Cisco Prime Network 4.3.2 User Guide
Cisco Prime Network 4.3.2 User Guide, Chapter 3: Setting Up Change and Configuration Management

Cisco Prime Network Change and Configuration Management (CCM) allows you to manage the device configurations and software images used by the devices in your network. These topics explain how to use CCM:

Workflow for Setting Up CCM
Setting Up Prime Network to Work With CCM
Setting Up Devices to Work With CCM
Setting Up Configuration Management
Setting Up Image Management
Setting Up CCM Device Groups
Setting Up Image Distribution Servers
Enabling SSH Resync on VNE and CCM

Whether you can perform these setup tasks depends on your account privileges. See Permissions Required to Perform Tasks Using the Prime Network Clients, page B-1 for more information.

Note: After installing or upgrading Prime Network, we recommend that you clear the browser cache before using CCM. If Prime Network is installed in Standalone mode and Suite mode with the Prime Central client, and you launch the NCCM from Prime Network and allow the Prime Network session to expire, Prime Network closes and prompts you to log in again, but the NCCM does not close automatically. The NCCM session remains active until you log out of the NCCM.
Workflow for Setting Up CCM

The following table provides the basic workflow for setting up CCM.

Step 1
  Description: Make sure Prime Network is set up correctly: verify the CCM port on the gateway, make sure the TFTP directory is set up on the gateway or unit, and so forth.
  See: Configuring Prime Network for CCM
  Description: Check the global settings that can impact the CCM functions that users can perform. If necessary, ask your Administrator to adjust the settings.
  See: Checking Prime Network Global Settings for CCM Operations

Step 2
  Description: Set up your devices so CCM can manage them, for example, make sure devices are reachable and your transfer protocols are set up correctly.
  See: Setting Up Devices to Work With CCM

Step 3
  Description: Set up Configuration Management, for example, perform the initial backup of configuration files to the configuration archive, set up the policy for ongoing and event-driven configuration checks, and so forth.
  See: Setting Up Configuration Management

Step 4
  Description: Set up Image Management, for example, configure the transport protocol and the staging and storage directories.
  See: Setting Up Image Management

Step 5
  Description: Set up device groups for bulk CCM operations.
  See: Setting Up CCM Device Groups

Setting Up Prime Network to Work With CCM

These topics describe how to set up Prime Network to use the CCM features:

Configuring Prime Network for CCM
Checking Prime Network Global Settings for CCM Operations

Configuring Prime Network for CCM

Check these settings to ensure Prime Network components are properly configured for CCM operations.

Verify the gateway port to be used. 8043 is the secure HTTP port enabled by default for CCM, but you can use port 8080 instead by running these commands:

    # cd $NCCM_HOME/scripts/
    # ./nccmHTTP.csh enable
    # dmctl stop
    # dmctl start

To disable port 8080, perform the same operation but use the disable argument.

For Image Management, verify that the gateway has sufficient space for the storing and staging directories (see Reference: Image Management Global Settings, page 3-14).

For file transfers using TFTP, verify that the TFTP directory is set up and available in the Prime Network gateway and/or unit. To modify and verify the TFTP directory, log in as network-user and run the following commands from NETWORKHOME (the Prime Network installation directory, which is export/home/network-user by default). In the following, IP-address is the IP address of the unit or gateway.
– To check the TFTP directory:

    ./runRegTool.sh -gs 127.0.0.1 get IP-address avm83/services/tftp/read-dir
    ./runRegTool.sh -gs 127.0.0.1 get IP-address avm83/services/tftp/write-dir

– To change the TFTP directory (optional):

    ./runRegTool.sh -gs 127.0.0.1 set IP-address avm83/services/tftp/read-dir tftp-dir-name
    ./runRegTool.sh -gs 127.0.0.1 set IP-address avm83/services/tftp/write-dir tftp-dir-name

Supported TFTP Directory Name Format

The TFTP directory name (tftp-dir-name) must be a single word and should not include any absolute path from the root directory. The following example shows a supported TFTP directory name:

    ./runRegTool.sh -gs 127.0.0.1 set 10.81.87.25 avm83/services/tftp/write-dir tftpnew1
    ./runRegTool.sh -gs 127.0.0.1 set 10.81.87.25 avm83/services/tftp/read-dir tftpnew1

TFTP Directory Name Formats that are not Supported

Follow these restrictions when specifying the TFTP directory name (tftp-dir-name) in the registry settings:

Do not use the forward slash (/) at the beginning or the end of the TFTP directory name.

Specify the directory name without subdirectories.
The following example uses the subdirectories tftpnew/tftpinner; this naming format is not supported:

    ./runRegTool.sh -gs 127.0.0.1 set 10.81.87.25 avm83/services/tftp/write-dir tftpnew/tftpinner
    ./runRegTool.sh -gs 127.0.0.1 set 10.81.87.25 avm83/services/tftp/read-dir tftpnew/tftpinner

Specify the same TFTP directory name in the registry settings for both the read directory (avm83/services/tftp/read-dir) and the write directory (avm83/services/tftp/write-dir). The following example uses the TFTP directory name tftpnew1 for both the read and the write directories:

    ./runRegTool.sh -gs 127.0.0.1 set 10.81.87.25 avm83/services/tftp/write-dir tftpnew1
    ./runRegTool.sh -gs 127.0.0.1 set 10.81.87.25 avm83/services/tftp/read-dir tftpnew1

– Restart AVM 83:

    networkctl -avm 83 restart

Note: Do not block port number 1069. Prime Network uses this port to listen for TFTP traffic.

If the gateway is behind a firewall, you must open special ports for CCM. This is not required for units that are located behind firewalls and use Network Address Translation (NAT) because the unit will not require a publicly-available IP address in order for the gateway to contact it.
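The TFTP directory naming rules above can be checked before any registry write. The following shell functions are an added example, not part of the Cisco guide: the function names are hypothetical, the allowed character set and the rejection of "." and ".." are assumptions beyond the stated rules, and the runRegTool.sh command lines are printed rather than executed.

```shell
#!/bin/sh
# Added example, not Cisco code. Function names are hypothetical.
# The runRegTool.sh command lines are only printed, never executed.

# Exit 0 if $1 satisfies the tftp-dir-name rules from the guide, otherwise
# print the reason on stderr and exit 1.
valid_tftp_dir_name() {
    case $1 in
        '')   echo "rejected: empty name" >&2; return 1 ;;
        /*)   echo "rejected '$1': starts with '/' (absolute path)" >&2; return 1 ;;
        */)   echo "rejected '$1': ends with '/'" >&2; return 1 ;;
        */*)  echo "rejected '$1': contains a subdirectory" >&2; return 1 ;;
        .|..) # assumption: path components are not valid names
              echo "rejected '$1': relative path component" >&2; return 1 ;;
        *[!A-Za-z0-9._-]*)
              # assumption: "single word" means letters, digits, '.', '_', '-'
              echo "rejected '$1': not a single word" >&2; return 1 ;;
    esac
    return 0
}

# Print the two "set" commands for unit/gateway IP $1 and directory $2,
# always using the same name for read-dir and write-dir.
tftp_registry_commands() {
    ip=$1
    dir=$2
    valid_tftp_dir_name "$dir" || return 1
    for key in read-dir write-dir; do
        printf './runRegTool.sh -gs 127.0.0.1 set %s avm83/services/tftp/%s %s\n' \
            "$ip" "$key" "$dir"
    done
}

# Given the values returned by the two "get" commands ($1 = read-dir,
# $2 = write-dir), check that both are valid and identical.
check_tftp_registry() {
    valid_tftp_dir_name "$1" || return 1
    valid_tftp_dir_name "$2" || return 1
    if [ "$1" != "$2" ]; then
        echo "mismatch: read-dir '$1' differs from write-dir '$2'" >&2
        return 1
    fi
    return 0
}

# Demo with the names used in the guide plus two constructed bad values.
for candidate in tftpnew1 tftpnew/tftpinner /tftpnew1 'tftp new'; do
    if valid_tftp_dir_name "$candidate" 2>/dev/null; then
        tftp_registry_commands 10.81.87.25 "$candidate"
    else
        echo "skipped unsupported name: $candidate"
    fi
done
```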
For IPv6, CCM functions run smoothly when the network and devices have IPv6 addresses.

Prime Network's information must be consistent with the device configuration.

– The SCP port configured on the device VNE (Prime Network's model of the device) must match the SCP port used by the device. If a device is not using the default SCP port, the VNE must also be configured with the non-default port. VNE properties are controlled from the Administration client. See the Cisco Prime Network 4.3.2 Administration Guide for more information.
– The SNMP read-write community configured on the device VNE must match the read-write community configured on the device.

You can configure a timeout for the command-line interface used for image distribution jobs. In Prime Network Administration, click Tools > Registry Controller > Image Management Settings > Image Distribution to configure the timeout for image distribution. The default timeout value is 5400000 ms. You can enter a timeout value between 3600000 ms and 7200000 ms.

Checking Prime Network Global Settings for CCM Operations

The following default CCM behavior is controlled from the Administration client.

The CCM actions that you can perform, and the devices you can view and manage. When a user account is created, the administrator assigns a user access level to the user account.

– The user access level controls what actions the user can perform using CCM.
– The device scope determines which devices a user has permission to access, and what the user is allowed to do on those devices.

For a matrix of actions users can perform depending on their user access level and device scope assignments, see Permissions Required to Perform Tasks Using the Prime Network Clients, page B-1.

Whether users have permission to run CCM jobs.
If global per-user authorization is enabled, a user can only run CCM jobs if they have been granted this permission in their user account settings. Global per-user authorization is disabled by default.

Whether users are required to enter their credentials when they run CCM operations. This is disabled by default.

Note: If Prime Network is being used with Prime Central, both job authorization and credential requirements are enabled.

Users with Administrator privileges can change these settings. They can also configure Prime Network to generate a warning message whenever a user executes a command script. For more information, see the Cisco Prime Network 4.3.2 Administrator Guide.

Setting Up Devices to Work With CCM

Check these device settings to ensure your devices can communicate with Prime Network:

Verify that the device is supported. See Cisco Prime Network 4.3.2 Supported Cisco VNEs.

Make sure you have performed all of the CCM-specific device configuration prerequisites for adding VNEs. These commands are described in the Cisco Prime Network 4.3.2 Administrator Guide.

For device configuration files, verify that devices are configured to forward configuration
change notifications to Prime Network. If you will be using event-triggered archiving, make sure the logging gateway-IP command is configured on all devices.

For CPT devices, the TL1 protocol must be enabled in the VNE Properties, and the default TL1 port is 3082.

The SNMP read-write community configured on the device must match the SNMP read-write community on the device VNE.

Verify the reachability between devices and their hosting units.

Verify the FTP settings. CCM supports FTP for all file and image transfers. Although you can configure a username and password on the device using the ip ftp command, this may not be safe if the network is not secure. Before using FTP, do the following:

– Configure the network device to add the Prime Network unit user credentials of the unit that manages the device. (You do not need to add the Prime Network unit server super-user credentials to the device configuration.)
– Restrict the FTP configuration such that the Prime Network unit user has read-write access only to the NETWORKHOME/tftp directory and therefore does not have access to unwanted files outside the home directory.

For IPv6, CCM functions run smoothly when the network and devices have IPv6 addresses.

Setting Up Configuration Management

These topics provide information on how to set up the Configuration Management feature:

Steps for Setting Up Configuration Management
Reference: Global Settings for Configuration Management
Notes on Exclude Commands

Note: CCM does not support the following special characters on its Settings pages: For Password fields—>, , Settings). Many of these settings can be overridden when you create specific jobs.

1. Configure the transport protocol that Prime Network will use between the device and the gateway. These are controlled from the Transport Protocol area.
The options are TFTP, SFTP/SCP, and FTP (TFTP is the default). To use FTP as the transfer protocol, you must install FTP on the gateway and the unit servers that manage the VNEs.

Note: FTP is not a secure mode of transfer. Use SCP/SFTP instead for secure config and image transfers.

Note the following:
– The TFTP source interface on the devices must be able to reach the unit. Otherwise, the configuration management jobs that require TFTP may fail.
– To use SFTP/SCP for configuration file transfers from a device to a unit, ensure that an SSH server is configured and running on the device (so that during the transfer, the device acts as a server and the unit as a client).
– For Cisco IOS, Cisco IOS XR, and Cisco IOS-XE devices, configure the device with K9-security-enabled images so that the SSH server is up and running on the device.
– To use SCP as the protocol to retrieve configuration files, execute the following command on the device:

    # ip scp server enable

2. Enable the initial synchronization of the archive files with the configurations that are running on the network devices. Whenever the gateway is restarted, CCM will perform this synchronization. By default, synchronization is disabled. To enable it, activate Enable Initial Config Syncup.

3. Configure the policies that control how often CCM retrieves information from devices and copies (backs up) configuration files to the archive. By default, all of these settings are disabled. Consider these questions when configuring your settings:

a. How much disk space is available? Smaller space may require more frequent purging.

b. Should new configuration files be copied (backed up) to the archive on a periodic basis or on an event-driven basis? If configurations are changing frequently and the changes are not of immediate importance, use periodic backups by selecting Enable Period Config Backup. This will minimize server workload.

Note: The periodic setting is recommended.

If every change is considered significant, use event-driven backups (Enable Event-Triggered Config Archive).
c. For event-driven archiving, should information be copied to the archive immediately upon receiving a change (Sync archive on each configuration change)? Or should changes be queued and then copied at a certain interval (Sync archives with changed configurations every ___ hours and ___ minutes)? If information needs to be copied to the archive immediately, synchronize the archive on each configuration change. Otherwise, you can synchronize the archive at regular intervals (every 1-24 hours).

While scheduling automatic backup operations, you might be prompted to enter your device access credentials. The device credentials are taken from the Configuration Settings. (See Setting Up Prime Network to Work With CCM, page 3-2.)

4. Configure CCM to perform periodic synchronization of out-of-sync devices by selecting Enable Periodic Sync for Out of Sync Devices (24Hours). The configmgmt-synchronize-sysjob system job is scheduled. You can view the scheduled job in the Configuration Management Jobs (Configurations > Jobs) page.

5. Configure CCM to export archived configuration to an export server on a periodic basis by selecting Enable Periodic Config Export and Export Settings. This allows you to free up disk space while keeping a permanent record of historical archives.

6. Configure when files should be purged from the archive using the Archive Purge Settings. Consider these questions when configuring the purge settings:
– How big are the configuration files?
– How often are changes made to devices?

7. Specify the default mode of restoring configuration files to the devices using Restore Mode.

8. Configure the SMTP server and e-mail IDs so that regular configuration management job status e-mails are sent. (You can also specify e-mail settings when you create a job.)

9. Specify the commands that should be excluded when CCM compares device configuration files. A set of common exclude commands is provided by default (for example, ntp-clock-period). These are controlled in the Exclude Commands area (see Notes on Exclude Commands, page 3-12).

Note: Configuring exclude commands is especially important if you are using event-driven archiving. Doing so avoids unnecessary file backups to the archive.

Reference: Global Settings for Configuration Management

Note: In the Configuration Management and Image Management Settings pages, CCM does not support the following special characters: For Password fields—>, , Settings. The backup settings you enter here do not affect the manual backups you can perform by choosing Configurations > Backup. The backups you perform from that page and the backups you configure on this Settings page are completely independent of each other.

Table 3-1 Configuration Archive Global Settings

Field: Description

Export Settings

Server Name: DNS-resolvable server name. Note: CCM supports export servers with IPv4 or IPv6 address.

Location: The full pathname of the directory to which Prime Network should copy the file on the server specified in the Server Name field.

Username: The login username that Prime Network should use when connecting to the server specified in the Server Name field.

Password: The login password that Prime Network should use when connecting to the server specified in the Server Name field.
Export Protocol: Default export protocol that Prime Network should use when exporting configuration files to another server. The choices are FTP and SFTP. The default is FTP. You can override this protocol while scheduling an export job, if required.
Archive Purge Settings

When you set the Archive Purge Settings, the configmgmt-archivepurge-sysjob system job is scheduled. You can view the scheduled job in the Configuration Management Jobs (Configurations > Jobs) page.

Minimum Versions to Retain: Minimum number of versions of each configuration that should be retained in the archive (default is 2).

Maximum Versions to Retain: Maximum number of versions of each configuration that Prime Network should retain (default is 5). The oldest configuration is purged when the maximum number is reached. Configurations marked "do not purge" are not included when calculating this number. The minimum number of versions to be retained is 5. The maximum number of versions that can be retained is 2147483647.

Minimum Age to Purge: Age (in days) at which configurations should be purged (between 5-360).

Configuration Change Purge Settings

Purge Change Logs after: Age (in days) at which to purge Change Logs. (Change Logs contain configuration change notifications from devices.) The default is 30 days and the range is 5-360. When you set the Configuration Change Purge Settings, the configmgmt-changeadtprg-sysjob system job is scheduled. You can view the scheduled job in the Configuration Management Jobs (Configurations > Jobs) page.

Global Settings

Transport Protocol: Default transport protocol that Prime Network should use when copying configuration files to and from a device. The options are TFTP, SFTP/SCP, and FTP. The default is TFTP. To use FTP as the transfer protocol, you must install FTP on the gateway and the unit servers that manage the VNEs. Note the following:

– The TFTP source interface on the devices must be able to reach the unit. Otherwise, the configuration management jobs that require TFTP may fail.
– To use SFTP/SCP for config transfers from a device to a unit, you need to ensure that an SSH server is configured and running on the device, such that the device acts as a server and the unit as a client during the transfer.
– For Cisco IOS, Cisco IOS XR, and Cisco IOS-XE devices, configure the device with K9-security-enabled images so that the SSH server is up and running on the device.

For information on the transfer protocol that CCM supports for each device, see the Cisco Prime Network 4.3.2 Supported VNEs - Addendum. For the supported protocols, see the Support for Change and Configuration Management in 4.3.2 tables.

Enable Periodic Config Backup: Detect ongoing configuration changes by performing a periodic collection of device information. Use this method if configurations change frequently but those changes are not important to you. CCM compares the timestamp for the last configuration change on the version in the archive with the timestamp on the newer version. If they are different, CCM backs up the new file to the archive immediately. By default, this is not enabled. The start time and repeat interval are configurable (4-100 hours). The default start time is 12:00 AM and the default repeat interval is 72 hours.

Note: This CCM collection is independent of the Prime Network inventory collection.

When you enable this option, the Configmgmt-backup-sysjob system job is scheduled. You can view the scheduled job in the Configuration Management Jobs (Configurations > Jobs) page.
Enable Periodic Sync for Out of Sync Devices (72 Hours): (For Cisco IOS only) Enables automatic synchronization of the out-of-sync devices on a periodic basis. Prime Network adds a device to the list of out-of-sync devices whenever the latest version of the startup configuration is not in sync with the latest version of the running configuration file on the device. The start time and repeat interval are configurable (4-100 hours). The default start time is 12:00 AM and the default repeat interval is 72 hours. When you enable this option, the configmgmt-synchronize-sysjob system job is scheduled. You can view the scheduled job in the Configuration Management Jobs (Configurations > Jobs) page.

Periodic Export Options

Enable Periodic Config Export: Allows CCM to periodically export configurations from the archive to the export server. You can set up an interval in the range of 4-100 hours. The default value for export interval is 24 hours. You can also specify the start time for the periodic export operation. Choose one of the following to specify how the export job should be performed when a copy of an archived configuration already exists on the export server:

– Export configuration file with all configurations: Overwrite the existing configuration on the export server.
– Do not export configuration file: Do nothing.
– Export configuration file with reference to previous configuration file: Create a new file that only contains a reference to the previous file.

Refer to Copying the Device Files to the Archive (Backups), page 9-32, to learn more about the type of configuration files exported for different devices.

When you enable this option, the configmgmt-export-sysjob system job is scheduled. You can view the scheduled job in the Configuration Management Jobs (Configurations > Jobs) page.
Enable Initial Config Syncup: Allows CCM to fetch the configuration files from the network devices and archive them whenever a new device is added to Prime Network. This populates the Configuration Sync Status dashlet on the dashboard. If this setting is enabled, CCM will not perform a syncup when the gateway is restarted (to protect performance), and the Disable Initial Config Syncup on Restart check box is checked by default. If you do want CCM to fetch the configuration files when the gateway restarts, uncheck the Disable Initial Config Syncup on Restart check box.

Note: The "sync up" described here pertains to making sure the archive correctly reflects the network device configurations. This is different from the Synchronize operation, where devices are checked to make sure their running and startup configurations are the same.

Disable Initial Config Syncup on Restart: Do not fetch configuration files when the gateway restarts.
Enable Event-Triggered Config Archive: Detect ongoing configuration changes by monitoring device configuration change notifications. This setting also controls whether Prime Network populates the Configuration Changes in the Last Week and the Most Recent Configuration Changes dashlets (on the dashboard). When you enable this option, the configmgmt-chngprdcsync-sysjob system job is scheduled. You can view the scheduled job in the Configuration Management Jobs (Configurations > Jobs) page.

Use this method if you consider every configuration file change to be significant. When a notification is received, CCM backs up the new running configuration file to the archive using one of the following methods:

– Sync archive on each configuration change: Upon receiving a change notification from a device, immediately backs up the device configuration file to the archive. For each configuration change, a new archive version is created in the Configuration Archives page (Configurations > Archives) and the archive version ID is updated in the Configuration Change Logs page (Configurations > Change Logs). If the archive version is not created in the Configuration Archives page, the Version column in the Configuration Change Logs page displays "N/A".
– Sync archives with changed configurations every ___ hours and ___ minutes: Upon receiving a change notification from a device, queues the changes and backs up the device configuration files according to the specified schedule. When a change is queued, the configuration change is updated in the Configuration Change Logs page but the Version column displays "N/A". The backup operation starts to execute and, based on the time that the device takes to respond, CCM fetches the running configuration from the device.
When the backup operation is successful, a new archive version is created in the Configuration Archives page and the version ID is updated in the Version column in the Configuration Change Logs page.

The version ID is not updated in the Configuration Change Logs page in the following scenarios:

– If you change any configuration using the Exclude Command, CCM ignores the change and will not create any new archive version in the Configuration Archives page. Therefore, the version ID is not updated in the Configuration Change Logs page. Make sure you check the Excluded Commands area in the Configuration Management Settings page.
– When the backup operation fails and a new archive version is not created in the Configuration Archives page.

Note: Make sure that the configuration change detection schedule does not conflict with purging, since both processes are database-intensive.

Note: If you are using event-triggered archiving, you should also make sure that exclude commands are properly configured. Exclude commands are commands that Prime Network ignores when comparing configurations, and they are controlled from the Settings page. Using this mechanism eliminates unnecessary file backups to the archive.

When a configuration change occurs for Cisco ASR 5000, Cisco ASR5500, and Cisco OLT devices, the relevant trap does not include the information about the user who initiated the configuration change. Therefore, the User column in the Configuration Change Logs page displays "N/A".
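How exclude commands keep event-triggered archiving quiet can be shown with a small comparison script. This is an added example, not CCM's implementation: the sample configurations are constructed, the function names are hypothetical, and treating each exclude command as an anchored regular expression is an assumption about matching.

```shell
#!/bin/sh
# Added example (not CCM code): compare two saved configurations while
# ignoring "exclude commands". Patterns are awk extended regexes, one per
# line; that matching rule is an assumption, CCM's own matching may differ.

# Print config file $1 without the lines that match any pattern in file $2.
# Blank lines and "#" comments in the pattern file are skipped, so an empty
# pattern can never silently exclude every line.
strip_excluded() {
    awk '
        FILENAME == ARGV[1] {
            if ($0 !~ /^[ \t]*(#|$)/) pat[++n] = $0
            next
        }
        {
            for (i = 1; i <= n; i++) if ($0 ~ pat[i]) next
            print
        }
    ' "$2" "$1"
}

# Exit 0 when configs $1 and $2 still differ after exclusion (a change worth
# archiving), 1 when the only differences are excluded lines.
# $3 is the pattern file.
config_changed() {
    before=$(strip_excluded "$1" "$3")
    after=$(strip_excluded "$2" "$3")
    [ "$before" != "$after" ]
}

# Write constructed sample configs and pattern files into directory $1.
make_samples() {
    printf '%s\n' 'hostname edge-rtr-01' 'ntp clock-period 17179869' \
        'ntp server 192.0.2.10' 'snmp-server community EXAMPLE-RO RO' \
        > "$1/v1.cfg"
    # v2: only the self-adjusting clock-period value moved
    sed 's/17179869/17180012/' "$1/v1.cfg" > "$1/v2.cfg"
    # v3: clock-period moved AND the NTP server was repointed
    sed 's/192\.0\.2\.10/198.51.100.7/' "$1/v2.cfg" > "$1/v3.cfg"
    printf '%s\n' '# volatile value rewritten by the device itself' \
        '^ntp clock-period [0-9]+$' > "$1/exclude.narrow"
    printf '%s\n' '^ntp' > "$1/exclude.broad"
}

# Demo: which transitions would create a new archive version?
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for v in v2 v3; do
    for p in narrow broad; do
        if config_changed "$demo_dir/v1.cfg" "$demo_dir/$v.cfg" \
                          "$demo_dir/exclude.$p"; then
            echo "v1 -> $v with $p patterns: archive new version"
        else
            echo "v1 -> $v with $p patterns: ignored"
        fi
    done
done
rm -rf "$demo_dir"
```

With the narrow pattern the repointed NTP server in v3 is reported, while the broad ^ntp pattern hides it, so keep each exclude pattern as specific as the volatile command it targets.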