Cisco DCNM Fundamental Guide, Release 10.0.x

Scope Menu

Beginning with Cisco NX-OS Release 6.x, a new drop-down list called Scope is added to Cisco DCNM Web Client that applies to all pages except the Administration and Configure pages.

You can use the scope menu to filter network information by:

• Data Center
• Default_LAN
• Default_SAN
• Individual Fabric Various other custom scopes created by the users.

The features accessible from the tabs are limited to the areas that you choose in the filter tree.

Admin Menu

You can use the admin menu to:

• DCNM SAN: Launch the SAN Client.
• DCNM DM: Launch the Device Manager Client which is part of the SAN option.
• Change Password: Changes the password for the current logged in user.
• Help Content: Pops out the online help of the current page.
• About: Display the information about Cisco Data Center Network Manager.
• Logout: Logout from the DCNM Web Client.

Table and Filtering Navigation

Some tables that can be filtered will have a filter option to view subsets of the information. Either choose the filter menu or click Filter. An editable row at the top of the table appears. Enter values into the table cells and click Return to display matching rows.

Printing

Click Print to view the table in a printer-friendly format. You can then print the page from the browser.

Exporting to a File

An Export icon is in the upper right corner of some tables or top right corner of the window. Click this icon to export the data to Microsoft Excel.

Sorting Columns

Not all columns are sortable but you can click a sortable column head to sort the information for that column.

Cisco DCNM Web Search Engine

The search engine helps you to locate records according to the following search criteria:

• Search by Name.
• Search by IP Address.
• Search by WWN.
• Search by Alias.
• Search by MAC Address.
• Search by Serial Number.

Using the Cisco DCNM Search Engine

Step 1 Click Search box on the top right corner of the main window.

You see the search text box.

Step 2 Use the drop-down to search by:

• Name
• IP Address
• WWN
• Alias
• MAC Address
• Serial Number

Step 3 Enter the value based on the search option and click the arrow to begin the search.

The search results are displayed in a new window.

Creating a Local Certificate

Step 1 Set up a keystore to use a self-signed certificate (local certificate). From the command line, enter the following command on windows:

Step 2 Enter your name, organization, state, and country. Enter change it when prompted for a keystore password. If you prefer to use your own password, do not forget to change the keystorepass attribute in the server.xml file. When prompted for a key password, press Enter or use the same password as the keystore password.

Note You can now follow the steps in the next section for modifying DCNM Web Client to use SSL.

To obtain a certificate from the Certificate Authority of your choice, you must create a Certificate Signing Request (CSR). The CSR is used by the certificate authority to create a certificate that identifies your website as secure.

Creating a Certificate Request

Step 1 Create a local certificate (as described in the previous section).

Note You must enter the domain of your website in the fields First and Last name in order to create a working certificate.

Step 2 Create the CSR with this commandon windows:

Now you have a file called certreq.csr. The file is encoded in PEM format. You can submit it to the certificate authority. You can find instructions for submitting the file on the Certificate Authority website.

Step 3 After you have your certificate, you can import it into your local keystore. You must first import a Chain Certificate or Root Certificate into your keystore. You can then import your certificate.

Step 4 Download a Chain Certificate from the Certificate Authority where you obtained the certificate:

• For Verisign.com commercial certificates, go to this URL:

http://www.verisign.com/support/install/intermediate.html

• For Verisign.com trial certificates, go to this URL:

http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html

• For Trustcenter.de, go to this URL:

http://www.trustcenter.de/certservices/cacerts/en/en.htm#server

• For Thawte.com, go to this URL:

http://www.thawte.com/certs/trustmap.html

• Import the Chain Certificate into your keystore by entering the keytool -import -alias root -keystore " C:\Program Files\Cisco Systems\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -trustcacerts -file filename_of_the_chain_certificate command.
• Import the new certificate in X509 format by entering the keytool -import -alias tomcat -keystore " C:\Program Files\Cisco Systems\dcm\jboss-as-7.2.0.Final\standalone\configuration\fmserver.jks" -trustcacerts -file your_certificate_filename command.

Migration of DCNM function for LAN to Unified Web Client

For the simplification of management, Cisco DCNM LAN Thick Client has been omitted from release 10.0.x. Now you can perform the functionalities on the unified Cisco DCNM Web Client instead of another LAN thick client. DCNM SAN and DCNM DM Clients are an installation option.

The LAN client and server related components are removed from the installer. The Database tables related to LAN are not created during installation which reduces the size of the installer as well as the installation time and download time.

For more information about the usage of the Cisco DCNM Web Client, please refer to Web Client Online Help.

Multi-Fabric

Starting from Cisco DCNM release 10.0.x, Cisco DCNM supports multi-fabric which means fabrics of different encapsulation type such as FabricPath and VXLAN fabric, can co-exist and fabric level consistency can be validated.

The multi-fabric workflow includes fabric object creation, fabric bring-up per fabric plan, fabric provisioning, and fabric monitoring via topology.

Creating Fabric Object

You can add a LAN fabric through Cisco DCNM Web Client.

From the menu bar, choose Configure > LAN Fabric Settings > LAN Fabrics .

A fabric instance can encapsulate and define not just the properties of the Fabric, but also serve as a container to group all the Leaf, Spine, Border Leaf, Edge Router and other entities that fall into the purview of the Fabric.

The advantages of grouping of the Fabric includes:

• Fabrics of different encapsulation types like FP or VxLAN co-reside in DCNM now.
• Device types and template instances are validated and users can be warned accordingly since the intent of the Fabric is well defined at the beginning of the Fabric design.
• Topology and other visualization tools can feed off this Fabric instance information to make prudent judgments on layout design.
• Fabric level health computation is more meaningful because the meta-data provided by the user about the Fabric helps define the actual intent and behavior of the Fabric.

Fabric Plan

You can add a LAN fabric through Cisco DCNM Web Client.

From the menu bar, choose Configure > LAN Fabric Settings > LAN Fabrics . Click the Add Fabric Plan icon.

Fabric plan is a paradigm to define the intent and characteristics of the Fabric, so that this definition can help guide the rest of the Fabric deployment, management and monitoring.

During fabric plan creation, you can specify the spine, leaf and border switches count, type, and supply the subnets used for numbered IP fabric interfaces as well as VPC peer leaf and keep-alive interfaces. In addition, you can choose to override the default POAP templates that DCNM pre-selects for the switches based on the switch role. DCNM will then auto-generate the cabling plan and auto-populate the POAP definitions for all the switches within the fabric. You are able to update those auto-populated values. After the switch is powered on, DCNM will auto-associate switch according to the serial number with entries in cable plan based on switch's neighbor info gathered during switch boot-up. If needed, DCNM will auto-apply the corresponding POAP definition on the switches to bring up the complete fabric.

Fabric Provision

Similar as previous releases, fabric provision data is organized in organization, partition and network hierarchy. Instead of a flat structure for all the fabrics managed by the same DCNM, the provision data is separated at fabric level so as to be easily traversed, backed-up and restored.

There are 2 exclusive options to provision fabric:

• Switch initiates auto-configuration and Cisco DCNM triggers auto-pull, which requires switch to support auto-configuration feature.
• Cisco DCNM controlled configuration deployment. That means, DCNM manages the VLAN (de)allocation, (un)deploys and tracks the configuration on switches.

Fabric Monitoring

In addition to the fabric topology that depicts all the switches within the fabric and interaction across fabric, DCNM provides fabric level aggregation of information such as switch summary, licensing tracking, provision distribution and health score. The fabric level aggregation data will also be consumed by multi-site feature.

Enhanced Topology

Topology becomes a first class menu item in release 10.0.x with the intention that it is fully functional for providing detailed access to configuration as well as monitoring functionality.

The Cisco DCNM topology includes the following features in a single view:

• Optional display of Fabric topology or device icons
• Display of Multi-link, Port-channels, VPCs
• Display of Inter-fabric links
• VDC and Pod Groupings
• Device-Scope, Fabric and Datacenter drill-down
• Automatic VPC Peer and FEX Groupings
• Ability to select devices and take action consistent with other areas of the product.

The enhanced Topology provides the following functionality:

• Display Link state.
• You can drag, pan, and zoom on the topology page. Device layout is in a tiered topology by default. Customized views can be saved.
• Click on the switch device or the links, port-channel or vpc loop on the topology page, it pops out the summary configuration and status information panel.
• Mouse-over:

– Link mouse-over provides summary performance information.

– Device mouse-over displays the quick information about the device.

• Search for VLAN, VNI, FP, VRF, etc.

For more information about Topology, refer to the Web Client Online Help.

Multi-Site-Manager

From the menu bar, choose Administration > DCNM Server > Multi Site Manager .

Multi Site Manager (MsM) provides a single pane for customer to globally search for switches and virtual machine’s location which Cisco DCNM server owns it. Hyperlink will be provided to access the corresponding switch, host, or the virtual machine (if applicable). Enter the user name and password to login. The page also plays the role of remote site registration. The registration only allows the current Cisco DCNM server to access the remote DCNM server or site. For the remote site to access the current Cisco DCNM server, registration is required on the remote site as well. After you have done the registration, the MSM panel will display a diagram to show the overall health and status of the remote site, and the content of the panel will be subject to change.

MSM supports the following:

• Allow user to see the overall health of the switches (inside SAN and LAN Fabric) in each site.
• Allow user to find out which DCNM Server (site) is managing a given switch.
• On demand finding out the upstream LAN switch of a given host/virtual machine.
• On demand finding out which LAN switches have active VXLAN segment.

Migrated Cisco DCNM SAN Client Functionality

Above from release 10.0.x, Cisco DCNM has supported zone configuration, device alias management and port monitoring for SAN in web client.

From the menu bar, choose Configure > SAN > Zoning .

Zonesets, Zones, Zone Members and Available to Add panels are displayed in a single screen which is more easier to do the zone operation.

From the menu bar, choose Configure > SAN > Device Alias .

You can create, delete and edit the device alias in the device alias table. You can also Commit , Abort changes on the selected switch and Clear CFS Lock on the CFS tab.

From the menu bar, choose Configure > SAN > Port Monitoring .

You can select a set of non-editable default policy including Normal, Default, Aggressive, Most-Aggressive and Slowdrain which are bundled in DCNM to push to the selected switches. You can customize the policy based on the default policy and push the customized policy to the SAN switch. You can view the existing PMON policy on SAN switch.

For more information about the usage of the Cisco DCNM Web Client, please refer to Web Client Online Help.

Image Management

Data center administrators have the onus of tracking the images installed on switches in the network and upgrading them whenever Cisco releases new software images. Image management on the Cisco Nexus devices is done by In-Service Software Upgrade (ISSU), Software Maintenance Upgrades (SMU), and Graceful Insertion and Removal (GIR) through Cisco DCNM web client.

On Cisco DCNM web client, you can:

• Tack images installed on the switches.
• Do upgrade or downgrade of images on multiple switches.
• Schedule the image installation.

From the menu bar, choose Configure > Image Management > Upgrade .

Cisco Nexus Series switches and any connected FEXs can be upgraded without any traffic disruption.

From the menu bar, choose Configure > Image Management > Patch .

SMUs are created to respond to immediate issues and do not include new features. Typically, SMUs do not have a large impact on device operations. You can install and uninstall the SMU tasks in this page.

From the menu bar, choose Configure > Image Management > GIR .

You can change the system mode to GIR mode for the selected switch on this page. GIR mode provides an easy method for isolating a switch for maintenance windows and then bringing it back into service.

From the menu bar, choose Configure > Image Management > Repositories .

You can see the history of ISSU jobs that were triggered from Cisco DCNM for each of the device. This helps for accounting purpose and to find the images installed on the devices.

Note Image management is a licensed feature. Hence you are able to select only the licensed devices. Only Cisco Nexus 3000, Cisco Nexus 5000, Cisco Nexus 6000, Cisco Nexus 7000 and Cisco Nexus 9000 devices are supported.

For more information about the usage of the Cisco DCNM Web Client, please refer to Web Client Online Help.

Modular Device Support

Start from release 10.0.x, Cisco DCNM has supported to apply the patch to the released software that are running in production. In order to support any new hardware which doesn't require many major changes, a patch can be delivered instead of waiting for the next DCNM release. This feature helps to deliver and apply the DCNM patch releases. An authorized DCNM administrator can apply the patch deliverables to the production setup using this tool. Patch releases can be applicable for the following scenarios.

• Support any new hardware (Chassis/Line cards).
• Support latest Cisco NX-OS versions.
• Support critical fixes as patches.

Applying the patch

Step 1 Stop DCNM services.

Step 2 Execute the following command to apply the patch in command prompt or console:

• Windows

Note patch.bat is present in C:\Program Files\Cisco Systems\dcm\fm\bin

Example:

• Linux

Note patch.sh is present in /usr/local/cisco/dcm/fm/bin.

Example:

Step 3 To view the patch details, open the DCNM web UI and go to Administration > Modular Device Support . This window will show the patch deployed on each DCNM server.

• Federation

Patch needs to be applied on all servers in federation separately.

Before applying the patch stop DCNM service on all servers in Federation

• Native HA

Patch needs to be both Active and Standby Servers separately

Before applying the patch stop all service primary service should be stopped.

Rollback

Rollback will removes patch applied most recently. To rollback multiple patch run rollback operation multiple times.

Rollback the patch

Step 1 Stop the DCNM services.

Step 2 Execute the following command to roll back the patch.

• Windows

– Run the following command:

patch rollback

Note patch.bat is present in C:\Program Files\Cisco Systems\dcm\fm\bin.

– Start the DCNM services on windows.

• Linux

– Run the following command to roll back the patch.

./patch.sh rollback

Note patch.sh is present in /usr/local/cisco/dcm/fm/bin.

– Start the DCNM services on Linux

Step 3 Once the patch is rolled back, corresponding information will not be shown in Administration > Modular Device Support window in web UI.

Role Based Access Control

Cisco DCNM allows the administrator to manage users’ access to the Cisco DCNM server and assign a role to each user by using the Cisco DCNM Web client.

• If you are assigned the role as user ,

– You cannot change the Cisco DCNM authentication mode.

– You cannot add or delete Cisco DCNM local user accounts.

– You can change the details of your own local user account.

• If you are assgned the role as admin :

– You have full control of Cisco DCNM authentication settings.

Starting from release 10.0.x, the new introduced Role Based Access Control (RBAC) feature allows the admin to associate user to one or more device scope or group, so that the admin can control users ’ access to devices or fabrics from Cisco DCNM web client or SAN client, and the user can see only the associated switch groups in the Scope drop-down list. This way admin can restrict users to view or configure only subset of discovered devices.

Local Authentication for RBAC

You can do local authentication when you are assigned the role as Network Admin .

Step 1 Login the Cisco DCNM Web Client using the Network Admin account. You have full device access, i.e. Data Center group access.

Step 2 From the left menu bar, choose Administration > DCNM Server > Switch Groups . Click the Add icon to create a new group.

Step 3 From the left menu bar, choose Administration > Management Users > Local. Click Add User to create a new user and assign the role for the user.

Step 4 To manage the access for the user, select the user and click User Access. Check the box before the group or scope that you want the user to access to.

Step 5 When the newly created user logs into Cisco DCNM Web Client, he will see only the associated scope or groups in the Scope drop-down list at the top of the window and he can view only the devices belongs to those group.

Remote Authentication for RBAC

Cisco DCNM supports TACACS+, Radius, Switch and LDAP remote authentication. You can perform remote authentication when you are assigned the role as Network Admin .

Note Anonymous LDAP bind or access is disabled in Cisco DCNM Release 10.1. A read-only LDAP user has been introduced since DCNM 7.1(1), DCNM 7.0(2) and 7.0(1). We recommend you to upgrade to a later version for authenticated LDAP access.

Step 1 Login the Cisco DCNM Web Client using the Network Admin account. You have full device access, i.e. Data Center group access.

Step 2 From the left menu bar, choose Administration > DCNM Server > Switch Groups . Click the Add icon to create a new group.

Step 3 From the left menu bar, choose Administration > Management Users > Remote AAA .

– If you choose TACACS+ or Radius authentication mode, cisco-av-pair attribute has been extended by adding the dcnm-access key in addition to role. To assign a Cisco DCNM user role by TACACS+ and Radius, Cisco DCNM use the returned cisco-av-pair attribute-value pair from TACACS+ and Radius remote authentication.

cisco-av-pair Attribute-Value Pair shows the cisco-av-pair attribute-value pair

cisco-av-pair Attribute-Value Pair

Cisco DCNM Role	RADIUS Cisco-AV-Pair Value	TACACS+ Shell cisco-av-pair Value
User	shell:roles = "network-operator" dcnm-access="group1 group2 group5"	cisco-av-pair=shell:roles="network-operator" dcnm-access="group1 group2 group5"
Admin	shell:roles = "network-admin" dcnm-access="group1 group2 group5"	cisco-av-pair=shell:roles="network-admin" dcnm-access="group1 group2 group5"

Admin can configure the group information using the key dcnm-access with groups separated by commas as in the above table.

By getting the access information from the remote authentication, logged in user will be able to see only those associated group devices. If the remote authentication response does not assign groups, user can see all the devices.

– If you choose LDAP authentication mode, specify the Access Map text field to associate the accessible groups for the user. The format is: userDomain1:group1,group2;userDomain2:group3.

---

Note For Switch authentication mode, the RBAC is not supported.

---

---

 

Configuration Archive

The configuration archive feature allows you to backup device configurations, both running configuration and startup configurations as a regular text file in the file system. The backup files can be stored in the DCNM server host or on a file server.

You can also configure the archive system to support scheduling of jobs for the selected list of devices. You can configure only one job for a switch.

You can find this feature in the DCNM Web Client under Configure > Backup > Switch Configuration .

You can perform following tasks using this feature:

• Import the configuration file from the file server to the Cisco DCNM.
• Compare the configuration file with another version of the same configuration or with the configuration file of another device.
• Copy the configuration files to the same device, to another device, or multiple devices concurrently.
• Restore the configuration file from the selected switches or from the Golden backup.
• View or edit the configuration file on the device.
• Delete the configuration file from the device.
• Archive jobs.

For more information about the configuration archive feature, please refer to Web Client Online Help.