- Introduction to Administering Cisco Prime Infrastructure
- Administrator Setup Tasks
- Prime Infrastructure Server Settings
- Maintaining Prime Infrastructure Server Health
- Backing Up and Restoring Prime Infrastructure
- Maintaining Network Health
- Managing Data and Collection Retention
- Configuring Controller and AP Settings
- Configuring High Availability
- Configuring Wireless Redundancy
- Controlling User Access
- Advanced Monitoring
- Managing Licenses
- Managing Traffic Metrics
- Planning Network Capacity Changes
- Appendix A: Prime Infrastructure Internal SNMP Trap Generation
- Appendix B: Best Practices: Server Security Hardening
- Appendix C: Configuring the Plug and Play High Availability Feature
Cisco Prime Infrastructure 2.2 Administrator Guide
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- February 9, 2018
Chapter: Administrator Setup Tasks
- Setting Up the Operations Center
- Required Software Versions and Configurations
- Configuring Data Sources for Prime Infrastructure With Assurance
- Enabling Medianet NetFlow
- Enabling NetFlow and Flexible NetFlow
- Deploying Network Analysis Modules (NAMs)
- Enabling Performance Agent
- Installing Prime Infrastructure Patches
Administrator Setup Tasks
The Cisco Prime Infrastructure administrator should plan on completing several initial setup tasks soon after the product is installed.
Setting Up the Operations Center
Before you can use the Operations Center to manage multiple Prime Infrastructure instances, you must first:
1. Activate your Operations Center license on the Prime Infrastructure server that will host Operations Center.
2. Perform a software update on any older Prime Infrastructure instances (that is, 2.1.2) that you plan to manage using Operations Center.
3. Enable single sign-on (SSO) on each of the Prime Infrastructure instances that you will manage using Operations Center.
4. Add Prime Infrastructure instances to Operations Center.
The related topics explain how to complete each of these tasks.
The DNS entry for the Operations Center instance must match the host name configured on the server (that is, running nslookup ipaddress and hostname on the server should yield the same output).
- Before You Begin Setting Up Operations Center
- Activating Your Operations Center License
- Enabling Prime Infrastructure 2.1.2 for Operations Center Management
- Enabling SSO for Operations Center
- Adding Prime Infrastructure Instances to Operations Center
- Operations Center Next Steps
Before You Begin Setting Up Operations Center
Before setting up Operations Center:
- Ensure that none of the Prime Infrastructure servers you use with Operations Center are installed in FIPS mode. Operations Center does not support FIPS mode.
- Verify that the DNS entry for the Prime Infrastructure server that will host the Operations Center matches the host name configured on that server. For example: Running the commands nslookup ipaddress and hostname on the Prime Infrastructure server that will host the Operations Center should yield the same output.
- Ensure that all users who will access network information using Operations Center have both NBI Read and NBI Write access privileges. You can do this by editing these users’ profiles to make them members of the “NBI Read” and “NBI Write” User Groups (see Changing User Group Memberships).
Activating Your Operations Center License
The Operations Center does not have a separate installation procedure. After you have installed Prime Infrastructure, you enable the Operations Center by activating an Operations Center license. The number of Prime Infrastructure instances you can manage using Operations Center depends on the license you have purchased. See the Cisco Prime Infrastructure 2.2 Ordering and Licensing Guide for more information.
Step 1 Select Administration > Licenses to open the Licenses > Summary page.
Step 2 From the left-hand navigation menu, select Files > License Files to open the Licenses > License Files page.
Step 3 Click Add to open the Add a License File dialog box.
Step 5 Navigate to your license file, select it, and then click Open .
Your license should now be listed in the Licenses > License Files page.
Step 7 Log out of Prime Infrastructure and then log back in. The login page that appears should display “Cisco Prime Infrastructure Operations Center”, which indicates the license has been applied.
Enabling Prime Infrastructure 2.1.2 for Operations Center Management
Operations Center is ready to use with instances of Prime Infrastructure 2.2; no software update is needed to use Operations Center to access instances of Prime Infrastructure 2.2.
However, if you want to use Operations Center to manage older Prime Infrastructure instances (“older” in this case means Prime Infrastructure 2.1.2), you must first apply a software update to those older instances.
Note that any user ID created in an instance of Operations Center, or any of the Prime Infrastructure 2.2 instances under that Operations Center’s management, can log in to Operations Center or any of the managed Prime Infrastructure instances. This is not true for instances of Prime Infrastructure older than version 2.2, however. You must re-create the user ID locally on those older instances.
Step 1 Point your browser to https://software.cisco.com/download/navigator.html . The Download Software page displays.
Step 2 Select Products > Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Prime Infrastructure 2.1 .
Step 3 On the results page displayed, select Prime Infrastructure Patches .
Step 4 Select the Prime Infrastructure patch file “operations_center_pi_2_1_2_enable_update.ubf” and click Download to download it.
Step 5 When the download is complete: Log in to the Prime Infrastructure 2.1.2 instance you want to use with Operations Center.
Step 6 Select Administration > Software Update to open the Software Update page.
Step 7 Click Upload Update File to open the Upload Update dialog box.
Step 9 Navigate to the Operations Center update file, select it, and click Open .
After the upload completes, the file is listed on the Software Update page.
Step 11 Select the check box for the update file and then click Install .
After the installation completes, the Software Update page refreshes and displays the value
Yes
in the Installed column for the update file. The value
Yes
is also displayed in the Requires Restart column, indicating that you must restart the Prime Infrastructure server in order for the software update to take effect.
Step 12 Open a CLI session with the server (see Connecting Via CLI) and restart the server (see Restarting Prime Infrastructure).
Step 13 Run the server status command (see Checking Prime Infrastructure Server Status) and check that all of the server processes have restarted. Repeat as needed until you are sure all the processes have restarted.
Step 14 When all server processes are restarted: Log back in to Prime Infrastructure using an administrator ID and then select Administration > Software Update . If the software update was successful, the following values will be displayed for the update package:
Enabling SSO for Operations Center
Complete the following procedure as needed to enable SSO:
- First: On the Prime Infrastructure server that will host the Operations Center.
- Then: On the other Prime Infrastructure servers that the Operations Center will manage.
Step 1 Select Administration > Users, Roles & AAA . The AAA Mode Settings page is displayed.
Step 2 In the AAA Mode field, select the Local radio button and then click Save .
Step 3 From the left-hand navigation menu, click SSO Servers to open the SSO Servers page.
Step 4 From the Select a Command drop-down list, select Add SSO Server and then click Go . The Add SSO Servers page appears.
Step 5 Enter the following information and then click Save :
- Server IP Address : The IP address of the server on which you activated your license (i.e. the server on which the Operations Center will run).
- Port : The port used to log in to the SSO server. By default, port 443 is set. Do not change this value.
- Retries : The number of retries to attempt when logging into the SSO server. By default, this value is set to 1.
The server should now be listed on the Add SSO Servers page.
Step 6 From the left-hand navigation menu, select AAA Mode Settings to reopen the AAA Mode Settings page.
Step 7 Click the SSO radio button (if it is not already selected) and then click Save .
Step 8 After enabling SSO, log out of the instance of Prime Infrastructure on which you enabled SSO and then log back in. On the Operations Center instance, you will see “Operations Center” in the product title when you log in. On the managed instances the login page will look like Prime Infrastructure in SSO mode.
Adding Prime Infrastructure Instances to Operations Center
Once you have configured SSO on Operations Center and the other Prime Infrastructure instances, you must add the other instances to Operations Center to begin managing them.
Step 1 Log in to Operations Center
Step 2 Select Monitor > Manage and Monitor Servers .
Step 4 Enter the server IP and port. You may also enter an alias for the server, and select the HTTPS checkbox if the server uses this protocol. Then click OK .
Step 5 Repeat these steps to add other Prime Infrastructure servers (up to the license limit).
Operations Center Next Steps
When you have completed the tasks described in the related topics, you are ready to use Operations Center. See Monitoring Multiple Prime Infrastructure Instances in the Cisco Prime Infrastructure 2.2 User Guide for typical tasks you perform when using Operations Center.
Required Software Versions and Configurations
To work with Prime Infrastructure, your devices must run at least the minimum required software versions shown in the list of supported devices. You can access this list using the Prime Infrastructure user interface: Choose Help > Supported Devices List .
You must also configure your devices to support SNMP traps and syslogs, and the Network Time Protocol (NTP), as explained in the related topics.
Configuring SNMP
To ensure that Prime Infrastructure can query SNMP devices and receive traps and notifications from them, you must:
- Set SNMP credentials (community strings) on each device you want to manage using Prime Infrastructure.
- Configure these same devices to send SNMP notifications to the Prime Infrastructure server.
Use the following Cisco IOS configuration commands to set read/write and read-only community strings on an SNMP device:
admin(config)#
snmp-server community
private
RW
admin(config)#
snmp-server community
public
RW
where private and public are the community strings you want to set.
After you set the community strings, you can specify that device notifications be sent as traps to the Prime Infrastructure server using the following Cisco IOS global configuration command on each SNMP device:
admin(config)#
snmp-server host
Host
traps
version community notification-type
- Host i s the IP address of the Prime Infrastructure server.
- version is the version of SNMP that is used to send the traps.
- community is the community string sent to the server with the notification operation.
- notification-type is the type of trap to send.
You may need to control bandwidth usage and the amount of trap information being sent to the Prime Infrastructure server using additional commands.
For more information on configuring SNMP, see:
- The snmp-server community and snmp-server host commands in the Cisco IOS Network Management Command Reference .
- The “ Configuring SNMP Support ” section and the list of notification-type values in the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 .
If you are planning on implementing IPSec tunneling between your devices and the Prime Infrastructure server, be advised that you will not receive syslogs transmitted from those devices to the Prime Infrastructure server after implementing IPSec tunneling because IPSec does not support free-form syslogs. However, IPSec does support SNMP traps. To continue getting SNMP notifications of any kind from these devices, you need to configure your devices to send SNMP traps to the Prime Infrastructure server.
Configuring NTP
Network Time Protocol (NTP) must be properly synchronized on all devices in your network as well as on the Prime Infrastructure server. This includes all Prime Infrastructure-related servers: Any remote FTP servers that you use for Prime Infrastructure backups, secondary Prime Infrastructure high-availability servers, the Prime Infrastructure Plug and Play Gateway, VMware vCenter and the ESX virtual machine, and so on.
You specify the default and secondary NTP servers during Prime Infrastructure server installation. You can also use Prime Infrastructure’s ntp server command to add to or change the list of NTP servers after installation. For details, see the section Connecting Via CLI in this Guide and the section on the ntp server command in the Command Reference Guide for Cisco Prime Infrastructure 2.2 . Note that Prime Infrastructure cannot be configured as an NTP server; it acts as an NTP client only.
Failure to manage NTP synchronization across your network can result in anomalous results in Prime Infrastructure. Management of network time accuracy is an extensive subject that involves the organization's network architecture, and is outside the scope of this Guide. For more information on this topic, see (for example) the Cisco White Paper Network Time Protocol: Best Practices .
Configuring Data Sources for Prime Infrastructure With Assurance
If you are licensing Assurance, you must complete pre-installation tasks so that Assurance can monitor your network interfaces and services. See Supported Assurance Data Sources for information about these tasks.
Supported Assurance Data Sources
Prime Infrastructure with Assurance needs to collect data from your network devices using the exported data sources shown in Table 2-1 . For each source, the table shows the devices that support this form of export, and the minimum version of Cisco IOS or other software that must be running on the device to export the data.
Use Table 2-1 to verify that your network devices and their software are compatible with the type of data sources Prime Infrastructure uses. If needed, upgrade your hardware or software. Note that each software version given is a minimum . Your devices can run any later version of the same software or Cisco IOS release train.
You may also need to make changes to ensure that Prime Infrastructure can collect data using SNMP, as explained in Configuring SNMP .
Configuring Assurance Data Sources
Before installing Prime Infrastructure, you should enable the supported devices shown in Table 2-1 to provide Prime Infrastructure with fault, application, and performance data, and ensure that time and date information are consistent across your network. The following topics provide guidelines on how to do this.
|
IP base or IP services feature set and equipped with the network services module. |
See the “Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches” section in the Cisco Prime Infrastructure 2.2 User Guide . |
||
To configure TCP and UDP traffic, see the “Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches” section in the Cisco Prime Infrastructure 2.2 User Guide . To configure Voice & Video, use this CLI template: Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet - PerfMon |
|||
To configure TCP and UDP traffic, see the “Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches” section in the Cisco Prime Infrastructure 2.2 User Guide . To configure Voice & Video, use this CLI template: Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet - PerfMon |
|||
To configure TCP and UDP traffic, see the “Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches” section in the Cisco Prime Infrastructure 2.2 User Guide . To configure Voice & Video, use this CLI template: Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet - PerfMon |
|||
To configure TCP and UDP traffic, use this CLI template: Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Collecting Traffic Statistics To configure Voice & Video, use this CLI template: Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet - PerfMon |
|||
TCP and UDP traffic, application response time, Voice & Video |
To configure TCP, UDP, and ART, see the “Configuring NetFlow on ISR Devices” section in Cisco Prime Infrastructure 2.2 User Guide . To configure Voice & Video, use this CLI template: Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet - PerfMon |
||
TCP and UDP traffic, application response time, Voice and Video |
To configure TCP, UDP, and ART, see the “Configuring Application Visibility” section in the Cisco Prime Infrastructure 2.2 User Guide . |
||
|
TCP and UDP traffic, application response time, Voice & Video, HTTP URL visibility |
|||
Enabling Medianet NetFlow
To ensure that Cisco Prime Infrastructure can make use of Medianet data, your network devices must:
- Enable Medianet NetFlow data export for the basic set of statistics supported in Prime Infrastructure.
- Export the Medianet NetfFlow data to the Prime Infrastructure server and port.
Use a configuration like the following example to ensure that Prime Infrastructure gets the Medianet data it needs:
flow record type performance-monitor PerfMonRecord
match ipv4 destination address
match transport destination-port
collect application media bytes counter
collect application media bytes rate
collect application media packets counter
collect application media packets rate
collect application media event
collect routing forwarding-status
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport round-trip-time
collect transport event packet-loss counter
collect transport rtp jitter mean
collect transport rtp jitter minimum
collect transport rtp jitter maximum
flow monitor type performance-monitor PerfMon
policy-map type performance-monitor PerfMonPolicy
! Enter flow monitor configuration mode.
! Enter RTP monitor metric configuration mode.
!Specifies the minimum number of sequential packets required to identify a stream as being an RTP flow.
! Specifies the maximum number of dropouts allowed when sampling RTP video-monitoring metrics.
! Specifies the maximum number of reorders allowed when sampling RTP video-monitoring metrics.
! Enter IP-CBR monitor metric configuration mode
! Rate for monitoring the metrics (1 packet per sec)
service-policy type performance-monitor input PerfMonPolicy
service-policy type performance-monitor output PerfMonPolicy
In this example configuration:
- PrInIP is the IP address of the Prime Infrastructure server.
- PiInPort is the UDP port on which the Prime Infrastructure server is listening for Medianet data (the default is 9991).
- interfacename is the name of the interface (such as GigabitEthernet0/0 or fastethernet 0/1) sending Medianet NetFlow data to the specified PrInIP .
For more information on Medianet configuration, see the Medianet Reference Guide .
Enabling NetFlow and Flexible NetFlow
To ensure that Prime Infrastructure can make use of NetFlow data, your network devices must:
- Have NetFlow enabled on the interfaces that you want to monitor.
- Export the NetFlow data to the Prime Infrastructure server and port.
As of version 2.1, Prime Infrastructure supports Flexible NetFlow versions 5 and 9. Note that you must enable NetFlow on each physical interface for which you want Prime Infrastructure to collect data. These will normally be Ethernet or WAN interfaces. This applies to physical interfaces only. You do not need to enable NetFlow on VLANs and Tunnels, as they are included automatically whenever you enable NetFlow on a physical interface.
Use the following commands to enable NetFlow on Cisco IOS devices:
Device(config)# interface interfaceName
Device(config)# ip route-cache flow
where interfaceName is the name of the interface (such as fastethernet or fastethernet0/1) on which you want to enable NetFlow.
Once NetFlow is enabled on your devices, you must configure exporters to export NetFlow data to Prime Infrastructure. You can configure an exporter using these commands:
Device(config)# ip flow-export version 5
Device(config)# ip flow-export destination PrInIP PiInPort
Device(config)# ip flow-export source interfaceName
- PrInIP is the IP address of the Prime Infrastructure server.
- PiInPort is the UDP port on which the Prime Infrastructure server is listening for NetFlow data. (The default is 9991.)
- interfaceName is the name of the interface sending NetFlow data to the specified PrInIP . This will cause the source interface’s IP address to be sent to Prime Infrastructure as part of NetFlow export datagrams.
If you configure multiple NetFlow exporters on the same router, make sure that only one of them exports to the Prime Infrastructure server. If you have more than one exporter on the same router exporting to the same destination, you risk data corruption.
Use the following commands to verify that NetFlow is working on a device:
Device# show ip cache verbose flow
For more information on NetFlow configuration, see:
- Cisco IOS Switching Services Configuration Guide, Release 12.1
- Flexible NetFlow Configuration Guide, Cisco IOS Release 15.1M&T
- Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 5.x
- Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting
Deploying Network Analysis Modules (NAMs)
Ensure that your NAMs are placed appropriately in the network. For more information, see:
- Cisco Network Analysis Module Software 5.1 User Guide — Includes deployment scenarios and covers a variety of topics, including deploying NAMs in the branch, and deploying NAMs for WAN optimization.
- Cisco Network Analysis Module Deployment Guide —See the section “Places in the Network Where NAMs Are Deployed”.
If your NAMs are deployed properly, then no other pre installation work is required. When you conduct discovery using Cisco Prime AM, you will need to enter HTTP access credentials for each of your NAMs.
Prime Infrastructure uses a more efficient REST interface to query NAMs. For this reason, it does not support the direct export of NetFlow data from NAMs. Any device exporting NetFlow data must export that NetFlow data directly to Prime Infrastructure, not via a NAM. Exporting NetFlow data from any NAM to Cisco Prime Infrastructure will result in data duplication.
Enabling Performance Agent
To ensure that Prime Infrastructure can collect application performance data, use the Cisco IOS mace (for Measurement, Aggregation and Correlation Engine) keyword to configure Performance Agent (PA) data flow sources on your branch-office and data center routers.
For example, use the following commands in Cisco IOS global configuration mode to configure a PA flow exporter on a router:
Router (config)# flow exporter mace-export
Router (config)# destination 172.30.104.128
Router (config)# transport udp 9991
Use commands like the following to configure flow records for applications with flows across the router:
Router (config)# flow record type mace mace-record
Router (config)# collect application name
Router (config)# collect art all
where application name is the name of the application whose flow data you want to collect.
To configure the PA flow monitor type:
Router (config)# flow monitor type mace mace-monitor
Router (config)# record mace-record
Router (config)# exporter mace-export
To collect traffic of interest, use commands like the following:
Router (config)#
access-list 100 permit tcp any host 10.0.0.1 eq 80
Router (config)#
class-map match-any mace-traffic
Router (config)#
match access-group 100
To configure a PA policy map and forward the PA traffic to the correct monitor:
Router (config)# policy-map type mace mace_global
Router (config)# class mace-traffic
Router (config)# flow monitor mace-monitor
Finally, enable PA on the WAN interface:
Router (config)# interface Serial0/0/0
For more information on configuring Performance Agent, see the Cisco Performance Agent Deployment Guide .
Installing Prime Infrastructure Patches
You may need to install patches to get your version of Prime Infrastructure to the level at which upgrade is supported.You can check the Prime Infrastructure version and patch version you are running by using the CLI commands show version and show application .
Different patch files are provided for each version of Prime Infrastructure and its predecessor products. Download and install only the patch files that match the version of your existing system and that are required before you upgrade to a later version. You can find the appropriate patches by pointing your browser to the Cisco Download Software navigator .
Before installing a patch, you will need to copy the patch file to your Prime Infrastructure server’s default repository. Many users find it easy to do this by first downloading the patch file to a local FTP server, then copying it to the repository. You can also copy the patch file to the default repository using any of the following methods:
- cdrom—Local CD-ROM drive (read only)
- disk—Local hard disk storage
- ftp—URL using an FTP server
- http—URL using an HTTP server (read only)
- https—URL using an HTTPS server (read only)
- nfs—URL using an NFS server
- sftp—URL using an SFTP server
- tftp—URL using a TFTP server
Step 1 Download the appropriate point patch to a local resource in your environment:
a. With the Cisco Download Software navigator displayed in your browser, choose Products > Cloud and Systems Management > Routing and Switching Management > Network Management Solutions > Cisco Prime Infrastructure .
b. Select the version of Cisco Prime Infrastructure that most closely matches the one you are currently using (for example, Cisco Prime Infrastructure 2.2 ).
c. Click Prime Infrastructure Patches to see the list of available patches for that version of the product.
d. Next to each patch that is required, click Download , then follow the prompts to download the file.
Step 2 Open a command-line interface session with the Prime Infrastructure server (see Connecting Via CLI in the Cisco Prime Infrastructure 2.2 Administrator Guide ).
Step 3 Copy the downloaded patch file to the default local repository. For example:
admin#
copy
source path
/defaultRepo
– source is the downloaded patch file’s location and name (for example: ftp://MyFTPServer/pi_9.3.1.0_update.tar.gz).
–
path
is the complete path to the default local backup repository, defaultRepo (for example:
/localdisk
)
admin#
patch install
patchFile
Repositoryname
– patchFile is the name of the patch file you copied to /localdisk/defaultRepo
– Repositoryname is the name of the repository.
For example:
admin# patch install test.tar.gz defaultRepo
Feedback