-
- Operating the Network
- Monitoring Alarms
- Updating Device Inventory
- Configuring Device Features
- Working With Device Configurations
- Maintaining Software Images
- Working with Wireless Operational Tools
- Ensuring Consistent Application Experiences
- Working with Wireless Mobility
- Configuring the Cisco AppNav Solution
- Configuring the Cisco WAAS Container
- Troubleshooting
- Reports
- Prime Infrastructure User Interface Reference
Cisco Prime Infrastructure 2.0 User Guide
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- February 9, 2018
Chapter: Designing Device Configurations
- Creating Feature-Level Configuration Templates
Designing Device Configurations
You can use Cisco Prime Infrastructure configuration templates to design the set of device configurations that you need to set up the devices in a branch. When you have a site, office, or branch that uses a similar set of devices and configurations, you can use configuration templates to build a generic configuration that you can apply to one or more devices in the branch. You can also use configuration templates when you have a new branch and want to quickly and accurately set up common configurations on the devices in the branch. Altering configurations across a large number of devices can be tedious and time-consuming, and templates save you time by applying the necessary configurations and ensuring consistency across devices.
- Creating and Deploying Feature-Level Configuration Templates
- Creating Feature-Level Configuration Templates
- Creating Monitoring Templates
- Creating Composite Templates
- Grouping Configuration Templates with Devices
- Creating Shared Policy Objects
- Creating Wireless Configuration Templates
- Creating Controller Configuration Groups
- Creating Custom SNMP Polling Templates
Creating Feature-Level Configuration Templates
Prime Infrastructure provides the following types of feature-level configuration templates:
- Features and technologies templates—Configurations that are specific to a feature or technology in a device’s configuration. See Creating Features and Technologies Templates.
- CLI templates—User-defined templates that are created based on your own parameters. CLI templates allow you to choose the elements in the configurations. Prime Infrastructure provides variables that you replace with actual values and logic statements. You can also import templates from the Cisco Prime LAN Management System. See Updating Passwords.
- Composite templates—Two or more feature or CLI templates grouped together into one template. You specify the order in which the templates contained in the composite template are deployed to devices. See Creating Composite Templates.
Note
All templates must be published before they can be deployed to devices.
Creating and Deploying Feature-Level Configuration Templates
To create and deploy a feature-level configuration template, follow these steps:
Step 1 Choose Design > Configuration , choose the type of template, and complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 2.0 Reference Guide.
Step 2 Navigate to the My Templates folder, choose the template that you want to deploy, then click the Publish icon to publish the template.
After you publish a configuration task template, you can specify devices, values, and scheduling information to tailor your deployment (see Deploying and Monitoring Configuration Tasks).
Step 3 Click Deploy to deploy the template.
Step 4 To verify the status of the template deployment, choose Administration > Jobs Dashboard.
Creating Features and Technologies Templates
Features and Technologies templates are templates that are based on device configuration and that focus on specific features or technologies in a device’s configuration.
When you add a device to Prime Infrastructure, Prime Infrastructure gathers the device configuration for the model you added. Prime Infrastructure does not support every configurable option for all device types. If Prime Infrastructure does not have a Features and Technologies template for the specific feature or parameter that you want to configure, create a CLI template (see Creating CLI Configuration Templates).
Features and Technologies templates simplify the deployment of configuration changes. For example, you can create an SNMP Features and Technologies template and then quickly deploy it to devices you specify. You can also add this SNMP template to a composite template (see Creating Composite Templates). Then later, when you update the SNMP template, the composite template in which the SNMP template is contained automatically has your latest changes.
To create a Features and Technologies template, follow these steps:
Step 1 Choose Design > Configuration > Feature Design.
Step 2 In the Features and Technologies menu on the left, choose a template type to create.
Step 3 Complete the fields for that template.
If you are creating a feature template that applies only to a particular device type, the Device Type field lists only the applicable device type, and you cannot change the selection. Specifying a device type helps you to prevent a mismatch; that is, you cannot create a configuration and apply the configuration to a wrong device.
For information about the field descriptions, see the Cisco Prime Infrastructure 2.0 Reference Guide.
Step 4 Click Save as New Template. After you save the template, deploy it to your devices using the procedures in Creating and Deploying Feature-Level Configuration Templates.
Step 5 To verify the status of a template deployment, choose Administration > Jobs Dashboard.
Creating CLI Templates
CLI is a set of re-usable device configuration commands with the ability to parameterize select elements of the configuration as well as add control logic statements. This template is used to generate a device deployable configuration by replacing the parameterized elements (variables) with actual values and evaluating the control logic statements.
This section includes the following topics:
- Prerequisites for Creating CLI Templates
- Creating CLI Configuration Templates
- Creating CLI Configuration Templates
- Creating CLI Configuration Templates from Copied Code
- Exporting a CLI Configuration Template
- Importing a CLI Configuration Template
- Exporting CLI Variables
- Importing CLI Variables
- Updating Passwords
Prerequisites for Creating CLI Templates
Before you create a CLI template, you must:
- Have expert knowledge and understanding of the CLI and be able to write the CLI in Apache VTL. For more information about Apache Velocity Template Language, see http://velocity.apache.org/engine/devel/vtl-reference-guide.html.
- Understand to what devices the CLI you create can be applied.
- Understand the data types supported by Prime Infrastructure.
- Understand and be able to manually label configurations in the template.
- To know how to use variables and data types, see the “Variables and Data Types” section.
Creating CLI Configuration Templates
Use templates to define device parameters and settings, which you can later deploy to a specified number of devices based on device type.
Make sure you have satisfied the prerequisites (see Prerequisites for Creating CLI Templates).
Step 1 Choose Design > Configuration > Feature Design.
Step 2 Expand the CLI Templates folder, then click CLI.
Step 3 Enter the required information.
a. In the OS Version field, you can specify an OS image version so that you can filter out devices older than the one you specified.
a. In the Template Detail section, click the Manage Variables icon (above the CLI Content field).
This allows you to specify a variable for which you will define a value when you deploy the template.
b. Click Add Row and enter the parameters for the new variable (see the “Variables and Data Types” section), then click Save.
c. Enter the CLI information. In the CLI field, you must enter code using Apache VTL (see http://velocity.apache.org/engine/devel/vtl-reference-guide.html). For more information about different CLI command formats, see:
d. (Optional) To change the variables, click Form View (a read-only view), click the Manage Variables icon, then make your changes (see the “Variables and Data Types” section).
Step 4 Click Save As New Template.
Step 5 Click Publish to publish the template, click Deploy and specify the deployment options (see Creating and Deploying Feature-Level Configuration Templates), then click OK.
Step 6 To verify the status of a template deployment, choose Administration > Jobs Dashboard.
Note To duplicate a CLI template, expand the System Templates - CLI, hover your mouse cursor over the quick view picker icon next to CLI, and then click Duplicate. using the and Save as new template.
For field descriptions for the CLI templates, see the Cisco Prime Infrastructure 2.0 Reference Guide.
Variables and Data Types
You can use variables as placeholders to store values. The variables have names and data types. Table 8-1 lists data types that you can configure in the Manage Variables page.
|
|
|
|---|---|
Enables you to create a text box for CLI template. To specify a validation expression and a default value, click the Expand icon and configure the Default Value and Validation Expression fields. |
|
Enables you to create a text box that accepts only numeric value. If you want to specify a range for the integer, click the Expand icon and configure the Range From and To fields. To specify a validation expression and a default value, click the Expand icon and configure the Default Value and Validation Expression fields. |
|
Enables you to specify a database type. See the “Managing Database Variables in CLI Templates” section. |
|
Enables you to create a text box that accepts only IPv4 address for CLI template. To specify a validation expression and a default value, click the Expand icon and configure the Default Value and Validation Expression fields. |
|
Enables you to create a list box for CLI template. To specify a validation expression and a default value, click the Expand icon and configure the Default Value field (with comma separated value for multiple list which appears in the UI). |
|
Enables you to create a check box for CLI template. To specify a validation expression and a default value, click the Expand icon and configure the Default Value field. |
|
Enables you to create a radio button for CLI template. To specify a validation expression and a default value, click the Expand icon and configure the Default Value field. |
|
Enables you to create a text area which allows multiline values for CLI template. To specify a validation expression and a default value, click the Expand icon and configure the Default Value and Validation Expression fields. |
Managing Database Variables in CLI Templates
You can use database (DB) variables for the following reasons:
- DB variable is one of the data types in CLI templates. You can create DB variables to find the exact device and generate the accurate commands.
- DB variables are pre-defined variables. All other variables are user-defined variables.
- To view the pre-defined DB variables go to the following path.
Cd/opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate
Note You can find the CLITemplateDbVariablesQuery.properties file inside the InventoryTagsInTemplate folder that contains the list of pre-defined DB variables.
- For example, SysObjectID, IPAddress, ProductSeries, ImageVersion are DB variables.When a device is added in to Prime Infrastructure, the complete details of the device is collected in the DB variables. That is, OID of the devices is collected in SysObjeectID, product series in ProductSeries, image versions of the device in ImageVersion and so on.
- Using the data collected by the DB variables, accurate commands can be generated to the device.
- You can select the DB variable in the Type field (using the Managed Variables page). Expand the name field and fill-in default value field with any of the DB variables which you want to use.
- When a device is discovered and added to Prime Infrastructure, you can use the database values that were gathered during the inventory collection to create CLI templates.
For example, if you want to create and deploy a CLI template to shut down all interfaces in a branch, create a CLI template that contains the following commands:
#foreach ($interfaceName in $interfaceNameList)
interface $interfaceName
shutdown
#end
where $interfaceNameList is the database variable type whose value will be retrieved from the database. $interfaceNameList has a default value of IntfName. You need to create the interfaceNameList variable as DB data type (using the managed variable dialog box) and add set the default to IntfName. If you have not specified a default value, you can specify it when you deploy the CLI template.
To populate interfaceNameList with the value from the database, you must create a properties file to capture the query string and save it in the /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate folder. This is a sample of a property file called interface.properties:
# for interface name tag->Name
IntfName=select name from EthernetProtocolEndpoint u where owningEntityId =
After you create the CLI template and the property file and deploy the CLI template, the following CLI is configured on the devices. This output assumes the device has two interfaces (Gigabitethernet0/1 and Gigabitethernet0/0):
interface GigabitEthernet0/0
shutdown
interface GigabitEthernet0/1
shutdown
Note Verify that the Enterprise JavaBeans Query Language (EJB QL) specified in the properties file returns a list of strings; or, if a single element is specified, the EJB QL should return a list containing one element.
Using Validation Expression
The values that you define in the Validation Expression are validated with the associated component value at deploy flow. For example, if you enter a default value and a validation expression value in the design flow, this will be validated during the deploy flow. That is, if the default value does not match with the entered value in the validation expression, you will encounter an get error at design flow.
Note The validation expression value works only for the string data type field.
Choose CLI > Manage Variables > Add Row. Choose string data type and then click the expand icon and configure the regular expression which will not allow a space in that text box.
Enter the following expression in the validating expression field.
The value should match with regular expression in validation expression field.)
Save the template, click Deploy, and then select a device. Try to enter a space in the text field. You will encounter a regular expression error.
Adding Multi-line Commands
To enter multi-line commands in the CLI Content area, use the following syntax:
- <MLTCMD> and </MLTCMD> tags are case-sensitive and must be entered as uppercase.
- The multi-line commands must be inserted between the <MLTCMD> and </MLTCMD> tags.
- Do not start this tag with a space.
- Do not use <MLTCMD> and </MLTCMD> in a single line.
Adding Enable Mode Commands
Use this syntax to add enable mode commands to your CLI templates:
Adding Interactive Commands
An interactive command contains the input that must be entered following the execution of a command.
To enter an interactive command in the CLI Content area, use the following syntax:
where <IQ> and <R> tag are case-sensitive and must be entered as uppercase.
Combining Interactive Enable Mode Commands
Use this syntax to combine interactive Enable Mode commands:
Adding Interactive Multiline Commands
This is an example of an interactive command that contains multiple lines:
Creating CLI Configuration Templates from Copied Code
One quick way to create CLI configuration templates is to copy code from a command line configuration session, CLI script, or other stored set of configuration commands. Prime Infrastructure lets you turn all the CLI parameters in the copied CLI into template variables.
To create a CLI template variable from copied code:
Step 1 Choose Design > Configuration > Feature Design.
Step 2 Expand the CLI Template folder, then click CLI.
Step 3 In the CLI template, paste the copied code into the CLI Content field.
Step 4 Select the text that is to be the variable name and click Manage Variables (the icon above the CLI Content field).
You can use this same procedure to edit an existing variable created from copied code.
Step 5 Fill out the required information, then click Save > Add.
Step 6 To view the new variable, click Form View.
Exporting a CLI Configuration Template
If you have CLI templates in any other Prime Infrastructure server, you can export them as an XML file and import them into your current Prime Infrastructure server.
Step 1 Choose Design > Configuration > Feature Design.
Step 2 Expand the CLI Template folder, then click System Templates - CLI.
Step 3 Select the template(s) that you want to export.
Step 4 Click the Export icon at the top right of the CLI template page.
Importing a CLI Configuration Template
Step 1 Choose Design > Configuration > Feature Design.
Step 2 Expand the CLI Template folder, then hover your mouse cursor over the quick view picker icon next to CLI.
Step 3 Click Show All Templates.
Step 4 Click the Import icon at the top right of the CLI template page.
Step 5 Click Select Templates to navigate to your file, then click OK.
Exporting CLI Variables
You can export the CLI variables into a CSV file while deploying a CLI configuration template. You can use the CSV file to make necessary changes in the variable configuration and import it into Prime Infrastructure at a later time.
Step 1 Choose Deploy > Configuration Tasks.
Step 2 Expand the CLI Template.
Step 3 Select the template that you want to deploy.
Step 4 Select the device whose variables you want to export.
Step 5 Click the Export icon at the top right of the CLI template page.
Importing CLI Variables
Step 1 Choose Deploy > Configuration Tasks.
Step 2 Expand the CLI Template.
Step 3 Select the template that you want to deploy.
Step 4 Select the device to which you want to import variables.
Step 5 Click the Import icon at the top right of the CLI template page.
Updating Passwords
To comply with SoX (Sound eXchange, a free cross-platform digital audio editor), you might want to update the password for the network devices once every six months. To make the changes in a rolling fashion, you plan to perform the operation once for two regions every three months.
In this example, there are four custom dynamic groups, one for each region based on the cities in every region: North Region, South Region, East Region, and West Region. You must update the enable password for all of the devices in the north and south region. After this is complete, you plan to set another job to occur for the West and East region devices to occur three months later.
The devices in these regions must have an assigned location attribute.
Step 1 If the four groups, North Region, South Region, East Region, and West Region, have not been created:
a. Choose Operate > Device Work Center, then mouse-over User Defined and choose Add SubGroup.
b. In the Create Sub-Group area, enter:
– Group Description: List of devices in the north region
– Filter: Location > Contains > SJC-N
To determine the location of a device, choose Operate > Device Work Center > (gear icon) > Columns > Location.
The devices for the new group appear under Device Work Center > User Defined > North.
c. Do the same for south, east, and west regions.
Step 2 To deploy the password template:
a. Choose Deploy > Configuration Tasks > CLI Templates > System Templates-CLI.
b. Select the Enable Password-IOS template and click Deploy.
c. In the Device Selection area, open the User Defined groups and select the North Region and South Region groups.
d. In the Value Selection area, enter and confirm the new enable password, then click Apply.
e. In the Schedule area, enter a name for the job, the date and time to deploy the new template (or click Now), then click OK.
Step 3 After the job has run, choose Administration > Jobs Dashboard to view the status of the job (see Monitoring Jobs).
Tagging Templates
You can label a set of templates by providing an intuitive name to tag the templates. Tagging a configuration template helps you:
Tagging a New Configuration Template
To tag a new configuration template and publish the tagged template, follow these steps:
Step 1 Choose Design > Configuration > Feature Design.
Step 2 Expand the Features and Technologies folder, choose an appropriate subfolder, and then choose a template type.
Step 3 Complete the required fields, enter a tag name in the Tags field, then click Save as New Template.
Step 4 Click Publish to publish the template, click Deploy and specify the deployment options (see Creating and Deploying Feature-Level Configuration Templates), then click OK.
Tagging an Existing Template
To tag an existing template, follow these steps:
Step 1 Choose Design > Configuration > Feature Design.
Step 2 In the Features and Technologies menu on the left, expand the My Templates folder and choose the template you want to update.
Step 3 Enter a tag name in the Tag as field, then click Save.
Step 4 Click Publish to publish the template, click Deploy and specify the deployment options (see Creating and Deploying Feature-Level Configuration Templates), then click OK.
Associating a Tag With Multiple Templates
You can tag a new tag name or associate an existing tag with multiple templates.
Step 1 Choose Design > Configuration > Feature Design.
Step 2 Click the Tag icon drop-down arrow on the navigation toolbar of the Templates column.
Step 3 Enter a tag name in the Tag as field.
Step 4 In the My Templates folder, click the templates that are to be associated with the tag.
To associate all of the templates in the folder with the tag, select the box beside the My Templates folder.
Creating Monitoring Templates
Prime Infrastructure provides several types of monitoring templates.
- Metrics—Use monitoring templates to enable Prime Infrastructure to monitor network device metrics and alert you of changing conditions before the issues impact their operation (see Monitoring Network Device Metrics). For an example of how to create a template that collects metrics, see Example: Creating Health Monitoring Templates.
- NetFlow—You can monitor the different types of NetFlow traffic (see Monitoring NetFlow Traffic).
- Thresholds—Use monitoring templates to define thresholds (see Defining Thresholds). When the thresholds that you specify are reached, Prime Infrastructure issues an alarm. For examples of how to create various types of thresholds, see:
– Example: Defining Health Monitoring Thresholds
Monitoring Network Device Metrics
Use monitoring templates to monitor network device metrics and alert you of changing conditions before the issues impact their operation.
Step 1 Choose Design > Configuration > Monitor Configuration.
Step 2 Expand the Features menu on the left and choose Metrics, then click one of the types of metrics.
Step 3 Complete the required fields, click Save, then click Save As New Template.
Step 4 You can now deploy the template (see Deploying Monitor Configuration Templates).
Example: Creating Health Monitoring Templates
You can use health monitoring templates to enable Prime Infrastructure to monitor network device metrics such as CPU and memory utilization statistics and alert you of changing conditions before they impact operations.
To create a health monitoring template, follow these steps:
Step 1 Choose Design > Configuration > Monitor Configuration.
Step 2 Expand the Features menu on the left and choose Metrics; then click Device Health or Interface Health.
Step 3 Complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 2.0 Reference Guide.
Step 4 Choose Interface Health > Metric Parameters and select the parameters you want to monitor. To modify a parameter setting, click the parameter name, description, or polling frequency value and change the field, then click Save.
Step 5 Click Save as New Template, then deploy the template (see Deploying Monitor Configuration Templates).
Monitoring NetFlow Traffic
Use NetFlow monitoring templates to monitor NetFlow traffic.
Step 1 Choose Design > Configuration > Monitor Configuration.
Step 2 Expand the Features menu on the left and choose NetFlow, then click one of the types of NetFlow traffic.
Step 3 Complete the required fields, click Save, then click Save As New Template.
Step 4 You can now deploy the template (see Deploying Monitor Configuration Templates).
Defining Thresholds
Use monitoring templates to define thresholds. When the thresholds you specify are reached, Prime Infrastructure issues an alarm.
Step 1 Choose Design > Configuration > Monitor Configuration.
Step 2 Expand the Features menu on the left and choose Threshold.
Step 3 Complete the basic template fields.
Step 4 Under the Feature Category, choose one of the available metrics.
Step 5 Under Metric Parameters, choose the threshold setting that you want to change, then click Edit Threshold Setting. Enter a new value, choose the alarm severity when the threshold is met or exceeded, and click Done.
Step 6 Click Save as New Template.
Step 7 You can now deploy the template (see Deploying Monitor Configuration Templates).
Example: Defining Health Monitoring Thresholds
Use monitoring templates to define thresholds. When the thresholds you specify are reached, Prime Infrastructure issues an alarm.
Before you can define health-monitoring threshold values:
1. Choose Design > Monitoring Configuration > Features > Metrics.
2. Create an Interface Health Monitoring template.
To define monitoring thresholds, follow these steps:
Step 1 Choose Design > Configuration > Monitor Configuration.
Step 2 Expand the Features menu on the left and choose Threshold.
Step 3 Complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 2.0 Reference Guide.
Step 4 In the Metric Parameters area, select the parameter for the threshold that you want to change, then click Edit Threshold Setting. The list of parameters displayed corresponds to the parameters that were included when the monitoring template was created; if you are using a default template, all available parameters are displayed.
Step 5 Enter a new value and choose the alarm severity for the threshold, then click Done.
Step 6 Click Save as New Template, then deploy the template (see Deploying Monitor Configuration Templates).
Health Monitoring Template Metrics
Prime Infrastructure polls SNMP objects to gather monitoring information for the following health monitoring templates under Design > Configuration > Monitor Configuration > Features > Metrics:
- Device Health— Table 8-3 describes the device health parameters that are polled.
- Interface Health— Table 8-4 describes the interface parameters that are polled.
- Class Based Quality of Service— Table 8-5 describes the QoS parameters that are polled.
For the following monitoring templates that provide assurance information, data is collected through NetFlow or NAMs:
|
|
|
|
|
|---|---|---|---|
cbQosCMDropByte64 cbQosCMPostPolicyByte64 cbQosCMPrePolicyByte64 |
Deploying Monitor Configuration Templates
Step 1 Choose Deploy > Configuration Deployment > Monitoring Deployment.
Step 2 Find the template you created and click Deploy, then click OK.
Creating Composite Templates
Create a composite template if you have a collection of existing features or CLI templates that you want to apply collectively to devices. For example, when you deploy a branch, you need to specify the minimum configurations for the branch router. Creating a composite template allows you to create a set of required features that include:
All of the templates that you create can be added to a single composite template, which aggregates all of the individual feature templates you need for the branch router. You can then use this composite template to perform branch deployment operations and to replicate the configurations at other branches.
If you have multiple similar devices replicated across a branch, you can create and deploy a master (golden) composite template for all of the devices in the branch. You can use this master composite template to:
- Simplify deployment and ensure consistency across your device configurations.
- Compare against an existing device configuration to determine if there are mismatches.
- Create new branches.
Step 1 Choose Design > Feature Design > Configuration > Composite Templates > Composite Templates.
Step 2 Provide the required information.
- From the Device Type drop-down list, choose the devices to which all of the templates contained in the composite template apply. For example, if your composite template contains one template that applies to Cisco 7200 Series routers and another that applies to all routers, choose the Cisco 7200 Series routers in the Device Type list.
Note If a device type is dimmed, the template cannot be applied on that device type.
Using the arrows, put the templates in the composite in the order in which they should be deployed to the devices. For example, to create an ACL and associate it with an interface, put the ACL template first, followed by the interface template.
Step 3 Click Save as New Template. After you save the template, deploy it to your devices (see Creating and Deploying Feature-Level Configuration Templates).
Grouping Configuration Templates with Devices
You might want to associate a set of configuration templates with specific devices. If you have devices that require the same configuration, you can create a configuration group that associates configuration templates with devices. Creating a configuration group allows you to quickly deploy new templates without remembering to which devices the new templates should be deployed.
Composite templates allow you to group smaller templates together, but only configuration groups specify the relationship between the templates and the groups of devices to which those templates apply. You can also specify the order in which the templates in the configuration group are deployed to the devices.
Before you create a configuration group, you should:
- Create configuration templates for the devices in your configuration group. See Creating and Deploying Feature-Level Configuration Templates.
- Determine which devices should be included in the configuration group.
Step 1 Choose Design > Configuration Groups.
Step 2 Hover your mouse cursor over Configuration Group in the left pane, then click New.
Step 3 Complete the required fields. The device types displayed depend on what you select from the Device Type field.
Step 4 Where needed, change a template’s order in the group by selecting it and clicking the up or down arrow.
Step 5 Click Save as a New Configuration Group.
Step 6 Click Publish to publish the group, click Deploy and specify the deployment options (see Creating and Deploying Feature-Level Configuration Templates), then click OK.
Table 8-6 describes the possible configuration group states.
Creating Shared Policy Objects
Policy objects enable you to define logical collections of elements. They are reusable, named components that can be used by other objects and policies. They also eliminate the need to define a component each time that you define a policy.
Objects are defined globally. This means that the definition of an object is the same for every object and policy that references it. However, many object types (such as interface roles) can be overridden at the device level. This means that you can create an object that works for most of your devices, then customize the object to match the configuration of a particular device that has slightly different requirements.
Creating Interface Roles
An interface role allows you to dynamically select a group of interfaces without having to manually define the interfaces on each device. For example, you can use interface roles to define the zones in a zone-based firewall configuration template. You might define an interface role with a naming pattern of DMZ*. When you include this interface role in a template and deploy the template, the configuration is applied to all interfaces whose name begins with “DMZ” on the selected devices. As a result, you can assign a policy that enables anti-spoof checking on all DMZ interfaces to all relevant device interfaces with a single action.
Step 1 Choose Design > Configuration > Shared Policy Objects.
Step 2 In the Templates menu on the left, choose Shared > Interface Role.
Step 3 From the Interface Role page, click Add Object.
Step 4 From the Add Interface Role page, create matching rules for the interface role.
When you deploy the zone-based template, for example, all of the interfaces on the device that match the specified rules will become members of the security zone represented by this interface role. You can match interfaces according to their name, description, type, and speed.
Step 5 Click OK to save the configurations.
Creating Network Objects
Network objects are logical collections of IP addresses or subnets that represent networks. Network objects make it easier to manage policies.
There are separate objects for IPv4 and IPv6 addresses; the IPv4 object is called “networks/hosts,” and the IPv6 object is called “network/hosts-IPv6.” Except for the address notation, these objects are functionally identical, and in many instances the name network/host applies to either type of object. Note that specific policies require the selection of one type of object over the other, depending on the type of address expected in the policy.
You can create shared policy objects to be used in the following configuration templates:
- Zone-based firewall templates—See Configuring a Zone-Based Firewall Template
- Application Visibility—See Configuring Application Visibility
Note Cisco Prime Infrastructure 2.0 supports IPv4 network objects only.
Step 1 Choose Design > Configuration > Shared Policy Objects > Shared > IPv4 Network Object.
Step 2 From the Network Object page, click Add Object and add a group of IP addresses or subnets.
Step 3 Click OK to save the configurations.
Creating Wireless Configuration Templates
The following sections describe how to create wireless configuration templates for:
- Lightweight access points
- Autonomous access points
- Switches
- Converting autonomous access points to lightweight access points
Creating Lightweight AP Configuration Templates
To create a template for a lightweight access point, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Lightweight AP Configuration Templates.
Step 2 From the Select a command drop-down list, choose Add Template, then click Go.
Step 3 Enter a name and description for the template and click Save. If you are updating an already existing template, click the applicable template in the Template Name column.
Step 4 Click each of the tabs and complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 2.0 Reference Guide.
Creating Autonomous AP Configuration Templates
To create a template for an autonomous access point, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Autonomous AP Configuration Templates.
Step 2 From the Select a command drop-down list, choose Add Template, then click Go. If you are updating an already existing template, click the applicable template in the Template Name column.
Step 3 Enter a name for the template and the applicable CLI commands.
Note Do not include any show commands in the CLI commands text box. The show commands are not supported.
Creating Switch Location Configuration Templates
To configure a location template for a switch, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Switch Location Configuration.
Step 2 From the Select a command drop-down list, choose Add Template, then click Go.
Step 3 Enter the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 2.0 Reference Guide.
Creating Autonomous AP Migration Templates
To make a transition from an autonomous solution to a unified architecture, autonomous access points must be converted to lightweight access points.
Note After an access point has been converted to lightweight, the previous status or configuration of the access point is not retained.
To create an autonomous AP migration template, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Autonomous AP Migration Templates.
Step 2 From the Select a command drop-down list, choose Add Template, then click Go. If you are updating an already existing template, click the applicable template in the Template Name column.
Step 3 Complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 2.0 Reference Guide.
Step 4 To view the migration analysis summary, choose Operate > Wireless > Migration Analysis.
Creating Controller Configuration Groups
By creating a configuration group, you can group controllers that should have the same mobility group name and similar configuration. You can assign templates to the group and push templates to all the controllers in a group. You can add, delete, or remove configuration groups, and download software, IDS signatures, or a customized web authentication page to controllers in the selected configuration groups. You can also save the current configuration to nonvolatile (flash) memory to controllers in selected configuration groups.
Note A controller cannot be a member of more than one mobility group. Adding a controller to one mobility group removes that controller from any other mobility group to which it is already a member.
By choosing Design > Configuration > Wireless Configuration > Controller Configuration Groups, you can view a summary of all configuration groups in the Prime Infrastructure database. Choose Add Configuration Groups from the Select a command drop-down list to display a table with the following columns:
- Group Name—Name of the configuration group.
- Templates—Number of templates applied to the configuration group.
Creating a New Configuration Group
To create a configuration group, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Controller Configuration Groups.
Step 2 From the Select a command drop-down list, choose Add Config Group, then click Go.
Step 3 Enter the new configuration group name. It must be unique across all groups.
Note If the Enable Background Audit option is chosen, the network and controller audit is performed on this configuration group.
Step 4 Other templates created in Prime Infrastructure can be assigned to a configuration group. The same WLAN template can be assigned to more than one configuration group. Choose from the following:
Note The order of the templates is important when dealing with radio templates. For example, if the template list includes radio templates that require the radio network to be disabled prior to applying the radio parameters, the template to disable the radio network must be added to the template first.
Step 5 Click Save. The Config Groups page appears.
After you create a configuration group, Prime Infrastructure allows you to choose and configure multiple controllers by choosing the template that you want to push to the group of controllers.
To enable the Background Audit option, set template-based audit in Administration > System > Audit Settings.
- Controllers—For details, see Adding or Removing Controllers from a Configuration Group.
- Country/DCA—For details, see Configuring Multiple Country Codes.
- Templates—Allows you to select the configuration templates that you have already created.
- Apply/Schedule—For details, see Applying or Scheduling Configuration Groups.
- Audit—For details, see Auditing Configuration Groups.
- Reboot—For details, see Rebooting Configuration Groups.
- Report—Allows you to view the most recent report for this group.
Adding or Removing Controllers from a Configuration Group
To add or remove controllers from a configuration group, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Controller Configuration Groups.
Step 2 Click a group name in the Group Name column, then click the Audit tab.
The columns in the table display the IP address of the controller, the configuration group name the controller belongs to, and the mobility group name of the controller.
Step 3 Click to highlight the row of the controller that you want to add to the group, then click Add.
Note If you want to remove a controller from the group, highlight the controller in the Group Controllers area and click Remove.
Step 4 Click the Apply/Schedule tab, click Apply to add or remove the controllers to the configuration groups, then click Save Selection.
Note You cannot add or configure Cisco Catalyst 3850 Series Switches or Cisco 5700 Series Wireless LAN Controllers using the Classic view. To add or configure these devices, use the Lifecycle view.
Configuring Multiple Country Codes
You can configure one or more countries on a controller. After countries are configured on a controller, the corresponding 802.11a/n DCA channels are available for selection. At least one DCA channel must be selected for the 802.11a/n network. When the country codes are changed, the DCA channels are automatically changed in coordination.
Note 802.11a/n and 802.11b/n networks for controllers and access points must be disabled before configuring a country on a controller. To disable 802.11a/n or 802.11b/n networks, choose Configure > Controllers, select the desired controller that you want to disable, choose 802.11a/n or 802.11b/g/n from the left sidebar menu, and then choose Parameters. The Network Status is the first check box.
To add multiple controllers that are defined in a configuration group and then set the DCA channels, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Controller Configuration Groups.
Step 2 From the Select a command drop-down list, choose Add Config Groups, then click Go.
Step 3 Create a configuration group by entering the group name and mobility group name.
Step 4 Click Save, then click the Controllers tab.
Step 5 Highlight the controllers that you want to add, and click Add. The controller is added to the Group Controllers page.
Step 6 Click the Country/DCA tab. The Country/DCA page appears. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.
Step 7 Select the Update Country/DCA check box to display a list of countries from which to choose.
Step 8 Those DCA channels that are currently configured on the controller for the same mobility group are displayed in the Select Country Codes page. The corresponding 802.11a/n and 802.11b/n allowable channels for the chosen country is displayed as well. You can add or delete any channels in the list by selecting or deselecting the channel and clicking Save Selection.
Note A minimum of 1 and a maximum of 20 countries can be configured for a controller.
Applying or Scheduling Configuration Groups
The scheduling function allows you to schedule a start day and time for provisioning.
To apply the mobility groups, mobility members, and templates to all of the controllers in a configuration group, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Controller Configuration Groups.
Step 2 Click a group name in the Group Name column, then choose the Apply/Schedule tab.
Step 3 Click Apply to start the provisioning of mobility groups, mobility members, and templates to all of the controllers in the configuration group. After you apply, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return later to this page to view a report.
Note Do not perform any other configuration group functions during the apply provisioning.
A report is generated and appears in the Recent Apply Report page. It shows which mobility groups, mobility members, or templates were successfully applied to each of the controllers.
Step 4 Enter a starting date in the text box or use the calendar icon to choose a start date.
Step 5 Choose the starting time using the hours and minutes drop-down lists.
Step 6 Click Schedule to start the provisioning at the scheduled time.
Auditing Configuration Groups
The Config Groups Audit page allows you to verify if the configuration complies of the controller with the group templates and mobility group. During the audit, you can leave this window or log out of Prime Infrastructure. The process continues, and you can return to this page later to view a report.
Do not perform any other configuration group functions during the audit verification.
To perform a configuration group audit, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Controller Configuration Groups.
Step 2 Click a group name in the Group Name column, then click the Audit tab.
Step 3 Click to highlight a controller on the Controllers tab, choose >> (Add), and Save Selection.
Step 4 Click to highlight a template on the Templates tab, choose >> (Add), and Save Selection.
Step 5 Click Audit to begin the auditing process.
A report is generated and the current configuration on each controller is compared with that in the configuration group templates. The report displays the audit status, the number of templates in sync, and the number of templates out of sync.
Note This audit does not enforce Prime Infrastructure configuration to the device. It only identifies the discrepancies.
Step 6 Click Details to view the Controller Audit report details.
Step 7 Double-click a line item to open the Attribute Differences page. This page displays the attribute, its value in Prime Infrastructure, and its value in the controller.
Note Click Retain Prime Infrastructure Value to push all attributes in the Attribute Differences page to the device.
Step 8 Click Close to return to the Controller Audit Report page.
Rebooting Configuration Groups
Step 1 Choose Design > Configuration > Wireless Configuration > Controller Configuration Groups.
Step 2 Click a group name in the Group Name column, then click the Reboot tab.
Step 3 Select the Cascade Reboot check box if you want to reboot one controller at a time, waiting for that controller to come up before rebooting the next controller.
Step 4 Click Reboot to reboot all controllers in the configuration group at the same time. During the reboot, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return later to this page and view a report.
The Recent Reboot Report page shows when each controller was rebooted and what the controller status is after the reboot. If Prime Infrastructure is unable to reboot the controller, a failure is shown.
Retrieving Configuration Group Reports
To display all recently applied reports under a specified group name, follow these steps:
Step 1 Choose Design > Configuration > Wireless Configuration > Controller Configuration Groups.
Step 2 Click a group name in the Group Name column, then click the Report tab. The Recent Apply Report page displays all recently applied reports including the apply status, the date and time the apply was initiated, and the number of templates. The following information is provided for each individual IP address:
- Apply Status—Indicates success, partial success, failure, or not initiated.
- Successful Templates—Indicates the number of successful templates associated with the applicable IP address.
- Failures—Indicates the number of failures with the provisioning of mobility group, mobility members, and templates to the applicable controller.
- Details—Click Details to view the individual failures and associated error messages.
Step 3 If you want to view the scheduled task reports, click the click here link at the bottom of the page.
Creating wIPS Profiles
Prime Infrastructure provides several predefined profiles from which to choose. These profiles (based on customer types, building types, industry types, and so on) allow you to quickly activate the additional wireless threat protection available through Cisco Adaptive wIPS. You can use a profile ‘as is’ or customize it to better meet your needs.
- Education
- EnterpriseBest
- EnterpriseRogue
- Financial
- HealthCare
- HotSpotOpen
- Hotspot8021x
- Military
- Retail
- Tradeshow
- Warehouse
The wIPS Profiles > Profile List page allows you to view, edit, apply, or delete current wIPS profiles and to add new profiles. The Profile List provides the following information for each profile:
- Profile Name —Indicates the user-defined name for the current profile. Click the profile name to view or edit profile details.
Note Hover your mouse cursor over the profile name to view the Profile ID and version.
- MSE(s) Applied To —Indicates the number of mobility services engines (MSEs) to which this profile is applied. Click the MSE number to view profile assignment details.
- Controller(s) Applied To —Indicates the number of controllers to which this profile is applied. Click the controller number to view profile assignment details.
To create a wIPS profile, follow these steps:
Step 1 Select Design > Configuration > Wireless Configuration > wIPS Profiles.
Step 2 From the Select a command drop-down list, choose Add Profile, then click Go.
Step 3 Enter a profile name in the Profile Name text box of the Profile Parameters page.
Step 4 Select the applicable pre-defined profile, or choose Default from the drop-down list.
Note When you select Save, the profile is saved to the Prime Infrastructure database with no changes and no mobility services engine or controller assignments. The profile appears in the profile list.
Step 6 To edit and delete current groups or add a new group:
a. From the Select a command drop-down list on the SSID Group List page, choose Add Group or Add Groups from Global List, then click Go.
b. Enter the group name and one or more SSID groups, then click Save.
Step 7 To determine which policies are included in the current profile, choose Profile Configuration. The check boxes in the policy tree (located in the left Select Policy pane) indicate which policies are enabled or disabled in the current profile. Using this page, you can:
Note By default, all policies are selected.
Note There must be at least one policy rule in place. You cannot delete a policy rule if it is the only one in the list.
Note If the profile is already applied to a controller, it cannot be deleted.
– Threshold (not applicable to all policies)—Indicates the threshold or upper limit associated with the selected policy. Because every policy must contain at least one threshold, default thresholds are defined for each based on standard wireless network issues. Threshold options vary based on the selected policy.
When the threshold is reached for a policy, an alarm is triggered. Alarms from Cisco Adaptive wIPS DoS and security penetration attacks are classified as security alarms. A summary of these attacks is located in the Security Summary page; choose Monitor > Security to access this page. The wIPS attacks are located in the Threats and Attacks section.
– Severity—Indicates the level of severity of the selected policy. Parameters include critical, major, info, and warning. The value of this field might vary depending on the wireless network.
– Notification—Indicates the type of notification associated with the threshold.
– ACL/SSID Group—Indicates the ACL or SSID Group(s) to which this threshold is be applied.
Note Only selected groups trigger the policy.
Step 8 When the profile configuration is complete, select Next to proceed to the MSE/Controller(s) page.
Step 9 In the Apply Profile page, select the mobility services engine and controller(s) to which you want to apply the current profile, then click Apply to apply the current profile to the selected mobility services engine/controller(s).
Note You can also apply a profile directly from the profile list. From the Profile List page, select the profile that you want to apply and click Apply Profile from the Select a command drop-down list. Then click Go to access the Apply Profile page.
Creating Custom SNMP Polling Templates
You can design custom SNMP polling templates to monitor third-party or Cisco devices and device groups. Using this feature, you can:
- Upload the SNMP MIB for the device type, then choose devices and attributes to poll and the polling frequency.
- Upload a single MIB definition file, or a group of MIBs with their dependencies as a ZIP file.
- Deploy the custom SNMP polling template the same way as other monitoring templates.
- Display the results as a line chart or a table.
This feature enables you to easily repeat polling for the same devices and attributes, and can be used to customize the way Cisco devices are polled using SNMP.
You can create a maximum of 25 custom SNMP polling templates.
To create a custom SNMP polling template, follow these steps:
Step 1 Choose Design > Configuration > Custom SNMP Templates.
Step 2 Click the Basic tab and enter the required information. When specifying MIB information:
- Specify a filename extension only if you are uploading a ZIP file.
- If you are uploading a ZIP file, ensure that all dependent MIB files are either included in the ZIP or already present in the system.
- Ensure your upload file and the MIB definition have the same name (for example: Do not rename the ARUBA-MGMT-MIB definition file to ARUBA_MGMT). If you are uploading a ZIP file, you may name it as you please, but the MIB files packaged inside it must also follow this convention (for example: MyMibs.zip is acceptable, as long as all MIB files in the ZIP match their MIB names).
Step 4 Specify the polling parameters for your new template:
a. On the Monitor Configuration Templates page, expand the Features menu, choose Custom SNMP, and select your new custom SNMP template.
b. Complete the basic template fields, then select a polling frequency, then click Save as New Template.
Step 5 To deploy the template:
a. Choose Deploy > Configuration Deployment > Monitoring Deployment. Find the template you created and click Deploy.
b. Check the boxes for the devices to which you want to deploy this template, then click Submit.
Step 6 To view the SNMP polling data, create a generic dashlet (see Creating Generic Dashlets) using the name of the template that you created in Step 4.
Note To view the SNMP polling date for ASR device, you should use the show platform hardware qfp active datapath utilization | inc Processing command for CPU utilization and show platform hardware qfp active infrastructure exmem statistics | sec DRAM command for memory utilization.
Feedback