Cisco Prime Network 4.3 User Guide
Cisco Prime Network 4.3.2 User Guide
Chapter 3 Setting Up Change and Configuration Management
Setting Up Configuration Management

Enabling the Enable Event-Triggered Config Archive option starts the CCM TFS registration, and disabling this option stops the CCM TFS registration.

If you stop the CCM TFS registration in the Event Notification Services page of Prime Network Administration while the Enable Event-Triggered Config Archive option is enabled, CCM will not receive any change notifications. Similarly, if you start the CCM TFS registration in the Event Notification Services page of Prime Network Administration while the Enable Event-Triggered Config Archive option is disabled, the count of notifications will increase in the Event Notification Service page, but CCM will not receive any change notifications. Hence, change logs will not be created.

Device Access Credentials

For enhanced security, and to prevent unauthorized access to devices, you might be asked to enter device credentials. This option is enabled if, from the Administration client, Global Settings > Security Settings > User Account Settings > Execution of Configuration Operations, you checked the option Ask for user credentials when running configuration operations. By default, the device credentials field is populated with the default VNE credentials. You must change the credentials to the device credentials before you save the settings. System jobs will fail if the credentials entered are incorrect.

If you checked the option Ask for user credentials when running configuration operations from the Administration client, and did not change the settings from the Settings page after making the change, all system jobs that are scheduled to run will fail.

If the option Ask for user credentials when running configuration operations (from the Administration client) is not enabled, the default VNE credentials are used.
Also, if device credentials are entered in the Settings page, and the option Ask for user credentials when running configuration operations is not enabled from the Prime Network Administration client (the Administration client), the device credentials you have entered in the Settings page are ignored and the default VNE credentials are used.

Restore Mode Settings

Restore Mode: Mode for restoring configuration files to a device:
- Overwrite—Prime Network overwrites the existing configuration on the device with the file you selected from the archive. Check the Use Merge on Failure check box to restore configuration files in merge mode, if overwrite mode fails.
- Merge—Prime Network merges the existing running or startup configuration on the device with the configuration present in the version you selected from the archive.

E-mail Settings

SMTP Host: SMTP server to use for sending e-mail notifications on the status of configuration management jobs to users. If an SMTP host is configured in the Image Management Settings page, the same value will be displayed here by default. You can modify it, if required.

E-mail Id(s): E-mail addresses of users to send a notification to after the scheduled job is complete. For two or more users, enter a comma-separated list of e-mail IDs. For example: [email protected],[email protected] The e-mail IDs configured here will appear by default while scheduling the configuration management jobs. However, you can add or modify the e-mail IDs then.

SMTP Port: SMTP port ID to connect to the host server. The default port is 25.

Table 3-1 Configuration Archive Global Settings (continued)
Notes on Exclude Commands

Exclude commands are inherited; in other words, if three exclude commands are specified for Cisco routers, all devices in any of the Cisco router families will exclude those three commands when comparing configuration files.

Caution: Exclude commands configured for a device family (such as Cisco 7200 Routers) will be applied to all device types in that family (Cisco 7201, Cisco 7204, Cisco 7204VXR, and so forth).

When you are working in the Exclude Commands page, your current selection will be highlighted in green. All exclude commands applied to that selection will be listed below the device selector. When Prime Network compares the router configuration files, it will exclude all of the commands listed in the Device Commands field. If a series is selected (for example, Cisco 7200 Series), the commands listed in the Series Commands field will be excluded, and so on.

The following procedure describes how to configure exclude commands.

Step 1 Choose Configurations > Settings.
Step 2 In the Exclude Commands area, navigate and choose one of the following (your selection is highlighted in green):
- A device category
- A device series
- A device type
Step 3 Enter a comma-separated list of commands you want to exclude when comparing configuration files for that device category, series, or type. You can also edit an existing list of commands.

Email Option: Send an e-mail notification for Configuration Management jobs:
- All—To send a notification e-mail irrespective of the job result.
- Failure—To send a notification e-mail only when the job has failed.
- No Mail—Do not send a notification e-mail on the job status.
The selected option will appear by default while scheduling Configuration Management jobs. However, you can modify the option then.
Exclude Commands (Device Selector): Devices to which the exclude commands should be applied (meaning the exclude commands will not be considered when comparing device configuration files). The current selection is highlighted in green. All exclude commands applied to that selection will be listed below the device selector. See Notes on Exclude Commands, page 3-12.

Category Commands: Comma-separated list of commands to be excluded when comparing device configurations for any devices in this category (for example, all Cisco routers).

Series Commands: Comma-separated list of commands to be excluded when comparing device configurations for any devices in this series (for example, all Cisco 7200 series routers).

Device Commands: Comma-separated list of commands to be excluded when comparing device configurations for any devices of this same device type (for example, all Cisco 7201 routers).
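The inheritance of exclude commands across category, series and device type, together with the Ignore Above check box, as an added Python example that is not part of the Cisco guide or of Prime Network: it computes the effective exclude list for a device type and reports which configuration changes a comparison would hide. The exclude lists, sample configurations and the prefix-matching rule are constructed assumptions.

```python
from difflib import unified_diff

# Constructed exclude lists, grouped the way the Exclude Commands page groups them.
CATEGORY = {"Cisco Routers": "ntp clock-period"}
SERIES = {"Cisco 7200 Series": "snmp-server location"}
DEVICE = {"Cisco 7201": "username"}  # deliberately broad, to show what it hides

# Constructed sample configurations (archived version and current version).
OLD = """hostname edge-7201
ntp clock-period 17179861
snmp-server location Lab A
username admin privilege 15 secret 5 PLACEHOLDER"""
NEW = """hostname edge-7201
ntp clock-period 17180012
snmp-server location Lab B
username admin privilege 15 secret 5 PLACEHOLDER
username backup privilege 15 secret 5 PLACEHOLDER"""


def parse(csv_commands):
    """Split a comma-separated exclude list into trimmed, non-empty commands."""
    return [c.strip() for c in csv_commands.split(",") if c.strip()]


def effective_excludes(category, series, device, ignore_above=False):
    """A device type inherits series and category commands unless Ignore Above is set."""
    own = parse(DEVICE.get(device, ""))
    if ignore_above:
        return own
    return parse(CATEGORY.get(category, "")) + parse(SERIES.get(series, "")) + own


def strip_excluded(config, excludes):
    """Drop lines that begin with an excluded command (assumed matching rule)."""
    return [line for line in config.splitlines()
            if not any(line.strip().startswith(cmd) for cmd in excludes)]


def changes(old_lines, new_lines):
    """Return the +/- lines of a zero-context unified diff, without file headers."""
    diff = list(unified_diff(old_lines, new_lines, lineterm="", n=0))[2:]
    return [line for line in diff if line.startswith(("+", "-"))]


def compare(old, new, excludes):
    """Return (visible, masked): what the comparison reports and what it hides."""
    visible = changes(strip_excluded(old, excludes), strip_excluded(new, excludes))
    everything = changes(old.splitlines(), new.splitlines())
    masked = [line for line in everything if line not in visible]
    return visible, masked


if __name__ == "__main__":
    for ignore in (False, True):
        ex = effective_excludes("Cisco Routers", "Cisco 7200 Series",
                                "Cisco 7201", ignore_above=ignore)
        visible, masked = compare(OLD, NEW, ex)
        print("Ignore Above:", ignore, "excludes:", ex)
        print("  reported:", visible)
        print("  hidden:  ", masked)
```

Reviewing the hidden list for each level before saving shows how far an entry reaches: a command added at category level is dropped from comparisons for every device type beneath it.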
Your entries change to red until they are saved, and all affected device types, series, or categories are indicated in bold font.

Step 4 If you want a device type to ignore the parent commands (that is, the series and category commands), check the Ignore Above check box.
Step 5 Click Save to save your changes.

Setting Up Image Management

These topics provide information on how to set up the Configuration Management feature:
- Steps for Setting Up Image Management, page 3-13
- Reference: Image Management Global Settings, page 3-14

Note: In the Configuration Management and Image Management Settings pages, Change and Configuration Management does not support the following special characters: For Password fields—>, , Settings). All of the fields in the settings page are described in xxxx. Many of these settings can be overridden when you create specific jobs.

1. Configure the transport protocol that Prime Network will use between the device and the gateway/unit that manages the device; these are controlled from the Transport Protocol area. The options are TFTP, SFTP/SCP, and FTP. The default is TFTP. Note the following:
   – The TFTP source interface on the devices must be able to reach the unit. Otherwise, the configuration management jobs that require TFTP may fail.
   – To use SFTP/SCP for image file transfers from a device to a unit, ensure that an SSH server is configured and running on the device (so that during the transfer, the device acts as a server and the unit as a client). For Cisco IOS, Cisco IOS XR, and Cisco IOS-XE devices, configure the device with K9-security-enabled images so that the SSH server is up and running on the device.
2. Configure the gateway staging directory to use when transferring images from Prime Network out to devices in the File Locations area. The default is NETWORKHOME/NCCMComponents/NEIM/staging/.
3. Configure the gateway storing directory to use when transferring images from an outside source into the image repository (from Cisco.com or from another file system). This is controlled from the File Locations area. The default is NETWORKHOME/NCCMComponents/NEIM/images/.
4. In case of insufficient memory, use the Clear Flash option (under Flash Properties). This deletes any one file (other than the running image) and recovers the disk space occupied by the file. This procedure is repeated until adequate space is available in the selected flash.
5. Enable the warm upgrade facility to reduce the downtime of a device during planned Cisco IOS software upgrades or downgrades (in the Warm Upgrade area).
6. Configure the SMTP server and e-mail IDs so that regular software image management job status e-mails are sent. (You can also specify e-mail settings when you create a job.) This is controlled in the E-Mail Settings area.
7. If you plan to download files from Cisco.com, configure the necessary vendor credentials to connect to Cisco.com. These are set in the Vendor Credentials area. If you do not have login privileges, follow the procedure in Reference: Image Management Global Settings, page 3-14.
8. Configure the proxy server details to use while importing images to the repository from Cisco.com (in the Proxy Settings field).
9. If you plan to download images from an external repository, set up the details of the external server to import images to the Prime Network image repository (in the External Server Details area).

Reference: Image Management Global Settings

Note: In the Configuration Management and Image Management Settings pages, CCM does not support the following special characters: For Password fields—>, , Settings.

Table 3-2 Image Management Global Settings

Transfer Protocol: Default transfer protocol to use when copying images to and from a device. This setting can be overridden when creating a distribution job (for example, if you know that a device does not support the default protocol). FTP and TFTP are unsecured. The TFTP source interface on the devices must be able to reach the unit.
Otherwise, the image management jobs that require TFTP may fail. To use SFTP/SCP for image transfers from a device to a unit, you need to ensure that an SSH server is configured and running on the device, such that the device acts as a server and the unit as a client during the transfer. For Cisco IOS, Cisco IOS XR, and Cisco IOS-XE devices, configure the device with K9-security-enabled images so that the SSH server is up and running on the device.

Flash Properties: In case of insufficient memory, use the Clear Flash option (under Flash Properties). This deletes any one file (other than the running image) and recovers the disk space occupied by the file. This procedure is repeated until adequate space is available in the selected flash.
Warm Upgrade: If checked, a Cisco IOS image can read in and decompress another Cisco IOS image and transfer control to this new image. This functionality reduces the downtime of a device during planned Cisco IOS software upgrades or downgrades. This can be overridden when creating the job.
Note: You can perform a warm upgrade only on Cisco IOS devices 12.3(2)T or later, such as 12.4T, 15.0, 15.1T, and for ISR 800/1800/2800/3800 series and 1900/2900/3900 series.

File Locations: Full pathname of directories where images are stored when they are being imported into the Prime Network image repository, or when they are being transferred out of the repository to devices. New directories must be empty and have the proper permissions (read, write, and execute permissions for users). The entries must be full pathnames. In the following default locations, NETWORKHOME is the Prime Network installation directory.

Staging Directory: Location where images from the Prime Network image repository are placed before transferring them out to devices. The default is NETWORKHOME/NCCMComponents/NEIM/staging/.

Storing Directory: Location where images from an outside source are placed before importing them into the Prime Network image repository (from Cisco.com, from existing devices, or from file system). The default is NETWORKHOME/NCCMComponents/NEIM/images/.

External Server Details: Details about external server from which images can be imported into repository.

Server Name: IP address of the external server (IPv4 or IPv6 addresses supported).

Image Location: Path where the image is located on the server.

User Name: Username to access the external server.
Note: Username is not displayed for Cisco OLT devices.

Password: Password to access the external server.

SSH Port: SSH port ID to connect to the server.
Obtaining Cisco.com Login Privileges for Image Management

Login privileges are required for all image operations that access Cisco.com. To get access, you must have a Cisco.com account. If you do not have a user account and password on Cisco.com, contact your channel partner or enter a request on the main Cisco website.

You can register by going to the following URL:
http://tools.cisco.com/RPF/register/register.do

To download cryptographic images from Cisco.com, you must have a Cisco.com account with cryptographic access. To obtain the eligibility for downloading strong encryption software images:

Step 1 Go to the following URL:
http://tools.cisco.com/legal/k9/controller/do/k9Check.x?eind=Y&return_url=http://www.cisco.com
Step 2 Enter your Cisco.com username and password, and click Log In.
Step 3 Follow the instructions provided on the page and update the user details.
Step 4 Click Accept to submit the form.

E-mail Settings: Settings for automatic e-mail notifications about the status of jobs.

SMTP Host: SMTP server to use for sending e-mail notifications on the status of image management jobs to users. If an SMTP host is configured in the Configuration Management Settings page, the same value will be displayed here by default. You can modify it, if required.

E-mail Id(s): E-mail address of the user to send a notification to after the scheduled job is complete. For two or more users, enter a comma-separated list of e-mail addresses. For example: [email protected],[email protected] The e-mail IDs configured here will appear by default while scheduling the image management jobs. However, you can add/modify the e-mail IDs then.

SMTP Port: SMTP port ID to connect to the host server. The default port is 25.
Email Option: Controls when e-mail notifications for Image Management jobs are sent (can be overridden when creating the job):
- All—Send a notification irrespective of the job result.
- Failure—Send a notification e-mail only when the job has failed.
- No Mail—Do not send a notification e-mail on the job status.

Proxy Settings: Details about proxy server to use when importing images from Cisco.com.

HTTP Proxy: HTTP proxy server to use for downloading images from Cisco.com.

Port: Port address to use for downloading images from Cisco.com.

Vendor Credentials: Usernames and passwords that can be used to download images from Cisco.com. (See the procedure described in Reference: Image Management Global Settings, page 3-14.)
Step 5 To verify whether you have obtained the eligibility to download encrypted software:
a. Go to the following URL:
http://tools.cisco.com/legal/k9/controller/do/k9Check.x?eind=Y&return_url=http://www.cisco.com
b. Enter your username and password, and click Log In. The following confirmation message is displayed:
You have been registered for download of Encrypted Software.

Setting Up CCM Device Groups

User-defined device groups allow you to apply changes to devices in bulk. You can choose specific devices as you perform CCM operations, but having predefined device groups can save you time. There are two types of device groups:

Group Type: Description
Static: Devices are never automatically added to these groups; new devices must be added manually.
Dynamic: Devices are automatically added to a group if they match membership rules.

If a device group’s members change during a CCM operation, the CCM operation is applied to the devices that belong to the group at the time of execution.

To view the existing device groups and create new user-defined device groups:

Step 1 Click the Device Groups tab. The Device Groups page appears as shown in Figure 3-1.

Figure 3-1 Device Groups Page

The Device Groups page displays the name, description, and whether the membership is static or dynamic. To delete a group, click the red X next to the group name.
To view the devices in a group, click the hyperlinked group name. The Group Members page displays the device status, IP address, and element type. To display additional device properties, click the Device Name hyperlink. The status icons are illustrated in the following.

Symbol: Description
- Device is in operational state.
- Device is not in operational state (the device is most likely in the Maintenance or Unreachable state). Click the device hyperlink and open the device properties popup to see details about the device.

Step 2 To create a new group, click Create and enter the required information. Names must be unique. Do not use the reserved names adminGroup and ROOT-DOMAIN.
Step 3 In the Membership Update drop-down list box, choose Static or Dynamic.
- Dynamic device group—If you choose Dynamic, set up a membership rule to control which devices are added to the group. You can use rules with parameters such as device name, range of device IP addresses, and device element type. For example:
  Device Name equals 1800
  IP Address between 10.77.214.107 And 10.77.214.171 IPv4
  Element Type equals Cisco 1801
  Note: You can choose a combination of parameters by using the And/Or operator. You can also use a comma-separated list to provide multiple values for the Device Name and Element Type parameters.
- Static device group—If you choose Static, select the devices from the Group Members list.
Step 4 Click OK to save the group.
Setting Up Image Distribution Servers

Cisco Prime Network provides a solution for distributing software images in a network based on the network architecture that contains CCM GUI, gateways, units, and direct network elements with distribution servers placed between the units and network elements. Using the distribution servers for storing software images facilitates efficient bandwidth utilization within a network. The distribution server works with the secure protocol, for example, SCP or SFTP. In the distribution server, you can copy the software image to the network element.

Note: Using distribution servers, you can perform only the Distribution operation. Install Add operation must be performed as a separate operation.

Prerequisites for Using Distribution Server

- Distribution server is a Linux server with minimal installation of RHEL with expect, PERL, and OpenSSL packages (to provide SSH, SCP, SFTP, and rsync functionalities). The Prime Network software must not be installed on it.
- Distribution server should be ready with a user account created to be used as a part of this solution.
- Distribution server credential configuration file should be created, at the time of solution installation, using a script provided as a part of the solution.
- Location of the directory where the images are stored on the distribution server should be identified and added to the mapping file.
- Initial configuration of tool or solution after installation includes executing the script to fetch distribution server username, SSH keys of the unit, and creating or saving it to a configuration file. You can test connectivity to distribution server at this time using a utility which is a part of the solution.
Required Settings for Using Distribution Server

- VNE device to distribution servers mapping in Units—An external file, for example a file in CSV format, must be available in the units. The CSV file contains information that describes the mapping between the VNE devices and corresponding distribution servers, for example, distro_scp.csv and distro_sftp.csv. This file is maintained as a part of the new device add process to ensure that it is in sync with the Prime Network inventory.
- Certified Software Image on the Gateway—A certified image is made available in a predefined directory on the gateway. The image is imported into the Prime Network repository. Then, the image is copied to the distribution servers using rsync mechanism.
- SSH connection between unit and distribution server—Log in as a Prime Network user and execute the following commands to set up SSH keys between the unit server and distribution server:
  ssh-keygen -t rsa
  ssh-copy-id -i /export/home/pn422/.ssh/id_rsa.pub [email protected]
- Execute image distribution configuration script—Execute the image distribution configuration script (imagedistributionconfig.pl) on units to provide the distribution server access credentials username and SSH keys. After this, a configuration file (.distroCreds.conf) is created.
- Copy the software image to the distribution server—Copy the image to the distribution server and configure the image directory and distribution mappings in the CSV file on the unit.
- Test the connectivity to distribution server—Execute the script (testDistroSSHaccess.pl) to test the connectivity. The script is available in the following location: $ANAHOME/Main/scripts/configuration/cisco/NEIM

Note: The required PERL modules should be installed. You can use distribution server in the IPv4 environment only.

Setting Up Distribution Servers

To set up distribution servers:

Step 1 Choose Tools > Registry Controller > Image Management Settings > Image Distribution.
Step 2 In the Image Distribution window, select the True option to use distribution server.

Note: You can also copy the software image without using the distribution server. Choose the False option in the Image Distribution window. The False option is the default value in the Image Distribution window.

Enabling SSH Resync on VNE and CCM

SSH key is the common way to securely connect to remote machines. It is used to identify trusted computers, without using passwords. SSH enables connecting to a virtual private server in a more secure manner than using a password. In Cisco Prime Network, the SSH key synchronization is created to handle device disconnections due to SSH key mismatch. Prime Network uses SSH keys to communicate with the devices.

Synchronization of SSH Key with VNE

Based on user configuration, when the device reboots, a new SSH key is generated to serve the internal security purposes. Prime Network tries to connect to a device with the key which was used at the first communication.
In case of any key mismatch, the VNE synchronizes with the device automatically, fetches the new SSH key from the device, updates it in Prime Network, and re-connects to the device using the updated key. The new SSH key synchronization happens only if the server authentication is enabled as save-first-auth and the automatic key synchronization feature is enabled via the registry controller.
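A model of save-first-auth host key pinning with automatic key synchronization, as an added Python example that is not Prime Network code: it records each replaced key and flags replacements that do not follow a recorded reboot of the device, the event the guide names as the reason for a new key. The class and function names, the 15-minute window, the key blobs and the timestamps are hypothetical.

```python
import base64
import hashlib
from datetime import datetime, timedelta


def fingerprint(key_blob):
    """OpenSSH-style SHA256 fingerprint of a public host key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Hypothetical model of save-first-auth pinning with optional key sync."""

    def __init__(self, auto_sync):
        self.auto_sync = auto_sync
        self.pins = {}    # device -> pinned fingerprint
        self.audit = []   # (time, device, old fingerprint, new fingerprint)

    def connect(self, device, key_blob, when):
        seen = fingerprint(key_blob)
        pinned = self.pins.get(device)
        if pinned is None:
            self.pins[device] = seen   # first communication: save the key
            return "saved"
        if pinned == seen:
            return "match"
        if not self.auto_sync:
            return "mismatch"          # pin is kept, the connection is refused
        self.pins[device] = seen       # sync: replace the pin and keep a record
        self.audit.append((when, device, pinned, seen))
        return "resynced"


def resyncs_without_reboot(audit, reboots, window=timedelta(minutes=15)):
    """Return key replacements with no recorded reboot of that device in the window before."""
    flagged = []
    for when, device, _old, new in audit:
        recent = [r for r in reboots.get(device, [])
                  if timedelta(0) <= when - r <= window]
        if not recent:
            flagged.append((device, when, new))
    return flagged


def demo():
    """Run the constructed scenario and return the flagged key replacements."""
    t0 = datetime(2024, 1, 1, 8, 0)
    store = HostKeyStore(auto_sync=True)
    store.connect("pe1", b"constructed-key-A", t0)
    store.connect("pe2", b"constructed-key-C", t0)
    # pe1 rebooted five minutes before presenting a new key; pe2 did not reboot.
    reboots = {"pe1": [t0 + timedelta(hours=1, minutes=55)]}
    store.connect("pe1", b"constructed-key-B", t0 + timedelta(hours=2))
    store.connect("pe2", b"constructed-key-D", t0 + timedelta(hours=3))
    return resyncs_without_reboot(store.audit, reboots)


if __name__ == "__main__":
    for device, when, new in demo():
        print(f"review: {device} key replaced at {when} -> {new}")
```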