300 GB	200 MB/s	5	2
Express-Plus	8	16 GB	600 GB	200 MB/s	10	2
Standard	16	16 GB	900 GB	200 MB/s	25	5
Professional	16	24 GB	1. 2 TB	320 MB/s	50	5

Note: You can configure any combination of sockets and cores, the product of which must equal the number of virtual CPUs required. For example, if 16 virtual CPUs are required, you can configure 4 sockets with 4 cores, or 2 sockets with 8 cores, etc.

Installing Cisco Prime Infrastructure

Option 1: Installing Cisco Prime Infrastructure on a Physical Appliance

The Cisco Prime Infrastructure 3.0 comes preinstalled on a next-generation Cisco UCS appliance. For some reason, if the physical appliance comes without any software, application may be installed from the ‘.iso’ image (burnt on DVD). The procedure, once the server boots up, will be similar to the ones described for virtual appliance. Use the ‘.iso’ image instead of the ‘.ova’ image, if installing on a Cisco Prime Infrastructure Physical Appliance. For more details, see the Cisco Prime Infrastructure Hardware Appliance Installation Guide.

Cisco Prime Infrastructure Physical Appliance comes with the specifications shown in Table 3.

Table 3. Cisco Prime Appliance Specifications

Physical Appliance

Physical CPU

Memory (DRAM)

HDD Size

Throughput (Disk I/O)

Max Concurrent Clients/Users

API Clients

Cisco Prime Appliance

10 Cores (20 Threads)

64 GB

3600 GB

(8x900 GB RAID10)

320 MB/s

Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance

Cisco Prime Infrastructure is delivered as a virtual appliance or OVA file. OVA files allow you to easily deploy a prepackaged virtual machine (VM) - an application along with a database and an operating system. Please follow the link below for detailed instruction on installing Cisco Prime Infrastructure Virtual Application.

● Before You Begin

● Deploying the OVA from the VMware vSphere Client

● Installing the Server

Accessing Cisco Prime Infrastructure GUI

Client Requirements

Table 4 shows all the supported browsers that can be used to access Cisco Prime Infrastructure. See the Cisco Prime Infrastructure 3.0 Quick Start Guide for the latest client requirements.

Table 4. Client Requirements

Supported Browser	Browser Version	Additional Note
Internet Explorer	10, or 11	No plug-ins are required
Mozilla Firefox	Firefox 35 or later	Latest Firefox version may be used, but it may not be tested depending on when it was released.
Mozilla Firefox ESR	ESR 31, 38
Google Chrome	Chrome 40 or later	Latest Chrome version may be used, but it may not be tested depending on when it was released.

Display resolution—Cisco Prime Infrastructure supports 1366 x 768 or higher, but we recommend that you set the screen resolution to 1600 x 900.

Cisco Prime Infrastructure user interface is based on HTML 5 and removes any dependency on Adobe Flash.

TIP: It is strongly recommended to use a client with at least 4 GB or more. Adding more memory will definitely enhance the end-user experience.

Logging In to Cisco Prime Infrastructure for the First Time

Once the Cisco Prime Infrastructure server has been installed and configured, it is now ready to be accessed from the web. The server URL would be https://server_hostname or https://<ip-address>. To login, use the following credentials for the first time login.

Username: root

Password: <the root password is the one that was entered during the install script>

After the server has been configured, it is advisable to log in with a non-root user to keep the root user for system level configurations as and when needed. More information can be found at Cisco Prime Infrastructure 3.0 Quick Start Guide at Logging into the Cisco Prime Infrastructure User Interface.

Licensing

You can access the lifecycle and assurance features of the newly installed Cisco Prime Infrastructure using the built-in evaluation license that is available by default. The default evaluation license is valid for 60 days for 100 devices. You need to purchase the licenses to continue using Cisco Prime Infrastructure before the evaluation license expires.

License files can be added to Cisco Prime Infrastructure by navigating to Administration > Licenses and Software Updates > Licenses in the GUI.

Figure 2. Adding License Files

Table 5 lists the different licenses available for Cisco Prime Infrastructure.

Table 5. License Types in Cisco Prime Infrastructure

Licenses Types	License Purpose
Base	Required for every Cisco Prime Infrastructure installation and is a prerequisite for all other license types.
Management (Lifecycle, Assurance, APIC-EM/PnP)	Regulates the total number of devices, NetFlow devices under Cisco Prime Infrastructure management.
High Availability	High Availability Right To Use (RTU) License.
Collector	Regulates the total number of NetFlow data flows per second that Cisco Prime Infrastructure can process.
Data Center	Regulates the number of blade servers being managed by Cisco UCS device(s) in Cisco Prime Infrastructure. The license count matches the number of blades or rack units associated with any Cisco UCS device.
Data Center Hypervisor	Regulates the total number of host(s) managed by Cisco Prime Infrastructure management. This license manages Discovery Sources (vCenter) in Cisco Prime Infrastructure.
Operations Center base License	Operations Center base License is required in case of distributed deployment of Cisco Prime Infrastructure and when the customer wants to deploy Operations center to centrally manage the Cisco Prime Infrastructure Instances.
Operations Center Server License	Required to manage the Cisco Prime Infrastructure instances in Operations Center.

Note: Licenses are supplied in either evaluation or permanent form. For more information on Cisco Prime Infrastructure licensing, you can also refer to the Cisco Prime Infrastructure 3.0 Ordering and Licensing Guide.

Upgrading Cisco Prime Infrastructure

Cisco Prime Infrastructure can be upgraded to version 3.0 from the below versions:

● Cisco Prime Infrastructure 2.2.3

● Cisco Prime Infrastructure 2.2.2

● Data Center Technology Package 1.0.0 for Cisco Prime Infrastructure 2.2.1

● Wireless Technology Package 1.0.0 for Cisco Prime Infrastructure 2.2.1

● Cisco Prime Infrastructure 2.2.1

● Cisco Prime Infrastructure 2.2

If your product/version is not in this list, to upgrade to 3.0, you must first upgrade to version 2.2.x at a minimum. For In-line Upgrade, follow the steps listed in the Cisco Prime Infrastructure 3.0 Quick Start Guide.

Note: You cannot upgrade to Cisco Prime Infrastructure 3.0 if you have installed version 2.2.x in FIPS mode.

Migrating Data from Previous Versions

Data migration is supported only from Cisco Prime Infrastructure 2.2.x versions. Follow the data migration steps listed in the Cisco Prime Infrastructure 3.0 Quick Start guide.

Device Packs and Software Updates

Cisco Prime Infrastructure periodically provides critical fixes, device support, and add-on updates that you can download and install by choosing Administration >Licenses and Software Updates> Software Update. Depending on the connectivity and preference, you can install software updates by:

● Downloading updates directly from Cisco.com to the Cisco Prime Infrastructure server. To use this method, Cisco Prime Infrastructure server must be able to connect externally to Cisco.com. For details, see Installing Software Updates from Cisco.com.

● Downloading software update files to a client or server with external connectivity, then uploading them to and installing them on the Cisco Prime Infrastructure server. For details, see Uploading and Installing Downloaded Software Updates.

Figure 3. Device Packs and Software Updates

Application Setup

System Setup

Users and User Group Management

It is not advisable to use the root user to log in for normal purposes. Role based Access control can be enforced by creating new users and assigning them to relevant User groups and Virtual Domain.

Manage User Groups

User groups are synonymous with roles. All the roles except the user-defined roles are preconfigured. User-defined groups can be modified by navigating to Administration > Users > Users, Roles & AAA > User Groups > User Defined #. By clicking the task list, you can perform the following activities:

● Modify other groups and roles.

● Add users.

● See audit trail.

● Export the TACACS+/RADIUS command sets.

User-defined roles can be modified by clicking the User Defined link in Figure 4. Once clicked, all the collapsed user access controls are expanded as shown in the figure. You can select the whole category, for example, Network Configuration, or a few of the options within that category to customize the role. Once the group/role is created, multiple users can then be assigned to that group.

Figure 4. User Group Administration

Manage Users

You can add new users by navigating to Administration > Users > Users, Roles & AAA > Users > Add Users and selecting “Add Users” from the drop-down on the right side. Once you get into the add user workflow, enter the username, password, and local authorization for this user as shown in Figure 5. Map the user to the appropriate Role and assign Virtual Domains. It doesn’t really matter whether you create users or groups first.

Figure 5. User Groups Creation

Virtual Domain

Virtual domains allow you to control who has access to specific sites and devices. After you add devices to Cisco Prime Infrastructure, you can configure virtual domains. Virtual domains are logical groupings of devices and are used to control the administration of the group. By creating virtual domains, an administrator allows users to view information relevant to them specifically and restricts their access to other areas. Virtual domain filters allow users to configure devices, view alarms, and generate reports for their assigned part of the network only.

Virtual domains are organized hierarchically. Subsets of an existing virtual domain contain the network elements that are contained in the parent virtual domain. The “ROOT-DOMAIN” domain includes all virtual domains.

Virtual Domain can be added by navigating to Administration > Users > Virtual Domain.

A virtual domain can also be assigned to the users when you define their roles by selecting the virtual domain on the left side and moving it to the right side as shown in Figure 6.

Figure 6. Virtual Domain

Connection to Cisco.com

Cisco.com connection is required for some of the advanced features such as Smart Interactions (TAC service requests, and support forums), importing software images, Software Update, and many others. It is vital for the Cisco Prime Infrastructure server to be able to connect to cisco.com to pull the data for those reasons. There are two parts to making this work:

● Proxy settings

● Cisco.com user settings

Proxy Settings

If Cisco Prime Infrastructure requires a proxy to connect to internet, you can enter the proxy information by navigating to Administration > Settings > System Settings > Proxy. You can enable proxy settings and enter all the proxy information there. Authentication proxies are also supported in Cisco Prime Infrastructure.

Cisco.com Settings

You can enter your cisco.com credentials at the following places:

● Administration > Settings > System Settings > Inventory > Account Credential

● Administration > Settings > System Settings > General > Support Request

Single Sign On (SSO)

Cisco Prime Infrastructure supports Single Sign on. You can configure more than one SSO server for Cisco Prime Infrastructure. Authentication will fall back to the second SSO server, and so on.

To add SSO servers, navigate to Administration > Users > Users, Roles & AAA > SSO Servers. Select Add SSO servers. SSO Servers settings can be configured by navigating to Administration > Users > Users, Roles & AAA > SSO Server Settings.

Figure 7. SSO Server Settings

RADIUS/TACACS+ Integration

Cisco Prime Infrastructure supports local authentication as well as TACACS+ and RADIUS AAA. To add TACACS+ or RADIUS server, navigate to Administration > Users > Users, Roles & AAA. For Cisco Prime Infrastructure to communicate with the TACACS+ server, the shared secret you enter on this page must match the shared secret configured on the TACACS+ server.

Figure 8. Adding TACACS+ Server

Email Server Settings

Administrators must configure email parameters to enable Cisco Prime Infrastructure to email reports, alarm notifications, and so on. You must configure the primary SMTP server before you can set the email parameters.

Choose Administration > Settings > System Settings > Mail and Notification > Mail Server Configuration.

Credential Profile

Credential profiles are set of device credentials. The credentials provided in a credential profile can include SNMP, Telnet, SSH and HTTP/HTTPS credentials.

Choose Inventory > Device Management > Credential Profiles to add, edit, delete or copy credential profiles. You can apply a credential profile during device discovery, when manually adding a device, or during bulk import of devices.

Figure 9. Creating Credential Profile

Discovering Your Network

Cisco Prime Infrastructure uses and enhances the discovery mechanisms by using protocols such as ping, SNMP (v1, v2c, and v3), Cisco^® Discovery Protocol, Link Layer Discovery Protocol (LLDP), and Open Shortest Path First (OSPF) to discover the network automatically. This section will focus on how best to configure the discovery settings once and to automate the discovery, going forward.

You can add devices to Cisco Prime Infrastructure in one of the following ways:

● Use an automated process

◦ Discovery Settings

◦ Quick Discovery

● Import devices from a CSV file.

● Add devices manually by entering IP address and device credential information.

Preparing the Network for Discovery

Devices must be configured with Cisco Discovery Protocol/LLDP, SNMP (V2, V3), or Telnet/SSH. Advanced protocols OSPF and BGP can also be used.

For successfully managing a device using Cisco Prime Infrastructure, it is crucial that all the essential protocols be defined in the device credential for a given device. The following matrix shows what protocols are needed for various wired and wireless device types.

Device Family	SNMP RW	Telnet/SSH	HTTP
Wireless controllers	ü
Wireless controllers (Cisco IOS^® XE Software)	ü	ü
Access points	ü	ü
Routers/switches	ü	ü
Medianet-capable routers and switches	ü	ü	ü
Network Analysis Module	ü	ü	ü
Third-party devices	ü

These credentials are sufficient to discover wired as well as wireless networks.

Discovery Settings

This method is recommended if you want to specify settings and rerun discovery in the future using the same settings. Discovery settings can be used to have a complete control over the discovery process.

You can specify various protocols, list of seed devices to be used, subnet range, credential profile/credential, and management IP address that needs to be used to discover the network. For various discovery settings supported by Cisco Prime Infrastructure, see the Cisco Prime Infrastructure User Guide.

You can create multiple discovery settings. These specify which protocols are to be used by Cisco Prime Infrastructure while discovering the network. Discovery can be easily accessed from the Getting Started page when you log in for the first time or by navigating to Inventory > Device Management > Discovery.

Select Discovery Settings to create a profile and reuse it for discovering the devices in the future. Now click New in the discovery settings modal pop-up. Discovery Settings window will pop-up, where you can configure all the discovery settings. You will observe that the pop-up is broken down into four sections: Protocol Settings, Filters, Credential Settings, and Preferred Management IP.

You need to select at least one item from Protocol Settings, SNMP and Telnet/SSH from Credential Settings, and Preferred Management IP. You can add your subnets manually or use the Import CSV File button to import all your subnets from a simple CSV file.

After creating discovery settings, you can discover the wired and wireless network. Select the saved discovery settings and click the Run Now button as shown in the figure. Discovery job will be created and status of the discovery job can be monitored in the same page in real time.

Figure 10. Discovery Profile Settings

Scheduling Discovery

In addition to running discovery in real time, you can schedule discovery to run when you want it. Select the required discovery settings and click Schedule. You will get a modal pop to specify the schedule. Scheduling is extremely flexible in Cisco Prime Infrastructure. You can run every x minutes to y years.

Figure 11. Discovery Job Schedule

Quick Discovery

Quick Discovery ping sweeps the network quickly based on the seed IP address you provide and also uses SNMP polling to get details on the devices.

Importing Devices Manually

If the device list and its credentials are maintained in an excel sheet, you have an option in Cisco Prime Infrastructure to import the device list. Navigate to Inventory > Device Management>Network Devices, select Bulk Import. The Bulk import pop-up is displayed as shown in Figure 12.

Figure 12. Bulk Import

TIP: Export the device template using the first “here” link. Use the exported CSV file to populate the device information. This will make sure your import goes through successfully.

Data Center Discovery

Cisco Prime Infrastructure extends coverage to the data center and to the compute infrastructure management supporting inventory, fault, configuration and performance for Cisco UCS B-series blade and C-series rack servers. Integration with VMware vCenter supports monitoring and visualization of virtualized servers and VMware hypervisors operating on Cisco UCS underlay hosts.

VMware vCenter details (Protocol—HTTP/HTTPS, Server—Host Name/IP address of vCenter, Port—443 for HTTPS or 80 for HTTP, User Name/Password—vCenter Credential) are needed to discover the complete inventory of compute resources like data center, cluster, hosts and VMs (Inventory > Device Management >Compute Devices > Discovery Sources- Add Device). You need to add Data Center Hypervisor license for collecting the inventory of VMware vCenter server.

Figure 13. Adding VMware vCenter Details

Compute devices provide a consolidated view of all the devices that provide compute capability within a Data Center. You can manage Cisco UCS devices in the same way other network devices are managed.

You can create user defined Hosts and VMs Sub-groups similar to device groups.

Figure 14. Compute Device Details

Validate Discovery

To validate and view the complete list of devices discovered by Cisco Prime Infrastructure, navigate to Inventory > Device Management>Network Devices to see the entire inventory that has been discovered. The left pane allows you to filter the devices based on the device types or user-defined group that you create.

Figure 15. Discovered Device Inventory

Fixing Credential Errors

At times, you will encounter a few devices that don’t have the SNMP strings or the CLI access that you thought they would have. You can either streamline or change the information on the devices, or if you have another set of credentials for a different subnet, you could add that by creating new credential profile and rerun the discovery. If you have a handful of changes, you can select the particular devices and then click Edit to modify the credentials.

Figure 16. Edit Device Discovery Credential

Figure 17. Device Inventory Status and Credential Verification

Cisco Prime Infrastructure allows the user to export devices with credentials directly from the GUI. Navigate to Inventory > Device Management>Network Devices to view the Export Device as shown in Figure 18.

Figure 18. Export Device Discovery Credential Information

User can export the device credentials, change them using a spreadsheet application, and import them back.

TIP: If you need to change the credentials for devices in bulk, this method can be used to do that.

Grouping

Device Grouping

Cisco Prime Infrastructure provides the following types of grouping:

● Device type groups—By default, Cisco Prime Infrastructure creates rule-based device groups and assigns devices to the appropriate Device Type folder. You cannot edit these device groups. The device type groups are not used for network topology maps.

● Location groups—Create location-based groups. Location groups allow you to group devices by location. You can create a hierarchy of location groups (such as theater, country, region, campus, building, and floor) by adding devices manually or dynamically.

Figure 19. Adding Devices to the Location Group Dynamically

● User defined groups— Allows to create your own device groups. These groups can be static or dynamic.

Figure 20. Device Groups in Cisco Prime Infrastructure

Port Grouping

Port grouping helps the user to simplify monitoring and configuration tasks. Cisco Prime Infrastructure allows you to create groups in addition to the default preconfigured port groups. Port groups creation can be accessed from Inventory>Group Management>Port Groups. If a custom port group needs to be created, you can hover over User Defined and click the (i) icon to access a pop-up menu for adding a new group.

Figure 21. Creating Port Groups

The WAN Interfaces port group is a special preconfigured port group. The interfaces in this group are your WAN interfaces that need to be actively monitored. In order to add WAN interfaces to this group, select all the groups and filter the WAN interfaces based on your interfaces type, IP address, interface description, or any other attributes that are used to denote a WAN interface group. It is highly recommended to populate this group with the WAN interface to get the most out of this application.

Topology and Maps

Viewing Network Topology

Cisco Prime Infrastructure topology maps are based on location groups. Cisco Prime Infrastructure provides a visual map of your network’s physical topology, including the network devices and the links that connect them. You must enable Cisco Discovery Protocol on the devices to visualize the links.

Figure 22. Network Topology Maps

Wireless Planning Tool

Cisco Prime Infrastructure provides a built-in planning tool that can be used by network administrators to determine what is required in the deployment of a wireless network. As part of the planning process, various criteria are inputted in the planning tool. Complete these steps:

1. Specify the AP prefix and AP placement method (automatic versus manual).

2. Choose the AP type and specify the antenna for both the 2.4 GHz and 5 GHz bands.

3. Choose the protocol (band) and minimum desired throughput per band that is required for this plan.

4. Enable planning mode for advanced options for data, voice, and location. Data and voice provide safety margins for design help. Safety margins help design for certain RSSI thresholds, which is detailed in online help. Monitor mode factors in APs could be deployed to augment location accuracy. The location typically requires a denser deployment than data, and the location check box helps plan for the advertised location accuracy.

5. Both the Demand and Override options allow for planning for any special cases where there is a high density of client presence such as conference rooms or lecture halls.

Generated proposal contains these:

● Floor plan details

● Disclaimer/scope/assumptions

● Proposed AP placement

● Coverage and data rate heat map

● Coverage analysis

Wireless Site Map

Cisco Prime Infrastructure site maps represent the geographical locations and physical structures where your organization maintains network assets. Site maps display the physical locations of network devices including wireless access points, client devices like laptops, tablets and mobile phones. It also helps to visualize wireless network coverage, including “heatmap,” which displays of signal strength and quality, the locations of RF interferers, chokepoints, and so on.

Site maps provide a summary view of all your managed systems on campuses, buildings, outdoor areas, and floors. Cisco Prime Infrastructure allows the user to add maps and view their managed system on realistic campus, building, and floor.

The features of Cisco Prime infrastructure site maps are:

● Supports .PNG, .JPG, JPEG, or .GIF formats.

● Automatically converts images like DXF or DWG CAD files, Qualcomm MET files to your choice of PNG, JPG, JPEG, or GIF file formats.

● Automatically resizes the maps to fit the workspace.

● Supports importing Google Earth Maps.

It is recommended not to have more than 100 APs per floor area. If you have monitor mode access points on the floor plan, coverage heatmap excludes monitor mode access points.

Figure 23. Wireless Site Maps: Floor Settings

Create Sites

There are two way of creating sites. You can manually create the sites by navigating to Inventory > Device Management > Network Devices > Device Groups > Select ‘Create Sites’.

Figure 24. Site Creation by User Manually

If your access points follow a very consistent naming convention, you can automatically create a site tree map based on the hostname. Figure 25 shows how a device hostname separated by hyphens can be used as a delimiter to create a site map tree automatically.

Figure 25. Automatic Hierarchy Creation

To create automatic site hierarchies, go to Maps>Wireless Maps > Automatic Hierarchy Creation. Enter the AP Hostname and a suitable regular expression (or generate one as mentioned in the tip below). Click Test to see how the site is created from the hostname. Change the pull-down to map to the appropriate campus, building, floor, device, and so on.

TIP: After entering a sample hostname for an AP, you can click Create basic regex based on delimiter to automatically generate the regular expression.

Import/Edit Maps from WCS/NCS to Cisco Prime Infrastructure

If you have already created sites for the wireless network in a previous version of WCS or NCS, you can export from those applications and import the information into Cisco Prime Infrastructure as well. You can go to Maps > Wireless Maps > Site Maps > Choose File.

Figure 26. Importing Wireless Site Maps

Configuration Management

Managing Configuration Archives

Cisco Prime Infrastructure archives and maintains multiple versions of running and startup configurations. Configuration Archive settings control how Cisco Prime Infrastructure should manage the archives. Configuration archive settings can be configured by navigating to Administration > Settings > System Settings > Inventory > Configuration Archive.

The Basic tab allows users to define protocol order, SNMP timeout, the number of days and the versions to retain, thread pool count, and other such variables. The Advanced tab allows users to define a command to exclude list for each of the device family types.

Figure 27. Configuration Archive Settings

Comparing Configuration

You can use Cisco Prime Infrastructure to view and compare device configurations. To compare configurations, navigate to Inventory > Device Management >Network Devices > Select the device. Select Configuration Archive tab. Select the version of the configuration to compare and select the compare options. Now you can see the color-coded configuration differences instantly as shown in Figure 28.

Figure 28. Configuration Archive

Image Management

Upgrading software image of the devices to the latest version can be error prone and time consuming, if manual process is followed. Cisco Prime Infrastructure simplifies the deployment of software images to one or many devices at the same time by providing plan, schedule, download, and monitor software image update jobs. Cisco Prime Infrastructure provides software image details, lists recommended software images, and deletes software images.

Setting Up Image Management

Cisco Prime Infrastructure provides number of knobs that can be accessed from Administration > Settings >System Settings> Inventory>Image Management. These include team shared cisco.com username/password, job failure handling options, image and configuration protocol options, and so on. You are recommended to set it up initially so that preferred preferences are applied when distributing images on managed devices.

Figure 29. Image Management

Importing Software Images

Cisco Prime Infrastructure allows you to import images to software image library from devices, local file system and by other means.

Figure 30. Import Images

Image Distribution

Images can easily be added to the local repository by choosing Inventory >Device Management >Software Images >Import. Follow the wizard to import images. Images can be deployed to devices by navigating to Inventory>Device Management>Software Image. Select the image from the list (once it has been added to the repository) and click Distribute Images. Once the devices are selected to be upgraded/downgraded, a prerun status is shown, which avoids the job failure in the first place. Click Upgrade Analysis to generate a report on this.

Figure 31. Image Repository

Figure 32. Distributing Selected Image to Device

Configuration Templates

Configuration templates follow design, approve and deploy workflow. When you have a site, office, or branch that uses a similar set of devices and configurations, you can use configuration templates to build a generic configuration that you can apply to one or more devices.

Choosing a Configuration Template

Cisco Prime Infrastructure provides the following types of templates:

● Features and technologies templates - These out-of-the-box templates are specific to a feature or a technology based on CVD or Cisco best practice recommendation. Features and Technologies templates are based on device configuration(s) that focus on specific features or technologies in a device configuration. These templates can configure various wired and wireless features on the devices. One can even customize these templates by duplicating these templates, editing the templates and saving them as your own custom template.

Figure 33. Configuration Templates Features and Technologies

● CLI templates - CLI templates use Cisco IOS Software CLI commands. Cisco Prime Infrastructure supports system defined CLI templates and custom CLI templates.

● System templates - CLI - These are CLI based customizable out-of-the-box templates. You can modify and save it as a new template, but you cannot delete a System Template. In this page, you can import or export any template. You cannot import a template under the system defined folder.

To view the list of CLI templates, choose Configuration > Templates > Features and Technologies > CLI Templates > System Templates - CLI.

● CLI - This is primarily meant for creating custom configuration templates. CLI uses set of reusable device configuration commands with the ability to parameterize select elements of the configuration as well as add control logic statements. This template is used to generate a device deployable configuration by replacing the parameterized elements (variables) with actual values and evaluating the control logic statements. CLI templates are based on Apache velocity template language. CLI templates do not have an option to undeploy.

Figure 34. CLI Templates

● Composite templates - You can create a composite template if you have a collection of existing feature or CLI templates that you want to apply collectively to devices. You specify the order in which the templates contained in the composite template are applied to devices. If you have multiple similar devices replicated across a branch, you can create and deploy a "primary" composite template to all the devices in the branch. This primary composite template can also be used later when you create new branches.

To create composite template, choose Configuration > Templates > Features and Technologies > Composite Templates > System Templates – Composite

Figure 35. Composite Template

Defining Shared Policy Objects

Policy objects enable you to define logical collections of elements. They are reusable, named components that can be used by other objects and policies. They also eliminate the need to define a component each time that you define a policy.

Interface roles configuration allows you to group a set of interfaces according to a set of rules and apply the AVC configuration for that group of interfaces. Navigate to Configuration -> Templates -> Shared Policy Objects. Select Interface Role. Create the new interface roles.

Figure 36. Shared Policy Objects

Wireless Controller Configuration

You can use the system templates to configure the wireless controllers. Another way to achieve this along with other benefits is by means of controller configuration groups. Configuration groups are an easy way to group controllers logically. This feature provides a way to manage controllers with similar configurations. You can first create templates to configure different features and apply them to a particular configuration group. Templates can be also extracted from existing controllers to provision new controllers. Configuration groups can also be used to schedule configuration sets from being provisioned. Controller reboots can also be scheduled or cascaded depending on operational requirements. Mobility groups, Dynamic Channel Assignment (DCA), and controller configuration auditing can also be managed using configuration groups.

Figure 37. WLAN Configuration

Configuration groups are used for grouping sites together for easier management (mobility groups, DCA, and regulatory domain settings) and for scheduling remote configuration changes. Configuration groups can be accessed from Configuration > Templates > Controller Configuration Groups.

RRM/Clean Air

RF profiles and groups are supported in Cisco Prime Infrastructure for both RF profile creation templates and AP group templates. If you use Cisco Prime Infrastructure to create the RF profiles through the creation of templates, this gives the administrator a simple way to create and apply templates consistently to groups of controllers.

Build RF Profiles

Cisco Prime Infrastructure provides two ways for building or managing an RF profile. Navigate to Configuration > Network > Network Devices > Select a controller and click Configuration tab and choose 802.11 > RF Profiles in order to access profiles for an individual controller.

Figure 38. RF Profiles

Figure 39 displays all the RF profiles currently present on the chosen controller and allows you to make changes to profiles or AP group assignments.

Figure 39. RF Profile Template

When you create a new profile, Cisco Prime Infrastructure prompts you to choose an existing template. When accessing the first time, you are directed to the Template Creation dialogue for an 802.11 controller template.

Figure 40. Features and Technologies RF Profile Template

Also, you can choose Configuration> Templates > Features & Technologies > Controller > 802.11 > RF Profiles (see Figure 41) to navigate to the controller template launch pad directly.

In both cases, a new RF profile is created in Cisco Prime Infrastructure through the use of a template. This is a recommended method, since it allows the administrator to use the workflow of Cisco Prime Infrastructure and apply templates and configurations to all or select groups of controllers and reduce configuration errors and mismatches.

Apply RF Profiles to AP Groups

New RF profiles can be applied to a controller through the use of AP groups they are assigned to. Choose Configuration > Templates > Features & Technologies > Controller > WLANs and choose AP Groups as shown in Figure 41.

Figure 41. Select an AP Group and RF Profile

In Cisco Prime Infrastructure, you can choose the Venue Group tab to add venue information as well. (See Figure 42.)

Figure 42. Venue Group

When you save the template, a warning message may appear. Changing the interface that the assigned WLAN uses disrupts the VLAN mappings for FlexConnect APs applied in this group. Make sure that the interface is the same before you proceed. Choose Deploy.

Choose the controllers to which the template needs to be applied as shown in Figure 43.

Figure 43. Choose Controllers

Only those access points attached to the controllers where the AP group was deployed successfully with the RF profiles applied (click the Apply to Access Points) are available to select from.

Note: Until this point, no real changes were made to the RF infrastructure, but this changes when APs that contain new RF profiles are moved into the group. When an AP is moved into or out of an AP group, the AP reboots to reflect the new configuration.

Choose the APs you want to add to the AP group and click OK. A warning message appears. Cisco Prime Infrastructure displays the status of the change.

Automated Deployment

Cisco Prime Infrastructure helps automate the deployment of new devices on the network by obtaining and applying the necessary software image and configuration on a new network device. Using features such as Cisco Network Services (CNS) call-home, APIC-EM (Application Policy Infrastructure Controller) call-home and Cisco IOS Software auto-install (which uses DHCP and TFTP), Cisco Prime Infrastructure reduces the time a new device takes to join the network and become functional.

The Plug and Play feature of Cisco Prime Infrastructure allows you to create templates to define features and configurations that you can reuse and apply to new devices. You can streamline new device deployment by creating bootstrap templates, which define the necessary initial configuration, to communicate with Cisco Prime Infrastructure. You can specify (and predeploy) software images and configurations that will be added to the devices in the future. See the Cisco Prime Infrastructure User Guide for detailed steps using automated deployment.

Compliance

Cisco Prime Infrastructure allows to define device configuration baselines and audit policies which help to identify and fix any device configuration deviations from the baseline. You can schedule a compliance audit job against multiple devices and get an audit report that indicates if any configurations deviate from the specified baseline.

Prerequisites

Compliance Baseline Audit is available when Cisco Prime Infrastructure is deployed using either of the below options:

● Professional OVA Virtual appliance

● Cisco Unified Computing System^™ (Cisco UCS) Gen 2 physical appliances

By default, Compliance Service feature is disabled. To enable compliance auditing, choose Administration > Settings > System Settings > General >Server, then enable Compliance Service (see Figure 44).

Figure 44. Enabling Compliance Service in Cisco Prime Infrastructure 3.0

Cisco Prime Infrastructure server will have to be restarted for the changes to take effect. No additional licenses are required to use the compliance baseline audit feature.

Creating Compliance Policy

A Compliance policy is a set of conditional rules required to validate against your network devices’ configuration. You can use the predefined policies or choose to create their own policies.

In order to create a new compliance policy, navigate to Configuration > Compliance > Policies. Click Add (+) button to create Compliance Policy, and enter a name for the Policy.

Upon policy creation, you can define one or more conditional rules for each compliance policy. Refer to the Cisco Prime Infrastructure User Guide for more details on the rule inputs and parameterization of user inputs.

Figure 45. Compliance Policies

Creating Policy Profiles

Once compliance policies have been defined, group one or more policies under a Compliance Profile. Profiles are sets of one or more policies, intended as a unit of comparison against the network device configurations.

Follow the below steps to create policy profile.

Browse to Configuration > Compliance > Profiles and add a new profile.

● Once profile is created, use the Compliance Policy selector to select the desired policies, from the system‑defined or user-defined policies to be grouped.

● Multiple policies can be selected and grouped.

● For each compliance policy, you have an option to use one or more of the rules defined.

Figure 46. Compliance Policy Profile

Run Compliance Audit

Once a policy profile is created by grouping the compliance policies, compliance baseline auditing can be performed. Follow the below steps to run the compliance audit job.

● Choose Configuration > Compliance > Profiles, select a profile and click Run compliance Audit icon (lightning bolt icon).

● Select the devices to be audited and the corresponding configuration to be checked (use latest archived configuration or use current configuration).

● Specify the desired job scheduling and recurrence (standard Cisco Prime Infrastructure job framework selection options are available).

Compliance Job Dashboard lists the compliance audit jobs as well as violation fix jobs. To view the details of a job result, Click Last Run Result. Results may be exported in PDF and CSV formats.

● You can view details of “Violations by Device” and select the specific fixes to be included in a Fix Job, along with an option to preview the Fix CLI.

Figure 47. View Compliance Audit Job

View Violation Summary

Violations raised during the compliance audit, can be viewed under Compliance > Jobs > Violation Summary. Violation summary can also be exported in PDF and CSV formats.

Figure 48. Violation Summary

PSIRT and EoX Reports

Cisco Prime Infrastructure helps to determine if any managed devices in the network have any security vulnerabilities as identified by the Cisco Product Security Incident Response Team (PSIRT). The report also includes documentation about the specific vulnerability that describes the impact of vulnerability and any potential steps needed to be applied.

Cisco Prime Infrastructure also gives you an option to run a report to determine if any Cisco device hardware or software in the network has reached its end of life (EOX). This can help determine the product upgrade and substitution options.

Browse to Reports>Reports> PSIRT and EOX.

Figure 49. PSIRT Reports

Figure 50. EoX Reports

Clients and Users

All clients (wired and wireless) available in the network and discovered by Cisco Prime Infrastructure are displayed in the Clients and Users page (Monitor -> Monitoring Tools -> Clients and Users).

Figure 51. Clients and Users

Wired clients display AP name as N/A. Switch port information is provided in interfaces column, as shown in Figure 51.

Client Troubleshooting

Cisco Prime Infrastructure also provides monitoring and troubleshooting for wired and wireless clients. SNMP is used to discover clients and collect client data. Cisco Identity Service Engine (ISE) is polled periodically to collect client statistics and other attributes to populate related dashboard components and reports. In order to launch the client-troubleshooting tool, select the client, and click Troubleshoot.

Figure 52. Client Troubleshooting Tool

Log messages can be retrieved from the controller using the use of the Log Analysis tool, as shown in Figure 53.

Figure 53. Debug Client Issues

Event history tool and Test analysis (CCX5 clients) tools can also be used for wireless client troubleshooting. Cisco Prime Infrastructure can also be used for troubleshooting wired clients.

Cisco Prime Infrastructure manages the wired and the wireless clients in the network. You can get enhanced information using the Cisco Identity Services Engine (ISE) or Cisco Secure Access Control (ACS) View servers or Cisco Mobility Services Engine (MSE). Hence, Cisco Prime Infrastructure provides a complete visibility of users and managed clients.

ISE Integration

When Cisco ISE is used as a RADIUS server to authenticate clients, Cisco Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to be visible in a single console.

You can get enhanced information about managed clients using the Cisco ISE.

If Cisco Prime Infrastructure is integrated with an ISE server (to access endpoint information), you can:

● Check the endpoint type.

● One can identify possible problems with the end user’s authentication and authorization for network access.

● View the bandwidth utilization for wired clients.

Note: Cisco Prime Infrastructure displays ISE Profiling attributes only for authenticated endpoints.

A maximum of two ISEs can be added to Cisco Prime Infrastructure. If you add two ISEs, one should be primary and the other should be standby. When you are adding a standalone node, you can add only one standalone node and cannot add a second node.

To add an Identity Services Engine, browse to Administration -> Servers -> ISE Servers.

From the Select a command drop-down list, choose Add ISE Server, then click Go. Complete the required fields, then click Save.

Figure 54. Identity Services Engine

Note: The credentials should be superuser credentials local to ISE. Otherwise, ISE integration does not work.

MSE Integration

Cisco Prime Infrastructure when integrated with Cisco Mobility Service Engine can provide a single unified view by extracting location and posture information of managed clients. WIPS profiles can also be deployed.

You can add an MSE by navigating to Services -> Mobility Services -> Mobility Services Engines. Select Add Mobility Services Engine from the command drop-down list, and click Go.

In this dialog box, you can add licensing files, tracking parameters, and assign maps to the MSE. If you launch the wizard with an existing MSE for configuration, then the Add MSE option appears as Edit MSE Details.

Figure 55. Mobility Service Engine

For detailed information on MSE, see the Cisco Prime Infrastructure User guide.

Monitoring

Monitoring Policies

Cisco Prime Infrastructure uses monitoring policies to monitor devices against the thresholds you specify. When the thresholds that you specify are reached, Cisco Prime Infrastructure issues an alarm.

By default, Cisco Prime Infrastructure polls:

● Device health metrics on supported routers, switches and hubs. Storage devices and Cisco UCS series devices are not monitored by the default health policy.

● Port group health metrics.

● Interface health metrics on WAN interface groups, AVC, and Cisco UCS.

Note: Cisco Prime Infrastructure uses monitoring policies only for wired devices.

Choose Monitor -> Monitoring Tools -> Monitoring Policies -> Auto monitoring. Cisco Prime Infrastructure polls SNMP objects to gather monitoring information for the device and interface parameters.

Figure 56. Auto Monitoring

You can add new monitoring policies to monitor network device metrics and alert you of changing conditions before the issues impact their operation. Choose Monitor > Monitoring Tools > Monitoring Policies > My Policies. Then click Add. We can select the Policy Types, and configure the parameters and thresholds, and click “Save and Activate” to activate the policy on the selected devices.

Figure 57. Monitoring Policy

Cisco Prime Infrastructure displays the summary information in several different dashboards that contain graphs and visual indicators. Overview dashboards displays dashlet specific to network device summary graph, system health, interface health metrics, Top N CPU and memory utilization, etc.

Viewing Alarms and Events

Alarms and events provide a single page view of all alarms and events for wired and wireless infrastructure. Alarms can be viewed by navigating to Monitor > Monitoring Tools > Alarms and Events.

Almost all of the tables in Cisco Prime Infrastructure have a quick filter widget. This quickly allows you to filter through the table, especially when there are many rows involved. This is very useful with alarms and events or clients and users. Figure 58 shows different quick filtering options available for you.

Figure 58. Quick Filter

The Advanced Filter, as the name implies, allows you to filter on the content with complex rules. These filters can be saved for one-click use, the next time they are needed.

Figure 59. Advanced Filter

Configuring Alarm Severity

Choose Administration -> Settings -> System Settings to change the alarm’s default severity level. Under Alarms and Events section, select Alarm Severity and Auto Clear. Select the Event type and click Severity Configuration. From the Configure Severity Level drop-down list, choose a severity level.

Figure 60. Severity Configuration Page

Customizing Traps and Syslogs

Defining Custom Trap Events

Cisco Prime Infrastructure recognizes additional traps and helps to customize and create events and alarms for these traps. You can specify a trap notification name, specify the event severity, and message to use when the specified trap is received. Cisco Prime Infrastructure creates an event with the settings you specify. Choose Monitor -> Monitoring Tools -> Alarms & Events.

Figure 61. Adding Custom Trap Event

In Events tab, click Custom Trap Events. Click Add in the Custom Trap Events window, and select a MIB, Notification Name, and mention the default severity level, and then click OK.

Cisco Prime Infrastructure creates a new event type and alarm condition for the specified trap.

Defining Custom Syslog Events

You can enable Cisco Prime Infrastructure to create events for particular syslog. You can specify a syslog message identifier, and specify the event severity and message to use when the specified syslog is received. Cisco Prime Infrastructure creates an event with the settings you specify.

Choose Monitor -> Monitoring Tools -> Alarms & Events. In the Syslog tab, click Custom Syslog Events. Click Add and complete all the required fields, and click OK.

Figure 62. Adding Custom Syslog Event

Forwarding Alarms as Traps to Notification/Trap Receivers

Notification receivers can be configured, which supports North Bound access and guest access. Alerts and events are sent as SNMPv2 and SNMPv3 notifications to the configured notification receivers. You can add and remove notification receivers from Administration > Settings > System Settings > Alarms and Events > Notification Receivers.

Figure 63. Notification Receivers

AVC and QoS Configuration

Monitoring Application and Services

Network administrators need to gain visibility into applications running on the network and their performance, and to see the different types of traffic and their performance in greater detail. They should be able to quickly isolate and troubleshoot application performance issues. They can define policies to control and tune the performance of the different applications. Service assurance dashboards in Cisco Prime Infrastructure help to provide a granular and detailed view of assurance features.

The Cisco Application Visibility and Control (AVC) is a solution which offers application awareness in the network. AVC incorporates application recognition and performance monitoring capabilities. When coupled with network management tools, AVC provides a powerful and pervasive integrated solution for discovering and controlling applications within the network.

Prerequisites

● Make sure that the devices on which you have to enable AVC are fully managed (In Device Work Center).

● Make sure that the sites/location based groups are created and the endpoints (devices) that need to be monitored are associated with corresponding sites.

● Interface role (Shared Policy Objects) should be created for the wired devices, before using the AVC template.

AVC Supported Platforms

Platforms	Minimum Software version required
ASR 1000	15.3(1)S1 and later
ISR G2	15.2(4)M2 and later
ISR 4451-X	15.3(2)S
CSR 1000	15.3(2)S
WLC	7.4

Readiness Assessment

Readiness assessment allows you to analyze the routers in your network and determine whether these devices are capable of running AVC.

Choose Services -> Application Visibility and Control -> Readiness Assessment.

Figure 64. Readiness Assessment

The table view provides all the relevant information for the devices and also suggests whether these devices are AVC capable or not. It provides recommendations for AVC capable devices to make them AVC configurable.

AVC Configuration

Different Approaches to Enable AVC

There are three different approaches to enable AVC on routers.

● Use the one-click option to enable it on a single or multiple interface of a router, if this is your first time with AVC.

● Use the template option to enable AVC on multiple devices based on the interface role.

● Enable AVC on multiple interfaces and multiple devices for which you could use the location- and device-based filters. This method will also allow you to configure QoS if needed. See the AVC Solution Guide for more details.

Enabling AVC on Wireless Controllers

Feature design templates in Cisco Prime Infrastructure can be used to enable AVC on the controllers. You will first need to create an exporter configuration template followed by creating a monitor template mapping the exporter template and deploy the monitor template on the controllers. See the AVC Solution Guide for more details.

Associate Endpoints to Sites

Now that you have created all the sites where your network equipment is staged, it is time to map those sites to their respective subnets, data sources, and VLANs. This allows Cisco Prime Infrastructure to see the traffic flow, especially when it comes to application performance. In order to create an endpoint, you can navigate to Services >Application Visibility & Control > Endpoint Association. Figure 65 shows how various sites are mapped to their subnets. In addition to the subnet mask, you can also specify the default data source desired for that site.

Figure 65. Endpoint Association

Managing Netflow Data Sources

Cisco Prime Infrastructure can collect NetFlow from data sources directly. In case of Cisco Prime Network Analysis Module (NAM), Cisco Prime Infrastructure collects all the information from the NAM natively.

To view all the data sources exporting NetFlow to Cisco Prime Infrastructure, navigate to Service -> Application Visibility & Control -> Data Sources. The Device Data Sources lists all the devices that are actively sending NetFlow data to Cisco Prime Infrastructure. The NAM Data Collector lists all the NAMs that have been discovered or added to the inventory. You can select a NAM and enable/disable data collection from them.

Figure 66. Data Sources

Viewing AVC Metrics

Cisco Prime Infrastructure shows performance related metrics for applications in the following dashboards:

● Dashboard -> Overview -> Service Assurance

● Services -> Application Visibility and Control -> Service Health

● Dashboard -> Performance (all of the dashboards)

Classify Unknown Traffic by Defining Custom Application

Cisco Prime Infrastructure helps to define custom applications that you can deploy on the device and let Cisco Prime Infrastructure monitor these applications. Choose Services -> Application Visibility & Control -> Applications and Services and click Create.

Figure 67. Application and Services

Provide an application name and the selector ID. Select the Business Critical check-box if you would like this custom application to be marked so.

Updating Application Definitions (NBAR2 Protocol Pack)

NBAR2 Protocol packs can be uploaded to Cisco Prime Infrastructure to recognize any new applications. Choose Services -> Application Visibility & Control -> NBAR2 Protocol Pack Management. Using the Import option, you can update the protocol pack.

Multi-NAM Capabilities within Cisco Prime Infrastructure

Cisco Prime Infrastructure can serve as a central manager of managers (MoM) if multiple NAMs are deployed in the network. Some of the functionality that Cisco Prime Infrastructure can help with includes:

● Centralized monitoring of NAM health.

● Deploying configurations to multiple NAMs using the CLI configuration templates.

● Upgrading NAMs using software image management capabilities.

● Using one-click packet capture from multiple NAMs based on a capture policy.

● Proactively capturing packets using threshold breaches.

All of these allow you to use Cisco Prime Infrastructure to effectively manage the NAMs, thus making it a very good and stable data source for application visibility.

Netflow Dashlets

The following table lists the dashlets which help in monitoring the Netflow data in Cisco Prime Infrastructure.

Grouping of Dashlets

Dashlet Names

Site Specific Dashlets

Application Usage Summary

Top N Application Groups

Top N Applications

Top N Applications with Most Alarms

Top N Clients (In and Out)

Top N VLANs

Application Specific Dashlets

Application Configuration

Top N Applications

Top Application Traffic over Time

DSCP Classification

IP Traffic Classification

Client Conversations

Top N Clients (In and Out)

Client Traffic

Number of Clients over Time

Lync Monitoring

Cisco Prime Infrastructure can monitor the Microsoft Lync traffic in your network. It processes and filters Microsoft Lync quality update messages and aggregates Microsoft Lync calls. You can view volume trends over time and get a summary of call types, including filtering based on time and location groups. You can also view individual calls and troubleshoot individual call streams.

Setting Up Microsoft Lync Monitoring

Cisco Prime Infrastructure must be registered as a receiver of Microsoft Lync data in order to monitor and provide a centralized view of how Microsoft Lync is deployed in your network.

On your Microsoft Lync SDN server, edit the LyncDialogListener.exe.config file to add the following lines. The LyncDialogListener.exe.config file is located in the Lync SCN API installation directory at the following default location: C:\Program Files\Microsoft Lync Server\Microsoft Lync SDN API.

<add key=“submituri” value=“https://PI_server_name/webacs/lyncData”/>

Where https://PI_server_name is the name of your Cisco Prime Infrastructure as specified in the Trusted Root Certification Authorities certificate.

<add key= “clientcertificateid” value=“value”/>

Where value is the certificate value of your Cisco Prime Infrastructure server as specified in the Trusted Root Certification Authorities certificate.

Alternately, if you use the Microsoft SDN interface to enter your Cisco Prime Infrastructure server details, you must accept the SSL certificate in order to enable XML communication over secure HTTP. After you register Cisco Prime Infrastructure as a receiver of Microsoft Lync data, all Microsoft Lync details are sent to Cisco Prime Infrastructure.

Monitoring Microsoft Lync

To monitor Microsoft Lync data, browse to Services -> Application Visibility & Control -> Lync Monitoring. Colored bars represent the different call types and the respective call volume over the specified time period. The Lync Conversations table lists the aggregated conversations for the call type you select from the bar chart. Click the arrow next to a Caller to expand and view the details of that conversation, from the Caller to the Callee.

Cisco Prime Infrastructure displays the call metrics for the selected conversation.

Figure 68. Lync Monitoring

PfR Monitoring

Performance Routing (PfR) monitors network performance and selects the best path for each application based on advanced criteria such as reachability, delay, jitter and packet loss. PfR can evenly distribute traffic to maintain equivalent link utilization levels using an advanced load balancing technique.

PfR Version 3 (PfRv3) is an intelligent path control of the IWAN initiative and provides a business-class WAN over internet transports. PfR allows customers to protect critical applications from fluctuating WAN performance while intelligently load balancing traffic over all WAN paths.

Cisco IOS Software PfR makes real-time routing adjustments based on application criteria such as response time, packet loss, jitter, path availability, interface load, and circuit cost minimization.

Browse to Services -> Application Visibility & Control -> PfR Monitoring. The PfR landing page includes Site to Site PfR Events table, a filter panel, Metrics panel (Metrics Crossing Thresholds versus Service Provider(s)), and a time slider.

Figure 69. PfR Monitoring

The Metrics panel displays the metrics gathered using the TCA, as charts. Each service provider is represented by a unique color in the chart. The charts available in the Metrics panel are:

● Unreachability over time

● Maximum Delay over time

● Maximum Jitter over time

● Maximum Packet loss% over time

The Site to Site PfR events table displays site to site PfR events including Threshold Crossing Alert (TCA), Route change (RC) and Immitigable event (IME). The PfR events that occurred over last 72 hours are displayed, by default.

Site-to-Site PfR Topology

The site to site topology consists of nodes representing border router, primary controller, and service provider. The egress and ingress orange links represent the WAN link connectivity between border routers and service provider, and blue links connect the border router and primary controller.

Click a node to view the device metrics pop-up window from where you can navigate to the corresponding device context page. Click a link to view the link metrics pop-up window from where you can navigate to the link context page. Click Launch Interface Dashboard in the Link Metrics pop-up window to view the Interface dashlets in the Performance dashboard.

Figure 70. Site-to-Site PfR Topology

Comparing WAN Interfaces

The Compare WAN Interfaces page shows the WAN link usage and performance of the selected WAN interfaces. This compares the Egress Bandwidth (B/W) usage, number of TCAs, RCs and IMEs occurred and number of applications routed, for the selected WAN Interfaces.

Figure 71. Comparing WAN Interfaces

Dashboards

Cisco Prime Infrastructure user interface is based on HTML5, which makes the application tablet friendly. Flash is removed from the product.

Dashboard Customization

Easy visualization and customization of data views is possible in Cisco Prime Infrastructure. There are two different ways of customizing the dashboards:

● Adding your own dashboard in addition to the existing dashboards.

● Adding/moving dashlets (also known as portlets) from one dashboard to another.

Navigate to any of the existing dashboards under Dashboards menu. Use the Settings in the top right corner of the dashboard to add new dashboard. A new dashboard will be created under the current dashboard tree. A new tab is reflected immediately.

Figure 72. Add Dashboard

The next step is to populate the new dashboard that you created with dashlets. There are about 50 preconfigured dashlets that you can use for various dashboards.

Figure 73. Add Dashlet

A new dashlet can be added to the dashboard where you want it to appear. Use the Add Dashlet(s) from the Settings to view the list. Once you see the list of dashlets, you can add the appropriate Dashlet to the dashboard.

Customizing the Dashlet Content

Figure 74. Dashlet Customization

We can customize the dashboard and also the content within the dashlets. You can select the pencil icon in the title bar of any dashlet to customize the dashlet content. This will expose all the configurations that can be tweaked for a given dashlet. You can use the various options available to select and configure as needed. Each dashlet has its own configuration parameters. Once you are done, click Save and Close to view the data.

Remediation Tools

Wireless Remediation

The following tools available within Cisco Prime Infrastructure may be used in order to remediate wireless issues:

● Cisco CleanAir

● Client Troubleshooting

● AP Troubleshooting

● Audit Tool

● Security Dashboard

● Switch port Tracing (SPT)

● Contextual device 360-degree views for easy access to assorted tools:

◦ Ping

◦ Traceroute

◦ Cisco Discovery Protocol Neighbors

◦ WLAN and SSID information

◦ Active AP and client count

Apart from these key tools, you can find more tools by navigating to “Monitor > Wireless Technologies” or “Monitor > Tools”.

Wired Remediation

The following tools within Cisco Prime Infrastructure can be used to remediate wired issues:

● Wired Client Troubleshooting

● Ad Hoc and Automated Packet Capture

● Device Work Center

● Contextual device 360-degree views for easy access to assorted tools:

◦ Ping

◦ TraceRoute

◦ Cisco Discovery Protocol Neighbors

◦ Config Diffs

◦ Inventory Details

◦ Network Audits

◦ Support Forums

Figure 75. Device 360 Views

Trigger Packet Capture from Cisco Prime Infrastructure

Cisco Prime Infrastructure provides a very flexible solution for capturing packets throughout your network. You can either manually trigger a packet capture or automatically specify the capture based on some advanced parameters, so that it will be triggered once a threshold level is breached. In both of these solutions, packets can be captured locally on the NAM or they can be stitched from multiple NAMs and stored in Cisco Prime Infrastructure. Packet captures can also be triggered on the ASR 1Ks.

Manual Packet Capture from Cisco Prime Infrastructure

In order to do an ad hoc packet capture, you can navigate to Monitor > Tools > Packet Capture> Capture Sessions. In order to create a new profile, click Create and fill in all the criteria for capturing a particular traffic. If you need to capture a particular type of traffic all the time, it may be a good idea to proactively create those profiles and test them before automating them, as described in the next section.

Figure 76. Packet Capture Session

Automating Packet Capture Using Cisco Prime Infrastructure

There are times when you want to capture packets based on a trigger. There is no way to anticipate the time of the trigger. For example, if you are trying to meet the SLA for AvgRespTime for an application, you may want to start the packet capture if the response time exceeds the predefined time. You can easily achieve this by combining threshold and packet capture in Cisco Prime Infrastructure. Navigate to Monitor > Monitoring Tools > Monitoring Policies > Add > Traffic Analysis. By clicking on threshold template, you can create a new instance from it. In order to change any of them, simply select that row and edit the threshold as shown in Figure 77. You can see that we have chosen to alert and start capturing SharePoint traffic if the AvgRespTime exceeds the default value.

Figure 77. Automate Packet Capture

Decoding Packet Capture Using Cisco Prime Infrastructure

Once the packets are captured, there are two options to decode them. The easiest way is to select the packet capture session and click Decode from the Packet Capture homepage (Monitor > Tools > Packet Capture). The capture decode is shown in a pop-up window, which makes it extremely easy to evaluate each and every packet.

You could also click Export and the .pcap file will be downloaded directly on the client PC. This is useful if you need to perform advance troubleshooting on the capture decode. There is a dimmed Merge button between the Decode button and the Export button, which can be used to merge the .pcap files if more than one file is selected.

TIP: If the capture file is not very large (that is, not on the order of GB), it makes sense to decode it in Cisco Prime Infrastructure instead of jumping over to the NAM. Otherwise, you should use NAM instead of Cisco Prime Infrastructure for decoding very large capture files.

Figure 78. Packet Capture

Reports

Wide variety of preconfigured reports can be used for up-to-date information on the network, including detailed inventory, configuration, compliance, audit, capacity, and end of sale, security vulnerabilities, and many more. Reports can be scheduled or run immediately, emailed, or saved as PDFs for future viewing purposes. Composite reports help to group multiple reports. Navigate to “Reports > Report Launchpad” to generate various reports.

Figure 79. Report Launch Pad

REST API

Cisco Prime Infrastructure R/W REST APIs can be used to integrate with any in-house OSS systems. For details, see the REST API documents in the Cisco Prime Infrastructure 3.0 API Reference Guide.

High Availability

The Cisco Prime Infrastructure High Availability (HA) implementation allows one primary Cisco Prime Infrastructure server to failover to one secondary (backup) Cisco Prime Infrastructure server. A second server is required that has sufficient resources (CPU, hard drive, network connection) in order to take over Cisco Prime Infrastructure operation in the event that the primary Cisco Prime Infrastructure system fails. In Cisco Prime Infrastructure, the only HA configuration is supported is 1:1 - 1 primary system, 1 secondary system.

Prerequisites

The size of the secondary server must be larger than or equal to that of the primary server; for example, if the primary Cisco Prime Infrastructure server is the Express Plus OVA, then the secondary Cisco Prime Infrastructure server must be the Express Plus or larger.

The primary and secondary server cannot be a mix of a physical and a virtual appliance. For example, if the primary Cisco Prime Infrastructure server is a virtual appliance, the secondary server can’t be a physical appliance. Secondary server should be a virtual appliance with same or large OVA.

Customers must be running the same version of Cisco Prime Infrastructure and should be at the same patch level on both the primary and secondary Cisco Prime Infrastructure servers.

The Cisco Prime Infrastructure HA feature is transparent to the wireless controller, that is, there is no software version requirement for the Cisco Wireless LAN Controller (WLC), access points (APs), and the Cisco Mobility Services Engine (MSE).

Licensing

An RTU (right-to-use) license is required to deploy Cisco Prime Infrastructure in HA implementation. Only one Cisco Prime Infrastructure server license needs to be purchased. There is no need to purchase a license for the secondary Cisco Prime Infrastructure server. The secondary server will use the license from the primary when a failover occurs. The same Cisco Prime Infrastructure license file resides on both the primary and secondary Cisco Prime Infrastructure servers. The license file is only active on one system at any given point in time.

High-Availability Setup

Cisco Prime Infrastructure HA can also be deployed with geographic separation of the primary and secondary servers. This type of deployment is also known as disaster recovery or geographic redundancy.

HA Modes

There are two HA modes: failover and failback. After initial deployment of Cisco Prime Infrastructure – HA, the entire configuration of the primary Cisco Prime Infrastructure server is replicated to the host of the secondary Cisco Prime Infrastructure server. During normal operation (that is, when the primary Cisco Prime Infrastructure server is operational), the database and application data files from the primary server are replicated to the secondary Cisco Prime Infrastructure server. Replication frequency is 11 seconds (for real‐time files) and 500 seconds (for batch files).

Failover

Failover is the process of activating (Automatically or manually) the secondary server in response to a detected failure on the primary server. Health Monitor (HM) detects failure conditions using the heartbeat messages that the two servers exchange. If the primary server is not responsive to three consecutive heartbeat messages from the secondary, it is considered to have failed. During the health check, HM also checks the application process status and database health; if there is no proper response to these checks, these are also treated as having failed.

Failback

When the issues on the server that host the primary Cisco Prime Infrastructure server have been resolved, failback can be manually initiated. Once this is done, the screen is displayed on the secondary Cisco Prime Infrastructure server. When you initiate failback, the Cisco Prime Infrastructure database on the secondary Cisco Prime Infrastructure server and any other files that have changed since the secondary Cisco Prime Infrastructure server took over Cisco Prime Infrastructure operation are synchronized between the secondary and the primary Cisco Prime Infrastructure servers.

Figure 80. Health Monitor Details in Fallback

Manual/Automatic Options

Automatic Failover

Automatic failover is a much simpler process. The configuration steps are the same except that automatic failover is selected. Once automatic failover is configured, the network administrator does not need to interact with the secondary HM for the failover operation to take place. Only during failback is human intervention required.

Manual Failover

This is the recommended mode of Failover in Cisco Prime Infrastructure High Availability deployment. When the secondary Cisco Prime Infrastructure server is configured with manual failover mode, the network administrator is notified through an email that the primary Cisco Prime Infrastructure server has experienced a down condition. The Health Monitor (HM) on the secondary Cisco Prime Infrastructure server detects the failure condition of the primary Cisco Prime Infrastructure server. Because manual failover has been configured, the network administrator needs to manually trigger the secondary Cisco Prime Infrastructure server to take over Cisco Prime Infrastructure functionality from the primary Cisco Prime Infrastructure server. This is done if you log in to the secondary HM. Even though the secondary Cisco Prime Infrastructure server is not running, you can connect to the secondary HM using the following syntax: https://<Secondary_PI_IP_Address>:8082/.

The secondary HM displays messages in regard to events that are seen. Because manual failover has been configured, the secondary HM waits for the network administrator to invoke the failover process. Once manual failover has been chosen, the message is displayed as The Secondary Cisco Prime Infrastructure Server Starts. Once the failover process has been completed, which means that the Cisco Prime Infrastructure database replication process is completed and the secondary Cisco Prime Infrastructure JVM process has started, then the secondary Cisco Prime Infrastructure server is the active Cisco Prime Infrastructure server.

Health Monitor on the secondary Cisco Prime Infrastructure server provides status information on both the primary and secondary Cisco Prime Infrastructure servers. Failback can be initiated through the secondary HM once the primary Cisco Prime Infrastructure server has recovered from the failure condition. The failback process is always initiated manually so as to avoid a flapping condition that can sometimes occur when there is a network connectivity problem. More details on how to deploy Cisco Prime Infrastructure 3.0 HA can be found at Cisco Prime Infrastructure Administration Guide.

Configuring Cisco Prime Infrastructure Backup

It is strongly advisable to configure the backup plan in a more proactive manner. Backup can be configured by navigating to Administration > Settings>Background Tasks > Prime Infrastructure Server Backup.

You can either use the default repository defaultRepo, or create an external backup repository. Enter credentials for the remote repository and other relevant information and click Submit to create this new remote backup repository.

Advanced System Settings

Data Retention

This feature allows you to specify how long the data is to be stored in Cisco Prime Infrastructure. By default you can store the performance data as short, medium, and long-term data for 7, 31, and 378 days, respectively. You can modify these numbers based on the available hard drive space. Navigate to Administration -> Settings -> System Settings. Select Data Retention under General Tab to configure the data retention.

Server Tuning

The following sections explain how to enhance server security by eliminating or controlling individual points of security exposure.

Disabling Insecure Services

You must disable non-secure services if not using them. For example: TFTP and FTP are not secure protocols. These services are typically used to transfer firmware or software images to and from network devices and Cisco Prime Infrastructure. They are also used for transferring system backups to external storage. We recommend using secure protocols (such as SFTP or SCP) for such services.

Disabling Root Access

Administrative users can enable root shell access to the underlying operating system for trouble shooting purposes. This access is intended for Cisco Support teams to debug product-related operational issues. We recommend that you keep this access disabled, and enable it only when required. To disable root access, run the command root_disable from the command line.

Using SNMPv3 Instead of SNMPv2

SNMPv3 is a higher security protocol than SNMPv2. You can enhance the security of communications between their network devices and the Cisco Prime Infrastructure server by configuring the managed devices so that management takes place using SNMPv3 instead of SNMPv2.

You can choose to enable SNMPv3 when adding new devices, importing devices in bulk, or as part of device discovery.

Authenticating with External AAA

User accounts and password are managed more securely when they are managed centrally, by a dedicated, remote authentication server running on a secure authentication protocol such as RADIUS or TACACS+. You can configure Cisco Prime Infrastructure to authenticate users using external AAA servers.

Importing Client Certificates into Web Browsers

You must import client certificates into your browsers to authenticate while accessing Cisco Prime Infrastructure servers with certificate authentication. Although the process is similar across browsers, the actual details vary with each browser.

Enabling NTP Update Authentication

Network Time Protocol (NTP) version 4 (which authenticates server date and time updates) is an efficient setting to harden server security. Note that you can configure a maximum of three NTP servers with Cisco Prime Infrastructure.

Enabling Certificate-Based OCSP Authentication

You can further enhance the security of Cisco Prime Infrastructure’s interaction with its web clients by setting up certificate-based client authentication using the Online Certificate Status Protocol (OCSP).

With this form of authentication, Cisco Prime Infrastructure validates the web client’s certificate and its revocation status before permitting you to access the login page. Checking the revocation status makes sure that the issuing Certificate Authority (CA) has not already revoked the certificate.

Setting Up Local Password Policies

If you are authenticating users locally, using Cisco Prime Infrastructure’s own internal authentication, you can enhance your system’s security by enforcing rules for strong password selection.

Disabling Individual TCP/UDP Ports

Table 6 lists the TCP and UDP ports Cisco Prime Infrastructure uses, the names of the services communicating over these ports, and the product’s purpose in using them. The “Safe” column indicates whether you can disable a port and service without affecting Cisco Prime Infrastructure’s functionality.

Table 6. Cisco Prime Infrastructure TCP/UDP Ports

Cisco Prime Infrastructure TCP/UDP Ports
Port	Service Name	Purpose	Safe?
21/tcp	FTP	File transfer between devices and server	Y
22/tcp	SSHD	Used by SCP, SFTP, and SSH connections to and from the system	N
69/udp	TFTP	File transfer between devices and the server	Y
162/udp	SNMP-TRAP	To receive SNMP Traps	N
443/tcp	HTTPS	Primary Web Interface to the product	N
514/udp	SYSLOG	To receive Syslog messages	N
1522/tcp	Oracle	Oracle/JDBC Database connections: These include both internal server connections and for connections with the High Availability peer server.	N
8082/tcp	HTTPS	Health Monitoring	N
8087/tcp	HTTPS	Software updates on HA Secondary Systems	N
9991/udp	NETFLOW	To receive Netflow streams (enabled if Assurance license installed)	N
61617/tcp	JMS (over SSL)	For interaction with remote Plug&Play Gateway server	Y

Checking Server Security Status

Cisco Prime Infrastructure administrators can connect to the server via CLI and use the show security-status command to display the server’s currently open TCP/UDP ports, the status of other services the system is using, and other security-related configuration information.

Miscellaneous

Accessing Cisco Prime Infrastructure Through CLI

In normal circumstances, you may not need to access the CLI, but if there is a need to access some service requirements, the Cisco Prime Infrastructure server may be accessed through Secure Shell Protocol Version 2 (SSH2) by the admin user. The admin user is provided with a Cisco IOS Software-like shell, which is the preferred shell for carrying out most operational tasks. The password for this admin user is configured during the initial installation and configuration, as mentioned in the “Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance” section. Please note that the root password that is prompted in the install script is only for web access and not access to the CLI.

How to Enable CLI Root User in Cisco Prime Infrastructure Server

The root user is not enabled by default, but you can enable the root user for the first time using the root_enable command at the admin console. Once the root user is enabled, log out of the admin shell and log in using the root user and the previously defined password for root.

Start/Stop Cisco Prime Infrastructure Services

In normal circumstances, you don’t stop or start PI services. The services will start automatically once installation is complete, and no manual startup of services is required. If there is a need to restart the services for some reason, the following commands may be executed by the admin user from the command-line interface (CLI):

<piserver>/admin# ncs stop - Stops the Cisco Prime Infrastructure server

<piserver>/admin# ncs status - Shows the Cisco Prime Infrastructure server status

<piserver>/admin# ncs start - Starts the Cisco Prime Infrastructure server

Verifying IOPS for Cisco Prime Infrastructure Virtual Machine

Until Cisco Prime Infrastructure 1.x, there was no easy way to verify data store input/output operations per second (IOPS) for the virtual infrastructure. With the addition of the following new command, users can now verify the raw performance before proceeding any further.

<piserver>/admin# ncs run test iops

Testing disk write speed...

8388608+0 records in

8388608+0 records out

8589934592 bytes (8.6 GB) copied, 38.3538 seconds, 224 MB/s

Note: If you run this command when Cisco Prime Infrastructure server is “running”, the results will be really skewed. This test needs to be run after shutting down Cisco Prime Infrastructure server using ncs stop command from the admin shell.

After shutting down ncs, here are they new results:

Pi30/admin# ncs run test iops

Testing disk write speed...

8388608+0 records in

8388608+0 records out

8589934592 bytes (8.6 GB) copied, 27.0878 seconds, 317 MB/s

The recommended value is the result from the command after “shutting down” ncs (ncs stop). Note that the recommended value for the IOPS is 200 MBps.

References