Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 143
Deployment Guide
Contents
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 143
Deployment Guide
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 143
Deployment Guide
Introduction
Effective network management is critical in todays networks, helping enterprises deploy and manage solutions. With
increasing reliance on networks to increase productivity, enterprises are confronted with an ever growing network
size. Such increase in the number of network elements creates a challenge for network administrators. How does an
enterprise effectively deploy and maintain its network devices?
CiscoWorks LAN Management Solution (LMS) provides the integrated management tools needed to simplify the
configuration, administration, monitoring, and troubleshooting of Cisco networks. LMS provides IT organizations an
integrated system for sharing device information across management applications, automation of device
management tasks, visibility into the health and capability of the network, and identification and localization of
network trouble. By using common centralized systems and network-inventory knowledge, CiscoWorks LMS delivers
a unique platform of cross-functional management capabilities that reduces network administration overhead and
provides upper-layer systems integration.
For detailed product infoormation related to LMS, refer to the product portal http://www.cisco.com/go/lms.
Tip: In short, the decision on whether to use single or multiple LMS servers to manage the network depends on:
How many devices are managed by the LMS server. In LMS 3.2, one single server can manage up to 5000
devices per server.
How the LMS applications are used. For example, if DFM is used extensively to poll the devices, it is
recommended to dedicate a server to DFM. Refer to the scalibility numbers and server planning details in the
Large Scale Deployment Guide.
Supported Device List (check out the Generic Device Support section in Chapter 7, RME):
http://www.cisco.com/en/US/products/sw/cscowork/ps2425/products_device_support_tables_list.html
Evaluation copy (valid for 100 devices and 90 days; copies of both Windows and Solaris are available):
http://www.cisco.com/go/nmsevals
Note: There are release notes for the individual components but not at the bundle level.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 143
Deployment Guide
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 143
Deployment Guide
Note: Refer to Appendix B for the version matrix of LMS bundles. To understand the new and legacy features
introduced in each version, refer to the Installation Guide and the individual application user guides.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 143
Deployment Guide
LMS Workflow
The flow chart in Figure 2 summarizes the device and LMS setup workflow, which covers the whole lifecycle of LMS
server from initial setup to ongoing operations. The following chapters illustrate in detail each of the steps mentioned
in this workflow.
Step 1. The first step in the workflow is to turn on Cisco Discovery Protocol (CDP), SNMP, and other credentials
such as Telnet username/password on the devices so that the devices can be discovered and managed by
CiscoWorks.
Tools used: Command-line interface (CLI) tools such as console connection, Telnet, Secure Shell (SSH)
Protocol, and so on.
Step 2. The LMS server is installed, and initial setup was done on the server. This includes setting up the
dashboard for the user interface, configuring basic server settings, automatically discovering the devices or
manually adding devices, allocating the devices to be managed by the applications, integrating with Cisco
Secure Access Control Server (ACS), and so on.
Tools used: LMS Portal, CiscoWorks Assistant, Common Services, and Setup Center.
For stronger security, Cisco recommends that you integrate LMS with Cisco Secure ACS. Please refer to the
whitepaper on ACS integration at
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.
html.
Step 3. Once the Common Services Device and Credentials Repository (DCR) and the individual device databases
residing on different applications are populated, administrators can start to perform their daily management
tasks including:
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 7 of 143
Deployment Guide
Besides these steps, there is also ongoing work for the maintenance and administration of the LMS server. The
administrator can backup and restore data on the LMS server. LMS also offers a rich set of command-line tools to
extract data from DCR and other individual applications. In LMS 3.2, we also support direct Open Database
Connectivity (ODBC) access to database views.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 8 of 143
Deployment Guide
LAN Management Solution 3.2 helps in managing Cisco devices on the network. Before LMS 3.2 can function
properly, the network devices that LMS interfaces with must be set up correctly in order to communicate with the
CiscoWorks server. For example, the SNMP community strings must match between the device and the CiscoWorks
server. The information provided in this chapter is a general description of the means and procedures recommended
to make sure that the network devices are set up properly.
Note: This chapter provides a great deal of information on the device configuration procedures required to
manage devices using CiscoWorks LAN Management Solution. Keep in mind that this document is not intended to
be a comprehensive configuration guide for LMS 3.2. For additional LMS configuration details, please
contact a Cisco Certified network engineer (if possible) and refer to pertinent documents that are posted on
Cisco.com.
Prior to LMS deployment, in the case of Cisco IOS and Catalyst Operating System (CatOS) devices, all configuration
changes must be saved to nonvolatile memory (NVRAM) using the following commands:
write memory
or
copy running-config startup-config
Please note that the above command is provided to save pre-LMS deployment configuration changes. After LMS is
deployed, configuration changes will be saved automatically where appropriate and no user intervention is required.
Also note that newer versions of CatOS devices have separate running and startup configurations.
System Name
Each Cisco IOS device in the network must have a unique system name (sysname) in order to be managed. The
system name is also populated in the Cisco Discovery Protocol table. If there are duplicate system names on the
network, LMS will discover only one device by that name on the network. On Cisco IOS devices, the domain name
also affects the system name.
You can set up the system name using the following commands:
Domain Name
You can set a domain name on a Cisco IOS or CatOS device. To set up the domain name, use the following
commands.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 9 of 143
Deployment Guide
Command-Line Prompts
To utilize the NetConfig capability to execute batch changes on devices, Cisco device command-line prompts should
meet the requirements described in this section.
Application Telnet/SSH Password Enable Password SNMP Read Only SNMP Read / Write
Device Fault Manager Not required Not required Required Not required
Health and Utilization Monitor Not required Not required Required Not required
SNMP Settings
LMS supports SNMPv1/v2c, and SNMPv3 with both AuthNoPriv mode and AuthPriv. SNMPv3 AuthPriv is a new
feature introduced since LMS 3.0.1.
1
Configuration download also uses TFTP. Hence, SNMP Read/Write credentials are required.
2
The file vlan.dat can be fetched only if the Telnet password and Enable password are supplied.
3
Required in the case of a few devices such as PIX devices, Cisco 2950 Series Switches.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 10 of 143
Deployment Guide
Note: SNMPv3 AuthPriv support for DFM is added in a drop-in over LMS 3.1 for 100, 300, and 1500 device
counts.
SNMP settings include both the read-only community string and the rewritable community string. The read-only
community string is used to perform snmp get operations on MIB objects to collect information such as inventory,
interface utilization, and so on. The rewritable community string is used in various cases. For example, the RW string
is used in RME for:
Configuration deployment
Software Image Management (SWIM)
CiscoWorks can collect device configurations by either SNMP-write, which triggers a TFTP, or by grabbing output
from a CLI 'show running' c(requiring Telnet or SSH access to the device).
In image deployment the RW community string is used to trigger the TFTP connection and also for the system
reboot after the image is downloaded. The RW string is also used in Campus Manager for configuration changes
such as fixing discrepancies.
The community strings configured on the devices should match the community strings entered in the DCR
component in LMS.
Create a view
snmp-server view campus oid-tree included
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 11 of 143
Deployment Guide
Create a view
set snmp view campus 1.3.6.1 included nonvolatile
Enabling traps in Cisco IOS devices to be sent to a particular host using SNMPv2c:
To enable traps in Cisco IOS devices to be sent to a particular host using SNMPv2c, enter this command:
snmp-server host 192.168.124.24 traps version 2c public
In the above examples for enabling traps, the public community string is to help selective processing of traps on the
trap receiving side.
For example:
set snmp access campusgroup security-model v3 authentication context vlan prefix
write campusview read campusview nonvolatile
For example:
set snmp access campusgroup security-model v3 authentication context mst prefix
write campusview read campusview nonvolatile
For example:
set snmp access campusgroup security-model v3 authentication context mistp prefix
write campusview read campusview nonvolatile
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 12 of 143
Deployment Guide
Note: Context support is not available on XL Series and 2950 Switches, and Campus Manager will not fully work
with them when they are configured to use SNMPv3.
System Reload
After a software image distribution operation using Resource Manager Essentials is completed, RME will reload the
device if specified in the image distribution job. RME will be able to reload any device (Cisco IOS or CatOS) only if
an SNMP manager (in this case RME) is allowed to reset the agent.
Telnet/SSH
Telnet is one of the basic protocols that can be used by RME for configuration management. You can enable Telnet
using the following commands.
To enable Telnet on Cisco IOS devices and CatOS devices, enter these commands:
line vty 0 4
password <password>
transport input telnet
Note: More than four VTY lines can be selected for login.
The following example configures SSH control parameters on a router running Cisco IOS Software:
Router> config terminal
Router (config)# hostname hostname <the name of the router>
Router (config)# ip domain-name domainname <a domain that the router services>
Router (config)# crypto key generate rsa
Router (config)# aaa new-model
Router (config)# username <username> password <password>
Router (config)# ip ssh time-out <seconds>
Router (config)# ip ssh authentication-retries <integer>
Router (config)# line vty 0 4
Router (config-line)# transport input SSH
Make sure to do this for all vty lines.
Catalyst OS
Note: For greater access control and logging facilities, use TACACS. SSH configuration requires the domain
name to be configured.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 13 of 143
Deployment Guide
RCP can be enabled only on devices running Cisco IOS Software using the following sample commands:
username cwuser password 7 000C1C0A05
ip rcmd rcp-enable
ip rcmd remote-host cwuser 172.17.246.221 cwuser enable
ip rcmd remote-username cwuser
Note: The value of <remote-username> and <local-username> entered in the device should match the
RCP User value provided in the LMS server. The default value is cwuser. This value can be reset by traversing
through the following user interface links in LMS server: Common Services Server Admin
System Preferences. See Figure 3.
To enable and configure a Cisco router for SCP server-side functionality, perform the steps in Table 2.
Command Purpose
Step 1 enable Enables privileged EXEC mode. Enter your password if prompted.
Step 3 Router (config)# aaa new-model Sets authentication, authorization, and accounting (AAA)at login.
Step 4 Router (config)# aaa authentication login Enables the AAA access control system. Complete syntax: aaa authentication login
default group tacacs+ {default |list-name} method1 [method2...]
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 14 of 143
Deployment Guide
Step 5 Router (config)# aaa authorization exec Sets parameters that restrict user access to a network. The exec keyword runs
default group tacacs+ authorization to determine if the user is allowed to run an EXEC shell; therefore, you must
use it when you configure SCP.
Syntax:
aaa authorization {network | exec | commands level | reverse-access |
configuration} {default | list-name} [method1 [method2...]]
Step 6 Router (config)# username superuser Establishes a username-based authentication system. You may skip this step if a
privilege 2 password 0 superpassword network-based authentication mechanism -- such as TACACS+ or RADIUS -- has been
configured.
Syntax:
usernamename[privilegelevel]{passwordencryption-type encrypted-
password}
Step 7 Router (config)# ip scp server enable Enables SCP server-side functionality.
The Secure HTTP (HTTPS) feature provides the capability to connect to the Cisco IOS HTTPS server securely. It
uses Secure Sockets Layer (SSL)4 and Transport Layer Security (TLS) to provide device authentication and data
encryption.
Note: As of LMS Release 2.5, HTTPS mode is supported only for VPN 3000 concentrators. To enable HTTPS
mode in a VPN 3000 concentrator, visit Configuration | System | Management Protocols | HTTP/HTTPS.
Enabling Cisco Discovery Protocol on devices allows Common Services to learn information about neighboring
devices and to send SNMP queries to those devices.
Cisco Discovery Protocol is enabled on Cisco IOS devices by default. To manually enable Cisco Discovery Protocol
capability on Cisco IOS devices use the following commands.
4
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more details please visit
http://www.openssl.org/.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 15 of 143
Deployment Guide
Use the no command to disable Cisco Discovery Protocol capability on Cisco IOS devices.
Cisco Discovery Protocol is enabled on Cisco CatOS devices by default. To enable Cisco Discovery Protocol
capability manually on CatOS devices use the following commands:
Do not run Cisco Discovery Protocol on links that dont need to be discovered by Campus Manager, for example,
connection to the Internet and end host connection ports on access switches.
To protect from Cisco Discovery Protocoldenial of service (DoS) attacks, do not enable Cisco Discovery Protocol on
links that are connected to non Cisco devices.
Note: Certain nonCisco devices support Cisco Discovery Protocol. If you enable Cisco Discovery Protocol on the
Cisco devices connected to nonCisco devices, they will appear on the Campus map.
For related information, please refer to the following URL for how to discover devices using LMS.
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-
493921_ps3996_Products_White_Paper.html
Syslog Messages
Syslog messages can be enabled on Cisco devices to fully use the capability of LMS, especially RME. RME has a
built-in syslog receiver/analyzer, and it can invoke automated actions based on the content of the syslog message.
Cisco IOS Devices
Enable Syslog messages on IOS devices from global configuration mode:
logging on
logging < server-ip-address>
logging facility local7
logging trap <logging-level>
For example,
logging 10.1.1.1
logging on
logging facility local7
logging trap warnings
Note: To limit the number of messages sent to the syslog servers, use the logging trap configuration command
above.
Catalyst OS Devices
Enable Syslog messages on CatOS devices:
set logging server enable
set logging server <server-ip-address>
set logging level all <logging-level> default
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 16 of 143
Deployment Guide
The <server-ip-address> is the IP address of the LMS server. In case of multiple servers the server IP address
entered here is the address of the RME server. In the case of remote Syslog Analyzer and Collector, this parameter
is the IP address of the remote Syslog Analyzer and Collector.
A better way to turn on syslog on devices is to use the RME NetConfig tool. With NetConfig users can create a job to
deploy syslog configuration commands to multiple devices at the same time. NetConfig will be discussed in following
section, but Figure 4 shows what an example syslog configuration will look like.
Note: The settings described in this section will be finished after the LMS server is installed.
One of the most important areas of setup is the RME protocol setup. RME uses various protocols for configuration
and software management. Network administrators can assign the protocols to be used in RME for configuration
management and software management.
Configuration Management
You can set the protocols and order for configuration management applications such as Archive Management,
Config Editor, and NetConfig jobs to download configurations and to fetch configurations. The available protocols are
Telnet, Trivial File Transport Protocol (TFTP), RCP, SSH (Secure Shell), SCP, and HTTPS.
To setup protocol ordering for configuration management, go to Resource Manager Essentials Administration
Config Mgmt.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 17 of 143
Deployment Guide
As in the Figure 5, for Config Fetch we use the SSH and TFTP protocols. LMS will first try SSH. If SSH does not
work after three retries (not customizable) and timeouts (customizable, see below), LMS will fall back to TFTP, the
next protocol on the list.
For secure communication between the server and device use SSH.
From RME Admin System Preferences RME Device Attributes, we have an option to set timeout for
SNMP, Telnet, and TFTP. See Table 3 and Figure 6.
HTTPS Single attempt with primary credentials (default); if failed, one more attempt with
secondary credentials (only if administrator settings are enabled for fallback)
SCP 36 seconds (default) 3 attempts with primary credentials (default); if failed, 3 more attempts with secondary
credentials (only if administrator settings enabled for fallback)
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 18 of 143
Deployment Guide
Primary credentials
Secondary credentials
RME uses either the primary or secondary credentials to access the devices using the following protocols:
Telnet
SSH
The RME server first uses the primary credentials to access the device. The primary credentials are tried out three
times, and on failure the secondary credentials are tried out three times. Secondary credentials are used as a
fallback mechanism in RME 4.3 for connecting to devices. See Figure 7.
For instance, if the AAA server is down, accessing devices using their primary credentials will lead to failure.
You can add or edit the secondary credentials information through the DCR page available in CiscoWorks Common
Services if the secondary credentials information is not available for a device.
In the View/Edit Preferences dialog box (Resource Manager Essentials Administration Software Mgmt
View/Edit Preferences) you can define the protocol order that software management has to use for software image
downloads. Use the Add and Remove buttons for selecting the protocol order. See Figure 8.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 19 of 143
Deployment Guide
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 20 of 143
Deployment Guide
Cisco LAN Management Solution installation is supported on both the Windows and Solaris operating
systems.
Make sure your server hardware and software meet the minimum requirements to install the LMS server. The
requirements vary according to how many devices you want to manage, how many applications you are
installing, how heavily you are using the applications, any need to use a virtual machine, and so on. Check
out the System Requirements section for more details.
Back up your database if you have a previous version of LMS running. It is recommended to store backups
on a separate partition or preferably on a separate disk. Backup partitions need to be large enough to store
all application databases (for instance, RME, Campus Manager, DFM, and so on) as well as device
configurations, software images, and user accounts. The backup partition should allow for multiple revisions.
It is recommended to verify all backups that may be needed in the future. Please refer to the document Data
Migration Guide of LMS3.0 available on the installation DVD.
Enable Domain Name System (DNS) on the server so the device names can be resolved against IP
addresses. If DNS is not present, create a local hosts file to help resolve the device names.
We recommend that before installing the LMS 3.2 product, you register the product and receive a permanent
license.
Licensing Process
To license your product, follow these steps:
Step 4. Register the LMS product with Cisco.com to get your license file. If you are a registered user of Cisco.com,
get your license file from http://www.cisco.com/go/license.
Note: If you are not a registered user of Cisco.com, get your Cisco.com user ID from
http://tools.cisco.com/RPF/register/register.do.
Once you have obtained your Cisco.com user ID, log on to http://www.cisco.com/go/license to get your
license file.
Logging into Cisco.com allows your Cisco user profile information to auto populate several product
registration fields. Please note that the user authentication information is case sensitive.
Step 5. After you install LMS 3.2, copy the new license file to the CiscoWorks Common Services server into a
directory with read permissions for the user name casuser or the user group casusers, such as
.\NMSROOT (/opt/CSCopx) on Solaris, C:\program files\CSCopx on Windows.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 21 of 143
Deployment Guide
Note: Do not save the license file on your desktop. casuser does not have read permission for the desktop folder.
Even if you give casuser read permission to the license file residing on your desktop, casuser still cannot
access the file, and therefore the license file cannot be verified. You must give read permission to the folder
in which the license file is located.
Go to the CiscoWorks homepage and select Common Services Server Admin Licensing. The License
Administration page appears. Enter the path to the new license file in the License field, or click Browse to locate the
license file that you copied to the server in Step 2.
The system verifies whether the license file is valid, and updates the license.
Note: The license file obtained is platform independent and thus can be used in both Windows as well as Solaris
operating systems.
You can select any one of the following four licenses of LMS 3.2:
CWLMS-3.2-100-K9
Allows you to manage the following in each application:
CiscoWorks RME: 100 devices
CiscoWorks Campus Manager: 100 devices
CiscoWorks DFM: 100 devices
CiscoWorks IPM: 100 devices and 300 collectors
CWLMS-3.2-300-K9
Allows you to manage the following in each application:
CiscoWorks RME: 300 devices
CiscoWorks Campus Manager: 300 devices
CiscoWorks DFM: 300 devices
CiscoWorks IPM: 300 devices and 1000 collectors
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 22 of 143
Deployment Guide
CWLMS-3.2-1.5K-K9
Allows you to manage the following in each application:
CiscoWorks RME: 1500 devices
CiscoWorks Campus Manager : 1500 devices
CiscoWorks DFM: 1500 devices
CiscoWorks IPM: 1500 devices and 1500 collectors
CWLMS-3.2-5K-K9
Allows you to manage the following in each application:
CiscoWorks RME: 5000 devices
CiscoWorks Campus Manager: 5000 devices
CiscoWorks DFM: 5000 devices
CiscoWorks IPM: 5000 devices and 5000 collectors,or 10,000 collectors (1 hour polling interval)
CWLMS-3.2-10K-K9
Allows you to manage the following in each application:
CiscoWorks RME : 10,000 devices
CiscoWorks Campus Manager: 5000 devices
CiscoWorks DFM: 5000 devices
CiscoWorks IPM: 5000 device and 5000 collectors,or 10,000 collectors (1 hour polling interval)
Note: The 10,000 SKU has not been tested at the bundle level, that is, RME and 5000 devices in all other
applications in a single server. It can be only a multi-server deployment.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 23 of 143
Deployment Guide
For step-by-step installation instructions, please refer to the white paper Installing and Getting Started with LMS 3.2
on the installation DVD.
Note: Choose Custom Installation or Typical Installation with Show Details option enabled, so you can get the
database password. The password may be needed if you want to develop applications to access the LMS
database directly.
For more information on upgrade and migration, see Installing and Getting Started with CiscoWorks LAN
Management Solution 3.2 (Maintenance Kit) and Data Migration Guide for CiscoWorks LAN Management Solution
3.2 on the installation DVD.
Note: For customers still running LMS 2.2 or earlier, it is recommended to get a new server and perform a fresh
installation.
Installation Log
The installation log exhaustively logs operations performed during the installation process. In case the installation is
unsuccessful or problematic, you can review the installation log for error messages, if any.
Solaris
In Solaris, the installation log is located at /var/tmp/Ciscoworks_install_YYYYMMDD_hhmmss.log for LMS 3.2
installation, where YYYYMMDD denotes the year, month, and date of installation and hhmmss denotes the
hours, minutes, and seconds of installation.For example:/var/tmp/Ciscoworks_install_20060721_182 205.log
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 24 of 143
Deployment Guide
Windows
In Windows, the installation log is located in the root directory of the drive where the operating system is
installed. Each installation creates a new log file.
For LMS 3.2, the installation log file is C:\Ciscoworks_install_YYYYMMDD_hhmmss.log, where YYYYMMDD
denotes the year, month, and date of installation and hhmmss denotes the hours, minutes, and seconds of
installation.
For example: C:\Ciscoworks_install_20060721_182205.log
where server_name is the name of the CiscoWorks server and 1741 is the TCP port used by the
CiscoWorks server.
In normal mode (HTTP), the default TCP port for the CiscoWorks server is 1741. When SSL (HHTPS) is
enabled, the default TCP port for the CiscoWorks server is 443.
You can change the HTTPS port number of the CiscoWorks server during the installation. See Installing
and Getting Started with LAN Management Solution 3.2 for more information.
Step 2. Select Common Services Software Center Software Update.
The Software Updates window appears. The entries shown in Figure 10 appear in the Products Installed table for
each application that you have installed.
On the client side, Firefox 3.0 and Internet Explorer 7.0 browsers are supported in this release.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 25 of 143
Deployment Guide
Note: There is a link on LMS Portal for the latest announcements regarding software update and related topics.
System Requirements
Use the server sizing tool to determine the hardware/software requirements. Its located at
http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_presentation_list.html. (Please contact your local
Cisco account team to access http://wwwin-people.cisco.com/tshah/LMS/lms31-sizing.html if you are unable to
reach this URL).
There will be a special whitepaper for VMware support published along with the release of LMS 3.2. It will be posted
at http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html.
LMS Portal 1.2 and CiscoWorks Assistant 1.2 will be selected by default along with Common Services 3.3.
Common Services 3.3, LMS Portal 1.2, and CiscoWorks Assistant 1.2 must be installed and uninstalled
together.
Integration Utility (NMIM) 1.9 can be installed independently without installing the default applications
Common Services 3.3, LMS Portal 1.2, and CiscoWorks Assistant 1.2.
Applications can be selected simultaneously for a reinstallation during new or upgrade install of LMS 3.2.
TCP 49 TACACS+ and ACS CiscoWorks Common Services, RME, Campus Server to ACS
Manager, DFM, and IPM
TCP 25 Simple Mail Transfer Protocol CiscoWorks Common Services (PSU), RME Server to SMTP server
(SMTP)
TCP 514 Remote Copy Protocol CiscoWorks Common Services Server to device
UDP 162 SNMP traps (standard port) Campus and DFM Device to server
UDP 514 Syslog CiscoWorks Common Services and RME Device to server
UDP 1431 Trap listener to MAC notification Campus Manager Device to server
traps
UDP 9000 DFM trap receiving (if port 162 is DFM Device to Server
occupied)
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 26 of 143
Deployment Guide
TCP 443 CiscoWorks HTTP server in SSL CiscoWorks Common Services Client to server
mode Server internal
TCP 1741 CiscoWorks HTTP Protocol CiscoWorks Common Services, CiscoView, Client to server
Campus Manager, RME, DFM, and IPM
TCP 9009 Ajp13 connector used by Tomcat CiscoWorks Common Services Server internal
UDP 14004 Lock port for ANIServer singlet Campus Manager Server internal
on check
TCP 40050 CSTM ports used by CS CiscoWorks Common Services Server internal
40070 applications, such as OGS, DCR
TCP 42340 CiscoWorks Daemon Manager CiscoWorks Common Services Server internal
Tool for Server Processes
TCP 42344 ANI HTTP server CiscoWorks Common Services Server internal
UDP 42350 Event Services Software (ESS) CiscoWorks Common Services Server internal
(alternate port is 44350/udp)
TCP 42351 Event Services Software (ESS) CiscoWorks Common Services Server internal
listening
(alternate port is 44351/tcp)
TCP 44400- CSTM port for DFM, HUM DFM, HUM Server internal
44420
TCP 55000- CSTM port for Campus Manager Campus Manager Server internal
55020
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 27 of 143
Deployment Guide
4. Initial Setup of the LMS 3.2 Server: Portal, Setup Center, and
Common Services
This chapter will guide you through the initial setup of the LAN Management Solution server. This chapter
provides setup information on the CiscoWorks Portal, CiscoWorks Assistant, Setup Center, and Common
Services.
LMS Portal is the GUI front of the server. CWA is the workflow engine, or GUI wizard, to guide the user through
setting up the LMS server. CWA has been steadily improved since first introduced in LMS 3.0. It is the
recommended way for the initial setup of the LMS 3.2 server.
Alternatively, advanced users can use LMS Setup Center for more server setup functions. LMS Setup Center is the
centralized location where the user can get done with most of the application settings including Common Services,
Resource Management Essential, Campus Manager, and Device Fault Manager.
CiscoWorks Portal
In previous versions of LMS, users had to go through multiple layers of user interface (sometimes through three or
four mouse clicks) to reach status information or the desired data. Moreover there was no customization supported.
Users could not customize the desktop for easy, quick access to frequently accessed data or functionality, which led
to usability challenges.
Starting with LMS 3.0, the CiscoWorks Portal was introduced as the dashboard to provide zero-click access to
network data and management functionality, significantly improving the usability of LMS. Through this portal, you can
easily launch all the functions offered by LMS and have direct access to the status of your LMS servers, network
devices, and network topologies.
Customization: You can personalize the CiscoWorks homepage using the drag-and-drop, add, edit, and
remove features
Information available zero-click: Easy and quick access to the frequently viewed vital information pulled
directly from the applications in the CiscoWorks LMS suite
Multi-server support: Lists all of the portlets based on the applications installed on remote servers
Lightweight GUI: Eliminates the need to install any plug-ins to launch the application
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 28 of 143
Deployment Guide
The Portal: The portal serves as the overall container and contains a set of views. You can set up the portal
to manage a single server or multiple servers.
Communities and Views: Views are organized pages under name tabs and contain a set of portlets. For
example, under the Functional tab is the Functional view. LMS 3.2 comes with three predefined communities,
or supersets of views (Figure 12).
You can select either LMS or CiscoWorks Portal or My Portal from the drop-down box displayed at the top
right corner of CiscoWorks LMS Portal.
The LMS community is the default community and contains nine page views:Functional, System, Network,
CS, DFM, CM, RME, IPM, and HUM. You can also create your own page views and add portlets to get the
view you want.
The CiscoWorks Portal is the public community shared by all users. You can copy views from LMS super
view and add or delete portlets for everyone to see.
The My Portal view is the private community configured by the user. It changes when a different user logs into
the server.
Portlets: Portlets are individual pieces of data pointing to an application function or status report. You can
add or remove portlets to customize the views except the Functional view. The portlet list is based on the
applications installed and registered. The visibility of portlet contents is based on the users roles and
privileges.
Each portlet contains six icons on the top. These icons will be visible only when you move the mouse over the right
corner of each portlet. By clicking these icons you can change the look and feel of the portlet, configure the portlet,
get help, minimize or maximize, or close the portlet. See Figure 13.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 29 of 143
Deployment Guide
To add a view:
Go to the CiscoWorks LMS Portal homepage and click the Add View button located at the top right corner of the
portal.
Note: After you add a View, you can customize it by either duplicating an existing view as a template or by
creating it afresh by adding your own portlet. To duplicate from an existing view as a template, click in your newly
created view, click View, and then choose the template and click Save. Following this step, you can go to
the view and choose to add or delete individual portlets.
Customize a View
To start from a blank view, click the tab for the new view, and click the Add Portlet button located at the top right
corner. The portlet selector appears (Figure 15).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 30 of 143
Deployment Guide
From this selector, you can choose the portlet you want to add to your view by browsing the available categories.
You can search a portlet by using the search box at the top. For example, you can search for Object Finder (Figure
16).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 31 of 143
Deployment Guide
Portlet view: This is the default type. Its a view that contains various portlets of interests.
Embedded view: You can embed a webpage in the embedded view. Just point it to the URL of the webpage.
Itll show the webpage in LMS Portal.
URL: You can point to a URL. Clicking the view tab will launch the website outside the portal.
To change the view type, click the Edit View button at the top right corner of the portal. For example, see Figure 17
to see how to make an embedded view for the RME dashboard.
Note: You can create a friendly URL for the view, which can be used to directly access functions.
Deleting a View
To delete a view, edit the view and choose the view to be deleted (Figure 18).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 32 of 143
Deployment Guide
The Server Setup workflow will guide the user through the basic server setup tasks including:
Configuring server settings such as System Identity, admin password, SMTP, and so on
Configuring device management mode
Configuring default credentials for the network devices
Manually adding or automatically discovering network devices on your network
Allocating devices to be managed by applications like RME, CM, DFM, and IPM
Integrating with ACS (optional but recommended; covered in a separate whitepaper)
Note: After finishing the CWA workflow, all these tasks can still be directly accessed in Common Services.
After launching the CWA server setup workflow, it shows the local LMS server and the connection status (Figure 20).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 33 of 143
Deployment Guide
Click the Start Setup button to start the workflow, or continue the previous unfinished setup.
For a fresh server, the user needs to configure the server setting as shown in Figure 21.
The next step will show the current system identity. System identity setup helps you to create a trusted user on
servers that are part of a multiple LMS server setup or ACS integration. This facilitates user communication among
servers that are part of a management domain. There can only be one system identity user for each server.
The system identity user you configure must be a peer server user.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 34 of 143
Deployment Guide
In the non-ACS mode, the system identity user that you create must be a local user, with all privileges.
In the ACS mode, the system identity user should be configured in ACS, with Super Admin privileges, in all
applications registered in ACS. You can either configure the system identity user with the predefined Super Admin
role or with a custom role created with all privileges in ACS. See Figure 22.
The next step is to configure the device management mode. Initially the devices are added or discovered to the DCR
of Common Services. By default, all devices are managed automatically by Campus Manager and RME, but not
DFM and IPM. The device management mode determines whether the new devices are automatically managed by
CiscoWorks applications. There are three device management modes. See Table 5.
Auto Allocation Off In this mode, automatic addition of devices to LMS applications is disabled. You can use this option to:
Selectively add devices to the application from DCR.
Add previously deleted devices back into the application.
You can manually add the devices to LMS applications even if you have selected other modes for device
management.
Auto Allocation All In this mode, all devices in DCR are added to the selected LMS application. This is also limited by the LMS license
Devices you have purchased.
Auto Allocation Allocate In this mode, devices that belong to a specific group in Common Services are added to LMS applications. This is also
by Groups limited by the LMS license you have purchased.
You must select a group name for all applications that are installed on local and peer servers.
In Figure 24 we auto allocate all devices to the applications including RME, CM, DFM, and IPM.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 35 of 143
Deployment Guide
CWA will finish the first part of the server setup and report the status. See Figure 25.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 36 of 143
Deployment Guide
Here we create the credential set MyDefaultSet2. Click Apply and fill in the standard credentials and SNMP
credentials.
The standard default credentials include primary and secondary credentials (username, password, and enable
password for Telnet or SSH). See Figure 27.
SNMP credentials now support both SNMPv2, and SNMPv3 for both AuthNoPriv and AuthPriv modes (Figure 28).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 37 of 143
Deployment Guide
Figure 30 shows the add device interface. You can manually add the devices into DCR by bulk importing from a file
(comma-separated values [CSV] or XML) or network management systems (HP OpenView, IBM NetView, or Cisco
Secure ACS).
Or you can run the discovery process on the server to find devices on your network.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 38 of 143
Deployment Guide
The NG (next-generation) automatic device discovery of LMS 3.2 supports both Layer 2 (Cisco Discovery Protocol)
and Layer 3 protocols. You can also do a ping sweep across the network or use other options like Cluster Discovery
Module and Hot Standby Router Protocol (HSRP). For details, check out the NG discovery whitepaper at
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-493921.html.
Note: In LMS 3.2, discovery supports IPv6 using ping sweep and the Cisco Discovery Protocol module only.
By default Cisco Discovery Protocol is used to discover the devices. Figure 31 shows how to choose the discovery
modules.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 39 of 143
Deployment Guide
To use Cisco Discovery Protocol as the discovery protocol, first add the seed devices. The seed devices are usually
the core switches that have the most connections to other network devices. The CiscoWorks server will go to the
seed device and find its neighbors, then find the neighbors neighbors. This process will propagate across the
network until all devices are found.
In Figure 32 we add the seed devices and specify how many hops the discovery shall proceed (the default is
unlimited). Jump Router Boundaries is turned on to allow the discovery to extend beyond the boundaries set by
routers within the network. Device discovery may take longer if you do not selectively choose the boundaries by
excluding specific IP addresses.
There is another option to use DCR as a seed list, but it is not recommended if you have already imported many
devices in DCR.
Next we configure the SNMP settings, including target, read community string, timeouts, and retries (Figure 33).
Note: Discovery SNMP settings page is enhanced to support SNMPv2c to SNMPv1 and SNMPv3 to SNMPv2c
fallback. When the SNMP fallback from SNMPv2c to SNMPv1 option is selected, the discovery falls back to
SNMPv1 if SNMPv2c fails.When SNMP fallback from SNMPv3 to SNMPv2c is selected, the discovery falls
back to SNMPv2c if SNMPv3 fails.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 40 of 143
Deployment Guide
If you want to limit the discovery scope, configure the filter settings to include or exclude devices based on IP
address, DNS domain, sysObjectID, or sysLocation (Figure 34).
On the global settings, users can configure the preferred DCR display name and preferred management IP and
choose the default credentials. If you want the discovery process to resolve IP addresses to hostnames, make sure
DNS is configured properly on the LMS server. See Figure 35.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 41 of 143
Deployment Guide
After the discovery is done, a message is shown to report the success (Figure 36).
Users can check the devices discovered by going to Common Service Device and Credentials Device
Management to check out the device summary (Figure 37).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 42 of 143
Deployment Guide
The next step is to allocate the devices to the applications. In Figure 38 we are allocating all devices to RME, CM,
DFM, and IPM.
Now we have successfully completed the basic server setup, added devices to DCR, and allocated the devices to
applications. It is recommended to integrate LMS with Cisco Secure ACS, which is covered in a detailed whitepaper
at
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.
html.
Note: Most of the steps done by CWA can be directly accessed from the Common Services dashboard. If you
need to rerun some of the jobs such as device discovery, launch the Common Services dashboard from the
Functional view. For example, under Common Services Device and Credentials Device Discovery you
can configure and run discovery.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 43 of 143
Deployment Guide
The configurations in CiscoWorks LMS Setup Center are grouped into the following categories:
System Settings: The configuration that the system needs to function effectively
Security Settings: The security-related settings for the product
Data Collection Settings: The settings necessary for collecting data from the devices
Data Collection Schedule: The schedule settings for collecting the data from the server
Data Purge Schedule: The configurations that are necessary for the device to purge data
The settings specific to all applications including CiscoWorks Common Services, CiscoWorks RME, CiscoWorks
Campus Manager, and Device Fault Manager are grouped within these five categories, and Setup Center enables
you to configure them in a common space.
Note: If an application is not installed, the corresponding entries are not available.
System Settings
This category lists the configurations that are necessary for the system to function.
The system settings specific to all the applications are grouped under this category. If a CiscoWorks application is
not installed, the corresponding entries are not displayed. To launch the System Settings page, click the System
Settings tab from the CiscoWorks homepages LMS Setup Center application. The System Settings page displays
the name of the settings, their value, and a brief description. Each entry has an Edit icon. Click the Edit icon for a
specific system setting to open the corresponding settings page.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 44 of 143
Deployment Guide
Security Settings
The security-related configurations of all CiscoWorks applications are grouped under this category. If a CiscoWorks
application is not installed, then the corresponding entries are not displayed.
To launch the Security Settings page, click the Security Settings tab from the LMS Setup Center application. The
Security Settings page displays the name of the settings, their value, and a brief description. Each entry has an Edit
icon. Click the Edit icon for a specific security setting to open the corresponding security settings page.
To launch the Data Collection Settings page, click the Data Collection Settings tab from the LMS Setup Center
application. The Data Collection Settings page displays the name of the settings, their value, and a brief description.
Each entry has an Edit icon. Click the Edit icon for a specific data collection setting to open the corresponding data
collection page.
To launch the Data Collection Schedule page, click the Data Collection Schedule tab from the LMS Setup Center
application. The Data Collection Schedule page displays the name of the settings, their value, and a brief
description. Each entry has an Edit icon. Click the Edit icon for a specific data collection schedule setting to open the
corresponding configuration page.
To launch the Data Purge Schedule page, click the Data Purge Schedule tab from the LMS Setup Center
application. The Data Purge Settings page displays the name of the settings, their value, and a brief description.
Each entry is accompanied by an Edit icon. Click the Edit icon for a specific data purge schedule to open the
corresponding configuration page.
DCR Mode
This paper discusses LMS server as a standalone server. As you become more familiar with the LMS features, you
can set up multiple LMS servers to work together in a master/slave scenario. To change the mode of the LMS
server, go to CS Device and Credentials Admin Mode Settings. See Figure 40.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 45 of 143
Deployment Guide
Device Polling
Unreachable devices in DCR are detected by polling the devices using supported protocols for a specific period of
time. These devices can then be deleted from DCR. Protocols supported are ping, Snmpv1/v2/v3.
To configure device polling, go to Common Services Device and Credentials Admin Device Polling. See
Figure 41.
Connectivity protocols such as SNMP or Internet Control Message Protocol (ICMP) may be disabled on the
device.
Incorrect credentials may be configured for the device.
Invalid timeout and retries may have been configured on the device.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 46 of 143
Deployment Guide
1. Go to the CiscoWorks homepage and select Common Services Device and Credentials Admin Device
Polling Unreachable Device Report.
The Unreachable Device Report page appears.
Alternatively, you can navigate to this page from the LMS Portal homepage if you have installed the LMS Portal
application on the CiscoWorks server.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 47 of 143
Deployment Guide
You can enable or disable the option of displaying the CiscoWorks server name along with the browser title. When
you choose to display the server name in the browser title, the browser window displays the title in the following
format:
Here Hostname is the name of the CiscoWorks server and Application Window Title is the title of the application
window launched from CiscoWorks server.
For example, if the name of your CiscoWorks server is lmsdocultra, then the title of the CiscoWorks homepage
would be displayed as lmsdocultra - CiscoWorks. If you launch Common Services from the CiscoWorks homepage,
the title of the Common Services home window would be displayed as lmsdocultra - Common Services Home.
You can also enable or disable the display of the server name with the browser title by changing the configurations in
a properties file.
Enable or disable the option of displaying the server name with the browser title
Change the format of the display from Hostname - ApplicationWindowTitle to ApplicationWindowTitle -
Hostname and vice versa
Replace a hyphen (-) with any other delimiter except empty spaces
Trim the spaces between the hostname, delimiter, and application window title
During registration you are prompted to select an application template and then register with the CiscoWorks server.
The registration enables the application to be integrated with other applications based on the template definition. It
also helps application launch points to be displayed on the CiscoWorks homepage.
1. Click Register in the Registered Applications dialog box. A wizard guides you through the process.
2. Choose the location for registration. You can select Register from Templates or Import from Other servers.
To register from templates:
1. Select the Register from Templates radio button and click Next.
2. Select the radio button corresponding to the template you require and click Next.
3. Enter the server attributes in the server attributes dialog box and click Next.
4. Click Finish.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 48 of 143
Deployment Guide
Create self-signed certificates for the local and remote servers (if not already done).
Add the remote servers certificate to the local server. See Setting up Peer Server Certificate from the online
help that accompanies LMS for details.
Restart the local server.
Create a peer server user on the remote server. Configure this user as a system identity user in the local
server. See Setting up Peer Server Account and Setting up System Identity Account from the online help that
accompanies LMS for details.
To import from other servers:
1. Select the Import from Other Servers radio button and click Next.
2. Enter the server name, server display name, and the secure port numbe in the Import Servers Attributes dialog
box. Click Next.
3. Select one or more applications from the list to import into the CiscoWorks server. Click Next.
4. The Import Registration Summary window displays a summary of the information you entered. Click Finish.
When the browser-server security mode of the remote server is changed from non-SSL to SSL or from SSL to non-
SSL, you should deregister the applications imported from that server and register them again.
The version in this screen shows the major version of the applications. In order to know the version with patch level,
go to Software Center Software Updates. The Software Updates page shows the version with patch-level
information. The patch-level information is only available for the applications installed in the local server.
1. Select Common Services Server HomePage Admin Links Registration. The Links Registration
Status page appears.
2. Click Register. The Enter Link Attributes dialog box appears.
3. Enter the link name and the URL.
4. Select the radio button corresponding to Third Party or Custom Tools to set the display location.
5. Click OK.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 49 of 143
Deployment Guide
Note: SSL is an application-level protocol that enables secure transactions of data through privacy,
authentication, and data integrity. It relies upon certificates, public keys, and private keys.
1. Go to the CiscoWorks homepage and select Common Services Server Security Browser-Server
Security Mode Setup.
2. Select the Enable option to enable SSL.
3. Click Apply.
4. Log out from your CiscoWorks session, and close all browser sessions.
5. Restart the Daemon Manager from the CiscoWorks server CLI.
On Windows:
a. Enter net stop crmdmgtd
On Solaris:
c. Enter /etc/init.d/dmgtd stop
Note: By default, the minimum character limit for CiscoWorks local usernames is five characters. To add a local
username with fewer than five characters, change the entry for validate User to false in the
NMSROOT/lib/classpath/ss.properties file.
You can only create one user at a time. To create local users in bulk, use the CLI tool. Refer to the help file and
search on Setting Up Local Users Through CLI.
System administrators determine user security levels when users are granted access to CiscoWorks. When users
are granted logins to the CiscoWorks application, they are assigned one or more roles (Table 6).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 50 of 143
Deployment Guide
Level Description
0 Help Desk
1 Approver
2 Network Operator
4 Network Administrator
8 System Administrator
16 Export Data
A role is a collection of privileges that dictate the type of system access you have. A privilege is a task or operation
defined within the application. The set of privileges assigned to you defines your role and dictates how much and
what type of system access you have.
The user role or combination of roles dictates which tasks are presented to the users. Table 7 shows the security
levels.
For information on tasks that can be performed with each role, you can generate a permissions report. To generate a
permissions report:
Note: The permissions report can only show the privilege details of local users. If a user is created on ACS, that
user will only show as Help Desk.
You can only add one user at a time for the GUI. To bulk create users, use CLI. For detailed information, search
Setting up Local Users Through CLI from the online help that accompanies LMS.
Self-signed certificates are valid for five years from the date of creation. When the certificate expires, the browser
prompts you to install the certificate again from the server where you have installed CiscoWorks.
Note: If you regenerate the certificate, when you are in multiserver mode, any existing peer relation might break.
The peers need to reimport the certificate in this scenario.
To create a certificate:
1. Go to the CiscoWorks homepage and select Common Services Server Security Certificate Setup.
2. Enter the values required for the fields described in Table 7.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 51 of 143
Deployment Guide
State or Province Two-character state or province code or the complete name of the state or province
Locality Two-character city or town code or the complete name of the city or town
Host Name DNS name of the computer or the IP address of the computer.
Enter the host name with a proper domain name. This is displayed on your certificate (whether self-signed or third-party
issued). Local host or 127.0.0.1 should not be given.
Note: If the certificate is not a self-signed certificate, you cannot modify it.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 52 of 143
Deployment Guide
Business Scenarios
As enterprise networks grow ever larger, it becomes a tedious job to manage hundreds or even thousands of
devices. With the LMS applications discussed in this chapter, we can address problems like these:
How do I keep track of the inventory of devices on my network? How do I generate a customized report that
digs out just the inventory information I need?
How do I keep track of the outdated devices and plan for an equipment upgrade budget? How do I keep track
of not only outdated hardware but outdated Cisco IOS Software images?
How do I keep track of the product information relevant to my network, such as the Product Security Incident
Response Team(PSIRT) security alerts and product defects (bugs)? How do I find out which devices are
under support contract?
How do I keep an archive of the configuration and be able to restore the configurations if there is any mis-
configuration? How do I push configurations to multiple devices on my network without doing it one-by-one
through CLI? How do I keep track of the changes?
How do I manage compliance by enforcing configuration policies across the network so everyone is following
rules when they configure hundreds of devices?
How do I automatically upgrade the software images on devices without spending too much time and
affecting our business?
How do I monitor the syslog messages and be automatically notified if something happens?
All these questions and more can be answered with three LMS applications for elements management:
RME Overview
RME is the cornerstone application for the CiscoWorks LMS bundle of infrastructure management tools focusing
primarily on configuration management tasks. It includes many automated features that simplify configuration
management tasks, such as performing software image upgrades or changing configuration files on multiple
devices. RME also includes some fault-management features, such as filtering of syslog messages.
Inventory Manager: Builds and maintains an up-to-date hardware and software inventory providing reports
on detailed inventory information. RME has many predefined reports. You can also create custom reports to
dig out just the information you need.
Configuration Manager: Maintains an active archive of multiple iterations of configuration files for every
managed device and simplifies the deployment of configuration changes. You can use ConfigEditor to
change, compare, and deploy configuration to one device, or use NetConfig to deploy to multiple devices.
You can design baseline templates for different configuration needs. You can also specify which action to
take after the configuration is deployed.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 53 of 143
Deployment Guide
Software Manager: Simplifies and speeds software image analysis and deployment. You can do an
automatic upgrade analysis to help you select the right image. Then use the SWIM feature to import images,
stage the image locally or remotely, then deploy to groups of devices.
Syslog Analysis: Collects and analyzes syslog messages to help isolate network error conditions. You can
filter the syslog messages and designate actions based on the messages.
Change Audit Services: Continuously monitors incoming data versus stored data to provide comprehensive
reports on software image, inventory, and configuration changes.
Audit Trails: Continuously monitors and tracks changes made to the RME server by the system
administrator.
Compliance Management: By creating a baseline template, which is essentially sophisticated regular
expressions, users can enforce configuration rules to help ensure that the configuration complies with the
internal policies or government regulations.
There is a separate whitepaper on compliance management at
http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html.
Inventory Management
Inventory Management provides comprehensive device information, including hardware and software details. This
information is crucial for network maintenance, upgrades, administration, troubleshooting, and basic asset tracking.
The inventory information can also be used by other applications that need access to this same information without
the need for additional device queries. Network administrators must often be able to quickly provide information to
management on the number and types of devices being used on the network. The more information network
administrators have in one central place about all the devices, the easier it is to locate necessary information,
resolve problems quickly, and provide detailed information to upper management.
Inventory Management is also the starting point for many other management activities. For example, to upgrade the
software image of a device, information about the amount of RAM, the modules installed, and the current software
version is needed. All this data is collected by RME Inventory Management.
In Chapter 4, we talked about how to populate the DCR and add devices to individual applications, such as RMEs
inventory. You can check out the RME devices under RME Devices Device Management RME
Devices.Inventory Collection/Polling
At the time of RME installation, system jobs are created for both Inventory collection and polling, with their own
default schedules.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 54 of 143
Deployment Guide
A periodic inventory collection job collects inventory data from all devices (devices in the All Devices group) and
updates inventory database. The periodic polling polls all devices to check a certain MIB value to see whether the
timestamp has changed. If there is a change in the timestamp, RME then goes ahead to retrieve inventory changes
and collects and updates the inventory database.
Note: Inventory polling consumes much less bandwidth than inventory collection.
The predefined default periodicity of the collector job is once a week, and the predefined default periodicity of the
polling job is once a day.
The polling job detects most changes in all devices, with much less impact on your network and on the LMS server.
To change the default settings, traverse to Resource Manager Essentials Administration Inventory
System Job Schedule. The System Job Schedule dialog box displays the current collection or polling schedule;
change the values and click Apply.
Reports Generator
Once you add devices to RME from DCR, RME start retrieving inventory information based on the default schedule
setting. RME has numerous predefined reports built-in for all the internal applications. These reports can be
generated for view by going to RME Reports Report Generator. These applications include:
Audit Trail: Tracks and reports changes that the RME administrator makes on the RME server
BugToolkit: Helps users identify the bugs filed against devices in their network and check the status of the
bugs
Change Audit: Tracks and reports changes made in the network including configuration, inventory, and
software image changes
Contract Connection: Shows the status of service contracts of all Cisco IOS devices in your network
Device Credential: Displays the device names and the credential status for each device
Inventory: Reports the comprehensive inventory information collected by RME
Syslog: Displays the syslog message received from the devices by RME
Under each application, you can generate different types of reports. For example, under Inventory you can generate
the reports shown in Figure 43,
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 55 of 143
Deployment Guide
All these reports are generated with a set of predefined query criteria. For example, Software Report will list the
software versions based on the categories of the devices. If you want to query a customized list of variables from the
inventory, you can use a custom reports template for this as described in the following section.
PSIRT Summary report: Introduced in LMS 3.0, this report automates how users track the PSIRT security
alert from Cisco. The LMS server can be scheduled periodically to fetch the PSIRT information from
cisco.com and correlate to the users network devices.
EoS/EoL Hardware Report: Introduced along with PSIRT report, this report works in similar way to automate
how users track the EoS/EoL (End of Sale/End of Life) status of the network devices. Good for budget
planning. Some customers schedule it to run every quarter to know how much equipment needs to be
upgraded.
In LMS 3.1, offline support for PSIRT/EOX was added. Users can select the source of the information to be
from Cisco Connection Online or a local file if the LMS server is not directly connected to Internet. This can
be customized at Resource Manager Essentials Admin Reports PSIRT/EOX Reports. See Figure 44.
Check the online help to learn how to download Cisco Connection Online PSIRT/EoX information to a local
file.
Note: The offline data file has been changed to a zip file due to size limit. The new URL to download the file is
http://www.cisco.com/cgi-bin/front.x/eox/RME_PSIRT_DETAILS.pl?action=zipdownload.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 56 of 143
Deployment Guide
EoS/EoL Software Report: New feature in LMS 3.2, generates the end of sale, end of life, and end of
engineering dates for the software image versions running in the devices in your network. It provides a
summary of the end of sale or end of life alerts based on the selected devices.
PoE Report: Power over Ethernet (PoE) is the ability of the LAN switching infrastructure to provide power
over a copper Ethernet cable to an endpoint (powered device). You can generate a PoE report to display
detailed information of PoE-enabled devices managed by RME.
POE Port Level Report: New in LMS 3.2, you can generate a PoE Port Level Report to display information
such as power consumption, power available, and power remaining at the port level for devices.
PSE Report: New in LMS 3.2, you can generate a PSE Report to display information such as power
consumption, power available, and power remaining at the PSE/device level.
Custom Reports
To create a customized report with your interested query variables, such as the serial number of all c1701 routers,
follow these steps:
1. Create a custom report template. Go to RME Reports Custom Reports Template, choose Inventory,
give it a name such as customreporttest, make it public so everyone can see it, and define the rule as
illustrated in Figure 45.
2. Go to RME Reports Report Generator, and choose Inventory. Notice the custom report template
customreporttest shows up at the bottom of the dropdown list (Figure 46).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 57 of 143
Deployment Guide
3. Choose your devices and generate the report (Figure 47). Here you can generate a one-time report or schedule
a job report to run daily, weekly, or monthly, and automatically be sent in an email or published to a central
storage location.
Note: Successfully generated reports are stored in the archives. You can access the report archives by selecting
RME Reports Report Archives.
Step 1. Analyze the software images: RME helps the user to analyze the device and decide whether it has
enough resources to run the new image. RME gives image recommendations for each selected device. Go
to RME Software Mgmt Software Distribution Upgrade Analysis, then log into Cisco.com. Once
you log in, you can see all the available versions for this device. When you select a version, RME will give
you suggestions about what to do before upgrading (Figure 48).
The criteria for image recommendation can be modified at RME Admin Software Mgmt View Edit
Preferences.
Note: The number and type of variables analyzed depend on the device type and software version selected. The
knowledge base used for analysis can be upgraded by going to RME Admin Software Mgmt
Update Upgrade Analysis.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 58 of 143
Deployment Guide
Step 2. Add images to the repository: Instead of browsing around on Cisco.com trying to find the image file, RME
helps the user to locate the image easily online and adds it into the local repository. You can schedule the
download immediately or later. See Figure 49.
Note: You can also export the image from the local repository to be used elsewhere.
Step 3. Create a job for image distribution: Instead of manually loading the images one by one through the CLI,
the user can schedule a job to deploy images to a group of devices.The methods of distribution include:
Basic: This option allows you to select devices and then perform software image upgrades to those
devices. Software Management checks the current image on the device and recommends a suitable image
for distribution.
By devices [Advanced]: This option allows you to enter the software image and storage media for the
device that you want to upgrade. The selected image and storage media are validated and verified for
dependencies and requirements.
By images: This option lets you select a software image from the software image repository and then use
it to perform an image upgrade on suitable devices in your network.
Use Remote Staging: This option allows you to select a software image, store it temporarily on a device,
and then use the stored image to upgrade suitable devices in your network. This is helpful when the
Resource Manager Essentials server and the devices (including the remote stage device) are distributed
across a WAN.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 59 of 143
Deployment Guide
Note: If you have not selected the Use Generated Out-of-Sync Report option, it will take more time to show the
software image selection dialog box.
In the View/Edit Preferences dialog box (Resource Manager Essentials Administration Software Mgmt
View/Edit Preferences) you can define the protocol order that Software Management has to use for software image
download. Use the Add and Remove buttons for selecting the protocol order. See Figure 50.
To perform the image upgrade using this ISSU process, the running image in the device must be ISSU capable.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 60 of 143
Deployment Guide
The ISSU process can be applied for the following distribution methods:
By devices [Basic]
By devices [Advanced]
By image
Through remote staging
To perform this ISSU image upgrade process you must select the Reboot immediately after downloading option in
the Job Schedule and Options page of the device distribution flow.
You can also customize the configurations available in the Issuconf.properties file located at
NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/conf/swim.
You can configure the properties listed in Table 8 in the Issuconf.properties file.
Variable Description
The running software image version in the device must match the version configured in the Issuconf.properties.
Configuration Management
The Configuration Management tab in RME includes three applications: Archive Management, Config Editor, and
NetConfig.
1. Archive Management
2. The Archive Management application maintains an active archive of the configuration of devices managed by
RME. It provides:
The ability to fetch, archive, and deploy the device configurations
The ability to handle syslog-triggered configuration fetches, thereby making sure that the archive is in sync
with the device.
The ability to search and generate reports on the archived data
The ability to compare and label configurations
Configuration Collection/Polling
The configuration archive can be updated with configuration changes by periodic configuration archival (with and
without configuration polling). You can enable this using Resource Manager Essentials Administration
Config Mgmt Archive Mgmt Collection Settings.
Note: Scheduled collection and polling are disabled by default as the customers network may have sporadic
bursts of traffic and the network management system should not take up the existing bandwidth. It is best
for the customer to select the periodic collection and polling.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 61 of 143
Deployment Guide
You can modify how and when the configuration archive retrieves configurations by selecting one or all of the
following:
Periodic Polling
Configuration archive performs an SNMP query on the device, if there are no configuration changes detected
in the devices, no configuration is fetched.
Periodic Collection
Configuration is fetched without checking for any changes in the configuration.
Step 1. Select Resource Manager Essentials Administration Config Mgmt Archive Mgmt Collection
Settings.
Telnet
TFTP
RCP
SSH
Secure Copy Protocol (SCP)
HTTPS
To setup protocol ordering for Configuration Management, go to Resource Manager Essentials Administration
Config Mgmt Transport Settings. See Figure 51.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 62 of 143
Deployment Guide
Protocol ordering can be setup for different configuration applications (Archive Management, Config Editor, and
NetConfig) by selecting the application from the Application Name drop-down list. Select the protocol order by using
the Add and Remove buttons on the screen and click Apply.
For secure communication between the server and device use SSH.
1. Config Editor
2. You can use the Config Editor application to perform the tasks listed in Table 9.
Set or change your Config Editor preferences. Select RME Admin Config Mgmt Config Editor.
View the list of previously opened files in private or public work areas. Select RME Config Mgmt Config Editor Private Configs
or
Select RME Config Mgmt Config Editor User Archive.
Open a configuration file for editing in four ways: Select RME Config Mgmt Config Editor Config Files.
Device and version
Pattern search
Baseline
External location
View the status of all pending, running, and completed jobs. You can also Select RME Config Mgmt Config Editor Config Editor Jobs.
create a new job or edit, copy, stop and delete a job that you have opened.
The RME Config Editor function can be used to edit a device configuration stored in the configuration archive and
download it to the device. The Config Editor tool allows the user to make changes to any version of a configuration
file, review changes, and then download the changes to the device.
When a configuration file is opened with Config Editor, the file is locked so that no one else will be able to make
changes to it at the same time. While the file is locked, it is maintained in a private archive available only to the
user who checked it out. If other users attempt to open the file to edit it, they will be notified that the file is already
checked out and they can only open a read-only copy. The file will remain locked until it is downloaded to the
device or manually unlocked within Config Editor by the user who checked it out or by a user that has network
administrator and system administrator privileges.
1. NetConfig
2. You can use the NetConfig application to perform the tasks listed in Table 10.
Create and manage user-defined tasks. Resource Manager Essentials Config Mgmt NetConfig User-
defined Tasks
Assign user-defined tasks to valid CiscoWorks users. Resource Manager Essentials Config Mgmt NetConfig Assigning
Tasks
The NetConfig function provides a set of command templates that can be used to update the device configuration on
multiple devices all at once. The NetConfig tool provides wizard-based templates to simplify and reduce the time it
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 63 of 143
Deployment Guide
takes to roll out global changes to network devices. These templates can be used to execute one or more
configuration commands on multiple devices at the same time. For example, to change SNMP community strings on
a regular basis to increase security on devices, use the appropriate SNMP template to update community strings on
all devices using the same job. A copy of all updated configurations will be automatically stored in the configuration
archive. NetConfig comes with several predefined templates containing all necessary commands. The user simply
supplies the parameters for the command and NetConfig takes care of the actual command syntax. These
predefined templates include corresponding rollback commands; therefore, if a job fails on a device, the
configuration will be returned to its original state.
Embedded Event Manager (EEM): EEM is a framework to monitor and detect certain conditions that might
affect network services. It includes methods to program corrective actions when incorrect events are
detected. With NetConfig, users can configure EEM environment variables and register EEM scripts to one
device or a group of devices at the same time. After EEM is deployed to the devices, RME can show the EEM
status through NetShow reports and generate EEM-related syslog reports.
GOLD (Generic OnLine Diagnostics): GOLD is a device-specific Cisco IOS feature with fault detection
capabilities. It defines a common framework for diagnostic operations across Cisco platforms running Cisco
IOS Software. Similarly, with NetConfig, users can configure GOLD tests. After GOLD is deployed to the
devices, RME can show the GOLD test status through NetShow reports and generate GOLD-related syslog
reports.
Smart Call Home (SCH): Smart Call Home is a new, secure connected service that is currently available on
the Cisco Catalyst 6500 devices. Similarly, with NetConfig, users can configure SCH tests. After SCH is
deployed to the devices, RME can show the SCH test status through NetShow reports and generate SCH-
related syslog reports.
Virtual Switching System (VSS): VSS enables two standalone Catalyst 6500 Switches to work as one
virtual switch. RME simplifies the VSS management by providing a GUI conversion wizard to guide the user
through steps to convert the two standalone switches into one VSS. After conversion, VSS is managed as
one single device with regular LMS functionalities including inventory reporting, configuration management,
CiscoView, topology map, DFM alerts, and so on.
For details about LMS support for these technologies, check out the RME user guides and the whitepaper Managing
Cisco Catalyst Modular Switches Using CiscoWorks LMS" at
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-494607.html.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 64 of 143
Deployment Guide
FPM (Flexible Packet Matching) policies: Attach or detach package groups to an interface.
Module-level tasks to be supported:
GOLD
To use these new functions, users need to create port or module groups.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 65 of 143
Deployment Guide
Table 11 lists the available attributes that you can use to define the rule for creating port and module groups.
CM.Neighbor Whether the port is connected to a device (IP phone or end host)
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 66 of 143
Deployment Guide
Now we are ready to create a NetConfig job using the port group we just created. Go to RME Config Mgmt
NetConfig NetConfig Jobs, and click the Create button. Select Port Based (see Figure 55).
Choose the tasks, or templates, applicable to the port group, as shown in Figure 58.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 67 of 143
Deployment Guide
Add instances for each of the tasks selected, as shown in Figure 59.
For example, the instance shown in Figure 60 will configure the PoE for the port group.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 68 of 143
Deployment Guide
As last step, schedule the NetConfig job and specify the job options, as shown in Figure 61.
Change Management
All changes made on the network through LMS are recorded as part of the change audit. If syslogs are enabled on
devices, any out-of-band changes made on the devices are also recorded as part of the change audit. Change audit
reports can be viewed by going to Resource Manager Essentials Reports Report Generator. Select
Change Audit as the application, and the report type could be either a 24-hour report, Standard Report, or
Exception Period Report. These reports help manage the changes on the network.
Resource Manager Essentials also provides the capability to have an audit trail. The audit trail provides a trail of all
the changes that are being made on the server, such as addition or deletion of devices and credential changes.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 69 of 143
Deployment Guide
Syslog
LMS has the ability to collect and analyze syslogs received from devices in the network. The ability to collect syslogs
helps manage the network more effectively. Enabling syslogs provides a multifold advantage:
LMS will collect and update any configuration and inventory changes on the network.
Received syslogs can be analyzed and can also be used for further triggering automated actions.
Syslogs can be enabled on devices using NetConfig. A template for enabling syslogs is built into NetConfig. You can
access the template under Resource Manager Essentials Config Mgmt NetConfig. Create a NetConfig job
by clicking NetConfig Jobs under the TOC.
A list of all message filters is displayed in a dialog box, along with the name and the status of each filter -- enabled or
disabled. Specify whether the filters are for dropping the syslog messages or for keeping them, by selecting either
Drop or Keep. If you select the Drop option, the Common Syslog Collector drops the syslogs that match any of the
Drop filters from further processing. If you select the Keep option, Collector allows further processing only of the
syslogs that match any of the Keep filters.
Note: The Drop and Keep options apply to all message filters and are not on a per filter basis.
Change Audit
Select Days of the week from the Day drop-down list box and the start time and the end time from the Start Time
and End Time drop-down list boxes.
Click Add.
Job Management
Jobs need to be created for performing archive management, editing of configurations, downloading of
configurations, and Cisco IOS/CatOS device image management. There is a central location where all jobs created
for various purposes in RME can be viewed. The central location can be accessed by traversing to the CWHP
Resource Manager Essentials Job Mgmt RME Jobs link. All jobs can be searched on criteria such as the
status of the jobs and type of job.
RME allows approval of jobs before they are executed. The following are the logical steps to configure job approval:
Specify approver information: This can be done by traversing to theCWHP Resource Manager Essentials
Administration Approval Approver Details link. Note the user created here should have the
Approver role in the system (be it local security mode or ACS security mode).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 70 of 143
Deployment Guide
Specify approver lists: A list of approvers needs to be created. The list has to be named and assigned
approvers. This can be done by traversing to CWHP Resource Manager Essentials Administration
Approval Create/Edit Approver Lists. Provide an approver name in the top left text field, click Add,
select users from the list of available users field in the middle, and click Add in the middle. Save the
configuration of approval lists.
Assign approval lists with the various functions like NetConfig, Config Editor, Archive Management, and
Software Management.
Enable approval policies on the various functions like NetConfig, Config Editor, Archive Management, and
Software Management.
The above steps will require all jobs created for NetConfig, Config Editor, Archive Management, and Software
Management to be approved before being executed.
All jobs pending approval can be viewed by traversing to the CWHP Resource Manager Essentials Job
Mgmt Job Approval link. The approver can either accept or reject the job. If a job is rejected then the status of
the job is updated for the user who created the job.
Purge Policies
1. Configuration Management
You can specify when to purge archived configurations. This frees disk space and keeps your archive at a
manageable size. You can purge configurations based on two criteria:
Age: Configurations older than the number of days you specify are purged.
The maximum number of versions of each configuration to keep: The oldest configuration is purged when the
maximum number is reached. For example, if you set the maximum versions to keep to 10, when the
eleventh version of a configuration is archived, the first is purged to keep the total number of archived
versions at 10.
By default, the purging jobs are disabled. Use the following steps to enable purging jobs:
Step 1. Select Resource Manager Essentials Administration Config Mgmt Archive Mgmt Purge Settings.
Step 5. To specify when to purge configuration files from the archive, select one or both of the following options:
Click Maximum versions to retain and then enter the number of configurations to retain.
Click Purge versions older than and then enter a number and select days, weeks, or months.
Click Purge labeled files to delete the labeled configuration files.
The purged labeled files will be deleted only if the conditions set for the Maximum versions to retain and Purge
versions older than options are satisfied.
Step 7. Syslog
A default policy can be specified for the periodic purging of syslog messages.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 71 of 143
Deployment Guide
Select Resource Manager Essentials Administration Syslog Set Purge Policy. Specify the number of
days in the Purge records older than field. Only the records older than the stated age (the number of days that you
specify here) will be purged. The default value is 7 days.
2. Change Audit
A periodic purge or a forced purge of change audit data can be scheduled. This frees disk space and maintains the
change audit data at a manageable size. Select Resource Manager Essentials Administration Change
Audit Set Purge Policy. Enter the values for each field and click Save to save the purge policy that you have
specified.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 72 of 143
Deployment Guide
Using the performance data retrieved, CiscoView provides real-time views of Cisco devices. These views deliver a
continuously updated physical/logical picture of device configuration and performance conditions. With the proper
user authorization, the user can configure a Cisco device and its cards and interfaces. The user can also monitor
real-time statistics for interfaces, resource utilization, and device performance.
CiscoView simply uses SNMP to query the configuration and performance of the device and displays the information
graphically. Given the proper user authorization privileges, CiscoView can also be used to change or modify the
configuration of the device using SNMP.
View a graphical representation of the device, including component (interface, card, power supply, LED)
status
Configure parameters for devices, cards, and interfaces
Monitor real-time statistics for interfaces, resource utilization, and device performance
Set user preferences
Perform device-specific operations as defined in each device package
Manage groups of stackable devices
To launch CiscoView:
From LMS Portal, go to the CiscoView Portlet, and open Chassis View. Input the device IP address or
choose from the Device Selector to open the chassis view.
From LMS Portal, go to Device Center Portlet, open Device Center, input the device IP address or choose
from the Device Selector, then click CiscoView under the Tools section of the Device Center.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 73 of 143
Deployment Guide
Mini-RMON Manager
CiscoView Mini-RMON manager is a real-time remote monitoring tool that provides the option to enable RMON
collection, display the collected Ethernet statistics and lets you set thresholds against any of the collected statistics.
An alarm is generated whenever the set thresholds are breached. This facilitates troubleshooting and improves
network availability.
For details about how to use the full features of CiscoView, see
http://cisco.biz/en/US/docs/net_mgmt/ciscoworks_ciscoview/6.1.8/user/guide/ug_pref.html.
Device Center
Within the LMS bundle, Device Center is a portal that provides the ability to gather and debug information about a
particular device. The Summary in Device Center provides information about the device IP address and device type,
a 24-hour change audit summary, the last inventory and configuration collection times, a syslog summary, and any
fault-related alerts for the device and the neighboring devices.
Device Center also provides a set of functions that help facilitate debugging, run reports on the device, and perform
management tasks such as changing credentials.
Device Center is installed as part of the Common Services install and can be launched from CWHP Device
Troubleshooting Device Center. See Figure 63.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 74 of 143
Deployment Guide
Browse through the group hierarchies to select a device or search for a particular device by typing in the
name in the search utility provided above the group selector. Click the link on the device name after you have
selected it. This launches the summary and tools page for the device.
You can look at the 24-hour reports on the device in the top half of the right frame and launch tools in the
bottom half of the right frame.
Launch the tools in the suggested list that follows in the particular order in the list. This list is not complete but
helps provide an understanding of some of the tools available in Device Center.
Ping: Ping the device to see if it is reachable from the LMS server.
Launch Credential Verification Report: Launch the Credential Verification Report to check for any missing
credentials.
If the credentials are missing, launch the Edit Device Credentials tool to edit the credentials.
Launch Detailed Device Report on the device to view memory, flash, image, and IP address information
Launch Fault History Report to view any faults that occurred in the last 24 hours or 31 days.
If some faults are found, go to CiscoView tool to view the chassis and make some changes on the
interfaces or ports and so on.
If the device is a switch, you can launch the switch port usage report for recently up, down, or unused
ports.
You can synchronize the archive or download a previous archive of the configuration or do an image upgrade.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 75 of 143
Deployment Guide
Business Scenario
Being a network management application, LMS Campus Manager addresses problems from the network
administrators such as the following,
Topology Services
With Topology Services, you no longer have to trace cables from stack to stack through a wiring closet to determine
which devices are connected through which ports. Topology Services auto discovers Cisco routers and switches on
the network and displays the network layout in hierarchical topology maps. These maps make it easy to determine
what types of devices are on the network and how they are connected. In addition, Topology Services auto discovers
ATM and VTP domains and VLAN memberships configured on the network, making it easy to view and track them. It
also provides features to allow you to create and modify VLANs, LANE, and ATM services through an easy-to-use
GUI. Automated discrepancy reports highlight physical and logical problems with the network configuration, making it
easy to identify configuration errors such as line-speed mismatches on either end of a connection.
User Tracking
The User Tracking tool greatly simplifies the task of tracking user and end-station connections to the network. User
Tracking automatically identifies all end stations connected to Cisco devices that have been discovered on the
network, including printers, servers, and PCs. User Tracking also collects detailed information about each end-
station, including MAC address, IP address, DNS hostname, port assignment, and VLAN memberships. In addition,
User Tracking can be configured to collect usernames associated with end stations, from UNIX hosts, a Windows NT
primary domain controller (PDC), or Novell Directory Services (NDS), making it easier to locate specific users on the
network. User Tracking provides a means to track VLAN memberships, port assignments, and end-user host
specifications.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 76 of 143
Deployment Guide
Spanning-Tree Management
CiscoWorks Campus Manager provides advanced capabilities to manage spanning-tree protocols in a campus
network such as Per VLAN Spanning Tree (PVST) Protocol, Multiple Spanning Tree Protocol (MSTP), and Multi-
Instance Spanning Tree Protocol (MISTP).
This information is time-stamped and stored in a database. Campus Manager can then be configured to
automatically update this information at regular intervals. Any Campus Manager collected information required by the
network administrator is quickly retrieved from the Campus Manager database and displayed in the many Campus
Manager reports.
You can invoke data collection from the Campus Manager home page. From LMS Portal, go to the Campus
Manager Portlet and click Home. See Figure 64.
Because Campus Manager relies on data collection to maintain the latest knowledge about the network, we
recommend data collection be scheduled at regular intervals to update the database with the most current
knowledge. You can also do data collection on certain devices right before your operation.
To set up data collection schedule, go to Campus Manager Admin Data Collection Schedule. See Figure
65.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 77 of 143
Deployment Guide
1. From LMS Portal, go to the Campus Manager Portlet, and choose Visualization Topology Services.
2. CiscoWorks server will prompt you to install a specified Java JRE from
http://server:1741/JSP/CAMPUS/help/cmf/jplug_install_ns_windows.html.
Note: If you have trouble launching Topology Services, go to Control Panel Add/Remove Programs on your
client PC, and remove all Java components (you may also need to manually delete everything under
c:\program files\Java), then try to install the JRE by launching Topology Services. If you still have trouble
getting the correct version of JRE, get it directly from Error! Hyperlink reference not valid..
3. After installing the JRE, try launching Topology Services again. It will download the applet and then ask you to
launch Topology Services again. (You may need to edit the local hosts file to resolve the DNS name of the
Campus Manager server if it is not resolvable.)
4. Once the Topology Services interface shows up, you can get a list and count of how many devices you have.
Then click Network Services and right-click a view such as Layer 2 View.
5. The Layer 2 Views hows up. You can zoom in or out, drag and drop the icons to organize the view better, or go
to View and choose Relay out, and choose Circular to organize the layout in better order. You can also show
the IP addresses by turning on Show IP under View Show Labels. See Figure 66.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 78 of 143
Deployment Guide
Note: To see the list of map legends, check out the list at Help Map Legend. On the left side of the network
topology map, you have different network views. See Figure 66.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 79 of 143
Deployment Guide
LAN Edge View Shows network connectivity between Layer 3 devices that have routing View:
characteristics. Device Attributes
Devices without Layer 3 connectivity are placed in ATM Domain or IPv6 Addresses
Switch Cloud network views.
Port Attributes
Change Management IP
Configure Inter-VLAN Routing
Link Attributes
Aggregate Link Attributes
Delete Link(s)
Switch Cloud View Displays the Layer 2 devices between two Layer 3 devices in your View:
network. Device Attributes
IPv6 Addresses
Port Attributes
Service Attributes
Change Management IP
Configure Inter-VLAN Routing
VLAN Report
Link Attributes
Configure EtherChannel
Create Trunk
Trunk Attributes
TDR Report
Layer 2 View Displays the Layer 2 information about your network, including ATM and View:
LAN switches, routers, MLS devices, hubs, and switch probes. Device Attributes
IPv6 Addresses
Port Attributes
Service Attributes
Change Management IP
Configure Inter-VLAN Routing
VLAN Report
Link Attributes
Configure EtherChannel
Create Trunk
Trunk Attributes
TDR Report
Unconnected Devices View Displays devices for which connectivity information could not be View:
obtained, including devices not supported by Topology Services. Device Attributes
This can include non-Cisco ATM devices discovered through Integrated IPv6 Addresses
Local Management Interface (ILMI), since it is an industry standard.
Port Attributes
VLAN Report
Change Management IP
Configure Inter-VLAN Routing
Link Attributes
VTP Views Shows the devices that are participating in VTP domains. VTP Views View:
also shows the non-VTP devices and ATM domains connected directly Device Attributes
to the VTP domain.
Port Attributes
Service Attributes
VLAN Report
Change Management IP
Configure Inter-VLAN Routing
Link Attributes
Configure EtherChannel
Create Trunk
Trunk Attributes
TDR Report
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 80 of 143
Deployment Guide
Note: From the View menu, select Panner to see the full view of the network. On the right side of the Layer 2
view, you can filter the devices on the map based on their device types, link types, whether PoE enabled,
and so on.
If you have too many devices to put into one map, consider organizing them into hierarchical maps under the
topology groups. For example, you can have one group for headquarter and several groups for branch offices. Do
this by going to Campus Manager Admin Groups and creating groups for different locations.
Note: Some of these reports can also be launched from Campus Manager Reports. They are:
Network Configurations
From Topology Services, you can perform many network configurations using the GUI, which is much easier than
using CLI commands (Figure 69). Configuration commands included under the Tools menu are listed in Table 13.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 81 of 143
Deployment Guide
Command Description
ATM Management Create Creates a Soft Permanent Virtual Path or connection. This function can only be performed by users logged in as
SPVC/SPVP network administrators or system administrators.
ATM Management Configures a new ATM interface configuration, or makes changes to the current interface configuration. This function
Interface Configuration can be performed only by users logged in as network administrators or system administrators.
ATM Management RMON Disables RMON data collection. This function can be performed only by users logged in as network administrators or
Data Collection system administrators.
VLAN Management Creates an Ethernet, Token Ring BRF, or Token Ring CRF VLAN. This function can be performed only by users
Create logged in as network administrators or system administrators.
VLAN Management Deletes the selected VLAN. This function can be performed only by users logged in as network administrators or
Delete system administrators.
LANE Management Adds or modifies LANE services for an Ethernet VLAN, a Token Ring CRF, or a standalone ATM-VLAN. This function
Add/Modify LANE Services can be performed only by users logged in as network administrators or system administrators.
LANE Management Configures the master and backup LE Config servers. This function can be performed only by users logged in as
Configure Config Server network administrators or system administrators.
VLAN Port Assignment Moves ports between VLANs in the same VTP domain.
N-Hop View
The N-Hop View portlet is an HTML-based lightweight feature and is available as a part of CiscoWorks Portal. This is
much faster than the regular Campus Manager Topology Services.
To create an N-hop view, first add the N-hop view portlet to your view, then configure it with a root device and
specify how many hops you want to view from the root device. You can also make the view auto refresh and show
alerts from the fault manager, DFM. See Figure 70.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 82 of 143
Deployment Guide
Click the back button to see the N-hop view (Figure 71).
Note: Currently N-hop can support a maximum of 30 devices. Be careful if you are using it on a flat network.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 83 of 143
Deployment Guide
Launch the Collectors page in IPM to view details on collectors that have already been created.
Launch the Device Dashboard page in HUM that provides the performance details of the device.
Launch the Interface Report in HUM that displays the previous hour data for a link.
You can launch the application pages if DFM, HUM, and IPM are installed on a local server or on a remote
server with a master/slave setup.
Restricted Topology View
After integration with ACS, you can limit the devices users can see by setting up a restricted topology view.
You can turn on Restricted Topology View by going to Campus Manager Administration Topology
Restricted Topology View. See Figure 72.
VSS support. The virtual switching technology is the process of combining two standalone distribution
switches in the local distribution layer into a single management point. The Virtual Switching System functions
and appears as a single switch to the wiring closet and the core layer. In Campus Manager of LMS 3.2, VSS
is supported on Topology Services as one single device.
User Tracking
User Tracking helps you to locate and track the end hosts in your network. Thus it provides you the information
required to troubleshoot as well as to analyze any connectivity issues. The application identifies all end users
connected to the discovered Cisco access layer switches on the network, including printers, servers, IP phones, and
PCs.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 84 of 143
Deployment Guide
Campus Manager collects data from the network at regular intervals for acquiring information for User
Tracking by polling.
In dynamic User Tracking, the devices send traps to Campus Manager as and when changes happen in the
network.
This implies that you need not wait till the next User Tacking polling cycle to see the changes that have happened in
your network. This is an improvement over the earlier versions, where updates on end-host information were based
on the polling cycle.
End-Host Report
Contains information from UserTracking polling and the recently added end-hosts.
History Report
Contains information from User Tracking polling and the recently disconnected end-hosts and end-hosts that
have moved between ports or VLANs.
Switch Port reports
Contains information about the utilization of switch ports.
SNMP traps are generated when a host is connected to the network, disconnected from the network, or when it
moves between VLANs or ports in the network.
For example, if configured properly, the user name in the User Tracking report should be populated as shown in
Figure 73.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 85 of 143
Deployment Guide
The username in the User Tracking report is not filled in unless UTLite is installed. UTLite is a utility that allows the
network administrator to collect usernames from primary domain controllers, Windows Active Directory, and Novell
directory servers. Combined with Campus Manager User Tracking, the administrator will not only know which end
host is connected to which switch ports, but what is the user ID of the person logged into that end station.
For how to setup UTLite, refer to the whitepaper Integrating UTLite with Microsoft Active Directory at
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-469745.html.
Acquisition
To start User Tracking, first start the acquiring process by accessing Campus Manager User Tracking
Acquisition. See Figure 74.
There are two principal types of acquisition in User Tracking. They are:
Major acquisition:
Discovers all the end hosts that are connected to the devices managed by Campus Manager
Minor acquisition:
Occurs on a device if any of the following changes take place:
A new device is added to the network
A port changes state, that is, if it comes up or goes down
A new VLAN is added to the network
There is a change in the existing VLAN
Minor acquisition updates the Campus Manager database only with the changes that have happened in the network.
It is triggered at regular intervals. The default for these intervals is 60 minutes. You can configure the interval at
which the acquisition takes place.
Acquisition Settings
Traverse to Campus Manager Administration User Tracking Admin Acquisition Settings and
configure the acquisition settings (Figure 75).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 86 of 143
Deployment Guide
Rogue MAC: MAC addresses that are not authorized to exist in your network. Rogue MACs can be added
manually, imported from a file or User Tracking end host report, and defined from the New MAC report.
Rogue MACs can be marked as Acceptable MACs.
New MAC: MAC addresses that are newly added to your network.
Dormant MAC: MAC addresses that are inactive for the specified number of days.
Configure the Acquisition Settings so rogue and new MAC addresses are detected. Later you can generate a MAC
report to show rogue, new, and dormant MAC addresses. You can also setup an email alert to be notified when new
or rogue MAC addresses are detected.
Acquisition Schedule
A schedule can be set for a major acquisition to happen. The schedule can be set by traversing to the Campus
Manager Administration User Tracking Admin Acquisition Schedule Acquisition link.
A ping sweep can be enabled on all IP addresses in a subnet before starting a major acquisition. An option can be
chosen to exclude certain subnets from the ping sweep.
After the acquisition is complete, you can generate a User Tracking report, which as illustrated in Figure 76.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 87 of 143
Deployment Guide
Duplicate reports:
Duplicate IP addresses
Duplicate MAC addresses
Duplicate MAC and VLANs
Ports with multiple MAC addresses
End Hosts
History:
End host history
Switch port usage
IP Phones
MAC report:
Rogue MAC
New MAC
Dormant MAC
Switch port usage:
Report on Recently Down Ports
Reclaim Unused Down Access Ports Report
Reclaim Unused Up Access Ports Report
Switch Port Summary Report
Switch Port Capacity Report
Wireless reports
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 88 of 143
Deployment Guide
After installation, the User Tracking Utility will show up on your Windows toolbar. Right-click and choose Configure
to point the UTU to the Campus Manager server you are using. It is very easy to setup. See Figure 77.
If you already have User Tracking set up on the Campus Manager server, you can query the database directly from
the UTU. For example, in Figure 78we can find out this users end-station connection information, including
hostname, MAC address, IP address, subnet, which switch the user is connected to, port, vlan, and last time seen
on this port.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 89 of 143
Deployment Guide
Note: You must have UTLite installed in order to query the user name, or you will have to manually edit the user
name field on the User Tracking report.
Purge Policies
End hosts and IP Phones can be deleted from User Tracking either on demand or on a specified interval after major
acquisition by traversing to CWHP Campus Manager Administration User Tracking Admin
Acquisition Delete Interval.
Archives or jobs older than a particular date can also be purged by traversing to CWHP Campus Manager
Administration User Tracking Admin Reports User Tracking Purge Policy.
Note: In the Windows environment you can either install UTLite or configure DHCP snooping to get the IP
address of the end host. They can also coexist. If you have neither installed UTLite nor enabled DHCP snooping, the
IP address of the end-host connected will be updated only in the next User Tracking major acquisition cycle.
Virtual Network Manager provides pre-provisioning, provisioning, and monitoring of Virtual Routing and Forwarding-
Lite (VRF-Lite) technology. VRF-Lite technology is used to virtualize networks that span across enterprise networks.
It supports multiple virtual routing instances using a single routing device.
Devices that may have IPv6 configured on their interfaces. These devices must have at least one IPv4
interface. Devices are managed using IPv4.
Hosts running IPv6 are supported in the User Tracking application.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 90 of 143
Deployment Guide
Upon the completion of every instance of data collection, Campus Managerrelated port configuration data is
updated with the latest information.
Campus Manager 5.2 uses the data from data collection to generate the Link and Access Ports reports. The time-
stamp information is added to the ports while the data collection process is running.
You can also backup the schema, stored procedures, and select tables given by applications in a configuration file.
Applications will ensure that the selected tables include all the dependent tables for proper functioning as part of
restore. For all the tables that are not mentioned, the empty tables will be created so that applications can work
properly. You can restore the settings similar to the normal backup with no data or less data.
An option will be provided for selective backup that will back up only the system settings, user preferences, and
configuration file.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 91 of 143
Deployment Guide
Business Scenarios
On a daily basis, network administrators face many challenges to maintain a healthy running network to support
business needs. They constantly ask questions like:
How do I quickly and easily detect, isolate, and correct network faults?
How do I monitor not only up and down status, but also potential problems?
How do I provide valuable insight into the relative health of a device and the network?
How do I address problems before network service degradation affects users?
How do I minimize downtime and service degradation?
CiscoWorks Device Fault Manager proactively monitors the network for indicators of device or network faults,
helping enable the network administrator to know exactly where the problem is and what to fix, thus avoiding costly
network service degradation. DFM has the built-in intelligence to determine what variables and events to look for to
determine the health of a Cisco device, without user intervention, for true fault management.
DFM Architecture
As in Figure 79, CiscoWorks DFM uses SNMP polling and SNMP traps to discover and display real-time faults. DFM
provides rules to analyze events that occur and help determine when a probable fault has occurred on Cisco
devices. It allows you to configure immediate notifications on certain types of faults and stores events and alerts for
31 days in the fault history.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 92 of 143
Deployment Guide
DFM already knows which MIB variables to poll for each different device to determine the status and health of the
device. The necessary threshold values have also been predefined based on extensive testing. Therefore DFM can
begin fault and performance monitoring as soon as the devices are added to the DFM inventory.
Known: The device has been successfully imported and is fully managed by DFM.
Learning: DFM is discovering the device. This is the beginning state, when the device is first added or is
being rediscovered. Some of the data collectors may still be gathering device information.
Questioned: DFM cannot manage the device. For example, a Call Manager will show up as questioned if
its included in the DFM inventory.
Pending: The device is being deleted. (DFM is waiting for confirmation from all of its data collectors before
purging the device and its details.)
Unknown: The device is not supported by DFM.
To get more details of the devices, go to DFM Device Management Device Details.
Rediscover a device: If a device is in stuck in learning state, you can rediscover the device by going to DFM
Device Management Rediscover.
Create/Activate a View
Go to DFM Configuration Other Configuration Alerts and Activities, click Create, and include the
devices for this view. You can create different views for different groups of devices.
After the view is created, select it to activate it. Then you can see the view by going to DFM Alerts and Activities.
This will launch a browser window to show the alerts and activities on the devices.
From these alerts and activities, you can monitor the faults going on in your network and start taking actions to
correct them. See Figure 80.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 93 of 143
Deployment Guide
Clicking the Alert ID will open the Alert and Activities detail window (Figure 81).
From here, you can navigate to the event by clicking the event ID or taking actions to:
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 94 of 143
Deployment Guide
You can also launch tools to help with the troubleshooting of the events:
Notification Services
The Alerts and Activities display requires constant visual contact to monitor what is going on with the network. To
free the administrators from the necessity of 24-hour-a-day, 7-day-a-week visual contact with the Alerts and Activities
display, DFM allows for alternate means to notify personnel, such as email, SNMP traps, and syslog messages.
Each of these notification mechanisms provides a summary of the alert or event. The receiver of the notification
could then return to DFM for more details.
Notification Groups
Notifications are sent based on subscripts to notification groups. Basically a notification group is a set of events and
alerts occurring on a set of devices. This allows for different recipients or notification mechanisms for different
devices and alerts for ultimate notification flexibility.
Following are the setup steps for a typical application where the user receives email based on the notification group:
1. Set up the default email server. Go to DFM Configuration Other Configurations SMTP Default
Server.
2. Create a custom group to select devices to be monitored. See the Group Administration section in this chapter.
3. Create an event set to select the interesting events for the user. Go to DFM Notification Services Event
Sets. Up to nine event sets can be created. See Figure 82.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 95 of 143
Deployment Guide
4. Create a notification group. Go to DFM Notification Services Notification Groups. Select the custom
group created in step 2 and the event set created in step 3. See Figure 83.
5. Create an email subscription. Go to DFM Notification Services Email Notification, and select the
notification group, and then enter the email address as the destination.
Polling parameters are used to make the DFM server poll the devices in the various groups in specified intervals.
Threshold parameters are used to determine the thresholds for various devices. When these thresholds are crossed
for the various types of devices, alerts are raised in the DFM server.
Group Administration
System-Defined Groups
When devices are imported from DCR to DFM, they are automatically grouped into system-defined groups. These
groups are:
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 96 of 143
Deployment Guide
Custom Groups
If you want to manage the device differently by setting customized polling and threshold parameters, you can create
custom groups. DFM provides 28 customizable groups, which are divided into four categories. See Figure 84.
To create DFM groups traverse to the Configuration Other Configuration Group Administration link.
Priority Setting
When you create a custom group and add devices to it, the devices now belong to two groups, the system-defined
group or the default group, and the new custom group. You need to set the priority of the custom group to be higher
than that of the system-defined group.
To change the priority setting, go to DFM Configurations Polling and Thresholds Setting Priorities. See
Figure 85.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 97 of 143
Deployment Guide
On this interface, you can move the priorities for the groups up or down.
Customizing DFM
DFM comes out of the box with the default settings ready to run. You can control and fine-tune these settings, such
as:
Notification Customization
Rediscovery Schedule
Daily purge schedule
SNMP Settings
Trap Receiving
Trap Forwarding
Logging
Notification Customization
You can change the event description and severity (new in LMS 3.2) by going to Notification Services
Notification Customization. See Figure 88.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 98 of 143
Deployment Guide
Rediscovery Schedule
DFM discovers each device to determine the manageable components it contains. DFM can then assign appropriate
polling and threshold parameters. In order to make sure DFM monitoring of a device is up to date, the device needs
to be rediscovered on a periodic basis. The default is to rediscover on a weekly basis. You can change this setting
by going to DFM Configuration Other Configurations Rediscovery Schedule.
SNMP Settings
DFM gets the majority of the information it uses to determine a devices fault status through SNMP queries. Since
SNMP is a User Datagram Protocol (UDP), there is the opportunity for information to be lost. To help alleviate this,
servers can employ a series of timeouts and retries. DFM comes preconfigured to perform three retries using a
timeout value of 4 seconds.
To change these variables, select DFM Device Management SNMP Config and make the changes.
Configure Logging
DFM writes application log files for all major functional modules. By default, DFM writes only error and fatal
messages to these log files; DFM saves the previous three logs as backups. You cannot disable logging. However,
you can:
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 99 of 143
Deployment Guide
Change the logging setting by going to DFM Configurations Other Configurations Logging.
Auto Allocation of Devices: It helps to define rules and automatically allocate the devices based on the rules.
Allocate by Groups and Allocate All Devices are the two options of Auto Allocation of Devices.
Clearing Multiple Alerts: In DFM 3.0.2, the user has to open each alert individually to clear it. In DFM 3.1, the
user can clear multiple alerts in one click in the Alerts and Activities page. Using the checkboxes, the user
can select multiple alerts and click the Clear button to manually clear all the selected alerts.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 100 of 143
Deployment Guide
Business Scenarios
Managing mission-critical networks has become an integral component of todays businesses. Customers no longer
see the IP network as an unreliable infrastructure on which to build their business. Internet service providers (ISPs)
and even internal IT departments now have to offer a defined level of service -- a service-level agreement (SLA) -- to
provide their customers with a degree of predictability. How to measure network response time, determine device
availability, resolve connectivity issues, analyze response time patterns, and provide critical reports, both real time
and historical have taken on an even higher priority.
CiscoWorks Internetwork Performance Monitor is a network management application that leverages the Cisco IOS
IP SLA technology to monitor the end-to-end performance of multiprotocol networks. IPM measures performance
from one end of the network to the other and allows a broader reach and more accurate representation of the end-
user experience. Using IP SLA, IPM measures and displays five key network performance statistics between a
source and a target device. These five statistics include latency, availability, jitter, packet loss, and errors.
SLA was formerly known as RTR or SAA. For more information on Cisco IOS IP SLA, visit
http://www.cisco.com/go/ipsla.
Source router: Originating point from which IPM makes latency and availability measurements. This is where
the IPM server uses SNMP to configure Cisco IOS IP SLAs. A source router must run Cisco IOS Software
with the IP SLA feature.
Target router: Destination of the source router operations (IP SLA measurements) from which response data
should be collected. A target can be an IP host, another Cisco IOS device with IP SLA, or an Systems
Network Architecture (SNA) host.
Test operation: The traffic test operations simulate actual network traffic for a specific protocol. For example,
to measure the latency for a voice over IP (VoIP) session, an Enhanced UDP test operation is created and
defined to send a series of 60-byte UDP packets with a specified type of service (ToS) value and target port
number.
Collection schedule: A collector can be scheduled to run at any point in time, or continuously over any time
interval. This flexible scheduler makes IP SLAs suitable for both service-level monitoring and troubleshooting.
The workflow for the IPM application is illustrated in Figure 87.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 101 of 143
Deployment Guide
As in this workflow diagram, we define the collector from step 1 to step 5. In the first and second steps, the source
router and target device are defined. For Cisco IOS devices, we need to turn on IP SLAs in the Cisco IOS Software.
In step 6, IP SLAs in the source router generate the synthetic tests and measure latency/response time. The IPM
server will then poll the collectors to collect test results and generate the results in real-time or historical reports.
IP host: If the target is an IP host, it can be any IP-addressable device such as a network device, server, or
workstation. Likely candidates for target devices are the actual servers providing application services, or
devices such as routers that can provide protocol performance measurements for an intermediate network
segment.
SNA host: If the target is an SNA host (IBM MVS mainframe), it must run a Virtual Telecommunications
Access Method (VTAM) program called NSPECHO, available in the IPM product, to measure SNA latency.
Optionally, the SNA host can use an SCCP-LU Native Echo.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 102 of 143
Deployment Guide
Cisco IOS device with the IP SLA Responder enabled (12.0(3)T or later): The Responder feature can improve
the accuracy of the tests. The Responder can listen and respond to a specified port number. Additionally, the
Responder, based on the type of operation, might put timestamps on the return packets for accurate
measurement times.
First, check the Cisco IOS version of the source router. Cisco IOS release 11.2 is the earliest and first release that
supports the IP SLAs (formerly known as RTR or SAA).
Additionally, a few device configuration commands need to be set in order to configure IP SLAs using IPM and have
IP SLA-related traps forwarded to a network management station. These commands are outlined in Figure 87 and
discussed below.
IPM uses SNMP to define the Cisco IOS IP SLA and to extract the data in the IP SLA MIB in the source
router. Both the SNMP read-only (ro) and read-write (rw) community strings need to be configured on the
source router.
Optionally, to receive traps at an NMS when a test exceeds a specified latency threshold, verify that the
source router is set up to send IP SLA-generated traps. The SNMP keyword rtr limits the traps sent to the
specified address to IP SLA-related traps. If the keyword rtr is omitted, all default SNMP traps are sent to the
named network management host including IP SLA-related traps.
Here are the configuration commands needed on the source router:
router>enable
router#config t
router(config)#snmp-server community <string> ro
router(config)#snmp-server community <string> rw
router(config)#ip sla monitor
router(config)#snmp-server host <ip address><trap community string> rtr
router(config)#snmp-server enable traps rtr -------------->still valid in 12.3
IP host: The host must be reachable by the source device, but no other configuration is needed.
SNA host: It must run a VTAM program called NSPECHO, available in the IPM product, to measure SNA
latency. Optionally, the SNA host can use an SCCP-LU Native Echo.
Cisco IOS device: The device must be reachable by the source device and the SNMP read community string
must be configured.
Cisco IOS device with IP SLA Responder: A target device that is running Cisco IOS Software can be
configured as a Responder, which processes measurement packets and provides detail time-stamp
information. The device must be reachable by the source device, and the SNMP read community string must
be configured. Additionally, the IP SLA Responder feature must be enabled.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 103 of 143
Deployment Guide
The responder has intimate knowledge of Cisco IOS Software processing, so it can send information about the
target routers processing delay back to the source IP SLA. This delay is removed during calculation to further
improve accuracy.
Following is the list of commands on the target device if it is a Cisco router running Cisco IOS Software:
router>enable
router#config t
router(config)#snmp-server community <string> ro
router(config)#ip sla monitor responder
When a new device is added to IPM, IPM first tries to access the device and then verifies the SNMP community
strings. If successful and the device is a Cisco device, IPM determines the devices Cisco IOS version and its IP SLA
version, formerly known as SAA. If the information is valid, it adds the device to the IPM database.
For a device to be added to the list of source routers, the device must have valid SNMP read-only and read-write
community strings and a recent Cisco IOS version.
Define an Operation
IPM has a list of test operations built-in. You can also create your own test operations by going to IPM Collector
Management Operation.
Echo
Path Echo
UDP Echo
ICMP Jitter
UDP Jitter
VoIP Post Dial Delay
VoIP Gatekeeper Registration Delay
RTP
DNS
DHCP
HTTP
FTP
DLSw
TCP Connect
For definition of these test operations, please refer to
http://www.cisco.com/en/US/products/ps6602/products_white_paper09186a00802d5efe.shtml.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 104 of 143
Deployment Guide
Define a Collector
Finally we tie together the four components of the collector, that is, source and target devices, test operation, and
schedule by creating a collector at IPM Collector Management Collector. See Figure 88.
After the collector is created, we can monitor or generate reports based on the collector.
Sample Usage
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 105 of 143
Deployment Guide
Go to the next screen, keep the default settings, and finish the workflow for creating the operation.
Step 2. Create a collector based on the operation just created. Set it to run forever, but make sure that it is deleted
later. See Figure 90.
Step 4. After a few days of data collection, you can create a report under IPM Reports. See Figure 91.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 106 of 143
Deployment Guide
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 107 of 143
Deployment Guide
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 108 of 143
Deployment Guide
Manage All Devices: Allows you to automatically add devices into IPM after they are added to DCR.
Manage By Groups: Allows you to automatically add devices into IPM based on device groups.
However, the number of devices added into IPM will depend on the license limit.
Metro Ethernet
IPM now supports the following IP SLA operations:
ethernetPing
ethernetPingAutoIPSLA
ethernetJitter
ethernetJitterAutoIPSLA
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 109 of 143
Deployment Guide
CLI Support
You can use CLI commands in IPM to import collectors from the given source devices.
Microseconds Accuracy
You can collect the jitter statistics for a UDP jitter operation at a precision level of microseconds.
Whenever the threshold levels are violated for any of the reaction variables configured, SNMP traps are sent to the
configured management stations.
For more information, see the section on configuring collectors using VRF in the User Guide for IPM 4.2.
For more information, see the Managing Outage Details chapter in the User Guide for IPM 4.2.
Highest Jitter
Lowest Availability
Highest Latency
IPM Violation Summary
Report period
Granularity
Next reporting time
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 110 of 143
Deployment Guide
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 111 of 143
Deployment Guide
Business Scenario
For network administrators, monitoring the network is an essential requirement in their network management tools.
Not only do they need to be able to monitor any MIB object on the network but they also need to have a meaningful
reporting capability that shows the top issues on the network and proactively provides alerts when things happen.
They also need to keep track of the trends of network events to understand the network in a dynamic environment.
CiscoWorks Health and Utilization Monitor is an SNMP-based MIB polling application that monitors network
elements (such as CPU, memory, interfaces/ports, and links) for their availability and utilization levels and provides
historical reporting. It is an add-on application pre-integrated since LMS 3.0, managed in the same LMS Portal like
other applications such as RME, DFM, CM, or IPM. Users need to purchase a separate license for HUM. HUM relies
on LMS Common Services, so it cannot run on its own.
Capacity planning
A clear way to troubleshoot network performance issues
The capability to isolate/correlate network issues
CWHUM-1.2-S-K9 50
CWHUM-1.2-M-K9 300
CWHUM-1.2-L-K9 1000
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 112 of 143
Deployment Guide
Today the maximum SKU that is offered for HUM is 1000 devices (licensing restriction). It is not supported to add up
licenses to make up to 10,000 devices even though LMS bundles support up to 10,000 devices. In future releases
users will be able to add up licenses in the order of 1000 devices up to a maximum of 5000 devices total.
The device count restricts the license options. One HUM server can support up to 1000 devices. Actually the
scalability of HUM depends on how many MIB objects are managed. The maximum number of MIB objects
supported is 100,000, with 40,000 on 1-minute and 60,000 on 5-minute polling intervals.
Standalone: HUM with CiscoWorks Common Services, LMS Portal, and CiscoWorks Assistant
Bundle: HUM with LAN Management Solutions (LMS) 3.1 and 3.2.
Table 15 gives the scalability numbers for the different SKUs in both standalone and bundle deployments.
Bundle (300 HUM SKU + 1500 LMS SKU) 20,000 MIB objects
Note: The scalability information is pending testing for the 50-license SKU. Generally the more powerful hardware
will support more MIB objects.
Workflow of HUM
In system-defined templates, if the MIB variable in the primary set is not available, an alternate MIB variable in the
fallback set stored in the device is selected. This fallback logic is applied during poller creation and an appropriate
MIB variable is selected for polling.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 113 of 143
Deployment Guide
System-defined templates support all Cisco devices that support the following MIB files:
CISCO-ENHANCED-MEMPOOL-MIB
CISCO-ENVMON-MIB
CISCO-MEMORY-POOL-MIB
CISCO-PROCESS-MIB
ENTITY-MIB
OLD-CISCO-CHASSIS-MIB
RFC1213-MIB
IF-MIB
CISCO-POWER-EHTHERNET-EXT-MIB
POWER-EHTHERNET-MIB
CISCO-RTTMON-MIB
User-Defined Templates
Users can also create their own templates to poll MIB objects they are interested in. To create a template, go to
HUM Pollers and Template Management Template Management and click Create.
For example in Figure 96 we create a template to poll the temperature MIB objects using the CISCO-ENVMON-MIB.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 114 of 143
Deployment Guide
Import/Export Templates
With multiple HUM servers, users can export and import templates. See Figure 97.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 115 of 143
Deployment Guide
<variableRefId>0</variableRefId>
<dataType>INTEGER</dataType>
<objectType>SEQUENCE</objectType>
</com.cisco.nm.upm.templatemgmt.MibVar>
<com.cisco.nm.upm.templatemgmt.MibVar>
<mibReferenceId>0</mibReferenceId>
<objectId>1.3.6.1.4.1.9.9.13.1.3.1.4</objectId>
<responseHandlerType>GENERIC</responseHandlerType>
<persistance>true</persistance>
<variableName>ciscoEnvMonTemperatureThreshol</variableName>
<variableRefId>0</variableRefId>
<dataType>Integer32</dataType>
<objectType>SEQUENCE</objectType>
<units>"degrees Celsius"</units>
</com.cisco.nm.upm.templatemgmt.MibVar>
<com.cisco.nm.upm.templatemgmt.MibVar>
<mibReferenceId>0</mibReferenceId>
<objectId>1.3.6.1.4.1.9.9.13.1.3.1.5</objectId>
<responseHandlerType>GENERIC</responseHandlerType>
<persistance>true</persistance>
<variableName>ciscoEnvMonTemperatureLastShut</variableName>
<variableRefId>0</variableRefId>
<dataType>Integer32</dataType>
<objectType>SEQUENCE</objectType>
<units>"degrees Celsius"</units>
</com.cisco.nm.upm.templatemgmt.MibVar>
</mibVar>
</primarySet>
</com.cisco.nm.upm.templatemgmt.Template>
</templates>
</com.cisco.nm.upm.templatemgmt.TemplateCollection>
Creating Pollers
After you get the templates to poll the MIB objects in which you are interested, create a poller to poll the MIB objects
on a specified schedule.
Here we create a poller, Demo-All, which polls several demo devices using the system-defined templates. The setup
options include poller name, devices, template, polling intervals.
Clicking Poll All Instances will poll all MIB objects applicable. For example, if the device has two CPUs and you
select the CPU Utilization template, both CPUs will be polled based on schedule. See Figure 98.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 116 of 143
Deployment Guide
After the poller is created, it shows in the poller table (Figure 99). You can activate, deactivate, delete, edit, clear
missed cycles, and clear failures.
Poll Settings
CiscoWorks HUM allows you to configure the SNMP timeout and SNMP retries using the Poll Settings option. The
SNMP timeout and SNMP retries are based on the device and network response time.
SNMP timeout is the duration of time that HUM waits for the device to respond before it tries to query the
device again.
SNMP retry is the maximum number of times HUM retries to query the device.
You can also configure Poll Settings to send the polling failure report as an email.
1. Go to LMS Portal and select Health and Utilization Monitor Admin System Preferences.
2. Select Poll Settings. See Figure 100.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 117 of 143
Deployment Guide
For example, the CPU Utilization poller populates the Top-N CPU Utilization portlet (Figure 101).
Users can also create historic graphs by specifying the device, MIB object, and the time interval (Figure 102).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 118 of 143
Deployment Guide
Click Save and view the historic graph. See Figure 103.
Threshold Management
Thresholds in HUM enable automated actions based on the crossing of threshold conditions. Users can create
thresholds for one MIB object at a time. The polled value will be compared to threshold conditions and invoke
automated actions when the threshold is violated. The automated actions include:
Email
Script
Syslog messages
SNMP traps
Before setting up thresholds, users can first setup a trap receiver group and a syslog receiver group.
1. Go to LMS Portal and select Health and Utilization Monitor > Admin > System Preferences > Trap Receiver
Groups. See Figure 104.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 119 of 143
Deployment Guide
1. Go to LMS Portal and select Health and Utilization Monitor > Admin > System Preferences > Syslog
Receiver Groups. See Figure 105.
Once trap receiver and syslog receiver groups are set up, users can configure thresholds by going to HUM
Thresholds Management and clicking Create.
In the example in Figure 106 we can create a threshold for interface bandwidth utilization. Here users can specify the
details of the thresholds. The TXUtilization is monitored. If it exceeds 80 percent for three times, email as well as
SNMP trap and syslog alerts will be sent.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 120 of 143
Deployment Guide
TrendWatch Support
TrendWatch helps administrators to understand the current network capacity levels and plan for future. For instance,
you can get notified when the Daily Interface Utilization Average crosses the 90 percent threshold for 20 times on
your critical uplinks over the last 30 days. This will help you assess the load on the uplinks and aid in capacity
planning
The TrendWatch feature helps ensure that the capacity, performance, and utilization of critical resource remain
within the defined service level.
You can configure TrendWatch through HUM by setting up rules for each MIB variable or thresholds for a specific
time period. TrendWatch can be scheduled (Immediate, Once, Daily, Weekly, and Monthly) as a job. It can be
configured to send alert notifications through email, traps, or syslog. See Figure 108.
TrendWatch allows you to continuously monitor a value over time, sampling the value at periodic intervals to view
the trends. You can watch variable trends in an hour, 6 hours, days, weeks, months, and years. You can identify
trends that develop over time and take appropriate actions.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 121 of 143
Deployment Guide
TrendWatch is calculated on past or historical data and therefore it does not monitor real-time data like threshold.
When the average weekly CPU or interface utilization goes up or down relative to the previous week by n
percent
When the device or interface availability over a period is less than n percent
When the average utilization of the interface is above n percent
When the availability was false for nminutes for more than xtimes in a week/month/quarter
When the minimum value is less that nfor xtimes over a period of y weeks
When the 95th percentile value of availability is equal to nfor a period of x quarters
When n percentage of times the utilization is greater than x percentage
HUM Report
To generate reports, go to HUM Reports. See Figure 109.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 122 of 143
Deployment Guide
This page allows you create, manage, and view reports. You can use reports to analyze the utilization of a device
interface.
You may not be able to use some of these functions if you do not have the required privileges.
Options
Report Management: You can view and manage the following reports:
My Favorites: You can add your list of favorite reports to the My Favorites category. You can launch, edit,
remove, and delete your favorite reports.
Device Reports: You can view the complete performance of a device from a single report.
Quick Reports: These are predefined system-generated reports. You can view and copy an existing report.
Poller Reports: These reports are created based on the template used in a given poller. You can create,
edit, copy, and view a report.
Custom Reports: You can create custom reports based on your requirements. You can create, edit, copy,
and view a report.
Threshold Violation Reports: You can create reports based on the threshold configured for the MIB
variable. You can create, edit, copy, and view a report.
TrendWatch Reports: You can create reports based on TrendWatch configured for the MIB variable.You can
create, edit, copy, and view a report.
TrendWatch Summary Reports: You can create summary reports based on the TrendWatches configured
for the MIB variables. You can create, edit, copy, and view a report.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 123 of 143
Deployment Guide
Click to expand the report category node. Click the report name and select the following options:
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 124 of 143
Deployment Guide
This chapter deals with server administration to optimally utilize the resources of the server while also maintaining a
current status of the network topology.
Log Rotation
One common problem in LMS server maintenance is to control the size of log files. Log rotation helps you manage
the log files more efficiently. In previous versions, a command line utility, logrot, is configured and run to rotate the
log files. From LMS 3.1, logrot can be configured and scheduled to run on the GUI.
To configure log rotation, go to Common Services Server Admin Log Rotation. See Figure 110.
The backup directory stores the rotated log files. The default directory is:
NMSROOT\log on Windows
/var/adm/CSCOpx/log on Solaris
If you do not specify a backup directory, each log file will be rotated in its current directory.
You can also specify Restart Daemon Manager to stop and start the daemon before the log rotation starts. This is
optional.
To add the log files for rotation, click the Add button to add log files one by one.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 125 of 143
Deployment Guide
As shown in Figure 111, you specify the log file name, maximum logrot size(the default is 1024KB, the maximum
size is 4096MB), the compression format, and the number of backups. If you do not want to keep any archive, enter
0 for the number of backups.
To schedule log file rotation, click the Schedule button and specify the schedule to run. See Figure 112.
Database Backup
You can backup the LMS database either through GUI or CLI. Before LMS 3.2, it is not possible to do selective
backup/restore. The backup process backed up all configuration files from the application databases. In this release,
you can back up the required system configurations and data from the command-line interface.
The following data is backed up when you run a backup from the user interface or from CLI:
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 126 of 143
Deployment Guide
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 127 of 143
Deployment Guide
The Generations option shown in Figure 113 specifies the maximum number of versions of backups to be stored in
the backup directory.
Enter multiple email addresses in this window by separating them with commas.
Note: Please note that the DCR master/slave mode is also backed up.
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\backup.pl BackupDirectory [LogFile]
[Num_Generations]
On Solaris, run:
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl BackupDirectory [LogFile]
[Num_Generations]
where,
BackupDirectory is the directory that you want to be your backup directory. This
is mandatory.
LogFile is the name of the log file that contains the details of the backup.
Num_Generations is the maximum number of backup generations to be kept in the
backup directory.
On Windows, run:
NMSROOT\bin\perl NMSROOT\bin\backup.pl-dest=BackupDirectory {-system | -
history}[-log=LogFile] [-email=E-mail][-gen=Num_Generations]
On Solaris, run:
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/backup.pl-dest=BackupDirectory {-system|-
history} [-log=LogFile] [-email=E-mail] [-gen=Num_Generations]
where,
-dest=BackupDirectory is the directory where the backed up data to be stored.
This is mandatory.
-system is the command-line option that allows you to back up only the selected
system configurations from all applications instead of backing up the complete
databases. This is mandatory.
-log=LogFile is the name of the log file that contains the details of the backup.
-gen=Num_Generations is the maximum number of backup generations to be retained
in the backup directory.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 128 of 143
Deployment Guide
campus
cmf
cvw
cwportal
dfm
ipm
opsxml
rmeng
upm
You can also examine the log file at the following location to verify backup status:
On Solaris:
/var/adm/CSCOpx/log/dbbackup.log
On Windows:
NMSROOT\log\dbbackup.log
Restoring Data
The new restore framework supports restore across versions. This allows you to restore data from versions 3.0.5,
3.0,6, 3.1, 3.1.1, and 3.2 in addition to Common Services 3.3. The restore framework checks the version of the
archive.
If the archive is of the current version, then the restore from the current version is run.
If the backup archive is of an older version, the backup data is converted to Common Services 3.0.5 format, if
needed, and applied to the machine.
You can restore your database by running a script from the command line. You have to shut down and restart
CiscoWorks while restoring data.
In all backup-restore scenarios, a backup is taken from a machine A, and the backed up data, say Ab, is restored on
the same machine A, or on a different machine B.
Make sure that you do not run any critical tasks during data restoration. Otherwise, you may lose the data for such
tasks.
For details on the effect of the restore operation on DCR modes and groups, see Effects of Backup-Restore on DCR
and Effects of Backup-Restore on Groups.
Caution: Restoring the database from a backup permanently replaces your database with the backed up version.
The list of applications in a backup archive should match the list of applications installed on a CiscoWorks server
where you want to restore the data. You should not continue the restore when there is a mismatch, as it may cause
problems in the functionality of CiscoWorks applications.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 129 of 143
Deployment Guide
[-ttemporary directory]: The restore framework uses a temporary directory to extract the content of the
backup archive.
By default the temporary directory is created under NMSROOT as NMSROOT/ tempBackupData. You can
customize this, by using this - t option, where you can specify your own temp directory. This is to avoid
overloading NMSROOT
[-gengenerationNumber]: Optional. By default, it is the latest generation. If generations 1 through 5 exist,
then 5 will be the latest.
[-dbackup directory]: Required. Which backup directory to use.
[-h]: Provides help. When used with -d<backup directory> syntax, shows correct syntax along with available
suites and generations.
To restore the most recent version, enter:
/opt/CSCOpx/bin/perl /opt/CSCOpx/bin/restorebackup.pl-dbackup directory
where NMSROOT is the CiscoWorks installation directory. See the previous section for command option
descriptions.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 130 of 143
Deployment Guide
While restoring using a backup taken from a machine that is in ACS mode, the machine on which data is restored
needs to be added as a client in ACS. Contact the ACS administrator to add the restored machine as an ACS client.
See also, Setting the Login Module to ACS, at the online help.
Data Restored from Common Services 3.0.x/CS 3.1.x/CS 3.2/CS 3.3 Backup Archive
The following data will be restored from a Common Services 3.0.x/3.1.x/3.2/3.3 backup archive:
cd CSCOpx/bin directory
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 131 of 143
Deployment Guide
DCR CLI
Using the command-line interface, you can add, delete, view, and modify devices and change DCR modes. You can
import from a local NMS or remote NMS server or ACS. You can also export the DCR content to a file or ACS.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 132 of 143
Deployment Guide
User Tracking
Layer 2 topology
Discrepancies in the network configuration
Data extraction can be done either through CLI or servlet access.
Core Commands
Table 16 lists the core commands of the Campus Manager DEE.
You must invoke the cmexport command with one of the core commands specified in Table 16. If no core command
is specified, cmexport can execute the -v or -h options only:
For Discrepancy:
PX_DATADIR/cmexport/Discrepancy/timestampDiscrepancy.xml
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 133 of 143
Deployment Guide
Where:
PX_DATADIRis %NMSROOT%\files folder (on Windows) or /var/adm/CSCOpx/files
directory (on Solaris) (NMSROOT is the directory where you installed Campus
Manager)
timestamp is the time at which the log was written in Year Month Date HourOfDay
Minute Second format.
You can also use the f option to specify the file name and the directory for storing the DEE output. This utility does
not inherently delete the files created in the archive. You should delete these files when necessary. However, using
the same file name and directory twice would cause the previous file to be overwritten.
Where:
view: Specifies the format in which the user tracking XML data is to be
presented. It currently supports two options:
The servlet access to the Campus Manager data extraction engine is described below.
The servlet accepts users requests and authenticates the requesting users identity using the Common Services
authentication mechanism. The command to export user tracking, topology, and discrepancy can be sent as an
HTTP or HTTPS request. The servlet requires a payload file that contains details about the users credentials, the
command you want to execute, and optional details such as log and debug options as inputs in XML format. The
servlet then parses the payload file encoded in XML, performs the operations, and returns the results in XML format.
Typically, servlet access is used to extract the data from a client system. While generating data through the servlet,
the output will be displayed at the client terminal.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 134 of 143
Deployment Guide
The input XML file contains various tags for username, password, core command, and optional tags. The following
outlines the steps to extract the export file from the servlet.
1. Generate the necessary payload XML file with the required data.
2. Use a script to perform a POST operation to the servlet with the payload file. The servlet is http://Campus-
Server:1741/CSCOnm/campus/servlet/CMExportServlet.
3. The HTTP response of the servlet contains the XML file generated by executing the cmexport command on the
server with the parameters provided in the payload file.
4. Extract the XML file from the content of the HTTP response and save it to a local file.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 135 of 143
Deployment Guide
$ua->timeout(5000);
my $hdr = new HTTP::Headers Content-Type => text/html;
my $req = new HTTP::Request (GET, $url, $hdr);
$req->content($str);
my $res = $ua->request($req);
my $result;
if ($res->is_error)
{
print ERROR : , $res->code, : , $res->message, \n;
$result = ;
}
else
{
$result = $res->content;
if($result =~ /Authorization error/)
{
print Authorization error\n;
}
else
{
print $result ;
}
}
}
Note: Sample scripts are available in the Campus Manager DEE online help.
The above Perl script will invoke the servlet with the use of a payload XML file. The command will look similar to the
following:
In HTTP mode:
./perl script.pl http://server:1741/campus/servlet/CMExportServlet payload.xml
In HTTPS mode:
./perl script.pl https://server/campus/servlet/CMExportServlet payload.xml
Any user using the data extraction engine is authenticated and authorized. The username and password are either
provided as part of the CLI and servlet call or the password is put in a password file for retrieval by the data
extraction engine. The access permissions to the file can be set to prevent any unauthorized access. When using
this option, the CMEXPORTFILE environment variable should be set so it points to the file containing the credentials
and the command should be entered in the following format:
cmexport ut u admin host
The above syntax enables cmexport to find the relevant password associated with the username (in the above
case, for the username admin).
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 136 of 143
Deployment Guide
The top-level help command cwcli help provides the following output:
------------------------------------
------------------------------------
cwcli <application/command><arguments>
------------------------------------------------------------------
invreport Lists system and custom reports and generates inventory reports in CSV format.
config It has a set of commands that are used to download and fetch configurations, compare two different
configurations ,delete the archived configuration files, and reload the devices.
swim It has a set of commands that are used to list and export images from repositories.
Where:
cwcli export is the CiscoWorks command line interface for exporting inventory/config/changeaudit details
into XML format.
commandspecifies which core operation is to be performed.
GlobalArguments are the additional parameters required for each core command.
AppSpecificArguments are the optional parameters, which modify the behavior of the specific cwcli export
core command.
The order of the arguments and options is not important. However, you must enter the core command immediately
after cwcli export.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 137 of 143
Deployment Guide
On UNIX, you can view the cwcli export man pages by setting the MANPATH to /opt/CSCOpx/man/man1. The man
pages to launch the cwcli export are:
ChangeAudit
On Solaris: /var/adm/CSCOpx/files/rme/archive/YYYY-MM-DD-HH-MM-SS-changeaudit.xml
On Windows: NMSROOT\files\rme\archive\ YYYY-MM-DD-HH-MM-SS-changeaudit.xml
Config
On Solaris: /var/adm/CSCOpx/files/rme/cwconfig/YYYY-MM-DD-HH-MM-SS-MSMSMS-
Device_Display_Name.xml
On Windows: NMSROOT\files\rme\cwconfig\ YYYY-MM-DD-HH-MM-SS- MSMSMS-
Device_Display_Name.xml
Inventory
On Solaris: /var/adm/CSCOpx/files/rme/archive/YYYY-MM-DD-HH-MM-SS-inventory.xml
On Windows: NMSROOT\files\rme\archive\ YYYY-MM-DD-HH-MM-SS- inventory.xml
The details of servlet access to the RME data extraction engine is given below.
The name of the servlet is /rme/cwcli. The following is the servlet to be invoked to execute any command:
Note: Use <arg> and <argval> tags when the argument is a file.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 138 of 143
Deployment Guide
The remote access servlet creates a temporary file with the contents specified between the arg-val tags for the
import command. On the server the command is executed as cwcli config import -u admin -p
<Base64Encoded pwd> -device 10.77.240.106 -f tempfile. Here the tempfile contains the line
banner motd welcome,Sir.
For example:
perl samplescript.pl http(s)://<rme-server>:<rme-port>/rme/cwcli <payload XML file>
Note: For the secure mode (HTTPS) the port number is 443. The default port for CiscoWorks server in HTTP
mode is 1741.
if ($res->is_error)
{
print ERROR : , $res->code, : , $res->message, \n; $result = ;
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 139 of 143
Deployment Guide
else {
$result = $res->content;
if($result =~ /Authorization error/)
{ print Authorization error\n;
}
else {
print $result ;
}
}
}
IPM Export
The ipm exportCLI command is used to do IPM export.
The following example shows the command syntax and help that is displayed when you use the ipm export help
command:
Usage:
ipm export -u userid -p password [-m email] [-delimiter delimiter ] [-file filename
][-coll collectorname|all] [-source sourceDisplayNames|all] [-target
targetDisplayNames|all] [-oper operationNames|all] [-input argumentFile]
It is mandatory to specify only one of the options among -coll,-source,-target, and -oper.
Where:
-u: Specifies the CiscoWorks username
-p: Specifies the password for the CiscoWorks username
-m: Specifies an email address to send the results
-delimiter: Specifies the delimiter thatwill be used in the exported file to separate different fields
-coll: Specifies all,one, or more collector name(s) as a comma-separated list
-source: Specifies all,one, or more source display name(s) as acomma-separated list
-target: Specifies all,one, or more target display name(s) as a comma-separated list
-oper: Specifies all,one, or more operation name(s) as a comma-separated list
-file: Specifies a filename to export the data. This option is not applicable for exporting operations.
-input: Text file containing arguments to the command
Common Services
Network_Devices
Job_Details
Campus Manager
End_Hosts
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 140 of 143
Deployment Guide
For how to setup ODBC to the database and details of the database schema, please refer to the document Open
Database Schema Support in LMS 3.2 included in the DVD.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 141 of 143
Deployment Guide
Acronym Meaning
Certificate Setup This feature allows the creation of self-signed security certificates, which can be used to enable SSL connections
between the client browser and management server.
CWHP CiscoWorks homepage. A web page that a CiscoWorks user accesses after logging into a CiscoWorks server.
DCR Device and Credentials Repository is a common repository of devices, their attributes, and the credentials required to
manage devices in a management domain. DCR will enable the sharing of device information among various
network management applications.
FR Frame Relay
IOS Internetwork Operating System. It is an operating system that runs Cisco routers and switches.
MST Multiple Spanning Tree Protocol. It is an IEEE standard derived from MISTP.
NMSROOT Installation of folder of LMS. On Windows the default is c:\program files\CSCOpx; on Solaris it is /opt/CSCOpx.
Peer Server Account Setup This feature helps you create users who can programmatically login to CiscoWorks servers and perform certain
tasks. These users should be set up to enable communication between multiple CiscoWorks servers.
Peer Server Certificate Setup This feature allows you to add the certificate of another CiscoWorks server into a trusted store. This will allow one
CiscoWorks server to talk to another, using SSL.
IP SLA Cisco IOS IP Service Level Agreement (SLA), a network performance measurement feature in Cisco IOS Software,
provides a scalable, cost-effective solution for service level monitoring. It eliminates the deployment of dedicated
monitoring devices by including the operation capabilities in the routers.
Single Sign-On A feature by which a single browser session is used to transparently navigate to multiple CiscoWorks servers without
having to authenticate to each server.
SSO Single sign-on: The ability to login to multiple computers or servers with a single action and the entry of a single
password. Especially useful where, for example, a user on a LAN or WAN requires access to a number of different
servers.
System Identity Setup Communication between multiple CiscoWorks servers is enabled by a trust model addressed by certificates and
shared secrets. System Identity setup should be used to create a trust user on slave / regular servers for
communication to happen in multiserver scenarios.
TACACS+ Terminal Access Controller Access Control System Plus. It is an authentication protocol.
VTP VLAN Trunk Protocol. A protocol used in a trunk link of two switches to maintain VLAN information in a switched
network.
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 142 of 143
Deployment Guide
Date Common CiscoView Resource Campus Content Device Traffic nGenius Internetwork LMS LMS
Released Services (CV) Manager Manager Flow Fault Director Real-Time Performance Portal Assistant
(CS/CD Essentials (CM) Monitor Manager (TD) Monitor Manager
One) (RME) (CFM) (DFM) (RTM) (IPM)
LMS 1.0 Apr-00 CD One 5.1 3.1 3.0 1.0 N/A 5.8 N/A N/A N/A N/A
2nd Edition
LMS 1.0 Oct-00 CD One 5.2 3.2 3.0.1 1.1 Optional 5.8.1 N/A N/A N/A N/A
Update 3rd Edition 1.0
LMS 1.1 Mar-01 CD One 5.3 3.3 3.1 EOS N/A EOS 1.3 N/A N/A N/A
Update 4th Edition
LMS 1.2 May-02 CD One 5.4 3.4 3.2 N/A N/A N/A 1.4 N/A N/A N/A
Update 5th Edition
LMS 1.3 May-03 CS 2.2 + 5.5 for 3.5 for 3.3 for N/A N/A N/A 1.4 SP6 N/A N/A N/A
Update Update 1 Update 1 Update 1 Update 1
LMS 2.0 Mar-01 CD One 5.3 3.3 3.1 N/A 1.1 N/A 1.3 N/A N/A N/A
Upgrade 4th Edition
LMS 2.1 May-02 CD One 5.4 3.4 3.2 N/A 1.2 N/A 1.4 N/A N/A N/A
Update 5th Edition
LMS 2.2 May-03 CS 2.2 5.5 3.5 3.3 N/A 1.2 for CS N/A 1.4 SP6 N/A N/A N/A
Update 2.2
LMS 2.2 Oct-03 CS 2.2 + 5.5 for 3.5 for 3.3 for N/A 1.2 for CS N/A 1.4 SP6 N/A N/A N/A
Update Update 1 Update 1 Update 1 Update 1 2.2+UP1
LMS 2.5 Jan-05 CS 3.0 6.1 4.0 4.0 N/A 2.0 N/A EOS 2.6 N/A N/A
Update
LMS 2.5.1 Dec-05 CS 3.0.3 6.1.2 4.0.3 4.0.3 N/A 2.0.3 N/A N/A 2.6 N/A N/A
Update
LMS 2.6 Sep-06 CS 3.0.5 6.1.5 4.0.5 4.0.6 N/A 2.0.6 N/A N/A 2.6 N/A N/A
Update
LMS 3.0 Jun-07 CS 3.1 6.1.6 4.1 5.0 N/A 3.0 N/A N/A 4.0 1.0 1.0
LMS 3.0.1 Dec-07 CS 3.1.1 6.1.7 4.1.1 5.0.2 N/A 3.0.2 N/A N/A 4.0.1 1.0.1 1.0.1
Update
LMS 3.1 Jun-08 CS 3.2 6.1.8 4.2 5.1 N/A 3.1 N/A N/A 4.1 1.1 1.1
Update
LMS 3.2 Jun-09 CS3.3 6.1.9 4.3 5.2 N/A 3.2 N/A N/A 4.2 1.2 1.2
2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 143 of 143