Cisco Prime Infrastructure 3.9 Administrator Guide

Cisco Prime Infrastructure 3.
9 Administrator Guide
First Published: 2020-12-17
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS
Full Cisco Trademarks with Software License ?
CHAPTER 1 Set Up the Prime Infrastructure Server 1
Server Setup Tasks 1

User Management Setup Tasks 2
Fault Management Setup Tasks 3
Administrator Setup Tasks 4
Set Up Operations Center 4
Activate Your Operations Center License 4
Add Cisco Prime Infrastructure Instances to Operations Center 6
Disable Idle User Timeouts for Operations Center 7
Enable AAA for Operations Center 7
Required Software Versions and Configurations 8
Configure SNMP 8
Configure NTP 9
Configure Data Sources for Cisco Prime Infrastructure With Assurance 10
Supported Assurance Data Sources 10
Configure Assurance Data Sources 10
Enable Medianet NetFlow 12
Enable NetFlow and Flexible NetFlow 14
Deploy Network Analysis Modules NAMs 15
Enable Performance Agent 15
Install Cisco Prime Infrastructure Patches 16
CHAPTER 2 Licenses and Software Updates 19
Prime Infrastructure Licensing 19
Cisco Prime Infrastructure 3.9 Administrator Guide

iii
Contents
Purchase Prime Infrastructure Licenses 20

Verify License Details 20
Add Licenses 21
Delete Licenses 21
Troubleshoot Licenses 21
Controller Licensing 23
MSE Licensing 25
MSE License Structure Matrix 25

Sample MSE License File 25
Revoke and Reuse an MSE License 26
MSE Services Coexistence 27
Manage MSE Licenses 27
Register Product Authorization Keys 28
Install Client and wIPS License Files 29
Delete Mobility Services Engine License Files 29
Assurance Licensing 30
Verify Assurance License Details 30

Add License Coverage For NetFlow and NAM Devices 31
Delete License Coverage for NetFlow and NAM Devices 31

Smart Licensing 32
Set Up Cisco Smart Licensing on Prime Infrastructure 32
Set Up the Transport Mode Between Prime Infrastructure and Cisco Smart Software Manager 33
Enable Smart License on Prime Infrastructure 34
Register Prime Infrastructure with the Cisco Smart Software Manager 35
Generate Token ID 35
Convert from Traditional Licensing 35
Register Product Instance 36
Choose Smart Software Licenses 36
Configure License Thresholds for the Prime Infrastructure License Dashboard 37
View the Licensing Dashboard 37
Disable Smart Licensing 38
Perform Additional Actions 39
Reference: Product Registration and License Authorization Statuses 39
Manage Software Updates 40

iv
Contents
What Are Software Updates? 40

View the Installed Product Software Version 41
View Installed Software Updates 41
Enable or Disable Notifications About Software Updates 41
Validate Images (ISO and OVA) Before Installing Them 42
Download and Install a Software Update from Cisco.com 43
Copy a File from a Client Machine to the Prime Infrastructure Server 44
CHAPTER 3 Backup and Restore 45
Backup and Restore Concepts 45

Backup Types: Application and Appliance 45
Backup Scheduling 46
Backup Repositories 47
Backup Filenames 47
Backup Validation Process 48
Information That Is Backed Up 48
Information That Is Not Backed Up 50
Set Up and Manage Repositories 50
Create a Local Backup Repository 50
Use a Remote Backup Repository 51
Use Remote NFS Backup Repositories 51
How to Use Remote SFTP Backup Repositories 53
How to Use Remote FTP Backup Repositories 54
Delete a Local Backup Repository 55
Set Up Automatic Application Backups 55
Schedule Automatic Application Backups 56
Specify the Backup Repository for Automatic Backups 56
Change the Number of Automatic Application Backups That Are Saved 57
Perform a Manual Backup 57
Perform an Immediate Appliance Backup Using the CLI 57
Perform an Immediate Application Backup Using the Web GUI 58
Perform an Immediate Application Backup Using the CLI 58
Perform a Manual Appliance Backup 58
Restore Prime Infrastructure Data 59

v
Contents
Restore an Application Backup 59

Restore an Appliance Backup 60
Recover from Failed Restores 61
How to Manage Disk Space Issues During Backup and Restore 61
Migrate to Another Virtual Appliance Using Backup and Restore 62
Migrate to Another Physical Appliance Using Backup and Restore 62
Backup and Restore with Operations Center 63
CHAPTER 4 Configure the Prime Infrastructure Server 65

View the Prime Infrastructure Server Configuration 65
Available System Settings 66
Secure the Connectivity of the Prime Infrastructure Server 81
Set Up HTTPS Access to Prime Infrastructure 81
Generate and Apply Self-Signed Certificates 82
Import CA-Signed Host Certificates 82
Import Private Key 84
Export Private Key 84
Set Up Certificate Validation 85
Accessing Certificate Validation Page 86
MIB to Prime Infrastructure Alert/Event Mapping 87
Establish an SSH Session With the Prime Infrastructure Server 89
Set Up NTP on the Server 90
Set Up the Prime Infrastructure Proxy Server 91
Configure Server Port and Global Timeout Settings 91

Set Up the SMTP E-Mail Server 92
Enable FTP/TFTP/SFTP Service on the Server 92
Configure Stored Cisco.com Credentials 93
Create a Login Banner (Login Disclaimer) 93
Stop and Restart Prime Infrastructure 93
Configure Global SNMP Settings for Communication with Network Elements 94
Configure Global SNMP Settings 94
View SNMP Credential Details 95
Add SNMP Credentials 96
Import SNMP Credentials 97

vi
Contents
Enable Compliance Services 99

Configure ISE Servers 99
Configure Software Image Management Servers 100
Add Device Information to a User Defined Field 100
Manage OUIs 101
Add a New Vendor OUI Mapping 101
Upload an Updated Vendor OUI Mapping File 101
Sample Log File from North-Bound SNMP Receiver 102
Work With Server Internal SNMP Traps That Indicate System Problems 102
Customize Server Internal SNMP Traps and Forward the Traps 103
Troubleshoot Server Internal SNMP Traps 103
Set Up Defaults for Cisco Support Requests 104
Configure Cisco Product Feedback Settings 104
Migrating Data from Prime Infrastructure to Cisco Digital Network Architecture Center 105
CHAPTER 5 Maintain Prime Infrastructure Server Health 111
Overview Dashboard 111

Performance Dashboard 112
Admin Dashboard 113
How to Evaluate OVA Size and System Resources 113
View the Number of Devices Prime Infrastructure Is Managing 114
How to Improve the Performance of Prime Infrastructure 115
Tune the Server 115
Modify VM Resource Allocation Using VMware vSphere Client 115
Compact the Prime Infrastructure Database 116
Configure Client Performance Settings 117
Enable Automatic Client Troubleshooting 117
Enable DNS Hostname Lookup 118
Specify How Long to Retain Client Association History Data 118
Poll Clients When Receiving Client Traps/Syslogs 118
Save Client Traps as Events 119
Save 802.1x and 802.11 Client Traps as Events 119
Enable Enhanced Client Traps 120
Optimize Memory for Assurance Processing 120

vii
Contents
Monitor Assurance Memory Allocation and Demand 121

Increase the Assurance Memory Pool Via CLI 121
How to Balance the Assurance Memory Allocation 122
Reset Assurance Memory Allocation 122
Reset the Assurance Memory Pool 122
Manage Data Sources 123
View Current Data Sources 123
Delete Data Sources 124
Special Administrative Tasks 124
How to Connect Via CLI 125
Start Prime Infrastructure 126
Check Prime Infrastructure Server Status 126
Check Prime Infrastructure Version and Patch Status 127
Stop Prime Infrastructure 127
Restart Prime Infrastructure Using CLI 127
Restart Prime Infrastructure Using GUI 128
How to Remove Prime Infrastructure 128
Reset Prime Infrastructure to Defaults 129
Change the Prime Infrastructure Host Name 129
Enable the FTP User 130
Change the Root User Password 130
Change the Admin Password using CLI 131
How to Recover Administrator Passwords on Virtual Appliances 131
How to Recover Administrator Passwords on Physical Appliances 133
134
How to Recover Administrator Passwords on Hyper-V Virtual Appliances 135

How to Get the Installation ISO Image 136
How to Update Prime Infrastructure With Latest Software Updates 137
View Installed and Available Software Updates 137
How to Get Software Update Notifications 138
Configure Software Update Notifications 138
View Details of Installed Software Updates 138
View Installed Updates From the Login Page 139
View Installed Updates From the About Page 139

viii
Contents
Install Software Updates 139

Install Software Updates from Cisco.com 140
Upload and Install Downloaded Software Updates 140
How to Use Your Cisco.com Account Credentials with Prime Infrastructure 141
Save Cisco.com Account Credentials in Prime Infrastructure 141
Deleting Cisco.com Account Credentials 142
How to Configure Support Request Settings 142
How to Manage Disk Space Issues 143
CHAPTER 6 Data Collection and Background Tasks 145
Control Data Collection Jobs 145

How Data Retention Settings Affect Web GUI Data 145
About Historical Data Retention 146
Performance and System Health Data Retention 147
Specify Data Retention By Database Table 149
Specify Client Data Retrieval and Retention 149
Enable Data Deduplication 150
Control Report Storage and Retention 151
Specify Inventory Collection After Receiving Events 151
Control Configuration Deployment Behavior 152
Archive Device Configurations Before Template Deployment 152
Roll Back Device Configurations on Template Deployment Failure 152
Specify When and How to Archive WLC Configurations 152
Alarm, Event, and Syslog Purging 153
Log Purging 154
Report Purging 154
Backup Purging 155
Device Configuration File Purging 155
Software Image File Purging 155
Control System Jobs 155
Schedule Data Collection Jobs 155
Resume Data Collection Jobs 156
Run Data Collection Jobs Immediately 156
About System Jobs 156

ix
Contents
Migrate Data from Cisco Prime LMS to Cisco Prime Infrastructure 165
CHAPTER 7 User Permissions and Device Access 167
User Interfaces, User Types, and How To Transition Between Them 167
User Interfaces and User Types 167
How to Transition Between the CLI User Interfaces in Prime Infrastructure 169
Transition Between the Prime Infrastructure admin CLI and Prime Infrastructure config CLI 170
Log In and Out as the Linux CLI root User 171
Enable and Disable root Access for the Linux CLI and the Prime Infrastructure Web GUI 172
Disable and Enable the Linux CLI Users in Prime Infrastructure 172
Disable and Enable the Web GUI root User 172
Control the Tasks Web Interface Users Can Perform (User Groups) 173
Types of User Groups 173
User Groups—Web UI 173
User Groups—NBI 174
View and Change the Tasks a User Can Perform 175
View and Change the Groups a User Belongs To 176
View User Groups and Their Members 176

User Group Permissions and Task Description 176
Create a Customized User Group 194
Add User with Wireless Persona 195
View and Change the Tasks a Group Can Perform 196
Use Prime Infrastructure User Groups with RADIUS and TACACS+ 197
Export the Prime Infrastructure User Group and Role Attributes for RADIUS and TACACS+
197
Add Users and Manage User Accounts 198

Change User Group Memberships 198
Create Web GUI Users with Administrator Privileges 199
Add and Delete Users 200
Disable (Lock) a User Account 201
Change a User’s Password 201
Configure Guest Account Settings 201
Use Lobby Ambassadors to Manage Guest User Accounts 202
Manage Guest User Accounts: Workflows 202

x
Contents
Create Lobby Ambassador Accounts 203

Login as a Lobby Ambassador 203
Create Guest User Accounts as a Lobby Ambassador 204
Schedule Guest User Accounts 204
Print or Email Guest User Details 204
View Lobby Ambassador Activities 205
Save Guest Accounts on a Device 206
Edit Guest User Credentials 206
Find Out Which Users Are Currently Logged In 206
View the Tasks Performed By Users (Audit Trail) 207
Configure Job Approvers and Approve Jobs 207
Configure Job Notification Mail for User Jobs 208
Configure Global Password Policies for Local Authentication 209
Configure the Global Timeout for Idle Users 209
Disable Idle User Timeout 210
Set Up the Maximum Sessions per User 210
Create Virtual Domains to Control User Access to Devices 211
What Are Virtual Domains? 211
How Virtual Domains Affect Prime Infrastructure Features 211
Reports and Virtual Domains 212
Search and Virtual Domains 212
Alarms and Virtual Domains 212
Maps and Virtual Domains 212
Configuration Templates and Virtual Domains 212
Config Groups and Virtual Domains 213
Email Notifications and Virtual Domains 213
Create New Virtual Domains 213
Create Virtual Domains Directly Under ROOT-DOMAIN 213
Create Child Virtual Domains (Subdomains) 214
Import a List of Virtual Domains 215
Add Network Devices to Virtual Domains 215
Add Groups to Virtual Domains 216
Assign Virtual Domains to Users 217
Edit a Virtual Domain 217

xi
Contents
Delete a Virtual Domain 217

Use Prime Infrastructure Virtual Domains with RADIUS and TACACS+ 218
Export the Prime Infrastructure Virtual Domain Attributes for RADIUS and TACACS+ 218
Configure Local Authentication 219
Use SSO With Local Authentication 219
Configure External Authentication 220
Integrate Prime Infrastructure with an LDAP Server 220
Use RADIUS or TACACS+ for External Authentication 220
Add a RADIUS or TACACS+ Server to Prime Infrastructure 220
Configure RADIUS or TACACS+ Mode on the Prime Infrastructure Server 221
Required TACACS+/RADIUS Configurations After Prime Infrastructure IP Address Changes
222
Renew AAA Settings After Installing a New Prime Infrastructure Version 222
Use Cisco ISE With RADIUS or TACACS+ for External Authentication 222
Supported Versions of Cisco ISE in Prime Infrastructure 223

Add Prime Infrastructure as a Client in Cisco ISE 224
Create a User Group in Cisco ISE 224
Create a User and Add the User to a User Group in Cisco ISE 224
Create an Authorization Profile for RADIUS in Cisco ISE 224
Create an Authorization Profile for TACACS+ in Cisco ISE 225
Configure an Authorization Policy for RADIUS in Cisco ISE 227
Configure an Authorization Policy for TACACS in Cisco ISE 227
Create an Authentication Policy in Cisco ISE 228
Use Cisco ACS With RADIUS or TACACS+ for External Authentication 228
Use SSO with External Authentication 233
Add the SSO Server 234
Configure SSO Mode on the Prime Infrastructure Server 234
CHAPTER 8 Fault Management Administration Tasks 235
Event Receiving, Forwarding, and Notifications 235

User Roles and Access Permissions for Configuring Alarm Notification Settings 236
Points to Remember While Adding a New Notification Policy 236
Configure Alarms Notification Destination 239
Customize Alarm Notification Policies 240

xii
Contents
Convert Old Email and Trap Notification Data to New Alarm Notification Policy 241
Configure Default Settings for E-Mail Notifications 242
Specify Alarm Clean Up, Display and Email Options 242
Configure Global Display and Search Settings for Acknowledged, Cleared, and Assigned Alarms 245
Change Alarm Severity Levels 245
Change Alarm Auto-Clear Intervals 246
Change the Information Displayed in the Failure Source for Alarms 247
Change the Behavior of Expedited Events 247
Customize Generic Events That Are Displayed in the Web GUI 248
Disable and Enable Generic Trap and Syslog Handling 249
Disable and Enable Generic Trap Processing 249
Disable and Enable Generic Syslog Processing 249
Customize Generic Events Based on SNMP Traps 249
Troubleshoot Fault Processing Errors 250
Get Help from the Cisco Support Community and Technical Assistance Center (TAC) 251
Open a Cisco Support Case 251
Join the Cisco Support Community 252
CHAPTER 9 Audits and Logs 253
Audit Configuration Archive and Software Image Management Changes ( Change Audit Dashboard)
253
Audit Changes Made By Users (Change Audit) 253

Generate a Change Audit Report 253
Enable Change Audit Notifications and Configure Syslog Receivers 254
View Change Audit Details 255
Audit Actions Executed from the GUI (System Audit) 255
System Logs 256
View and Manage General System Logs 256
View the Logs for a Specific Job 256
Adjust General Log File Settings and Default Sizes 257
Download and E-Mail Log Files for Troubleshooting Purposes 258
Forward System Audit Logs As Syslogs 266
Enable SNMP Traces and Adjust SNMP Log Settings (Levels, Size) 267

xiii
Contents
CHAPTER 10 Configure Controller and AP Settings 269
Configure Protocols for CLI Sessions 269

Enable Unified AP Ping Reachability Settings on the Prime Infrastructure 269
Refresh Controllers After an Upgrade 271
Track Switch Ports to Rogue APs 271
Configure Switch Port Tracing 272
Configuring SNMP credentials 273
View the switch port trace details 274
Establish Switch Port Tracing 275
Configure SNMP Credentials for Rogue AP Tracing 275
Switch Port Tracing Details 275
Switch Port Tracing Troubleshooting 276
Frequently Asked Questions on Rogues and Switch Port Tracing 276
How Do You Configure Auto SPT? 277
How Does Auto SPT Differ From Manual SPT? 277
Where Can I See SPT Results (Manual and Auto)? 278
Why Does Auto SPT Take Longer to Find Wired Rogues? 278
How Can I Detect Wired Rogues on Trunk Ports? 279
How Do You Configure Switch Port Location? 279
How Can I Use the Auto SPT “Eliminate By Location” Feature? 280
What is the Difference Between “Major Polling” and “Minor Polling”? 280
CHAPTER 11 Configure High Availability 283
How High Availability Works 283

About the Primary and Secondary Servers 285
Sources of Failure 285
File and Database Synchronization 285
HA Server Communications 286
Health Monitor Process 286
Health Monitor Web Page 287
Using Virtual IP Addressing With HA 288
How to Use SSL Certificates in an HA Environment? 289
Import Client Certificates Into Web Browsers 290

xiv
Contents
Hot Standby Behavior 290

Planning HA Deployments 291
Network Throughput Restrictions on HA 291
Using the Local Model 292
Using the Campus Model 293
Using the Remote Model 293
What If I Cannot Use Virtual IP Addressing? 294
Automatic Versus Manual Failover 294
Enable HA for Operations Center 295
Set Up High Availability 297
Before You Begin Setting Up High Availability 298
How to Install the HA Secondary Server 299
How to Register HA on the Primary Server 299
Check Readiness for HA Registration/Configuration 301
Check High Availability Status 303
What Happens During HA Registration 304
How to Patch HA Servers 305
How to Patch New HA Servers 305
How to Patch Paired HA Servers 307
How to Patch Paired HA Servers Set for Manual Failover 307
How to Patch Paired HA Servers Set for Automatic Failover 310
Monitor High Availability 312
Access the Health Monitor Web Page 312
How to Trigger Failover 313
How to Trigger Failback 313
Force Failover 314
Respond to Other HA Events 314
HA Registration Fails 315
Network is Down (Automatic Failover) 315
Network is Down (Manual Failover) 316
Process Restart Fails (Automatic Failover) 318
Process Restart Fails (Manual Failover) 319
Primary Server Restarts During Sync (Manual Failover) 320
Secondary Server Restarts During Sync 320

xv
Contents
Both HA Servers Are Down 320

Both HA Servers Are Powered Down 321
Both HA Servers Are Down and the Secondary Will Not Restart 322
How to Replace the Primary Server 322
How to Recover From Split-Brain Scenario 323
How to Resolve Database Synchronization Issues 324
High Availability Reference Information 324
HA Configuration Mode Reference 324
HA State Reference 325
HA State Transition Reference 326
High Availability CLI Command Reference 328
Reset the HA Authentication Key 328
Remove HA Via the GUI 328
Remove HA Via the CLI 329
Remove HA During Restore 329
Remove HA During Upgrade 330
Using HA Error Logging 330
Reset the HA Server IP Address or Host Name 331
Resolve TOFU Failure at Any State 331
Configure MSE High Availability 331
Overview of the MSE High Availability Architecture 331

MSE High Availability Pairing Matrix 332
Guidelines and Limitations for MSE High Availability 332
Failover Scenario for MSE High Availability 333
Failback Scenario for MSE High Availability 333
Licensing Requirements for MSE High Availability 334
Set Up MSE High Availability: Workflow 334
Prepare the MSEs for High Availability 334
Configure MSE High Availability on Primary MSEs 335
Configure MSE High Availability on Secondary MSEs 343
Replace Primary MSEs 348
CHAPTER 12 Configure Wireless Redundancy 351
About Wireless Controller Redundancy 351

xvi
Contents
Prerequisites and Limitations for Redundancy 351

Configure Redundancy Interfaces 352
Configure Redundancy on Primary Controllers 352
Configure Redundancy on Secondary Controllers 353
Monitor Redundancy States 354
Configure Peer Service Port IPs and Subnet Mask 354
Add Peer Network Routes 355
Reset and Upload Files from the Secondary Server 355
Disable Redundancy on Controllers 356
CHAPTER 13 Manage Traffic Metrics 357
How to Manage Traffic Metrics 357

Prerequisites for Traffic Metrics With Mediatrace 357
Configure Cisco Prime Infrastructure to Use NAM Devices as Data Sources 358
Configure Cisco Prime Infrastructure to Use Routers and Switches as Data Sources 358
Configure Mediatrace on Routers and Switches 359
Configure WSMA and HTTP(S) Features on Routers and Switches 359
CHAPTER 14 Plan Network Capacity Changes 361
How to Plan the Network Capacity Changes 361
CHAPTER 15 Enable Backward Compatibility 365
Enable Backward Compatibility between Catalyst 9800 WLC Devices and Prime Infrastructure 3.9
365
Installing Cisco Prime Infrastructure System Patch 3.9 367
APPENDIX A Best Practices: Server Security Hardening 369

Disable Insecure Services 369
Disable Root Access 369

Use SNMPv3 Instead of SNMPv2 370
Use SNMPv3 to Add Devices 370
Use SNMPv3 to Import Devices 371
Use SNMPv3 to Run Discovery 371
Authenticate With External AAA 372

xvii
Contents
Set Up External AAA Via GUI 372

Set Up External AAA Via CLI 372
Enable NTP Update Authentication 373
Set Up Local Password Policies 374
Disable Individual TCP/UDP Ports 374
Check On Server Security Status 375
APPENDIX B Internal SNMP Trap Generation 377

About Internal Trap Generation 377
Prime Infrastructure SNMP Trap Types 378
Generic SNMP Trap Format 380
Northbound SNMP Trap-to-Alarm Mappings 381
Prime Infrastructure SNMP Trap Reference 384
Configure Prime Infrastructure Traps 389
Configure Notifications 390

Port Used To Send Traps 391
Configure Email Server Settings 391
View Events and Alarms for SNMP Traps 391

Filter Events and Alarms for SNMP Traps 392
Filter for SNMP Traps Using Quick Filters 392
Filter for SNMP Traps Using Advanced Filters 392
Purge Alarms for SNMP Traps 393
How to Troubleshoot Prime Infrastructure SNMP Traps 393
APPENDIX C Configure High Availability for Plug and Play Gateway 395
How Cisco Plug and Play Gateway HA Works 395
Cisco Plug and Play Gateway HA Prerequisites 395
Set up Standalone Cisco Plug and Play Gateway for Prime Infrastructure HA 396
Cisco Prime Infrastructure in HA with Virtual IP Address 396
Cisco Prime Infrastructure in HA with Different IP Address 396
Cisco Standalone Plug and Play Gateway Server HA Setup 397
Cisco Plug and Play Gateway Status 398
Remove Cisco Plug and Play Gateway in HA 399
Cisco Plug and Play Gateway HA and Cisco Prime Infrastructure Combinations 400

xviii
Contents
Limitations of Cisco Plug and Play Gateway HA 400

xix
Contents

xx
CHAPTER 1
Set Up the Prime Infrastructure Server
This section contains the following topics:
• Server Setup Tasks, on page 1
• User Management Setup Tasks, on page 2
• Fault Management Setup Tasks, on page 3
• Administrator Setup Tasks, on page 4
Server Setup Tasks

Task See
Verify the backup settings Set Up Automatic Application Backups, on

page 55
Install any required product licenses and software updates Licenses and Software Updates, on page 19
Modify the stored Cisco.com credentials (user name and Configure Stored Cisco.com Credentials, on
password) used to log on to Cisco.com and: page 93
• Check for product updates
• Check for device software image updates
• Open or review Cisco support cases
For software updates: Enable or Disable Notifications About Software

Updates, on page 41
• Enable notifications for product software updates
(critical fixes, device support, add-ons)
• Specify whether you want credentials stored on
Cisco.com when Prime Infrastructure checks for
software updates, and if yes, whether you want the user
to be prompted for credentials when checking for
updates

1
User Management Setup Tasks
Task See
Set up HTTPS on the server for secure interactions between Secure the Connectivity of the Prime
the server and browser-based GUI client (you can use HTTP Infrastructure Server, on page 81
but HTTPS is recommended)
Configure high availability How High Availability Works, on page 283
Adjust data retention and purging Data Collection and Background Tasks, on page
145
For server-related traps that signal system problems, Customize Server Internal SNMP Traps and
customize the threshold settings and severities, and forward Forward the Traps, on page 103
the traps as SNMP trap notifications to configured receivers
Configure Alarms Notification Destination, on
page 239
Set up NTP (Network Time Protocol) so that time is Set Up NTP on the Server, on page 90
synchronized between the server and network devices
Configure FTP/TFTP on the server for file transfers between Enable FTP/TFTP/SFTP Service on the Server,
the server and network devices on page 92
Configure a proxy for the Prime Infrastructure server Set Up the Prime Infrastructure Proxy Server ,
on page 91
Configure the email server Set Up the SMTP E-Mail Server, on page 92
Set global SNMP polling parameters for managed network Configure Global SNMP Settings for
elements Communication with Network Elements, on
page 94
Enable the Compliance feature if you plan to use it to identify Enable and Disable Compliance Auditing
device configuration deviations
Configure product feedback to help Cisco improve its Set Up Defaults for Cisco Support Requests,
products on page 104
Configure product feedback to help Cisco improve its Configure Cisco Product Feedback Settings,
products on page 104
User Management Setup Tasks

Task See
Create web GUI users that have administration Create Web GUI Users with Administrator Privileges, on
privileges, and disable the web GUI root page 199
account
Disable and Enable the Web GUI root User, on page 172
Set up user audits Audit Configuration Archive and Software Image

Management Changes ( Change Audit Dashboard) , on page
253

2
Fault Management Setup Tasks
Task See
Set up user authentication and authorization Configure External Authentication

Configure Local Authentication, on page 219
Create user accounts and user groups Control the Tasks Web Interface Users Can Perform (User
Groups), on page 173
Adjust user security settings (password rules Configure Global Password Policies for Local
for local authentication, idle time logout setting) Authentication, on page 209
Configure the Global Timeout for Idle Users, on page 209
Specify which users can approve jobs Configure Job Approvers and Approve Jobs, on page 207
Create virtual domains to control device access Create Virtual Domains to Control User Access to Devices,
on page 211
Create a message that is displayed when users Create a Login Banner (Login Disclaimer), on page 93
log in to the GUI client
Fault Management Setup Tasks

Task See
Forward alarms and events to other receivers in e-mail Configure Alarms Notification Destination, on
format page 239
Forward alarms and events to other receivers in SNMP Configure Alarms Notification Destination, on
trap format page 239
Configure global settings for alarm and event displays Configure Global Display and Search Settings for
and searches: Acknowledged, Cleared, and Assigned Alarms,
on page 245
• Hide acknowledged, assigned, and cleared alarms in
the Alarms and Events tables
• Include acknowledged and assigned alarms in search
results
• Include device names in alarm messages
Customize the severity for specific events Change Alarm Severity Levels, on page 245
Customize the auto-clear interval for specific alarms Change Alarm Auto-Clear Intervals, on page 246
Make the text in the alarm Failure Source field more Change Alarm Severity Levels, on page 245
user-friendly
Control generic event handling Disable and Enable Generic Trap Processing, on
page 249

3
Administrator Setup Tasks
Task See
Control if and how users can create Cisco Support Set Up Defaults for Cisco Support Requests, on
Requests page 104
Administrator Setup Tasks

Set Up Operations Center
Prime Infrastructure Operations Center is a licensed feature that allows you to manage multiple instances of
Prime Infrastructure from a single instance. Before you can use Operations Center, you must first:
1. Activate your Operations Center license on the Prime Infrastructure server that will host Operations Center.
Applying the license will automatically enable Operations Center as the SSO server for the cluster of
Prime Infrastructure instances it manages.
Note You can also activate your operation center license on the Prime Infrastructure server that will host Operations
Center using smart licensing feature. Applying the smart license will also automatically enableOperations
Center as the SSO server for the cluster of Prime Infrastructure instances it manages. To know more on Smart
Licensing, see Smart Licensing, on page 32.
2. Add to Operations Center the Prime Infrastructure instances you want to manage. You can configure each
instance as an SSO client as it is added to Operations Center
3. (Optional) Disable the personal and global idle-user timeouts for Operations Center and all of its managed
instances.
4. (Optional) Configure remote AAA using TACACS+ or RADIUS servers for Operations Center and all
of its managed instances,
The Related Topics explain how to complete each of these tasks.

Related Topics
Add Cisco Prime Infrastructure Instances to Operations Center, on page 6
Disable Idle User Timeouts for Operations Center, on page 7
Activate Your Operations Center License

Before setting up Operations Center:
• Verify that the DNS entry for thePrime Infrastructure server that will host the Operations Center matches
the host name configured on that server. For example: Running the commands nslookup ipaddress and
hostname on the Prime Infrastructure server that will host the Operations Center should yield the same
output.
• Ensure that all users who will access network information using Operations Center have both NBI Read
and NBI Write access privileges. You can do this by editing these users’ profiles to make them members
of the “NBI Read” and “NBI Write” User Groups (see “ Change User Group Memberships ” in Related
Topics).

4
Enable Smart Software Licenses for Operations Center
• By default, five is the maximum SSO login sessions for one Operations Center user. This is also applicable
for instances. Hence, ensure that the number of Active SSO Sessions does not exceed five, or else the
managed instances will go into an “unreachable” state.
• If you plan to use remote AAA with Operations Center: Set up a RADIUS or TACACS+ AAA server
before you begin (see “Enable AAA for Operations Center” in Related Topics)
Operations Center does not require a separate installation. Instead, you can select or install the Prime
Infrastructure server that you want to use to manage other Prime Infrastructure instances, and then activate
an Operations Center license on that server.
Note Enabling Operations Center license will prevent the same server instance from monitoring the devices directly.
The devices will be added to a separate instance.
When activating the license, Operations Center automatically configures itself as the SSO server Prime
Infrastructure.
The number of Prime Infrastructure instances you can manage using Operations Center depends on the license
you have purchased. For details, see the Cisco Prime Infrastructure Ordering and Licensing Guide.
Step 1 Select Administration > Licenses and Software Updates > Licenses > Files > License Files. The License Files page
displays.
Step 2 Click Add. The Add a License File dialog box displays.
Step 3 Click Choose File.
Step 4 Navigate to your license file, select it, then click Open.
Step 5 Click OK. Prime Infrastructure will confirm that the Operations Center license has been added.
Step 6 If you are notified that SSO is not set up:
• Click Yes, to configure this new Operations Center as an SSO server automatically.
• Click No to configure SSO with DNS Name. Seamless SSO will Add SSO server with DNS Name.
Step 7 When prompted to log out: Click OK. The newly active license should now be listed in the Licenses > License Files
page.
Step 8 Log out of Prime Infrastructure and then log back in. The login page that appears should display “Cisco Prime Infrastructure
Operations Center [SSO]”, which indicates the license has been applied.
Related Topics
Set Up Operations Center, on page 4
Enable AAA for Operations Center, on page 7
Change User Group Memberships, on page 198
Enable Smart Software Licenses for Operations Center
Step 1 If this is the first time you are choosing Smart licenses:
a) Choose Administration > Licenses and Software Updates > Licenses.

5
Add Cisco Prime Infrastructure Instances to Operations Center
After a few moments, Prime Infrastructure displays a dialog box informing you that you cannot access the page
because you are not using traditional licensing. This is normal.
b) In the dialog box, click Smart License Settings.
c) Click the Licensing Settings tab.
Step 2 If you are already using Smart Licensing:
a) Choose Administration > Licenses and Software Updates > Smart Software Licensing.
b) Click the Licensing Settings tab.
Step 3 Click Smart Software Licensing radio button.
Step 4 Choose Prime Infrastructure Operation Center from the Product Name drop-down list and click Enable Smart Software
Licensing.
Note To enable Operation Center SSO, click Yes in the If you want to add SSO for the same server with IP/DNS
dialog box.
Step 5 Select the licenses in the Available Licenses dialog box, then click Save.
Add Cisco Prime Infrastructure Instances to Operations Center

Once you have activated your Operations Center license, you must add to Operations Center each of the Prime
Infrastructure server instances you want to manage using Operations Center.
Note that each Prime Infrastructure server instance you plan to manage using Operations Center must be
enabled as an SSO client of the Operations Center server. You can do this in advance, by adding Operations
Center as the SSO server for the managed instance (see “Add SSO Servers” in Related Topics). You can also
have Operations Center do this for you when you add the Prime Infrastructure server to Operations Center
(you must know the password for the “root” user on the Prime Infrastructure server instance).
Step 1 Log in to Prime Infrastructure Operations Center.

Step 2 Select Monitor > Manage and Monitor Servers.
Step 3 Click Add.
Step 4 Enter the IP address/FQDN of the Prime Infrastructure server instance that you want to manage using Operations Center.
You may also enter an alias or host name for the server.
The port number 443 is preset for HTTPS communications between Operations Center and its Prime Infrastructure
managed instances. Do not change this value unless you have configured HTTPS for a different port.
Step 5 Click OK.

If the Prime Infrastructure server instance you are adding is already configured to use Operations Center as its SSO server,
it is added as a managed server instance.
If the Prime Infrastructure server instance is not configured as an SSO client:
a) Select Enable Single-Sign-On Automatically. Operations Center prompts you for a Username and Password.
b) Enter the user name and password for the “root” user on the Prime Infrastructureserver instance you want to add.
Note When you login as an SSO authenticated user and want to run an API query, make sure that you login as
a local user in that particular instance, because SSO does not support basic authentication required by the
API.

6
Disable Idle User Timeouts for Operations Center
c) Click OK again.
Step 6 Repeat these steps to add more Prime Infrastructure servers, up to the license limit.
Note If you configure High Availability on a managed instance after adding it in Prime Operations Center, make
sure that the primary and secondary server details are appearing correctly by navigating to the Monitor >
Managed Elements > Manage and Monitor Servers.
Related Topics
Add SSO Servers
Disable Idle User Timeouts for Operations Center

By default,Prime Infrastructure automatically signs out all users whose sessions stay idle for too long. This
feature is enabled by default to preserve network bandwidth and Prime Infrastructure processing cycles for
active use.
This feature can be annoying for Operations Center users, who will typically have sessions opened not only
with Operations Center, but with one or more of the instances of Prime Infrastructure that Operations Center
is managing. Idleness in one of these sessions can force a global idle-user timeout for all the sessions, resulting
in a sudden logout without warning.
To avoid this inconvenience, Prime Infrastructure administrators must:
1. Disable the global idle user timeout feature, as explained in Adjust Your GUI Idle Timeout and Other
Settings section in Cisco Prime Infrastructure User Guide. Note that the administrator must disable this
feature separately , on each of the Prime Infrastructure managed instances that Operations Center manages.
2. Instruct Operations Center users to disable the user-specific idle-user timeout feature for the Prime
Infrastructure managed instances they access, as explained in Change Your Idle User Timeout section in
Cisco Prime Infrastructure User Guide. Note that each Prime Infrastructure user must disable this feature
separately , on each of the Prime Infrastructure managed instances they access.
Related Topics
Enable AAA for Operations Center

Operations Center supports local authentication as well as remote AAA using TACACS+ and RADIUS
servers. Using remote AAA is optional, but if you want to use it, follow this workflow:
1. Complete the setup for TACACS+ or RADIUS in the remote server. See Use Cisco ACS With RADIUS
or TACACS+ for External Authentication or Use Cisco ISE With RADIUS or TACACS+ for External
Authentication , on page 222
2. Login to Operations Center server and navigate to Administration > Users > Users, Roles & AAA
3. Add a TACACS+ or RADIUS server to Operations Center.
4. Click on SSO Server Settings. Depending on the remote server authentication, select TACACS+ or
RADIUS under SSO Server AAA mode.

7
Required Software Versions and Configurations
5. Click on Enable Fall-back to Local check box and select "On Authentication Failure or No Response from
Server" from the drop-down list. Remember that the shared secret configured on the AAA server must
match the shared secret.
Note Make sure you do not change the AAA setting under Administration > Users > Users, Roles & AAA >
AAA Mode Setting. It should be in SSO mode only.
6. Perform steps to manage instance in Prime Infrastructure servers.
Note Prime Infrastructure Manage Instance will only fall back to TACACS+ or RADIUS if SSO server is unreachable
or not responding.
What to do Next
When you have completed the setup tasks, you are ready to use Operations Center.
You can enable the Operations Center instance for High Availability (HA). HA uses a pair of linked,
synchronized Prime Infrastructure servers, to minimize or eliminate the impact of application or hardware
failures that may take place on either server. For details, see “Enable HA for Operations Center” in Related
Topics
Related Topics
Enable HA for Operations Center, on page 295
Required Software Versions and Configurations

To work with Prime Infrastructure, your devices must run at least the minimum required software versions
shown in the list of supported devices. You can access this list using the Prime Infrastructure user interface:
Choose Help > Supported Devices.
You must also configure your devices to support SNMP traps and syslogs, and the Network Time Protocol
(NTP), as explained in the related topics.
Related Topics
Configure SNMP, on page 8
Configure NTP, on page 9
Configure SNMP
To ensure that Prime Infrastructure can query SNMP devices and receive traps and notifications from them,
you must:
• Set SNMP credentials (community strings) on each device you want to manage usingPrime Infrastructure.
• Configure these same devices to send SNMP notifications to thePrime Infrastructure server.
Use the following Cisco IOS configuration commands to set read/write and read-only community strings on
an SNMP device:

8
Configure NTP
• admin(config)# snmp-server community private RW

• admin(config)# snmp-server community public RW
where:
• private and public are the community strings you want to set.
After you set the community strings, you can specify that device notifications be sent as traps to the Prime
Infrastructure server using the following Cisco IOS global configuration command on each SNMP device:
admin(config)# snmp-server host Host traps version community notification-type
where:
• Host is the IP address of the Prime Infrastructure server.
• version is the version of SNMP that is used to send the traps.
• community is the community string sent to the server with the notification operation.
• notification-type is the type of trap to send.
You may need to control bandwidth usage and the amount of trap information being sent to the Prime
Infrastructure server using additional commands.
For more information on configuring SNMP, see:
• The snmp-server community and snmp-server host commands in the Cisco IOS Network Management
Command Reference.
• The Configuring SNMP Support section and the list of notification-type values in the Cisco IOS
Configuration Fundamentals Configuration Guide, Release 12.2.
If you are planning on implementing IPSec tunneling between your devices and the Prime Infrastructure
server, be advised that you will not receive syslogs transmitted from those devices to the Prime Infrastructure
server after implementing IPSec tunneling because IPSec does not support free-form syslogs. However, IPSec
does support SNMP traps. To continue getting SNMP notifications of any kind from these devices, you need
to configure your devices to send SNMP traps to thePrime Infrastructure server.
Configure NTP
Network Time Protocol (NTP) must be properly synchronized on all devices in your network as well as on
thePrime Infrastructure server. This includes all Prime Infrastructure-related servers: any remote FTP servers
that you use for Prime Infrastructure backups, secondary Prime Infrastructure high-availability servers, the
Prime Infrastructure Plug and Play Gateway, VMware vCenter and the ESX virtual machine, and so on.
You specify the default and secondary NTP servers during Prime Infrastructure server installation. You can
also use Prime Infrastructure ntp server command to add to or change the list of NTP servers after installation.
For details, see How to Connect Via CLI, on page 125 and the section on the ntp server command in the
Command Reference Guide . Note that Prime Infrastructure cannot be configured as an NTP server; it acts
as an NTP client only.
Failure to manage NTP synchronization across your network can result in anomalous results in Prime
Infrastructure. Management of network time accuracy is an extensive subject that involves the organization's
network architecture, and is outside the scope of this Guide. For more information on this topic, see (for
example) the Cisco White Paper Network Time Protocol: Best Practices .

9
Configure Data Sources for Cisco Prime Infrastructure With Assurance
Configure Data Sources for Cisco Prime Infrastructure With Assurance

If you are licensing the Prime Infrastructure Assurance features, you must complete pre-installation tasks so
that Assurance can monitor your network interfaces and services. See Supported Assurance Data Sources for
information about these tasks.
Supported Assurance Data Sources

Prime Infrastructure with Assurance needs to collect data from your network devices using the exported data
sources shown in Table 1: Prime Infrastructure Assurance: Supported Data Sources, Devices and Software
Versions . For each source, the table shows the devices that support this form of export, and the minimum
version of Cisco IOS or other software that must be running on the device to export the data.
Use Table 1: Prime Infrastructure Assurance: Supported Data Sources, Devices and Software Versions to
verify that your network devices and their software are compatible with the type of data sources Prime
Infrastructure uses. If needed, upgrade your hardware or software. Note that each software version given is
a minimum . Your devices can run any later version of the same software or Cisco IOS release train.
You may also need to make changes to ensure that Prime Infrastructure can collect data using SNMP, as
explained in Configure SNMP.
Configure Assurance Data Sources

Before installing Prime Infrastructuree, you should enable the supported devices shown in the below table to
provide Prime Infrastructure with fault, application, and performance data, and ensure that time and date
information are consistent across your network. The following table provide guidelines on how to do this.
Table 1: Prime Infrastructure Assurance: Supported Data Sources, Devices and Software Versions
Device Type Cisco IOS Releases Supported NetFlow Export NetFlow Configuration
That Support NetFlow Types
Catalyst 15.0(1)SE TCP and UDP traffic See the Configure NetFlow on Catalyst 3000, 4000, and 6000
3750-X / Family of Switches section in the Cisco Prime Infrastructure
IP base or IP services
3560-X User Guide.
feature set and equipped
with the network
services module.
' 15.0(1)EX TCP and UDP traffic, To configure TCP and UDP traffic, See the Configure NetFlow
Voice & Video on Catalyst 3000, 4000, and 6000 Family of Switches section
Catalyst 3850
in the Cisco Prime Infrastructure User Guide.
To configure Voice & Video, use this CLI template:
Configuration > Templates > Features & Technologies >
CLI Templates > System Templates - CLI > Medianet -
PerfMon

10
Configure Assurance Data Sources
Device Type Cisco IOS Releases Supported NetFlow Export NetFlow Configuration
That Support NetFlow Types
Catalyst 4500 15.0(1)XO and 15.0(2) TCP and UDP traffic, To configure TCP and UDP traffic, See the Configure NetFlow
PerfMon
Catalyst 6500 SG15.1(1)SY TCP and UDP traffic, To configure TCP and UDP traffic, See the Configure NetFlow
PerfMon
ISR 15.1(3) T TCP and UDP traffic, To configure TCP and UDP traffic, use this CLI template:
Voice & Video
CLI Templates > System Templates - CLI > Collecting
Traffic Statistics
PerfMon
ISR G2 15.2(1) T and 15.1(4)M TCP and UDP traffic, To configure TCP, UDP, and ART, see the Configure NetFlow
application response time, on ISR Devices section in Cisco Prime Infrastructure User
Voice & Video Guide.
PerfMon
ISR G2 15.2(4) M2 or later, TCP and UDP traffic, To configure TCP, UDP, and ART, see the Improve
15.3(1)T or later application response time, Application Performance With Application Visibility and
Voice and Video Control chapter in the Cisco Prime Infrastructure User Guide.
ASR 15.3(1)S1 or later TCP and UDP traffic,

application response time,
ISR G3 15.3(2)S or later Voice & Video, HTTP
URL visibility

11
Enable Medianet NetFlow

To ensure that Cisco Prime Infrastructure can make use of Medianet data, your network devices must:
• Enable Medianet NetFlow data export for the basic set of statistics supported in Prime Infrastructure.
• Export the Medianet NetfFlow data to the Prime Infrastructure server and port.
Use a configuration like the following example to ensure that Prime Infrastructure gets the Medianet data it
needs:
• flow record type performance-monitor PerfMonRecord
• match ipv4 protocol
• match ipv4 source address
• match ipv4 destination address
• match transport source-port
• match transport destination-port
• collect application media bytes counter
• collect application media bytes rate
• collect application media packets counter
• collect application media packets rate
• collect application media event
• collect interface input
• collect counter bytes
• collect counter packets
• collect routing forwarding-status
• collect transport packets expected counter
• collect transport packets lost counter
• collect transport packets lost rate
• collect transport round-trip-time
• collect transport event packet-loss counter
• collect transport rtp jitter mean
• collect transport rtp jitter minimum
• collect transport rtp jitter maximum
• collect timestamp interval
• collect ipv4 dscp
• collect ipv4 ttl

12
• collect ipv4 source mask

• collect ipv4 destination mask
• collect monitor event
• flow monitor type performance-monitor PerfMon
• record PerfMonRecord
• exporter PerfMonExporter
• flow exporter PerfMonExporter
• destination PrInIP
• source Loopback0
• transport udp PiInPort
• transport udp PiInPort
• class class-default
• ! Enter flow monitor configuration mode.
• flow monitor PerfMon
• ! Enter RTP monitor metric configuration mode.
• monitor metric rtp
• !Specifies the minimum number of sequential packets required to identify a stream as being an RTP flow
• min-sequential 2
• ! Specifies the maximum number of dropouts allowed when sampling RTP video-monitoring metrics.
• max-dropout 2
• max-reorder 4
• ! Enter IP-CBR monitor metric configuration mode
• monitor metric ip-cbr
• ! Rate for monitoring the metrics (1 packet per sec)
• rate layer3 packet 1
• interface interfacename
• service-policy type performance-monitor input PerfMonPolicy
• service-policy type performance-monitor output PerfMonPolicy
In this example configuration:

• PrInIP is the IP address of the Prime Infrastructure server.
• PiInPort is the UDP port on which the Prime Infrastructure server is listening for Medianet data (the
default is 9991).

13
Enable NetFlow and Flexible NetFlow
• interfacename is the name of the interface (such as GigabitEthernet0/0 or fastethernet 0/1) sending
Medianet NetFlow data to the specified PrInIP .
For more information on Medianet configuration, see the Medianet Reference Guide.
Enable NetFlow and Flexible NetFlow

To ensure that Prime Infrastructure can make use of NetFlow data, your network devices must:
• Have NetFlow enabled on the interfaces that you want to monitor.
• Export the NetFlow data to thePrime Infrastructure server and port.
As of version 2.1, Prime Infrastructure supports Flexible NetFlow versions 5 and 9. Note that you must enable
NetFlow on each physical interface for which you want Prime Infrastructure to collect data. These will normally
be Ethernet or WAN interfaces. This applies to physical interfaces only. You do not need to enable NetFlow
on VLANs and Tunnels, as they are included automatically whenever you enable NetFlow on a physical
interface.
Use the following commands to enable NetFlow on Cisco IOS devices:
• Device(config)# interface interfaceName
• Device(config)# ip route-cache flow where interfaceName is the name of the interface (such as fastethernet
or fastethernet0/1) on which you want to enable NetFlow.
Once NetFlow is enabled on your devices, you must configure exporters to export NetFlow data to Prime
Infrastructure. You can configure an exporter using these commands:
• Device(config)# ip flow-export version 5
• Device(config)# ip flow-export destination PrInIP PiInPort
• Device(config)# ip flow-export source interfaceName where:
• PrInIP is the IP address of the Prime Infrastructure server.

• PiInPort is the UDP port on which the Prime Infrastructure server is listening for NetFlow data. (The
default is 9991.)
• interfaceName is the name of the interface sending NetFlow data to the specified PrInIP . This will cause
the source interface’s IP address to be sent to Prime Infrastructure as part of NetFlow export datagrams.
If you configure multiple NetFlow exporters on the same router, make sure that only one of them exports to
the Prime Infrastructure server. If you have more than one exporter on the same router exporting to the same
destination, you risk data corruption.
Use the following commands to verify that NetFlow is working on a device:
• Device# show ip flow export
• Device# show ip flow export
• Device# show ip cache flow
• Device# show ip cache verbose flow

14
Deploy Network Analysis Modules NAMs
For more information on NetFlow configuration, see:

• Cisco IOS Switching Services Configuration Guide, Release 12.2
• Flexible NetFlow Configuration Guide, Cisco IOS Release 15.1M&T
• Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting
Deploy Network Analysis Modules NAMs

Ensure that your NAMs are placed appropriately in the network. For more information, see:
• Cisco Network Analysis Module Software 5.1 User Guide — Includes deployment scenarios and covers
a variety of topics, including deploying NAMs in the branch, and deploying NAMs for WAN optimization.
• Cisco Network Analysis Module Deployment Guide —See the section Places in the Network Where
NAMs Are Deployed.
If your NAMs are deployed properly, then no other pre installation work is required. When you conduct
discovery using Cisco Prime AM, you will need to enter HTTP access credentials for each of your NAMs.
Prime Infrastructure uses a more efficient REST interface to query NAMs. For this reason, it does not support
the direct export of NetFlow data from NAMs. Any device exporting NetFlow data must export that NetFlow
data directly to Prime Infrastructure, not via a NAM. Exporting NetFlow data from any NAM to Prime
Infrastructure will result in data duplication.
Enable Performance Agent

To ensure that Prime Infrastructure can collect application performance data, use the Cisco IOS mace (for
Measurement, Aggregation and Correlation Engine) keyword to configure Performance Agent (PA) data flow
sources on your branch-office routers.
For example, use the following commands in Cisco IOS global configuration mode to configure a PA flow
exporter on a router:
• Router (config)# flow exporter mace-export
• Router (config)# destination 172.30.104.128
• Router (config)# transport udp 9991
• Use commands like the following to configure flow records for applications with flows across the router:
• Router (config)# flow record type mace mace-record
• Router (config)# collect application name
Router (config)# collect art all where application name is the name of the application whose flow data you
want to collect.To Configure teh PA flow Monitor type:
• Router (config)# flow monitor type mace mace-monitor
• Router (config)# record mace-record
• Router (config)# exporter mace-export

15
Install Cisco Prime Infrastructure Patches
To collect traffic of interest, use commands like the following:

• Router (config)# access-list 100 permit tcp any host 10.0.0.1 eq 80
• Router (config)# class-map match-any mace-traffic
• Router (config)# match access-group 100
To configure a PA policy map and forward the PA traffic to the correct monitor:
• Router (config)# policy-map type mace mace_global
• Router (config)# class mace-traffic
• Router (config)# flow monitor mace-monitor
Finally, enable PA on the WAN interface:

• Router (config)# interface Serial0/0/0
• Router (config)# mace enable
For more information on configuring Performance Agent, see the Cisco Performance Agent Deployment
Guide.

You may need to install patches to get your version of Prime Infrastructure to the level at which upgrade is
supported. You can check the Prime Infrastructure version and patch version you are running by using the
CLI commands show version and show application.
Different patch files are provided for each version of Prime Infrastructure and its predecessor products.
Download and install only the patch files that match the version of your existing system and that are required
before you upgrade to a later version. You can find the appropriate patches by pointing your browser to the
Cisco Download Software navigator .
Before installing a patch, you will need to copy the patch file to your Prime Infrastructure server’s default
repository. Many users find it easy to do this by first downloading the patch file to a local FTP server, then
copying it to the repository. You can also copy the patch file to the default repository using any of the following
methods:
• cdrom—Local CD-ROM drive (read only)
• disk—Local hard disk storage
• ftp—URL using an FTP server
• http—URL using an HTTP server (read only)
• https—URL using an HTTPS server (read only)
• nfs—URL using an NFS server
• sftp—URL using an SFTP server
• tftp—URL using a TFTP server

16
Step 1 Download the appropriate point patch to a local resource in your environment:
a) With the Cisco Download Software navigator displayed in your browser, choose Products > Cloud and Systems
Management > Routing and Switching Management > Network Management Solutions > Prime Infrastructure.
b) Select the version of Prime Infrastructure that most closely matches the one you are currently using.
c) Click Prime Infrastructure Patches to see the list of available patches for that version of the product.
d) Next to each patch that is required, click Download, then follow the prompts to download the file.
Step 2 Open a command-line interface session with the Prime Infrastructure server (see How to Connect Via CLI, on page 125
).
Step 3 Copy the downloaded patch file to the default local repository. For example:
admin# copy source path/defaultRepo
Where:
• source is the downloaded patch file’s location and name.
• path is the complete path to the default local backup repository, defaultRepo (for example: /localdisk )
Step 4 Install the patch:

admin# patch install patchFile Repositoryname
Where:
• patchFile is the name of the patch file you copied to /localdisk/defaultRepo
• Repositoryname is the name of the repository
For example: admin# patch install test.tar.gz defaultRepo

17

18
CHAPTER 2
Licenses and Software Updates
• Prime Infrastructure Licensing , on page 19
• Controller Licensing, on page 23
• MSE Licensing , on page 25
• Assurance Licensing , on page 30
• Smart Licensing, on page 32
• Manage Software Updates, on page 40
Prime Infrastructure Licensing

You purchase licenses to access the Prime Infrastructure features required to manage your network. Each
license also controls the number of devices you can manage using those features.
The Administration > Licenses and Software Updates > Licenses page allows you to manage traditional
Cisco Prime Infrastructure, wireless LAN controllers, and Mobility Services Engine (MSE) licenses.
Although Prime Infrastructure and MSE licenses can be fully managed from the Administration > Licenses
and Software Updates > Licenses page, you can only view Cisco Wireless LAN Controllers (WLC). You
must use Cisco WLC or Cisco License Manager (CLM) to manage Cisco WLC licenses.
The Administration > Licenses and Software Updates > Smart Software Licensing page allows you to
manage smart licenses.
You need a base license and the corresponding feature licenses (such as Assurance licenses) to get full access
to the respective Prime Infrastructure features to manage a set number of devices.
If you have installed Prime Infrastructure for the first time you may access the lifecycle and assurance features
using the built-in evaluation license that is available by default. The default evaluation license is valid for 60
days for 100 devices. You can send a request to ask-prime-infrastructure@cisco.com if:
• You need to extend the evaluation period
• You need to increase the device count
• You already have a particular feature license and need to evaluate the other feature licenses
You will need to order a base license and then purchase the corresponding feature license before the evaluation
license expires. The license that you purchase must be sufficient to:
• Enable access to all the Prime Infrastructure features you want to use to manage your network.
• Include all the devices in your network that you want to manage using Prime Infrastructure.

19
Purchase Prime Infrastructure Licenses
To ensure you have the licenses to achieve these goals, do the following:
1. Familiarize yourself with the types of license packages available to you, and their requirements.
2. View the existing licenses. See for help on ordering and downloading licenses.
3. Calculate the number of licenses you will need, based both on the package of features you want and the
number of devices you need to manage.
4. Add new licenses.
5. Delete existing licenses.
Note As Prime Infrastructure no longer supports the node-locked licensing approach, the UDI information required
to generate licenses are limited to a standard syntax as shown below:
• PID = PRIME-NCS-APL (For Physical Appliance)
PID = PRIME-NCS-VAPL (For Virtual Appliance/Virtual Machine)
• SN = ANY:ANY
You must provide the subtleties in the mentioned format to generate new licenses.
For more information, see Cisco Prime Infrastructure Ordering and Licensing Guide.
Related Topics
Verify License Details , on page 20
Add Licenses , on page 21
Delete Licenses, on page 21
Purchase Prime Infrastructure Licenses

Prime Infrastructure licenses control the features you can use and the number of devices you can manage
using those features. For more information about Prime Infrastructure license types and how to order them,
see the Cisco Prime Infrastructure Ordering and Licensing Guide for the version of Prime Infrastructure that
you want to use.
You can ignore warning messages like “Base license is missing” or “Multiple base licenses present, use only
one” displayed in the Administration > Licenses and Software Updates > Licenses > Files > License Files
area.
Verify License Details

Before you order new licenses, you might want to get details about your existing licenses. For example,
number of devices managed by your system.
To verify license details, choose Administration > Licenses and Software Updates > Licenses.
Related Topics
Prime Infrastructure Licensing , on page 19
Controller Licensing, on page 23
MSE Licensing , on page 25
Assurance Licensing , on page 30

20
Add Licenses
Add Licenses
You need to add new licenses when:
• You have purchased a new Prime Infrastructure license.
• You are already using Prime Infrastructure and have bought additional licenses.
Step 1 Choose Administration > Licenses and Software Updates > Licenses.
Step 2 In the Summary folder, click Files, then click License Files.
Step 3 Click Add.
Step 4 Browse to the location of the license file, then click OK.
Related Topics
Troubleshoot Licenses, on page 21
MSE License Structure Matrix, on page 25
Verify Assurance License Details, on page 30
Delete Licenses
When you delete licenses from Prime Infrastructure, all licensing information is removed from the server.
Make a copy of your original license file in case you want to add it again later. There are several reasons you
might want to delete licenses:
• You installed temporary licenses and want to delete them before applying your permanent licenses.
• You want to move your licenses to a different server. You must first delete the licenses from the original
server, then send an email to licensing@cisco.com requesting a re-host for your licenses. You can then
apply the re-hosted licenses to the new server.
Step 2 Click Files > License Files.
Step 3 Select the license file you want to delete, then click Delete.
Related Topics
Troubleshoot Licenses
To troubleshoot licenses, you will need to get details about the licenses that are installed on your system. to:
• Get a quick list of the licenses you have: Click Help > About Prime Infrastructure.
• Get license details: Choose Administration > Licenses and Software Updates > Licenses.

21
Troubleshoot Licenses
When troubleshooting licenses, it is important to remember that Prime Infrastructure has six types of licenses:
• Base: Required for every Prime Infrastructure installation. The requirement stems primarily from the
need to do accurate royalty accounting by knowing how many Prime Infrastructure instances have been
purchased. A Base license is required for each instance of Prime Infrastructure, and is a prerequisite for
all other license types.
• Lifecycle: Regulates the total number of devices under Prime Infrastructure management. Lifecycle
license is consumed only for admin VDC in Prime Infrastructure. The child VDC does not consume any
license. It is either auto-added by admin or added separately.
• Assurance: Regulates the total number of NetFlow devices under Prime Infrastructure management.
• Collector: Regulates the total number of NetFlow data flows per second that Prime Infrastructure can
process.
Lifecycle and Assurance licenses are supplied in either evaluation or permanent form (there is no explicit
evaluation version of the Base or Collector licenses):
• Evaluation: These licenses permit or extend access to Prime Infrastructure for a pre-set period. You can
apply only one evaluation license of each type (that is, only one Lifecycle evaluation license, one Assurance
evaluation license, and so on). You cannot apply an evaluation license over a permanent form of the
same license.
• Permanent License: These permit access to Prime Infrastructure features as specified and are not
time-limited. Permanent licenses can be applied over evaluation licenses, and can also be applied
incrementally (that is, you can have multiple permanent Assurance licenses, and so on).
Prime Infrastructure also performs the following basic license checks:
• A Lifecycle license is a required prerequisite for Assurance licenses.
• An Assurance license is a required prerequisite for Collector licenses.
Also note that:
• From Release 3.0 Prime Infrastructure enables the user to set threshold limit for generating an alarm for
all licenses. To set threshold limit for licenses, see “Configuring Notifications” in Related Topics.
• Prime Infrastructure hides Assurance-related features, menu options and links until an Assurance license
is applied. Even if you have purchased an Assurance license, these features remain hidden until you
apply it.
• Whenever you apply an Assurance license, you automatically apply a Collector license permitting an
instance of Prime Infrastructure to process up to 20,000 NetFlow data flows per second. Collector licenses
permitting 80,000 flows per second can be applied only with the Professional or equivalent configurations,
due to the hard disk requirements imposed by this data rate.
• You can add Lifecycle and Assurance permanent licenses incrementally. However, you can add only
one Collector 80K license, and then only with the Professional or equivalent configuration.
The following table provides some scenarios and tips for troubleshooting.
Table 2: Troubleshooting Scenarios
Scenario Possible Cause Resolution
Prime Infrastructure The license file may be corrupted and unusable. 1. Delete the existing license.
reports a Licensing This can occur anyone attempts to modify the 2. Download and install a new license.
error. license file.

22
Controller Licensing
Scenario Possible Cause Resolution
Unable to add new Some types of license must be added in the correct 1. Add the Base license
licenses. order. The Base license is a prerequisite for adding 2. Add Lifecycle licenses
Lifecycle licenses. A Lifecycle license is a 3. Add Assurance licenses
prerequisite for adding an Assurance license. An 4. Add Datacenter licenses
Assurance license is a prerequisite for adding a
5. Add Collector licenses
Collector license (a Collector license is added
automatically with the Assurance license).
The state of the devices The device limit must be less than or equal to 1. Delete the additional devices.
has changed to lifecycle license limit. The state of the inventoried 2. The state of the devices will change to managed after
unmanaged. devices will change to unmanaged if you add or the 24 hours synchronization.
delete devices.
To verify that the status of the inventoried devices has
changed to “managed” after synchronization:
1. Choose Monitor > Network Devices.
2. Check the Inventory Collection Status column for
the row listing the devices in which you are
interested. This will give you a summary of current
collection status efforts for those devices.
3. For details about the collection status, hover the
mouse cursor over the cross-hair icon in the Inventory
Collection Status column.
Related Topics
Configure Notifications, on page 390
To view controller licenses, choose Administration > Licenses and Software Updates > Licenses, then
select Files > Controller Files from the left sidebar menu.
Note Prime Infrastructure does not directly manage controller licenses, rather it simply monitors the licenses. To
manage the licenses you can use command-line interface (CLI) commands, Web UI, or Cisco License Manager
(CLM), or Cisco Smart Software Manager (CSSM).
This page displays the following parameters:

• Controller Name
• Controller IP—The IP Address of the controller.
• Feature—License features include wplus-ap-count, wplus, base-ap-count, and base.

23
For every physical license installed, two license files display in the controller: a feature level license and an
ap-count license. For example if you install a “WPlus 500” license on the controller, “wplus” and
“wplus-ap-count” features are displayed. There are always two of these features active at any one time that
combine to enable the feature level (WPlus or Base) and the AP count.
You can have both a WPlus and a Base license, but only one can be active at any given time.
• AP Limit
AP Limit—The maximum capacity of access points allowed to join this controller.
• EULA status—Displays the status of the End User License Agreement and is either Accepted or Not
Accepted.
• Comments
Comments—User entered comments when the license is installed.
• Type
Type—The four different types of licenses are as follows:
• Permanent
Permanent—Licenses are node locked and have no usage period associated with them. They are
issued by Cisco licensing portal and must be installed using management interfaces on the device.
Upon installation of these licenses, you have the necessary permissions across different versions.
• Evaluation—Licenses are non-node locked and are valid only for a limited time period. They are
used only when no permanent, extension, or grace period licenses exist. Before using an evaluation
license, you must accept an End User License Agreement (EULA). Even though they are non-node
locked, their usage is recorded on the device. The number of days left displays for the evaluation
license with the fewest number of remaining active license days.
• Extension—Licenses are node locked and metered. They are issued by Cisco licensing portal and
must be installed using management interfaces on the device. Before using an extension license,
you must accept a EULA during installation.
• Grace Period—Licenses are node locked and metered. These licenses are issued by Cisco licensing
portal as part of the permission ticket to rehost a license. They are installed on the device as part of
the rehost operation, and you must accept a EULA as part of the rehost operation.
Types other than Permanent display the number of days left until the license expires. Licenses not currently
in use do not have their counts reduced until they become “In Use.”
• Status
• In Use—The license level and the license are in use.
• Inactive—The license level is being used, but this license is not being used.
• Not In Use—The license level is not being used and this license is not currently recognized.
• Expired In Use—The license is being used, but is expired and will not be used upon next reboot.
• Expired Not In Use—The license has expired and can no longer be used.
• Count Consumed—The ap-count license is In Use.
If you need to filter the list of license files, you can enter a controller name, feature, or type and click Go.

24
MSE Licensing
MSE Licensing
The MSE packages together multiple product features related to network topology, design such as NMSP,
Network Repository along with related Service Engines, and application processes, such as the following:
• Context-Aware Service
• Wireless Intrusion Prevention System(WIPS)
To enable smooth management of MSE and its services, various licenses are offered.
You must have a Cisco Prime Infrastructure license to use MSE and its associated services.
Related Topics
Sample MSE License File, on page 25
Revoke and Reuse an MSE License, on page 26
MSE Services Coexistence, on page 27
Manage MSE Licenses, on page 27
MSE License Structure Matrix

The following table lists the breakdown of the licenses between the High end, Low end and Evaluation licenses
for MSE, Location services, SCM, wIPS, and MIR.
Table 3: MSE License Structure Matrix
High End Low End Evaluation
MSE Platform High-end appliance and infrastructure Low-end appliance and infrastructure —
platform, such as the Cisco 3350 and 3355 platform, such as Cisco 3310 mobility
mobility services engines services engine
Context Aware 25,000 Tags 2000 Tags Validity 60 days, 100 Tags
Service and 100 Elements
25,000 Elements 2000 Elements
wIPS 3000 access points 2000 access points Validity 60 days, 20 access
points
Related Topics
Sample MSE License File

The following is a sample MSE license file:

25
Revoke and Reuse an MSE License
FEATURE MSE cisco 1.0 permanent uncounted \

VENDOR_STRING=UDI=udi,COUNT=1 \
HOST ID=ANY \
NOTICE="<LicFileID>MSELicense</LicFileID><LicLineID>0</LicLineID> \
<PAK>dummyPak</PAK>" \
SIGN="0C04 1EBA BE34 F208 404F 98ED 43EC \
45D7 F881 08F6 7FA5 4DED 43BC AF5C C359 0444 36B2 45CF 6EA6 \
1DB1 899F 413F F543 F426 B055 4C7A D95D 2139 191F 04DE"
This sample file has five license entries. The first word of the first line of any license entry tells you what type
of license it is. It can either be a Feature or Increment license. A feature license is a static lone item to license.
There can be multiple services engines running in MSE. An Increment license is an additive license. In MSE,
the individual service engines are treated as increment licenses.
The second word of the first line defines the specific component to be licensed. For example, MSE,
LOCATION_TAG. The third word depicts the vendor of the license, for example Cisco. The fourth word
denotes the version of the license, for example 1.0. The fifth word denotes the expiration date; this can be
permanent for licenses that never expire or a date in the format dd-mm-yyyy. The last word defines whether
this license is counted.
Related Topics
Revoke and Reuse an MSE License

You can revoke an MSE appliance license from one system and reuse it on another system. When you revoke
a license, the license file is deleted from the system. If you want to reuse the license on another system, then
the license needs to be rehosted.
If you want to reuse a license with an upgrade stock keeping unit (SKU) on another system, then you must
have the corresponding base license SKU installed in the system to which you want to reuse the upgrade SKU.
You cannot reuse the upgrade license SKU in a system if the corresponding base license SKU is deleted from
it.
When you revoke a license, MSE restarts the individual service engines to reflect the changes to the licenses.
Then the service engines receives the updated capacity from MSE during startup.
Related Topics

26
MSE Services Coexistence
MSE Services Coexistence

With MSE 6.0 and later, you can enable multiple services (Context Aware and wIPS) to run concurrently.
Before Version 6.0, mobility services engines only supported one active service at a time.
The following must be considered with coexistence of multiple services:
• Coexistence of services might be impacted by license enforcement. As long as the license is not expired,
you can enable multiple services.
Note Limits for individual services differ. For example, a low-end mobility services engine (MSE-3310) tracks a
total of 2,000 CAS elements; a high-end mobility services engine (MSE-3350) tracks a total of 25,000 CAS
elements.A low-end mobility services engine has a maximum limit of 2000 wIPS elements; a high-end mobility
services engine has a maximum limit of 3000 wIPS elements.
• Expired evaluation licenses prevent the service from coming up.

• If a CAS license is added or removed, this process restarts all services on the mobility services engine
including wIPS. If a wIPS license is added or removed, the process does not impact CAS; only wIPS
restarts.
• Other services can be enabled in evaluation mode even if a permanent license for the maximum number
of elements has been applied.
Whenever one of the services has been enabled to run with its maximum license, another service cannot be
enabled to run concurrently because the capacity of the MSE is not sufficient to support both services
concurrently. For example, on MSE-3310, if you install a wIPS license of 2000, then you cannot enable CAS
to run concurrently. However, evaluation licenses are not subject to this limitation.
Related Topics
Manage MSE Licenses

To view Mobility Services Engine (MSE) licenses, choose Administration > Licenses and Software Updates
> Licenses, then select Files > MSE Files from the left sidebar menu.
The page displays the MSE licenses found and includes the following information:
• MSE License File—Indicates the MSE License.
• MSE—Indicates the MSE name.
• Type—Indicates the type of mobility services engine (client elements, wIPS local mode or wIPS monitor
mode access points).
• Limit—Displays the total number of client elements or wIPS monitor mode access points licensed across
the mobility services engine.
• License Type—Permanent licenses are the only license types displayed on this page. Permanent licenses
are node locked and have no usage period associated with them. They are issued by Cisco licensing portal
and must be installed using management interfaces on the device. Upon installation of these licenses,
you have the necessary permissions across different versions.

27
Register Product Authorization Keys
Tag licenses are installed using the AeroScout System Manager only if the tags are tracked using the Partner
engine. Otherwise the tags will be counted along with the CAS element license. Because tag licenses are
added and managed using appropriate vendor applications, tag licenses are not displayed in this page. For
more information, see the AeroScout Support Page in Related Topics. Evaluation (demo) licenses are also
not displayed.
For more information, see AeroScout Support Page.
Related Topics
Register Product Authorization Keys, on page 28
Install Client and wIPS License Files, on page 29
Delete Mobility Services Engine License Files, on page 29
Register Product Authorization Keys

You receive a product authorization key (PAK) when you order a client, wIPS, or tag license from Cisco.
You must register the PAK to receive the license file for installation on the mobility services engine. License
files are emailed to you after successfully registering a PAK.
Client and wIPS PAKs are registered with Cisco.
Tag PAKs are registered with AeroScout. To register your tag PAK, navigate to the AeroScout Support Page
given in Related Topics.
To register a product authoritative key (PAK) and obtain a license file for installation, follow these steps:
Step 1 Point your browser to the Cisco Product License Registration Portal (see Related Topics).
You can also access this site by clicking the Product License Registration link located on the License Center page of
Prime Infrastructure.
Step 2 Enter the PAK and click SUBMIT.

Step 3 Verify the license purchase. Click Continue if correct. The licensee entry page appears.
If the license is incorrect, click the TAC Service Request Tool link to report the problem.
Step 4 In the Designate Licensee page, enter the mobility service engine UDI in the host ID text box. This is the mobility services
engine on which the license will be installed.
UDI information for a mobility services engine is found in the General Properties area at Services > Mobility Services
Engine > Device Name > System.
Step 5 Select the Agreement check box. Registrant information appears beneath the check box.
Modify information as necessary.
Ensure that the phone number does not include any characters in the string for the registrant and end user. For example,
enter 408 555 1212 rather than 408.555.1212 or 408-555-1212.
Step 6 If registrant and end user are not the same person, select the License (End-User) check box beneath registrant information
and enter the end-user information.
Step 7 Click Continue.
Step 8 At the Finish and Submit page, review registrant and end-user data. Click Edit Details to correct information, if necessary,
then click Submit. For more information, see AeroScout Support Page and Cisco Product License Registration Portal.

28
Install Client and wIPS License Files
Related Topics
Install Client and wIPS License Files

You can install CAS element licenses and wIPS licenses from Prime Infrastructure.
Tag licenses are installed using the AeroScout System Manager. See the AeroScout Support Page.
To add a client or wIPS license to Prime Infrastructure after registering the PAK, follow these steps
Step 2 From the left sidebar menu, choose Files > MSE Files.
Step 3 Click Add to open the Add a License File dialog box.
Step 4 From the MSE Name drop-down list, choose the mobility services engine to which you want to add the license file.
Note Verify that the UDI of the selected mobility services engine matches the one you entered when registering the
PAK.
Step 5 Enter the license file in the License File text box or browse to the applicable license file.
Step 6 Once displayed in the License File text box, click Upload. Newly added license appears in mobility services engine
license file list.
Note • A Context Aware Service (CAS) restarts if a client or tag license is installed; a wIPS service restarts if a
wIPS license is installed.
• Services must come up before attempting to add or delete another license.
Related Topics
Delete Mobility Services Engine License Files
Step 1 Choose Administration > Licenses and Software Updates > Licenses, then select Files > MSE Files from the left
sidebar menu.
Step 2 Select the check box of the mobility services engine license file that you want to delete.
Step 3 Click Delete, then click OK to confirm the deletion.
Related Topics
Register Product Authorization Keys, on page 28

29
Assurance Licensing
Assurance Licensing
As explained in “Purchasing Prime Infrastructure Licenses” (see Related Topics), licenses for Assurance
features are based on the number of NetFlow-monitored devices and Network Analysis Module (NAM) data
collection-enabled devices you have in your network. You manage, verify, and troubleshoot Assurance licenses
much as you do with other feature licenses, as explained in “Add Licenses”, “Delete Licenses” and
“Troubleshoot Licenses”.
In addition to these functions, Prime Infrastructure also lets you choose which NetFlow and NAM devices
you want to manage using Assurance features. For example, if you have only 50 Assurance feature licenses
and more than 50 NetFlow and NAM devices, you can choose to manage only your most critical devices. If
you later purchase additional Assurance licenses, you can add license coverage for the devices previously left
unmanaged.
Related Topics
Purchase Prime Infrastructure Licenses, on page 20
Verify Assurance License Details

Before you buy new Assurance licenses, you may want to get details about your existing Assurance licenses
and how they are being used. You can find Assurance license information using the resources in the following
table.
Table 4: Finding Assurance License Information
To see Choose
The NetFlow-enabled devices in your network that are under Assurance Administration > Licenses and Software Updates
management, as a percentage of the total number of Assurance licenses you > Licenses > Summary.
have.
The total number of Assurance licenses you have and the files associated with Administration > Licenses and Software Updates
them. > Licenses > Files.
A list of the devices sending NetFlow or NAM polling data to Prime Administration > Licenses and Software Updates
Infrastructure. > Licenses > Assurance Licenses (link is in upper
right corner of the page)
The number of Assurance Licenses in use.
The maximum number of Assurance licenses available to you.
By default, the total count of Assurance licenses on the Assurance Licenses page and on the Summary and
Files > License Files pages is always updated whenever you add or delete Assurance licenses. Addition or
removal of devices covered under these added or deleted Assurance licenses takes place as part of a System
Defined Job, which runs automatically once every 12 hours. It can take up to 12 hours for the added or deleted
devices to appear.

30
Add License Coverage For NetFlow and NAM Devices
You can always access the Administration > Licenses and Software Updates > Licenses > Assurance
Licenses page from the Assurance Licenses link in the upper right corner of the Administration > Licenses
and Software Updates > Licenses > Summary and Administration > Licenses and Software Updates >
Licenses > Files pages.
Related Topics
Add License Coverage For NetFlow and NAM Devices

You want to add license coverage for NetFlow or NAM devices when:
• You have purchased new or additional Assurance licenses.
• You have NetFlow and NAM devices not already licensed for Assurance management.
Step 1 Choose Administration > Licenses and Software Updates > Licenses > Assurance Licenses (the Assurance Licenses
link is in the upper right corner of the page).
Step 2 Above the list of devices currently under Assurance management, click Add Device.
Step 3 Select the check box next to each device you want to put under Assurance management, then click Add License. Prime
Infrastructure adds the devices immediately.
Step 4 When you are finished, click Cancel.
Related Topics
Delete License Coverage for NetFlow and NAM Devices, on page 31
Delete License Coverage for NetFlow and NAM Devices

You may need to delete license coverage for a NetFlow or NAM device when:
• You have too many NetFlow and NAM devices for the number of Assurance licenses you have.
• You want to stop using Assurance management features with one or more NetFlow and NAM devices.
Step 1 Choose Administration > Licenses and Software Updates > Licenses > Assurance Licenses (the Assurance Licenses
link is in the upper right corner of the page).
Prime Infrastructure displays the list of devices currently under Assurance management. It also displays the total number
of Assurance licenses you have, and the total number of devices under Assurance management.
Step 2 Select the check box next to each device you want to remove from Assurance management, then click Remove Device.
Related Topics
Add License Coverage For NetFlow and NAM Devices , on page 31

31
Smart Licensing
Smart Licensing
Smart Licensing feature provides a standardized licensing platform that simplifies user experience.When
Smart Licensing is first enabled, Prime Infrastructure is in Evaluation mode until you register Prime
Infrastructure with the Smart Software Manager (which resides on a centralized Cisco web site).
If you are currently using traditional licensing, Cisco recommends that you convert to Smart Licensing. For
information on the differences between the two types of licensing, refer to the Cisco Smart Licensing Overview
on Cisco.com .
The purpose of the smart licensing feature is to reduce license-related complexity by enabling users to:
• Purchase additional licenses and automatically update the information.
• Monitor current purchases and entitlements (duration and number of units).
• Monitor current usage information and trending information.
• Easily track if adequate licenses are purchased.
• Save time with the ability to transfer licenses across the company.
Note From Cisco Prime Infrastructure Release 3.5, Smart Licensing is supported for Operation Center.
The limitations of smart licensing feature are:

• In HA (High Availability), you can perform smart license actions (enable, register, deregister and disable)
on the HA Primary server and these actions are not permitted on the HA Secondary server.
• While performing backup and restore operation, the license supported during backup will be restored.
Smart licensing registration state cannot be restored on another server and in that case user has to register
once again on the restored setup.
• While performing an upgrade from an older version, the license supported in the older version will be
enabled by default in the new version.
Related Topics
Set Up Cisco Smart Licensing on Prime Infrastructure, on page 32
Set Up the Transport Mode Between Prime Infrastructure and Cisco Smart Software Manager, on page
33
Enable Smart License on Prime Infrastructure, on page 34
Register Prime Infrastructure with the Cisco Smart Software Manager, on page 35
Choose Smart Software Licenses, on page 36
Configure License Thresholds for the Prime Infrastructure License Dashboard, on page 37
Perform Additional Actions, on page 39
View the Licensing Dashboard, on page 37
Reference: Product Registration and License Authorization Statuses, on page 39
Set Up Cisco Smart Licensing on Prime Infrastructure

Follow these steps to set up Cisco Smart Licensing. If you are currently using traditional licensing, use these
same procedures to convert to Cisco Smart Licensing.

32
Set Up the Transport Mode Between Prime Infrastructure and Cisco Smart Software Manager
Step See:
1. Create a Smart Account with Cisco Systems. Go to: Smart Account Request and follow the
instructions on the web site
2. Set up communication between Prime Infrastructure and Setting Up the Transport Mode Between Prime
the Cisco Smart Software Manager (CSSM) on Infrastructure and Cisco Smart Software
Cisco.com. Manager
3. Enable Smart Licensing in Prime Infrastructure (you Enabling Smart License on Prime Infrastructure
will have to restart the web GUI).
4. Register Prime Infrastructure with the CSSM on Registering Prime Infrastructure with the Cisco
Cisco.com, then enter the license tokens into the Prime Smart Software Manager
Infrastructure web GUI (you will have to restart the web
GUI).
5. Choose the licenses you want to use in Prime Choosing Smart Software Licenses
Infrastructure.
6. Set up the Smart License Dashboard to signal when you Configuring License Thresholds for the Prime
are running out of licenses. Infrastructure License Dashboard
Set Up the Transport Mode Between Prime Infrastructure and Cisco Smart
Software Manager
Step 1 Choose Administration > Settings > System Settings > General > Account Credentials and select Smart Licensing
Transport tab.
Alternatively, you can click the link mentioned in the Smart Software Licensing page to direct you to the Smart
Licensing Transport tab to set up transport settings.
Step 2 You can select any of the following three modes:

• Direct mode—Select this option to send data directly to Cisco cloud. The Smart Call Home Server URL is a read-only
and cannot be modified.
• Transport Gateway—Uses a Cisco Call Home transport gateway or a Cisco Smart Licensing Software satellite. (A
Cisco Smart Licensing Software satellite is installed on customer premises and provides a subset of CSSM
functionality. See Cisco.com for more information about satellites.) Specify an appropriate DNS mapped URL for
the respective Smart Software Manager Satellite or Smart Software Manager. Refer Smart Software Manager User
Guide for details.
• HTTP Proxy—Select this option to use an intermediate HTTP/HTTPS proxy between Prime Infrastructure and the
Cisco cloud. To enable this option, you must first configure the proxy settings in the Proxy tab.
Step 3 Click Test Connectivity to test the connection status. Click Save to update the smart licensing transport mode.
Step 4 Proceed to Enabling Smart License on Prime Infrastructure .
Related Topics
Smart Licensing, on page 32

33
Enable Smart License on Prime Infrastructure

Enable Smart License on Prime Infrastructure

To enable smart license, follow these steps:
Before you begin

Make sure you have set up the transport mode. See "Set Up the Transport Mode Between Prime Infrastructure
and Cisco Smart Software Manager" in Related Topics.
Step 1 Choose Administration > Licenses and Software Updates > Smart Software Licensing.
Step 2 In the Licensing Settings tab, select Smart Software Licensing.
Step 3 Choose Prime Infrastructure from the Product Name drop-down list.
Step 4 Click Enable Smart Software Licensing. Prime Infrastructure displays a dialog box informing you that you must log
out of Prime Infrastructure and log back in, before you can proceed to the configuration step.
Step 5 Click OK in the dialog box.
Once the smart license is enabled and before it is registered, the product will be in Evaluation Mode for 90 days and
you can manage any number of devices.
Step 6 Perform one of the following:

a. If you have not yet registered with the CSSM on Cisco.com, proceed to Registering Prime Infrastructure with the
Cisco Smart Software Manager.
b. If you have registered with the CSSM, proceed to Choosing Smart Software Licenses.
Note If you prefer traditional licenses, then in the Licensing Settings tab, select Traditional Licensing as the
Licensing Mode and click Register. The Administration > Licenses and Software Updates > Licenses page
is displayed.
Related Topics
33
Disable Smart Licensing, on page 38

34
Register Prime Infrastructure with the Cisco Smart Software Manager
Register Prime Infrastructure with the Cisco Smart Software Manager

This procedure creates a token which you will use to register your product instance with the CSSM. For
information on how to use the CSSM, see the Cisco Smart Software Manager User Guide.
Note Refer to the Cisco Smart Software Manager User Guide for information on other actions you can perform
from the CSSM—for example, renewing license registration and license authorization, unregistering the
product from Cisco Smart Licensing, and so forth.
Related Topics
Generate Token ID, on page 35
Register Product Instance, on page 36
Generate Token ID
If this is a new installation (you are not converting from traditional licensing), follow these steps:
Before you begin

If your organization does not have a Smart Account, go to software.cisco.com, choose Request a Smart
Account (under Administration), and follow the instructions to create an account. If you are converting from
traditional licensing, refer Converting from Traditional Licensing.
Step 1 Go to the Cisco Software Central web site ( software.cisco.com ).

Step 2 On Cisco Software Central, choose License > Smart Software Licensing.
Step 3 Select the appropriate virtual account (virtual accounts are automatically created when you create a Smart Account).
Step 4 Click the General tab, then click New Token.
Step 5 Follow the instructions to provide a name, duration, and export compliance applicability before accepting the terms and
responsibilities.
Step 6 Click Create Token.
Step 7 Copy the Token ID to your clipboard and proceed to Registering Product Instance.
Convert from Traditional Licensing

If you are converting from traditional licensing, follow these steps:
Step 1 Go to the Cisco Software Central web site ( software.cisco.com ).

Step 2 On Cisco Software Central, choose License > Traditional Licensing.
Step 3 Click Continue to Product License Registration.
Step 4 In the Manage area of the Product License Registration page, click the PAKs/Tokens tab and choose the entitlements
you want to convert.
Step 5 From the Actions drop-down list, choose Convert to Smart Entitlements.

35
Register Product Instance
Step 6 Copy the Token ID to your clipboard and proceed to Registering Product Instance.
Register Product Instance

Enter the token IDs into the Prime Infrastructure web GUI and register the product.
Step 1 Choose Administration > Licenses and Software Updates > Smart Software Licensing.
Step 2 Under the Licensing Settings tab, paste your token into the Registration Token field.
Step 3 Click Register.
Step 4 Log out of Prime Infrastructure, then log back in.
Step 5 Proceed to Choosing Smart Software Licenses.
Related Topics
33
Choose Smart Software Licenses
Step 1 If this is the first time you are choosing Smart licenses:
After a few moments, Prime Infrastructure displays a dialog box informing you that you cannot access the page
because you are not using traditional licensing. This is normal.
Step 2 If you are already using Smart Licensing:
a) Choose Administration > Licenses and Software Updates > Smart Software Licensing.
b) Click the Licensing Settings tab.
Step 3 Click Smart Software Licensing radio button.
Step 4 Select the licenses in the Available Licenses dialog box, then click Save.
Step 5 Proceed to Configuring License Thresholds for the Prime Infrastructure License Dashboard.

36
Configure License Thresholds for the Prime Infrastructure License Dashboard
Configure License Thresholds for the Prime Infrastructure License Dashboard

To manage your licenses more efficiently, configure the License Dashboard to indicate when you are nearing
the point where your license count is depleted. The settings you configure here apply across the system.
Step 1 Choose Administration > Licenses and Software Updates > Smart Software Licensing, then click the License
Dashboard Settings tab.
Step 2 Select a license from the License Type drop-down list.
Step 3 Enter a value in the Threshold Value field.
Step 4 Click Save.
The threshold value is displayed as a straight line in the graphical representation of the License Summary and the Device
Distribution for License dashlets.
Related Topics
View the Licensing Dashboard

From the Licensing dashboard, you can determine whether traditional or smart software licensing is enabled
(indicated in the Active Licensing Mode field at the top of the dashboard) and view the number of licenses
that are currently in use. You can set the licensing mode from the Smart Software Licensing page
(Administration > Licenses and Software Updates > Smart Software Licensing).
To open this dashboard, do one of the following:
• Choose Administration > Dashboards > Licensing Dashboard.
• Click the Licensing Dashboard link from the top-right corner of the Smart Software Licensing page.
The information displayed in the dashboard depends on the licensing mode that is enabled. If smart software
licensing is currently enabled, the following dashlets are displayed:
• License Summary Count area—Displays the number of licenses consumed and the compliance status
for each license type. The number of licenses displayed is based on the current date.
• License Summary dashlet—Displays a bar chart that graphs the number of licenses consumed for each
license type during a particular time period. To view additional information, place your cursor over the
chart.
• Device Distribution for License dashlet—To view the device distribution chart for a particular license,
click its link from the top of the chart displayed in the License Summary dashlet. To view additional
information, place your cursor over the chart.

37
Disable Smart Licensing
Note The information displayed in the License Dashboard is refreshed daily after the SmartLicense job runs at
02:00 A.M. (its pre-configured run time). To view this job in the Job Dashboard, choose Administration >
Dashboards > Job Dashboard.
If traditional licensing is currently enabled, the Licensing dashboard displays the Traditional Licensing
dashlet. Specify whether you want to view information about Lifecycle or Assurance licenses by choosing
the corresponding option from the License Type drop-down list. The dashlet updates, displaying information
such as the device families with that license type, the number of tokens allocated to each device in those
families, as well as the number of tokens that are not being used at the moment.
Note The token consumption is based on the number devices, for example for a stack switch having 4 switches the
number of tokens consumed is 4.
Related Topics
Disable Smart Licensing
Step 1 Disable Smart licensing.

a) Choose Administration > Licenses and Software Updates > Smart Software Licensing, then click the Licensing
Settings tab.
b) At the bottom of the window, click Disable Smart Licensing and confirm your choice.
Step 2 Enable traditional licensing. (This is done from the Smart License Settings page.)
d) For the Licensing Mode, select Traditional Licensing.
e) Click Register.
Related Topics

38
Perform Additional Actions
Perform Additional Actions

Choose any of the following actions from the Actions drop-down list. To know more about the status of
licenses and product registration, refer Reference: Product Registration and License Authorization Statuses.
• Renew Authorization Now—Click Renew Authorization Now to renew authorization with CSSM to
enable Prime Infrastructure to remain compliant. By default, authorization periods are renewed every 30
days.
• Renew Registration Now—Click Renew Registration Now to renew the ID certificate that needs to be
renewed every year for Prime Infrastructure to remain registered.
• Deregister—Prime Infrastructure will be de-registered from Smart Software Licensing and goes back to
evaluation mode.
• Disable Smart Software Licensing—Prime Infrastructure will be unregistered from Smart Licensing and
will be unlicensed. Once disabled, only Administration menu will be available on logging in. See
Disable Smart Licensing.
Related Topics
33
Reference: Product Registration and License Authorization Statuses

Product Registration Status
The Product Registration Status reflects whether the product is properly registered with Cisco Smart Software
Licensing on Cisco.com.
Product Registration Status Description
Unregistered Smart Software Licensing is enabled on Prime Infrastructure, but Prime

Infrastructure is not registered with the CSSM.
Registered Prime Infrastructure is registered with the CSSM. Prime Infrastructure has
received an ID certificate that will be used for future communication with the
Cisco licensing authority.
Registration Expired Prime Infrastructure did not successfully renew its registration prior to the
expiration date and has been removed from CSSM.
License Authorization Status

The License Authorization Status reflects usage against purchased licenses and whether you are in compliance
with Cisco Smart Licensing. If you exceed the number of purchased licenses, you will be Out of Compliance.

39
Manage Software Updates
License Authorization Status Description
Evaluation Mode Prime Infrastructure is running in evaluation mode until the evaluation period
expires (90 days).
Authorized Prime Infrastructure has a valid Smart Account and is registered. All licenses
requested by the product are authorized for use.
Out of Compliance Prime Infrastructure has exceeded the number of licenses that were
purchased.The Virtual account containing the product instance has a shortage
of one or more of license types used.
Evaluation Expired The Evaluation period has expired and Prime Infrastructure will be in
unlicensed state.
Authorization Expired Prime Infrastructure did not successfully renew its license authorization prior
to the authorization expiration date.
Related Topics
Manage Software Updates

• What Are Software Updates?, on page 40
• View the Installed Product Software Version, on page 41
• Enable or Disable Notifications About Software Updates, on page 41
• View Installed Software Updates, on page 41
What Are Software Updates?

Cisco provides updates to the Prime Infrastructure software periodically. These updates fall into the following
three categories:
• Critical Fixes—Provide critical fixes to the software. We strongly recommend that you download and
apply all of these updates as soon as they are available.
• Device Support—Adds support for managing devices which Prime Infrastructure did not support at
release time.
• Add-ons—Provide new features, which can include GUI screens and functionality, to supplement the
Prime Infrastructure version you are using. This includes Prime Infrastructure maintenance packs and
maintenance pack point patches.
The update notifications that Prime Infrastructure displays depend on the Notification Settings specified by
your administrator. See Enable or Disable Notifications About Software Updates, on page 41 . All software
updates are packaged in .ubf files. A large update can contain individual smaller updates, from which you can
choose what you want to install. When you install an update, Prime Infrastructure does the following:

40
View the Installed Product Software Version
• Verifies that the file publisher is Cisco Systems and the file has not been tampered with.
• Automatically installs any other updates that are required.
If you have connectivity to http://www.cisco.com , you can download and install the updates directly from
Cisco.com. If you do not have internet connectivity, copy the update from a server that has the necessary
connectivity and install it from there.
View the Installed Product Software Version

Use one of these methods to check the Prime Infrastructure product version:
• From the UI, choose Help > About Prime Infrastructure.
• From the UI, Click settings icon on the top right of the page and click About Prime Infrastructure.
• From the CLI, execute the following command to view the Installed Product software version.
#show version
To use the CLI, see Establish an SSH Session With the Prime Infrastructure Server, on page 89.
View Installed Software Updates

If you are not logged in to the web GUI, you can view a pop-up window that lists the software updates by
clicking View Installed Updates from the login page.
If you are logged in to the web GUI, you can view the software updates in two ways:
• From the About Prime Infrastructure page, by clicking the settings icon at the top right of the page
and clicking About Prime Infrastructure, and then clicking View Installed Updates. (The View
Installed Updates link is also available from the login page.)
• By choosing Administration > Licenses and Software Updates > Software Update (this method
provides the most detail).
The Software Update page displays two tabs:

• Installed Updates—Updates that Prime Infrastructure is currently using.
• Uploaded Update Files—Update files that have been uploaded to the server (including those that are
not being used). The Corresponding Updates field lists any prerequisite updates that were also uploaded.
If an update file has not yet been installed, it can be deleted. Select the file and click the Delete button.
Enable or Disable Notifications About Software Updates

By default, Prime Infrastructure displays information about all available updates in the Software Updates
page. Because the list can be quite long, you may want to adjust what is displayed and the updates for which
you are notified. You can also disable all notifications and re-enable them later.
Step 1 Configure the default Cisco.com credentials so that Prime Infrastructure can get information about available updates.
a) Choose Administration > Settings > System Settings, then choose General > Account Settings.

41
Validate Images (ISO and OVA) Before Installing Them
b) Click the Cisco.com Credentials tab, enter the credentials, then click Save.
Step 2 Configure your software update notification settings.
a) Choose Administration > Settings > System Settings, then choose General > Software Update.
b) Under Notification Settings, select or deselect the update categories. To disable all notifications, make sure no
categories are selected. For an explanation of the categories, see What Are Software Updates?, on page 40
c) Click Save.
Validate Images (ISO and OVA) Before Installing Them

Before installing any software, you should verify the authenticity of the publisher by making sure the image
is signed. This ensures that the image is from Cisco Systems and that it has not been tampered with.
Prime Infrastructure software is provided in the following formats:
• .ubf files that you can download and install using the Software Update web GUI feature
• ISO or OVA images that are provided during major product releases and updates
You do not have to manually validate UBF packages that are downloaded using the Software Update feature.
This is because Prime Infrastructure automatically validates the .ubf files during the Software Update installation
process. If a file is not signed, Prime Infrastructure generates an error message and will not install the .ubf
file. If this occurs, contact your Cisco representative.
You do need to manually validate ISO and OVA images. Use the following procedure to validate them before
installation.
Step 1 If you do not have openssl installed, download and install it (see http://www.openssl.org).
Step 2 Place the following files in a temporary directory:
• The product file to be verified (*.iso or *.ova).
• The signature file (*.signature) that is packaged with the product file.
• The certificate file (*.pem). The same certificate is used to verify OVA and ISO images.
Step 3 Move to the temporary directory and run the following command as the Linux CLI root user (see Log In and Out as the
Linux CLI root User, on page 171):
openssl dgst -sha512 -verify cert-file -signature sig-file content-file
Where:
• cert-file is the Prime Infrastructure certificate file
• sig-file is the Prime Infrastructure signature file
• content-file is the Prime Infrastructure ISO file or OVA image to be verified
Step 4 If the result is Verified OK:

42
Download and Install a Software Update from Cisco.com
• For an ISO file, proceed with the installation (you do not have to perform any more steps as part of this validation
procedure).
• For an OVA package, proceed to the next steps.
Step 5 (OVA package only) Verify that Cisco Systems is the publisher.
a) In the VMware vSphere client, choose File > Deploy OVF Template.
b) Browse to the OVA file (*.ova), select it, and click Next.
c) Verify that the Publisher field in the OVF Template Details window displays Cisco Systems, Inc. with a green
check mark next to it. Proceed to the next step.
Note Do not validate the image using the Vendor field. This field does not authenticate Cisco Systems as the publisher.
Note Do not proceed if the Publisher field displays No certificate present. This indicates the image is not signed,
is not from Cisco Systems, or has been tampered with.
Step 6 Check the certificate chain.

a) In the OVF Template Details window, click the Cisco Systems, Inc. hyperlink in the Publisher field.
b) In the Certificate window, click the Certification Path tab.
c) In the Certification Path tab (which lists the certificate chain), ensure that the Certification Path area displays
Cisco Systems, Inc. and the Certification Status area displays The certificate is OK.
Download and Install a Software Update from Cisco.com

These steps explain how to download a software update from cisco.com and then install it on the Prime
Infrastructure server.
If you are using high availability, see How to Patch New HA Servers, on page 305.
Before you begin

Make sure you have an account on Cisco.com.
Step 1 Back up your data. See Perform a Manual Backup, on page 57.
Step 2 Download the file to your local machine, then upload it from your local machine to the Prime Infrastructure server.
a) Log into cisco.com and go to the Prime Infrastructure Software Download site.
b) Locate the .ubf file you want to download, and download it to your local machine.
Step 3 Copy the file from your local machine to the Prime Infrastructure server as described in Copy a File from a Client Machine
to the Prime Infrastructure Server, on page 44.
Step 4 Log in to the Prime Infrastructure web GUI as a user with Administrator privileges.
Step 5 Upload the file to the Prime Infrastructure server.
a) Choose Administration > Licenses and Software Updates > Software Update.
b) Click Upload at the top of the page.
c) Use one of the following options to upload the UBF file.
1. Upload from local computer

43
Copy a File from a Client Machine to the Prime Infrastructure Server
• Click the Upload from local computer radio button in the Upload Update window.
• Click Browse, navigate to the file, and click OK. After the successful upload, the software will appear under
the Files tab.
2. Copy from server's local disk

• Click the Copy from server's local disk radio button in the Upload Update window.
• Click Select , select the UBF file from the Select file from local disk pop-up and click Select. After the
successful upload, the software will appear under the Files tab.
Step 6 Select the software update, click Install, and then click Yes in the confirmation pop-up window.
Note If the .ubf file is not signed or has been modified since it was downloaded from Cisco.com, Prime Infrastructure
will abort the installation. Contact your Cisco representative.
Prime Infrastructure will auto-restart and the web GUI will not be accessible for some time. (If it does not, restart it by
following the procedure in Stop and Restart Prime Infrastructure, on page 93.)
Step 7 When the web GUI is accessible, log in and check the version on the Software Update page.
b) Verify the information under the Updates tab.
What to do next
Instruct all users to clear their browser cache before opening the Prime Infrastructure web GUI.
Copy a File from a Client Machine to the Prime Infrastructure Server

Use the following SCP command to retrieve files from your client machine and copy them to the Prime
Infrastructure server's default local repository (/localdisk/defaultRepo). You should run this command as the
Linux CLI root user (see Log In and Out as the Linux CLI root User, on page 171).
scp clientUsername@clientIP:/fullpath-to-file /localdisk/defaultRepo
Where:
• clientUsername is your username on the client machine
• clientIP is the IP address of the client machine where the file resides
• fullpath-to-file is the full pathname of the file on the client machine
For example:
scp jsmith@123.456.789.101:/temp/myfile.tar.gz /localdisk/defaultRepo
Before you begin

Make sure SCP is enabled on your client machine, and the required ports are open (see the Cisco Prime
Infrastructure Quick Start Guide).

44
CHAPTER 3
Backup and Restore
• Backup and Restore Concepts, on page 45
• Set Up and Manage Repositories, on page 50
• Set Up Automatic Application Backups, on page 55
• Perform a Manual Backup, on page 57
• Restore Prime Infrastructure Data, on page 59
• How to Manage Disk Space Issues During Backup and Restore, on page 61
• Backup and Restore with Operations Center, on page 63
Backup and Restore Concepts

• Backup Types: Application and Appliance, on page 45
• Backup Scheduling, on page 46
• Backup Repositories, on page 47
• Backup Filenames, on page 47
• Backup Validation Process, on page 48
• Information That Is Backed Up, on page 48
• Information That Is Not Backed Up, on page 50
Backup Types: Application and Appliance

Prime Infrastructure supports two types of backups:
• Application backups—Contain Prime Infrastructure application data but do not include platform data
(host-specific settings, such as the server hostname and IP address). Application backup should be used
during Prime Infrastructure upgrade, when you want to move only application data and not the
platform/host specific configurations.
• Appliance backups—Contain all application data and platform data (host-specific settings, including the
hostname, IP address, subnet mask, default gateway, and so on). Appliance backup should be used for
disaster recovery (or to recover from platform hardware or software failures). For example, to recover
from any disk or filesystem failure, the standard recovery process would be to reinstall Prime Infrastructure
and then restore from the appliance backup in order to restore all data as well as platform-specific
configurations. You would then need to manually reconstruct the HA configurations as they are not
included in the appliance backup.

45
Backup and Restore
Backup Scheduling
Note For details on what is considered application data and what is considered platform data, see Information That
Is Backed Up, on page 48.
Note the following about application and appliance backups.

• Application and appliance backups can be restored to the same or a new host, as long as the new host
has the same hardware and software configuration as the host from which the backup was taken.
• You can only restore an appliance backup to a host running the same version of the Prime Infrastructure
server software as the server from which the backup was taken.
• When upgrading to a later version of Prime Infrastructure, application backup and restore can run across
different releases, as long as the upgrade path is supported.
• You cannot restore an application backup using the appliance restore command, nor can you restore an
appliance backup using the application restore command.
We recommend the following best practices:

• If you are evaluating Prime Infrastructure, use the default automatic application backup to the local
repository.
• If you are running Prime Infrastructure in a production environment as a virtual appliance, take regular
application backups to a remote backup server. You can use the application backups to restore your server
for all failures except complete failure of the server hardware.
Backup Scheduling
Prime Infrastructure performs automatic scheduled application backups. This feature is enabled by default
and creates one application backup file every day in the default local backup repository.
You can change this schedule as needed. You can also take an automatic application backup at any time from
the web GUI. Appliance backups can only be taken from the command line.
Automatic application backups can create storage space problems if the backup repository is local to the Prime
Infrastructure server. While this is usually acceptable in test implementations, it is not intended to substitute
for routine scheduled backups to remote servers in a production environment.
We recommend the following for production environments:
• Set up remote repositories to store the backup files.
• Use the automatic schedule application backup to create backups on the remote repositories on a regular
schedule.
Even if you are using scheduled backups, you can still use the command line to create application or appliance
backups at any time.
Note By default, two minutes are added to the job execution time for job creation.

46
Backup and Restore
Backup Repositories
Backup Repositories
By default, automatic application backup feature stores backup files in the local backup repository
/localdisk/defaultRepo. You can use the web GUI to create a new local backup repository and then choose
it when you set up automatic application backups. You can also specify a remote repository but you must
create the repository first as described in Set Up and Manage Repositories, on page 50.
When taking application or appliance backups using the command line, you must specify the local or remote
repository you want the backup to be stored in. In a production environment, this is normally a remote repository
that is accessed via NFS, SFTP, or FTP. We recommend you use NFS because it is typically much faster and
more reliable than other protocols.
There is no difference between performing an application backup from the command line or performing it
from the web GUI. Both actions create the same backup file.
Whenever you use NFS to take backups or restore data from a remote backup, make sure the mounted NFS
server remains active throughout the backup or restore operation. If the NFS server shuts down at any point
in the process, the backup or restore operation will hang without warning or an error message.
Backup Filenames
Application backups launched from the web GUI—either automatically or manually—are assigned a
filename with the following format:
host-yymmdd-hhmm_VERver_BKSZsize_CPUcpus_MEMtarget_RAMram_SWAPswap_APP_CKchecksum.tar.gpg
Application backups launched from the CLI use the same format, except that the file starts with the
user-specified filename rather than the server name.
filename-yymmdd-hhmm_VERver_BKSZsize_CPUcpus_MEMtarget_RAMram_SWAPswap_APP_CKchecksum.tar.gpg
Appliance backups launched from the CLI have files that also start with the user-specified filename, but
the type is indicated as SYS, not APP.
filename-yymmdd-hhmm_VERver_BKSZsize_CPUcpus_MEMtarget_RAMram_SWAPswap_SYS_CKchecksum.tar.gpg
The following table describes the variables used by the backup files.
Variable Description
host Host name of the server from which the backup was taken (for application backups
launched from web GUI).
filename Filename specified by user in command line (for application backups launched from CLI,
and for appliance backups)
yymmdd-hhmm Date and time the backup was taken
ver Internal version.
size Total size of the backup
cpus Total number of CPUs in the server from which the backup was taken
target Total amount of system memory in the server from which the backup was taken
ram Total amount of RAM in the server from which the backup was taken

47
Backup and Restore
Backup Validation Process
swap Total size of the swap disk on the server from which the backup was taken
checksum Backup file checksum
Backup Validation Process

Prime Infrastructure performs the following steps to validate the backup files:
1. Before starting the backup process, validates disk size, fast-recovery area, and control files.
2. Validates the created backup database to ensure that it can be restored.
3. Validates the zipped application data against the files that were backed up.
4. Validates the TAR file to make sure it is correct and complete.
5. Validates the GPG file to ensure that it is correct.
If you manually transfer the backup file, or if you want to verify that the backup file transfer is completed,
view the file's md5CheckSum and file size.
Another best practice for validating a backup is to restore it to a standalone "test" installation of Prime
Infrastructure.
Information That Is Backed Up

The following table describes the information that is contained in backup files. This information is restored
to the server from backups.
See Information That Is Not Backed Up, on page 50 for details about data that is not saved by the backup
mechanism.
Note The /opt/CSCOlumos/conf/Migration.xml file contains all configuration files and reports that are backed up.
This file is included in the backup and is restored.
Data Feature Information Saved and Restored

Type

48
Backup and Restore
Information That Is Backed Up
Application Background job settings Data in the database

Data
Configuration archive Data in the database
(device configuration
files)
Configuration templates • Files in /opt/CSCOlumos:

• /conf/ootb
• /xmp_inventory/dar/customized-feature-parts/CONFIGURATION
• Data in the database
Credentials Data in the database
Device inventory data Data in the database
Licenses Files in /opt/CSCOlumos/licenses
Maps • Files in /opt/CSCOlumos/domainmaps

Reports • Files in /localdisk/ftp:

• /reports
• /reportsOnDemand
Managed device Data in the database

software image files
System settings Data in the database
User preferences • Files in /opt/CSCOlumos/conf/wap/datastore/webacs/xml/prefs

Prime Infrastructure Data in the database

users, groups, and roles
Virtual domains Data in the database

49
Backup and Restore
Information That Is Not Backed Up
Platform CLI settings All CLI information and settings are preserved. This includes the list of
Data backup repositories, the FTP user name, users created using the CLI,
AAA information specified via the CLI, and other CLI settings (such as
the terminal timeout).
Credentials Linux OS credentials file
Network settings Files in

/opt/CSCOlumos/conf/rfm/classes/com/cisco/packaging/PortResources.xml
Linux user preferences Linux data structure
Linux users, groups, Linux data structure

and roles
Information That Is Not Backed Up

Before performing a backup, make sure that you manually note the following information because it is not
saved as part of the backup process. You will need to reconfigure these settings after the data has been restored.
• High availability configurations
• Local customization (for example, report heap size)
Patch history information is also not saved.

For a list of information that is backed up, see Information That Is Backed Up, on page 48.
Set Up and Manage Repositories

Prime Infrastructure supports the following repository types:
• Local repositories
• Remote repositories—NFS, FTP, SFTP
See the following topics for information on how to set up and manage these different types of repositories.
Create a Local Backup Repository

Prime Infrastructure stores automatic backup files in the default local backup repository /localdisk/defaultRepo.
You can create a different local backup repository and use it if you prefer.
Step 1 Choose Administration > Dashboards > Job Dashboard.

Step 2 Choose System Jobs > Infrastructure.
Step 3 In the Jobs list, check the Server Backup check box.
Step 4 Click Edit (the pencil icon) to open the Edit Job Properties dialog box.
Step 5 Create the new local repository using the Edit Job properties dialog box.

50
Backup and Restore
Use a Remote Backup Repository
a. Click Create. The Create Backup Repository dialog box opens.

b. Enter the name of the local repository you want to create.
c. Enter the password if you want to make the backup password secured.
Note Make sure you remember the password to restore the backup.
d. If it is an FTP repository, check the FTP check box and enter the location and credentials.
e. Click Submit. The new repository is added to the Backup Repository drop-down list in the Edit Job Properties dialog
box.
Step 6 Click Save.

Step 7 If you want to use the repository for future automatic application backups, specify it as described in Specify the Backup
Repository for Automatic Backups, on page 56.
Use a Remote Backup Repository

In production environments, we recommend that you use remote repositories for backups so that your network
management data is protected from hardware and site failures. In most cases, this means you will need to:
1. Create one or more remote repositories to hold Prime Infrastructure backup files. You will need to set
these up yourself if your organization does not already have remote backup servers.
2. Specify the remote repository as the destination for automatic application backups.
3. If needed, specify the interval between automatic application backups and time of day to take them. You
will need to monitor and manually archive automatic application backups stored on remote repositories
(because the Max backups to keep setting does not apply to remote repositories).
4. Specify the remote repository as the backup destination when taking an application or appliance backup
using the CLI backup commands.
As with any resource that you plan to access remotely, specifying the correct server IP address and login
credentials during setup are a requirement for successful use of remote backup repositories with Prime
Infrastructure.
Use Remote NFS Backup Repositories

These topics explain how to use remote NFS backup repositories.
Before You Set Up the NFS Backup Configuration

• You know the IP address of the NFS server on which you want to stage and store backups. The staging
and storage folders can be on the same NFS server, or on separate NFS servers. If you plan to stage and
store on separate NFS servers, you will need IP addresses for both servers.
• You know the path names of the staging and storage folders on the NFS server. If you choose to stage
and store on the same NFS server, the staging and storage folders must have different names.
You can create backup repositories on a remote NFS server and configure the Prime Infrastructure server to
use them. The NFS server hosting your backups can be set up anywhere in your network, as long as the server:

51
Backup and Restore
Before You Set Up the NFS Backup Configuration
For the NFS server details to appear in the Backup Repository drop down list in UI, you should configure the
NFS server using CLI. You can configure the NFS server only using CLI.
SUMMARY STEPS
1. Open a CLI session with the Prime Infrastructure server. (see How to Connect Via CLI, on page 125).
2. Enter configuration mode:
3. Configure a symbolic link to the remote NFS server:
4. Verify creation of the symbolic link:
5. When taking backups at the command line, specify the new repository as the repository name in the backup
command. For example:
DETAILED STEPS
Step 1 Open a CLI session with the Prime Infrastructure server. (see How to Connect Via CLI, on page 125).
Step 2 Enter configuration mode:
PIServer/admin# configure terminal
Step 3 Configure a symbolic link to the remote NFS server:

pi-system-116/admin# conf t
pi-system-116/admin(config)# backup-staging-url nfs:// RemoteServerIP:/mnt/stagingfolder
pi-system-116/admin(config)# repository repositoryName
pi-system-116/admin(config-Repository)# url nfs:// RemoteServerIP:/mnt/sharefolder
pi-system-116/admin(config-Repository)# user userName password plain userPassword
pi-system-116/admin(config-Repository)# end
• RepositoryName is the name of the repository (for example: MyRepo or PrimeInfrastructure).
• RemoteServerIP is the IP address of the NFS server hosting the staging backup and shared backup folder. Note that
the example above specifies an absolute path to the shared folder.
To specify a relative path to the shared folder, use only one slash in the URL. For example:
nfs://RemoteServerIP/sharedfolder
• Stagingfolder is the name of the staging backup folder on the NFS server, where the initial data will be transferred
temporarily to tar the file later.
• Sharedfolder is the name of the shared backup folder on the NFS server, where the backups will be stored
• UserName is the name of a user with write privileges to the repository on the NFS server.
• UserPassword is the corresponding password for that user.
Step 4 Verify creation of the symbolic link:

PIServer/admin# show repository repositoryName
Step 5 When taking backups at the command line, specify the new repository as the repository name in the backup command.
For example:

52
Backup and Restore
How to Use Remote SFTP Backup Repositories
PIServer/admin# backup MyBackupFileName repository MyRepo application NCS
If you want to perform backups automatically, select the repository name you created as the repository name in the Prime
Infrastructure web interface.
How to Use Remote SFTP Backup Repositories

You can create backup repositories on a remote SFTP server and configure the Prime Infrastructure server to
use them.
The SFTP server hosting your backups can be set up anywhere in your network, as long as the server:
• Has an IP address accessible from the Prime Infrastructure server.
• Has a user with write access to the SFTP server disk.
• Has a local shared folder where the backups will be stored.
Other than these requirements, no other configuration is needed on the SFTP backup server.
We recommend using remote NFS repositories.
For the SFTP server details to appear in the Backup Repository drop down list in UI, you should configure
the SFTP server using CLI. You can configure the SFTP server only using CLI.
Step 1 Open a CLI session with the Prime Infrastructure server (see How to Connect Via CLI, on page 125).
Step 3 Configure a symbolic link to the remote SFTP server:

PIServer/admin(config)# repository repositoryName
PIServer/admin(config-Repository)# url sftp://RemoteServerIP//sharedfolder
PIServer/admin(config-Repository)# user userName password plain userPassword
PIServer/admin(config-Repository)# exit
PIServer/admin(config)# exit
Where:
• repositoryName is the name of the repository (for example: MyRepo or PrimeInfrastructure).
• RemoteServerIP is the IP address of the SFTP server hosting the shared backup folder. Note that the example above
specifies an absolute path to the shared folder. To specify a relative path to the shared folder, use only one slash in
the URL. For example: url sftp://RemoteServerIP//sharedfolder
• sharedfolder is the name of the shared backup folder on the SFTP server.
• userName is the name of a user with write privileges to the repository on the SFTP server.
• userPassword is the corresponding password for that user.

53
Backup and Restore
How to Use Remote FTP Backup Repositories

PIServer/admin# s how repository repositoryName
Step 5 When taking backups at the command line, specify the new repository as the repository name in the backup command.
For example:
Related Topics
Use Remote NFS Backup Repositories, on page 51
Perform an Immediate Application Backup Using the CLI, on page 58
Perform an Immediate Appliance Backup Using the CLI, on page 57
Specify the Backup Repository for Automatic Backups, on page 56
How to Use Remote FTP Backup Repositories

You can create backup repositories on a remote FTP server and configure the Prime Infrastructure server to
use them.
The SFTP server hosting your backups can be set up anywhere in your network, as long as the FTP server:
• Has an IP address accessible from the Prime Infrastructure server.
• Has a user (FTP user) with write access to the FTP server disk.
• Has a local subdirectory that matches the repository name you specify on the Prime Infrastructure server.
• Has a password of 15 characters or less.
Other than these requirements, no other configuration is needed on the FTP backup server.
We recommend using remote NFS repositories.
Step 3 Configure a symbolic link to the remote FTP server:

PIServer/admin(config)# repository repositoryName
PIServer/admin(config-Repository)# url ftp://RemoteServerIP/sharedfolder
PIServer/admin(config-Repository)# user userName password plain userPassword
PIServer/admin(config-Repository)# exit
PIServer/admin(config)# exit
Where:

54
Backup and Restore
Delete a Local Backup Repository
• repositoryName is the name of the repository (for example: MyRepo or PrimeInfrastructure).

• RemoteServerIP is the IP address of the FTP server hosting the shared backup folder.
• sharedfolder is the name of the shared backup folder on the FTP server.
• userName is the name of a user with write privileges to the repository on the FTP server.
• userPassword is the corresponding password for that user. This password must be 15 characters or less.

PIServer/admin# s how repository repositoryName
Step 5 When taking backups at the command line, specify the new FTP repository as the repository name in the backup command.
For example:
Related Topics
Use Remote NFS Backup Repositories, on page 51
Specify the Backup Repository for Automatic Backups, on page 56
Delete a Local Backup Repository

Use the following procedure to delete a local backup repository. This procedure ensures that the admin interface
has the updated information.
Step 1 Log into the server as a Prime Infrastructure CLI admin user (see Establish an SSH Session With the Prime Infrastructure
Server, on page 89).
Step 2 List the local application backup repositories and identify the one that you want to delete:
show running-config | begin repository
Step 3 Enter configuration mode and delete the repository:

configure terminal
(config)# no repository repositoryName
Step 4 Repeat step 2 to verify that the repository was deleted.
Set Up Automatic Application Backups

Automatic application backups are enabled by default after installation. You can customize the schedule,
specify a different backup repository, or adjust the number of backups that are saved.

55
Backup and Restore
Schedule Automatic Application Backups
To check what data is saved by the backup mechanism (and verify whether you need to manually save any
data that is not backed up), see these topics:
Schedule Automatic Application Backups

Automatic application backups are enabled by default but you can adjust the day and interval at which these
backups are performed. Performing a backup is resource-intensive and affects Prime Infrastructure server
performance. Avoid scheduling automatic backups to occur at peak traffic times.
If an automatic application backup fails, Prime Infrastructure generates a Backup Failure alarm (with major
severity). You can view these alarms just as you do other alarms .
Note After an automatic application backup fails, a pop-up message is displayed before every subsequent login
attempt. This message will continue to appear until you acknowledge the corresponding alarm.

Step 3 In the Jobs list, check the Server Backup check box, then click Edit Schedule. The Schedule dialog box opens.
Step 4 In the Schedule dialog box, select a start date, recurrence interval, and optional end time.
Step 5 Click Submit. These settings will now be used for future automatic application backups.
Specify the Backup Repository for Automatic Backups

You can use the Prime Infrastructure interface to specify a different backup repository for automatic application
backups. The backup repository can be local or remote. You can also use the interface to create a new local
backup repository if it does not already exist.
Before you begin

If you want to use a remote repository for automatic backups, you must create the repository first. Only local
repositories can be created using this procedure. See Set Up and Manage Repositories, on page 50.

Step 3 In the list of jobs, check the Server Backup check box.
Step 4 Click Edit (the pencil icon). The Edit Job Properties dialog box opens.
Step 5 Select a repository from the Backup Repository drop-down list, then click Save. Prime Infrastructure will use the new
repository when it performs the next automatic application backup.

56
Backup and Restore
Change the Number of Automatic Application Backups That Are Saved
Change the Number of Automatic Application Backups That Are Saved

Follow this procedure to adjust the number of automatic application backups that are saved on a local repository.
When a backup exceeds the number you specify here, Prime Infrastructure deletes the oldest backup from the
repository.
The Max UI backups to keep setting does not apply if you are using remote repositories for automatic
application backups. You must monitor and archive or delete old backups on remote repositories using your
own methods.

Step 3 In the Jobs list, check the Server Backup check box.
Step 4 Click Edit (the pencil icon) to open the Edit Job Properties dialog box.
Step 5 Enter a value in the Max UI backups to keep field, then click Save. Prime Infrastructure will enforce this setting at the
next backup.
Perform a Manual Backup

The topics in this section explain how to perform manual application or appliance backups.
To check what data is saved by the backup mechanism (and verify whether you need to manually save any
data that is not backed up), see these topics:
Perform an Immediate Appliance Backup Using the CLI
Step 2 Display the list of appliance backups:
PIServer/(admin)#show repository repositoryName
where repositoryName is the repository on which you want to store the appliance backup.
Step 3 Back up the appliance:

PIServer/(admin)#backup filename repository repositoryName
where filename is the name that you want to give the appliance backup file (for example, myBackup).The character length
of the file name is 26. Other information is appended to the filename automatically, as explained in Backup Filenames,
on page 47

57
Backup and Restore
Perform an Immediate Application Backup Using the Web GUI
Perform an Immediate Application Backup Using the Web GUI

Use this procedure to trigger an immediate application backup using the web GUI.

Step 3 In the Jobs list, check the Server Backup check box, then click Run.
Step 4 To view the backup status, scroll to the top of the table to locate the new job, then check its status and results.
Perform an Immediate Application Backup Using the CLI

Use this procedure to trigger an immediate application backup using the CLI.
Step 2 Display the list of backups, where repositoryName is the backup repository:
show repository repositoryName
Step 3 Start the remote backup.

backup filename repository repositoryName application NCS
You will be prompted to enter the password. Enter the password if you want to secure the backup with password, else
press Enter. You have to remember the password to restore the backup.
where, filename is the name that you want to give the application backup file (for example, myBackup). The character
length of the file name is 26. Other information is appended to the filename automatically, as explained in Backup
Filenames, on page 47.
Perform a Manual Appliance Backup

Use this procedure to perform an appliance backup to a remote repository.
Step 1 Make sure the remote host is available.

Step 2 Log into the Prime Infrastructure server as admin (see Establish an SSH Session With the Prime Infrastructure Server,
on page 89).
Step 3 Start the remote backup:
(admin)# backup filename repository repositoryName
Step 4 To verify that the backup transfer is complete, view the md5CheckSum and file size.

58
Backup and Restore
Restore Prime Infrastructure Data
Restore Prime Infrastructure Data

All restore operations are performed using the CLI. Data can be restored to the host where the backup is
executed (local host), or to a remote host. Backups can only be restored in their entirety; you cannot restore
only parts of a backup.
For more information, see the following topics.
• Restore an Application Backup, on page 59
• Restore an Appliance Backup, on page 60
Note If you trigger the restore process from clients such as putty or SSH, the server may not be up even after the
restoration is complete—if there was any network issue/failure during the restoration process. To avoid the
network issue/failure, it is recommended to perform restore for:
• Gen-2 Appliance—from KVM Console
• ESXi virtual machine—from VM Console
• Hyper-V Virtual Machine—from Hyper-V Virtual Machine Connection Console
Restore an Application Backup
Note To restore an appliance backup, use the procedure in Restore an Appliance Backup, on page 60.
When you restore an Application backup, make sure it is being restored to a machine having equal or higher
hardware configuration as that of backup machine, else the restore will fail.
Before you begin

If you are using high availability, read the guidelines in Remove HA During Restore, on page 329 before
restoring your data.
Step 2 If a previous restoration attempt failed, the database may have been corrupted. Run this command to recreate the database:
ncs run reset db
Step 3 List the saved application backups and identify the one that you want to restore. repositoryName is the repository that
contains the backup files.
Step 4 From the vmWare vSphere client (OVA) or the Cisco IMC server (Bare Metal), restore the data:

59
Backup and Restore
Restore an Appliance Backup
restore backupFileName repository repositoryName application NCS
Note You will be prompted to enter the password. Enter the password if backup is password protected, else press
enter.
Step 5 If you are using Cisco Smart Licensing, re-register Prime Infrastructure with the Cisco Smart Software Manager (CSSM)
on Cisco.com. See Register Prime Infrastructure with the Cisco Smart Software Manager, on page 35.
Restore an Appliance Backup
Note To restore an application backup, use the procedure in Restore an Application Backup, on page 59.
When you restore an appliance backup, we recommend that you change:

• The restored server’s IP address, if the restored host is on the same subnet as the old host, and the old
host is still active.
• The restored server's IP address, subnet mask, and default gateway if the restored host is on a different
subnet from the old host.
Before you begin

If you are using high availability, read the information in Remove HA During Restore, on page 329 before
restoring your data.
Step 2 If a previous restoration attempt failed, the database may have been corrupted. With the backup stored in an external
repository, reinstall the setup using the same release and then retry the restore.
Step 3 List the saved appliance backups and identify the one that you want to restore. repositoryName is the repository that
contains the backup files.
Step 4 From the vmWare vSphere client (OVA) or the Cisco IMC server (Bare Metal), restore the data:
restore backupFileName repository repositoryName
Step 5 Determine whether you should change the IP address, subnet mask, and default gateway.
a) Check if your installation meets the following criteria:
• The restored host is on the same subnet as the old host, and the old host is still active.
• The restored host is on a different subnet from the old host.
If it does, perform the next step.
b) Change the IP address, subnet mask, default gateway and (optionally) the host name on the restored server.
c) Write the changes to the server’s running configuration and restart Prime Infrastructure services. For example:

60
Backup and Restore
Recover from Failed Restores
configure terminal
(config)# int GigabitEthernet 0
(config-GigabitEthernet)# ip address IPAddress subnetMask
(config-GigabitEthernet)# exit
(config)# ip default-gateway gatewayIP
(config)# hostname hostname
(config)# exit
(admin)# write mem
(admin)# ncs stop
(admin)# ncs start
(admin)# exit
Step 6 If you are using Cisco Smart Licensing, re-register Prime Infrastructure with the Cisco Smart Software Manager (CSSM)
on Cisco.com. See Register Prime Infrastructure with the Cisco Smart Software Manager, on page 35.
Recover from Failed Restores

You may sometimes find that a restore does not complete, or reports a failure. Whenever a restore fails, you
run the risk of database corruption, which can prevent the further restoration or re-installation. Perform the
following steps to restore a corrupted database before attempting another restore or re-installation.
Step 1 Open a CLI session with the Prime Infrastructure server (see Establish an SSH Session With the Prime Infrastructure
Step 2 Enter the following command to reset the corrupted database:
ncs run reset db
How to Manage Disk Space Issues During Backup and Restore

If you are experiencing issues with disk space during a backup or restore, we suggest that you either:
• Use the VMware Edit Settings feature to increase the amount of disk space allocated to the virtual
machine (see Modify VM Resource Allocation Using VMware vSphere Client).
If you are using VMware ESXi 5.5 or later, use the vSphereWeb Client to adjust this setting (see Configuring
Virtual Machine Hardware in the vSphere Web Client).
• Use the method explained in Migrate to Another Virtual Appliance Using Backup and Restore, on page
62 (or Migrate to Another Physical Appliance Using Backup and Restore, on page 62) to move your
installation to a server with adequate disk space.
If you are unable to create a backup after a restore of your existing system, follow the steps explained in
Compact the Prime Infrastructure Database to free disk space and create a successful backup.
If you are still unable to create a backup after using the ncs cleanup command, set up and use a remote
repository (using FTP, SFTP, or NFS) for your backups, as explained in Use a Remote Backup Repository.
Related Topics
Modify VM Resource Allocation Using VMware vSphere Client, on page 115
Migrate to Another Physical Appliance Using Backup and Restore, on page 62

61
Backup and Restore
Migrate to Another Virtual Appliance Using Backup and Restore
Migrate to Another Virtual Appliance Using Backup and Restore, on page 62

Compact the Prime Infrastructure Database, on page 116
Use a Remote Backup Repository, on page 51
How to Manage Disk Space Issues, on page 143
Migrate to Another Virtual Appliance Using Backup and Restore

You will need to migrate your Prime Infrastructure data from an existing virtual appliance (OVA server
installation) to a new one whenever you want to:
• Replace the old server entirely, such as after a catastrophic hardware failure. In this case, you can use
your old installation media to re-create the new host on a replacement server, then migrate your application
data from the old host to the new host.
• Migrate to a larger or more powerful server, so you can use Prime Infrastructure to manage more of your
network. In this case, you will want to ensure that you have the OVA installation file and install it on
the new server using the larger installation option before retiring the older, smaller one. You can then
migrate your application data from the old host.
In both cases, it is relatively easy to migrate your old data to the new virtual appliance by restoring to the new
host an appliance or application backup taken from the old host.
Step 1 If you have not already done so, set up a remote backup repository for the old host, as explained in Use a Remote Backup
Repository, on page 51.
Step 2 Perform an application backup of the old host and save it to the remote repository (see Perform an Immediate Application
Backup Using the CLI, on page 58).
Step 3 Install the new host (See Cisco Prime Infrastructure Quick Start Guide).
Step 4 Configure the new host to use the same remote backup repository as the old host (see Use a Remote Backup Repository,
on page 51).
Step 5 Restore the application backup on the remote repository to the new host (see Restore an Application Backup, on page
59).
Migrate to Another Physical Appliance Using Backup and Restore

You will need to migrate your Prime Infrastructure data from an existing physical appliance to a new one
whenever you want to:
• Replace the old appliance entirely, such as after a catastrophic hardware failure. In this case, you can
order a replacement appliance, then migrate your data from the old appliance to the new appliance.
• Migrate to a newly installed appliance.
In both cases, it is relatively easy to migrate your old data to the new appliance by restoring to the new appliance
an appliance or application backup from the old host.
Step 1 If the old appliance is still functional:

a) If you have not already done so, set up a remote backup repository for the old appliance (see “Use a Remote Backup
Repositories” in Related Topics).

62
Backup and Restore
Backup and Restore with Operations Center
b) Take an appliance or application backup of the old appliance on the remote repository (see “Take Appliance Backups”
or “Take Application Backups”, as appropriate).
Step 2 Configure the new appliance to use the same remote backup repository as the old appliance (see “Use a Remote Backup
Repositories”).
Step 3 Restore the appliance or application backup on the remote repository to the new appliance (see “Restore From Appliance
Backups” or “Restore From Application Backups”, as appropriate). Be sure to follow the procedure appropriate for the
type of backup you are restoring. For example: If you took an application backup from the old appliance, you must restore
it using the procedure for restoring application backups, not appliance backups.
Related Topics
Restore an Appliance Backup, on page 60
Restore an Application Backup, on page 59

Prime Infrastructure instances running Operations Center and Operations center Server can support restores
of application backups taken using the CLI from versions 3.7.X, 3.8.x.
You cannot schedule automatic application backups from the Prime Infrastructure instance running Operations
Center.
For more details, see Use a Remote Backup Repository and Restore an Application Backup.

63
Backup and Restore

64
CHAPTER 4
Configure the Prime Infrastructure Server
• View the Prime Infrastructure Server Configuration, on page 65
• Available System Settings, on page 66
• Secure the Connectivity of the Prime Infrastructure Server, on page 81
• MIB to Prime Infrastructure Alert/Event Mapping, on page 87
• Establish an SSH Session With the Prime Infrastructure Server, on page 89
• Set Up NTP on the Server, on page 90
• Set Up the Prime Infrastructure Proxy Server , on page 91
• Configure Server Port and Global Timeout Settings, on page 91
• Set Up the SMTP E-Mail Server, on page 92
• Enable FTP/TFTP/SFTP Service on the Server, on page 92
• Configure Stored Cisco.com Credentials, on page 93
• Create a Login Banner (Login Disclaimer), on page 93
• Stop and Restart Prime Infrastructure, on page 93
• Configure Global SNMP Settings for Communication with Network Elements, on page 94
• Enable Compliance Services, on page 99
• Configure ISE Servers, on page 99
• Configure Software Image Management Servers, on page 100
• Add Device Information to a User Defined Field, on page 100
• Manage OUIs, on page 101
• Work With Server Internal SNMP Traps That Indicate System Problems, on page 102
• Set Up Defaults for Cisco Support Requests, on page 104
• Configure Cisco Product Feedback Settings, on page 104
• Migrating Data from Prime Infrastructure to Cisco Digital Network Architecture Center, on page 105
View the Prime Infrastructure Server Configuration

Use this procedure to view Prime Infrastructure server configuration information such as the current server
time, kernel version, operating system, hardware information, and so forth.
Step 1 Choose Administration > Dashboards > System Monitoring Dashboard.

Step 2 Click the Overview tab.

65
Available System Settings
Step 3 Click System Information at the top left of the dashboard to expand the System Information field.
Related Topics
Overview Dashboard, on page 111
Performance Dashboard, on page 112
Admin Dashboard, on page 113

The Administration > Settings > System Settings menu contains options to configure or modify Cisco Prime
Infrastructure settings. You will want to customize many of these settings when you are first implementing
Prime Infrastructure, but once in production, modify them only rarely.
The following table lists the types of settings you can configure or modify from the Administration > Settings
> System Settings menu.
Table 5: Available Prime Infrastructure System Settings Options
To do this: Choose Administration > Settings > System Settings >... Applicable
to:
Modify the stored General > Account Credentials Prime

Cisco.com Infrastructure
credentials (user appliance
name and
password) used to
log on to
Cisco.com and:
• Check for
Cisco
software
image
updates
• Open or
review Cisco
support
cases
You can also

access this page
from a link on the
Administration
> Settings >
System Settings
> Software
Update page.

66
to:
Configure proxies General > Account Credentials > Proxy Not

for the Prime Applicable
See Set Up the Prime Infrastructure Proxy Server .
Infrastructure
server and its
local
authentication
server.
Configure the General > Account Credentials > Support Request Wired
settings for and
See Set Up Defaults for Cisco Support Requests.
creating a wireless
technical support devices
request.
Configure General > Account Credentials > Smart Licensing Transport Prime
transport gateway Infrastructure
See Set Up the Transport Mode Between Prime Infrastructure and Cisco Smart Software Manager.
mode to send appliance
information over
the internet via
Smart Call Home
Transport
Gateway, while
smart licensing is
enabled.
Set the retention General > Data Retention Wired

period for the and
See About Historical Data Retention, on page 146.
following data wireless
types: Trends, devices
Device Health,
Performance,
Network Audit,
System Health.

67
to:
Configure the General > Guest Account Wireless

guest account devices
See Configure Guest Account Settings, on page 201.
settings to only
globally remove
all the guest
accounts whose
lifetime has
ended. By default,
Prime
Infrastructure
Lobby
Ambassador can
access all guest
accounts
irrespective of
who created them.
If you select the
Search and List
only guest
accounts created
by this lobby
ambassador
check box, the
Lobby
Ambassadors can
access only the
guest accounts
that have been
created by them.
To help Cisco General > Help Us Improve Wired

improve its and
See Configure Cisco Product Feedback Settings, on page 104.
products, Prime wireless
Infrastructure devices
collects the
product feedback
data and sends it
to Cisco.
Enable job General > Job Approval Wired

approval to and
See Configure Job Approvers and Approve Jobs, on page 207.
specify the jobs wireless
which require devices
administrator
approval before
the job can run.

68
to:
Change the General > Login Disclaimer Prime

disclaimer text Infrastructure
See Create a Login Banner (Login Disclaimer), on page 93.
displayed on the appliance
login page for all
users.
Set the path where General > Report Wired

scheduled reports and
See Control Report Storage and Retention, on page 151.
are stored and wireless
how long reports devices
are retained.
• Enable or General > Server Prime

disable FTP, Infrastructure
See Configure Server Port and Global Timeout Settings, on page 91.
TFTP, and appliance
HTTP/HTTPS
server
proxies, and
specify the
ports they
communicate
over.
• See the NTP
server name
and local
time zone
currently
configured
for Prime
Infrastructure

69
to:
• Specify that General > Software Update Wired

you do not and
want wireless
credentials devices
stored on
cisco.com
when Prime
Infrastructure
checks
cisco.com
for Cisco
software
image
updates
• Select the
kinds of
Prime
Infrastructure
software
updates for
which you
want to
receive
notifications
(includes
Critical
Fixes, new
Device
Support, and
Prime
Add-On
products)
To migrate Mega Menu > Cisco DNA Center coexistence Prime

inventory, site Infrastructure
See Migrating Data from Prime Infrastructure to Cisco Digital Network Architecture Center, on page
groups,user to Cisco
105
defined CLI DNA
and/or composite Center
templates, migration.
associated site
maps and cmx
data from Prime
Infrastructure to
Cisco DNA
Center.

70
to:
Enable Change Mail and Notification > Change Audit Notification Wired
Audit JMS and
See Enable Change Audit Notifications and Configure Syslog Receivers, on page 254.
Notification by wireless
selecting the devices
Enable Change
Audit JMS
Notification
check box.
To send job Mail and Notification > Job Notification Mail Wired
notification mail and
See Configure Job Notification Mail for User Jobs
for every user job wireless
devices
Enable email Mail and Notification > Mail Server Configuration Prime
distribution of Infrastructure
See Configure Email Server Settings , on page 391.
reports and alarm appliance
notifications.
• Set the Network and Device > CLI Session Wireless

protocol to devices
See .
be used for only
controller
and
autonomous
AP CLI
sessions.
• Enable
autonomous
AP
migration
analysis on
discovery.
Enable auto Network and Device > Controller Upgrade Wireless

refresh after a devices
See Refresh Controllers After an Upgrade, on page 271.
wireless controller only
upgrade, and
process the save
configuration
trap.
Enable Unified Network and Device > Unified AP Ping Reachability Wireless
AP ping devices
capability setting only
on the Cisco
Prime
Infrastructure.

71
to:
Modify the Network and Device > Plug & Play Wired
settings for Plug devices
and Play. only
Set global SNMP Network and Device > SNMP Wireless

polling devices
See Configure Global SNMP Settings, on page 94.
parameters, only
including trace
display values,
reachability
parameters and
the backoff
algorithm.
If you select
Exponential for
the Backoff
Algorithm, each
SNMP try waits
twice as long as
the previous try,
starting with the
specified timeout
for the first try. If
you choose
Constant
Timeout, each
SNMP try waits
the same,
specified amount
of time. If you
select to use
reachability
parameters, the
Prime
Infrastructure
defaults to the
global
Reachability
Retries and
Timeout that you
configure. If
unchecked, Prime
Infrastructure
always uses the
timeout and
retries specified.

72
to:
Configure rogue Network and Device > Switch Port Trace (SPT) > Auto SPT Wireless
AP settings to devices
See Configure SNMP Credentials for Rogue AP Tracing, on page 275.
enable Prime only
Infrastructure to
automatically
track the switch
port to which the
rogue access point
is connected in
the network.
Set the SNMP Network and Device > Switch Port Trace (SPT) > Manual SPT Wireless
credentials and devices
See Configure SNMP Credentials for Rogue AP Tracing, on page 275.
trace parameters only
to be used in
tracing rogue AP
switch ports.
Set basic and Network and Device > Switch Port Trace (SPT) > SPT Configuration Wired
advanced switch devices
See Configure Switch Port Tracing, on page 272.
port trace only
parameters.
View, add, or Network and Device> Switch Port Trace (SPT) > Known Ethernet MAC Address Prime
delete the Infrastructure
Ethernet MAC appliance
address available
in Prime
Infrastructure. if
you add multiple
Ethernet MAC
addresses to this
list, then Auto
Switch Port
Tracing will not
scan these ports
for Rogue AP.

73
to:
Set basic control Inventory > Configuration Wired

parameters used and
See Archive Device Configurations Before Template Deployment, on page 152.
when deploying a wireless
device devices
configuration,
such as enabling
backup of the
running
configuration,
rollbacks,
retrieval of show
command output
from the cache,
and the number of
CLI thread pools
to use.
Set basic Inventory > Configuration Archive Wired

parameters for the and
See Specify When and How to Archive WLC Configurations, on page 152.
configuration wireless
archive, such as devices
protocol, number
of configuration
versions to store,
and so forth.
Specify IPv4 or Inventory > Discovery Wired

IPv6 address and
preferences wireless
devices
Determine Inventory > Grouping Wired

whether you want and
to display groups wireless
that do not have devices
members or
children
associated with
them.
Configure global Inventory > Software Image Management Wired

preference and
See the Cisco Prime Infrastructur User Guide for information about Software Image Management.
parameters for wireless
downloading, devices
distributing, and
recommending
software Images.

74
to:
Enable inventory Inventory > Inventory Wired

collection to and
See Specify Inventory Collection After Receiving Events, on page 151.
allow Prime wireless
Infrastructure to devices
collect inventory
when it receives a
syslog event for a
device.
Store additional Inventory > User Defined Fields Wired

information about devices
See Add Device Information to a User Defined Field, on page 100.
a device. only
• Change Alarms and Events > Alarms and Events Wired

which and
See Specify Alarm Clean Up, Display and Email Options, on page 242.
alarms, wireless
events, and devices
syslogs are
deleted, and
how often.
• Set the alarm
types for
which email
notifications
are sent, and
how often
they are sent.
• Set the alarm
types
displayed in
the Alarm
Summary
view.
• Change the
content of
alarm
notifications
sent by
email.
• Change how
the source of
any failure is
displayed.

75
to:
Configure remote Mail and Notification > Notification Destination Wired

event and alarm and
See Configure Alarms Notification Destination, on page 239.
receivers who will wireless
receive Alarms and Events > Alarm Notification Policies devices
notifications from
See Customize Alarm Notification Policies, on page 240.
Prime
Infrastructure.
Alerts and events
are sent as
SNMPv2
notifications to
configured
notification
destination. If you
are adding a
notification
destination with
the notification
type UDP, the
destination you
add should be
listening to UDP
on the same port
on which it is
configured. By
default, only
INFO level events
are processed for
the selected
category. Only
SNMPV2 traps
are considered for
northbound
notification.
Set the severity Alarms and Events > Alarm Severity and Auto Clear Wired
level of any and
See Change Alarm Severity Levels, on page 245.
generated alarm. wireless
devices
Configure SNMP Alarms and Events > System Event Configuration Prime
traps and events Infrastructure
See Internal SNMP Trap Generation, on page 377.
generated for the appliance
Prime
Infrastructure
hardware
appliance.

76
to:
Client and User > Client Wired

and
See Configure Client Performance Settings, on page 117.
wireless
devices

77
to:
• Enable
automatic
troubleshooting
of clients on
the
diagnostic
channel.
• Enable
lookup of
client
hostnames
from DNS
servers and
set how long
to cache
them.
• Set how long
to retain
disassociated
clients and
their session
data.
• Poll Wired
clients to
identify their
sessions only
when a trap
or syslog is
received.
Note This is not a

recommended
option to be
used in a
network with
large number
of wireless
clients.
• Enable
discover
clients from
enhanced
traps to
discover
client and
session

78
to:
information
from
enhanced
trap received
from the
compatible
Cisco
WLCs.
You must
configure the
WLCs to send the
traps using the
following CLI
commands:
• config
trapflags
client
enhanced-802.11-associate
• config
trapflags
client
enhanced-8021.1-deauthenticate
• config
trapflags
client
enhanced-802.11-stats
• config
trapflags
client
enhanced-authentication

79
to:
• Enable
discover
wired clients
on trunk
ports to
discover the
unmanaged
entity other
than switch
and router,
which is
connected to
trunk ports.
• Disable
saving of
client
association
and
disassociation
traps and
syslogs as
events.
• Enable
saving of
client
authentication
failure traps
as events,
and how
long
between
failure traps
to save them.
Add a vendor Client and User > User Defined OUI Wired
Organizationally and
See Add a New Vendor OUI Mapping.
Unique Identifier wireless
(OUI) mapping devices
XML file.
Upload an Client and User > Upload OUI Wired

updated vendor and
See Upload an Updated Vendor OUI Mapping File.
OUI mapping wireless
XML file. devices

80
Secure the Connectivity of the Prime Infrastructure Server
to:
Configure the Services > Service Container Management Wired

Cisco WAAS devices
See Cisco WAAS Central Manager Integration (user guide).
Central Manager only
IP address in
Cisco Prime
Infrastructure.
Secure the Connectivity of the Prime Infrastructure Server

For data security, Prime Infrastructure encrypts data in transit using standard public key cryptography methods
and public key infrastructure (PKI). You can obtain more information about these technologies from the
internet. Prime Infrastructure encrypts the data that is exchanged between the following connections:
• Between the web server and the web client
• Between a CLI client and the Prime Infrastructure CLI shell interface (handled by SSH)
• Between the Prime Infrastructure and systems such as AAA and external storage
To secure communication between the web server and web client, use the public key cryptography services
that are built in as part of the HTTPS mechanism. For that you need to generate a public key for the Prime
Infrastructure web server, store it on the server, and then share it with the web client. This can be done using
the standard PKI certificate mechanism which not only shares the web server public key with the web client,
but also guarantees that the public key belongs to the web server (URL) you are accessing. This prevents any
third party from posing as the web server and collecting sensitive information that the web client is sending
to the web server.
These topics provide additional steps you can take to secure the web server:
• Cisco recommends that the Prime Infrastructure web server authenticate web clients using certificate-based
authentication.
• To secure connectivity between a CLI client and the Prime Infrastructure CLI interface, refer to the
security hardening procedures in Best Practices: Server Security Hardening, on page 369.
• To secure connectivity between the Prime Infrastructure and systems such as AAA and external storage,
refer to the recommendations in Best Practices: Server Security Hardening, on page 369.
Set Up HTTPS Access to Prime Infrastructure

Prime Infrastructure supports secure HTTPS client access. HTTPS access requires that you apply a private
key and corresponding certificate files to the Prime Infrastructure server and that users update their client
browsers to trust these certificates.
To accomplish this, you can use certificate files that are either:
• Self-signed. You can generate and apply self-signed certificates as explained in the related topic “Generate
and Apply Self-Signed Certificates”.

81
Generate and Apply Self-Signed Certificates
• Digitally signed by a Certificate Authority (CA). CAs are organizations (like Cisco and VeriSign) that
validate identities and issue certificates. Certificates issued by a CA bind a public key to the name of the
entity (such as a server or device) identified in the certificate. You can obtain CA certificates from a
third-party CA and apply them to the Prime Infrastructure server as explained in related topic “Import
CA-Signed Host Certificates”.
Note A private key and self-signed certificate with default parameters is generated at the timeof installation.
Related Topics
Generate and Apply Self-Signed Certificates, on page 82
Import CA-Signed Host Certificates, on page 82
Import Private Key, on page 84
Export Private Key, on page 84
Generate and Apply Self-Signed Certificates

Use Prime Infrastructure to generate and apply self-signed certificates.
Step 1 Start a CLI session with Prime Infrastructure (see How to Connect Via CLI, on page 125). Do not enter “configure terminal”
mode.
Step 2 Enter the following command to generate a new RSA key and self-signed certificate with domain information:
PIServer/admin# ncs key genkey –newdn
You will be prompted for the Distinguished Name (DN) fields for the certificate. It is important to specify the fully
qualified domain name (FQDN) of the server as the domain name that will be used to access Prime Infrastructure.
Step 3 To make the certificate valid, restart Prime Infrastructure (see Restart Prime Infrastructure Using CLI, on page 127).
To avoid login complaints, instruct users to add the self-signed certificate to their browsers’ trust stores when they next
access the Prime Infrastructure login page.
Import CA-Signed Host Certificates

Use Prime Infrastructure to generate a Certificate Signing Request (CSR) file and send it to a Certificate
Authority (CA) for validation. The method you use to send the CSR file to the CA will vary with the CA.
Once you have generated and sent the CSR file for certification, do not use the genkey command again to
generate a new key on the same Prime Infrastructure server. If you do, importing the CA-signed certificates
will result in mismatches between keys in the file and the server.
Note that signed server certificates are host-specific. They are preserved in Prime Infrastructure backups, but
are restored only if the backup and restore servers have the same host name.
Note High Availability Virtual IP is designed to simplify the server management. signed server certificate
configuration does not work with the Prime Infrastructure HA Virtual IP deployment.

82
Import CA-Signed Host Certificates
Step 1 Enter the following command to generate a CSR file in the default backup repository:
PIServer/admin# ncs key genkey -newdn -csr <csrfilename> repository <repositoryname>
where -newdn— Generates a new RSA key and self-signed certificate with domain information.
-csr—Generates a new CSR certificate.
Csrfilename—CSR filename. It is an arbitrary name of your choice (for example: MyCertificate.csr ).
repositoryname— file location. The file name can contain up to 80 alphanumeric characters.
Example:
PIServer/admin# ncs key genkey -newdn -csr CSRFile.csr repository <repositoryname>
The NCS server is running. Changes will take effect on the next server restart
Enter the fully qualified domain name of the server: <FQDN>
Enter the name of your organizational unit: <organization>
Enter the name of your organization: <organization>
Enter the name of your city or locality: <city>
Enter the name of your state or province: <state>
Enter the two letter code for your country: <country code>
Specify subject alternate names.
If none specified, CN will be used.
Use comma seperated list - DNS:<name>,IP:<address>
DNS:<FQDN>,IP:<IPADDRESS>
Specify the public key algorithm [rsa/ec] : rsa
Specify the RSA key size [2048/4096/8192] : 4096
Specify the signature algorithm [sha256/sha512] : sha256
Key and CSR/Certificate will be generated with following details
Subject : /C=US/ST=CA/L=SJ/O=Cisco Systems/OU=Prime Infra/CN=DNS:<FQDN>
Subject Alternate Name : DNS:<FQDN>,IP:<IPADDRESS>
Public Key Alg : rsa, 4096
Signature Alg : sha256
Continue [yes] : yes
Generating...
Completed...Changes will take affect on the next server restart

83
Import Private Key
Note If you does not provide "Subject Alternate Name" - the CA certificate can be imported only in this machine.
If you provide "Subject Alternate Name" - You can import the CA certificate to be received from CA in any
of the servers having the specified FQDN. To import CA certificate in SAN sepcified servers, you need to
export private key from the server where you have generated the CSR and import the private key along with
the signed certificate in other specified servers.
In SAN List, you should add the current server's FQDN.
Step 2 Send the CSR file to a Certificate Authority (CA) of your choice.
The CA will respond by sending you an signed server certificate and one or more CA certificate files. The CA response
will indicate which of the files is:
• The signed server certificate. This is typically given a filename that reflects the host name of the server to which
you will apply it.
• The CA certificates , which are typically given filenames that reflect the name of the CA.
Combine all the certificates in to one single file by concatenating them. Host certificate should be the first one in
the file followed by the CA certificates in the same order as in the chain.
For example, in linux the following command can be used to combine files:
cat host.pem subca.pem rootca.pem > servercert.pem
Note Certificates should be in PEM format
Step 3 Enter the following command to import the Signed certificate file into the Prime Infrastructure server:
PIServer/admin# ncs key importsignedcert <certificate_name> repository <repositoryname>
Note You must re-import the CA-signed certificate, if the imported certiifcate is removed from the trust store when
you are upgrading from the beta version.
Step 4 To activate the CA-signed certificates, restart Prime Infrastructure (see “Restarting Prime Infrastructure”).
If the CA who signed the certificate is not already a trusted CA in your organization: Instruct users to add the CA-signed
certificate to their browsers’ trust stores when they next access the Prime Infrastructure login page.
For more information, see How to Connect Via CLI, on page 125 and Restart Prime Infrastructure Using CLI, on page
127.
Import Private Key

You can generate the private key and signed certificate externally. If you are generating them external,
following command can be used to import both key and certificate together.
ncs key importkey <private_key_filename> <certificate_filename> repository <repository_name>
Export Private Key

The following is the command to export private key,
ncs key exportkey <private_key_filename> <certificate_filename> repository <repository_name>

84
Set Up Certificate Validation
After executing the above command private key will be generated and placed in the file location pointed in
the repository.
Set Up Certificate Validation

During secure transactions like TLS/HTTPS connection, user authentication (when certificate based
authentication is enabled), Prime Infrastructure will receive certificates from external entities. Prime
Infrastructure needs to validate these certificate to ascertain the integrity of the certificate and the identity of
the certificate holder. Certificate validation features allows the user to control how the certificates received
from other entities are validated.
When the certificate validation is enforced, certificates received from other entities would be accepted by
Prime Infrastructure only if that certificate is signed by certificate authority (CA) trusted by Prime Infrastructure.
Trust store is where user can maintain the trusted CA certificates. If the signed certificate chain is not rooted
to one of the CA certificates in the trust store, validation will fail.
Managing Trust Store

User can manage the trusted CAs in the trust store. Prime Infrastructure provides different trust stores namely
– pubnet, system, devicemgmt and user.
• pubnet – Used while validating certificates received from remote hosts when connecting to servers in
public network.
• system – Used while validating certificates received from remote systems when connecting to systems
within network.
• devicemgmt – Used while validating certificates received from managed devices.
• user – Used to validate user certificates (When certificate based authentication is enabled).
CLIs to Manage Trust Store

The following is the CLI used to manage the trsut store.
• Importing a CA certificate to Trust Store, on page 85
• Viewing a CA Certificate in a Trust Store, on page 85
• Deleting a CA certificate from a trust store, on page 85
Importing a CA certificate to Trust Store

The following is the command to import CA certificate to a trust store:
• ncs certvalidation trusted-ca-store importcacert alias <ALIAS> repository <Repository-name>
<certificate-file> truststore {devicemgmt | pubnet | system | user}
Viewing a CA Certificate in a Trust Store

The following is the command to view CA certificate in a trust store:
• ncs certvalidation trusted-ca-store listcacerts truststore {devicemgmt | pubnet | system | user}
Deleting a CA certificate from a trust store

The following is the command to delete CA certificate to a trust store:

85
Configuring Certificate Validation
• ncs certvalidation trusted-ca-store deletecacert alias <ALIAS> truststore {devicemgmt | pubnet | system
| user}
Configuring Certificate Validation

User can configure the certificate validation for the following category:
• Enable certificate validation
• Disable certificate validation
• TOFU (Trust-on-first-use) - Trust stores are not used instead the certificate received from remote host
is trusted when the connection is made for the first time. If the remote host sends a different certificate
for any sub-sequent connection, connection will be rejected.
Enable certificate validation

The following is the command to enable to certificate validation:
• ncs certvalidation certificate-check trust-on-first-use trustzone {devicemgmt | pubnet | system | user}
View Certificate Validation List

The following is the command to view to certificate validation list:
• ncs certvalidation tofu-certs listcerts
Delete Certificate Validation

The following is the command to delete to certificate validation:
• ncs certvalidation tofu-certs deletecert host <host>
Auto Updating CA List

From time to time, Cisco releases a standard set of CA certificates recommended by Cisco. These trust stores
can be configured automatically to update the CA list with Cisco trusted CA bundle during software update.
The following is the command to configure auto update CA list:
• ncs certvalidation trusted-ca-store auto-ca-update enable truststore {devicemgmt | pubnet | system | user}
Accessing Certificate Validation Page

Certificate generation is now possible through the Certificate Validation Page available on the UI. This lets
you to generate, import or export CSR directly without using the admin CLI command.
To access the Certificate Validation page, navigate to:
The Administration > Settings > Certificate menu contains options to create, import and export certificates
in Cisco Prime Infrastructure.
Trusted CAs and Settings:

The imported certificates and the categories are listed here.
• System - Communication that happens between PI and other server in system level can be enabled here.

86
Pinned TOFU certificates
• Pubnet - Communication that happens between PI and other server in pubnet level can be enabled here.
• Device management – Device management communication between PI and another server can be enabled
here.
• User – User communication between PI and another server can be enabled here.
Certificate Validation: Details about the validation used when importing or exporting certificates can be
selected here.
Pinned TOFU certificates

Lists all the TOFU certificates of other servers which communicates with PI server.
Custom OCSP Responder
Provides the validation details such as the issued date and expiry dates.
MIB to Prime Infrastructure Alert/Event Mapping

The following table summarizes how the CISCO_WIRELESS_NOTIFICATION_MIB fields and OIDs map
to Prime Infrastructure alerts and events.
Table 6: CISCO_WIRELESS_NOTIFICATION_MIB to Prime Infrastructure Alert/Event Mapping
Field Name and Object ID Data Type Prime Infrastructure Event/Alert Description
field
cWNotificationTimestamp DateAndTime createTime - NmsAlert Creation time for alarm/event.

eventTime - NmsEvent
cWNotificationUpdatedTimestamp DateAndTime modTime - NmsAlert Modification time for Alarm.

Events do not have modification
time.
cWNotificationKey SnmpAdminString objectId - NmsEvent Unique alarm/event ID in string

form.
entityString- NmsAlert

87
MIB to Prime Infrastructure Alert/Event Mapping
field
cwNotificationCategory CWirelessNotificationCategory NA Category of the Events/Alarms.

Possible values are:
unknown
accessPoints
adhocRogue
clients
controllers
coverageHole
interference
contextAwareNotifications
meshLinks
mobilityService
performance
rogueAP
rrm
security
wcs
switch
ncs
cWNotificationSubCategory OCTET STRING Type field in alert and This object represents the
eventType in event. subcategory of the alert.
cWNotificationServerAddress InetAddress N/A Prime Infrastructure IP address.
cWNotificationManagedObjectAddressType InetAddressType N/A The type of Internet address by

which the managed object is
reachable. Possible values:
0—unknown
1—IPv4
2—IPv6
3—IPv4z
4—IPv6z
16—DNS
Always set to “1” because Prime
Infrastructure only supports IPv4
addresses.

88
Establish an SSH Session With the Prime Infrastructure Server
field
cWNotificationManagedObjectAddress InetAddress getNode() value is used if getNode is populated for events

present and some alerts. If it is not null,
then it is used for this field.
cWNotificationSourceDisplayName OCTET STRING sourceDisplayName field in This object represents the display
alert/event. name of the source of the
notification.
cWNotificationDescription OCTET STRING Text - NmsEvent Alarm description string.

Message - NmsAlert
cWNotificationSeverity INTEGER severity - NmsEvent, NmsAlert Severity of the alert/event:

cleared(1)
critical(3)
major(4)
minor(5)
warning(6)
info(7)
cWNotificationSpecialAttributes OCTET STRING All the attributes in This object represents the
alerts/events apart from the base specialized attributes in alerts
alert/event class. like APAssociated,
APDisassociated, RogueAPAlert,
CoverageHoleAlert, and so on.
The string is formatted in
property=value pairs in CSV
format.
cWNotificationVirtualDomains OCTET STRING N/A Virtual Domain of the object that

caused the alarm. This field is
empty for the current release.
Establish an SSH Session With the Prime Infrastructure Server

When you connect to the server, use SSH and log in as the admin user. (See User Interfaces, User Types, and
How To Transition Between Them, on page 167 for more information.)
Step 1 Start your SSH session and log in as the Prime Infrastructure admin user.
• From the command line, enter the following, where server-ip is the Prime Infrastructure:
ssh admin server-ip

89
Set Up NTP on the Server
• Open an SSH client and log in as admin.

Note Users can now create and customize new algorithms to connect to SSH or PuTTY.
Step 2 Enter the admin password. The prompt will change to the following:
(admin)
To view a list of the operations the admin user can perform, enter ? at the prompt.
To enter admin config mode, enter the following command (note the change in the prompt):
(admin) configure terminal
(config)
Set Up NTP on the Server

Network Time Protocol (NTP) must be properly synchronized on all devices in your network as well as on
the Prime Infrastructure server. Failure to manage NTP synchronizations across your network can result in
anomalous results in Prime Infrastructure. This includes all Prime Infrastructure-related servers: Any remote
FTP servers that you use for Prime Infrastructure backups, secondary Prime Infrastructure high-availability
servers, and so on.
You specify the default and secondary NTP servers during Prime Infrastructure server installation. You can
also use Prime Infrastructure’s ntp server command to add to or change the list of NTP servers after installation.
Note Prime Infrastructure cannot be configured as an NTP server; it acts as an NTP client only. Up to three NTP
servers are allowed.
Step 1 Log in to the Prime Infrastructure server as the admin user and enter config mode. See Establish an SSH Session With
the Prime Infrastructure Server, on page 89.
Step 2 Set up the NTP server using one of the following commands.
For an unauthenticated NTP server setup:
ntp server ntp-server-IP
For an authenticated NTP server setup:

ntp server ntp-server-IP ntp-key-id ntp-type password
Where:
• ntp-server-IP is the IP address or hostname of the server providing the clock synchronization to the Prime Infrastructure
server
• ntp-key-id is the md5 key ID md5 key of the authenticated NTP server
• ntp-type can be plain or hash

90
Set Up the Prime Infrastructure Proxy Server
• password is the corresponding plain-text md5 password for the NTPv4 server
Set Up the Prime Infrastructure Proxy Server

Use this procedure to configure proxies for the server and, if configured, its local authentication server. If you
use a proxy server as a security barrier between your network and the Internet, you need to configure the
proxy settings as shown in the following steps:
Step 1 Choose Administration > Settings > System Settings, then choose General > Account Settings.
Step 2 Click the Proxy tab.
Step 3 Select the Enable Proxy check box and enter the required information about the server that has connectivity to Cisco.com
and will act as the proxy.
Step 4 Select the Authentication Proxy check box and enter the proxy server’s user name and password.
Step 5 Click Test Connectivity to check the connection to the proxy server.
Step 6 Click Save.
Configure Server Port and Global Timeout Settings

The Server page allows you to enable or disable Prime Infrastructure’s FTP, TFT, and HTTP/HTTPS services.
FTP and TFTP services are normally enabled by default. HTTP services are disabled by default. You should
enable HTTP services if you use the Plug and Play feature and your devices are configured to use HTTP to
acquire the initial configuration in the bootstrap configuration.
See the latest Prime Infrastructure Quick Start Guide for more information.
Step 1 Choose Administration > Settings > System Settings > General > Server.
Step 2 To modify the FTP, TFTP, or HTTP service status and ports that were established during installation, enter the port
number (or port number and root, where required) that you want to modify, then click Enable or Disable.
The Global Idle Timeout is enabled by default and is set to 10 minutes. The Global Idle Timeout setting overrides the
User Idle Timeout setting in the My Preferences page. Only users with administrative privileges can disable the Global
Idle Timeout value or change its time limit.
Step 3 Click Save.

Step 4 A server restart is required to apply your changes (see Restart Prime Infrastructure Using CLI, on page 127 ).

91
Set Up the SMTP E-Mail Server
Set Up the SMTP E-Mail Server

To enable Prime Infrastructure to send email notifications (for alarms, jobs, reports, and so forth), the system
administrator must configure a primary SMTP email server (and, preferably, a secondary email server).
Step 1 Choose Administration > Settings > System Settings, then choose Mail and Notification > Mail Server Configuration.
Step 2 Under Primary SMTP Server, complete the Hostname/IP, User Name, Password, and Confirm Password fields as
appropriate for the email server you want Prime Infrastructure to use. Enter the IP address of the physical server. and the
Enter the hostname of the primary SMTP server.
Note You cannot enter a virtual IP address in the Hostname/IP field, and the IP address cannot be behind a load
balancer.
Step 3 (Optional) Complete the same fields under Secondary SMTP Server. SMTP server username and password.
Step 4 Under Sender and Receivers, enter a legitimate email address for Prime Infrastructure.
Step 5 When you are finished, click Save.
Enable FTP/TFTP/SFTP Service on the Server

FTP/TFTP/SFTP is used to transfer files between the server and devices for device configuration and software
image file management. These protocols are also used in high availability deployments to transfer files to a
secondary server. These services are normally enabled by default. If you installed Prime Infrastructure in FIPS
mode, they are disabled by default. If you use this page to enable these services, Prime Infrastructure will
become non-compliant with FIPS.
SFTP is the secure version of the file transfer service and is used by default. FTP is the unsecured version of
the file transfer service; TFTP is the simple, unsecured version of the service. If you want to use either FTP
or TFTP, you must enable the service after adding the server.
Step 1 Configure Prime Infrastructure to use the FTP, TFTP, or SFTP server.
a) Choose Administration > Servers > TFTP/FTP/SFTP Servers.
b) From the Select a command drop-down list, choose Add TFTP/FTP/SFTP Server, then click Go.
• From the Server Type drop-down list, choose FTP, TFTP, SFTP, or All.
• Enter a user-defined name for the server.
• Enter the IP address of the server.
c) Click Save.
Step 2 If you want to use FTP or TFTP, enable it on the Prime Infrastructure server.
a) Choose Administration > Settings > System Settings, then choose General > Server.
b) Go to the FTP or TFTP area.
c) Click Enable.
d) Click Save.

92
Configure Stored Cisco.com Credentials
Step 3 Restart Prime Infrastructure to apply your changes. See Stop and Restart Prime Infrastructure, on page 93.
Configure Stored Cisco.com Credentials

Prime Infrastructure stores only the username and not the password to log in to Cisco.com while performing
the following tasks:
• Checks for product software updates
• Checks for device software image updates
To download the updates and open/review a support case, you are required to enter a password.
If these settings are not configured, Prime Infrastructure will prompt users for their credentials when they
perform these tasks. To configure a global Cisco.com user name and password:
Step 2 Under the Cisco.com Credentials tab, enter a user name and password, and click Save.
Create a Login Banner (Login Disclaimer)

When you have a message that you want to display to all users before they log in, create a login disclaimer.
The text will be displayed on the GUI client login page below the login and password fields.
Step 1 Choose Administration > Settings > System Settings, then choose General > Login Disclaimer.
Step 2 Enter (or edit) the login disclaimer text.
Note Carriage returns are ignored.
Your changes will take effect immediately.
Stop and Restart Prime Infrastructure

A Prime Infrastructure restart is needed in cases such as after a product software upgrade, log file setting
changes, hanging secure port settings, compressing report files, changing service discovery settings, and,
configuring LDAP settings. When you stop the Prime Infrastructure server, all user sessions are terminated.
To stop the server, open a CLI session with the server and enter:
ncs stop
To start or restart the server, open a CLI session with the server and enter:
ncs start

93
Configure Global SNMP Settings for Communication with Network Elements
Configure Global SNMP Settings for Communication with

Network Elements
The SNMP Settings page controls the how the server uses SNMP to reach and monitor devices. These settings
will determine when a device is considered unreachable. Any changes you make on this page are applied
globally and are saved across restarts, as well as across backups and restores.
Note The default network address is 0.0.0.0, which indicates the entire network. An SNMP credential is defined
per network, so only network addresses are allowed. 0.0.0.0 is the SNMP credential default and is used when
no specific SNMP credential is defined. You should update the prepopulated SNMP credential with your own
SNMP information.
Step 1 Choose Administration > Settings > System Settings, then choose Network and Device > SNMP.
Step 2 (Optional) Select the Trace Display Values check box to display mediation trace-level logging data values that are
fetched using SNMP.
Step 3 Choose an algorithm from the Backoff Algorithm drop-down list.
• Exponential—Each SNMP try will wait twice as long as the previous try, starting with the specified timeout for
the first try.
• Constant—Each SNMP try will wait the same length of time (timeout). This is useful on unreliable networks where
the desired number of retries is large. Because it does not double the timeout per try, it does not take as long to
timeout with a high number of retries.
Step 4 If you do not want to use the timeout and retries specified by the device, configure the following parameters.
Note If switch port tracing is taking a long time to complete, reduce the Reachability Retries value.
• Reachability Retries—Enter the number of global retries.
• Reachability Timeout—Enter a global timeout.
Step 5 In the Maximum VarBinds per Get PDU and Maximum VarBinds per Set PDU fields, enter a number to indicate the
largest number of SNMP variable bindings allowed in a request or response PDU. These fields enable you to make
necessary changes when you have any failures associated to SNMP. For customers who have issues with PDU fragmentation
in their network, the number can be reduced to 50, which typically eliminates the fragmentation.
Step 6 Optionally adjust the Maximum Rows per Table.
Step 7 Click Save.
Configure Global SNMP Settings

The SNMP Settings page allows you to configure global SNMP settings for Prime Infrastructure.
Any changes you make on this page affect Prime Infrastructure globally. The changes are saved across restarts
as well as across backups and restores.

94
View SNMP Credential Details
The default network address is 0.0.0.0, which indicates the entire network. SNMP credentials are defined
per-network so only network addresses are allowed. 0.0.0.0 is the SNMP credential default and is used when
no specific SNMP credential is defined. You should update the pre-populated SNMP credential with your
own SNMP information.
Step 1 Choose Administration > Settings > System Settings > Network and Device > SNMP.
Step 2 (Optional) Select the Trace Display Values check box to display mediation trace-level logging data values fetched from
the controller using SNMP. If unselected, these values do not appear.
Step 3 From the Backoff Algorithm list, choose Exponential or Constant Timeout. If you choose Exponential, each SNMP
try waits twice as long as the previous try, starting with the specified timeout for the first try. If you choose Constant
Timeout, each SNMP try waits the same, specified amount of time.
Constant Timeout is useful on unreliable networks (such as satellite networks) where the desired number of retries is
large. Because it does not double the timeout per try, it does not take as long to timeout with a high number of retries.
Step 4 Determine if you want to use reachability parameters. If selected, Prime Infrastructure defaults to the global Reachability
Retries and Timeout that you configure. If unselected, Prime Infrastructure always uses the timeout and retries specified
per controller or per IOS access point.
Adjust this setting downward if switch port tracing is taking a long time to complete.
Step 5 In Reachability Retries, enter the number of global retries used for determining device reachability. This field is only
available if the Use Reachability Parameters check box is selected.
Adjust this setting downward if switch port tracing is taking a long time to complete.
Note You cannot edit the value of Reachability Timeout. The default value is 2 seconds.
Step 6 In the Maximum VarBinds per PDU field, enter a number to indicate the largest number of SNMP variable bindings
allowed in a request or response PDU.
This Maximum VarBinds per PDU field enables you to make necessary changes with when you have any failures associated
to SNMP.
For customers who have issues with PDU fragmentation in their network, this number can be reduced to 50, which
typically eliminates the fragmentation.
The maximum rows per table field is configurable. The configured value is retained even if you upgrade Prime Infrastructure
to a newer version.
Step 7 Click Save to confirm these settings.
Related Topics
View SNMP Credential Details, on page 95
Add SNMP Credentials, on page 96
Import SNMP Credentials, on page 97
View SNMP Credential Details

The SNMP credentials listed in this page will be used only for tracing the Rogue APs Switch Port.

95
Add SNMP Credentials
Step 1 Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Manual
SPT.
Step 2 Click the Network Address link to display the SNMP Credential Details page. The page displays the following information:
• General Parameters
• Add Format Type—Display only. For details, see “Add SNMP Credentials” in Related Topics.
• Network Address
• Network Mask
• SNMP Parameters—Choose the applicable versions for SNMP parameters. The SNMP credentials are validated
according to which SNMP versions are selected.
• Enter SNMP parameters for write access, if available. With display-only access parameters, the switch is added but
you cannot modify its configuration in Prime Infrastructure. Device connectivity tests use the SNMP retries and
timeout parameters.
• Retries—The number of times that attempts are made to discover the switch.
• Timeout—The session timeout value in seconds, which specifies the maximum amount of time allowed for a client
before it is forced to reauthenticate.
• SNMP v1 Parameters or v2 Parameters—If selected, enter the applicable community in the available text box.
• SNMP v3 Parameters—If selected, configure the following parameters:
• Username
• Auth. Type
• Auth. Password
• Privacy Type
• Privacy Password
If SNMP v1 or v2 with default community is configured, the network is open to easy attacks because default communities
are well known. SNMP v1 or v2 with a non default community is more secure than a default community, but SNMP v3
with Auth and Privacy type and no default user is the most secure SNMP connection.
Step 3 Click OK to save your changes.
Related Topics
Configure Global SNMP Settings, on page 94
Add SNMP Credentials

Prime Infrastructure needs device SNMP credentials to poll your network devices, back up and change their
configurations, and so on. You can add SNMP credentials by hand. You can also import them in bulk (see
“Importing SNMP Credentials” in Related Topics).

96
Import SNMP Credentials
SPT.
Step 2 Choose Select a command > Add SNMP Entries > Go.
Step 3 In the Add Format Type drop-down list, choose SNMP Credential Info.
Step 4 Enter the IP address of the switch you want to add. If you want to add multiple switches, use a comma between each IP
address.
Step 5 In the Retries field, enter the number of times that attempts are made to discover the switch.
Step 6 Provide the session timeout value in seconds. This determines the maximum amount of time allowed for a client before
it is forced to reauthenticate.
Step 7 Choose the applicable versions for the SNMP parameters. The SNMP credentials are validated according to which SNMP
versions are selected.
• If SNMP v1 Parameters or v2 Parameters is selected, enter the applicable community in the available text box.
• If SNMP v3 Parameters is selected, configure the following parameters:
• Username
• Auth. Type
• Auth. Password
• Privacy Type
• Privacy Password
If SNMP v1 or v2 with default community is configured, the network is open to easy attacks because default communities
are well known. SNMP v1 or v2 with a non-default community is more secure than a default community, but SNMP v3
with Auth and Privacy type and no default user is the most secure SNMP connection.
Step 8 Click OK.

If Prime Infrastructure can use the SNMP credential listed to access the switch, the switch is added for later use and
appears in the Network Devices page accessible via Configuration > Network > Network Devices. If you manually
add switches through the Network Devices page, switch port tracing uses the credentials from that page, not the ones
listed in the SNMP Credentials page. If the manually added switch credentials have changed, you need to update them
using the Network Devices pages.
Related Topics

Prime Infrastructure needs device SNMP credentials to poll your network devices, back up and change their
configurations, and so on. You can import SNMP credentials in bulk by importing them from a CSV file.You
can also add them by hand (see “Adding SNMP Credentials” in Related Topics).
Related Topics Make sure you have created a CSV file with the proper format, and that it is available for
upload from a folder on the client machine you use to access Prime Infrastructure. Here is a sample SNMP
credentials CSV file suitable for import:

97
ip_address,snmp_version,snmp_community,snmpv3_user_name,snmpv3_auth_type,snmpv3_auth_password,
snmpv3_privacy_type,snmpv3_privacy_password,network_mask 1.1.1.0,v2,private,user1,HMAC-MD5,
12345,DES,12345,255.255.255.0 2.2.2.0,v2,private,user1,HMAC-MD5,password3,DES,password4,
255.255.255.0 10.77.246.0,v2,private,user1,HMAC-MD5,12345,DES,12345,255.255.255.0
The first row of the file is mandatory, as it describes the column arrangement. The IP Address column is also
mandatory. The CSV file can contain the following fields:
• ip_address:IP address
• snmp_version:SNMP version
• network_mask:Network mask
• snmp_community:SNMP V1/V2 community
• snmpv3_user_name:SNMP V3 username
• snmpv3_auth_type:SNMP V3 authorization type. Can be None or HMAC-MD5 or HMAC-SHA
• snmpv3_auth_password:SNMP V3 authorization password
• snmpv3_privacy_type:SNMP V3 privacy type. Can be None or DES or CFB-AES-128
• snmpv3_privacy_password:SNMP V3 privacy password
• snmp_retries:SNMP retries
• snmp_timeout:SNMP timeout
SPT.
Step 2 Choose Select a command > Add SNMP Entries > Go.
Step 3 In the Add Format Type drop-down list, choose File.
Step 4 Click Browse to navigate to the CSV file you want to import and select it.
Step 5 Click OK to import the file.
If Prime Infrastructure can use the SNMP credential listed to access the switch, the switch is added for later use and
appears in the Network Devices page accessible via Configuration > Network > Network Devices. If you manually
add switches through the Network Devices page, switch port tracing uses the credentials from that page, not the ones
listed in the SNMP Credentials page. If the manually added switch credentials have changed, you need to update them
using the Network Devices pages.
Related Topics

98
Enable Compliance Services
Enable Compliance Services

Compliance Services allow Prime Infrastructure users to run Cisco PSIRT security and EOX obsolete-device
compliance reports. This feature also lets users establish baseline device configuration standards, and then
audit field configurations against these standards, identifying devices that are non-compliant and how their
configuration differ from standards.
Compliance Services are disabled by default. In order to use them, the Prime Infrastructure administrator must
enable the feature. You must also re-synchronize the server’s device inventory. All users must also log out
and then log back in to see the Configuration > Compliance menu option.
Compliance Services are available only on the following Prime Infrastructure server options:
• The Professional virtual appliance. For details, see the secions“Virtual Appliance Options” and
“Understanding System Requirements” in the latest latest Cisco Prime Infrastructure Quick Start Guide.
• The Cisco Unified Computing System (UCS) Gen 2 physical appliance. For details, see the sections
“Virtual Appliance Options” and “Understand System Requirements” in the latest Cisco Prime
Infrastructure Quick Start Guide.
• Standard Prime Infrastructure virtual appliance. For details, see the secion "Prime Infrastructure Minimum
Server Requirements" in the latest Cisco Prime Infrastructure Quick Start Guide.
Do not attempt to enable Compliance Services on Express, Express-Plus. If you do, the feature itself will not
work. In addition, if you enable it and then try to migrate your data to a newly installed Professional or Gen
2 UCS appliance, the settings in the migrated data from the source Express or Express-Plus will prevent
Compliance Services from working on the target appliance. You can avoid all this by simply leaving the
Compliance Services feature disabled on the Express or Express-Plus, and then migrating your data to the
Professional or Gen2 UCS appliance.
Step 2 Next to Compliance Services, click Enable.
Step 3 Click Save.
Step 4 Re-synchronize Prime Infrastructure’s device inventory: Choose Inventory > Network Devices, select All Devices, then
click the Sync icon.
Step 5 Ask any users who are currently logged in to Prime Infrastructure to log out. They will be able to see the new Configuration
> Compliance menu option when they log in again.
For details, see Virtual Appliance Options and Physical Appliance Options.
Configure ISE Servers

Step 1 Choose Administration > Servers > ISE Servers.
Step 2 Choose Select a command > Add ISE Server, then click Go.
Step 3 Enter the ISE server’s IP address, user name, and password.

99
Configure Software Image Management Servers
Step 4 Confirm the ISE server password.

Step 5 Click Save.
Configure Software Image Management Servers

You can add up to three software image management servers for image distribution.
Step 1 Click Administration > Servers > Software Image Management Servers.
Step 2 Click the add icon and complete the following fields:
• Server Name
• IP Address
• Sites Served
• Description
Step 3 Click Save.

Step 4 Click Manage Protocols to add the protocols.
Step 5 Click the add icon and complete the following fields:
• Protocol
• Username
• Password
• Protocol Directory
Note If you choose TFTP protocol, enter the relative path without a leading slash in the Protocol Directory field.
If you leave the Protocol Directory field empty, the image transfer will use the default home directory of your
external server.
Step 6 Click Save.
Add Device Information to a User Defined Field

The User Defined Fields (UDFs) are used to store additional information about devices, such as device location
attributes (for example: area, facility, floor, and so on). UDF attributes are used whenever a new device is
added, imported or exported.
Step 1 Choose Administration > Settings > System Settings > Inventory > User Defined Field.
Step 2 Click Add Row to add a UDF.
Step 3 Enter the field label and description in the corresponding fields.
Step 4 Click Save to add a UDF.

100
Manage OUIs
Manage OUIs
Prime Infrastructure relies on the IEEE Organizational Unique Identifier (OUI) database to identify the client
vendor name mapping. Prime Infrastructure stores vendor OUI mappings in an XML file named
vendorMacs.xml. This file is updated for each release of Prime Infrastructure. With the OUI update, you can
change the vendor display name for an existing OUI, add new OUIs to Prime Infrastructure and refresh the
vendorMacs.xml file with new vendor OUI mappings and upload it to Prime Infrastructure.
Related Topics
Add a New Vendor OUI Mapping, on page 101
Upload an Updated Vendor OUI Mapping File, on page 101
Add a New Vendor OUI Mapping

The User Defined OUI List page displays a list of vendor OUI mappings that you created. This page allows
you to add a new vendor OUI mapping, delete an OUI entry, and update the vendor name for an OUI that is
existing in the vendorMacs.xml file.
When you add an OUI, Prime Infrastructure verifies the vendorMacs.xml file to see if the OUI exists. If the
OUI exists, Prime Infrastructure updates the vendor name for the OUI. If the OUI does not exists, Prime
Infrastructure adds a new OUI entry to the vendor OUI mapping.
Step 1 Choose Administration > Settings > System Settings > Client and User > User Defined OUI. The User Defined OUI
page appears.
Step 2 Choose Add OUI Entries from the Select a Command drop-down list, then click Go.
Step 3 In the OUI field, enter a valid OUI. The format is aa:bb:cc.
Step 4 Click Check to verify if the OUI exists in the vendor OUI mapping.
Step 5 In the Name field, enter the display name of the vendor for the OUI.
Step 6 Select the Change Vendor Name check box to update the display name of the vendor, if the OUI exists in the vendor
OUI mapping, then click OK.
Upload an Updated Vendor OUI Mapping File

Prime Infrastructure allows you to get OUI updates online from the IEEE Registration Authority database
(see the link to the RA database in Related Topics). If Prime Infrastructure is unable to reach the IEEE database,
a message appears instructing you to save and upload the file to your Prime Infrastructure server.
Step 1 Choose Administration > Settings > System Settings > Client and User > Upload OUI. The Upload OUI From File
page appears.
Step 2 Click Update online from IEEE to get OUI updates from the IEEE Registration Authority database (see the link to the
RA database in Related Topics). If Prime Infrastructure is unable to reach the IEEE database, a message appears instruction
you to save and upload the file.
Step 3 Click OK after the update completes successfully.

101
Sample Log File from North-Bound SNMP Receiver
After you upload the vendorMacs.xml file in the Administration > Settings > System Settings > Upload OUI page: If
the vendor name is not reflected for existing unknown vendor clients in the Unique Clients and Users Summary report,
run the updateUnknownClient.sh script. This script is located in the /opt/CSCOlumos/bin folder.
For more information, see IEEE Registration Authority database.
Sample Log File from North-Bound SNMP Receiver

The following sample output shows the ncs_nb.log file generated by Prime Infrastructure. This log file is
located in the log file directory on Prime Infrastructure server (/opt/CSCOlumos/logs). The log output helps
you troubleshoot when alarms are not being received by the North Bound SNMP receiver.
2013-12-02 17:11:53,868 [main] INFO services - Queue type is order

2013-12-02 17:11:53,870 [main] INFO services - Starting the notification thread..
2013-12-02 17:11:53,871 [NBNotifier] INFO services - Fetching the head of the queue
2013-12-02 17:11:53,871 [NBNotifier] INFO services - The Queue is empty
2013-12-02 17:11:53,871 [main] INFO notification - Setting the NB process flag
2013-12-02 17:41:50,839 [Task Scheduler Worker-10] ERROR notification - Unable to get OSS
list
2013-12-03 08:56:18,864 [Task Scheduler Worker-8] ERROR notification - Unable to get OSS
list
Work With Server Internal SNMP Traps That Indicate System

Problems
Prime Infrastructure generates internal SNMP traps that indicate potential problems with system components.
This includes hardware component failures, high availability state changes, backup status, and so forth. The
failure trap is generated as soon as the failure or state change is detected, and a clearing trap is generated if
the failure corrects itself. For TCAs (high CPU, memory and disk utilization traps, and so forth), the trap is
generated when the threshold is exceeded.
A complete list of server internal SNMP traps is provided in Cisco Prime Infrastructure Alarms, Events, and
Supported SNMP Traps and Syslogs. Prime Infrastructure sends traps to notification destination on port 162.
This port cannot be customized at present.
You can customize and manage these traps as described in the following topics:
• Customize Server Internal SNMP Traps and Forward the Traps, on page 103
• Troubleshoot Server Internal SNMP Traps, on page 103

102
Customize Server Internal SNMP Traps and Forward the Traps
Customize Server Internal SNMP Traps and Forward the Traps

You can customize server internal SNMP traps by adjusting their severity or (for TCAs) thresholds. You can
also disable and enable the traps. You can find the server internal SNMP traps listed in Cisco Evolved
Programmable Network Manager Supported Alarms.
Note Prime Infrastructure does not send SNMPv2 Inform or SNMPv3 notifications.
Step 1 Choose Administration > Settings > System Settings, then choose Alarms and Events > System Event Configuration.
Step 2 For each SNMP event you want to configure:
a) Click on the row for that event.
b) Set the Event Severity to Critical, Major, or Minor, as needed.
c) For the CPU, disk, memory utilization, and other hardware traps, Enter the Threshold percentage (from 1–99). These
events will send the associated SNMP traps when the utilization exceeds the threshold limit. (You cannot set thresholds
for events for which the threshold setting is shown as NA.) These events send traps whenever the associated failure
is detected.
d) For backup threshold and certificate expiry (critical), enter the Threshold in days (from x–y, where x is the minimum
number of days and y is the maximum number of days).
e) To control whether a trap is to generated or not, set the Event Status.
Step 3 In the Other Settings, enter the desired value for Create and Clear Alarm Iteration.
Step 4 To save all of your trap changes, click Save (below the table).
Step 5 If you want to configure receivers for the server internal SNMP traps, refer to the procedures in the following topics,
depending on whether you want to send the information as an email or trap notification.
Troubleshoot Server Internal SNMP Traps

Cisco Prime Infrastructure Alarms, Events, and Supported SNMP Traps and Syslogs provides a complete list
of server internal SNMP traps, their probable cause, and recommended actions to remedy the problem. If that
document does not provide the information you need, follow this procedure to troubleshoot and get more
information about Prime Infrastructure server issues.
Step 1 Ping the notification destination from the Prime Infrastructure server to ensure that there is connectivity between Prime
Infrastructure and your management application.
Step 2 Check if any firewall ACL settings are blocking port 162, and open communications on that port if needed.
Step 3 Log in to Prime Infrastructure with a user ID that has Administrator privileges. Select Administration > Logging and
download the log files. Then compare the activity recorded in these log files with the activity you are seeing in your
management application:
• ncs_nbi.log: This is the log of all the northbound SNMP trap messages Prime Infrastructure has sent. Check for
messages you have not received.
• ncs-# -# .log: This is the log of most other recent Prime Infrastructure activity. Check for hardware trap messages
you have not received.

103
Set Up Defaults for Cisco Support Requests
• hm-# -# .log: This is the log of all Health Monitor activity. Check for recent messages about High Availability
state-changes and application-process failures that you have not received.
The messages you see in these logs should match the activity you see in your management application. If you find major
differences, open a support case with Cisco Technical Assistance Center (TAC) and attach the suspect log files with your
case. See Open a Cisco Support Case, on page 251.
Set Up Defaults for Cisco Support Requests

By default, users can create Cisco support requests from different parts of the Prime Infrastructure GUI. If
desired, you can configure the sender e-mail address and other e-mail characteristics. If you do not configure
them, users can supply the information when they open a case.
If you do not want to allow users to create requests from the GUI client, you can disable that feature.
Step 2 Click the Support Request tab.
Step 3 Select the type of interaction you prefer:
• Enable interactions directly from the server—Specify this option to create the support case directly from the Prime
Infrastructure server. E-Mails to the support provider are sent from the e-mail address associated with the Prime
Infrastructure server or the e-mail address you specify.
• Interactions via client system only—Specify this option to download the information required for your support case
to a client machine. You must then e-mail the downloaded support case details and information to the support
provider.
Step 4 Select your technical support provider:

• Click Cisco to open a support case with Cisco Technical Support, enter your Cisco.com credentials, then click Test
Connectivity to check the connectivity to the following servers:
• Prime Infrastructure mail server
• Cisco support server
• Forum server
• Click Third-party Support Provider to create a service request with a third-party support provider. Enter the
provider’s e-mail address, the subject line, and the website URL.
Configure Cisco Product Feedback Settings

To help Cisco improve its products, Prime Infrastructure collects the following data and sends it to Cisco:
• Product information—Product type, software version, and installed licenses.

104
Migrating Data from Prime Infrastructure to Cisco Digital Network Architecture Center
• System information—Server operating system and available memory.

• Network information—Number and type of devices on your network.
This feature is enabled by default. Data is collected on a daily, weekly, and monthly basis and is posted to a
REST URL in the Cisco cloud using HTTPS. Choose Administration > Settings > System Settings, then
choose General > Help Us Improve, and:
• To view the types of data Cisco collects, click What data is Cisco collecting?
• To disable this feature, select Not at this time, thank you, then click Save.
Note If you have upgraded from a previous version of Prime Infrastructure, the product
feedback data collection option you specified in the earlier version is retained
after the upgrade for the upgraded server and the restored server. If you had not
selected any option for product feedback data collection in the previous version,
it will be enabled by default in the upgraded version and the backup and restore
server.
If you have configured high availability, the data will be collected and sent either
from the primary or secondary HA server instance (it is not sent from both the
server).
Migrating Data from Prime Infrastructure to Cisco Digital

Network Architecture Center
You can now integrate Cisco Prime Infrastructure with Cisco Digital Network Architecture (DNA) Center
and utilize the intent-based networking solution for managing application user experience in the enterprise.
Cisco DNA Center supports the expression of intent for multiple use cases, including base automation
capabilities, fabric provisioning, and policy-based segmentation in the enterprise network. Cisco DNA Center
adds context to this journey through the introduction of Analytics and Assurance. To know more about Cisco
DNA Center, visit http://cisco.com/go/dna
You can migrate devices, location groups, associated site maps, user defined CLI and / or composite templates
and cmx data from Prime Infrastructure to Cisco DNA Center and manage your enterprise network over a
centralized dashboard.
Before you begin

Ensure that:
You have Root and Super Users access privileges of Prime Infrastructure server.
You have access credentials of Cisco DNA Center server.
You usePrime Infrastructure server version 3.9 that is compatible with the Cisco DNA Centerservers
mentionedin the below table.

105
Table 7: Supported/Recommended Cisco DNA Center Versions
DNAC Version Supported /Recommended
1.2.1 Supported
1.2.2 Supported
1.2.3 Supported
1.2.4 Supported
1.2.5 Supported
1.2.6 Supported
1.2.8 Supported
1.2.10 Supported
1.2.10.4 Supported
1.2.11 Supported
1.2.12 Supported
1.3.0 Supported
1.3.0.1 Supported
1.3.0.2 Supported
1.3.0.3 Supported
1.3.0.4 Supported
1.3.0.5 Supported & Recommended
1.3.1 Supported

106
DNAC Version Supported /Recommended
You use a single session of the migration at a time for the same Prime Infrastructure Cisco DNA Center server
pair.
Step 1 Click Cisco DNA Center coexistence in the Mega Menu page.
You can also launch Cisco DNA Center coexistence from the Getting Started page. Choose Settings > Getting Started
> Cisco DNA Center coexistence, and then click Launch Cisco DNA Center coexistence to open Prime Infrastructure
- Cisco DNA Center Coexistence page.
Step 2 Click Add Cisco DNA Center Server.

Step 3 Enter the following Cisco DNA Center server details:
a) Server IP Address or Hostname.
b) Username
c) Password
d) Confirm Password
Note You can integrate only one Cisco DNA Center server at a time.
Step 4 Click Save, to check server reachability.

Step 5 Click Next to go to Sync Settings.
Step 6 In the Sync Settings window:
a) You can check for the Supported/Available Limits of the Cisco DNA Center server for the Site Groups/Site Maps
and Devices. Supported/Available Limits of Cisco DNA Center will vary based on the Cisco DNA Center server
core(s) count.
The Supported/Available limits are specified in the below table:
Table 8: Supported/Available Limits
DNAC Core Site Groups/Site Maps Devices
44-Core 500 1000
56-Core 1000 4000
112-Core 2000 5000

107
b) Select the Enables automatic synchronization of data integrated with Cisco DNA Center checkbox to synchronize
already migrated data set for the groups and devices from Prime Infrastructure to Cisco DNA Center automatically
post modification.
c) Select the Include newly added data during dynamic synchronization checkbox to move newly created groups
and newly added devices during dynamic synchronization if any, from Prime Infrastructure to Cisco DNA Center
automatically post addition.
Note • This checkbox is enabled only if you select the Enables automatic synchronization of data
integrated with Cisco DNA Center checkbox.
• During force synchronization, if the Enables automatic synchronization of data integrated with
Cisco DNA Center checkbox is enabled, any modifications made through force synchronization to
the Location Group and Devices entities will be dynamically synced in Cisco DNA Center.
• If the Enables automatic synchronization of data integrated with Cisco DNA Center checkbox
is selected, CMX will be dynamically assigned to Cisco DNA Center floor groups, when Cisco
Prime Infrastructure imports maps to CMX. (Pre Req.: CMX dynamic sync will work only on already
migrated floor groups and CMX should exist in Cisco DNA Center server for CMX dynamic sync.)
d) If the Enable CMX settings checkbox is selected, CMX will be pushed with floor groups. If the Enable CMX
settings check is not selected, CMX data will not be pushed to the Cisco DNA Center server.
e) Select the Migrate User Defined CLI Templates checkbox to migrate the user defined CLI and/or Composite
Templates to Cisco DNA Center.
Step 7 Click Next to go to the Select Groups page.
Step 8 In the Select Groups window:
a) Select the location groups from the Cisco Prime Infrastructure Location Groups Selector pane. Upon selecting Site
Groups, by default the buildings, floors and associated maps also get selected.
Before adding Cisco Prime Infrastructure location groups to Cisco DNA Center, you can check the limitation status
bar for the selected/maximum devices and site groups of Cisco DNA Center.
The Cisco Prime Infrastructure Location groups selector pane lists all the Prime Infrastructure groups irrespective
of any virtual domain.
Note • Cisco Prime Infrastructure does not migrate devices assigned in a "Campus" to the Cisco DNA Center,
when the co-existence tool is used.
• As a workaround, you can assign your devices to a "Building" or "Floor" type location group before
using the co-existence tool.
• Civic location is mandatory for Location Groups / Site groups migration especially for Cisco DNA
Center 2.2.1.0 version.
• Enabling the proxy setting is mandatory for migrating country code along with location groups.
• Access Points positioned in the maps in Cisco Prime Infrastructure will migrate to Cisco DNA Center,
only if we manage its WLC devices with CLI Credentials.
• Devices assigned in the Location groups with 'Default' Group type will not migrate to DNAC
Step 9 Click Next.

Step 10 In the CMX Credentials window:

108
a) You can view the list of associated CMX for selected groups with the following details:
• Credential Status
• Server IP address
• Server Name
• Username
• Owner
• SSH Username
• SSH Password
b) You must update the SSH Username and SSH Password, if it is not available for the respective CMX.
c) If the associated CMX is not found, then click Next.
Note When the Cisco Prime Infrastructure – Cisco DNA Center migration tool is active and auto sync is enabled,
then CMX will be dynamically pushed to Cisco DNA Center floor groups. Cisco DNA Center will there by
track the location data for assigned groups.
Step 11 If "Migrate User Defined CLI Templates" checkbox is selected in 'Sync settings' page, then a new page "Select CLI
Templates" will be seen after CMX page.
Step 12 In the Select CLI Templates window:
a) Non-Migrated Templates will list all the applicable user defined CLI and/or Composite templates for the device
types in the selected groups for migration to Cisco DNA Center.
b) Migrated templates will list all the migrated templates available in Cisco DNA Center. You can either update or
delete these templates.
Note By default all the rows will be selected. Selected templates from the list will be updated and the deselected
templates will be deleted from Cisco DNA Center.
Step 13 Click Next.

Step 14 In the Summary window:
a) You can view the overall summary of selected location groups, devices, associated maps, CLI templates, and CMX
before migrating to the Cisco DNA Center.
b) You can also view the groups, devices, maps, CLI Templates, and CMX which is added, updated and deleted under
each respective tab.
c) Based on the group selection you can Add/Update or Delete the CLI/Composite templates in Cisco DNA Center.
d) You can also view the status of last synced date and time.
Step 15 Click Submit, to migrate all the Location Groups, Devices, Maps, user defined CLI Templates and /or composite
templates and CMX from Prime Infrastructure to Cisco DNA Center.
Step 16 Click Force Sync to push data to the Cisco DNA Center server after the first migration.
You will be asked for a confirmation DNAC data will be overwritten by PI data by the Force Sync. Click Yes to
proceed or No to stop Force Sync.

109

110
CHAPTER 5
Maintain Prime Infrastructure Server Health
• Overview Dashboard, on page 111
• Performance Dashboard, on page 112
• Admin Dashboard, on page 113
• How to Evaluate OVA Size and System Resources, on page 113
• How to Improve the Performance of Prime Infrastructure, on page 115
• Optimize Memory for Assurance Processing, on page 120
• Manage Data Sources, on page 123
• Special Administrative Tasks, on page 124
• How to Update Prime Infrastructure With Latest Software Updates, on page 137
• How to Configure Support Request Settings, on page 142
• How to Manage Disk Space Issues, on page 143
Overview Dashboard
The following table describes the information displayed on the Administration > Dashboards > System
Monitoring Dashboard > Overview dashboard.
Table 9: Administration Dashboards System Monitoring Dashboard Overview Information
To view this information... See this dashlet
PI server's hardware and software server details. System Information
The trend over time in CPU/Memory/Disk utilization Live Trend Information
Status of the data cleanup jobs over the selected period. Data Cleanup
Status of backup jobs, local and remote server backups and alarms on server backup over the selected Backup Information
period.
Physical memory and swap memory utilization displaying the set threshold limit. Also provides information Memory Utilization
on threads utilizing the memory when the threshold is breached.
CPU utilization and the set threshold limit. Also provides information on the processes and the jobs CPU Utilization
running in Prime Infrastructure that consumes more CPU when the threshold is breached.

111
Performance Dashboard
Disk utilization and the set threshold limit. Also provides information on the files and the tablespaces Disk Utilization
using the disk when the threshold is breached.
Virtual Domain Summary - Click on the summary icon to view the association between virtuals domains Virtual Domain
and the users. Also the members without virtual domain association. It allows you export the list of Summary
respective associations.
Available disk space. Disk Statistics
The successful restore information over the selected period, the backup name and the restoration time. Restore Information
Top 10 tables with highest number of rows inserted. Database Monitoring
Choose Administration > System Settings > System Event Configuration to set the threshold limit for
CPU/Disk/Memory utilization and to configure the alarm generation and clearance monitor settings.
The Memory Utilization, Disk Utilization and CPU Utilization dashlets have threshold markers indicated in
red color, and a time slider provided at the bottom to zoom-in to a particular time period. You can click the
pin icon in the tool-tip to extend the tool-tip display duration.
Related Topics
Performance Dashboard, on page 112
Admin Dashboard, on page 113
Performance Dashboard
Monitoring Dashboard > Performance Performance dashboard.
Table 10: Administration Dashboards System Monitoring Dashboard Performance Information
Incoming syslogs over the set collection time frame. Syslog
Incoming traps over the set collection time frame. Trap
Disk read and write over the set collection time frame. System Disk Throughput
Number of read/write requests that were issued to the server per second. System Disk IOPS
Number of requests waiting in the server queue. System Disk Outstanding I/O
The speed at which data is currently being transferred based on the traffic flowing through available Network Interface Traffic
network interfaces such as eth0, eth1, and I/O interfaces.
Collective information on the CPU usage, disk usage, and memory usage. Composite View

112
Admin Dashboard
Admin Dashboard
Monitoring Dashboard > Admin dashboard.
Table 11: Administration Dashboards System Monitoring Dashboard Admin Information
To view this information... Choose this And see this dashlet

tab...
Alarms and events issued against the Prime Infrastructure server itself, including a Health System Alarms
list of events, times events occurred, and their severities.
General health statistics for the Prime Infrastructure server, such as the number of System Information
jobs scheduled and running, the number of supported MIB variables, how much
polling the server is doing, and the number of users logged in.
The relative proportion of the Prime Infrastructure server database taken up by data DB Usage Distribution
on discovered device inventory (“Lifecycle Clients”), their current status and
performance data (“Lifecycle Statistics”), and the server’s own system data
(“Infrastructure” and “DB-Index”)
How quickly the Prime Infrastructure server is responding to user service requests API Health API Response Time Summary
for information, such device reachability, alarms and events, and so on. Shows the
maximum, minimum, and average response times for each API underlying a client
service.
The trend over time in how quickly the Prime Infrastructure server is responding to Service API Response Time Trend
user service requests. Details
The activity level for each of the logged-in Prime Infrastructure users, measured by API Calls Per Client Chart
the number of service requests each is generating.
The trend over time in the total number of service requests logged-in clients are API Request Count Trend
generating,
How to Evaluate OVA Size and System Resources

Your Prime Infrastructure system implementation should match the recommendations on appropriate OVA
sizes given in the “System Requirements” section of the Cisco Prime Infrastructure Quick Start Guide (see
Related Topics).
Note that the limits on devices, interfaces, and flow records given in the Quick Start Guide are all maximums;
an OVA of a given size has been tuned to handle no more than this number of devices, interfaces, and flows
per second. Also note that the system requirements for RAM, disk space, and processors are all minimums;
you can increase any of these resources and either store more data for a longer period, or process incoming
flows more quickly.

113
View the Number of Devices Prime Infrastructure Is Managing
As your network grows, you will approach the maximum device/interface/flow rating for your OVA. You
will want to check on this from time to time. You can do so using the information available to you on the
Admin dashboards, as explained in “Monitoring Prime Infrastructure Health”.
If you find Prime Infrastructure is using 80 percent or more of your system resources or the device/interface/flow
counts recommended for the size of OVA you have installed, we recommend that you address this using one
or more of the following approaches, as appropriate for your needs:
• Recover as much existing disk space as you can, following the instructions in “Compacting the Prime
Infrastructure Database”.
• Add more disk space—VMware OVA technology enables you to easily add disk space to an existing
server. You will need to shut down the Prime Infrastructure server and then follow the instructions
provided by VMware to expand the physical disk space (see “VMware vSphere Documentation” in
Related Topics). Once you restart the virtual appliance, Prime Infrastructure automatically makes use of
the additional disk space.
• Limit collection—Not all data that Prime Infrastructure is capable of collecting will be of interest to you.
For example, if you are not using the system to report on wireless radio performance statistics, you need
not collect or retain that data, and can disable the Radio Performance collection task. Alternatively, you
may decide that you need only the aggregated Radio Performance data, and can disable retention of raw
performance data. For details on how to do this, see “Specifying Data Retention by Category”.
• Shorten retention—Prime Infrastructure defaults set generous retention periods for all of the data it
persists and for the reports it generates. You may find that some of these periods exceed your needs, and
that you can reduce them without negative effects. For details on this approach, see “Controlling Report
Storage and Retention”, “Specifying Data Retention by Category”, and “Specifying Data Retention By
Database Table.”
• Off load backups and reports—You can save space on the Prime Infrastructure server by saving reports
and backups to a remote server. For details, see “Using Remote Backup Repositories”.
• Migrate to a new server—Set up a new server that meets at least the minimum RAM, disk space, and
processor requirements of the next higher level of physical or virtual appliance. Back up your existing
system, then restore it to a virtual machine on the higher-rated server. For details, see “Migrating to
Another OVA Using Backup and Restore”.
For more details, see "System Requirements", "Cisco Prime Infrastructure Quick Start Guide" and, "VMware
vSphere Documentation".
Related Topics
How Data Retention Settings Affect Web GUI Data, on page 145
Specify Data Retention By Database Table, on page 149
Control Report Storage and Retention, on page 151
View the Number of Devices Prime Infrastructure Is Managing

To check the total number of devices and interfaces that Prime Infrastructure is managing, choose
Administration > Licenses and Software Updates > Licenses.
To check the total system disk space usage, choose Administration > Settings > Appliance, then click the
Appliance Status tab. Then under Inventory, expand Disk Usage.

114
How to Improve the Performance of Prime Infrastructure
Related Topics
How to Evaluate OVA Size and System Resources, on page 113
How to Improve the Performance of Prime Infrastructure, on page 115
How to Improve the Performance of Prime Infrastructure

You can improve Prime Infrastructure’s speed and scalability using several techniques.
Related Topics
Tune the Server, on page 115
Configure Client Performance Settings, on page 117
Optimize Memory for Assurance Processing, on page 120
Monitor Assurance Memory Allocation and Demand, on page 121
Tune the Server

You can improve Prime Infrastructure’s performance and scalability by increasing the amount of RAM, CPU,
and disk space allocated to the Prime Infrastructure server and its virtual machine (or VM).
Successful server tuning requires you to complete the following workflow:
1. Changes to the VM include a risk of failure. Take an application backup before making any changes to
the VM (for details, see “Perform an Immediate Application Backup Using the Web GUI" in Related
Topics).
2. Perform the resource modifications in the VM, then restart the VM and the server (see “Modify VM
Resource Allocation Using VMware vSphere Client”).
Related Topics
Perform an Immediate Application Backup Using the Web GUI, on page 58
Modify VM Resource Allocation Using VMware vSphere Client

Use the following steps to make changes to the virtual appliance RAM, CPU or disk space resource allocations.
Be sure to back up the Prime Infrastructure server before attempting these types of changes (see “Backing Up
and Restoring Prime Infrastructure” in Related Topics).
Please note that Compliance Services features will not work if you expand the RAM, CPU or disk space
resource allocations after installation.
Tip For better performance: If you are changing RAM and CPU resource allocations for the virtual machine on
which you run Prime Infrastructure, and you have more than one virtual machine running on the same hardware,
you may also want to change your RAM and CPU resource reservations using the vSphere Client’s Resource
Allocation tab. For details, see “VMware vSphere documentation” in Related Topics.

115
Compact the Prime Infrastructure Database
Step 1 Open a CLI session with the Prime Infrastructure server (see “Connecting Via CLI”).
Step 2 Stop Prime Infrastructure using the ncs stop command (see “Stopping Prime Infrastructure”).
Step 3 Halt the VMware virtual appliance:
PIServer/admin# halt
Step 4 Launch the vSphere Client, right-click the virtual appliance, then click Edit Settings.
Step 5 To change the RAM allocation, select Memory and change the Memory Size as needed. Then click OK.
Step 6 To change the CPU allocation, select CPUs and select the Number of Virtual Processors from the drop-down list. Then
click OK.
Step 7 To add a new disk (you cannot expand the space of the existing disk):
a) Click Add.
b) Select Hard Disk, then click Next.
c) Check Create a new virtual disk, then click Next.
d) Enter the desired Disk Size and specify a Location for the new virtual disk, then click Next.
e) With the Advanced Options displayed, click Next, then click Finish.
Step 8 Power on the virtual appliance (see “Restarting Prime Infrastructure”)
For more details, see "Backing Up and Restoring Prime Infrastructure" and VMware vSphere Documentation.
Note Cisco Prime Infrastructure is installed only using the 1 Gbps ports. To disable the 10 Gbps ports and use the 1
Gbps ports to install Prime Infrastructure, perform the following steps.
a. Login to CIMC Console.
b. Navigate to Compute > BIOS > Configure BIOS > Advanced > LOM and PCle Slots Configuration.
c. Choose the Disabled option from the PCIe Slot:MLOM OptionROM and PCIe Slot:MLOM Link Speed
drop-down lists.
d. Click the Save button.
e. Navigate to Host Power, Power Cycle the machine and then Power ON.
Related Topics
How to Connect Via CLI, on page 125
Stop Prime Infrastructure, on page 127
Restart Prime Infrastructure Using CLI, on page 127
Compact the Prime Infrastructure Database

You can reclaim disk space by compacting the Prime Infrastructure database.
Step 1 Open a CLI session with the Prime Infrastructure server (see “How to Connect Via CLI” in related topics).
Step 2 Enter the following command to compact the application database:

116
Configure Client Performance Settings
PIServer/admin# ncs cleanup
Step 3 When prompted, answer Yes to the deep cleanup option.
Related Topics
Configure Client Performance Settings

You can configure many client processes to improve Prime Infrastructure performance and scalability (see
Related Topics).
Related Topics
Enable Automatic Client Troubleshooting, on page 117
Enable DNS Hostname Lookup, on page 118
Specify How Long to Retain Client Association History Data, on page 118
Poll Clients When Receiving Client Traps/Syslogs, on page 118
Save Client Traps as Events, on page 119
Save 802.1x and 802.11 Client Traps as Events, on page 119
Enable Automatic Client Troubleshooting

The Administration > Settings > System Settings > Client and User > Client page allows you to enable
automatic client troubleshooting on a diagnostic channel for your third-party wireless clients running Cisco
Compatible Extensions (CCX).
With this feature enabled, Prime Infrastructure will process the client ccx test-association trap that invokes a
series of tests on each CCX client. Clients are updated on all completed tasks, and an automated troubleshooting
report is produced (it is located in dist/acs/win/webnms/logs). When each test is complete, the location of the
test log is updated in the client details pages, in the V5 or V6 tab, in the Automated Troubleshooting Report
area. Click Export to export the logs.
When this feature is not enabled, Prime Infrastructure still raises the trap, but automated troubleshooting is
not initiated.
Automatic client troubleshooting is only available for clients running CCX Version 5 or 6. For a list of
CCX-certified partner manufacturers and their CCX client devices, see the Cisco Compatible Extensions
Client Devices page, linked under Related Topics, below.
Step 1 Choose Administration > Settings > System Settings > Client and User > Client. The Client page appears.
Step 2 In the Process Diagnostic Trap area, select the Automatically troubleshoot client on diagnostic channel check box, then
click Save. For more details, see Cisco Compatible Extensions Client Devices page.
Related Topics

117
Enable DNS Hostname Lookup
Enable DNS Hostname Lookup

DNS lookup can take a considerable amount of time, so Prime Infrastructure has it disabled by default.
You can enable or disable the DNS lookup for client hostnames, and change how long Prime Infrastructure
retains the results of previous DNS lookups in its cache.
Step 1 Choose Administration > Settings > System Settings > Client and User > Client.
Step 2 Select the Lookup client host names from DNS server check box.
Step 3 Enter the number of days that you want the hostname to remain in the cache, then click Save.
Related Topics
Specify How Long to Retain Client Association History Data

Client association history can take a lot of database and disk space. This can be an issue for database backup
and restore functions. The retention duration of client association history can be configured to help manage
this potential issue.
Step 2 Under Data Retention, change the following parameters as needed:
• Dissociated Clients —Enter the number of days that you want Prime Infrastructure to retain the data. The valid
range is 1 to 30 days.
• Client session history—Enter the number of days that you want Prime Infrastructure to retain the data. The valid
range is 7 to 365 days.
• Number of Rows To Keep—Enter the maximum number of client session records to maintain. The default is
8,000,000.
Step 3 Click Save.
Related Topics
Poll Clients When Receiving Client Traps/Syslogs

Under normal circumstances, Prime Infrastructure polls clients on a regular schedule, every few minutes,
identifying session information during the poll. You can also choose to have Prime Infrastructure poll clients
immediately whenever traps and syslogs are received from them. This helps you discover new clients and
their sessions quickly.
This option is disabled by default, as it can affect Prime Infrastructure performance. Busy networks with many
clients can generate large amounts of traps and syslogs, especially during peak periods when clients are

118
Save Client Traps as Events
roaming and associating/disassociating often. In this case, polling clients every time you receive a trap or
syslog may be an unnecessary processing burden.
If you enable the Wireless Polling Clients when Receiving Client Traps/Syslogs option, Prime Infrastructure
enables Client Authentication, Client Deauthentication, and Client Disassociate Traps on the WLC even if
you previously disabled the traps on the WLC. Prime Infrastructure triggers the WLC Sync operation, which
enables the client traps on WLC.
Step 1 Choose Administration > Settings > System Settings > Client.
Step 2 Select the Poll clients when client traps/syslogs received check box. Prime Infrastructure will poll clients as soon as a
trap or syslog is received, to identify client sessions.
Step 3 Click Save.
Related Topics
Save Client Traps as Events

In some deployments, Prime Infrastructure might receive large amounts of client association and disassociation
traps. Saving these traps as events can cause slow server performance. In addition, other events that might be
useful could be aged out sooner than expected because of the amount of traps being saved.
Follow the steps below to ensure that Prime Infrastructure does not save client association and disassociation
traps as events.
Step 2 Unselect the Save client association and disassociation traps as events check box.
Step 3 Click Save to confirm this configuration change. This option is disabled by default.
Related Topics
Save 802.1x and 802.11 Client Traps as Events

You must enable Save 802.1x and 802.11 client authentication failed traps as events for debugging purposes.
Step 2 Select the Save 802.1x and 802.11 client authentication fail traps as events check box.
Step 3 Click Save to confirm this configuration change.
Related Topics

119
Enable Enhanced Client Traps
Enable Enhanced Client Traps

To enable enhanced client traps:
Step 2 Select the Discover Clients from enhanced client traps check box.
Step 3 Make sure that the Prime Infrastructure server is registered as a Trap receiver on Cisco WLC for receiving Client traps.
The following trap flags need to be enabled on the devices for enhanced client trap to work:
• config trapflags client enhanced-802.11-associate enable
• config trapflags client enhanced-802.11-deauthenticate enable
• config trapflags client enhanced-authentication enable
• config trapflags client enhanced-802.11-stats enable
Step 4 To log the incoming enhanced client traps on the Prime Infrastructure side, you can enable client trap logging via ssh to
root shell. This generates clientTraps.log file under the /opt/CSCOlumos/logs file.
• /opt/CSCOlumos/bin/setLogLevel.sh com.cisco.client.traps TRACE
Note Enhanced clients traps from Prime Infrastructure is supported from WLC version 8.0 onwards.
Optimize Memory for Assurance Processing

Prime Infrastructure’s Assurance features depend heavily on high-volume NetFlow data forwarded to the
Prime Infrastructure server by devices, including NAMs. Because Prime Infrastructure always aggregates
NetFlow data before storing it, supporting Assurance features with appropriate data is a memory-intensive
process.
With more working memory to hold NetFlow data during aggregation, Prime Infrastructure can get this job
done faster and more efficiently. This can lead to important performance improvements if your organization
licenses Assurance features and makes heavy use of them.
Prime Infrastructure offers features to help you:
• Determine how much memory is currently allocated to Assurance-related data processing, and how
completely individual Assurance features are using that memory pool.
• Increase the default pool of memory used to process Assurance-related data.
• Balance the memory allocated to individual Assurance features, so those with the greatest demand for
memory get what they need.
The amount of performance improvement you can get from using these features depends on the memory
available and how you use Assurance features, but can be substantial. For example: Given a Prime Infrastructure
Professional implementation with the recommended minimum hardware Prime Infrastructure can process up
to 414,000 NetFlow host records in a single five-minute aggregation cycle. With Assurance memory
optimization, maximum processing for the same type of data is closer to 800,000 records per cycle.

120
Monitor Assurance Memory Allocation and Demand
You can increase the Assurance memory pool without balancing Assurance memory allocations, and vice
versa. But using these two optimization options together is the best way to improve Prime Infrastructure
performance when Assurance features are used.
Related Topics
Monitor Assurance Memory Allocation and Demand, on page 121
Increase the Assurance Memory Pool Via CLI, on page 121
How to Balance the Assurance Memory Allocation, on page 122
Reset Assurance Memory Allocation, on page 122
Reset the Assurance Memory Pool, on page 122
Monitor Assurance Memory Allocation and Demand

You can quickly see Prime Infrastructure’s current Assurance-related memory allocation and usage.
Step 1 Select Services > Application Visibility & Control > Data Sources.
Step 2 Select the text link Assurance Memory Statistics (in the upper right corner of the page). Prime Infrastructure displays:
• The current memory allocation in megabytes for each of the main Assurance feature categories, including Traffic,
Performance Routing, Applications, Voice-Video data, Device Health, Lync and other data.
• The usage of each area’s memory allocation over the last 24 hours. The percentage represents the peak memory
usage over that period (that is, if 100 percent of the memory allocation is used at any point in the past 24 hours, the
usage percentage shown will be 100 percent).
Related Topics
How to Balance the Assurance Memory Allocation, on page 122
Increase the Assurance Memory Pool Via CLI

You can use the Prime Infrastructure command line to allocate more memory to all types of Assurance-related
data processing. Note that using the ncs tune-resources assurance command requires a server restart. Once
restarted, the server will increase the total pool of memory allocated to all Assurance-related data processing.
Step 1 Open a CLI session with the Prime Infrastructure server (see “How to Connect Via CLI”).
Step 2 Enter the following command:
PIServer/admin# ncs tune-resources assurance
Step 3 Restart the Prime Infrastructure server (see “Restart Prime Infrastructure”).
Related Topics

121
How to Balance the Assurance Memory Allocation
How to Balance the Assurance Memory Allocation

You can use the Prime Infrastructure interface to automatically balance the allocation of the total Assurance
memory pool to individual categories of Assurance-related data processing, ensuring that those Assurance
features that need memory the most are getting it.
Step 2 Select the text link Assurance Memory Statistics (in the upper right corner of the Data Sources page).
Step 3 Click Rebalance.
Prime Infrastructure will change Assurance memory allocations to individual features as needed, reducing allocations
for less-used features and increasing allocations for features where usage over the past 24 hours was at or near 100 percent.
Related Topics
Reset Assurance Memory Allocation

You can use the Prime Infrastructure interface to cancel Assurance memory balancing, returning the allocation
for each Assurance-related feature to its default value.
Step 2 Select the text link Assurance Memory Statistics (in the upper right corner of the Data Sources page).
Step 3 Click Reset.
Related Topics
Reset the Assurance Memory Pool

You can use the Prime Infrastructure command line to return the Assurance memory pool to the default
allocation, disabling all changes created using the ncs tune-resources assurance command explained in
“Increase the Assurance Memory Pool Via CLI”.
PIServer/admin# ncs tune-resources default
Step 3 Restart the Prime Infrastructure server (see “Restart Prime Infrastructure”).

122
Manage Data Sources
Related Topics
Manage Data Sources

Prime Infrastructure depends on a variety of sources for accurate gathering and reporting of device, performance
and assurance data. These sources include specialized monitoring devices such as NAMs, and protocols
running on normal devices, such as Cisco Medianet, NetFlow, Flexible NetFlow, Network Based Application
Recognition (NBAR), Performance Monitoring (PerfMon), and Performance Agent.
You will want to manage these sources to ensure that only the correct data is gathered from active sources.
The Data Sources page allows you to review your current data sources, and delete those that are no longer
active.
For details on the data sources used in dashlets, see “Advanced Monitoring” in Related Topics. For details
on setting up individual data sources, see the data-source configuration sections of “Administrator Setup
Tasks”, also listed in Related Topics.
Related Topics
View Current Data Sources, on page 123
Delete Data Sources, on page 124
Advanced Monitoring
Administrator Setup Tasks, on page 4
Configure Data Sources for Cisco Prime Infrastructure With Assurance, on page 10
Enable Medianet NetFlow, on page 12
Enable NetFlow and Flexible NetFlow, on page 14
Deploy Network Analysis Modules NAMs, on page 15
Enable Performance Agent, on page 15
View Current Data Sources

Use the Data Sources page to review Prime Infrastructure’s current data sources. Access to this page requires
administrator privileges
Select Services > Application Visibility & Control > Data Sources. Prime Infrastructure displays a summary page that
lists each device data source’s:
• Device Name–The host name of the data source
• Data Source–The IP address of the data source.
• Type–The type of data the source is sending to Prime Infrastructure (e.g., “Netflow”).
• Exporting Device–The IP address of the device exporting the data to Prime Infrastructure.
• Last 5 min Flow Read Rate–The amount of data Prime Infrastructure has received from this source during the last
five minutes.

123
Delete Data Sources
• Last Active Time–The latest date and time that Prime Infrastructure received data from this source.
For each Cisco NAM data collector sources, the page lists:
• Name–The host name of the NAM.
• Type–The type of data the NAM is collecting and sending to Prime Infrastructure (e.g., “Cisco Branch Routers
Series Network Analysis Module”).
• Host IP Address–The IP address of the NAM.
• Data Usage in System–Whether the data forwarded by this NAM is enabled for use in Prime Infrastructure.
• Last Active Time–The latest date and time that Prime Infrastructure received data from this NAM.
Related Topics
Special Administrative Tasks, on page 124
Delete Data Sources, on page 124
Delete Data Sources

Use the Data Sources page to delete inactive Prime Infrastructure data sources. Access to this page requires
administrator privileges.
Note that you cannot delete a NetFlow data source until seven full days have elapsed without receipt of any
data from that data source. This delay helps protect the integrity of NetFlow data (which Prime Infrastructure
identifies and aggregates according to the source) by giving network operators a full week to ensure that the
data source has been retired. If the source remains active during that period and sends data to Prime
Infrastructure, data from that source will still be identified and aggregated properly with other data from the
same source (instead of being identified as a new source).
Step 2 Select the checkbox next to the inactive data source you want to delete.
Step 3 Click Delete.
Step 4 Click OK to confirm the deletion.
Related Topics
View Current Data Sources, on page 123
Special Administrative Tasks

Prime Infrastructure provides administrators with special access in order to perform a variety of infrequent
tasks, including
• Connecting to the server via an SSH command-line interface (CLI) session.
• Changing server hardware setup and resource allocations.
• Starting, stopping, and checking on the status of Prime Infrastructure services.

124
How to Connect Via CLI
• Running Prime Infrastructure processes accessible only via the CLI.

• Managing access rights, including changing passwords for user IDs with special tasks.
• Removing or resetting Prime Infrastructure.
Related Topics
Start Prime Infrastructure, on page 126
Check Prime Infrastructure Server Status, on page 126
Check Prime Infrastructure Version and Patch Status, on page 127
How to Remove Prime Infrastructure, on page 128
Reset Prime Infrastructure to Defaults, on page 129
Change the Prime Infrastructure Host Name, on page 129
Enable the FTP User, on page 130
Change the Root User Password, on page 130
How to Recover Administrator Passwords on Virtual Appliances, on page 131
How to Recover Administrator Passwords on Physical Appliances, on page 133
How to Get the Installation ISO Image, on page 136
Check High Availability Status, on page 303
How to Connect Via CLI

Administrators can connect to the Prime Infrastructure server via its command-line interface (CLI). CLI access
is required when you need to run commands and processes accessible only via the Prime Infrastructure CLI.
These include commands to start the server, stop it, check on its status, and so on.
Note Disabling the SSH legacy ciphers may impact associating with the Prime Infrastructure that utilizes the legacy
SSH client.
Before you begin

Before you begin, make sure you:
• Know the user ID and password of an administrative user with CLI access to that server or appliance.
Unless specifically barred from doing so, all administrative users have CLI access.
• Know the IP address or host name of the Prime Infrastructure server.
Step 1 Start up your SSH client, start an SSH session via your local machine’s command line, or connect to the dedicated console
on the Prime Infrastructure physical or virtual appliance.
Step 2 Log in as appropriate: If you are using a GUI client: Enter the ID of an active administrator with CLI access and the IP
address or host name of the Prime Infrastructure server. Then initiate the connection. If you are using a command-line
client or session: Log in with a command like the following:[localhost]# ssh username@IPHost -Whereusername is the
user ID of a Prime Infrastructure administrator with CLI access to the server.IPHost is the IP address or host name of the

125
Start Prime Infrastructure
Prime Infrastructure server or appliance. If you are using the console: A prompt is shown for the administrator user name.
Enter the user name.
Prime Infrastructure will then prompt you for the password for the administrator ID you entered.
Step 3 Enter the administrative ID password. Prime Infrastructure will present a command prompt like the following:
PIServer/admin#.
Step 4 If the command you need to enter requires that you enter “configure terminal” mode, enter the following command at
the prompt:
The prompt will change from PIServer/admin# to PIServer/admin/conf#.
Related Topics
Start Prime Infrastructure

To start Prime Infrastructure:
Step 2 Enter the following command to start the Prime Infrastructure server or appliance:
PIServer/admin# ncs start
Related Topics
Check Prime Infrastructure Server Status

You can check on the status of all Prime Infrastructure server or appliance processes at any time, without
stopping the server. Technical Assistance personnel may ask you to perform this task when troubleshooting
a problem with Prime Infrastructure.
You can also check on the current health of the server using the dashlets on the Admin Dashboard (see
“Monitoring Prime Infrastructure Health”).
You can check on the status of High Availability options enabled on the server using the command ncs ha
status (see “Checking High Availability Status”).
Step 1 Open a CLI session with the Prime Infrastructure server (see “Connecting Via CLI”).
Step 2 Enter the following command to display the current status of Prime Infrastructure processes and services:
PIServer/admin# ncs status

126
Check Prime Infrastructure Version and Patch Status
For more details, see "Checking High Availability Status".
Related Topics
Check Prime Infrastructure Version and Patch Status

You can check on the version of a Prime Infrastructure server and the patches applied to it at any time, without
stopping the server. You will usually need to do this when upgrading or patching the server software.
Step 1 Open a CLI session with the Prime Infrastructure server (see “How to Connect via CLI”).
Step 2 Enter the following command to display the current status of Prime Infrastructure processes and services:
PIServer/admin# show version
Related Topics
Stop Prime Infrastructure

You can stop a Prime Infrastructure server or appliance at any time using the command line interface. Any
users logged in at the time you stop Prime Infrastructure will have their sessions stop functioning.
Step 1 Open a CLI session with the Prime Infrastructure server (see “How to connect via CLI”).
Step 2 Enter the following command to stop the Prime Infrastructure server or appliance:
PIServer/admin# ncs stop
Related Topics
Restart Prime Infrastructure Using CLI
Step 1 Open a CLI session with the Prime Infrastructure server (see “How to Connect via CLI”).
Step 2 Enter the following command to stop the Prime Infrastructure server or appliance:
PIServer/admin# ncs stop
Step 3 Wait for the previous command to complete.

127
Restart Prime Infrastructure Using GUI
Step 4 Enter the following command to restart the Prime Infrastructure server or appliance:
PIServer/admin# ncs start
Related Topics
Restart Prime Infrastructure Using GUI, on page 128
Restart Prime Infrastructure Using GUI

To restart the Prime Infrastructureserver from the server GUI, do the following.
Before you begin

You must have Root or Super User privilege to restart the Prime Infrastructure server using GUI.
Step 1 Choose Administration > System Settings > Server.

Step 2 Click Restart Prime Infrastructure.
Step 3 Check the Restart acknowledgment check box in the pop-up window and click Restart.
Related Topics
How to Remove Prime Infrastructure

You may need to remove Prime Infrastructure in preparation for a clean “from scratch” re-installation. You
can do so by following the steps below
Note that this procedure will delete all your existing data on the server, including all server settings and local
backups. You will be unable to restore your data unless you have a remote backup or access to disk-level data
recovery methods.
Step 1 Stop the server (see “Stop Prime Infrastructure”).

Step 2 In the VMware vSphere client, right-click the Prime Infrastructure virtual appliance.
Step 3 Power off the virtual appliance.
Step 4 Right click on the powered-off virtual appliance and select Delete from Disk option.
Related Topics

128
Reset Prime Infrastructure to Defaults
Reset Prime Infrastructure to Defaults

You may need to reset the installed Prime Infrastructure server to factory defaults, removing all user data and
customizations, but preserving the installation itself. You can do so by following the steps below.
Note that this procedure will delete all your existing data on the server host except for the default settings
supplied with Prime Infrastructure. You will be unable to restore your data unless you have a remote backup
or access to disk-level data recovery methods.
Step 1 Stop the server (see “Stop Prime Infrastructure”).

Step 2 Download the installation ISO image appropriate for your installed version of the Prime Infrastructure virtual or physical
appliance server software and burn it to DVD (see “How to Get the Installation ISO Image”).
Step 3 Power off the virtual appliance.
Step 4 Reinstall the appliance or OVA by booting the host from the DVD.
Related Topics
Change the Prime Infrastructure Host Name

Prime Infrastructure prompts you for a host name when you install the server. For a variety of reasons, you
may find there is a mismatch between the host name on the Prime Infrastructure server and the host name
elsewhere. If so, you can recover without reinstalling by changing the host name on the server.
Note Setting the hostname using hostnamectl changes the uppercase letters to lowercase. Although Redhat 7 and
CentOS 7 provide hostnamectl to set the hostname permanently, the real hostname will only be lowercase
even if the users specify any uppercase letters.
Step 1 Open a CLI session with the Prime Infrastructure server (see “How to Connect Via CLI”). Be sure to enter “configure
terminal” mode.
PIServer/admin(config)# hostname newHostName
Where newHostName is the new host name you want to assign to the Prime Infrastructure server.
Step 3 Restart the Prime Infrastructure server using the ncs stop and ncs start commands, as explained in "Restart Prime
Infrastructure" .
Related Topics

129
Enable the FTP User
Enable the FTP User

To use Prime Infrastructure as an FTP server for file transfers and software image management, an administrator
must configure an FTP account. Use the steps below to enable the account and set a password for it.
After you enable the ftp-user, you can FTP files to and from the /localdisk/ftp folder on standalone or, if
configured, High Availability primary servers only. You cannot use change directory (cd) or list directory
(ls) functionality with ftp-user.
PIServer/admin#ncs password ftpuser ftp-user password password
Where:
• ftp-user is the username for FTP operation.
• password is the login password for ftp-user.
Note The username for FTP must be ftp-user.
For example:
pi-system-999/admin# ncs password ftpuser root password MyPassword
Updating FTP password.
Saving FTP account password in credential store
Syncing FTP account password to database store - location-ftp-user
Syncing FTP account password to system store
Completed FTP password update
pi-system-999/admin#
Related Topics
Change the Root User Password

Administrators can change the password associated with this special administrative ID.
Step 1 Open a CLI session with the Prime Infrastructure server (see “How to Connect Via CLI”) in Related Topics.
PIServer/admin# ncs password root password password
Where password is the root user login password. You can enter a password not exceeding 80 characters.
For example:

130
Change the Admin Password using CLI
PIServer/admin# ncs password root password #password#

pi-system-198/admin# ncs password root password #password#
Password updated for web root user
pi-system-198/admin#
Related Topics
Change the Admin Password using CLI

A new ClI command “change-password” is introduced. Using this user can change their own passwords. This
command is available for all roles.
The following CLI users roles are applicable:
• Super-user (admin): Only one super-user is allowed which is created during the initial setup.
• Security-admin: Has highest privilege after super user.
• Network-admin: Has privilages to do network related configuration
• User: Has privilages for read only permissions.
Step 1 Open a CLI session with the Prime Infrastructure.

pi-cluster-54/admin# change-password
Changing password for user admin
Changing password for admin.
(current) UNIX password
Note When upgrading from previous 3.8 releases:
• User with name "admin" is converted to Super-user (admin).
• Users name which does not contain "admin" account from which upgrade is performed gets coverted to
super-user(admin).
• All the other admin users are converted to security-admin.
How to Recover Administrator Passwords on Virtual Appliances

You can recover (that is, reset) administrator passwords on Prime Infrastructure virtual machines (also known
as OVAs) installed on your own hardware.

131
How to Recover Administrator Passwords on Virtual Appliances
Before you begin

Ensure that you have:
• Physical access to the Prime Infrastructure server.
• A copy of the installation ISO image appropriate for your version of the software. See “How to Get the
Installation ISO Image” in Related Topics.
• Access to the VMware vSphere client, and to the vSphere inventory, Datastores and Objects functions.
If you do not have such access, consult your VMware administrator. You should avoid accessing ESX
directly from the vSphere client.
Step 1 Launch your VMware vSphere Client and connect to the ESXi host or vCenter server.
Step 2 Upload the installation ISO image to the data store on the OVA virtual machine, as follows:
a) In the vSphere Server, click Inventory > Summary > Datastores.
b) On the Objects tab, select the datastore to which you will upload the file.
c) Click the Navigate to the datastore file browser icon.
d) If needed, click the Create a new folder icon and create a new folder.
e) Select the folder that you created or select an existing folder, and click the Upload a File icon.
If the Client Integration Access Control dialog box appears, click Allow to allow the plug-in to access your operating
system and proceed with the file upload.
f) On the local computer, find the ISO file and upload it.
g) Refresh the datastore file browser to see the uploaded file in the list.
Step 3 With the ISO image uploaded to a datastore, make it the default boot image, as follows:
a) Using the VMware vSphere client, right-click the deployed OVA and choose Power > Power Off.
b) Select Edit Settings > Hardware, then select CD/DVD drive 1.
c) Under Device Type, select Datastore ISO File, then use the Browse button to select the ISO image file you uploaded
to the datastore.
d) Under Device Status, select Connect at power on.
e) Click the Options tab and select Boot Options. Under Force BIOS Setup, select Next time VM boots, force entry
into BIOS setup Screen. This will force a boot from the virtual machine BIOS when you restart the virtual machine.
f) Click OK.
g) In the VMware vSphere client, right-click the deployed OVA and choose Power > Power On.
h) In the BIOS setup menu, find the option that controls the boot order of devices and move DVD/CDROM to the top.
Step 4 Follow the steps below to reset a server administrator password:
a) Save your BIOS settings and exit the BIOS setup menu. The virtual machine will boot from the ISO image and display
a list of boot options.
b) Enter 3 if you are using the keyboard and monitor to access the OVA, or 4 if you are accessing via command line or
console. The vSphere client displays a list of administrator user names.
c) Enter the number shown next to the administrator username for which you want to reset the password.
d) Enter the new password and verify it with a second entry.
e) Make sure to disconnect ISO image before confirming the changes using the vSphere client.
f) Click the CD icon and select Disconnect ISO image.
g) Enter Y to save your changes and reboot.

132
How to Recover Administrator Passwords on Physical Appliances
Step 5 Log in with the new administrator password.
Related Topics
How to Recover Administrator Passwords on Physical Appliances

You can recover (reset) administrator passwords on Prime Infrastructure physical appliances.
Before You Begin
• Physical access to the Prime Infrastructure appliance.
• A copy of the appliance recovery CD that was supplied with the shipped appliance.
If you have lost the appliance recovery CD, download and burn a DVD copy of the ISO image, as explained
in “How to Get the Installation ISO Image”. You can then use the DVD to reset administrator passwords on
the appliance (see “How to Recover Administrator Passwords on Virtual Appliances” for detailed steps).
You can reset the password using,
• Console: KVM Console (Other console options are VGA Console and Serial Console/Serial Over
Lan-SOL)
• DVD mount option: KVM mapped DVD (Other mount options are CIMC mapped DVD and Physical
External DVD)
See Cisco Prime Infrastructure Hardware Installation Guide for additional information.
To recover the password using KVM Console, follow these steps:
Step 1 Launch Cisco Integrated Management Controller .

Step 2 Choose Server > Summary from the left navigation pane.
Step 3 Under Actions, click Launch KVM Console.
Step 4 In the console, choose Virtual Media > Activate Virtual Devices.
Step 5 Select Accept the session radio button and click Apply.
Step 6 In the console, choose Virtual Media > Map CD/DVD.
Step 7 Browse to the location of the Prime Infrastructure ISO image and click Map Device.
Step 8 In the console, choose Power > Reset System(warm boot).
Step 9 A confirmation message appears. Click Yes.
Step 10 The machine reboots and prompts to enter F6 for boot option. Press the function-key F6.
You may need to press F6 multiple times to see Enter boot selection menu... in the screen. You must wait for a few
minutes to get the boot device option.
Step 11 Select the desired DVD mount option and in this case, you must select Cisco vKVM-Mapped vDVD1.22.
Step 12 The vSphere client displays a list of boot options. Enter 3 to select the Recover administrator password
(Keyboard/Monitor) boot option.

133
Note If you are using Serial Console to recover password, then you must enter 4 to select the Recover administrator
password (Serial Console) boot option.
Step 13 The vSphere client displays a list of administrator user names. Enter the number shown next to the administrator user
name for which you want to recover (reset) the password and press Enter.
Step 14 Enter the new password and verify it with a second entry.
Step 15 Enter Y to save your changes and reboot the system.
Step 16 Login to the admin CLI with the new administrator password.
Note You can follow the same steps to recover password using VGA console and Serial console.
To recover the password using Serial Console/Serial Over Lan-SOL, follow these steps:
Step 1 Launch Cisco Integrated Management Controller server using SSH .

# ssh admin@(server IP)
Enter the admin password
Step 2 Map the ISO image.
C220-FCH1840V0BL# scope vmedia

C220-FCH1840V0BL /vmedia # map-www <VOLUME_NAME> <LOCATION> <ISO_FILE>
Server username: anonymous
Server password:
Confirm password:
C220-FCH1840V0BL /vmedia # show mappings
Volume Map-Status Drive-Type Remote-Share Remote-File
Mount-Type
---------------- ------------------------ ---------- ------------------------ ------------------------
-------- ------------------------
<VOLUME_NAME> OK CD <LOCATION> <IMAGE_NAME> www
C220-FCH1840V0BL /vmedia #
Step 3 Reboot the server:
# scope chasis
# power off
This operation will change the server's power state.
Do you want to continue?[y|N]y
#
#
# power on
This operation will change the server's power state.
Do you want to continue?[y|N]y
# exit
Step 4 Connect to Serial Over Lan Console.
# scope sol
# show detail
Serial Over LAN:
Enabled: yes
Baud Rate(bps): 9600

134
How to Recover Administrator Passwords on Hyper-V Virtual Appliances
Com Port: com0

# set enabled yes
# set baud-rate 9600
# commit
# connect host // to connect sol cosole
Step 5 The machine reboots and prompts to enter F6 for boot option. Press the function-key F6.
You may need to press F6 multiple times to see Enter boot selection menu... in the screen. You must wait for a few
minutes to get the boot device option.
Step 6 Select the desired DVD mount option and in this case, you must select Cisco CIMC-Mapped vDVD1.22.
Step 7 The vSphere client displays a list of boot options. Enter 4 to select the Recover administrator password (Serial
Console) boot option.
Note To recover administrator password for Gen 3 appliances, it is recommended to use Serial Over Lan
(Serial console)
Step 8 The vSphere client displays a list of administrator user names. Enter the number shown next to the administrator user
name for which you want to recover (reset) the password and press Enter.
Step 9 Enter the new password and verify it with a second entry.
Step 10 Enter Y to save your changes and reboot the system.
Step 11 Login to the admin CLI with the new administrator password.
How to Recover Administrator Passwords on Hyper-V Virtual Appliances

You can recover (reset) administrator passwords on Prime Infrastructure Hyper-V Virtual appliances.
Before You Begin
• Physical access to the Prime Infrastructure appliance.
• A copy of the installation ISO image appropriate for your version of the software. See How to Get the
Installation ISO Image, on page 136.
• Access to the Hyper-V Machine, and to the Hyper-V manager. If you do not have the access, get help
from your Hyper-V administrator.
Step 1 Launch your Hyper-V Machine and make sure ISO image available in your Hyper-V Machine.
Step 2 Connect to the Hyper-V Manager.
a) Right-click the virtual machine for which you want to reset the password and select Connect.
The Virtual Machine Connection window opens.
b) Choose Media > DVD Drive > Insert Disk.
c) Browse and select the ISO image.
d) Turn Off and Start the virtual machine as follows:
• Choose Action > Turn Off.
• Click Turn Off in the Turn Off Machine pop-up.

135
How to Get the Installation ISO Image
• Choose Action > Start.
Step 3 The virtual machine will boot from the ISO image and will display a list of boot options.
a) Enter 3 (The option for recovering Administrator password)
b) Enter the number shown for the administrator username for which you want to reset the password.
c) Enter the new password and verify it with a second entry.
d) Enter Y to save your changes and reboot.
e) Wait until the machine gets rebooted.
Step 4 Log in with the new administrator password.
How to Get the Installation ISO Image

Copies of the Prime Infrastructure installation ISO image are needed for some special maintenance operations,
such as resetting administrator passwords.
Prime Infrastructure ISO image files have the format PI-APL-version-K9.iso , where version is the version
number of the product. The version number will often contain extended numbering indicating the patch level
of the product. For example: If you were using a fully-updated version of Prime Infrastructure 3.9, you
wouldmust download the PI-APL-3.9.0.0.219-1-K9.iso from Cisco.com
If you do not have a copy of the ISO image, you can download it from Cisco.com using the steps below:
Step 1 On a browser with internet access, link to the Cisco Software Download Navigator (see Related Topics).
Step 2 Use the Find box to search for “Cisco Prime Infrastructure”.
Step 3 From the results list, select the software version you are using.
Step 4 Select Prime Infrastructure Software to display the list of ISOs and other downloadable image files for that software
version.
Step 5 Download the ISO image from the page.
Step 6 When the download is complete, check that the MD5 checksum of the downloaded file matches the checksum shown for
the file on its Cisco.com download page. If the checksums do not match, the file is corrupt, and you will need to download
it from Cisco.com again.
Step 7 If you need the ISO image on disk: Burn the ISO image to a Dual Layer DVD using DVD authoring software. For reliable
results, we recommend that you conduct the burn at single (1X) speed and with the “Verify” option turned on.
For more details, see https://software.cisco.com/download/navigator.html and Cisco Prime Infrastructure 3.9 Appliance
Hardware Installation Guide
Related Topics

136
How to Update Prime Infrastructure With Latest Software Updates
How to Update Prime Infrastructure With Latest Software

Updates
Cisco provides updates to Prime Infrastructure software periodically. These updates fall into the following
categories:
• Critical Fixes—Provide critical fixes to the software. We strongly recommend that you download and
apply all of these updates as soon as they are available.
• Device Support—Adds support for managing devices which Prime Infrastructure did not support at
release time. These updates are published on a monthly basis.
• Add-Ons—Provide new features, which can include new GUI screens and functionality, to supplement
the Prime Infrastructure version you are using.
For details on how to find these updates, and how to get notifications when they are released, see “View
Installed and Available Software Updates” in Related Topics.
The update notifications that Prime Infrastructure displays are based on the Notification Settings you specify
using Administration > Settings > System Settings > Software Update. For details, see “Configuring
Software Update Notifications”.
For details on installing these updates, see “Install Software Updates”.
For details on streamlining your software update notifications and installations using your Cisco.com account,
see “How to Use Your Cisco.com Account Credentials with Prime Infrastructure”.
Related Topics
View Installed and Available Software Updates, on page 137
Configure Software Update Notifications, on page 138
Install Software Updates, on page 139
How to Use Your Cisco.com Account Credentials with Prime Infrastructure, on page 141
View Installed and Available Software Updates

Prime Infrastructure allows you to:
• Receive notifications when new software updates become available.
• Modify how and when you are notified that new software updates are available.
• View the details of each update.
• See which software updates have been installed.
The following topics explain how to perform each of these tasks.
Related Topics
How to Get Software Update Notifications, on page 138
View Details of Installed Software Updates, on page 138
View Installed Updates From the Login Page, on page 139
View Installed Updates From the About Page, on page 139
How to Update Prime Infrastructure With Latest Software Updates, on page 137

137
How to Get Software Update Notifications
How to Get Software Update Notifications

When properly configured, Prime Infrastructure will notify you automatically when new software updates
are available.
Step 1 Choose Administration > Settings > System settings > Account Settings.
Step 2 Enter a valid Cisco.com user name and password.
Step 3 Click Save.
Step 4 Choose Administration > Settings > System Settings > General > Software Update.
Step 5 Under Notification Settings, select the categories for which you want updates displayed on the Administration > Software
Update page.
Step 6 Click Save.
To see notifications: Click on the notifications icon at the top right, next to the alarms icon.
Related Topics
How to Use Your Cisco.com Account Credentials with Prime Infrastructure, on page 141
Configure Software Update Notifications

You can modify the update notifications that Prime Infrastructure displays on the Administration > Software
Update page. For example, if you do not want to install any updates to Prime Infrastructure, you can disable
all notification and prevent Prime Infrastructure from displaying notifications of available updates.
Step 1 Choose Administration > Settings > System Settings > General > Software Update.
Step 2 Under Notification Settings, select the categories for which you want updates displayed on the Administration > Software
Update page.
Step 3 Click Save.
Related Topics
How to Get Software Update Notifications, on page 138
View Details of Installed Software Updates
Step 1 Choose Administration Settings > Licenses and Software Updates > Software Update.
Step 2 Click the Updates tab to see the Name, Type, Version, Status and Date of each installed software update.
To filter this list, click the Filter icon at the right side of the Updates tab and select the categories of installed updates you
want to see.

138
View Installed Updates From the Login Page
Step 3 Click the Files tab to see the list of installed UBF files and downloaded UBF files which have yet to be installed.
To delete a software update file that has not yet been installed, select the file and click Delete.
Related Topics
View Installed Updates From the Login Page
Step 1 Launch or log out of Prime Infrastructure. The login page displays.
Step 2 Click View installed updates. Prime Infrastructure displays a popup list of the names and versions of all installed software
updates.
Step 3 Click the Close button to close the popup list.
Related Topics
View Installed Updates From the About Page
Step 1 Click the settings icon at the upper right corner of any Prime Infrastructure page.
Step 2 Click About Prime infrastructure. The About page appears, listing the version of the product and other details.
Step 3 Click View installed updates. Prime Infrastructure displays a popup list of the names and versions of all installed software
updates.
Step 4 Click the Close button to close the popup list.
Related Topics
Install Software Updates

Prime Infrastructure periodically provides critical fixes, device support, and add-on updates that you can
download and install by choosing Administration > Software Update. Depending on your connectivity and
preference, you can install software updates by:
• Downloading updates directly from cisco.com to the Prime Infrastructure server.
To use this method, your Prime Infrastructure server must be able to connect externally to Cisco.com.
For details, see “Install Software Updates from Cisco.com” in Related Topics.

139
Install Software Updates from Cisco.com
• Downloading software update files to a client or server with external connectivity,

then uploading them to and installing them on the Prime Infrastructure server. For details, see “Upload
and Install Downloaded Software Updates” in Related Topics.
Related Topics
Install Software Updates from Cisco.com, on page 140
Upload and Install Downloaded Software Updates, on page 140
Install Software Updates from Cisco.com

The following steps explain how to install software updates directly from Cisco.com. This procedure assumes
that Prime Infrastructure has external connectivity to Cisco.com and that you want to download updates
directly from Cisco.com.
Step 1 Choose Administration > Licenses and Software Updates > Software Update.
Step 2 Click the download link at the top of the page to get the latest updates from Cisco.com.
Step 3 Enter your Cisco.com login credentials. Prime Infrastructure lists the available updates.
If you receive an error indicating there was a problem connecting to cisco.com, verify your proxy settings by choosing
Administration > Settings > System Settings > General > Account Settings > Proxy. If your proxy settings are not
working, deselect Enable Proxy, then click Save.
Step 4 Click Show Details to see the details about the updates.
Step 5 Click Download next to the update you want to install.
Step 6 After the update has been downloaded, click Install.
Step 7 Click Yes in the pop-up message. The server will restart automatically.
Step 8 When the restart is complete, choose Administration > Licenses and Software Updates > Software Update. The
Updates table should show the update as “Installed”.
Related Topics
Upload and Install Downloaded Software Updates

The following steps explain how to upload and install software updates. This procedure is useful when your
Prime Infrastructure server does not have external connectivity, or you prefer to download files on a different
server.
Step 1 Choose Administration > Licenses and Software Updates > Software Update.
Step 2 Click the upload link at the top of the page.
Step 3 On the Upload Update window, click Cisco Download, which displays Cisco.com’s “Download Software” page.
Step 4 Select Products > Cloud and Systems Management > Routing and Switch Management > Network Management
Solutions > Prime Infrastructure.

140
How to Use Your Cisco.com Account Credentials with Prime Infrastructure
Step 5 Select the correct version of Prime Infrastructure.

Step 6 Select an update software type (such as “Prime Infrastructure Device Packs”).
Step 7 From the page that appears, click Download next to the file containing the updates you want. The file will have a UBF
filename extension.
If you have not already stored your Cisco.com credentials (see “Saving Cisco.com Account Credentials in Prime
Infrastructure” in Related Topics), you will be prompted to log in to Cisco.com, and to accept your organization’s active
license agreement with Cisco, before you can download the update file.
Be sure to download software updates that match your Prime Infrastructure version. For example, if you were running
Prime Infrastructure 3.9, be sure to download software updates for version 3.9 only.
Step 8 With the update file downloaded to your client machine, return to the Prime Infrastructure tab and choose Administration
> Licenses and Software Updates > Software Update.
Step 9 Click Upload and browse to locate and select the update file you downloaded.
Step 10 Click Install.
Step 11 Click Yes in the pop-up message. The server will restart automatically.
Step 12 When the restart is complete, choose Administration > Licenses and Software Updates > Software Update. The
Updates table should show the update as “Installed”.
Related Topics
Save Cisco.com Account Credentials in Prime Infrastructure, on page 141
How to Use Your Cisco.com Account Credentials with Prime Infrastructure

You can store your Cisco.com account user name and password in Prime Infrastructure. Doing so will allow
you to streamline download and installation of software updates, and speed automatic checking and notification
of updates.
Note that Prime Infrastructure stores only one set of Cisco.com credentials at a time. The password is stored
in secure, encrypted form. It will use this stored user name and password to do all software update notification
checks until such time as another user either deletes the stored credentials (as explained in “Deleting Cisco.com
Account Credentials” in Related Topics) or overwrites them by entering a new Cisco.com user name and
password.
Related Topics
Save Cisco.com Account Credentials in Prime Infrastructure, on page 141
Deleting Cisco.com Account Credentials, on page 142
Save Cisco.com Account Credentials in Prime Infrastructure
Step 1 Choose Administration > Settings > System settings > Account Settings
Step 2 Enter a valid Cisco.com user name and password.

141
Deleting Cisco.com Account Credentials
Step 3 Click Save.
Related Topics
Install Software Updates from Cisco.com, on page 140
Deleting Cisco.com Account Credentials
Step 1 Choose Administration > Settings > System settings > Account Settings.
Step 2 Click Delete.
Step 3 Click Yes to confirm the deletion.
Related Topics
How to Configure Support Request Settings

The Support Request Settings page allows you to configure the general support and technical support
information.
Step 1 Choose Administration > Settings > System Settings > Support Request. The Support Request Settings page appears.
Step 2 Configure the following parameters:
• General Support Settings:
• Enable interactions directly from the server—Select this check box to allow interactions for support requests
directly from the server.
• Sender E mail Address—Enter the email address of the support request sender.
• Interactions via client system only—Select this check box to allow interactions for support requests only through
client system.
• Technical Support Provider Information:

• Cisco—Select this check box if the technical support provider is Cisco.
• Default Cisco.com Username—Enter a default username to log in to Cisco.com. Click Test Connectivity to
test the connections to the mail server, Cisco support server, and forum server.
• Third-Party Support Provider—Select this check box if the technical support provider is a third party other than
Cisco. Enter the email address, email subject line format, and website URL of the support provider.

142
How to Manage Disk Space Issues
Step 3 Click Save Settings.
Related Topics
Open a Cisco Support Case, on page 251
Join the Cisco Support Community, on page 252

Whenever disk space on the physical or virtual Prime Infrastructure server reaches 90 percent, the server will
trigger a Major alert indicating that the server is low on disk space.
Threshold crossings for these alarms are calculated based on the usage of the Prime Infrastructure optvol and
localdiskvol partitions only. The optvol partition contains the Oracle database used to store all of Prime
Infrastructure’s inventory and network data, while localdiskvol stores local application backups, WLC and
MSE backups, and reports. The settings that trigger the alarms are defined in the file
PackagingResources.properties, which you can find in the Prime Infrastructure server in the folder
/opt/CSCOlumos/conf/rfm/classes/com/cisco/packaging.
We recommend that administrators take action to increase disk space immediately upon receiving the Major
alert. You can do this using any combination of the following methods:
• Free up existing database space as explained in “Compacting the Prime Infrastructure Database”.
• Reduce the storage load on the localdiskvol partition by setting up and using remote backup repositories,
as explained in “Using Remote Backup Repositories”.
• Reduce the storage load on the optvol partition by reducing the amount and storage period for which you
retain inventory and network data:
• Reduce the length of time you store client association data and related events, as explained in
“Specifying How Long to Retain Client Association History Data” and “Saving Client Traps as
Events”.
• Reduce the length of time you store reports, as explained in “Controlling Report Storage and
Retention”.
• Reduce the retention period for network inventory, performance, and other classes of data, as
explained in “Specifying Data Retention by Category” and “Enabling DNS Hostname Lookup”.
• Increase the amount of existing virtual disk space allocated to Prime Infrastructure, as explained in
“Modifying VM Resource Allocation Using VMware vSphere Client”. If you are using VMware ESXi
5.5 or later, use the vSphere Web Client to adjust disk space allocation (for details, see the “VMware
vSphere documentation” in Related Topics). You can also install additional physical disk storage and
then use VMware Edit Settings or the vSphere Web Client to allocate the additional storage to Prime
Infrastructure.
• Move the Prime Infrastructure server installation to a server with adequate disk space, as explained in
“Migrating to Another OVA Using Backup and Restore” and “Migrating to Another Appliance Using
Backup and Restore”. For more details, see "VMware vSphere Documentation".
Related Topics
Specify How Long to Retain Client Association History Data, on page 118
Save Client Traps as Events, on page 119

143
How Data Retention Settings Affect Web GUI Data, on page 145
Specify Data Retention By Database Table, on page 149
Enable DNS Hostname Lookup, on page 118
Migrate to Another Physical Appliance Using Backup and Restore, on page 62

144
CHAPTER 6
Data Collection and Background Tasks
• Control Data Collection Jobs, on page 145
• How Data Retention Settings Affect Web GUI Data, on page 145
• About Historical Data Retention, on page 146
• Performance and System Health Data Retention, on page 147
• Alarm, Event, and Syslog Purging, on page 153
• Log Purging, on page 154
• Report Purging, on page 154
• Backup Purging, on page 155
• Device Configuration File Purging, on page 155
• Software Image File Purging, on page 155
• Control System Jobs, on page 155
• Migrate Data from Cisco Prime LMS to Cisco Prime Infrastructure, on page 165
Control Data Collection Jobs

All data collection tasks (and data purging tasks) are controlled from the Jobs Dashboard. See Manage Jobs
Using the Jobs Dashboard. Data collection jobs are listed under About System Jobs.
How Data Retention Settings Affect Web GUI Data

Changes you make on the Data Retention page determine the information that is displayed in the web GUI.
You can open the data retention page by choosing Administration > Settings > System Settings, then
choosing General > Data Retention.
For example, if you do not need any historical performance data older than 7 days, you can modify the
performance data retention values as follows:
• Short-term Data Retention Period—1 day
• Medium-term Data Retention Period—3 days
• Long-term Data Retention Period—7 days

145
About Historical Data Retention
If you specify these settings, all data displayed in performance reports and on performance dashboards will
be for the previous 7 days only. When you generate a performance report, even if you select a reporting period
longer than the last 7 days, the report will contain data from the last 7 days only (because that is all of the data
you selected to retain).
Similarly, if you view a performance dashboard and select a time frame longer than one week, the dashboard
will contain date from the last 7 days only.
When you create the monitoring policy for interfaces, you can define the polling interval for every 15 minutes
or every 5 minutes or every 1 minute. According to the selected polling interval, the device data is polled and
stored in Oracle Database. The data is aggregated every 1 hour into the AHxxx table; once a day into the
ADxxx table irrespective of the polling interval is set to1/5/15 minutes.
In the Interface Health Policy tab, if the frequency is set at 5 mins, you can view 12 samples for each hour.
Every hour the data moves to the aggregated table and an average or mean interface statistics is calculated ,
and there will be one entry in the hourly aggregated table. The aggregation is the same for all the policies no
matter what the polling interval is.
You can view data retention details and the age of the data storage, the event time in milliseconds and for
each database the entity ID and the event time.View the performance data and aggregate data in the Performance
Dashlet, > Interfaces > Traffic Utilization tab.
About Historical Data Retention

Prime Infrastructure retains two types of historical data:
1. Non-aggregated historical data—Numeric data that cannot be gathered as a whole or aggregated. Client
association history is one example of non-aggregated historical data.
You can define a retention period (and other settings) for each non-aggregated data collection task. For
example, you can define the retention period for client association history in Administration > Settings >
System Settings > Client. By default, the retention period for all non-aggregated historical data is 31 days
or 1 million records. This retention period can be increased to 365 days.
1. Aggregated historical data—Numeric data that can be gathered as a whole and summarized as minimums,
maximums, or averages. Client count is one example of aggregated historical data.
Types of aggregated historical data include:
• Trend: This includes wireless-related historical information such as client history, AP history, AP
utilization, and client statistics.
• Device health: This includes SNMP polled data for wired and wireless devices, such as device availability,
and CPU, memory, and interface utilization, and QoS.
• Network audit records: This includes audit records for configuration changes triggered by users, and so
on.
• Performance: This includes Assurance data such a traffic statistics, application metrics, and voice metrics.
• System health records: This includes most data shown on Prime Infrastructure administrator dashboards.
The retention periods for these aggregation types are defined as Default, Minimum, and Maximum (see the
table below). Use the Administration > Settings > System Settings > General > Data Retention page to
define aggregated data retention periods. Aggregation types include hourly, daily, and weekly.
Table 12: Retention Periods for Aggregated Historical Data
Trend Data Retention Periods

146
Performance and System Health Data Retention
Period Default Minimum Maximum
Hourly 7 days 1 days 31 days
Daily 90 days 7 days 365 days
Weekly 54 weeks 2 weeks 108 weeks
Device Health Data Retention Periods
Hourly 15 days 1 day 31 days
Daily 90 days 7 days 365days
Weekly 54 weeks 2 weeks 108 weeks
Performance Data Retention Periods
Short-Term Data 7 days 1 day 31 days‘
Medium-Term Data 31 days 7 days 365 days
Long-Term Data 378 days 2 days 756 days
Network Audit Data Retention Period
All audit data 7 days 7 weeks 365 days
System Health Data Retention Periods
Hourly 7 days 1 day 31 days
Daily 31 days 7 days 365 days
Weekly 54 weeks 7 weeks 365 days
User Job Data Retention Periods
Weekly 7 days 7 days 7 days
The performance data is aggregated as follows:

• Short-term data is aggregated every 5 minutes.
• Medium-term data is aggregated every hour.
• Long-term is aggregated daily.
Note Cisco recommends you do not change the retention periods for trend, device health, system health, and
performance data because the default settings are optimized to get the most helpful information from interactive
graphs.

147
The following table describes the information shown on the Data Retention page.
Type of Data Description Default Retention Settings Retention

Settings
Range
Trend Data Device-related historical information. Trend Hourly data retain period: 15 Hourly data:
Retain data is gathered as a whole and summarized (days) 1 to 31
Periods as minimums, maximums, or averages. (days)
Daily data retain period: 90
(days) Daily data: 7
to 365 (days)
Weekly data retain period: 54
(weeks) Weekly data:
2 to 108
(weeks)
Device SNMP-polled device data such as device Hourly data retain period: 15 Hourly data:
Health Data reachability, and utilization for CPU, (days) 1 to 31
Retain memory, and interfaces. (days)
Periods
(days) Daily data: 7
to 365 (days)
(weeks) Weekly data:
2 to 108
(weeks)
Performance Assurance data such as traffic statistics. Short term data retain period: 7 Short term
Data Retain (days) range: 1 to
• Short-term data is aggregated every 5
Periods 31 (days)
minutes. Medium term data retain period:
31 (days) Medium term
• Medium-term data is aggregated every range: 7 to
hour. Long term data retain period:
365 (days)
378 (days)
• Long-term is aggregated daily. Long term
range: 2 to
Note You can click Advanced Settings 756 (days)
to configure the Age (In days)
and Max Records of the available
attributes.
Network Audit records for configurations triggered by Audit data retain period: 90 7 to 365
Audit Data users, and so on. (days) (days)
Retain Period
User Job Data All records for the user jobs in the completed User job data retain period: 7 2 to 365
Retain Period state. (days) (days)

148
Specify Data Retention By Database Table
Type of Data Description Default Retention Settings Retention

Settings
Range
System Includes most data shown on the Admin Hourly data retain period: 1 Hourly data
Health Data dashboards (days) range: 1 to
Retain 31 (days)
Periods
(days) Daily data
range: 7 to
365 (days)
(weeks)
Weekly data
range: 2 to
108 (weeks)
Specify Data Retention By Database Table

Administrators can use the “Other Data Retention Criteria” section of the Data Retention page to configure
retention periods for specific Prime Infrastructure database tables. You specify the retention period using the
following attributes:
• Age (in hours): Specifies the maximum data retention period in hours for all records in the database.
• Max Records: Specifies the maximum number of records to retain in a particular database table. A Max
Records value of NA means that the only retention criteria considered is the Age attribute.
The section is categorized into multiple subsections. Each subsection list each database table name, along
with the current Age and Max Records used to determine whether an individual record in the table will be
retained or discarded. The page also lists the table Age Attribute used to compute the age of the data in the
table. The Optical Devices category is not applicable for Prime Infrastructure.
We strongly recommend you to consult with Cisco Technical Assistance Center before changing the values
for any of the tables in this section. Doing so without help may affect system performance negatively.
Step 1 Choose Administration > Settings > System Settings > General > Data Retention.
Step 2 Expand the Other Data Retention Criteria section.
Step 3 Expand the database table subsection for which you want to specify Age and Max Records values.
Step 4 Click on the database table listing and enter the new values as needed.
Step 5 Click Save.
Specify Client Data Retrieval and Retention

Administrators can use Prime Infrastructure’s Client page to configure parameters affecting retention of data
on network clients, including:
• Data on disassociated clients. The default is seven days, and this applies irrespective of whether the
clients will ever attempt to associate again.
• Data on client session histories. You can also specify the maximum number of session entries to keep,
specified as rows in the Prime Infrastructure database.

149
Enable Data Deduplication
• Cached client host names retrieved from a DNS server.

In addition to these data-retention options, the page allows you to enable and disable options to:
• Automatically troubleshoot clients using a diagnostic channel when traps are received from these clients.
• Automatically retrieve client host names from a DNS server.
• Poll clients when traps or syslogs are received from these clients
• Discover clients from enhanced client traps.
• Discover wired clients on trunk ports .
• Save as Prime Infrastructure events routine client association and disassociation traps and syslogs. This
option is disabled by default, to avoid Prime Infrastructure performance problems on large networks
during periods (such as network setup) when these kinds of traps and syslogs may be numerous. You
may want to enable this option at all other times.
• Save all 802.1x and 802.11 client authentication-failure traps as Prime Infrastructure events. This option
is disabled by default, to avoid Prime Infrastructure performance problems on large networks during
periods (such as network setup) when these kinds of traps and syslogs may be numerous. You may want
to enable this option if your network is stable.
Step 2 Under Data Retention, modify the values as required.
Step 3 Click Save.
Enable Data Deduplication

Data deduplication allows you to identify authoritative sources for each of the following classes of application
data:
• Application Response Time data for TCP applications
• Traffic analysis data for all applications
• Voice/Video data for RTP applications
Prime Infrastructure stores all data it receives about network elements and protocols, including any duplicate
data that it may receive from multiple sources. When you specify authoritative data sources, only the data
from the specified sources is displayed when you view a particular location or site.
The Data Deduplication page allows you to specify one or more authoritative data sources at a specific location.
For example, if you have a Network Analysis Module (NAM) at a branch office as well as NetFlow data that
is sent from the same branch, you can choose to have Prime Infrastructure display only the NAM or the
NetFlow data for that location.
Step 1 Choose Services > Application Visibility & Control > Data Deduplication.
Step 2 Select the Enable Data Deduplication checkbox and click Apply. The Data Deduplication page displays the list of your
defined location groups.
Step 3 To automatically detect authoritative sources at all locations, click Auto-Detect. If it can identify them, Prime Infrastructure
will fill in the address of an authoritative source in the list box under the column listing sources for each of the classes
of application data.

150
Control Report Storage and Retention
Step 4 To specify authoritative sources for a class of application data at a specific location:
a) Click the location group name.
b) Click the drop-down list box under the class of application data for which you want to specify an authoritative source
(for example: click in the list box under “Application Response Time”).
c) From the drop-down list, select the data sources you want to specify as authoritative for that location and application
data type. Then click OK.
d) Click Save to save your selections.
Repeat this step as needed for each location and application data type for which you want to specify authoritative
data source.
Step 5 When you are finished, click Apply to save your changes.
Control Report Storage and Retention

All scheduled reports are stored in the Scheduled Reports Repository. You will want to ensure that scheduled
reports are retained in the report repository for reasonable lengths of time only, and deleted on a regular basis.
Step 1 Choose Administration > Settings > System Settings > General > Report . The Report page appears.
Step 2 In Repository Path, specify the report repository path on the Prime Infrastructure server.
Step 3 In File Retain Period, specify the maximum number of days reports should be retained.
Step 4 In the External Server Settings section, provide SFTP details such as Server Host, Server Port, User Name, Password,
and the Repository Path (where the reports need to be stored in the external server).
Step 5 Click Save.
Specify Inventory Collection After Receiving Events

The Inventory page allows you to specify if Prime Infrastructure must collect inventory when a syslog event
is received for a device.
Step 1 Choose Administration > Settings > System Settings > Inventory . The Inventory page appears.
Step 2 Select the Enable event based inventory collection check box to allow Prime Infrastructure to collect inventory when
it receives a syslog event for a device.
Step 3 Select the Enable Syslog and Traps on device check box to allow Prime Infrastructure to enable syslog and trap
notifications on newly added devices.
Note This feature is not supported on the Cisco Nexus devices.
Step 4 Click Save.

151
Control Configuration Deployment Behavior
Control Configuration Deployment Behavior

Administrators can choose to have device configurations backed up or rolled back whenever Prime Infrastructure
users deploy new device configuration templates. They can also control how Cisco WLC configurations are
archived, as explained in the following related topics.
Related Topics
Archive Device Configurations Before Template Deployment, on page 152
Roll Back Device Configurations on Template Deployment Failure, on page 152
Specify When and How to Archive WLC Configurations, on page 152
Archive Device Configurations Before Template Deployment

With Backup Device Configuration enabled, Prime Infrastructure automatically backs up all device running
and startup configurations before deploying new configuration templates.
Step 1 Choose Administration > Settings > System Settings > Inventory > Configuration.
Step 2 Select the Backup Device Configuration check box.
Step 3 Click Save.
Related Topics
Roll Back Device Configurations on Template Deployment Failure, on page 152
Roll Back Device Configurations on Template Deployment Failure

With Rollback Configuration enabled, Prime Infrastructure automatically rolls back each device to its last
archived running and startup configurations when any attempt to deploy a new configuration template to the
device has failed.
Step 1 Choose Administration > Settings > System Settings > Configuration.
Step 2 Select the Rollback Configuration check box.
Step 3 Click Save.
Specify When and How to Archive WLC Configurations

By default, Prime Infrastructure keeps a backup archive of startup configurations for each device running
Cisco Wireless LAN Controller (WLC) software whenever it:
• Collects initial out-of-box inventory for these devices
• Receives notification of a configuration change event for these devices
Prime Infrastructure provides configuration archive support for devices running Cisco WLC software. The
configuration archive includes only startup configurations. The running configurations are excluded from
configuration archive.
You can change many of the basic parameters controlling Cisco WLC configuration archiving, including:
• The maximum timeout on all Cisco WLC configuration operations (fetch, archive or rollback).

152
Alarm, Event, and Syslog Purging
• The maximum time to to wait before updating the Cisco WLC configuration archive summary information.
• Whether or not to archive configurations at initial inventory collection, after each inventory
synchronization, and on receipt of configuration change events.
• Whether or not to mask security information when exporting archived configurations to files.
• The maximum number of archived configurations for each device and the maximum number of days to
retain them.
• The maximum number of thread pools to devote to the archive operation. Increasing the default can be
helpful with Prime Infrastructure performance during archiving of changes involving more than 1,000
devices.
You can also tell Prime Infrastructure to ignore for archive purposes any change that involves specified
commands on devices of a given family, type, or model. This is useful when you want to ignore insignificant
or routine changes in a few parameters on one or many devices.
Step 1 Choose Administration > Settings > System Settings > Configuration Archive.
Step 2 On the Basic tab, change the basic archive parameters as needed.
Note The option of masking the security content while exporting is included in the Inventory > Device Management
> Configuration Archive page. See Download Configuration Files for more information.
Step 3 To specify devices and configuration commands to exclude from archived configurations:
a) Click the Advanced tab.
b) In the Product Family list, choose the device(s) for which you want to specify configuration commands to exclude.
Use the List/Tree View dropdown, or click the > icons to drill down to individual product types and models for which
you want to specify exclude commands.
c) In the Command Exclude List, enter (separated by commas) the configuration commands you want to exclude for
the currently selected device family, type, or model.
If the device(s) you select has configuration changes and Prime Infrastructure detects that the change is one of the
specified commands in the Exclude List, Prime Infrastructure will not create an archived version of the configuration
with this change.
d) Click Save.
e) To remove a specified set of command exclusions for a device family, type or model, select the device(s) in the
Product Family list and click Reset.
Alarm, Event, and Syslog Purging
Note These default purging settings are provided to ensure optimal performance. Use care when adjusting these
settings, especially if Prime Infrastructure is managing a very large network (where increasing these settings
may have an adverse impact).
Prime Infrastructure stores a maximum of 8000000 events and 2000000 syslogs in the database.

153
Log Purging
To protect system performance, Prime Infrastructure purges alarms, events, and syslogs according to the
settings in the following table. All of these settings are enabled by default. Data is deleted on a daily basis.
Alarm tables are checked hourly, and if the alarm table exceeds the 300,000 limit, Prime Infrastructure deletes
the oldest cleared alarms until the alarms table size is within the limit.
Data Type Deleted after: Default Setting
Alarms—Cleared security alarms 30 days Enabled
Alarms—Cleared non-security alarms 7 days Enabled
Events 30 days Enabled
Syslogs 30 days Enabled
Alarms 30 days Disabled
To change the settings, choose Administration > Settings > System Settings, then choose Alarms and
Events > Alarms and Events and modify the settings in the Alarm and Event Cleanup Options area.
Log Purging
You can adjust the purging settings for logs by choosing Administration > Settings > Logging . Logs are
saved until the reach the maximum size. At that point, a number is appended to the log file and a new log is
started. When the number of logs exceeds the maximum, the oldest log is deleted.
The following table lists the default purging values for General and SNMP logs.
Log Type Size of Logs Number of Logs To change the setting, see:
General 10 MB 10 Adjust General Log File Settings and Default Sizes,

on page 257
SNMP 10 MB 5 View and Manage General System Logs, on page 256
Report Purging
By default, reports are stored in a repository named /localdisk/ftp/reports and are deleted after 31 days from
that directory. Reports filters that you set from the filters page are saved in the database and are not purged.
Step 1 Choose Administration > Settings > System Settings, then choose General > Reports.
Step 2 If required, adjust the location for the reports repository on the server. The repository must reside under the FTP root
partition.
Step 3 If you want to change the default purging age, enter a new value in the File Retain Period field
Step 4 Click Save.

154
Backup Purging
Backup Purging
By default, 2 backups are saved for backups in local repositories. If you are using remote repositories, there
is no automatic backup purging mechanism; you must manually delete old backups. See Change the Number
of Automatic Application Backups That Are Saved, on page 57.
Device Configuration File Purging

For each device, 5 configuration files are saved in the configuration archive. Any file that is older than 30
days is purged. Device configuration files cannot be manually deleted. .
Software Image File Purging

Device software image files are not automatically purged from the database. They must be manually removed
using the GUI client.
Control System Jobs

Prime Infrastructure performs scheduled data collection jobs on a regular basis. You can change each job’s
schedule, pause or resume it, or execute it immediately.
Disabling or limiting these System jobs can have a direct impact on how you use Prime Infrastructure, especially
for reporting. To help you consider these impacts, take note of the reports this data is used in.
Related Topics
Schedule Data Collection Jobs, on page 155
Resume Data Collection Jobs, on page 156
Run Data Collection Jobs Immediately, on page 156
About System Jobs, on page 156
Schedule Data Collection Jobs

System jobs run on a regular default schedule, as described in About System Jobs . You can re-schedule them
as needed.
Step 1 Choose Administration > Dashboards > Job Dashboard > System Jobs.
Step 2 Select the category of data collection job you want to re-schedule (e.g., APIC-EM Integration, Assurance and Health
Summary, Infrastructure, Inventory and Discovery, or Status and Wireless Monitoring).
Step 3 Click the check box next to the system job you want to re-schedule.
Step 4 Click Edit Schedule and specify the schedule you want the job to run on.
You can select the date and time the job is executed. You can choose to have the job recur on a minute, hourly, daily,
weekly, monthly or annual basis. No end time has been specified by default.

155
Resume Data Collection Jobs
Step 5 When you are finished, click Submit.
Resume Data Collection Jobs

You can pause any scheduled data collection job, and resume it if already paused.
Step 2 Select the category of data collection job you want to pause or resume (e.g., APIC-EM Integration, Assurance and
Health Summary, Infrastructure, Inventory and Discovery, or Status and Wireless Monitoring).
Step 3 Click the check box next to the system job you want.
Step 4 Click Pause Series to stop the job from executing.
If the job is already paused, click Resume Series to resume execution on the current schedule.
Run Data Collection Jobs Immediately

In addition to the steps below, you can run a job immediately by rescheduling it and selecting the time to
execute as Now and submit. Then select the job and click run.
Step 2 Select the category of data collection job you want to run (e.g., APIC-EM Integration, Assurance and Health Summary,
Infrastructure, Inventory and Discovery, or Status and Wireless Monitoring).
Step 3 Click the check box to select the system job you want to run immediately.
Step 4 Click Run.
About System Jobs

The following table describes the background data collection jobs Prime Infrastructure performs.
Note You must increase the frequency of the Infrastructure and Inventory jobs with caution as it impacts the
performance of Prime Infrastructure over a while as these jobs are high I/O intensive operations.
Table 13: Inventory Data Collection Jobs
Task Name Default Schedule Description Editable options
APIC EM Integration Jobs

156
About System Jobs
APIC-EM Site Sync 6 hours Schedules synchronization of Select Edit Schedule >
sites and devices between Recurrence and select the
APIC-EM and Prime appropriate settings to schedule
Infrastructure. the job.
APIC Server Status Periodic 5 minutes Schedules checks on APIC-EM Select Edit Schedule >
server reachability. Recurrence and select the
appropriate settings to schedule
the job.
Ping Network Devices 5 minutes Schedules ICMP Ping Select Edit Schedule >
reachability and updates the Recurrence and select the
device reachability status and appropriate settings to schedule
latency time. the job.
PnP Bulk Import 5 minutes Schedules bulk import of Select Edit Schedule >
device profiles from APIC-EM Recurrence and select the
to Prime Infrastructure. appropriate settings to schedule
the job.
PnP Status Polling 5 minutes Tracks the status of the PnP Select Edit Schedule >
devices created on APIC-EM Recurrence and select the
and adds them to Prime appropriate settings to schedule
Inventory when successful. the job.
Post PnP Job Schedules validation of Select Edit Schedule >

post-PnP configurations on Recurrence and select the
devices. appropriate settings to schedule
the job.
Assurance and Health Summary

Jobs
AGGREGATION_HEALTH_SUMMARY Disabled Aggregates the health scores of Non Editable

device metrics (Routers,
Switches and Access Points).
Assurance DataSource Update Disabled Synchronizes the list of data Non Editable
sources between two different
processes in PI.
Assurance License Update Disabled Fetches the devices and AP Non Editable
which netflow associated with
it every 12 hours.
Assurance Lync Aggregation Disabled Computes the Lync call Non Editable
statistics.
BASELINE_DAILY Disabled Aggregates the hourly baseline Non Editable

values to daily values for the
application data.

157
About System Jobs
BASELINE_HOURLY Disabled Computes hourly baseline data Non Editable

points for application data.
DAHealth_SITE Disabled Synchronizes the site rules Non Editable

between two different processes
in PI.
HEALTH_SUMMARY_5MIN Disabled Computes the health scores for Non Editable

applications.
PushCollectionPlanToDA Disabled Pushes the collection plan to Non Editable

DA.
WUserSyncJob_USER Disabled Fetches the list of current Non Editable

clients from the Station Cache
to update the netflow user
cache.
Infrastructure jobs
Bulk Recompute RF Prediction 15 days Schedules status polling of Select Edit Schedule >
Bulk Recompute RF Prediction. Recurrence and select the
the job.
Connected Mobility Reachability 5 minutes Schedules stauts polling of Select Edit Schedule >
Status Connected Mobility Recurrence and select the
Reachability appropriate settings to schedule
the job.
Controller Configuration Backup 1 day Displays the controller Select Edit Schedule >
configuration backup activities. Recurrence and select the
the job.
Data Cleanup 2 hours Schedules daily data file Select Edit Schedule >
cleanup. Recurrence and select the
the job.

158
About System Jobs
Device Config Backup-External 15 minutes Transfers device configuration Select Edit Schedule >
periodically to external Recurrence and select the
repository.You can configure appropriate settings to schedule
or create the repository using the job.
CLI commands and the
Click the edit icon, and check the
supported repositories are FTP,
Export only Latest
SSH FTP (SFTP) and Network
Configuration check box, to
File System (NFS).
transfer only the latest
configuration.
You can edit the job properties
based on the user permission set
in Role Based Access Control
(RBAC).
Guest Accounts Sync 1 day Schedules guest account polling Select Edit Schedule >
and synchronization. Recurrence and select the
the job.
Index serach Entities 3 hours Schedules the Index Search Select Edit Schedule >
Entities job. Recurrence and select the
the job.
Mobility Service Backup 7 days Schedules automatic mobility Select Edit Schedule >
services backups. Recurrence and select the
the job.
Mobility Service Status 5 minutes Schedules mobility services Select Edit Schedule >
status polling. Recurrence and select the
the job.
Mobility Service Synchronization 1 hour Schedules mobility services Select Edit Schedule >
synchronization. Recurrence and select the
the job.
On Demand Reports Cleanup 6 hours Schedules reports cleanup. Select Edit Schedule >
Recurrence and select the
the job.
Server Backup 1 day Schedules automatic Prime Select Edit Schedule >
Infrastructure server backups. Recurrence and select the
The backups created are appropriate settings to schedule
application backups. the job.

159
About System Jobs
Smart License Compliance Status Disabled Runs for Smart License for the Non Editable.
default schedule.
wIPS Alarm Sync 2 hours Schedules wIPS alarm Select Edit Schedule >
synchronization. Recurrence and select the
the job.
Inventory and Discovery Jobs
Autonomous AP Inventory 1 day Collects inventory information Select Edit Schedule >
for autonomous APs. Recurrence and select the
the job.
Switch Inventory 1 day Collects inventory information Select Edit Schedule >
for Switches. Recurrence and select the
the job.
Wireless Controller Inventory 1 day Collects inventory information Select Edit Schedule >
for Wireless Controllers. Recurrence and select the
the job.
Status Jobs
Appliance Status 5 minutes Schedules appliance polling. Select Edit Schedule >
This task populates the Recurrence and select the
appliance polling details from appropriate settings to schedule
the Administration > Appliance the job.
> Appliance Status page. It also
populates information like the
performance and fault checking
capabilities of the appliance.
Autonomous Client Status 5 minutes Lets you schedule status polling Select Edit Schedule >
of autonomous AP clients. Recurrence and select the
the job.
Autonomous AP Operational 5 minutes Schedules status polling of Select Edit Schedule >
Status autonomous wireless access Recurrence and select the
points. appropriate settings to schedule
the job.
Controller Operational Status 5 minutes Schedules controller Select Edit Schedule >
operational status polling. Recurrence and select the
the job.

160
About System Jobs
Device Data Collector 30 minutes Schedules data collection based Select Edit Schedule >
on specified command-line Recurrence and select the
interface (CLI) commands at a appropriate settings to schedule
configured time interval. the job.
Identity Services Engine Status 15 minutes Schedules Identity Services Select Edit Schedule >
Engine polling. Recurrence and select the
the job.
Interferers 15 minutes Schedules interferer Select Edit Schedule >

information collection. Recurrence and select the
the job.
Learn Unified AP Ping Capability This Job remains suspended Schedules Unified AP Ping Non-Editable.
and runs on-demand. Capability information
collection.
License Status 4 hours Schedules the license-status Select Edit Schedule >
information collection. Recurrence and select the
the job.
Lightweight AP Ethernet Interface 1 minute Schedules Lightweight AP Select Edit Schedule >
Status Ethernet Interface Status Recurrence and select the
information collection. appropriate settings to schedule
the job.
Lightweight AP Operational Status 5 minutes Schedules Lightweight AP Select Edit Schedule >
Operational Status information Recurrence and select the
collection. appropriate settings to schedule
the job.
Lightweight Client Status 5 minutes Schedules information Select Edit Schedule >
collection for Lightweight AP Recurrence and select the
Clients from Network. appropriate settings to schedule
the job.
Mobility Service Performance 15 minutes Schedules status polling of Select Edit Schedule >
mobility services performance. Recurrence and select the
the job.
Mobility Status Task 15 minutes Schedules status polling of Select Edit Schedule >
mobility services engines. Recurrence and select the
the job.

161
About System Jobs
OSS Server Status 5 minutes Schedules status polling of OSS Select Edit Schedule >
Servers. Recurrence and select the
the job.
Redundancy Status 1 hour Schedules redundancy status Select Edit Schedule >
polling of primary and Recurrence and select the
secondary controllers. appropriate settings to schedule
the job.
Switch NMSP and Location Status 4 hours Schedules Switch Network Select Edit Schedule >
Mobility Services Protocol Recurrence and select the
(NMSP) and Civic Location appropriate settings to schedule
status polling. the job.
Switch Operational Status 5 minutes Schedules switch operational Select Edit Schedule >
status polling. Recurrence and select the
the job.
Third Party Access Point 3 hours Schedules operational status Select Edit Schedule >
Operational Status polling of third party APs. Recurrence and select the
the job.
Third Party Controller Operational 3 hours Schedules operational status Select Edit Schedule >
Status polling of third party Recurrence and select the
Controllers. appropriate settings to schedule
the job.
Unmanaged APs 15 minutes Collects poll information for Select Edit Schedule >
unmanaged access points. Recurrence and select the
the job.
Wired Client Status 2 hours Schedules Wireless Client Select Edit Schedule >
status polling Recurrence and select the
the job.
Wireless AP Discovery 5 minutes Schedules Wireless AP Select Edit Schedule >

discovery. Recurrence and select the
the job.
Wireless Configuration Audit 1 day Schedules Wireless Select Edit Schedule >
Configuration Agent audit Recurrence and select the
collection. appropriate settings to schedule
the job.
Wireless Monitoring Jobs

162
About System Jobs
AP Ethernet Statistics 15 minutes Schedules AP Ethernet Select Edit Schedule >

statistics collection. Recurrence and select the
the job.
AP Image Pre-Download Status 15 minutes Allows you to see the Image Select Edit Schedule >
Predownload status of the Recurrence and select the
associated APs in the appropriate settings to schedule
controllers. To see the status of the job.
the access points, the
“Pre-download software to
APs” checkbox should be
selected while downloading
software to the controller.
Autonomous AP CPU and 15 minutes Schedules collection of Select Edit Schedule >
Memory Utilization information on memory and Recurrence and select the
CPU utilization of Autonomous appropriate settings to schedule
APs. the job.
Autonomous AP Radio 15 minutes Schedules collection of Select Edit Schedule >

Performance information about radio Recurrence and select the
performance information as appropriate settings to schedule
well as radio up or down status the job.
for autonomous APs.
Autonomous AP Tx Power and 15 minutes Schedules collection of Select Edit Schedule >
Channel Utilization information about radio Recurrence and select the
performance of Autonomous appropriate settings to schedule
APs. the job.
CCX Client Statistics 1 hour Schedules collection of the Select Edit Schedule >
Dot11 and security statistics for Recurrence and select the
CCX Version 5 and Version 6 appropriate settings to schedule
clients. the job.
CleanAir Air Quality 15 minutes Schedules collection of Select Edit Schedule >
information about CleanAir air Recurrence and select the
quality. appropriate settings to schedule
the job.
Client Statistics 15 minutes Schedules retrieval of statistical Select Edit Schedule >
information for autonomous Recurrence and select the
and lightweight clients. appropriate settings to schedule
the job.
Map Info Polling Job 1 minute Select Edit Schedule >

Recurrence and select the
the job.

163
About System Jobs
Media Stream Clients 15 minutes Schedules collection of Select Edit Schedule >
information about media stream Recurrence and select the
clients. appropriate settings to schedule
the job.
Mesh Link Status 5 minutes Schedules collection of status Select Edit Schedule >
of mesh links. Recurrence and select the
the job.
Mesh link Performance 10 minutes Schedules collection of Select Edit Schedule >
information about the Recurrence and select the
performance of mesh links. appropriate settings to schedule
the job.
Radio Performance 15 minutes Schedules collection of Select Edit Schedule >

statistics from wireless radios. Recurrence and select the
the job.
Radio Voice Performance 15 minutes Schedules collection of voice Select Edit Schedule >
statistics from wireless radios. Recurrence and select the
the job.
Rogue AP 2 hours Schedules collection of Select Edit Schedule >

information about rogue access Recurrence and select the
points. appropriate settings to schedule
the job.
Switch CPU and Memory Poll 30 minutes Schedules polling of switch Select Edit Schedule >
CPU and memory information. Recurrence and select the
the job.
Traffic Stream Metrics 8 minutes Retrieves traffic stream metrics Select Edit Schedule >
for the clients. Recurrence and select the
the job.
Wireless Controller Performance 30 minutes Schedules collection of Select Edit Schedule >
performance statistics for Recurrence and select the
wireless controllers. appropriate settings to schedule
the job.
Wireless QoS Statistics 15 minutes Schedules collection of Select Edit Schedule >
information QoS Statistics for Recurrence and select the
Wireless Controllers. appropriate settings to schedule
the job.

164
Migrate Data from Cisco Prime LMS to Cisco Prime Infrastructure
Migrate Data from Cisco Prime LMS to Cisco Prime

Infrastructure
Prime Infrastructure supports data migration from Cisco Prime LAN Management Solution (LMS) version
4.2.5 on all platforms. The following LMS data can be imported into Prime Infrastructure using the CAR CLI:
• Device Credential and Repository (DCR) Devices
• Static Groups
• Dynamic Groups
• Software Image Management Repository Images
• User Defined Templates (Netconfig)
• LMS Local Users
• MIBs
Only the Dynamic Groups containing the rule with the following attributes can be imported from LMS.
• PI attribute Name—LMS attribute name
• Contact—System.Contact
• Description—System.Description
• Location— System.Location
• Management_Address—Device.ManagementIpAddress
• Name—System.Name
• Product_Family—Device.Category
• Product_Series—Device.Series
• Product_Type—Device.Model
• Software_Type—System.OStype
• Software_Version—Image.Version
To migrate LMS data to Prime Infrastructure, follow these steps:
Step 1 Identify the server where LMS backup data is stored.

Step 3 Enter the following commands to configure the backup location:
admin# configure terminal
admin(config)# repository carsapps
admin(config-Repository)# url location
admin(config-Repository)# user root password plain password
admin(config-Repository)# end
where:
a. location is a fully qualified URL, including access protocol, for the location of the LMS backup data. For example:
ftp://10.77.213.137/opt/lms , sftp://10.77.213.137/opt/lms , or fdisk:foldername .
b. password is the root user password

165
Migrate Data from Cisco Prime LMS to Cisco Prime Infrastructure
Step 4 Import the LMS backup into Prime Infrastructure using the following command:
admin# lms migrate repository carsapps
Step 5 Exit your CLI session, log back in to the Prime Infrastructure user interface, and verify that your LMS data was imported
properly. The following table shows where to look in Prime Infrastructure for the imported LMS data.
LMS Data Prime Infrastructure Location
DCR Devices Inventory > Network Devices
Static Group Inventory > Network Devices > User Defined Group
Dynamic Group Inventory > Network Devices > User Defined Group
Software Image Management Repository Inventory> Software Images

Images
User Defined Templates (Netconfig) Configuration > Templates > Features & Technologies
LMS Local Users Administration > Users, Roles & AAA > Users
MIBs Monitor > Monitoring Policies. In the menu, click Add, then select
Policy Types > Custom MIB Polling.

166
CHAPTER 7
User Permissions and Device Access
• User Interfaces, User Types, and How To Transition Between Them, on page 167
• Enable and Disable root Access for the Linux CLI and the Prime Infrastructure Web GUI, on page 172
• Control the Tasks Web Interface Users Can Perform (User Groups), on page 173
• Add Users and Manage User Accounts, on page 198
• Configure Guest Account Settings, on page 201
• Use Lobby Ambassadors to Manage Guest User Accounts, on page 202
• Find Out Which Users Are Currently Logged In, on page 206
• View the Tasks Performed By Users (Audit Trail), on page 207
• Configure Job Approvers and Approve Jobs, on page 207
• Configure Job Notification Mail for User Jobs, on page 208
• Configure Global Password Policies for Local Authentication, on page 209
• Configure the Global Timeout for Idle Users, on page 209
• Set Up the Maximum Sessions per User, on page 210
• Create Virtual Domains to Control User Access to Devices, on page 211
• Configure Local Authentication, on page 219
• Configure External Authentication, on page 220
User Interfaces, User Types, and How To Transition Between

Them
These topics describe the GUI and CLI interfaces used by Prime Infrastructure, and how to transition between
the Prime Infrastructure and Linux CLI interfaces.
• User Interfaces and User Types, on page 167
• How to Transition Between the CLI User Interfaces in Prime Infrastructure, on page 169
User Interfaces and User Types

The following table describes the user interfaces employed by Prime Infrastructure , and the types of users
that can access each interface.

167
User Interfaces and User Types
Prime Infrastructure Interface Description Prime Infrastructure User Types

User Interface
Prime Infrastructure Web interface that facilitates day-to-day Prime Infrastructure web GUI everyday users—Created by
web GUI and administration operations using the web GUI root user . These users have varying degrees of
web GUI. These users can have varying privileges and are classified into role-based access control
degrees of privileges and are classified (RBAC) classes and subclasses called user groups (Admin, Super
into role-based access control (RBAC) Users, Config Managers, and so forth). For information on the
classes and subclasses. user groups, see Types of User Groups, on page 173.
This interface provides a subset of Prime Infrastructure web GUI root user—Created at
operations that are provided by the Prime installation and intended for first-time login to the web GUI, and
Infrastructure CLI admin and CLI config for creating other user accounts. This account should be disabled
users. after creating at least one web GUI user that has Admin
privileges—that is, a web GUI user that belongs to the Admin
or Super Users user group. See Disable and Enable the Web GUI
root User, on page 172.
Note The Prime Infrastructure web GUI root user is not
the same as the Linux CLI root user, nor is it the same
as the Prime Infrastructure CLI admin user.
.
Prime Infrastructure Cisco proprietary shell which provides Prime Infrastructure CLI Admin user—Created at installation
Admin CLI secure and restricted access to the system time and used for administration operations such as stopping
(as compared with the Linux shell). This and restarting the application and creating remote backup
Admin shell and CLI provide commands repositories. (A subset of these administration operations are
for advanced Prime Infrastructure available from the web GUI).
administration tasks. These commands are
To display a list of operations this user can perform, enter ? at
explained throughout this guide. To use
the prompt.
this CLI, you must have Prime
Infrastructure CLI admin user access. You Some tasks must be performed in config mode. To transition to
can access this shell from a remote config mode, use the procedure in Transition Between the Prime
computer using SSH. Infrastructure admin CLI and Prime Infrastructure config CLI,
on page 170.
Prime Infrastructure Cisco proprietary shell which is restricted
Config CLI and more secure than the Linux shell. This The admin CLI user can create other CLI users for a variety of
Config shell and CLI provide commands reasons, using the following command:
for Prime Infrastructure system (config) username username password role {admin|user}
configuration tasks. These commands are password
explained throughout this guide. To use
this CLI, you must have admin-level user
access (see the information in the User
Types column of this table). You can
access this shell from the Admin CLI
shell.

168
How to Transition Between the CLI User Interfaces in Prime Infrastructure
Prime Infrastructure Interface Description Prime Infrastructure User Types

User Interface
Linux CLI Linux shell which provides all Linux Linux CLI admin user—Created at installation time and used
commands. The Linux shell should only for Linux-level administration purposes.
be used by Cisco technical support
This admin user can get root-level privileges by following the
representatives. Regular system
procedure in Log In and Out as the Linux CLI root User, on page
administrators should not use the Linux
171. Tasks that require root-level permissions should only be
shell. You cannot reach this shell from a
performed by Cisco Support teams to debug product-related
remote computer using SSH; you can only
operational issues. For security purposes, the Linux CLI admin
reach it through the Prime Infrastructure
and root users should be disabled; see Disable and Enable the
admin shell and CLI.
Linux CLI Users in Prime Infrastructure, on page 172.
How to Transition Between the CLI User Interfaces in Prime Infrastructure

The following figure illustrates how to transition between the Prime Infrastructure and Linux CLI user interfaces
on deployments running Prime Infrastructure.

169
Transition Between the Prime Infrastructure admin CLI and Prime Infrastructure config CLI
Transition Between the Prime Infrastructure admin CLI and Prime Infrastructure config CLI
To move from the Prime Infrastructure admin CLI to the Prime Infrastructure config CLI, enter config at the
admin prompt.
(admin)# config
(config)#
To move from the config CLI back to the admin CLI, enter exit or end at the config prompt:
(config)# exit
(admin)#

170
Log In and Out as the Linux CLI root User
Log In and Out as the Linux CLI root User

The Linux CLI has two shell users: One with administrative access (Linux CLI admin user), and another with
root access (Linux CLI root user). The diagram in How to Transition Between the CLI User Interfaces in
Prime Infrastructure, on page 169 illustrates the flow for logging in and out as the various CLI users.
To log in as the Linux CLI root user, you will have to transition from being the Prime Infrastructure CLI
admin user to the Linux CLI admin user to the Linux CLI root user. The following procedure gives you the
exact steps you must follow.
Before you begin

If the Linux CLI user is disabled, re-enable it. See Disable and Enable the Linux CLI Users in Prime
Infrastructure, on page 172.
Step 1 To log in as the Linux CLI root user:

a) Start an SSH session with the Prime Infrastructure server and log in as the Prime Infrastructure CLI admin user.
b) As the Prime Infrastructure CLI admin user, log in as the Linux CLI admin user:
shell
Enter shell access password: password
c) Log in as the Linux CLI root user.

sudo -i
By default, the Linux CLI shell prompt is the same for the Linux CLI admin and root user. You can use the whoami
command to check the current user.
Step 2 To exit:
a) Log out as the Linux CLI root user.
exit
b) Log out as the Linux CLI admin user.

exit
You are now logged in as the Prime Infrastructure CLI admin user.
What to do next
For security purposes, disable the Linux CLI root user. See Disable and Enable the Linux CLI Users in Prime
Infrastructure, on page 172.

171
Enable and Disable root Access for the Linux CLI and the Prime Infrastructure Web GUI
Enable and Disable root Access for the Linux CLI and the Prime
Infrastructure Web GUI
As described in How to Transition Between the CLI User Interfaces in Prime Infrastructure, on page 169, after
installation, you should disable the Prime Infrastructure web GUI root user after creating at least one other
web GUI user that has Admin or Super Users privileges. See Disable and Enable the Web GUI root User, on
page 172.
The Linux CLI root user is disabled after installation time. If you need to re-enable it, follow the procedure
in Disable and Enable the Linux CLI Users in Prime Infrastructure, on page 172.
Disable and Enable the Linux CLI Users in Prime Infrastructure

This procedure shows you how to disable and enable the Linux CLI admin shell in deployments running Prime
Infrastructure. When you disable the shell, you will no longer be able to log in as the Linux CLI admin or
root users. When the shell is enabled, users can log in by following the procedure in How to Transition Between
the CLI User Interfaces in Prime Infrastructure, on page 169.
Before you begin

Make sure you have the password for the Linux CLI admin user.
Step 1 Log in to Prime Infrastructure as the Prime Infrastructure CLI admin user. See Establish an SSH Session With the Prime
Infrastructure Server, on page 89.
Step 2 Disable the Linux CLI admin shell (which disables the Linux CLI admin and root users):
shell disable
Enter shell access password: passwd
shell access is disabled
Step 3 To re-enable the Linux CLI admin shell (you must run this command as the Prime Infrastructure CLI admin user):
shell
Shell access password is not set
Configure password for shell access
Password: passwd
Password again: passwd
Shell access password is set

Run the command again to enter shell
Disable and Enable the Web GUI root User
Step 1 Log into the Prime Infrastructure web GUI as root, and create another web GUI user that has root privileges—that is, a
web GUI user that belongs to the Admin or Super Users user group. See Add Users and Manage User Accounts, on page
198. Once this is done, you can disable the web GUI root account.

172
Control the Tasks Web Interface Users Can Perform (User Groups)
Step 2 Disable the Prime Infrastructure web GUI root user account. (The web GUI admin account, which remains active, can
perform all required CLI functions.)
ncs webroot disable
Step 3 To re-enable the account:

ncs webroot enable
Control the Tasks Web Interface Users Can Perform (User

Groups)
For Web Interface users, in Prime Infrastructure user authorization is implemented through user groups. A
user group contains a list of tasks that control which parts of Prime Infrastructure a user can access and the
tasks the user can perform in those parts.
While user groups control what the user can do, virtual domains control the devices on which a user can
perform those tasks. Virtual domains are described in Create Virtual Domains to Control User Access to
Devices, on page 211.
Prime Infrastructure provides several predefined user groups. If a user belongs to a user group, the user inherits
all of the authorization settings for that group. A user is normally added to user groups when their account is
created.
These topics explain how to manage user authorization:
• Types of User Groups, on page 173
• View and Change the Tasks a User Can Perform, on page 175
• View and Change the Groups a User Belongs To, on page 176
• View User Groups and Their Members, on page 176
• Create a Customized User Group, on page 194
• View and Change the Tasks a Group Can Perform, on page 196
• Use Prime Infrastructure User Groups with RADIUS and TACACS+, on page 197
Types of User Groups

Prime Infrastructure provides the following predefined user groups:
• User Groups—Web UI, on page 173
• User Groups—NBI, on page 174
For information about CLI users, see User Interfaces and User Types, on page 167.
User Groups—Web UI
Prime Infrastructure provides the default web GUI user groups listed in the following table. You can assign
users to multiple groups, except for users that belong to the Monitor Lite user group (because Monitor Lite
is meant for users who should have very limited permissions).

173
User Groups—NBI
See View and Change the Tasks a Group Can Perform, on page 196 for information on the tasks that pertain
to each user group and the default settings.
User Group Group Task Focus
Root All operations. The group permissions are not editable. The root web UI user is available
after installation and is described in User Interfaces and User Types, on page 167. A best
practice is to create other users with Admin or Super Users privileges, and then disable
the root web UI user as described in Disable and Enable the Web GUI root User, on
page 172.
Super Users All operations (similar to root). The group permissions are editable.
Admin Administer the system and server. Can also perform monitoring and configuration
operations. The group permissions are editable.
Config Managers Configure and monitor the network (no administration tasks). The permissions assigned
to this group are editable.
System Monitoring Monitor the network (no configuration tasks). The group permissions are editable.
Help Desk Admin Only has access to the help desk and user preferences related pages. Members of this
user group cannot be members of any other user group. This is a special group which
lacks access to the user interface.
Lobby User administration for Guest users only. Members of this user group cannot be members
Ambassador of any other user group.
User–Defined 1–4 these are blank groups and can be edited and customized as needed.
Monitor Lite View network topology and use tags. The group permissions are not editable. Members
of this user group cannot be members of any other user group.
North Bound API Access to the SOAP APIs.

Note No acesss restriction for admin owned templates.
User Assistant Local Net user administration only. Members of this user group cannot be members of
any other user group.
mDNS Policy mDNS policy administration functions.

Admin
Note We recommend you to not use RADIUS, TACACS+ or SSO to create users
to be included in the “mDNS Policy Admin” group, because the AAA server
do not have the required multicast DNS settings.
User Groups—NBI
Prime Infrastructure Cisco Prime Infrastructure provides the default NBI user groups listed in the following
table. The permissions in these groups are not editable.
See View and Change the Tasks a Group Can Perform, on page 196 for information on the tasks that pertain
to each user group and the default settings.

174
View and Change the Tasks a User Can Perform
User Group Provides access to:
NBI Credential The Northbound Interface Credential API

(Deprecated)
NBI Read The Northbound Interface Read API.
NBI Write The Northbound Interface Write API.
View and Change the Tasks a User Can Perform

The tasks a user can perform is controlled by the user groups the user belongs to. Follow these steps to find
out which groups a user belongs to and which tasks a user is authorized to perform.
Note If you want to check the devices a user can access, see Assign Virtual Domains to Users, on page 217.
Step 1 Choose Administration > Users > Users, Roles & AAA and locate the user name.
Step 2 Locate the user name and check the Member of column to find out which user groups the user belongs to.
Step 3 Click a user group hyperlink. The Group Detail window lists the tasks that group members can and cannot perform.
• A checked check box means group members have permission to perform that task. If a checked box is greyed-out,
it means you cannot disable the task. For example, Prime Infrastructure does not allow you to remove the "View
tags" task for the Monitor Lite user group because it is an integral task for that user group.
• A blank check box means group members cannot perform that task. If a blank check box is greyed out, it means you
cannot enable the task for the user group.
The web GUI root and Monitor Lite groups, and the NBI groups, are not editable.
Step 4 If you want to change permissions, you have these choices:

Note Be careful. Selecting and deselecting tasks in the Group Detail window will apply your changes to all group
members.
• Change permissions for all user group members. See View and Change the Tasks a Group Can Perform, on page
196.
• Add the user to a different user group. The predefined user groups are described in User Groups—Web UI, on page
173 and User Groups—NBI, on page 174. Those topics also describe any group restrictions; for example, if a user
belongs to the predefined Monitor Lite user group, the user cannot belong to any other groups.
• Remove the user from this group. See View and Change the Groups a User Belongs To, on page 176.
• Use a customized user group and add the user to that group. To find out which customized groups already exist, see
View and Change the Tasks a Group Can Perform, on page 196. To create a new customized group, see Create a
Customized User Group, on page 194.

175
View and Change the Groups a User Belongs To
View and Change the Groups a User Belongs To

The tasks users can perform is determined by the user groups they belong to. This is normally configured
when a user account is created (see Add and Delete Users, on page 200). User groups are described in Types
of User Groups, on page 173.
This procedure explains how to view the groups a user belongs to and, if necessary, change the user's group
membership.
Step 1 Choose > Administration > Users, Roles & AAA Users, then choose Users.
Step 2 In the User Name, column, locate and click the user name hyperlink to open the User Details window. All user groups
are listed under the General tab.
• A checked check box means the user belongs to that group. If a checked box is greyed-out, it means you cannot
remove the user from that group. For example, Prime Infrastructure will not allow you to remove the user named
root from the root user group.
• A blank check box means the user does not belong to that group. If a blank check box is greyed-out, it means you
cannot add the user to that group.
(To check the tasks that a group can perform, choose User Groups from the left sidebar menu and click a group name.)
Step 3 To change the groups the user belongs to, select and unselect the appropriate groups in the User Details window, then
click Save.
View User Groups and Their Members

Users can belong to multiple groups, unless they belong to a very restricted group such as Monitoring Lite.
This procedure explains how to view existing user groups and their members.
Step 1 Choose Administration > Users > Users, Roles & AAA, then choose User Groups.
The User Groups page lists all existing user groups and a short list of their members. For a description of these groups,
see Types of User Groups, on page 173.
Step 2 To view all members of a group, click a group hyperlink to open the Group Details window, then click the Members
tab.
Step 3 If you want to make changes to these groups, see:
• View and Change the Tasks a Group Can Perform, on page 196
• View and Change the Groups a User Belongs To, on page 176
User Group Permissions and Task Description

The following table describes user group permissions and task descriptions.

176
Table 14: User Group Permissions and Task Description
Task Group Name Task Name Description
APIC-EM Controller Apic Controller Read Access Allows user to read APIC-EM
controller details.
Apic Controller Write Access Allows user to create or update

APIC-EM controller details.
Apic Global PnP Read Access Allows user to read the Apic
Global PnP/Ztd settings.
Apic Global PnP Write Access Allows user to create or update the
Apic Global PnP/Ztd settings.
Active Sessions Force Logout Access Allows user to force logout other
user active sessions.

177
Administrative Operations Appliance Gives the user access to the

Administration > Settings >
Appliance menu.
Application Server Management Access Allows user to manage NAM

server lists.
Application and Services Access Allows user to create, modify, and

delete custom applications and
services.
Data Migration
Design Endpoint Site Association Access Allows user to create Assurance

site classification rules.
Device Detail UDF Allows user to access Device

details UDF.
Export Audit Logs Access Allows user to access Import Policy

Update through Admin Mega
menu.
Health Monitor Details Allows user to modify Site Health

Score definitions.
High Availability Configuration Allows user to configure High

Availability for pairing primary and
secondary servers.
Import Policy Update Allow user to manually download

and import the policy updates into
the compliance and Audit manager
engine.
License Center/Smart License Allows user to access license

center/smart license..
Logging Gives access to the menu item

which allows user to configure the
logging levels for the product.
Scheduled Tasks and Data Collection Controls access to the screen to

view the background tasks.
System Settings Controls access to the

Administration > System Settings
menu.
Tools Allows user to access the

Administration > System Settings
menu.

178

User Preferences Controls access to the
Administration > User
Preference menu.
View Audit Logs Access Allows user to view Network and

System audits.
Alerts and Events Ack and Unack Alerts Allows user to acknowledge or
unacknowledge existing alarms.
Alarm Policies Allows user to access alarm

policies.
Alarm Policies Edit Access Allows user to edit alarm policies.
Delete and Clear Alerts Allows user to clear and delete

active alarms.
Notification Policies Read Access Allows user to view alarm

notification policy.
Notification Policies Read-Write Access Allows user to configure alarm

notification policy.
Pick and Unpick Alerts Allows user to pick and unpick

alerts.
Syslog Policies Grants access to the Syslog Policies

page.
Syslog Policies Edit Access Allows creating, modifying and

deleting syslog policies.
Troubleshoot Allows user to do basic

troubleshooting, such as traceroute
and ping, on alarms.
View Alert Condition Allows user to view alert condition.
View Alerts and Events Allows user to view a list of events

and alarms.
Configuration Archive Configuration Archive Read-Only Task Allows user to view the archived
configurations and schedule
configuration archive collection
jobs.
Configuration Archive Read-Write Task Allows user to perform all

configuration archive jobs.
Diagnostic Tasks Diagnostic Information Controls access to diagnostic page.

179
Feedback and Support Tasks Automated Feedback Allows acess to automatic

feedback.
TAC Case Management Tool Allows user to open a TAC case.
Global Variable Global Variable Access Allows user to access global

Configuration variables.
Groups Management Add Group Members Allows user to add an entity, such
as a device or port, to groups.
Add Groups Allows user to create groups.
Delete Group Members Allows user to remove members

from groups.
Delete Groups Allows user to delete groups.
Export Groups Allows user to export groups.
Import Groups Allows user to export groups.
Modify Groups Allows user to edit group attributes

such as name, parent, and rules.

180
Job Management Approve Job Allows user to submit a job for

approval by another user.
Cancel Job Allows user to cancel the running

jobs.
Delete Job Allows user to delete jobs from job

dashboard.
Edit Job Allows user to edit jobs from job

dashboard.
Pause Job Allows user to pause running and

system jobs.
Schedule Job Allows user to schedule jobs.
View Job Allows user to schedule jobs.
Config Deploy Edit Job Allows user to edit config

delployed jobs.
Device Config Backup Job Edit Access Allows user to change the external
backup settings such as repository
and file encrytion password.
Job Notification Mail Allows user to configure

notification mails for various job
types.
Run Job Allows user to run paused and

scheduled jobs.
System Jobs Tab Access Allows user to view the system

jobs.
Maps Client Location Allows user to view client locations

on Map.
Maps Read Only Allows user to view the map in a

read-only mode.
Maps Read Write Allows user to view and also

manipulate elements within the
maps such as AP placement.
Planning Mode Allows user to launch the planning

mode tool.
Rogue Location Allows user to view rogue AP

locations on Map

181
Mobility Services Mobility Service Management Allows user to edit properties and
parameters, view session and Trap
destinations,manage user and group
accoounts,and monitor status
information for mobility services
engine.
View CAS Notifications Only Allows user to view the CAS

notifications

182
Network Configuration Add Device Access Allows user to add devices to Prime
Infrastructure.
Admin Templates Write Access Check thois check-box for enabling

admin templates write access for
user defind role.
Auto Provisioning Allows access to auto provisioning.
Compliance Audit Fix Access Allows user to view, schedule and

export compliance fix job/ report.
Compliance Audit PAS Access Allows user to view, schedule and

export "PSIRT" and "EOX" job/
report
Compliance Audit Policy Access Allows user to create, modify,

delete, import and export
compliance policy.
Compliance Audit Profile Access Allows user to view, schedule and

export compliance audit job or
report view and download
violations summary.
Compliance Audit Profile Edit Access Allows user to create, modify and
delete compliance profiles view
and schedule export compliance
audit job or report view and
download violations summary.
Configuration Templates Read Access Allows to access configuration

templates in read only mode.
Configure ACS View Servers Allows acess to manage ACS View

Servers.
Configure Access Points Allows users to configure access

points.
Configure Autonomous Access Point Allows access to configure

Templates Autonomous AP Templates on
Configure Choke Points Allows users to Configure Choke

Points.
Configure Config Groups Allows access to Config Groups.
Configure Controllers Allows users to configure the

Wireless Controller features.

183

Configure Ethernet Switch Ports Controls access to the config ability
when viewing ethernet details in
DWC for any device.
Configure Ethernet Switches Controls access to the config ability

when viewing ethernet details in
DWC for any device.
Configure ISE Servers Allows users to manage ISE servers

on Prime Infrastructure
Configure Lightweight Access Point Allows users to configure

Templates Lightweight Access Point
Templates on Prime Infrastructure
Configure Mobility Devices Allows user to configure the

CAS,WIPS,Mobile concierge
service, location analytics service,
and provide the mobility
procedures
Configure Spectrum Experts Allows users to Configure

Spectrum Experts.
Configure Switch Location Configuration Allow the user to modify

Templates Configuration templates
Configure Templates Allow the user to do the CRUD

operation of Feature Templates on
DWC and configuration Template
Configure Third Party Controllers and Allows users to configure Third

Access Point Party Controllers and Access Points
on Prime Infrastructure.
Configure WIPS Profiles Allows users to access WIPS

Profiles.
Configure WiFi TDOA Receivers Allows users to configure WiFi

TDOA Receivers.
Credential Profile Add_Edit Access Allows user to Add and edit

credential profile.
Credential Profile Delete Access Allows user to delete credential

profile.
Credential Profile View Access Allows user to view credential

profile.
Delete Device Access Allows user to delete devices from


184

Deploy Configuring Access Allows user to deploy
Configuration and IWAN
templates.
Design Configuration Template Access Allows user to create Configuration

> Shared Policy Object templates
and Configuration Group
templates.
Device Bulk Import Access Allows user to perform bulk import

of devices from CSV files.
Device View configuration Access Allows user to configure devices

in the Device Work Center.
Edit Device Access Allows user to edit device

credentials and other device details.
Export Device Access Allows user to export the list of

devices, including credentials, as a
CSV file.
Global SSID Groups Allows users to configure Global

SSID Groups.
Migration Templates Allows user to create autonomous

AP migration templates
Network Devices Allows user to access to the

Network devices.
Network Topology Edit Allows user to create devices, links

and network in the topology map,
edit the manually created link to
assign the interfaces.
Scheduled Configuration Tasks Allows user to create and schedule

a configuration
template,configuration
group,software download task and
template.
TrustSec Readiness Assessment Access to the TrustSec menu which

allows users to configure TrustSec
in their network.
View Compute Devices Access to Data Center compute

servers and virtual elements such
as Hosts and Virtual Machines
managed in Prime Infrastructure.
WIPS Service

185

Allows users to configure WIPS
Service.
Wireless Security Allows user to configure Rogue

Policy, Rogur Rule and wIPS
profile using Wireless Security
Configuration wizard.

186
Network Monitoring Ack and Unack Security Index Issues Allows users to Acknowledge or
Unacknowledge Security Index
Violations.
Admin Dashboard Access Allows user to access the Admin

Dashboard.
Config Audit Dashboard Allows users to access Config

Audit Dashboard.
Data Collection Management Access Allow user to access the Assurance

Data Sources page.
Details Dashboard Access Allow user to access the Detail

dashboards.
Disable Clients Allows users to access Disabled

Clients page.
Identify Unknown Users Allows users to access Identify

Unknown Users page.
Incidents Alarms Events Access Allows user to access incidents

alarms events.
Latest Config Audit Report Allows user to view the latest

config audit reports.
Lync Monitoring Access Allows the user to access and view

the Lync monitoring page
Monitor Access Points Allows users to view Monitor

Access Points page.
Monitor Chokepoints Allows users to access Monitor

Chokepoints page.
Monitor Clients Allows users to access Monitor

Clients page.
Monitor Ethernet Switches Allows user to monitor ethernet

interfaces,VLAN switch port,and
VLAN trunk of ethernet switches.
Monitor Interferers Allows users to access Monitor

Interferers pages.
Monitor Media Streams

187

Allows user to monitor the media
stream configuration information
such as name, start and end address
,maximum bandwidth,operational
status,average packet size,RRC
updates, priority and violation.
Monitor Mobility Devices Allows user to monitor mobility

group events such as mobility
statistics,mobility responder
statistics,mobility initiator statistics.
Monitor Security Allows user to monitor controller

security information such as
RADIUS authentication,RADIUS
accounting,management frame
protection,Rogue AP rules and
guest users.
Monitor Spectrum Experts Allows users to monitor spectrum

experts.
Monitor Tags Allows user to monitor tags.
Monitor Third Party Controllers and Allows users to access Monitor

Access Point Third Party Controllers and Access
Point pages.
Monitor WiFi TDOA Receivers Allows users to access Monitor

WiFi TDOA Receivers pages.
Monitoring Policies Allows user to identify the most

used rules, troubleshoot a specific
rule, and verify hits for the selected
rule.
Network Topology Allows users to launch the Network

Topology map and view the
devices and links in the map.
Packet Capture Access Allow user to initiate packet

captures on NAM and supported
routers.
Performance Dashboard Access Allow user to access the

Performance dashboard.
PfR Monitoring Access Allows the user to access and view

the PfR Monitoring page
RRM Dashboard Allows users to access RRM

Dashboard page.

188
Remove Clients Allows users to access Remove

Clients page.
Service Health Access Allows the user to access and view

the Service Health page.
Site Visibility Access Allows user to access site visibility.
Track Clients Allows users to access Track

Clients page.
View Security Index Issues Allows users to access Security

Index Issues page.
Voice Diagnostics Allows users to access Voice

Diagnostics information.
Wireless Dashboard Access Allows user to view the wireless

dashboard.
Operations Center Tasks Administrative privileges under Manage Allows for administrative tasks
and Monitor Servers page such as Add/Delete/Edit/Activate
and deactivate of servers under
M&M page.
Allow report/dashlet use for users with Enable this option for users with
only NBI Read access NBI Read access so they can
generate reports and populate all
dashlets.
Manage and Monitor Servers Page Access Allows access to the Manage &
Monitor Servers Page.

189
Plug n Play Configuration PnP Deploy History Read Access Allows user to read provisioned
devices status.
PnP Deploy History Read-Write Access Allows user to read and delete
operations on provisioned devices.
PnP Preferences Read Access Allows user to view Plug and Play
preferences.
PnP Preferences Read-Write Access Allows user to edit Plug and Play
preferences.
PnP Profile Deploy Read Access Allows user to view Plug and Play
provisioning profiles.
PnP Profile Deploy Read-Write Access Allow user to create, modify, and
delete Plug and Play provisioning
profiles.
PnP Profile Read Access Allow user to view Plug and Play
profiles.
PnP Profile Read-Write Access Allow user to create, delete, and

modify Plug and Play profiles.
WorkflowsReadWriteAccess Allows user to set up configure the

cisco IOS switches and access
devices
Product Usage Product Feedback Allows the user to access the Help
Us Improve page.

190
Reports Autonomous AP Reports Allows user to create new

Autonomous AP Reports.
Autonomous AP Reports Read Only Allows user to view Autonomous

AP Reports
CleanAir Reports Allows user to create new CleanAir

Reports.
CleanAir Reports Read Only Allows user to view CleanAir

Reports
Client Reports Allow user to create Client Reports
Client Reports Read Only Allow user to view Client Reports.
Compliance Reports Allows user to customize the

configuration audit ,network
discrepancy,PCI DSS detailed and
PCI DSS summary reports,PSIRT
detailed and PSIRT summary
reports.
Compliance Reports Read Only Allows user to configuration

audit,network discrepancy,PCI
DSS detailed and PCI DSS
summary reports,PSIRT detailed
and PSIRT summary reports.
Context Aware Reports Allows user to run context

aware/location-specific reports.
Context Aware Reports Read Only Allows user to run context

aware/location-specific reports.
Custom Composite Report Allow user to create 'custom' report

with two or more (upto 5 reports )
existing report templates into a
single report.
Custom NetFlow Reports Allow user to access custom

NetFlow reports
Custom NetFlow Reports Read Only Allow user to view custom

NetFlow reports.
Device Reports Allow user to run reports specific

to monitoring specific report
related to Devices.
Device Reports Read Only Allows user to read generated

device reports

191

Guest Reports Allow user to create Guest Reports
Guest Reports Read Only Allow user to view Guest Reports.
MSAP Reports Allows user to run Mobile

Concierge reports.
MSAP Reports Read Only Allows user to run Mobile

Concierge reports.
Mesh Reports Allow user to create Mesh Reports.
Mesh Reports Read Only Allow user to view Mesh Reports.
Network Summary Reports Allows user to create and run

network summary reports
Network Summary Reports Read Only Allows user to view all Summary
reports.
Performance Reports Allows user to create performance

reports.
Performance Reports Read Only Allows user to view performance

reports.
Raw NetFlow Reports Allows user to view NetFlow

reports.
Raw NetFlow Reports Read Only Allows user to view Raw NetFlow
reports.
Report Launch Pad Allows user to access the Report

page.
Report Run History Allows user to view report history.
Run Reports List Allows user to run reports.
Saved Reports List Allows user to save reports.
Saved Reports List Read Only Allows user to view saved reports.
Security Reports Allows user to create Security

Reports.
Security Reports Read Only Allows users to view wireless

security reports related to rogue
APs, wIPS etc.
Virtual Domains List Allows user to create the Virtual

Domain related report.
Voice Audit Report

192

Allows user to create the Virtual
Domain related report
Software Image Add Software Image Management Servers Allows user to add software
Management imagemanagement servers.
Software Image Access Privilege Allows user to access Inventory >

Software Images.
Software Image Activation Allows user to upgrade and

downgrade software versionss to
manage devices in their network.
Software Image Collection Allows user to collect images from

different locations such as from
devics, Cisco.com or from URLs.
Software Image Delete Allows user to delete an image

from the Software Images page,
except for images that are included
in Plug and Play profiles.
Software Image Details View Allows user to view the image

details.
Software Image Distribution Allows user to distribute software

verisons to managed devices in the
network.
Software Image Info Update Allows the user to edit and save
image properties such as minimum
RAM, minimum FLASH and
minimum boot ROM version.
Software Image Management Allows user to manage protocol

Server-Manage Protocols
Software Image Preference Save Allows user to save preference

options on Software Images page.
Software Image Recommendation Allows user to recommend images

from Cisco.com and from the local
repository.
Software Image Upgrade Analysis Allows user to analyze software

images to determine if the hardware
upgrades (boot ROM, flash
memory, RAM, and boot flash, if
applicable) are required before
performing a software upgrade.

193
Create a Customized User Group
User Administration Audit Trails Allows user to access the Audit

trails on user login and logout.
RADIUS Servers Allows user to access the RADIUS

Servers menu.
SSO Server AAA Mode Allows user to access the AAA

menu
SSO Servers Allows user to access the SSO

menu
TACACS+ Servers Allows user to access the

TACACS+ Servers menu
Users and Groups Allows user to access the Users and

Groups menu.
Virtual Domain Management Allows user to access the Virtual

Domain Management menu.
Virtual Elements Tab Access When creating virtual domain or

adding members to a virtual
domain, allows uses to access the
virtual elements tab, so as to allow
user to add virtual elements
(Datacenters, Clusters and Hosts)
to virtual domain.
View Online Help OnlineHelp Allows user to access the Prime

Infrastructure online help.
Create a Customized User Group

Prime Infrastructure provides a set of predefined user groups that help you control user authorization. These
groups are described in Types of User Groups, on page 173 and include four User Defined groups which you
can customize to create a user group that is specific to your deployment. The following procedure explains
how to create a customized group using one of the four predefined User Defined group templates.
Step 2 Locate a User Defined group that has no members, then click its group name hyperlink.
Step 3 Customize the group permissions by checking and unchecking tasks in the Group Detail window. If a task is greyed-out,
it means you cannot adjust its setting. You cannot change the group name.
Step 4 Click Save to save your group settings.
Step 5 If you want to add a new User Defined group Click Add Groups. Enter the Group Name, select the required task
permissions and click Save.
Step 6 If you want to delete any User defined group select the group and click Delete Groups. A warning message appears to
check whether you want to delete the group. Click Ok .

194
Add User with Wireless Persona
Note You can not delete any predefined groups and groups associated to any user.
Step 7 Add members to your group by editing the relevant user accounts and adding the user to your new group. See Add and
Delete Users, on page 200 for information on adjusting user accounts.
Add User with Wireless Persona

You can add a local user with wireless persona so that the user can view only wireless related navigation menu
items.
Note You cannot add AAA user or remote user with wireless persona.
Step 1 Log in to Cisco Prime Infrastructure as an administrator.

Step 2 Choose Administration > Users > Users, Roles & AAA , then choose Users.
Step 3 From the Select a command drop-down list, choose Add User, then click Go.
Step 4 Configure the user account.
a) Enter a username and password.
b) Control the actions the user can perform by selecting one or more user groups. For descriptions of user groups, see
View User Groups and Their Members, on page 176.
c) Control the devices a user can access by clicking the Virtual Domains tab and assigning domains to the user. For
more information, see Create Virtual Domains to Control User Access to Devices, on page 211.
Step 5 In the Persona pane, check the Wireless check box. Hover your mouse cursor over the help text question mark to view
the menu items that are removed from the navigation.
Step 6 Click Save.

195
View and Change the Tasks a Group Can Perform
Note The following user groups do not support the wireless persona-based menu:
1. Root
2. Lobby Ambassador
3. Lobby Ambassador + NBI Credential
4. Lobby Ambassador + NBI Read
5. Lobby Ambassador + NBI Write
6. Lobby Ambassador + (NBI Credential + NBI Read)
7. Lobby Ambassador + (NBI Read + NBI Write)
8. Lobby Ambassador + (NBI Credential + NBI Write)
9. Lobby Ambassador + (NBI Credential + NBI Read +NBI Write)
10. Help Desk Admin
11. Help Desk Admin + NBI Credential
12. Help Desk Admin + NBI Read
13. Help Desk Admin + NBI Writer
14. Help Desk Admin + (NBI Credential + NBI Read)
15. Help Desk Admin + (NBI Read + NBI Write)
16. Help Desk Admin + (NBI Credential + NBI Write)
17. Help Desk Admin + (NBI Credential + NBI Read +NBI Write)
18. mDNS Policy Admin
View and Change the Tasks a Group Can Perform

Follow these steps to get information about existing user groups and the tasks group members can perform.
The predefined user groups are described in View User Groups and Their Members, on page 176.
Note If you want to change device access, see Assign Virtual Domains to Users, on page 217.
The User Groups page lists all existing user groups.
Step 2 Click a user group hyperlink. The Group Detail window lists the group permissions.

196
Use Prime Infrastructure User Groups with RADIUS and TACACS+
• A checked task means group members have permission to perform that task. If a checked box is greyed-out, it means
you cannot disable the task.
• A blank check box means group members cannot perform that task. If a blank check box is greyed out, it means you
cannot enable the task for the user group.
The web GUI root and Monitor Lite groups, and the NBI groups, are not editable.
Step 3 If you want to change the group permissions—which will affect all group members—check and uncheck tasks, then click
Save.
Note Selecting and deselecting the tasks will affect only that group and not all groups.
Use Prime Infrastructure User Groups with RADIUS and TACACS+

Your RADIUS or TACACS+ servers must be configured to recognize the user groups that exist in Prime
Infrastructure. You can do this using the procedure in Export the Prime Infrastructure User Group and Role
Attributes for RADIUS and TACACS+, on page 197.
Note From Prime Infrastructure Release 3.2, Role based based TACACS+ authentication is enabled by default, so
it is sufficient to add user roles and virtual domains alone. Tasks will be retrieved from Prime Infrastructure
based on the roles given in the ISE/ACS profile.
If you want to use the task based TACACS authentication, you must set the value of the tacsacsServerTaskPref
property in the file /opt/CSCOlumos/conf/usermgmt.properties to true and click Save in Administration >
Users > Users, Roles & AAA > AAA Mode Settings Page . When you are copying the custom attributes
(role, task and virtual domain) of users belonging to multiple user groups from the Administration > Users
> Users, Roles & AAA > User Groups page in Prime Infrastructure, and pasting them in ACS, make sure
that the custom attributes remain unique in order to avoid duplicate attributes. Also ensure that you paste the
currently supported tasks in the ACS and add the Home Menu Access task. It is mandatory.
Export the Prime Infrastructure User Group and Role Attributes for RADIUS and TACACS+
If you are using RADIUS or TACACS+, you must copy all Prime Infrastructure user group and role information
into your Cisco Access Control Server (ACS) or Cisco Identity Services Engine (ISE) server. You can do this
using the Task List dialog box provided in the Prime Infrastructure web GUI. If you do not export the data
into your Cisco ACS or Cisco ISE server, Prime Infrastructure will not allow users to perform their assigned
tasks.
The following information must be exported:
• TACACS+—Requires virtual domain and role information (tasks are automatically added).
• RADIUS—Requires virtual domain and role information (tasks are automatically added).
Information in the Task List dialog is preformatted for use with the Cisco ACS server.

197
Add Users and Manage User Accounts
Note When you add tasks to the external server, be sure to add the Home Menu Access task. It is mandatory for
all users.
Before you begin

Make sure you have added the AAA server and configured the AAA mode as explained in Configure External
Authentication.
Step 1 In Prime Infrastructure:

a) Choose Administration > Users > User Groups.
b) From the User Groups table, copy the role for each user group by clicking the Task List hyperlink (at the end of a
user group row).
• If you are using RADIUS, right-click the role0 line in the RADIUS Custom Attributes field and choose Copy.
• If you are using TACACS+, right-click the role0 line in the TACACS+ Custom Attributes field and choose
Copy.
Step 2 Paste the information into your Cisco ACS or Cisco ISE server. These steps show how to add the information to an
existing user group in Cisco ACS. If you have not yet added this information to Cisco ACS or Cisco ISE, see:
• Use Cisco ACS With RADIUS or TACACS+ for External Authentication
• Use Cisco ISE With RADIUS or TACACS+ for External Authentication , on page 222
a) Navigate to User or Group Setup.

b) For the applicable user or group, click Edit Settings.
c) Paste the attributes list into the appropriate text box.
d) Select the check boxes to enable these attributes, then click Submit + Restart.
Add Users and Manage User Accounts

• Create Web GUI Users with Administrator Privileges, on page 199
• Add and Delete Users, on page 200
• Disable (Lock) a User Account, on page 201
• Change a User’s Password, on page 201
Change User Group Memberships

You can quickly change a user’s privileges in Prime Infrastructure by changing the user groups to which the
user belongs.
You can also assign sites or devices to which a virtual domain has access. For details, see “Create Virtual
Domains to Control User Access to Devices ” in Related Topics.

198
Create Web GUI Users with Administrator Privileges
Prime Infrastructure will not permit certain combinations of user group membership. For example, a user
cannot be a member of the “Root” and “Lobby Ambassador” user groups at the same time (for details, see
the table in “Control the Tasks Users Can Perform (User Groups) ”, in Related Topics). If you are using
RADIUS to authenticate Prime Infrastructure users, make sure that you do not insert invalid user-group
membership combinations into the RADIUS user attribute/value pairs.
Step 1 Log in to Prime Infrastructure as an administrator.

Step 2 Choose Administration > Users > Users, Roles & AAA > Users.
Step 3 Click on the user name for the user whose memberships you want to change. The User Details page appears.
Step 4 On the General tab, under Groups Assigned to This User:
• Select the checkbox next to each user group to which you want the user to belong.
• Unselect the checkbox next to each user group from which you want the user to be removed.
Related Topics
Control the Tasks Web Interface Users Can Perform (User Groups), on page 173
View and Change the Tasks a Group Can Perform, on page 196
Create Virtual Domains to Control User Access to Devices, on page 211
Create Web GUI Users with Administrator Privileges

After installation, Prime Infrastructure has a web GUI root account named root. This account is used for
first-time login to the server to create:
• Web GUI users with Administrator privileges who will manage the product and features
• All other user accounts
You should not use the web GUI root account for normal operations. For security purposes, create a new web
GUI user with Administrator privileges (and access to all devices), and then disable the web GUI root account.
Step 1 Choose Administration > Users > Users, Roles & AAA, then choose Users.
Step 2 Click Add User.
Step 3 Enter the username in the Username text box.
Step 4 Enter a password. The new password must satisfy the conditions specified in the password policy. Click the ? icon to
view the password policy.
(Optional) Click the Generate New Password button to set a secured system-generated password. On clicking this button,
a new password will be displayed in the adjacent text box. The same is also displayed in the New Password and Confirm
Password text boxes. Click the eye icon in the text box to view or hide the password. You can also copy the password
to clipboard by clicking the Copy button.
Click the Reset button to clear the values in the text box.
Step 5 (Optional) Enter the First Name, Last Name, and Description for the user.
Step 6 Enter the email address in the Email Address text box.

199
Add and Delete Users
Step 7 In the General tab under Groups Assigned to This User, click Admin.
Step 8 Click the Virtual Domains tab to specify which devices the user can access. You should have at least one Admin web
GUI user that has access to all devices (ROOT-DOMAIN). For more information on virtual domains, see Create Virtual
Domains to Control User Access to Devices, on page 211.
Note If you select a parent virtual domain the child (subordinate) virtual domains under it will also get selected.
Step 9 Click Save.

Note Cisco Prime Infrastructure uses SHA-256 encoder from Spring Security.
What to do next
If you have not done so already, for security purposes, disable the web GUI root account as described in
Disable and Enable the Web GUI root User, on page 172.
Add and Delete Users

Before you create user accounts, create virtual domains to control device access so you can apply them during
account creation. Otherwise you will have to edit the user account to add the domain access. See Create Virtual
Domains to Control User Access to Devices, on page 211.
If you want to temporarily disable an account (rather than delete it), see Disable (Lock) a User Account, on
page 201.
Step 1 Choose Administration > Users > Users, Roles & AAA, then choose Users.
Step 2 Click Add User.
Step 3 Configure the user account.
a) Enter a username and password.
b) Enter the first name, last name, and a description for the user.
c) Control the actions the user can perform by selecting one or more user groups. For descriptions of user groups, see
View User Groups and Their Members, on page 176.
d) Control the devices a user can access by clicking the Virtual Domains tab and assigning domains to the user. (see
Create Virtual Domains to Control User Access to Devices, on page 211).
Step 4 Click Save.
Step 5 To delete user accounts, select a users, Click Delete User.
When you are deleting a stale local user, a popup window opens. Do one of the following:
• Click Delete/Pause Job(s), if you want to delete or pause the jobs associated with the deleted user. The jobs will
be displayed in the same page. Select the job(s), click Pause Job(s) or Delete Job(s) and click Proceed.
• Click Skip in the popup, if you want to delete the user without deleting or pausing the associated job(s).
• Click Cancel, if you do not want to delete the user.

200
Disable (Lock) a User Account
Disable (Lock) a User Account

Disable a user account when you temporarily want to disallow a user from logging in to the Prime Infrastructure
GUI. You might want to do this if a user is temporarily changing job functions. If the user tries to log in,
Prime Infrastructure displays a message saying the login failed because the account is locked. You can unlock
the account later without having to re-create the user. If you want to delete a user account, see Add and Delete
Users, on page 200.
User accounts may be disabled automatically if the password is not changed before expiration. Only an
administrator can reset the password in this case. See Change a User’s Password, on page 201 and Configure
Global Password Policies for Local Authentication, on page 209.
Step 1 Choose Administration > Users > Users, Roles & AAA, then click Users.
Step 2 Select the user whose access you want to disable or enable.
Step 3 Click Lock User(s) (or Unlock User(s)).
Change a User’s Password

You can force users to change their passwords on a regular basis using password rules (see Configure Global
Password Policies for Local Authentication, on page 209). Users can change their own passwords . If you need
to make an immediate change to a user's password, use this procedure.
Step 1 Choose Administration > Users > Users, Roles & AAA, then click Users.
Step 2 Click the username hyperlink.
Step 3 Enter the new password in the password fields, then click Save.
Configure Guest Account Settings

Prime Infrastructure administrators can choose to:
• Force all expired guest accounts to be deleted automatically.
• Limit Lobby Ambassadors' control over guest accounts to just those accounts they have created.
Both of these options impose restrictions on the latitude lobby ambassadors have to manage these temporary
guest accounts. For details on using lobby ambassador accounts, see "Using Lobby Ambassadors to Manage
Guest User Accounts" in Related Topics.

Step 2 Choose Administration > Settings > System Settings > General > Guest Account.
Step 3 Change radio button selections as follows:

201
Use Lobby Ambassadors to Manage Guest User Accounts
• Select Automatically remove expired guest accounts to have guest accounts whose lifetimes have ended moved
to the Expired state. Guest accounts in the Expired state are deleted from Prime Infrastructure automatically.
• Select Search and List only guest accounts created by this lobby ambassador to restrict Lobby Ambassadors to
modifying only the guest accounts that they have created. By default, any Lobby Ambassador can modify or delete
any guest account, irrespective of who created that account.
Step 4 Click Save.
Related Topics
Use Lobby Ambassadors to Manage Guest User Accounts, on page 202
Control the Tasks Web Interface Users Can Perform (User Groups), on page 173
Create Virtual Domains to Control User Access to Devices, on page 211
Use Lobby Ambassadors to Manage Guest User Accounts

Lobby ambassador accounts are a special kind of Prime Infrastructure administrative account used to add,
manage and retire temporary guest user accounts. Lobby ambassador accounts have very limited network
configuration privileges specified in the lobby ambassador profile, and have access only to those Prime
Infrastructure functions used to manage guest accounts.
Typically, an enterprise-supplied guest network allows access to the Internet for a guest without compromising
the enterprise's hosts. Web authentication is usually provided without a specialized client, so most guests will
need to initiate a VPN tunnel to their desired destination.
Prime Infrastructure permits both wired and wireless guest user access. Wired guest access enables guest users
to connect to the guest access network from a wired Ethernet connection designated and configured for guest
access. Wired guest access ports may be available via a guest office or through specific ports in a conference
room. Like wireless guest user accounts, wired guest access ports are added to the network using the lobby
ambassador feature.
The lobby ambassador can create the following types of guest user accounts:
• A guest user account with a limited lifetime. After the specified time period, the guest user account
automatically expires.
• A guest user account with an unlimited lifetime. This account never expires.
• A guest user account that is activated at a predefined time in the future. The lobby ambassador defines
the beginning and end of the valid time period.
Related Topics
Manage Guest User Accounts: Workflows, on page 202
Save Guest Accounts on a Device, on page 206
Edit Guest User Credentials, on page 206
Manage Guest User Accounts: Workflows

Lobby ambassadors can manage guest user accounts following this workflow
1. Create guest user accounts—While logged in as a lobby ambassador, create guest user accounts as needed.

202
Create Lobby Ambassador Accounts
2. Schedule guest user accounts—While logged in as a lobby ambassador, schedule automatic creation of
guest user accounts.
3. Print or email guest user details—While logged in as a Lobby Ambassador, print or email the guest user
account details to the host or person who will be welcoming the guests.
Prime Infrastructure administrators with full access can manage lobby ambassadors and their work using this
workflow:
1. Create lobby ambassador accounts—While logged in as a Prime Infrastructure administrator, create lobby
ambassador accounts as needed.
2. View lobby ambassador activities—While logged in as a Prime Infrastructure administrator, supervise
the lobby ambassador’s activities using the log.
Create Lobby Ambassador Accounts, on page 203
Create Guest User Accounts as a Lobby Ambassador, on page 204
Schedule Guest User Accounts, on page 204
Print or Email Guest User Details, on page 204
View Lobby Ambassador Activities, on page 205
Create Lobby Ambassador Accounts

Before you begin creating Lobby Ambassador accounts, you must ensure that you have proper time settings
on the devices (if you do not, you will incorrect account lifetimes on Guest User accounts after they are
discovered).

Step 2 Choose Administration > Users, Roles & AAA> Users.
Step 3 Choose Select a command > Add User > Go.
Step 4 Complete the required fields as follows:
a) In the Groups Assigned to this User section, select the Lobby Ambassador check box to access the Lobby Ambassador
Defaults tab.
b) Complete the required fields on the Lobby Ambassador Defaults tab.
c) Click the Virtual Domains tab to assign a virtual domain for this lobby ambassador account.
d) In the Available Virtual Domains list, click to highlight the virtual domain you want this user to access. Then click
Add to add it to the Selected Virtual Domains list.
Step 5 Click Save.
Related Topics
Login as a Lobby Ambassador

You must use the lobby ambassador username and password to log into the Prime Infrastructure user interface.
When you log in as a lobby ambassador, the Guest User page appears and provides a summary of all created
Guest Users.

203
Create Guest User Accounts as a Lobby Ambassador
Related Topics
Create Guest User Accounts as a Lobby Ambassador
Step 1 Log in to Prime Infrastructure as a lobby ambassador.

Step 2 Choose Select a command > Add User Group > Go.
Step 3 Complete the required fields on the General and Advanced tabs.
See reference guide for field descriptions.
Step 4 Click Save.
Related Topics
Schedule Guest User Accounts

Step 2 Choose Select a command > Schedule Guest User > Go.
Step 3 Configure the required parameters:
If the Generate new password on every schedule and No. days of the week check boxes are selected, then the user will
have one password for the entire time the account is active.
If the Generate new password on every schedule and Any days of the week check boxes are selected, then the user will
have a new password for each day.
Step 4 Click Save.
Related Topics
Print or Email Guest User Details

The lobby ambassador can print or e-mail the guest user account details to the host or person who welcomes
guests. The email or printed sheet will show the following account details:
• Guest user account name.

204
View Lobby Ambassador Activities
• Password for the guest user account.

• Start date and time when the guest user account becomes active.
• End date and time when the guest user account expires.
• Profile ID assigned to the guest user. Your administrator can advise which Profile ID to use.
• Disclaimer information for the guest user.

Step 2 On the Guest User page, select the check box next to the user name whose account details you want to send.
Step 3 Choose Select a command > Print/E-mail User Details > Go. Then proceed as follows:
• If you are printing, click Print. From the Print page, select a printer, and click Print.
• If emailing, click Email. From the Email page, enter the subject-line text and the email address of the recipient, then
click Send.
Related Topics
View Lobby Ambassador Activities

Prime Infrastructure administrators can supervise lobby ambassadors using the Audit Trail feature.
Step 1 Log into Prime Infrastructure as an administrator.

Step 2 Choose Administration > Users > Users, Roles & AAA > User Groups.
Step 3 Click the Audit Trail icon for the lobby ambassador account you want to view. The Audit Trail page for the lobby
ambassador appears. This page enables you to view a list of lobby ambassador activities over time.
• User login name
• Type of operation audited
• Time when the operation was audited
• Login success or failure
• Indicates the reason for any login failure (for example, “invalid password”).
Related Topics

205
Save Guest Accounts on a Device
Save Guest Accounts on a Device
Step 1 Log into Prime Infrastructure as a lobby ambassador.

Step 2 On the Guest User page, choose Save Guest Accounts on Device check box to save guest accounts to a Cisco Wireless
LAN Controller (WLC) flash so that they are maintained across WLC reboots.
Related Topics
Edit Guest User Credentials

Step 3 Click the user name whose credentials you want to edit.
Step 4 Modify the required credentials.
While editing, if the Profile selection is removed (changed to Select a profile ), the defaults are removed for this lobby
ambassador. The user must reconfigure the defaults to reinforce them.
Step 5 Click Save.
Related Topics
Find Out Which Users Are Currently Logged In

Use this procedure to find out who is currently logged into the Prime Infrastructure server. You can also view
a historical list of the actions performed by the user in the current web GUI session and past sessions.
Step 1 Choose Administration > Users > Users, Roles & AAA, then choose Active Sessions. Prime Infrastructure lists all
users that are currently logged in to the Prime Infrastructure server, including their client machine IP address. If the user
performed any actions on managed devices (for example, the user added new devices to Prime Infrastructure), the device
IP addresses are listed in the Device IP Address column.
Step 2 To view a historical list of all actions performed by this user, click the Audit Trail icon that corresponds to the user name.
Step 3 If you do not want any particular user to be logged in, select the user and click Force Log Out in the upper rigt corner.
Note Force Log Out is not applicable for SSO users.

206
View the Tasks Performed By Users (Audit Trail)
View the Tasks Performed By Users (Audit Trail)

Prime Infrastructure maintains a history of all actions performed by users in active and past web GUI sessions.
Follow these steps to view a historical list of tasks performed by a specific user or by all members of a specific
user group. The audit information includes a description of the task, the IP address of the client from which
the user performed the task, and the time at which the task was performed. If a task affects a managed device
(for example, a user adds a new device), the affected device's IP address is listed in the Device IP Address
column. If a change is made to multiple devices (for example, a user deploys a configuration template to
10 switches), Prime Infrastructure displays an audit entry for each switch.
To find out which users are currently logged into the Prime Infrastructure web GUI, see Find Out Which
Users Are Currently Logged In, on page 206.
To view audits that are not user-specific, see these topics:
• Audit Actions Executed from the GUI (System Audit), on page 255
• Audit Configuration Archive and Software Image Management Changes ( Change Audit Dashboard) ,
on page 253
• Audit Changes Made By Users (Change Audit), on page 253
Step 1 Choose Administration > Users > Users, Roles & AAA.
Step 2 To view the tasks performed by a specific user:
a. Choose Users.
b. Locate the user name, then click the Audit Trail icon corresponding to that user.
Step 3 To view a historical list of the tasks performed by all members of a user group:
a. Choose User Groups.
b. Locate the user group name, then click the Audit Trail icon corresponding to that group.
Configure Job Approvers and Approve Jobs

Use job approval when you want to control jobs that could significantly impact the network. If a job requires
approval, Prime Infrastructure sends an e-mail to the users configured as job approvers and does not run the
job until one of them approves it. If a job is rejected by an approver, the job is removed from the database.
By default, all jobs do not require approval.
If job approval is already enabled and you want to view jobs that need approval, approve a job, or reject a
job, choose Administration > Dashboards > Job Dashboard, then click the Job Approval link.
Selecting the check box against a job name enables the Approve and Reject buttons. This page displays
information such as, Job Name, Job Type, Creation Time, Created By, Approved By, and Status. You
can also view the devices that are scheduled for a particular job by clicking the > icon besides a job name.
This displays information such as, Device IP, Device Name, and Configuration in a tabular format. You can

207
Configure Job Notification Mail for User Jobs
filter the devices to be deployed based on the device IP and device name attributes by selecting either quick
filter or advanced filter options. You can also view the following information by the clicking the i icon.
• For a rollback job, it displays the running configuration and start-up configuration details.
• For an overwrite job, it explains the operation to be performed.
The Discovery and Config Archive options are removed from the Job Approval page from Cisco Prime
Infrastructure 3.2. If you have chosen the Discovery and Config Archive options in the previous versions of
Cisco Prime Infrastructure, the options will be available in higher versions of Cisco Prime Infrastructure, until
you deselect them.
Note Job approval is applicable only for scheduled jobs. When immediate jobs are triggered, the job will be expired
on approval.
To enable job approval and configure the jobs that require approval before running:
Step 1 Choose Administration > Settings > System Settings, then choose General > Job Approval.
Step 2 Check the Enable Job Approval check box.
Step 3 Find the jobs you want to configure for approval, and move them from the left field to the right field.
Step 4 Check the Enable Mail for Job Approval check box. By default this checkbox is unchecked.
Step 5 Enter the email addresses of the job approvers. By default the email address configured in the Mail Server Configuration
settings or the pre-configured email addresses will appear in the Approve Email ID textbox.
Step 6 Click Save.
Configure Job Notification Mail for User Jobs

You can configure Prime Infrastructure to send job notification mail for every user job if the Last_Run_Status
shows: Failure, Partial Success, and Success.Failure, SuccessCanceled, Scheduled or
Expired-Before-Approval.
Use this procedure to configure the job notification mail settings for user jobs.
Step 1 Select Administration > Settings > System Settings, then choose Mail and Notification > Job Notification Mail.
Step 2 Check the Enable Job Notification Mail check box to enable notifications.
Step 3 Enter the email addresses in the To text box. By default, the email address configured in the Mail Server Configuration
settings or the pre-configured email addresses appear in the To text box. You can configure an email server by performing
the steps explained in Configure Email Server Settings , on page 391
Step 4 Enter the subject of the job notification mail in the Subject text box. The subject is automatically appended by the job
name.
Step 5 Select the Job Status. You can select either Success, Partial Success, or Failure status options or both the options and
provide the recipient address.

208
Configure Global Password Policies for Local Authentication
Note Select the desired job type and click the checkbox under Job Success/Job Partial and/or Job Failure. The job
notification mails are triggered for the selected job status option(s).
Step 6 Select the Compliance Audit Job and Compliance Fix Job check boxes. The job notification mails are triggered for
the selected jobs.
Step 7 Click Save. The job notification mail is triggered only for the job status that you select and is sent only after the job
completion. You will not receive a job notification mail if the file size exceeds the size specified in the configured mail
server.
Configure Global Password Policies for Local Authentication

If you are using local authentication (Prime Infrastructure's authentication mechanism), you control the global
password policies from the web GUI. If you are authenticating Prime Infrastructure users using external
authentication, the policies are controlled by an external application (see Set Up External AAA Via CLI, on
page 372).
By default, users are not forced to change passwords after any period of time. To enforce password changes
and configure other password rules, choose Administration > Users > Users, Roles & AAA, then choose
Local Password Policy.
Note You must select the Change password on the first login check box to prompt the new users to change the
default password on their initial login to Prime Infrastructure. De-selecting this check box will launch the
Home Dashboard page on logging in.
Configure the Global Timeout for Idle Users

Prime Infrastructure provides two settings that control when and how idle users are automatically logged out:
• User Idle Timeout—You can disable or configure this setting, which ends your user session automatically
when you exceed the timeout. It is enabled by default and is set to 10 minutes.
• Global Idle Timeout—The Global Idle Timeout setting overrides the User Idle Timeout setting. The
Global Idle Timeout is enabled by default and is set to 10 minutes. Only users with administrative
privileges can disable the Global Idle Timeout setting or change its time limit.
By default, client sessions are disabled and users are automatically logged out after 15 minutes of inactivity.
This is a global setting that applies to all users. For security purposes, you should not disable this mechanism,
but you can adjust the timeout value using the following procedure. To disable/change the timeout for an idle
user, see Disable Idle User Timeout, on page 210
Step 1 Choose Administration > Settings > System Settings, then choose General > Server.
Step 2 In the Global Idle Timeout area, make sure the Logout all idle users check box is selected (this means the mechanism
is enabled).
Step 3 Configure the timeout by choosing a value from the Logout all idle users after drop-down list.

209
Disable Idle User Timeout
Step 4 Click Save. You will need to log out and log back in for this change to take effect.
Disable Idle User Timeout

By default, client sessions are disabled and users are automatically logged out after certain period of inactivity.
This is a global setting that applies to all users. To avoid being logged out during the installation, it is
recommended to disable automatic logout of idle users in the system settings using the following procedure.
Note The Global Idle Timeout setting overrides the User Idle Timeout setting. To configure Global Idle Timeout
settings, see CiscoPrime Infrastructure Administrator Guide.
Irrespective of the customer disabling the "Logout all idle users" in system settings and / Or disabling the
"Logout idle user" in the Root user my preference setting, the session will ultimately be timed out once the
web-server's session time out is reached. This is essentially to maintain the security posture. For more guidelines
on increasing/decreasing the session time out, see https://owasp.org/www-community/Session_Timeout
Note Session will be timed out only if it is inactive whereas active user sessions are not timed
Step 1 Choose Administration > Settings > System Settings, then choose General > Server.
Step 2 In the Global Idle Timeout area, uncheck the Logout all idle users check box and click Save.
Step 3 Click at the top right of web GUI window and choose My Preferences.
Step 4 In the User Idle Timeout area, uncheck the Logout idle user check box and click Save.
If you need to change the idle timeout value, then select Logout idle user check box and from the Logout idle user after
drop-down list, choose one of the idle timeout limits. (But this cannot exceed the value set in the Global Idle Timeout
settings.)
Step 5 Click Save. You will need to log out and log back in for this change to take effect.
Set Up the Maximum Sessions per User

Use this procedure to configure the maximum sessions per user using the web GUI.
Step 2 To set the maximum sessions per user, enter the value in the Max Sessions text box. You can enter any value from 1 to
50 and the default value is 5.
Step 4 Restart the Cisco Prime Infrastructure server to apply the changes.

210
Create Virtual Domains to Control User Access to Devices
Note The session limit is applicable only for Local, RADIUS, and TACACS+ servers. The session limit is not
applicable for HA and SSO modes.
Create Virtual Domains to Control User Access to Devices

• What Are Virtual Domains?, on page 211
• How Virtual Domains Affect Prime Infrastructure Features, on page 211
• Create New Virtual Domains, on page 213
• Import a List of Virtual Domains, on page 215
• Add Network Devices to Virtual Domains, on page 215
• Assign Virtual Domains to Users, on page 217
• Export the Prime Infrastructure Virtual Domain Attributes for RADIUS and TACACS+
• Edit a Virtual Domain, on page 217
• Delete a Virtual Domain, on page 217
What Are Virtual Domains?

Virtual domains are logical groupings of devices, sites, and other NEs, and are used to control who has access
to those NEs. You choose which elements are included in a virtual domain and which users have access to
that virtual domain. Virtual domains can be based on physical sites, device types, user communities, or any
other designation you choose. All devices belong to ROOT-DOMAIN, which is the parent domain for all new
virtual domains.
Virtual domains work in conjunction with user groups. Virtual domains control the devices a user can access,
while user groups determine the actions a user can perform on those devices. Users with access to a virtual
domain (depending on their privileges) can configure devices, view alarms, and generate reports for the NEs
in their virtual domain.
You can create virtual domains after you have added devices to Prime Infrastructure. Each virtual domain
must have a name and can have an optional description, email address, and time zone. Prime Infrastructure
uses the email address and time zone that you specify to schedule and email domain-specific reports.
Users work in one virtual domain at a time. Users can change the current virtual domain by choosing a different
one from the Virtual Domain drop-down list .
Before you set up virtual domains, determine which users are responsible for managing particular areas of
the network. Then organize your virtual domains according to those needs—for example, by geography, by
device type, or by the user community served by the network.
How Virtual Domains Affect Prime Infrastructure Features

Virtual domains are organized hierarchically. The ROOT-DOMAIN domain includes all virtual domains.

211
Reports and Virtual Domains
Because network elements are managed hierarchically, user views of devices—as well as some associated
features and components—are affected by the user's virtual domain. The following topics describe the effects
of virtual domains on these features.
• Reports and Virtual Domains, on page 212
• Search and Virtual Domains, on page 212
• Alarms and Virtual Domains, on page 212
• Maps and Virtual Domains, on page 212
• Configuration Templates and Virtual Domains, on page 212
• Config Groups and Virtual Domains, on page 213
• Email Notifications and Virtual Domains, on page 213
Reports and Virtual Domains

Reports only include components that belong to the active virtual domain. A parent virtual domain cannot
view reports from its child domains. New components are only reflected in reports that are generated after
the components were added.
Search and Virtual Domains

Search results only include components that belong to the active domain. You can only view saved search
results if you are in the same domain from which the search was performed and saved. When working in a
parent domain, you cannot view the results of searches performed in child domains.
Alarms and Virtual Domains

When a component is added to a virtual domain, no previous alarms for that component are visible to that
virtual domain . Only new alarms are visible. For example, if a network element is added to Prime Infrastructure,
and that network element generated alarms before and after it was added, its alarm history would only include
alarms generated after it was added.
Note For alarm email notifications, only the ROOT-DOMAIN virtual domain can enable Location Notifications,
Location Servers, and Prime Infrastructure email notifications.
Maps and Virtual Domains

Maps only display network elements that are members of the active virtual domain.
Configuration Templates and Virtual Domains

When you create or discover a configuration template in a virtual domain, it can only be applied to network
elements in that virtual domain. If you apply a template to a device and then add that device to a child domain,
the template is also available to the same device in the child domain.

212
Config Groups and Virtual Domains
Note If you create a child domain and then apply a configuration template to both network elements in the virtual
domain, Prime Infrastructure might incorrectly reflect the number of partitions to which the template was
applied.
Config Groups and Virtual Domains

A parent domain can view the network elements in a child domain's configuration groups. The parent domain
can also edit the child domain's configuration groups.
Email Notifications and Virtual Domains

Email notifications can be configured per virtual domain.
For alarm email notifications, only the ROOT-DOMAIN can enable Location Notifications, Location Servers,
and email notifications.
Create New Virtual Domains

To create a new virtual domain, use one of the following procedures depending on the desired hierarchy of
the virtual domain.
To create a new virtual domain (new-domain) here: See this procedure:
ROOT-DOMAIN > new-domain Create Virtual Domains Directly Under

ROOT-DOMAIN, on page 213
ROOT-DOMAIN > existing-domain > new-domain Create Child Virtual Domains

(Subdomains), on page 214
ROOT-DOMAIN > existing-domain > existing-domain >
new-domain
(etc.)
Create Virtual Domains Directly Under ROOT-DOMAIN

The following procedure creates an empty virtual domain under ROOT-DOMAIN. You can also create
multiple virtual domains at one time by using the procedure in Import a List of Virtual Domains, on page 215.
If a virtual domain already exists under ROOT-DOMAIN, and you want to create a new domain under it (a
child domain), see Create Child Virtual Domains (Subdomains), on page 214.
Step 1 Choose Administration > Users > Virtual Domains.

Step 2 In the Virtual Domains sidebar menu, click the + icon (Add New Domain).
Step 3 Enter a name in the Name text box. This is required.
Step 4 (Optional) Enter the new domain's time zone, email address and description.
Step 5 Click Submit to view a summary of the newly-created virtual domain.

213
Create Child Virtual Domains (Subdomains)
What to do next
Add devices to the virtual domain as described in Add Network Devices to Virtual Domains, on page 215.
Create Child Virtual Domains (Subdomains)

The following procedure creates a child virtual domain (also called a subdomain). A child virtual domain is
a domain that is not directly under ROOT-DOMAIN; it is under a domain that is under ROOT-DOMAIN.
Do not use this procedure if you want the new virtual domain to appear directly under ROOT- DOMAIN. In
that case, see Create Virtual Domains Directly Under ROOT-DOMAIN, on page 213.

Step 2 In the Virtual Domains sidebar menu:
a) Locate the domain under which you want to create a new child domain. (This is called the parent domain.) In this
example, the parent domain is California.
b) Click the information (i) icon next to the domain name. This opens a data popup window.
c) In the popup window, click Create Sub Domain. The navigation pane switches to the list view, with the parent
domain California displayed above Untitled.
Step 3 Enter a name in the Name text box. This is required. In this example, the new child domain is named Los Angeles. (The
name in the navigation pane will not change from Untitled to Los Angeles until you save the new child domain.)
Step 4 (Optional) Enter the new domain's time zone, email address and description.
Step 5 Click Submit and confirm the creation of the new child domain. To revert back to the hierarchical view, click the view
toggle button at the top of the navigation pane.
The view reverts to the hierarchical view.

214
Import a List of Virtual Domains
What to do next
Add devices to the virtual domain as described in Add Network Devices to Virtual Domains, on page 215.
Import a List of Virtual Domains

If you plan to create many virtual domains, or give them a complex hierarchy, you will find it easier to specify
them in a properly formatted CSV file, and then import it. The CSV format allows you to specify a name,
description, time zone, and email address for each virtual domain you create, as well as each domain's parent
domain. Adding network elements to the virtual domains must be performed separately.

Step 2 Click the Import Domain(s) icon, download a sample CSV file from the link provided in the popup, and prepare the
CSV file.
Step 3 Click Choose File and navigate to your CSV file.
Step 4 Click Import to import the CSV and create the virtual domains you specified.
What to do next
Add devices to the virtual domains as explained in Add Network Devices to Virtual Domains, on page 215.
Add Network Devices to Virtual Domains

Use this procedure to add network devices to a virtual domain. When you add a new network device to an
existing virtual domain, the device becomes immediately accessible to users with access to that domain (users
do not have to restart the web GUI).

215
Add Groups to Virtual Domains
Step 2 From the Virtual Domains sidebar menu, click the virtual domain to which you want to add network devices.
Step 3 Click Network Devices tab. You can either add network devices by group or add a network device to a specific location
group.
Step 4 To add devices from groups, in the Selected Network Devices by Group section, click Add, and the Add Group pop-up
appears, which lists the applicable location and user-defined groups. Select the group to which you need to add the device
and click Select to add the groups to the Selected Network Devices by Group table. These groups will not have create,
read, update and delete privileges.
Step 5 In the Selected Network Devices section, click Add and the Select Network Devices pop-up appears. Here, a Filter By
drop-down list is available to filter the network devices based on functionality.
Step 6 From the Filter By drop-down list, choose a network device. Select the required devices from the Available Network
Devices table and click Select to add the devices to the Selected Network Devices table. These devices will not have
create, read, update and delete privileges.
Step 7 Click Submit to view the summary of the virtual domain contents.
Step 8 Click Save to confirm your changes.
What to do next
Give users access to the virtual domain as described in Assign Virtual Domains to Users, on page 217.
Add Groups to Virtual Domains

Use this procedure to add device groups to a virtual domain.

Step 3 From the Virtual Domains sidebar menu, click a virtual domain to which you want to add a location group.
Step 4 On the Groups tab, click Add to view the list of available location and user-defined groups.
The Add Group window appears.
Step 5 The Add Group window lists only those groups that are applicable to you, which can be added to the virtual domains.
Select the required group check box under All Locations, and click Select to add the devices to the Selected Groups table.
Note If the selected group is a parent group, all of its child groups gets automatically added to the virtual domain.
Step 6 Click Submit to view the summary of the virtual domain.

Step 7 Click Save to confirm the changes.
These groups added from the Groups tab will have create, read, update and delete privileges.
Step 8 Proceed to create Users accounts.

216
Assign Virtual Domains to Users
Assign Virtual Domains to Users

Once a virtual domain is assigned to a user account, the user is restricted to viewing and performing operations
on the devices in their assigned domain(s).
Note When using external AAA, be sure to add the custom attributes for virtual domains to the appropriate user or
group configuration on the external AAA server. See Use Prime Infrastructure Virtual Domains with RADIUS
and TACACS+, on page 218.
Step 2 Select the user to whom you want to grant device access.
Step 3 Click the Virtual Domains tab.
Step 4 Use the Add and Remove buttons to make your assignment changes, then click Save.
Edit a Virtual Domain

To adjust a virtual domain, choose it from the Virtual Domain Hierarchy on the left sidebar menu to view or
edit its assigned network devices. You cannot edit any of the settings for ROOT-DOMAIN.

Step 2 Click the virtual domain you want to edit in the Virtual Domains sidebar menu.
Step 3 To adjust the name, email address, time zone, or description, enter your changes in the text boxes.
Step 4 To adjust device members:
• To add devices, click Add and follow the instructions in Add Network Devices to Virtual Domains, on page 215.
• To delete devices, select the devices using their check boxes, then click Delete.
Step 5 Click Submit, then check the summary of your changes.

Step 6 Click Save to apply and save your edits.
Delete a Virtual Domain

Use this procedure to delete a virtual domain from Prime Infrastructure. This procedure only deletes the virtual
domain; it does not delete the network elements from Prime Infrastructure (the network elements will continue
to be managed by Prime Infrastructure).
Before you begin

You can only delete a virtual domain if:
• The virtual domain does not contain any network elements and does not have any child domains.

217
Use Prime Infrastructure Virtual Domains with RADIUS and TACACS+
• It is not the only domain a user can access. In other words, if a Prime Infrastructure user has access to
only that domain, you cannot delete it.
• No users are logged into the domain.

Step 2 In the Virtual Domains sidebar menu, click the information (i) icon next to the virtual domain name. This opens a data
popup window.
Step 3 In the popup window, click Delete.
Step 4 Click OK to confirm deleting the virtual domain.
Use Prime Infrastructure Virtual Domains with RADIUS and TACACS+

Your RADIUS or TACACS+ servers must be configured to recognize the virtual domains that exist in Prime
Infrastructure. You can do this using the procedure in Export the Prime Infrastructure Virtual Domain Attributes
for RADIUS and TACACS+.
If your RADIUS or TACACS+ server does not have any virtual domain information for a user, the following
occurs, depending on the number of virtual domains that are configured in Prime Infrastructure:
• If Prime Infrastructure has only one virtual domain (ROOT-DOMAIN), the user is assigned the
ROOT-DOMAIN by default.
• If Prime Infrastructure has multiple virtual domains, the user is prevented from logging in.
Export the Prime Infrastructure Virtual Domain Attributes for RADIUS and TACACS+
If you are using RADIUS or TACACS+, you must copy all Prime Infrastructure virtual domain information
into your Cisco ACS or Cisco ISE server. You can do this using the Prime Infrastructure Virtual Domains
Custom Attributes dialog box provided in the web GUI. If you do not export the data into your Cisco ACS
or Cisco ISE server, Prime Infrastructure will not allow users to log in.
The following information must be exported, depending on the protocol you are using:
• TACACS+—Requires virtual domain, role, and task information.
• RADIUS—Requires virtual domain and role information (tasks are automatically added).
When you create a child domain for an existing virtual domain, the sequence numbers for the
RADIUS/TACACS+ custom attributes are also updated in the parent virtual domain. These sequence numbers
are for representation only and do not impact AAA integration.
Information in the Virtual Domains Custom Attributes dialog is preformatted for use with Cisco ACS server.
Note When you add tasks to the external server, be sure to add the Home Menu Access task. It is mandatory for
all users.

218
Configure Local Authentication
Before you begin

Make sure you have added the AAA server and configured the AAA mode as explained in Configure External
Authentication.
Step 1 In Prime Infrastructure:

a) Choose Administration > Users > Virtual Domains.
b) Click Export Custom Attributes at the top right of the window. This opens the Virtual Domain Custom Attributes
dialog.
c) Copy the attributes list.
• If you are using RADIUS, right-click all of the text in the RADIUS Custom Attributes field and choose Copy.
• If you are using TACACS+, right-click all of text in the TACACS+ Custom Attributes field and choose Copy.
Step 2 Paste the information into your Cisco ACS or Cisco ISE server. If you have not yet added this information to Cisco ACS
or Cisco ISE, see:
• Use Cisco ISE With RADIUS or TACACS+ for External Authentication
Configure Local Authentication

Prime Infrastructure uses local authentication by default, which means that user passwords are stored and
verified from the Prime Infrastructure database. To check the authentication mode that is being used, choose
Administration > Users > Users, Roles & AAA, then choose AAA Mode Settings. The selection is displayed
on the AAA Mode Settings page. If you are using local authentication, be sure to configure strong password
policies. See Configure Global Password Policies for Local Authentication, on page 209.
If you want to use SSO with local authentication, see Use SSO With Local Authentication, on page 219.
Use SSO With Local Authentication

To use SSO with local authentication, you must add the SSO server and then configure Prime Infrastructure
to use SSO in local mode.
Prime Infrastructure does not support localization on the SSO sign-in page.
The following topics describe how to configure SSO for external authentication, but you can use the same
procedures to configure SSO for local authentication. The only difference is that when you configure the SSO
mode on the Prime Infrastructure server, choose Local mode (not RADIUS or TACACS+).
• Add the SSO Server
• Configure SSO Mode on the Prime Infrastructure Server, on page 234

219
Configure External Authentication
Configure External Authentication

Users with web GUI root user or SuperUser privileges can configure Prime Infrastructure to communicate
with external RADIUS, TACACS+, and SSO servers for external authentication, authorization, and accounting
(AAA). If you choose to configure external authentication, the user groups, users, authorization profiles,
authentication policies, and policy rules must be created in the external server through which all access requests
to Prime Infrastructure will be routed.
You can use a maximum of three AAA servers. Users are authenticated on the second server only if the first
server is not reachable or has network problems.
If you want to configure external authentication from the CLI, see Set Up External AAA Via CLI.
See the following topics for more information.
• Use RADIUS or TACACS+ for External Authentication
• Use Cisco ISE With RADIUS or TACACS+ for External Authentication
• Use SSO with External Authentication
Integrate Prime Infrastructure with an LDAP Server

Prime Infrastructure supports external authentication using an LDAP server. If you are interested in this
configuration, contact your Cisco representative.
Use RADIUS or TACACS+ for External Authentication

This topic explains how to configure to use RADIUS or TACACS+ servers.
• Add a RADIUS or TACACS+ Server to Cisco Prime Infrastructure
Add a RADIUS or TACACS+ Server to Prime Infrastructure

TACACS uses three way handshake packet approach to authenticate and authorize the login credentials. As
per TACACS+ RFC standard it is expected to have 2 authentication packet/1 authorization packet for PAP
mode and 1 authentication packet/1 authorization packet for CHAP mode.
To add a RADIUS or TACACS+ server to Prime Infrastructure:
Step 1 Choose Administration > Users > Users, Roles & AAA, then choose RADIUS Servers.
Step 2 Select the type of server you want to add.
• For RADIUS, choose RADIUS Servers > click Add RADIUS Server.
• For TACACS+, choose TACACS+ Servers > click Add TACACS+ Server.
Note You can use Move Up and Move Down arrow to reorder the available IP address.

220
Configure RADIUS or TACACS+ Mode on the Prime Infrastructure Server
Step 3 Enter the required information—IP address, DNS Name, and so forth. For Prime Infrastructure to communicate with the
external authentication server, the shared secret you enter on this page must match the shared secret configured on the
RADIUS or TACACS+ server. You can use alphabets, numbers, and special characters except ‘ (single quote) and “
(double quote) while entering the shared secret key for a third-party TACACS+ or RADIUS server.
Step 4 Select the authentication type.
• PAP—Password-based authentication is the protocol where two entities share a password in advance and use the
password as the basis of authentication.
• CHAP—Challenge-Handshake Authentication Protocol requires that both the client and server know the plain text
of the secret, although it is never sent over the network. CHAP provides greater security than Password Authentication
Protocol (PAP).
Step 5 If you have enabled the High Availability feature and configured a virtual IP address for the Local Interface IP, choose
either the virtual IP address or the physical IP address of the primary server. See Cisco Prime Infrastructure Quick Start
Guide.
Note The IP address configured in the external authentication server must match the Local Interface IP.
Step 6 Click Test to check the connectivity of the AAA server. The connectivity test will pass only if the port, authentication
type and shared key you have entered matches with the TACACS or RADIUS server.
Note Only server reachability is tested for RADIUS server.
Step 7 Click Save.

Note You can search for a server(s) with the search field provide below the headers.
Note To delete any of the servers added, select the server(s) to be deleted from the list and click:
• Delete RADIUS Server, to delete Radius server.
• Delete TACACS Sever, to delete TACACS server.
Configure RADIUS or TACACS+ Mode on the Prime Infrastructure Server
Step 1 Log in to Prime Infrastructure as Super User.

Step 2 Choose Administration > Users > Users, Roles & AAA, then choose AAA Mode.
Step 3 Select TACACS+ or RADIUS.
Note We recommend you to set the value as "true" for the field AAARemoteAddressEnabled in the
/opt/CSCOlumos/conf/ usermgmt.properties file through CLI, in order to display the client IP or System IP as
the value of Remote Address under TACACS reports in the ACS server.
Step 4 Check the Enable Fallback to Local check box to enable the use of the local database when the external AAA server is
down.
Step 5 If you want to revert to local authentication if the external RADIUS or TACACS+ server goes down, perform the following
steps:
a) Select Enable Fallback to Local. If you disable this option Prime Infrastructure will read only the first server and
the users added in the first server will be authenticated.
b) Specify the conditions under which the fallback to local Prime Infrastructure user account authentication occurs:

221
• ONLY on no server response: Only when the external server is unreachable or has network problems. If you
select this option, you will be able to login as AAA user only.
• on authentication failure or no server response : Either w hen the external server is unreachable or has network
problems or the external AAA server cannot authenticate the user. If you select this option, you will be able to
login as both local user and AAA user.
For AAA mode, SuperUser is always locally authenticated.
Step 6 Click Save.
Note Cisco Prime Infrastructure supports only Cisco ACS and ISE servers in the AAA mode.

If you change the IP address of the Prime Infrastructure server after you add a TACACS+ or RADIUS server,
you must manually configure the TACACS+ or RADIUS server with the new IP address of the Prime
Infrastructure server. Prime Infrastructure stores in cache the local interface on which the RADIUS or
TACACS+ requests are sent, and you need to manually edit the RADIUS or TACACS+ server configurations
to make sure the Prime Infrastructure IP address is updated.
Related Topics
Renew AAA Settings After Installing a New Prime Infrastructure Version, on page 222
Renew AAA Settings After Installing a New Prime Infrastructure Version

If you were using external RADIUS or TACACS+ user authentication before migrating your existing data to
a new version of Prime Infrastructure, you must transfer the expanded Prime Infrastructure user task list to
your AAA server. After you upgrade Prime Infrastructure, you must re-add any permissions on the TACACS+
or RADIUS server and update the roles in your TACACS server with the tasks from the Prime Infrastructure
server.
Related Topics
Required TACACS+/RADIUS Configurations After Prime Infrastructure IP Address Changes, on page
222
Use Cisco ISE With RADIUS or TACACS+ for External Authentication

Cisco Identity Services Engine (ISE) uses the RADIUS or TACACS+ protocols for authentication, authorization,
and accounting (AAA). You can integrate Prime Infrastructure with Cisco ISE to authenticate the Prime
Infrastructure users using the RADIUS or TACACS+ protocols. When you use external authentication, the
details such as users, user groups, passwords, authorization profiles, authorization policies, and policy rules
that are required for AAA must be stored and verified from the Cisco ISE database.
Complete the following tasks to use Cisco ISE with the RADIUS or TACACS+ protocol for external
authentication:

222
Supported Versions of Cisco ISE in Prime Infrastructure
Tasks to be completed to use Cisco ISE for external authentication For information, see:
Make sure you are using a supported version of Cisco ISE Supported Versions of Cisco ISE
in Prime Infrastructure, on page 223
Add Prime Infrastructure as an AAA client in Cisco ISE Add Prime Infrastructure as a
Client in Cisco ISE, on page 224
Create a user group in Cisco ISE Create a User Group in Cisco ISE,
on page 224
Create a user in Cisco ISE and add the user to the user group that is Create a User and Add the User to
created in Cisco ISE a User Group in Cisco ISE, on page
224
(If using RADIUS) Create an authorization profile for network access Create an Authorization Profile for
in Cisco ISE, and add the RADIUS custom attributes with user roles RADIUS in Cisco ISE, on page 224
and virtual domains created in Prime Infrastructure
Note For RADIUS, you do not need to add the attributes for user
tasks. They are automatically added based on the user roles.
(If using TACACS+) Create an authorization profile for network access Create an Authorization Profile for
in Cisco ISE, and add the TACACS+ custom attributes with user roles TACACS+ in Cisco ISE, on page
and virtual domains created in Prime Infrastructure 225
Note For TACACS+, you need not add the attributes for user tasks.
They are automatically added based on the user roles.
Create an authorization policy in Cisco ISE and associate the policy Configure an Authorization Policy
with the user groups and authorization profile created in Cisco ISE for RADIUS in Cisco ISE, on page
227Configure an Authorization
Policy for TACACS in Cisco ISE,
on page 227
Create an authentication policy to define the protocols that Cisco ISE Create an Authentication Policy in
must use to communicate with Prime Infrastructure, and the identity Cisco ISE, on page 228
sources that it uses for authenticating users to Prime Infrastructure
Add Cisco ISE as a RADIUS or TACACS+ server in Prime Add a RADIUS or TACACS+
Infrastructure Server to Prime Infrastructure
Configure the RADIUS or TACACS+ mode on the Prime Infrastructure Configure RADIUS or TACACS+
server Mode on the Prime Infrastructure
Server, on page 221
Supported Versions of Cisco ISE in Prime Infrastructure

Prime Infrastructure supports Cisco ISE from 2.1 Release onwards.

223
Add Prime Infrastructure as a Client in Cisco ISE
Add Prime Infrastructure as a Client in Cisco ISE
Step 1 Log in to Cisco ISE as the admin user.

Step 2 Choose Administration > Network Resources > Network Devices.
Step 3 In the Network Devices page, click Add.
Step 4 Enter the device name and IP address of the Prime Infrastructure server.
Step 5 Check the Authentication Settings check box, and then enter the shared secret.
Note Ensure that this shared secret matches the shared secret you enter when adding the Cisco ISE server as the
RADIUS server in Prime Infrastructure.
Step 6 Click Submit.
Create a User Group in Cisco ISE

Step 2 Choose Administration > Identity Management > Groups.
Step 3 In the User Identity Groups page, click Add.
Step 4 In the Identity Group page, enter the name and description of the user group.
Create a User and Add the User to a User Group in Cisco ISE

Step 2 Choose Administration > Identity Management > Identities.
Step 3 In the Network Access Users page, click Add.
Step 4 From the Select an item drop-down list, choose a user group to assign the user to.
Create an Authorization Profile for RADIUS in Cisco ISE

You create authorization profiles to define how different types of users are authorized to access the network.
For example, you can define that a user attempting to access the network over a VPN connection is treated
more strictly than a user attempting to access the network through a wired connection.
When you create an authorization profile for device administration, you must add the RADIUS custom
attributes that are associated with user roles, tasks, and virtual domains created in Prime Infrastructure.

224
Create an Authorization Profile for TACACS+ in Cisco ISE
Note For RADIUS, you can add the user role attributes without adding the task attributes. The tasks are automatically
added with the user roles.
For more information about Cisco ISE authorization profiles, see the information on managing authorization
policies and profiles in the Cisco Identity Services Engine Administrator Guide.
To create an authorization profile for RADIUS in Cisco ISE:
Before you begin

Make sure you have the complete list of the following Prime Infrastructure custom attributes for RADIUS.
You will need to add this information to Cisco ISE in this procedure.
• Prime Infrastructure user roles and tasks—see Export the Prime Infrastructure User Group and Role
Attributes for RADIUS and TACACS+, on page 197
• Prime Infrastructure virtual domains—see Export the Prime Infrastructure Virtual Domain Attributes
for RADIUS and TACACS+

Step 2 Choose Policy > Policy Elements > Results.
Step 3 From the left sidebar, choose Authorization > Authorization Profiles.
Step 4 In the Standard Authorization Profiles page, click Add.
Step 5 In the Authorization Profile page, enter the name and description of the authorization profile.
Step 6 From the Access Type drop-down list, choose ACCESS_ACCEPT.
Step 7 In the Advanced Attributes Settings area, paste in the complete list of RADIUS custom attributes for:
• User roles
• Virtual domains
Note If you do add user tasks, be sure to add the Home Menu Access task. It is mandatory.
Note For Operations Center, you must export NBI Read and NBI Write attributes.

When you create an authorization profile for device administration, you must add the TACACS+ custom
attributes that are associated with user roles and virtual domains created in Prime Infrastructure.

225
Note • For TACACS+, you need not add the attributes for user tasks. They are automatically added based on
the user roles.
• In Release 8.5.135.0, the creation of Authorization server is deprecated. To create an Authorization
server, you must create an Authentication server and duplicate it as an Authorization server. Due to this
change in functionality, an alarm is generated in Cisco Prime Infrastructure 3.2 as follows:
1.Successfully created Authentication server. 2.Failed to create
authorization server:SNMP operation to Device failed: Set Operation
not allowed for TACACS authorization server.1.Successfully created
Accounting server.
The workaround on Cisco Prime Infrastructure is to uncheck the Authorization server on the template.
For more information, see CSCvm01415.
For more information about Cisco ISE authorization profiles, see the information on managing authorization
policies and profiles in the Cisco Identity Services Engine Administrator Guide.
To create an authorization profile for TACACS+ in Cisco ISE:

Step 2 Choose Work Centers > Device Administration > Policy Elements > Results.
Step 3 From the left sidebar, choose TACACS Profiles.
Step 4 In the TACACS Profiles page, click Add.
Step 5 In the TACACS Profile page, enter the name and description of the authorization profile.
Step 6 In the Raw View area, paste in the complete list of TACACS+ custom attributes for:
• User roles, including the tasks
• Virtual domains
Note • From Prime Infrastructure Release 3.2 role based TACACS+ authentication is enabled by default.
• It is sufficient to add User roles and Virtual domains alone. If you do add user tasks, be sure to add the
Home Menu Access task.
• You must set the value of the tacsacsServerTaskPref property in the file
/opt/CSCOlumos/conf/usermgmt.properties to true and click Save in Administration > Users > Users,
Roles & AAA > AAA Mode Settings Page, in order to enable task based TACACS authentication.

226
Configure an Authorization Policy for RADIUS in Cisco ISE
Configure an Authorization Policy for RADIUS in Cisco ISE

An authorization policy consists of a rule or a set of rules that are user-defined and produce a specific set of
permissions, which are defined in an authorization profile. Based on the authorization profile, access requests
to Prime Infrastructure are processed.
There are two types of authorization policies that you can configure:
• Standard—Standard policies are intended to be stable and are created to remain in effect for long periods
of time, to apply to a larger group of users, devices, or groups that share a common set of privileges.
• Exception—Exception policies are created to meet an immediate or short-term need, such as authorizing
a limited number of users, devices, or groups to access network resources. An exception policy lets you
create a specific set of customized values for an identity group, condition, or permission that are tailored
for one user or a subset of users.
For more information about authorization policies, see the “Manage Authorization Policies and Profiles”
chapter in the Cisco Identity Services Engine Administrator Guide.
To create an authorization policy in Cisco ISE:

Step 2 Choose Policy > Authorization.
Step 3 In the Standard area, click the down arrow on the far right and select either Insert New Rule Above or Insert New
Rule Below.
Step 4 Enter the rule name and choose identity group, condition, attribute, and permission for the authorization policy.
For example, you can define a user group as Prime Infrastructure-System Monitoring-Group and choose this group from
the Identity Groups drop-down list. Similarly, define an authorization profile as Prime Infrastructure-System
Monitoring-authorization profile and choose this profile from the Permissions drop-down list. Now, you have defined a
rule where all users belonging to the Prime Infrastructure System Monitoring identity group receive an appropriate
authorization policy with system monitoring custom attributes defined.
Step 5 Click Done, and then click Save.
Configure an Authorization Policy for TACACS in Cisco ISE

To create an authorization policy for TACACS in Cisco ISE:

Step 2 Choose Device Work Centers > Device Administration > Device admin Policy Sets.
Step 3 Choose Default in the left side pane.
Step 4 In the Authorization Policy area, click the down arrow on the far right and select either Insert New Rule Above or
Insert New Rule Below.
Step 5 Enter the rule name and choose identity group, condition, Shell Profile for the authorization policy.
For example, you can define a user group as Prime Infrastructure-SystemMonitoring-Group and choose this group from
the Identity Groups drop-down list. Similarly, define an authorization profile as Prime
Infrastructure-SystemMonitoring-authorization profile and choose this profile from the Permissions drop-down list. Now,

227
Create an Authentication Policy in Cisco ISE
you have defined a rule where all users belonging to the Prime Infrastructure System Monitoring identity group receive
an appropriate authorization policy with system monitoring custom attributes defined.
Step 6 Click Save.
Create an Authentication Policy in Cisco ISE

Authentication policies define the protocols that Cisco ISE uses to communicate with Prime Infrastructure,
and the identity sources that it uses for authenticating users to Prime Infrastructure. An identity source is an
internal or external database where the user information is stored.
You can create two types of authentication policies in Cisco ISE:
• Simple authentication policy - In this policy, you can choose the allowed protocols and identity sources
to authenticate users.
• Rule-based authentication policy - In this policy, you can define conditions that allow Cisco ISE to
dynamically choose the allowed protocols and identity sources.
For more information about authentication policies, see the "Manage Authentication Policies" chapter in the
Cisco Identity Services Engine Administrator Guide.
To create an authentication policy in Cisco ISE:
Step 1 Log in to Cisco ISE as the Super Admin or System Admin user.
Step 2 Choose Policy > Authentication.
Step 3 Choose the Policy Type as Simple or Rule-Based to create the required authentication policy.
Step 4 Enter the required details based on the policy type selected.
Step 5 Click Save.
Use Cisco ACS With RADIUS or TACACS+ for External Authentication

Cisco Secure Access Control System (ACS) uses RADIUS and TACACS+ protocol for authentication,
authorization, and accounting (AAA).You can integrate Prime Infrastructure with Cisco ACS to authenticate
the Prime Infrastructure users using the RADIUS or TACACS+ protocol. When you use an external
authentication, the details such as users, user roles, passwords, authorization profiles, authorization policies,
and policy rules that are required for AAA must be stored and verified from the Cisco ACS database.
Complete the following tasks to use Cisco ACS with the RADIUS or TACACS+ protocol for external
authentication:
Tasks to be completed to use Cisco ACS for external authentication For information, see:
Make sure you are using a supported version of Cisco ACS Supported Versions of Cisco ACS
in Prime Infrastructure
Add Prime Infrastructure as an AAA client in Cisco ACS Add Prime Infrastructure as a
Client in Cisco ACS
Create a user group in Cisco ACS Create a User Group in Cisco ACS

228
Supported Versions of Cisco ACS in Prime Infrastructure
Create a user in Cisco ACS and add the user to the Cisco ACS user Create a User and Add the User to
group a User Group in Cisco ACS
(If using RADIUS) Create an authorization profile for network access Create an Authorization Profile for
in Cisco ACS, and add the RADIUS custom attributes for user roles and RADIUS in Cisco ACS
virtual domains created in Prime Infrastructure.
Note For RADIUS, you do not need to add the attributes for user
tasks. They are automatically added based on the user roles.
(If using TACACS+) Create an authorization profile for device Create an Authorization Profile for
administration in Cisco ACS, and add the TACACS+ custom attributes TACACS+ in Cisco ACS
with user roles and virtual domains created in Prime Infrastructure.
Note For TACACS+, you need not add the attributes for user tasks.
They are automatically added based on the user roles.
Create an access service in Cisco ACS and define a policy structure for Create an Access Service for Prime
the access service. Infrastructure in Cisco ACS
Create an authorization policy rule in Cisco ACS, and map the Create an Authorization Policy
authorization or shell profile based on the access type (network access Rule in Cisco ACS
or device administration).
Configure a service selection policy in Cisco ACS and assign an access Configure a Service Selection
service to an incoming request. Policy in Cisco ACS
Add Cisco ACS as a RADIUS or TACACS+ server in Prime Add a RADIUS or TACACS+
Infrastructure. Server to Prime Infrastructure
Configure the RADIUS or TACACS+ mode on the Prime Infrastructure Configure RADIUS or TACACS+
server. Mode on the Prime Infrastructure
Server
Supported Versions of Cisco ACS in Prime Infrastructure

Prime Infrastructure supports Cisco ACS 5.x releases.
Add Prime Infrastructure as a Client in Cisco ACS
Step 1 Log in to Cisco ACS as the admin user.

Step 2 From the left sidebar, choose Network Resources > Network Devices > Network Devices and AAA Clients.
Step 3 In the Network Devices page, click Create.
Step 4 Enter the device name and IP address of the Prime Infrastructure server.
Step 5 Choose the authentication option as RADIUS or TACACS+, and enter the shared secret.
Note Ensure that this shared secret matches the shared secret you enter when adding the Cisco ACS server as the
RADIUS or TACACS+ server in Prime Infrastructure.

229
Create a User Group in Cisco ACS
Create a User Group in Cisco ACS

Step 2 From the left sidebar, Choose Users and Identity Stores > Identity Groups.
Step 3 In the Identity Groups page, click Create.
Step 4 Enter the name and description of the user group.
Step 5 Select a network device group parent for the user group.
Create a User and Add the User to a User Group in Cisco ACS

Step 2 From the left sidebar, Choose Users and Identity Stores > Internal Identity Stores > Users.
Step 3 In the Internal Users page, click Create.
Step 4 Enter the required details.
Step 5 In the Identity Group field, click Select to choose a user group to assign the user to.
Create an Authorization Profile for RADIUS in Cisco ACS

When you create an authorization profile for device administration, you must add the RADIUS custom
attributes that are associated with user roles, tasks, and virtual domains created in Prime Infrastructure.
Note For RADIUS, you can add the user role attributes without adding the task attributes. The tasks are automatically
added with the user roles.
For more information about Cisco ACS authorization profiles and policies, see chapters on managing policy
elements and access policies in the User Guide for Cisco Secure Access Control System.
To create an authorization profile for RADIUS in Cisco ACS:
Before you begin

Make sure you have the complete list of the following Prime Infrastructure custom attributes for RADIUS.
You will need to add this information to Cisco ACS in this procedure.
for RADIUS and TACACS+

230
Create an Authorization Profile for TACACS+ in Cisco ACS

Step 2 From the left sidebar, choose Policy Elements > Authorizations and Permissions > Network Access > Authorization
Profiles.
Step 3 Click Create.
Step 4 On the General tab, enter the name and description of the authorization profile.
Step 5 Click the RADIUS Attributes tab, and paste in the complete list of RADIUS custom attributes for:
• User roles
• Virtual domains
Note If you do add user tasks, be sure to add the Home Menu Access task. It is mandatory.
Create an Authorization Profile for TACACS+ in Cisco ACS

When you create an authorization profile for device administration, you must add the TACACS+ custom
attributes that are associated with user roles and virtual domains created in Prime Infrastructure.
Note For TACACS+, you need not add the attributes for user tasks. They are automatically added based on the user
roles.
For more information about Cisco ACS authorization profiles and policies, see chapters on managing policy
elements and access policies in the User Guide for Cisco Secure Access Control System.
To create an authorization profile for TACACS+ in Cisco ACS:
Before you begin

Make sure you have the complete list of the following Prime Infrastructure custom attributes. You will need
to add this information to Cisco ACS in this procedure.
for RADIUS and TACACS+.

Step 2 From the left sidebar, choose Policy Elements > Authorizations and Permissions > Device Administration > Shell
Profiles.
Step 4 On the General tab, enter the name and description of the authorization profile.
Step 5 Click the Custom Attributes tab, and paste in the complete list of TACACS+ custom attributes for:

231
Create an Access Service for Prime Infrastructure in Cisco ACS
• User roles, including the tasks

• Virtual domains
Create an Access Service for Prime Infrastructure in Cisco ACS

Access services contain the authentication and authorization policies for access requests. You can create
separate access services for different use cases; for example, device administration (TACACS+), network
access (RADIUS), and so on.
When you create an access service in Cisco ACS, you define the type of policies and policy structures that it
contains; for example, policies for device administration, network access, and so on.
Note You must create access services before you define service selection rules, although you do not need to define
the policies in the services.
To create an access service for Prime Infrastructure requests:

Step 2 From the left sidebar, choose Access Policies > Access Services.
Step 4 Enter the name and description of the access service.
Step 5 Choose one of the following options to define a policy structure for the access service:
• Based on service template—Creates an access service containing policies based on a predefined template.
• Based on existing service—Creates an access service containing policies based on an existing access service.
However, the new access service does not include the existing service's policy rules.
• User selected service type—Provides you the option to select the access service type. The available options are
Network Access (RADIUS), Device Administration (TACACS+), and External Proxy (External RADIUS or
TACACS+ servers).
Step 6 Click Next.

Step 7 Choose the authentication protocols that are allowed for the access service.
Step 8 Click Finish.
Create an Authorization Policy Rule in Cisco ACS

Step 2 From the left sidebar, choose Access Policies > Access Services > service > Authorization.
Step 4 Enter the name of the rule and then choose the rule status.

232
Configure a Service Selection Policy in Cisco ACS
Step 5 Configure the required conditions for the rule.

For example, you can create a rule based on the location, device type, or user group that you have created.
Step 6 If you are creating an authorization policy rule for network access (RADIUS), choose the required authorization profile(s)
to map to the authorization policy rule.
Alternatively, if you are creating an authorization policy rule for device administration (TACACS+), choose the required
shell profile(s) to map to the authorization policy rule.
Note If you are using multiple authorization profiles or shell profiles, make sure you order them in priority.
Step 7 Click OK.
Configure a Service Selection Policy in Cisco ACS

A service selection policy determines which access service applies to an incoming request. For example, you
can configure a service selection policy to apply the device administration access service to any access request
that uses the TACACS+ protocol.
You can configure two types of service selection policy:
• Simple service selection policy—Applies the same access service to all requests.
• Rule-based service selection policy—Contains one or more conditions and a result, which is the access
service that will be applied to an incoming request.
To configure a service selection policy:

Step 2 From the left sidebar, choose Access Policies > Access Services > Service Selection Rules.
Step 3 If you want to configure a simple service selection policy, click the Single result selection radio button, and then choose
an access service to apply to all requests.
Alternatively, if you want to configure a rule-based service selection policy, click the Rule based result selection radio
button, and then click Create.
Step 4 Enter the name of the rule and then choose the rule status.
Step 5 Choose either RADIUS or TACACS+ as the protocol for the service selection policy.
Step 6 Configure the required compound condition, and then choose an access service to apply to an incoming request.
Step 7 Click OK, and then click Save Changes.
Use SSO with External Authentication

To set up and use SSO (with or without a RADIUS or TACACS+ server), see these topics:
• Add the SSO Server
• Configure SSO Mode on the Prime Infrastructure Server, on page 234
Prime Infrastructure does not support localization on the SSO sign-in page.

233
Add the SSO Server
Add the SSO Server

Prime Infrastructure can be configured with a maximum of three AAA servers.
Step 1 Choose Administration > Users > Users, Roles & AAA, then choose SSO Servers.
Step 2 Click Add SSO Servers.
Step 3 Enter the SSO information.
The maximum number of server retries for an SSO server authentication request is 3.
Step 4 Click Save.

Note You can search the server(s) entering the server details in the search field below the headers.
Note If you wish to delete any of the servers added, select the server(s) to be deleted from the list and click Delete
SSO Server(s).
Note You can also add yourself as a server with the Add self as SSO Server button.
Configure SSO Mode on the Prime Infrastructure Server

Single Sign-On Authentication (SSO) is used to authenticate and manage users in multi-user, multi-repository
environments. SSO servers store and retrieve the credentials that are used for logging in to disparate systems.
You can set up Prime Infrastructure as the SSO server for other instances of Prime Infrastructure.
Note If you are using this procedure to configure SSO but are using local authentication, choose Local in Step 2.
Step 1 Choose Administration > Users > Users, Roles & AAA > SSO Server Settings.
Step 2 Select the SSO Server AAA Mode you want to use. The options are: Local, RADIUS, or TACACS+.
Step 3 Click Save.

234
CHAPTER 8
Fault Management Administration Tasks
• Event Receiving, Forwarding, and Notifications, on page 235
• Configure Default Settings for E-Mail Notifications, on page 242
• Specify Alarm Clean Up, Display and Email Options, on page 242
• Configure Global Display and Search Settings for Acknowledged, Cleared, and Assigned Alarms, on
page 245
• Change Alarm Severity Levels, on page 245
• Change Alarm Auto-Clear Intervals, on page 246
• Change the Information Displayed in the Failure Source for Alarms, on page 247
• Change the Behavior of Expedited Events, on page 247
• Customize Generic Events That Are Displayed in the Web GUI, on page 248
• Troubleshoot Fault Processing Errors, on page 250
• Get Help from the Cisco Support Community and Technical Assistance Center (TAC), on page 251
Event Receiving, Forwarding, and Notifications

Prime Infrastructure processes syslogs and SNMPv1, v2, and v3 traps that it receives from devices. The server
automatically listens for these events on UDP port 162. You do not have to perform any event listening
configuration on the server, but you do have to configure devices to forward traps and syslogs to Prime
Infrastructure on the appropriate port.
Notifications are forwarded in SNMPv2 or SNMPv3 format. They are also forwarded to email recipients
when you setup corresponding Notification Policies. If you are adding a notification destination with the
notification type UDP, the destination you add should be listening to UDP on the same port on which it is
configured. Only INFO level events are processed for the selected category and alarms are processed with
critical, major, minor and warning levels.
Prime Infrastructure can forward alarms and events that are generated by the processing of received syslogs,
traps, and TL/1 alarms to northbound notification destination. Information can be forwarded in email format
or SNMP trap format, See Configure Alarms Notification Destination.
You can also use the SNMP trap notification mechanism to forward SNMP traps that indicate server problems.
Alerts and events are sent as SNMPv2.

235
User Roles and Access Permissions for Configuring Alarm Notification Settings
UserRolesandAccessPermissionsforConfiguringAlarmNotificationSettings
This table describes the user roles and access permissions for configuring notification destination and creating
customized notification policies.
Note Ensure that you enable the following Task Permissions for any user roles to view, create, and edit notification
destination and notification policy:
• Notification Policies Read-Write Access under Alerts and Events
• Virtual Domains List (under Reports)
For more information, see View and Change the Tasks a User Can Perform, on page 175.
User Role Access Permission
Root user with root domain View, create, delete and edit notification destination
and notification policy.
Root user with non-root domain View, create, edit and delete notification destination
and notification policy created under their respective
virtual domain.
Admin user with root domain View, create, delete and edit notification destination
and notification policy.
Super user with root domain View, create, delete and edit notification destination
and alarm notification policy.
System monitoring user with root domain View notification destination and notification policy.
Config manager with root domain View notification destination and notification policy.
Admin user with non-root domain View, create, edit and delete notification destination
virtual domain.
Super user with non-root domain View, create, edit and delete notification destination
virtual domain.
System monitoring user with non-root domain View notification destination and notification policy
created under their respective virtual domain.
Config manager with non-root domain View notification destination and notification policy
created under their respective virtual domain.
Points to Remember While Adding a New Notification Policy

The following table explains you some points you must remember while adding a new notification policy.

236
Category selected under Notification Policy Page Points to Remember
Email • Each virtual domain must have a unique Contact

Name and email address (email recipient).
• Email recipients can be added, modified, and
deleted only from the ROOT-DOMAIN.
• Same email address can be associated with
multiple virtual domains.
• Prime Infrastructure does not use the Telephone
Number, Cell Number, and Postal Address
details for sending alarm notifications.
Trap Receiver • Contact Name is unique for each trap receiver.

• Trap receivers can be added, modified, and
deleted only from the ROOT-DOMAIN. Trap
receivers are applicable only in
ROOT-DOMAIN.
• Only North Bound trap receivers can receive
alarms/events forwarded from the Notification
Policy engine.
• Guest-Access trap receivers will receive only
alarms related to guest clients.

237
Category selected under Notification Policy Page Points to Remember
Notification Policy • Each notification policy consists of following

criteria: alarm categories, alarm severities, alarm
types, device groups, notification destinations,
and time range.
• Each notification policy is associated with a
unique virtual domain.
• While selecting the required conditions, you can
drill down the tree view drop-down list and select
the individual categories (for example, Switches
and Routers) and the severity (for example,
Major). You can further select the specific Alarm
types (for example, link down).
• Alarms that match the criteria in a policy are
forwarded to the respective notification
destinations.
• If an alarm is matched against multiple policies
in the same virtual domains and these policies
have the same destinations, only one notification
is sent to each destination.
• If the virtual domain associated with a
notification policy is deleted, no alarm will match
this policy. Though, this notification policy will
be listed in the main Notification Policy page,
you cannot modify or view the details of this
notification policy. However, you can delete this
policy.
• If one or more device groups specified in a policy
is deleted, no alarm will match this policy.
Though, this notification policy will be listed in
the main Notification Policy page, you cannot
modify or view the details of this notification
policy. However, you can delete this policy.
• Alarms that are suppressed due to an existing
alarm policy will not be forwarded to the
notification destinations.
• If a notification policy that includes both system
and non-system category alarms in the rule
criteria, you must select the device group(s) for
the non-system category alarms.
• The alarms generated in the specified duration
alone are sent to the notification destination. For
example, if you specify the duration as 8:00 to
17:00, the alarms will be notified from 8.00 a.m.
to 5.00 p.m.

238
Configure Alarms Notification Destination
Configure Alarms Notification Destination

You can configure the email notification and Northbound trap receiver settings to notify the alarms generated
by Prime Infrastructure.
Step 1 Choose Administration > Settings > System Settings > Mail and Notification > Notification Destination.
Step 2 Click the Add icon to create a new notification destination.
Step 3 To configure Email Destination, do the following:
a) From the Select Contact Type drop-down list, choose Email.
b) Enter the Contact Name in the text box.
c) Enter a valid email ID in the Email To text box.
The email is sent to the email ID entered in the Email To field.
d) Enter the Contact Full Name.
e) Choose the virtual domain from the Virtual Domain drop-down list.
f) Enter the Telephone Number, Mobile Number, and Postal Address.
g) Click Save.
Step 4 To configure a Northbound trap receiver using IP Address, do the following:
a) From the Select Contact Type, choose Northbound Trap Receiver.
b) Select the IP Address radio button and enter the IP Address and Server Name.
c) Choose the required Receiver Type and Notification Type.
d) Enter the Port Number, and choose the SNMP Version.
e) If you choose the SNMP Version as v2c, enter the Community settings as required.
f) If you choose the SNMP Version as v3, enter the Username, Mode, Auth.Type, Auth.Password, Confirm
Auth.Password, Privacy Type, Privacy Password and Confirm Privacy Password.
g) Click Save.
Step 5 To configure a Northbound trap receiver using DNS, do the following:
a) From the Select Contact Type, choose Northbound Trap Receiver.
b) Select the DNS radio button and enter the DNS Name.
c) Choose the required Receiver Type and Notification Type.
d) Enter the Port Number, and choose the SNMP Version.
e) If you choose the SNMP Version as v2c, enter the Community settings as required.
f) If you choose the SNMP Version as v3, enter the Username, Mode, Auth.Type, Auth.Password, Confirm
Auth.Password, Privacy Type, Privacy Password and Confirm Privacy Password.
g) Click Save.

239
Customize Alarm Notification Policies
Note • If you choose the Receiver Type as Guest Access, Prime Infrastructure will not forward the alarms to
the Northbound trap receiver using the notification policy. The Guest Access receiver receives only
guest-client related events. The notification policy uses only Northbound trap receivers. Make sure that
you use the same Engine ID and same auth and priv passwords when configuring the external SNMPv3
trap receiver.
• While updating the Notification Destination Trap Receiver, the operational status shows the previous
Trap Receiver status until the status is updated by the next polling.
• You can also navigate to Notification Policies page by choosing Monitor > Monitoring Tools > Alarm
Notification Policies.
• If recipient email id is configured in multiple Notification policies, alarm will be forwarded only once
to the email id, when condition matches.
• You will not be allowed to delete Notification Destinations which are associated with Notification Policies.
Customize Alarm Notification Policies

You can add a new alarm notification policy or edit an existing alarm notification policy to send notifications
on specific alarms of interest that are generated on particular device groups, to specific recipients: either email
recipients or northbound trap receivers or both.
Step 1 Choose Administration > Settings > System Settings > Alarms and Events> Alarm Notification Policies. To add a
new alarm notification policy, do the following:
a) Click the Add icon and choose the required virtual domain in the Select a Virtual Domain pop-up window.
Cisco Prime Infrastructure matches the alarms that are received from devices from a virtual domain against the
notification policies for the same virtual domain. The system category alarms generated by Prime Infrastructure can
be matched against all the alarm notification policies.
Note For a non-root domain, the alarms from a device will be forwarded only if the device or device group(s)
containing the device was added or selected under Network Devices tab in virtual domain page.
b) Click OK.
The Notification Policies wizard appears.
c) Choose the severity, category, and event condition for which the notifications must be triggered. By default all the
severity types, categories, and conditions are selected.
d) Click Next and choose the device groups for which you want the alarm notifications to be triggered.
The alarm notifications are triggered only for the device groups that you select.
For instance, if you select the User Defined device group type, then the alarm notification is triggered for all the
configured user defined device groups. Similarly, if you select both the User Defined and Locations device group
types, then the alarm notifications are triggered for all the configured user defined and location device groups.
Select the desired device group type to abstain from receiving insignificant alarm notifications from other device
groups.
If you choose only system category alarms in the previous step, a message "Device Groups are not applicable when
only 'System' based alarms are selected" is displayed under the Device Group tab. However, if you choose a non-system
category alarm, you must select at least one device group.

240
Convert Old Email and Trap Notification Data to New Alarm Notification Policy
e) Click Next and choose the required destination in the Notification Destination page.
If you choose root-domain in Step 1-a, all the Email and Northbound trap receiver destinations created in Prime
Infrastructure will be listed in the Notification Destination page. If you choose, non-root domain, the Email destinations
created under that particular domain will be listed in the Notification Destination page. See Configure Alarms
Notification Destination, on page 239
f) Alternately, choose the Email or Northbound Trap Receiver option from the Add icon drop-down list and complete
the required fields.
g) Choose the notification destination and click Change Duration.
h) Choose the From and To timings in the Set Duration pop-up window and click OK.
The alarms generated in the specified duration alone are sent to the notification destination.
i) Click Next and enter the Name and Description for the alarm notification policy in the Summary page.
j) Click Save.
Note "Interface" is a reserved word and hence don't use it as the name for Alarm Notification Policy.
Step 2 To edit an alarm notification policy, do the following:

a) Choose the policy and click the Edit icon.
The Notification Policies wizard appears.
b) Choose the Conditions, Device Groups, and Destination as explained in Step 1.
c) Click Save.
Note Notifications will not be sent to email recipient for North Bound trap receiver, if you change the severity of
an alarm type from Monitor > Monitoring Tools > Alarm Policies.
Related Topics
Configure Alarms Notification Destination, on page 239
Convert Old Email and Trap Notification Data to New Alarm Notification Policy
The email and trap notification data created in previous Prime Infrastructure releases is converted in to new
alarm notification policies while upgrading or migrating Prime Infrastructure from previous release to the
latest version.
The migrated alarm notification policies can be viewed in the Alarms and Events Notification Policies pages.
The following Alarm categories are supported in Prime Infrastructure Release 3.7:
• Change Audit
• Generic
• System
• Application Performance
• Compute Servers
• Nexus VPC switch
• Switches and Routers
• AP
• Adhoc Rogue

241
Configure Default Settings for E-Mail Notifications
• Clients
• Context Aware Notifications
• Controller
• Coverage Hole
• Mesh Links
• Mobility Service
• Performance
• RRM
• Rogue AP
• SE Detected Interferers
• Security
• Third Party AP
• Third Party Controller
The following Alarm categories are not supported in Prime Infrastructure Release 3.6:
• Autonomous AP
• Cisco UCS Series
• Routers
• Switches and Hubs
• Wireless Controller
To edit the migrated alarm notification polices, see Customize Alarm Notification Policies.
Configure Default Settings for E-Mail Notifications

If you have not configured the mail server, perform the instructions in Set Up the SMTP E-Mail Server, on
page 92. Otherwise notifications will not be sent.
You can configure certain default settings that are applied across all alarm and event e-mail notifications.
These settings can be overwritten when users configure individual notifications and receivers.
By default, the email subject line will include the alarm severity and category. The following settings are also
available but are disabled by default.
• Subject line—Include the prior alarm severity or add custom text. Alternatively you can replace all of
the subject line with custom text.
• Body of the email—Include custom text, the alarm condition, and a link to the alarm detail page.
• Secure message mode—Enabling this mode masks the IP address and controller name.
To enable, disable, or adjust these settings, choose Administration > Settings > System Settings, then
Alarms and Events > Alarms and Events. Make your changes in the Alarm Email Options area.
Specify Alarm Clean Up, Display and Email Options

The Administration > Settings > System Settings > Alarms and Events page enables you to specify when
and how to clean up, display and email alarms.

242
Step 1 Choose Administration > Settings > System Settings > Alarms and Events > Alarms and Events.
Step 2 Modify the Alarm and Event Cleanup Options:
• Delete active and cleared alarms after—Enter the number of days after which active and cleared alarms are deleted.
• Delete cleared security alarms after—Enter the number of days after which Security, Rogue AP, and Adhoc Rogue
alarms are deleted.
• Delete cleared non-security alarms after—Enter the number of days after which non-security alarms are deleted.
Non-security alarms include all alarms that do not fall under the Security, Rogue AP, or Adhoc Rogue categories.
• Delete all events after—Enter the number of days after which all the events are deleted.
• Max Number of Events to Keep—Enter the number of events that needs to be maintained in the database.
Cisco Prime Infrastructure deletes old alarms and events, as part of normal data cleanup tasks, and checks the storage
size of the database alarm table once in every 2 hours, by default. When the alarm table exceeds the 300,000 limit, Prime
Infrastructure deletes the oldest cleared alarms until the alarm table size is within the limit. If you want to keep cleared
alarms for more than seven days, then you can specify a value more than seven days in the Delete cleared non-security
alarms after text box, until the alarm table size reaches the limit.
Step 3 Modify the Syslog Cleanup Options:

• Delete all Syslogs after—Enter the number of days after which all aged syslogs are to be deleted.
• Max Number of Syslog to Keep—Enter the number of Syslogs that needs to be maintained in the database.
Step 4 Modify the Alarm Display Options as needed:

• Hide acknowledged alarms—When the check box is selected, Acknowledged alarms do not appear in the Alarm
page. This option is enabled by default. Emails are not generated for acknowledged alarms, regardless of severity
change.
• Hide assigned alarms—When the check box is selected, assigned alarms do not appear in the Alarm page.
• Hide cleared alarms—When the check box is selected, cleared alarms do not appear in the Alarm Summary page.
This option is enabled by default.
• Add device name to alarm messages—Select the check box to add the name of the device to alarm messages.
Changes in these options affect the Alarm page only. Quick searches for alarms for any entity will display all alarms for
that entity, regardless of alarm state.
Step 5 Modify the alarm Failure Source Pattern:

• Select the category you need to customize and click Edit.
• Select the failure source pattern from the options available and click OK.
• Select the category for which you want to customize the separator and click Edit Separator. Select one of the options
available, then click OK.
The alarms generated for the selected category will have the customized pattern that you set. For example, if you select
the Clients category, and then edit the separator to be #, when any supported client alarm is generated, when you select
Monitor > Monitoring Tools > Alarms and Events, the Failure Source column for that alarm will be MACaddress
#Name.
Note Failure Source is not supported for Custom traps, Syslog generated events and Custom syslog translation.
Step 6 Modify the Alarm Email Options:

• Add Prime Infrastructure address to email notifications—Select the check box to add the Prime Infrastructure address
to email notifications.

243
• Include alarm severity in the email subject line—Select the check box to include alarm severity in the email subject
line. This option is enabled by default.
• Include alarm Category in the email subject line—Select the check box to include alarm category in the email subject
line. This option is enabled by default.
• Include prior alarm severity in the email subject line—Select the check box to include prior alarm severity in the
email subject line.
• Include custom text in the email subject line—Select the check box to add custom text in the email subject line. You
can also replace the email subject line with custom text by selecting the Replace the email subject line with custom
text check box.
• Include custom text in body of email—Select the check box to add custom text in the body of email.
• Include alarm condition in body of email—Select the check box to include alarm condition in the body of email.
• Include alarm application category data in body of email—Select the check box to include alarm category in the
body of email.
• Add link to Alarm detail page in body of email—Select the check box to add a link to the Alarm detail page in the
body of email.
• Enable Secure Message Mode—Select the check box to enable a secure message mode. If you select the Mask IP
Address and Mask Controller Name check boxes, the alarm emails are sent in secure mode where all the IP addresses
and controller names are masked.
• Email Send Interval—Specify the time interval in which the email has to be sent.
Note Prime Infrastructure sends alarm notification email for the first instance of an alarm and the subsequent
notification is sent only if the alarm severity is changed.
• Skip to send first alarm separately as email notification-The first alarm will be sent in as a seperate email notification.
Note Disabling this option, an email notification will be sent immediately after the first alarm of the specified
Email Send Interval duration. The remaining alarms will be grouped in the second email. Enabling this
option will send only one email notification on the specified Email Send Interval duration. The first email
alert will be grouped into the existing list.
Step 7 Modify the Alarm Other Settings:

• Controller License Count Threshold - Enter a threshold percentage. An alarm is triggered if the number of access
points connected to a controller reaches the specified rate of the licenses available on the controller. For example,
if a controller is configured with 100 access point licenses and 80% threshold, an alarm will be triggered when the
number of access points connected to a controller exceeds 80.
• Controller Access Point Count Threshold - Enter a threshold percentage. An alarm is triggered if the number of
access points connected to a controller reaches the specified rate of the maximum number of access points supported
by the controller. For example, if a controller supports a maximum of 6000 access points and threshold is configured
as 80%, an alarm will be triggered when the number of access points connected to the controller exceeds 4800.
• Unacknowledge and Unassign Alarm on Clear - Unselect the checkbox if the acknowledged and assigned alarms
once cleared from the list should remain unacknowledged and unassigned to the same owner if they reoccur. Select
the checkbox if the alarms are unacknowledged and unassigned while clearing the alarm which was acknowledged
or assigned to the previous owner.
Step 8 Click Save.

244
Configure Global Display and Search Settings for Acknowledged, Cleared, and Assigned Alarms
Configure Global Display and Search Settings for

Acknowledged, Cleared, and Assigned Alarms
The following table lists some display options for acknowledged, cleared, and assigned alarms. These settings
cannot be adjusted by individual users (in their display preferences) because, for very large systems, a user
could make a change that will impact system performance.
Other settings shown on the Alarms and Events page can be adjusted by users, but you can set the global
defaults here. For information on those settings, see Alarm, Event, and Syslog Purging, on page 153
• Alarm, Event, and Syslog Purging, on page 153
Step 1 Choose Administration > Settings > System Settings, then choose Alarms and Events > Alarms and Events.
Step 2 Under the Alarm Display Options area, enable or disable these settings, as desired:
Alarm Display Options Description Does setting also

affect search
results?
Hide acknowledged Do not display Acknowledged alarms in the Alarms list or include them Yes
alarms in search results
Hide assigned alarms Do not display assigned alarms in the Alarms list or in search results Yes
Hide cleared alarms in Do not display cleared alarms in the Alarms list or in search results No
alarm browser
Add device name to Include device name in e-mail notifications No

alarm messages
Step 3 To apply your changes, click Save at the bottom of the Alarms and Events window.
Change Alarm Severity Levels

Each alarm in Prime Infrastructure has a severity. The alarm severity is determined by the most severe event
associated to the alarm. You can adjust the severity for alarms by changing the severity for newly-generated
events.
Note For alarms that are related to Prime Infrastructure system administration, such as high availability, refer to
Customize Server Internal SNMP Traps and Forward the Traps, on page 103.
• Specific alarms—Use the procedure in this section.

245
Change Alarm Auto-Clear Intervals
Step 1 Choose Administration > System Settings, then choose Alarms and Events > Alarm Severity and Auto Clear.
Step 2 Expand the categories available under the Alarm Condition column, or search for the Alarm Condition you want by
entering all or part of the event text in the Alarm Condition search field just below the column heading.
Step 3 Change the alarm severity by performing one of the following tasks:
• Click the Severity field and select a severity level from the drop-down list.
• Select the check box of the alarm condition whose severity level you want to change, click Severity Configuration,
and choose a severity level from the Configure Severity Level drop-down list, ans click OK.
Note When you change the severity of an alarm condition, the Notification Policy associated with that alarm condition
will remain unchecked in the Notification Policy Page, and the alarm will not be forwarded.
Change Alarm Auto-Clear Intervals

You can configure an alarm to auto-clear after a specific period of time. This is helpful in cases, for example,
where there is no clearing event. Auto-clearing an alarm will not change the severity of the alarm's correlated
events.
Alarm auto clear is supported for only few alarms. For more information, see Cisco Prime Infrastructure
Alarms, Events, and Supported SNMP Traps and Syslogs
Step 1 Choose Administration > Settings > System Settings, then choose Alarms and Events > Alarm Severity and Auto
Clear.
Step 2 Expand the categories available under the Event Types column, or search for the event type you want by entering all or
part of the event text in the Event Types search field just below the column heading.
Step 3 To change the auto-clear duration for an event or group of events:
• For a single event, check the event's check box, click in the Auto Clear Duration field, enter the new duration, then
click Save.
• For multiple events, select the events, then click Alarm Auto Clear, enter the new duration in the dialog box, then
click OK.
Step 4 Change the Auto Clear Interval by performing one of the following tasks:
• Click on the Auto Clear Duration field, enter the new interval, and click Save.
• Select the check box of the event type, click Alarm Auto Clear, enter the new interval, and click OK.

246
Change the Information Displayed in the Failure Source for Alarms
Change the Information Displayed in the Failure Source for

Alarms
When an alarm is generated, it includes information about the source of the failure. Information is presented
using a specific format. For example, performance failures use the format MACAddress:SlotID. Failure sources
for other alarms may include the host name, IP address, or other properties. Adjust the properties and separators
(a colon, dash, or number sign) that are displayed in the alarm's failure source using the following procedure.
Step 1 Choose Administration > Settings > System Settings, then choose Alarms and Events > Alarms and Events.
Step 2 In the Failure Source Pattern area, select the alarm category you want to customize.
Step 3 Adjust the failure source format as follows:
• To customize the properties that are displayed, click Edit, select the properties, then click OK. If a property is
greyed-out, you cannot remove it.
• To customize the separators that are displayed between the properties, click Edit Separator.
Step 4 To apply your changes, click Save at the bottom of the Alarms and Events settings window.
Change the Behavior of Expedited Events

When Prime Infrastructure receives a configuration change event from a device, it waits for a certain time
interval before starting inventory collection, in case other related events are sent. This prevents multiple
collection processes from running at the same time. This is called the inventory collection hold off time and
is set to 10 minutes by default. This setting is controlled from the Inventory system settings page
(Administration > Settings > System Settings > Inventory).
The following events are processed by Prime Infrastructure within the default time interval of 10 minutes:
Type Supported Events
Link LINK-3-UPDOWN
Card Protection CARD_PROTECTION-4-PROTECTION

CARD_PROTECTION-4-ACTIVE
VLAN PORT_SECURITY-6-VLAN_REMOVED
PORT_SECURITY-6-VLAN_FULL

247
Customize Generic Events That Are Displayed in the Web GUI
Type Supported Events
ICCP SM L2-L2VPN_ICCP_SM-4-REMOTE_CORE_ISOLATION
L2-L2VPN_ICCP_SM-4-REMOTE_CORE_ISOLATION_CLEAR
L2-L2VPN_ICCP_SM-3-CONFIG_LOCAL_ERROR
L2-L2VPN_ICCP_SM-3-CONFIG_REMOTE_ERROR
L2-L2VPN_ICCP_SM-4-LOCAL_CORE_ISOLATION
L2-L2VPN_ICCP_SM-4-LOCAL_CORE_ISOLATION_CLEAR
L2-L2VPN_ICCP_SM-4-PEER_REACHABILITY_FAILURE
L2-L2VPN_ICCP_SM-4-PEER_REACHABILITY_CLEAR
L2-L2VPN_ICCP_SM-4-REMOTE_ACCESS_MAIN_PORT_FAILURE
L2-L2VPN_ICCP_SM-4-REMOTE_ACCESS_MAIN_PORT_FAILURE_CLEAR
INFRA-ICCP-5-ISOLATION
INFRA-ICCP-5-ISOLATION_CLR
INFRA-ICCP-5-NEIGHBOR_STATE_UP
INFRA-ICCP-5-NEIGHBOR_STATE_DOWN
INFRA-ICCP-6-BACKBONE_INTERFACE_STATE_UP
INFRA-ICCP-6-BACKBONE_INTERFACE_STATE_DOWN
L2-BM-6-ACTIVE_CLEAR
L2-BM-6-ACTIVE_PROBLEM
L2-L2VPN_ICCP_SM-3-CONFIG_INVALID_NODEID
L2-L2VPN_ICCP_SM-3-CONFIG_INVALID_NODEID_CLEAR
Satellite PKT_INFRA-ICPE_GCO-5-SATELLITE_STATUS_PROBLEM
PKT_INFRA-ICPE_GCO-5-SATELLITE_STATUS_CLEAR
Cluster PLATFORM-REDDRV-7-ROLE_CHANGE
PLATFORM-CE_SWITCH-6-UPDN
PLATFORM-CLUSTER_CLM-6-UPDN
LINK_UP
LINK_DOWN
Celeborn cards UEA_SPA_MODE-6-UEA_SPA_MODE_CHG
Configuration Commit MGBL-CONFIG-6-DB_COMMIT

SYS-5-CONFIG_I
syslogs
However, in case of the following critical events, Prime Infrastructure performs a full discovery of the device
immediately when the event occurs:
SYS-5-RELOAD
SYS-5-RESTART
OIR-6-INSCARD
OIR-SP-6-INSCARD
SWT_CEFC_STATUS_CHANGE
cefcFRURemoved
cefcFRUInserted
Customize Generic Events That Are Displayed in the Web GUI

You can customize the description and severity for generic events generated by SNMP traps and syslogs.
Your customization will be displayed in the Events tab for SNMP trap events. If a MIB module is not loaded,
you can load it manually and then customize the notifications provided in that MIB.
See Customize Generic Events Based on SNMP Traps, on page 249, for information on how to customize
these generic events.

248
Disable and Enable Generic Trap and Syslog Handling
Disable and Enable Generic Trap and Syslog Handling

By default Prime Infrastructure does not drop any received syslogs or traps. Prime Infrastructure maintains
an event catalog that determines whether Prime Infrastructure should create a new event for incoming syslogs
or traps (and if it creates a new event, whether it should also create an alarm). If Prime Infrastructure does not
create an event, the trap or syslog is considered a generic event .
By default, Prime Infrastructure does the following:
• Displays the generic events in the Events list.
All of these events are assigned the MINOR severity, regardless of the trap contents, and fall under the alarm
category Generic.
Disable and Enable Generic Trap Processing

Use the genericTrap.sh command to manage generic syslogs.
To do the following: Use this command:
Turn off generic trap /opt/CSCOlumos/bin/genericTrap.sh -l

processing
Turn on generic trap /opt/CSCOlumos/bin/genericTrap.sh -u

processing
Disable and Enable Generic Syslog Processing

Use the genericSyslog.sh command to manage generic syslogs.
To do the following: Use this command:
Turn off generic syslog /opt/CSCOlumos/bin/genericSyslog.sh -l

processing
Turn on generic syslog /opt/CSCOlumos/bin/genericSyslog.sh -u

processing
Customize Generic Events Based on SNMP Traps

Prime Infrastructure supports the customized representation of generic events in the GUI. Managed objects
normally generate SNMP traps and notifications that contain an SNMP trap object identifier (SnmpTrapOID)
and a variable bind object identifier (VarBindOIDs) in numerical format. Prime Infrastructure translates the
numeric SnmpTrapOIDs and VarBindOIDs into meaningful names using customized MIB modules, then
displays the generic events in the web GUI (in the event tables, Device 360 view, and so forth).
Using the SNMP MIB files that are packaged with Prime Infrastructure, you can customize the defined MIBs
for your deployment's technology requirement.
The following table illustrates how ObjectIDs are decoded and displayed in the GUI.

249
Troubleshoot Fault Processing Errors
Table 15: Example: ObjectID Representation
OIDs before Decoding OIDs after Decoding

snmpTrapOID = 1.3.6.1.4.1.9.10.120.0.1', mplsL3VpnVrfDown,
Values: values: mplsL3VpnVrfOperStatus.("vrf1").(1) = 1
1.3.6.1.4.1.9.10.119.1.1.2.1.11.7.1=1
Follow the steps below to create customized generic events.
Step 1 Select Monitor > Monitoring Tools > Alarms and Events.
Step 2 Click the Events tab.
Step 3 Click Custom Trap Events and then click Upload New Mibs.
Step 4 In the Upload Mib window, click Upload New MIB to upload a MIB file.
Step 5 If you upload a new MIB file, wait until the file upload is complete, and then click Refresh MIBs to have the newly
added MIB included in the MIB drop-down list.
Step 6 Click OK.
Prime Infrastructure creates a new event type and alarm condition for the specified trap.
Troubleshoot Fault Processing Errors

If your deployment is having fault processing problems, follow this procedure to check the fault logs.
Step 1 Log in to Prime Infrastructure with a user ID that has Administrator privileges.
Step 2 Select Administration > Settings > Logging, then choose the Global Settings tab.
Step 3 Click Download to download all the server log files.
Step 4 Compare the activity recorded in these log files with the activity you are seeing in your management application:
console.log
ncs-x-x.log
decap.core.java.log
xmp_correlation.log
decap.processor.log
What to do next
You can also get help from the Cisco support community. If you do need to open a support case, attach the
suspect log files with your case. See Get Help from the Cisco Support Community and Technical Assistance
Center (TAC), on page 251.

250
Get Help from the Cisco Support Community and Technical Assistance Center (TAC)
Get Help from the Cisco Support Community and Technical

Assistance Center (TAC)
• Open a Cisco Support Case, on page 251
• Join the Cisco Support Community, on page 252
Open a Cisco Support Case

When you open a support case from the web GUI, Prime Infrastructure automatically populates the case form
with information it can retrieve from a device. This includes technical details about the device, configuration
changes on the device, and all device events that occurred in the last 24 hours. You can also attach your own
files to the case.
Before you begin

You can open a support case from the web GUI if:
• Your administrator has configured Prime Infrastructure to allow you to do so. See Set Up Defaults for
Cisco Support Requests section in Cisco Prime Infrastructure Administrator Guide.
• The Prime Infrastructure server has a direct connection to the internet, or a connection by way of a proxy
server.
• You have a Cisco.com username and password.
Step 1 Choose one of the following:

• From Monitor > Monitoring Tools > Alarms and Events. Click a single alarm, then choose Troubleshoot >
Support Case. If you do not see the Troubleshoot button, widen your browser window.
• From the Device 360 view. Hover your mouse over a device IP address, then click the information icon. Choose
Support Request from the Actions drop-down menu.
Step 2 Enter your Cisco.com username and password.

Step 3 Click Create. Prime Infrastructure populates the form with data it retrieves from the device.
Step 4 (Optional) Enter a Tracking Number that corresponds to your own organization’s trouble ticket system.
Step 5 Click Next and enter a description of the problem.
Prime Infrastructure populates the form with data it retrieves from the device and automatically generates the necessary
supporting documents.
If desired, upload files from your local machine.
Step 6 Click Create Service Request.

251
Join the Cisco Support Community
Join the Cisco Support Community

You can access and participate in discussion forums in the online Cisco Support Community. You will need
a Cisco.com username and password.
Step 1 Choose one of the following:

• From Monitor > Monitoring Tools > Alarms and Events. Click a single alarm, then choose Troubleshoot >
Support Forum. If you do not see the Troubleshoot button, widen your browser window.
• From the Device 360 view. Hover your mouse over a device IP address, then click the information icon. Choose
Support Community from the Actions drop-down menu.
Step 2 In the Cisco Support Community Forum page, enter your search parameters to find what you need.

252
CHAPTER 9
Audits and Logs
• Audit Configuration Archive and Software Image Management Changes ( Change Audit Dashboard) ,
on page 253
• Audit Changes Made By Users (Change Audit), on page 253
• Audit Actions Executed from the GUI (System Audit), on page 255
• System Logs, on page 256
Audit Configuration Archive and Software Image Management

Changes ( Change Audit Dashboard)
The Change Audit Dashboardwindow displays changes made to devices using the Configuration Archive
and Software Image Management features. To view these changes, choose Monitor > Tools > Change Audit
Dashboard. Prime Infrastructure lists the most recent devices changes including the type of change
(Configuration Archive, Software Image Management).
You can also view the most recent changes for a device in the Recent Changes tab of its Device 360 view.
Audit Changes Made By Users (Change Audit)

Prime Infrastructure supports managing change audit data in the following ways:
Generate a Change Audit Report

The Change Audit report lists the actions that users have performed using the Prime Infrastructure features.
The following table provides examples of what may appear in a Change Audit report.
Feature Examples
Device management Device '209.165.202.159' Added
User management User ‘mmjones' added

253
Audits and Logs
Enable Change Audit Notifications and Configure Syslog Receivers
Feature Examples
Administration Logout successful for user jlsmith from 209.165.202.129

Authentication Failed. Login failed for user fjclark from 209.165.202.125
Configuration changes CLI Commands : ip access-list standard testremark test
Monitoring policies Monitoring Template 'IF Outbound Errors (Threshold)' Created
Configuration templates Configuration Template 'Add-Host-Name-IOS-Test' Created
Jobs 'Show-Users-On-Device-IOS_1' job of type Config Deploy - Deploy View

scheduled.
Inventory Logical File '/bootflash/tracelogs/inst_cleanup_R0-0.log.19999.20150126210302'

deleted.
Configuraion Archive STARTUP-CONFIG Changed

DELETED:dot11 guest
INSERTED:archive
INSERTED:log config
INSERTED:Permit icmp any any nd-na
Software Image Distribute Image File

Management Name(s):[ct5760-ipservicesk9.SPA.03.03.04.SE.150-1.EZ4.bin]
You can schedule a Change Audit report to run on a regular basis and, if desired, Prime Infrastructure can
e-mail the results to you. You can also forward this information in a Change Audit notification (see Enable
Change Audit Notifications and Configure Syslog Receivers, on page 254).
Step 1 Choose Reports > Report Launch Pad, then choose Compliance > Change Audit.
Step 2 Click New to configure a new report.
Step 3 In the Settings area, enter the report criteria (time frame, when to start the report, and so forth).
Step 4 If you want to schedule the report to run at a later time, enter your settings in the Schedule area. You can also specify an
e-mail address that the report should be sent to.
Step 5 If you want to run the report immediately, click Run at the bottom of the window.
The Report Run Result lists all users and the changes they made during the specified time period.
Enable Change Audit Notifications and Configure Syslog Receivers

If desired, you can configure Prime Infrastructure to send a change audit notification when changes are made
to the system. These changes include device inventory and configuration changes, configuration template and
monitoring template operations, and user operations such as logins and logouts and user account changes.
You can configurePrime Infrastructure to:

254
Audits and Logs
View Change Audit Details
• Forward changes as change audit notifications to a Java Message Server (JMS).

• Send these messages to specific syslog receivers.
For example, when a config archive is collected, Prime Infrastructure receives the syslog, generates trap and
sends email to the configured notification destination.
If you configure syslog receivers but do not receive syslogs, you may need to change the anti-virus or firewall
settings on the destination syslog receiver to permit reception of syslog messages.
Step 1 Select Administration > Settings > System Settings, then choose Mail and Notification > Change Audit Notification.
Step 2 Select the Enable Change Audit Notification check box to enable notifications.
Step 3 If you want to send the messages to specific syslog receivers:
a) Click the Add button (+) to specify a syslog receiver.
b) In the Syslog Receivers area, enter the IP address, protocol (TCP/UDP/TLS), and port number of the syslog receiver.
You can repeat these steps as needed to specify additional syslog receivers.
Step 4 Click Save.
View Change Audit Details
Step 1 Log in to Prime Infrastructure as an administrator

Step 2 Choose Monitor > Tools > Change Audit Dashboard.
The Change Audit Dashboard displays the network audit logs and change audit data of device management, user
management, Virtual Domain, logging, Change Audit Notification, Configuration Archive,configuration template
management, device community and credential changes, and inventory changes of devices. The Change Audit report
and Change Audit dashboard display the details irrespective of the virtual domain you are logged in.
The Change Audit Dashboard screen now displays the Device Name apart from other subtleties such as IP Address,
Audit Description, Audit Name, and Client IP Address. Additionally, click the i icon besides the IP Address to view the
Device 360 details.
Note The audit details of the deleted devices will be available under Root-Domain only.
You can click the export icon to download the audit details as CSV or PDF file.
Audit Actions Executed from the GUI (System Audit)
Note Prime Infrastructure sends all change audit notifications in XML format to the topic ChangeAudit.All. You
must be subscribed to ChangeAudit.All to receive the notifications.

255
Audits and Logs
System Logs
The System Audit window lists all Prime Infrastructure GUI pages that users have accessed. To view a System
Audit, choose Administration > Settings > System Audit.
The following table shows some of the information you can find from the System Audit page using the quick
filter. To enable the quick filter, choose Quick Filter from the Show drop-down list.
Find actions performed: Do the following:
By a specific user Enter the username in the Username quick filter field
By all users in a user group Enter the group name in the User Group quick filter field
On devices in a specific virtual Enter the virtual domain name in the Active Virtual Domain quick
domain filter field
By the web GUI root user Select Root User Logs from the Show drop-down list
On a specific device Enter the IP address in the IP Address quick filter field
On a specific day Enter the day in the Audit Time quick filter filed (in the format
yyyy–mmm–dd)
System Logs
Prime Infrastructure provides three classes of logs which are controlled by choosing Administration >
Settings > Logging.
Logging Type Description See:
General Captures information about actions in the system. View and Manage General System
Logs, on page 256
SNMP Captures interactions with managed devices. Enable SNMP Traces and Adjust
SNMP Log Settings (Levels, Size), on
page 267
Syslog Forwards Prime Infrastructure audit logs (as syslogs) Forward System Audit Logs As
to another recipient. Syslogs, on page 266
View and Manage General System Logs

You can view system logs after downloading them to your local server.
View the Logs for a Specific Job
Step 1 Choose Administration > Dashboards > Job Dashboard .

Step 2 Choose a job type from the Jobs pane, then select a job instance from the Jobs window.
Step 3 At the top left of the Job instance window, locate the Logs field, then click Download.

256
Audits and Logs
Adjust General Log File Settings and Default Sizes
Note You can download the logs for Configuration Archive Software, Configuration Rollback, Configuration
Overwrite, and Configuration Deploy job types.
Step 4 Open or save the file as needed.
Adjust General Log File Settings and Default Sizes

By default, Prime Infrastructure logs all error, informational, and trace messages generated by all managed
devices. It also logs all SNMP messages and Syslogs that it receives. You can adjust these settings, changing
logging levels for debugging purposes.
To do the following: From Administration > Settings > Logging:
Change the size of logs, Adjust the Log File Settings.

number of logs saved, and
Note Change these settings with caution to avoid impacting the system.
the file compression options
As per log4j MaxBackupIndex, there will be one main file
accompanied by the set number of backup files. For example, if the
number of log files is set to 3, there is one main file (.log) and 3
backup files (.log.1, .log.2, and .log.3).
If the Number of files is modified to a value lower than the one
previously set, the log file settings are applied only to the newly
generated files. For example, if the preset value was 5 and now you
modify it to 2, the settings will only be applied to files .log, .log.1
and .log.2. There is no changes to the files .log.3, .log.4, and .log.5.
If you select the Compression (Zip) option, log files are compressed
and archived in the ./logs/backup/[logging_module]
folder of the process. Retention of the compressed log files is subject
to the criteria:
• Storage (MB): Maximum size of the folder in MB
• Number of Days: Maximum age of the log files
The purge is triggered when either of the criteria is met.

Optionally, if Backup to external location is enabled, log files
marked for cleanup are copied to the specified external repository
prior to deletion.

257
Audits and Logs
Download and E-Mail Log Files for Troubleshooting Purposes
To do the following: From Administration > Settings > Logging:
Change the logging level for In the General Log Settings, select the files and the desired level, and click
specific modules Save. For example, from the Message Level drop-down list, choose one of
the following as current logging level:
• Error—Captures error logs on the system.
• Information—Captures informational logs on the system.
• Trace—Reproduces problems of managed devices on the system so the
details can be captured in the logs.
• Debug—Captures debugging logs on the system.
You will have to restart Prime Infrastructure for the changes to take effect.
Download log files for In the Global Settings tab, click Download.
troubleshooting purposes
E-mail log files (for Enter a comma-separated list of e-mail IDs and click Send.
example, to the Cisco
Technical Center)
Note This procedure sets and log message levels to Trace. Be sure to return the log message levels to their original
setting so system performance is not impacted.
Step 1 Choose Administration > Settings > Logging, then choose Log File Settings.
Step 2 Note the setting in the Message Level drop-down list because you will need to reset it later.
Step 3 In the Enable Log Modules area, select the desired Log Modules.
Log Modules Description
AAA This log module enables the ncs-0-0.log, nms_sys_error.log,

usermgmt.log, and XmpUserMgmtRbac.log files. The logs
are printed when the user logs in. The AAA mode changes
like local, tacacs, radius, and sso mode changes are
performed.
Access Work Flow This log module enables the ifm_access_workflow.log file.
Actions Framework This log module enables the nms-actions.log file.
admin This log module enables the admin.log file which then
captures the file size, message level, and so on.
Alertcache This log module enables the alertcache.log and

alertcache_error.log files.

258
Audits and Logs
Apic This log module enables the ifm_apic.log file which captures
the log that occurs when a PNP profile gets synced against
APIC.
APICPIIntegration This log module enables the apic_pi_integration.log file

that captures the logs when the profiles are synced in
APICEM as sites.
AppNav This log module enables the appNav.log file to capture the
logs when saving the ACL configuration in a template,
deleting ACL from a template, creating and updating WAAS
interface, and when creating, updating, and deleting the
service node group and controller group.
Assurance AppClassifier This log module enables the assurance_appclassifier.log

file that captures information related to NBAR classification
on incoming AVC/Wireless Netflow data. This is for
application classification/identification for flow record, as
a part of the netflow processing in Prime Infrastructure.
Assurance Netflow This log module enables the assurance_netflow.log file that
captures information pertaining to the processing of
incoming Netflow data being sent from various Netflow
devices to Prime Infrastructure. It logs information related
to netflow processing performed on flow exports received
on UDP port 9991.
Assurance PfR This log module enables the assurance_pfr.log file that
captures information related to the PfRMonitoring process.
Assurance WirelessUser This log module enables the assurance_wirelessuser.log file

that captures the information when the WirelessUser job
runs to read the user data and populate it in the memory
caches that are added by the WIRELESS_ASSURANCE
trigger.
Assurance WSA This log module enables the wsa_collector.log, access_log

, assurance_wsa.log, and error_log files that captures
information while WLC processes data from device to Prime
Infrastructure. Logs are generated as a part of the Wireless
Controller data collection.
AVC Utilities This log module enables the aems_avc_utils.log file. The
AVC configuration feature-specific utility flow logs are
generated as a part of this component.
CIDS Device Logs This log module captures information related to device pack
operation of few devices that are not migrated to XDE.
Circuits/VCs Trace This log module enables the nms-multilayer.log file.

259
Audits and Logs
cluster_core This log module enables the cluster.core.log file.
Collection This log module captures the information of the dashlet that
is launched to check the readiness of a device.
Common Helper This log module captures the XMP common related
information.
Compliance This log module enables the ifm_compliance.log files.
Configuration This log module enables the ifm_config.log file when the
templates such as CLI, Composite, and MBC are deployed
to the devices. The service business logic execution debug
logs are captured.
Configuration Archive This log module enables the ifm_config_archive.log and

ifm_config_archive_core.log files. The logs are captured
based on the selected log level in GUI and logs are logged
for all the Configuration Archive module supported
operations like Configuration Archive Collection,
Configuration Archive Overwrite, Configuration Archive
Rollback, and Configuration Archive Deploy.
Configuration Archive Core This log module enables the ifm_config_archive_core.log

file which captures the information on the interaction
between service layer and device pack while performing
the operations like Configuration Archive Collection,
Configuration Archive Overwrite, Configuration Archive
Rollback, and Configuration Archive Deploy.
Configuration Templates This log module enables the ifm_config.log and

ifm_template.log files. These files are logged when a System
template, Custome CLI template, Composite Template, or
Feature Template is deployed to a device and the deploy
job is created. The logs are captured in based on the selected
log level [INFO, DEBUG, TRACE] in GUI and are logged
for all the Configuration templates that is deployed to the
devices.
Container Management This log module enables the logs for ifm_container.log file.
This file is logged when the container management performs
the life cycle operations (Install, Activate, Uninstall, and
Deactivate) of the virtual appliances.
Config This log module enables config.log which comprises of

Node level configuration, Template deployment, Service
Provisioning, and so on.
Credential Management This log module enables the logs from NMS_SysOut.log
file.

260
Audits and Logs
Credential Profile This log module enables the ifm_credential_profile.log file

that captures the profile creation, deletion, and profile update
information.
DA This log module enables the ifm_da.log and da_daemon.log

files.This module captures the information such as SNMP
polling, NAM polling and Packet Capture work flows.
Database This log module enables the rman.log and db_migration.log

files.
Datacenter This log module enables the datacenterevent.log and

ifm_datacenter.log files. These files contain debug
information while adding, editing, and deleting devices
(Discovery Sources, UCS, Nexus). Inventory module logs
also contain the debug information about Datacenter
devices.
Device Credential Verification This log module enables the XDE.log file.
Discovery This log module enables the ifm_discovery.log and

existenceDiscovery.log files that captures logs while
creating, editing, and deleting discovery settings or
discovery job, and running discovery job.
Distributed Cache This log module enables the distributed-cache.log file.
DSM This log module captures the information related to Virtual

Inventory Discovery Source Manager.
ems_assurance This log module enables the ems-assurance.log file.
epnm_lcm This log module enables the epnm-lcm.log file used by the
Life Cycle Manager (LCM) component.
epnm_mcn This log module enables the epnm-mcn.log file used by the
Model Changes Notifier (MCN) component.
epnm_remote This log module enables the epnm-remote.log file.
Eventprocessing This log module enables the assurance_fault_error.log and

assurance_fault.log files.
Fault Management This log module enables the ifm_fault.log,

xmp_correlation.log, and xmp_syslog.log files.
Faults This log module enables the ifm_fault.log,

xmp_correlation.log, and xmp_syslog.log files.
Firewall and AVC Configuration This log module enables the aems_config.log file that
captures the AVC, ZBFW, QoS, and NAT configuration
details.

261
Audits and Logs
Firewall and AVC Inventory This log module enables the

aems_zbfw_ice_post_processors.log file that catures the
device inventory time read on AVC, ZBFW, QoS, and NAT
configuration.
Firewall and AVC REST API This module enables the aems_config_access_layer.log file
that captures the REST API call details for AVC, ZBFW,
QoS, NAT, and PPM features.
Firewall and AVC Utilities This log module enables the aems_utils.log file that captures
the common utility calls in AVC/ZBFW/QoS, NAT and
PPM features.
Firewall Utilities This log module enables the aems_zbfw_utils.log file that
captures the ZBFW utility calls.
General This log module enables the ifm_common.log files.
Geo Server This log module enables the nms-geoserver.log files.
Grouping This log module enables the ifm_grouping.log,

grouping-spring.log files. It captures data while adding,
editing, and deleting groups, and adding and deleting
members. It also captures the log while importing or
exporting groups in CSV format and creating port groups,
editing, and deleting port groups.
gui This log module enables the xmp-wap.log file.
IFMCommon This log module enables the ifm_common_log.log and

ifm_common_helper.log files.
Inventory This log module enables the inventory.log,

ifm_inventory.log,existenceInventory.log, and xde.log files.
It captures the data while adding, editing, and deleting
devices and performing inventory collection.
Key Certificate Management This log module enables the key_admin_web.log files.
MBC UI Framework This log module enables the mbcui_fw.log file.
Mobility This log module captures the information related to the

mobility anchor devices that are added to the server.
Monitor This log module captures the information related to the APIs
that appears while launching the monitor dashlets such as
Top N Memory and Top N CPU.
MSAP This log module enables the ncs.log file. It captures the data
related to MSE High Avaliabilty actions such as Proxy
configuration and BBX configuration.

262
Audits and Logs
MSE This log module enables the ncs.log file. It captures the data
related to Mobility Service Engine actvities such as adding,
editing, and deleting MSE and Controller and SiteMap
synchronization with MSE.
NBIFW This log module allows you to change the logging level of
the NBI API framework. You can view the information in
the xmpNbiFw.log file.
ncs_nbi This log module allows you to change the logging level of
the Statistics NBI Services. You can view the information
in the ncs_nbi.log file.
Network Technology Overlay This log module enables the technology-overlay.log and
synce-technology-overlay.log files.
Network Technology Overlay Provider This log module enables the technology-overlay.log file.
Network Topology This log module enables the nms-topology.log and

xmptopology.log files. This log module captures logs related
to the Maps > Network Topology page. Information such
as adding and deleting links between devices are captured.
NFVOS This log module is used for tracking esa dna integration
process.
Nice This log module captures the topology related information

after adding a device.
NMS Assurance Persistence Logger This log module enables the nms-assurance-persistence.log
file.
Nms Common Trace This log module enables the nms-common.log file.
nms_assurance This log module enables the nms-assurance.log file.
Notifications This log module captures information from the ncs-0-0.log,

ncs_nb.log and alarm_notification_policy.log files.
Optical This log module enables the nms-optical.log,

nms-optical-fault.log, nms-optical-event.log, and
nms-optical-cerberus.log files.
PA This log module enables the ifm_sam.log and

sam_daemon.log files. The information such as application
and service, dashboard and dashlet service API calls, NAM
configuration, NAM polling, and Packet Capture feature
work flow are captured.
Participating Circuit Service This log module enables the nms-paticipating-circuit.log

files.

263
Audits and Logs
Ping This log module captures information related to network

device polling interval job. Once the job is completed, each
device in the system receives a ping.
PKI This log module enables the pki.log files.
Plug and Play You can enable this module to capture the information
related to PNP profile creation and provisioning, bootstrap
initial configuration, APIC EM sync timeframe. The logs
are captured in the ifm_pnp.log and ifm_apic.log files.
Pnpgateway This log module enables the pnp_gateway_cns.log,

pnp_gateway_image.log, and pnp_gateway.log files.
Protocol Pack Management This module enables the aems_ppm_service.log,

ifm_container.log , jobManager.log and
ifm_jobscheduler.log files. This logs the information related
to protocol pack import, distribution of protocol packs, and
the jobs details.
QoS This log module enables the qos_config.log file when QoS
policies such as class maps or policy maps are created,
deployed to the devices and associate or disassociate with
the interfaces.
Reports You can enable this module to view the report related
queries, memory consumption, and time frame of report
generation.
Rest Service This log module enables the nms-rest-service.log file.
RTTS This log module enables the ifm_RTTS.log file.
Service Discovery This log module enables the nms-service-discovery.log and

nms-service-discovery-distributed.log files used by services.
Service History This log module enables the nms-service-history.log file.
Service Impact Analysis This log module enables the sia.log file used by the Service
Impacting Analysis feature in fault.
Service Multi Layer This log module enables the nms-service-multilayer.log

file.
Service Provisioning UI This log module enables the provisioning-ui.log file.
Smart Licensing This log module enables the ifm_smartagent.log and

smart_call_home.log files. The ifm_smartagent.log file
contains licensing logs related to smart licensing and
smart_call_home.log contains call home logs that captures
information transmitted to CSSM (Cisco Smart Software

264
Audits and Logs

Manager). These logs are captured in Periodic events and
User action based events.
SNMP This log module enables the snmp.log and mibLibrary.log

files.
Specific This log module enables the ifm_app.log file.
SWIM You can enable this module to log the Software Image
Management module logs in the ifm_swim.log file. The
logs will be captured as per the selected log level in GUI.
It logs the information related to the Software Image
Management operations like Software Image
Recommendation, Software Image Upgrade Analysis,
Software Image Import, Software Image Distribution,
Software Image Activation, and Software Image Commit.
System This log module enables the jobManager.log,

lockManager.log, preference.log, grouping-spring.log,
updates.log, poller.log, xmptopology.log, audit.log,
connmanager.log, dpl_rest.log, datacenterevent.log,
xmp-syslog.log, and webcontainer_filters.log files.
System Monitoring This log module enables the ifm_sysmon.log file. This logs
information pertaining to the rule start time and end time
as well as the operations performed in between.
Technology Collection This log module enables the technology_collection.log files.
ThreadManager This log module enables the xmp _threadmanager.log file

that captures the hybernate related information.
Threshold You can enable this module to view the details of the events
processed by the Threshold Monitor.
TrustSec You can enable this module to capture the TrustSec

readiness devices, devices capable for enforcement, device
classification, and capable devices information. The list is
displayed in Service-TrustSec-Readiness. You can view the
logs in the ifm_trustsec.log file.
Wlan AVC Configuration This log module enables the aems_config_wlan.log file to
view the WLAN configuration work flow related
information.
XDE This log module enables the xde.log file.
XMLMED You can enable this module to capture the SOAP requests
and responses. You can also view these logs in the ncs.log
files.

265
Audits and Logs
Forward System Audit Logs As Syslogs
Step 4 Select Trace from the Message Level drop-down list.

Step 5 Reproduce the problem on the system so the details can be captured in the logs.
Step 6 In the Download Log File area, click Download. The download zip file will have the name:
NCS-hostname-logs-yy-mm-dd-hh-mm-ss.
The file includes an HTML file that lists all files included in the zip file.
The information captured in the ifm_da.log and ifm_sam.log files are now split-up into the accompanying classes:
• assurance_wirelessuser.log
• assurance_pfr.log
• assurance_netflow.log
• assurance_appclassifier.log
The ifm_da.log file logs the information related to the Netflow devices and their respective pcaps, post device inclusion
on Prime Infrastructure. The assurance_wirelessuser.log file logs the information that is captured when the WirelessUser
job runs to read the user data and populate in the memory caches that are added by WIRELESS_ASSURANCE. The
assurance_pfr.log file stores the PfR monitoring related information. The assurance_netflow.log file logs the processing
of incoming Netflow data being sent from various Netflow devices to Prime Infrastructure. The assurance_appclassifier.log
file stores the logs for NBAR classification on incoming AVC/Wireless Netflow data.
Step 7 In the E-Mail Log File area, enter a comma-separated list of e-mail IDs.
Step 8 Revert to the original setting in the Message Level drop-down list.
Forward System Audit Logs As Syslogs
Before you begin

To work with Forward System Audit Logs as Syslogs, the user must configure Enable Change Audit
Notifications and Configure Syslog Receivers.
Step 1 Choose Administration > Settings > Logging, then choose Syslog tab to view Syslog Logging Options.
Step 2 Select the Enable Syslog check box to enable collecting and processing system logs.
Step 3 In the Syslog Host field, enter the IP address of the destination server to which the message is to be transmitted.
Step 4 From the Syslog Facility drop-down list, choose any of the eight local use facilities for sending syslog messages. The
local use facilities are not reserved and are available for general use.
Step 5 Click Save.
Note If you enable system logs forwarding to remote server through an admin CLI, logs will not be registered to
ade.log file.

266
Audits and Logs
Enable SNMP Traces and Adjust SNMP Log Settings (Levels, Size)
Enable SNMP tracing to access more detailed information about the packets sent and received through SNMP.
You may want to do this when troubleshooting, such as when a trap is dropped.
To make the following changes, choose Administration > Settings > Logging, then select the SNMP Log
tab.
If you want to: Do the following:
Enable SNMP tracing In the SNMP Log Settings area:

on specific devices
1. Select the Enable SNMP Trace check box and the Display Values check boxes.
2. Enter the IP addresses and/or DNS addresses of the devices you want to trace
and click Save.
Change the size of In the SNMP Log File Settings area:

logs and number of
Note Be careful when you change these settings so that you do not impact system
logs saved
performance (by saving too much data).
1. Adjust the maximum number of files and file size.

2. Restart Prime Infrastructure for your changes to take effect. See Stop and Restart
Prime Infrastructure, on page 93.

267
Audits and Logs

268
CHAPTER 10
Configure Controller and AP Settings
• Configure Protocols for CLI Sessions, on page 269
• Enable Unified AP Ping Reachability Settings on the Prime Infrastructure, on page 269
• Refresh Controllers After an Upgrade, on page 271
• Track Switch Ports to Rogue APs, on page 271
• Configure Switch Port Tracing, on page 272
Configure Protocols for CLI Sessions

Many Prime Infrastructure wireless features, such as autonomous access point and controller command-line
interface (CLI) templates and migration templates, require executing CLI commands on the autonomous
access point or controller. These CLI commands can be entered by establishing Telnet or SSH sessions. The
CLI session page allows you to select the session protocol.
In CLI templates, you are not required to answer the question responses (such as Yes or No answer to a
command, Press enter to continue , and so on.). This is automatically performed by Prime Infrastructure.
Step 1 Choose Administration > Settings > System Settings > Network and Device > CLI Session.
Step 2 Select the Controller Session Protocol (you can choose SSH or Telnet; SSH is the default).
Step 3 Select the Autonomous AP Session Protocol (you can choose SSH or Telnet; SSH is the default).
Step 4 The Run Autonomous AP Migration Analysis on discovery radio button is set to No by default. Choose Yes if you
want to discover the autonomous APs as well as perform migration analysis
Step 5 Click Save.
Enable Unified AP Ping Reachability Settings on the Prime

Infrastructure
Whenever a Unified AP is discovered in Cisco Prime Infrastructure, the Prime Infrastructure determines if
the AP is ping capable or not and updates the ping capability status accordingly in the Prime Infrastructure
database.
Various alarms are raised based on the following conditions:

269
Enable Unified AP Ping Reachability Settings on the Prime Infrastructure
• If the Unified AP is disassociated and is in FlexConnect mode, then the Prime Infrastructure checks if
the AP is reachable or not. If the AP is ping capable and ping reachable, then it raises a low severity
alarm. If the AP is not ping capable or reachable, then it raises a high severity alarm.
• If the Unified AP is disassociated and is not in FlexConnect mode, then the Prime Infrastructure raises
a high severity alarm.
By default, the Unified AP ping reachability feature is enabled in Prime Infrastructure versions 3.3 onwards.
However, it is disabled in verions 3.2 and earlier. To enable, follow these steps:
Step 1 Choose Administration > Settings > System Settings > Network and Device > Unified AP Ping Reachability.
Step 2 Select the Allow Prime to learn about AP Reachability radio button to allow Cisco Prime Infrastructure to learn if the
AP is reachable or not. A background task is triggered which pings each access point and stores the result in the Prime
Infrastructure database.
Step 3 You are prompted with an alert saying that the background job is triggered to learn about ping reachability. Click OK to
continue.
A background job is triggered and is run against all the associated APs in the Prime Infrastructure to learn about the AP
capabilities. A new job is created in the Job Dashboard with this information.
Step 4 If you select All access points are ping reachable from Prime radio button, then the Administrator marks all the Unified
APs as ping capable.
Step 5 Choose Administration > Dashboards > Job Dashboard > System Jobs > Status to view job status.
Step 6 To search job details, use Quick filter option and enter Learn Unified AP Ping Capability in the Name search field.
The result is displayed in the Status table. The table contains the following information:
• Job Type
• Status
• Last Run Status
• Last Start Time
• Duration
• Next Start Time
• Click the Learn AP Ping Reachability link to view more details. The Learn AP Ping Reachability page displays
the following information. Click Show All to view details about all job instances.
• Recurrence
• Interval
• Run ID
• Status
• Duration
• Start Time

270
Refresh Controllers After an Upgrade
• Completion Time
Refresh Controllers After an Upgrade

The Controller Upgrade page allows you to auto-refresh after a controller upgrade so that it automatically
restores the configuration whenever there is a change in the controller image.
Step 1 Choose Administration > Settings > System Settings > Network and Device > Controller Upgrade .
Step 2 Select the Auto refresh After Upgrade check box to automatically restore the configuration whenever there is a change
in the controller image.
Step 3 Select the Sync on Save Config Trap check box to trigger a Sync on the controller when the Prime Infrastructure receives
a Save Config trap. When this check box is selected, you can choose either of the following options:
• Retain the configuration in the Prime Infrastructure database
• Use the configuration on the controller currently
Step 4 Click Save.
Track Switch Ports to Rogue APs

Prime Infrastructure can automatically identify the network switch port to which each rogue access point is
connected. Note that this feature relies on Automatic Switch Port Tracing, which requires a full Prime
Infrastructure license to work.
Step 1 Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Auto
SPT. The Auto SPT page appears.
Step 2 Select the Enable Auto Switch Port Tracing check box to allow Prime Infrastructure to automatically trace the switch
ports to which rogue access points are connected. Then specify the parameters for auto port tracing, including:
• How long to wait between rogue AP-to-port traces (in minutes)
• Whether to trace Found On Wire rogue APs
• Which severities to include (Critical, Major, or Minor)
Step 3 Select the Enable Auto Containment check box to allow Prime Infrastructure to automatically contain rogue APs by
severity. Then specify the parameters for auto containment, including:
• Whether to exclude Found On Wire rogue APs detected by port tracing
• Which severities to include in the containment (Critical, Major)
• The containment level (up to 4 APs)

271
Configure Switch Port Tracing
Step 4 Click OK.
Configure Switch Port Tracing

Currently, Prime Infrastructure provides rogue access point detection by retrieving information from the
controller. The rogue access point table is populated with any detected BSSID addresses from any frames that
are not present in the neighbor list. At the end of a specified interval, the contents of the rogue table are sent
to the controller in a CAPWAP Rogue AP Report message. With this method, Prime Infrastructure gathers
the information received from the controllers. This enhancement allows you to react to found wired rogue
access points and prevent future attacks. The trace information is available only in Prime Infrastructure log
and only for rogue access points, not rogue clients.
A rogue client connected to the rogue access point information is used to track the switch port to which the
rogue access point is connected in the network. If you try to set tracing for a friendly or deleted rogue, a
warning message appears.
For Switch Port Tracing to successfully trace the switch ports using v3, all of the OIDs should be included in
the SNMP v3 view and VLAN content should be created for each VLAN in the SNMP v3 group. The Switch
Port Trace page allows you to run a trace on detected rogue access points on the wire.
To correctly trace and contain rogue access points, you must correctly provide the following information:
• Reporting APs — A rogue access point has to be reported by one or more managed access points.
• AP CDP Neighbor— Access point CDP neighbor information is required to determine the seed switches.
• Switch IP address and SNMP credentials— All switches to be traced must have a management IP address
and must have SNMP management enabled. You can add network address based entries instead of only
adding individual switches. The correct “write” community string must be specified to enable/disable
switch ports. For tracing, “read” community strings are sufficient. Network addresses using /32 subnet
masks are not supported in global SNMP credentials configuration. For more guidance, see “Frequently
Asked Questions on Rogues and Switch Port Tracing” in Related Topics.
• Switch port configuration— Trunking switch ports must be correctly configured. Switch port security
must be disabled.
• Switch Port Tracing is supported only on Cisco Ethernet switches and the following Catalyst switches:
2960, 3560, 3560-E, 3750-E, 3850, 4500 series.
• Switch VLAN settings must be configured accurately. Prime Infrastructure gets switch IP addresses
using Cisco Discovery Protocol neighbor information. It then uses VLAN information in the switch to
read the switch CAM table entries. If the VLAN information in the switch is not configured properly,
Prime Infrastructure will not be able to read the CAM table entries, which results in not being able to
trace rogue APs in the switch.
• CDP protocol must be enabled on all switches.
• An Ethernet connection must exist between the rogue access point and the Cisco switch.
• There must be traffic between the rogue access point and the Ethernet switch, for reliable detection of
rogue Ethernet Switch Port information, when the difference in the Ethernet mac address is more or less
than two.
• The rogue access point must be connected to a switch within the max hop limit.
• If SNMPv3 is chosen, use the context option and create one for each VLAN, in addition to the one for
the main group (which is required for non-VLAN-based MIBs).

272
Configuring SNMP credentials
Note For effective use of Vendor OUI match to eliminate false positive matches, the switch ports must have their
location information configured. The switch ports that are not configured will remain for OUI match after
elimination by location.
Related Topics
Frequently Asked Questions on Rogues and Switch Port Tracing, on page 276
Configuring SNMP credentials

To view the switch port trace details, follow these steps:
Step 1 Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > SPT
Configuration.
Step 2 Configure the following basic settings:
• MAC address +1/-1 search—Select the check box to enable.
This search involves the MAC address +1/-1 convention where the wired-side MAC address of the rogue access point is
obtained by adding or subtracting the radio MAC address by one.
• Rogue client MAC address search—Select the check box to enable.
When a rogue access point client exists, the MAC address of the client is added to the searchable MAC address list.
• Vendor (OUI) search— Select the check box to enable. OUI refers to Organizational Unique Identifier search which
searches the first three bytes in a MAC address.
• Exclude switch trunk ports— Select the check box to exclude switch trunk ports from the switch port trace.
Note When more than one port is traced for a given MAC address, additional checks are performed to improve
accuracy. These checks include the: trunk port, non-AP CDP neighbors present on the port, and whether or not
the MAC address is the only one on this port.
• Exclude device list— Select the check box to exclude additional devices from the trace. Enter into the device list
text box each device that you want to exclude from the switch port trace. Separate device names with a comma.
• Max hop count— Enter the maximum number of hops for this trace. Keep in mind that the greater the hop count,
the longer the switch port trace takes to perform.
Note This hop count value is not applicable for Auto SPT.
• Exclude vendor list— Enter in the vendor list text box any vendors that you want to exclude from the switch port
trace. Separate vendor names with commas. The vendor list is not case sensitive.
Step 3 Configure the following advanced settings:

• TraceRogueAP task max thread— Switch port tracing uses multiple threads to trace rogue access points. This field
indicates the maximum number of rogue access points that can be traced on parallel threads.
• TraceRogueAP max queue size— Switch port tracing maintains a queue to trace rogue access points. Whenever
you select a rogue access point for tracing, it is queued for processing. This field indicates the maximum number of
entries that you can store in the queue.
• SwitchTask max thread— Switch port tracing uses multiple threads to query switch devices. This field indicates the
maximum number of switch devices that you can query on parallel threads.

273
View the switch port trace details
The default value for these parameters should be good for normal operations. These parameters directly impact the
performance of switch port tracing and Prime Infrastructure. Unless required, we do not recommend that you alter these
parameters.
• Select CDP device capabilities— Select the check box to enable.
Prime Infrastructure uses CDP to discover neighbors during tracing. When the neighbors are verified, Prime Infrastructure
uses the CDP capabilities field to determine whether or not the neighbor device is a valid switch. If the neighbor device
is not a valid switch, it is not traced.
Step 4 Click Save to confirm changes made. Click Reset to return the page to the original settings. Click Factory Reset to return
settings to the factory defaults.
View the switch port trace details

To view the switch port trace details, follow these steps:
Step 1 Add switches with full licenses using the Configuration > Network > Network Devices page.
Step 2 Enable Auto switch port tracing in Administration > Settings > System Settings > Network and Device > Switch Port
Trace (SPT) > Auto SPT page.
Step 3 Schedule to run wired client status Major Polling background task in Administration > Dashboards > Job Dashboard
page.
Step 4 Click the Trace switch port icon in Rogue AP detail page. New pop up will show details of switch port traced. Click the
detail status to check trace status such as started/Found, and so on.
Note Manual SPT will work, even if you do not add any switch to Prime Infrastructure. But you should configure
the SNMP credentials correctly in Administration > Settings > System Settings > Network and Device >
Switch Port Trace (SPT) > Manual SPT page. “Private” is the default credential, and will be used during
manual Switch Port Tracing if you do not configure it.
• If a switch is added to Prime Infrastructure by selecting Configuration > Network > Network Devices,
the SNMP credentials entered for the switch will override any switch SNMP credentials entered here,
and will be used for switch port tracing. You can change the switch SNMP credentials in the
Configuration > Network > Network Devices page. Prime Infrastructure will not require any license
for adding switch with SPT and will not display wired clients connected to the switches. The Monitor
> Managed Elements > Network Devices > Device Groups > Device Type > Switches and Hubs
page will not display the switch details added with SPT.
• Prime Infrastructure requires full license for adding switch. The Monitor > Managed Elements >
Network Devices > Device Groups > Device Type > Switches and Hubs page will display the switch
details added with full license. Prime Infrastructure will also display wired clients connected to switches.
Location of switches is tracked with MSE.

274
Establish Switch Port Tracing
Establish Switch Port Tracing
Step 1 Choose Dashboard > Wireless > Security.

Step 2 In the Malicious Rogue APs, Unclassified Rogue APs, Friendly Rogue APs, Custom Rogue APs, and Adhoc Rogues
dashlets: Click the number links showing how many rogues have been identified in the Last Hour, last 24 Hours, or Total
Active. The Alarms window opens, showing alarms for the suspected rogues.
Step 3 Choose the rogue for which you want to set up switch port tracking by selecting the check box next to it.
Step 4 Expand the applicable alarm and manually select the Trace Switch Port button under the Switch Port Tracing subsection
of the alarm details.
When one or more searchable MAC addresses are available, Prime Infrastructure uses CDP to discover any switches
connected up to two hops away from the detecting access point. The MIBs of each CDP discovered switch is examined
to see if it contains any of the target MAC addresses. If any of the MAC addresses are found, the corresponding port
number is returned and reported as the rogue switch port.
See Switch Port Tracing Details, on page 275 for additional information on the Switch Port Tracing Details dialog box.
Configure SNMP Credentials for Rogue AP Tracing

The SNMP Credentials page allows you to specify credentials to use for tracing rogue access points. Use this
option when you cannot find a specific entry using a number-based entry. When a switch credential is not
added to Cisco Prime Infrastructure, you can use SNMP credentials on this page to connect to the switch.
Step 1 ChooseAdministration > Settings > System Settings, then choose Network and Device > Switch Port Trace (SPT) >
Manual SPT . The Manual SPT page appears.
Step 2 View or edit the details for a current SNMP credential entry by clicking the Network Address link for that entry.
For details on this task, see “Configure Global SNMP Settings” and “View SNMP Credential Details” in related topics.
Note that the default entry is for network 0.0.0.0, which indicates the entire network. SNMP credentials are defined per
network, so only network addresses are allowed. The SNMP credentials defined for network 0.0.0.0 is the SNMP credential
default. It is used when no specific SNMP credential is defined. You should update the pre-populated SNMP credential
with your own SNMP information.
Step 3 To add a new SNMP entry, choose Select a command > Add SNMP Entries > Go (see “Add SNMP Credentials”).
Related Topics
Switch Port Tracing Details

In the Switch Port Tracing Details dialog box, you can enable or disable switch ports, trace switch ports, and
view detail status of the access point switch trace.

275
Switch Port Tracing Troubleshooting
For more information on Switch Port Tracing, see the following related topics:
In the Switch Port tracing Details dialog box, do one of the following:
• Click Enable/Disable Switch Port(s)— Enables or disables any selected ports.
• Click Trace Switch Port(s)— Runs another switch port trace.
• Click Show Detail Status— Displays details regarding the switch port traces for this access point.
• Click Close.
Related Topics
Configure Switch Port Tracing, on page 272
Configure SNMP Credentials for Rogue AP Tracing, on page 275
Switch Port Tracing Troubleshooting

Switch Port Tracing (SPT) works on a best-effort basis. SPT depends on the following information to correctly
trace and contain rogue APs:
• Reporting access points— A rogue access point must be reported by one or more managed access points.
• Access point CDP neighbor— Access point Cisco Discovery Protocol (CDP) neighbor information is
required to determine the seed switches.
• Switch IP address and SNMP credentials
• All the switches that need to be traced should have a management IP address and SNMP management
enabled.
• With the new SNMP credential changes, instead of adding the individual switches to Prime
Infrastructure, network address based entries can be added.
• The new SNMP credential feature has a default entry 0.0.0.0 with default community string as
private for both read/write.
• The correct write community string has to be specified to enable/disable switch ports. For tracing,
a read community string should be sufficient.
• Switch port configuration
• Switch ports that are trunking should be correctly configured as trunk ports.
• Switch port security should be disabled.
• Switch Port Tracing is supported only on Cisco Ethernet switches and the following Catalyst switches:
2960, 3560, 3560-E, 3650, 3750-E, 3750-X, 3850, 4500 and 6500 series.
• Switch VLAN settings should be properly configured.
• CDP protocol should be enabled for all the switches.
• An Ethernet connection should exist between the rogue access point and the Cisco switch.
• There should be some traffic between the rogue access point and the Ethernet switch.
• The rogue access point should be connected to a switch within the max hop limit. Default hop is 2. Max
hop is 10.
• If SNMPv3 is used, then make sure you use the context option and create one for each VLAN in addition
to the one for the main group (which is required for non-VLAN based MIBs).
Frequently Asked Questions on Rogues and Switch Port Tracing

The following related topics answer a variety of questions about Prime Infrastructure rogue AP detection and
switch port tracing (SPT).

276
How Do You Configure Auto SPT?
Related Topics
How Do You Configure Auto SPT?, on page 277
How Does Auto SPT Differ From Manual SPT?, on page 277
Where Can I See SPT Results (Manual and Auto)?, on page 278
How Can I Ensure Auto SPT Runs Smoothly
Why Does Auto SPT Take Longer to Find Wired Rogues?, on page 278
How Can I Detect Wired Rogues on Trunk Ports?, on page 279
How Can I Use the Auto SPT “Eliminate By Location” Feature? , on page 280
What is the Difference Between “Major Polling” and “Minor Polling”?, on page 280
How Do You Configure Auto SPT?

Follow the steps below to configure automatic SPT:
Step 1 Use Configuration > Network > Network Devices > Add Device to add switches with a License Level of Full.
Step 2 Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > Auto SPT
and select Enable Auto Switch Port Tracing. Click OK.
Step 3 Select Administration > Settings > Background Tasks > Wired Client Status. Make sure this task is enabled and that
it is scheduled to run at least twice a day.
Related Topics
Where Can I See SPT Results (Manual and Auto)?, on page 278
How Can I Ensure Auto SPT Runs Smoothly?
How Does Auto SPT Differ From Manual SPT?

Manual SPT runs against individual rogue AP alarms. You must trigger it by clicking on the Trace Switch
Port icon on the details page for a rogue AP alarm.
Auto SPT runs on batches of alarms, automatically, on the schedule defined for the Wired Client Status
background task.
Note that manual SPT triggering depends on CDP being enabled on the access points and switches with
appropriate SNMP community strings. For more information on manual SPT and how it works, see the WCS
Switch Port Trace Demonstration link in related topics.
Auto and manual SPT also differ in the way they handle licensing and the switch “license level”, which can
be set to either “Full” or “Switch Port Trace Only” when adding the switch. These three cases demonstrate
the differences:
• Adding switches with “Full” license level: Prime Infrastructure consumes a license for every added
switch with a full license level. All the wired clients connected to switches can be seen by selecting
Monitor > Managed Elements > Network Devices > Device Type > Switches and Hubs. You can
also use MSE to track switch locations. A “Full” license level is mandatory for Auto SPT to be functional.
• Adding no Switches: Manual SPT will still work even without adding any switches. But you must
remember to configure SNMP credentials appropriately for all switches, using Administration > Settings
> System Settings > Network and Device > Switch Port Trace (SPT) > Manual SPT.
• Adding switches with “Switch Port Trace Only” license level: If you add a switch to Prime
Infrastructure using Configuration > Network > Network Devices > Add Device, but select a Switch

277
Where Can I See SPT Results (Manual and Auto)?
Port Trace Only license level, the SNMP credentials you enter when adding the switch will override
the SNMP credentials entered using Administration > Settings > System Settings > Network and
Device > Switch Port Trace (SPT) > Manual SPT. The entered credentials will be used for switch port
tracing. This is the main difference between not adding switches and adding switches with a license level
of “Switch Port Tracing Only”. Prime Infrastructure will not consume any licenses for switches with an
SPT-only license level, will not show these switches under Monitor > Managed Elements > Network
Devices > Device Type > Switches and Hubs, and will not show wired clients connected to these
switches.
For more information, See WCS Switch Port Trace Demonstration.
Related Topics
Where Can I See SPT Results (Manual and Auto)?
Step 1 Display details for the Rogue AP alarm in which you are interested. For example:
a) Click the Alarm Summary icon at the top of any Prime Infrastructure page. A list of alarm categories appears.
b) Click the Rogue AP link in the list. Prime Infrastructure displays the list of rogue AP alarms.
c) Expand the rogue AP alarm you want. The details page for that alarm appears.
Step 2 In the Switch Port Tracing pane, click the Trace Switch Port icon. The Switch Port Trace window shows the details
of the traced switch port.
If no SPT has been performed, click Trace Switch Port(s) to start tracing. Click the Show Detail Status button to get
details on the status of the trace as it progresses.
Related Topics
Why Does Auto SPT Take Longer to Find Wired Rogues?

Auto SPT takes relatively longer to find wired rogues than does manual SPT for the following reasons:
1. Auto SPT depends on the wired client discovery process, which happens only when the Wired Client
Status major polling background task runs. By default, the major poll for this background task is scheduled
to run only after every two minor polls, or once every four hours.
2. Even though the wired rogue AP is connected to a switch, Prime Infrastructure will discover a wired port
only when the wired rogue AP is in the “associated” state. Prime Infrastructure always checks whether a
wired client’s status is associated or disassociated. If the wired client status is disassociated, Prime
Infrastructure shows this as no port connected.
3. Rogue tracing is done in batches. The time taken to find a particular wired rogue depends on the batch in
which Prime Infrastructure processes it. If a particular rogue was processed in the previous batch, it takes
more time to trace it.
4. The time taken to discover any wired rogue depends upon the number of rogue alarms present in Prime
Infrastructure and the interval between Wired Client Status major polls.
Related Topics

278
How Can I Detect Wired Rogues on Trunk Ports?
How Can I Detect Wired Rogues on Trunk Ports?

You can detect wired rogues on trunk ports by following the steps below.
Note that if you are trying to detect rogues on trunk ports for Cisco 2950 switches, you must first install the
updated 2950 support in Prime Infrastructure Device Pack 5.0.
Step 1 Choose Administration > Settings > System Settings > Network and Device > Switch Port Trace (SPT) > SPT
Configuration.
Step 2 Uncheck the Exclude switch trunk ports check box, then click Save.
Step 4 Check the Discover wired clients on trunk ports check box, then click Save.
Switches will start detecting wired clients on trunk ports starting with the next execution of a major poll by the Wired
Client Status background task.
Related Topics
How Do You Configure Switch Port Location?

Follow the steps below to configure Switch Port Location:
Step 1 Use Configuration > Network > Network Devices > Switches and Hubs.
Step 2 Click a Device Name. By default, Configuration tab opens.
Step 3 Click Switch Port Location in the top right corner.
Step 4 Select the check box(es) of one or more ports to configure location, and from choose Configure Location from the
drop-down list, then click Go.
Step 5 In the Map Location group, you can configure the following:
• From the Campus/Site drop-down list, choose the campus map for the switch or switch port.
• From the Building drop-down list, choose the building map location for the switch or switch port.
• From the Floor drop-down list, choose the floor map.
• If you have already saved a file with the Campus/Site, Building, and Floor details, click Import Civic. This imports
civic information for the MSE using Prime Infrastructure. Enter the name of the text file or browse for the filename,
and click Import.
Step 6 In the ELIN and Civic Location group box, you can configure the following:
• Enter the Emergency Location Identifier Number (ELIN) in the ELIN text box. ELIN is a number that can be used
by the local public safety answering point (PSAP) to look up the geographic location of the caller in a master database
known as the automatic location information (ALI) database. The ELIN also allows the PSAP to contact the emergency
caller directly in the event the phone call is disconnected.
• Complete the required fields on the Civic Address and Advanced tabs.

279
How Can I Use the Auto SPT “Eliminate By Location” Feature?
• If you have the ELIN and Civic location information saved in a file, you can import it by clicking Import Switch
Location.
Step 7 Click Save.
Related Topics
How Can I Ensure Auto SPT Runs Smoothly?
How Can I Use the Auto SPT “Eliminate By Location” Feature?

“Eliminate by location” is one of the algorithms Prime Infrastructure uses to detect wired rogues. It uses the
rogue AP location information to search for the associated switch ports. It helps to reduce false positives
during Auto SPT processing, using the floor ID of the detecting APs, and increases accuracy in tracking wired
rogues.
When “Eliminate by location” is enabled, the Wired Client Status background task discovers all the wired
clients from managed switches. The next time auto SPT runs, switch ports will be filtered based on the
“eliminate by location” algorithm.
Follow these steps to enable “eliminate by location”:
Step 1 Integrate Cisco Mobility Service Engine (MSE) with Prime Infrastructure.
Step 2 Ensure that MSE is in sync with the defined floor area where the detecting APs are placed. MSE should be able to track
the rogues.
Step 3 Add all switches to Prime Infrastructure.
Step 4 After all switches are added to PI and are in the managed state, all switch ports need to be configured for the algorithm
to work. If all switches are not configured with switch ports, then the false positive results occur. You can configure from
the Configuration > Network > Network Devices > Switches and Hubs > click on a Device Name > click Switch Port
Location in the top right corner.
Step 5 Place the detecting access points on the map and make sure that the Cisco MSE is synchronized and rogues APs are
detected on the floor.
Eliminate By Location algorithm takes the floor ID of detecting APs and eliminates all others. If some switch ports are
not configured, then the value of those ports will be set to Zero and will be considered. Hence the results may contain
false positives, which contains the exact floor ID and floor ID which has the value zero.
Step 6 Configure switch port locations to ensure that all ports are assigned to the correct floor area.
Related Topics
How Do You Configure Switch Port Location?, on page 279
What is the Difference Between “Major Polling” and “Minor Polling”?

The Wired Client Status background task that triggers auto SPT Definitions are as follows:

280
Major Polling: During a major poll, Prime Infrastructure triggers client discovery on all wired device ports
by syncing all of the essential client information with the database. In Prime Infrastructure 2.2, the frequency
of this poll was reduced from twice a day. It is now fully configurable.
Minor Polling: During a minor poll, Prime Infrastructure triggers client discovery only on device interfaces
and ports which became active recently. Prime Infrastructure uses interface uptime data to detect when a port
or interface is recently added or removed by any client.
Related Topics
How Does Auto SPT Differ From Manual SPT?, on page 277
Why Does Auto SPT Take Longer to Find Wired Rogues?, on page 278

281

282
CHAPTER 11
Configure High Availability
• How High Availability Works, on page 283
• Planning HA Deployments, on page 291
• Set Up High Availability, on page 297
• How to Patch HA Servers, on page 305
• Monitor High Availability, on page 312
• High Availability Reference Information, on page 324
• Configure MSE High Availability , on page 331
How High Availability Works

The following figure shows the main components and process flow for a Prime Infrastructure High Availability
(HA) setup with the primary server in the active state.

283
How High Availability Works
Figure 1: HA Deployment
An HA deployment consists of two Prime Infrastructure servers: a primary and a secondary. Each of these
servers has an active database and a standby backup copy of the active database. Under normal circumstances,
the primary server is active: It is connected to its active database while it manages the network. The secondary
server is passive, connected only to its standby database, but in constant communication with the primary
server.
The Health Monitor processes running on both servers monitor the status of its opposite server. Oracle Recovery
Manager (RMAN) running on both servers creates the active and standby databases and synchronizes the
databases when there are changes, with the help of Oracle Data Guard Broker running on the primary server.
When the primary server fails, the secondary takes over, connecting to its active database, which is in sync
with the active primary database. You can trigger this switch, called a “failover”, either manually, which is
recommended, or have it triggered automatically, You then use the secondary server to manage the network
while working to restore access to the primary server. When the primary is available again, you can initiate
a switch (called a “failback”) back to the primary server and resume network management using the primary.
If you choose to deploy the primary and secondary servers on the same IP subnet, you can configure your
devices to send a notifications to Prime Infrastructure at a single virtual IP address. If you choose to disperse
the two servers geographically, such as to facilitate disaster recovery, you will need to configure your devices
to send notifications to both servers.
Related Topics
About the Primary and Secondary Servers, on page 285
Sources of Failure, on page 285
File and Database Synchronization, on page 285
HA Server Communications, on page 286

284
About the Primary and Secondary Servers
Health Monitor Process, on page 286

Health Monitor Web Page, on page 287
Using Virtual IP Addressing With HA, on page 288
How to Use SSL Certificates in an HA Environment?, on page 289
Import Client Certificates Into Web Browsers, on page 290
About the Primary and Secondary Servers

In any Prime Infrastructure HA implementation, for a given instance of a primary server, there must be one
and only one dedicated secondary server.
Typically, each HA server has its own IP address or host name. If you place the servers on the same subnet,
they can share the same IP using virtual IP addressing, which simplifies device configuration. The primary
and secondary servers of Prime Infrastructure must be enabled on a network interface ethernet0 (eth0) during
HA implementation.
Once HA is set up, you should avoid changing the IP addresses or host names of the HA servers, as this will
break the HA setup (see “Reset the Server IP Address or Host Name” in Related Topics).
Related Topics
How High Availability Works, on page 283
Reset the HA Server IP Address or Host Name, on page 331
Sources of Failure
Prime Infrastructure servers can fail due to issues in one or more of the following areas:
• Application Processes: Failure of one or more of the Prime Infrastructure server processes, including
NMS Server, MATLAB, TFTP, FTP, and so on. You can view the operational status of each of these
application processes by running the ncs status command through the admin console.
• Database Server: One or more database-related processes could be down. The Database Server runs as
a service in Prime Infrastructure.
• Network: Problems with network access or reachability issues.
• System: Problems related to the server's physical hardware or operating system.
• Virtual Machine (VM): Problems with the VM environment on which the primary and secondary servers
were installed (if HA is running in a VM environment).
For more information, see How High Availability Works
File and Database Synchronization

Whenever the HA configuration determines that there is a change on the primary server, it synchronizes this
change with the secondary server. These changes are of two types:
1. Database: These include database updates related to configuration, performance and monitoring data.
2. File: These include changes to configuration files.
Oracle Recovery Manager (RMAN) running on both servers creates the active and standby databases and
synchronizes the databases when there are changes, with the help of Oracle Data Guard Broker running on
the primary server.

285
HA Server Communications
File changes are synchronized using the HTTPS protocol. File synchronization is done either in:
• Batch: This category includes files that are not updated frequently (such as license files). These files are
synchronized once every 500 seconds.
• Near Real-Time: Files that are updated frequently fall under this category. These files are synchronized
once every 11 seconds.
By default, the HA framework is configured to copy all the required configuration data, including:
• Report configurations
• Configuration Templates
• TFTP-root
• Administration settings
• Licensing files
Related Topics
HA Server Communications
The primary and secondary HA servers exchange the following messages in order to maintain the health of
the HA system:
• Database Sync: Includes all the information necessary to ensure that the databases on the primary and
secondary servers are running and synchronized.
• File Sync: Includes frequently updated configuration files. These are synchronized every 11 seconds,
while other infrequently updated configuration files are synchronized every 500 seconds.
• Process Sync: Ensures that application- and database-related processes are running. These messages fall
under the Heartbeat category.
• Health Monitor Sync: These messages check for the following failure conditions:
• Network failures
• System failures (in the server hardware and operating system)
• Health Monitor failures
Related Topics
Health Monitor Process

Health Monitor (HM) is the main component managing HA operations. Separate instances of HM run as an
application process on both the primary and the secondary server. HM performs the following functions:
• Synchronizes database and configuration data related to HA (this excludes databases that sync separately
using Oracle Data Guard).
• Exchanges heartbeat messages between the primary and secondary servers every five seconds, to ensure
communications are maintained between the servers.
• Checks the available disk space on both servers at regular intervals, and generates events when storage
space runs low.
• Manages, controls and monitors the overall health of the linked HA servers. If there is a failure on the
primary server then it is the Health Monitor’s job to activate the secondary server.

286
Health Monitor Web Page
Related Topics
Health Monitor Web Page

You control HA behavior using the Health Monitor web page. Each Health Monitor instance running on the
primary server or secondary server has its own web page. The following figure shows an example of the
Health Monitor web page for a secondary server in the “Primary Active” and "Secondary Syncing" state.
Figure 2: Health Monitor Web Page (Secondary Server )
1 Settings area displays Health Monitor state and configuration detail in five separate
sections.
2 Status indicates current functional status of the HA setup (green check mark indicates
that HA is on and working).
3 Check Failover Readiness field displays the values of system failback and system failover
details of the checklist items.
For more details, see "Check Failover Readiness" given below the table.
4 Primary IP Address identifies the IP of the peer server for this secondary server (on the
primary server, this field is labeled “Secondary IP Address”).
5 Events table displays all current HA-related events, in chronological order, with most
recent event at the top.
6 Message Level field lets you change the logging level (your choice of Error, Informational,
or Trace). You must press Save to change the logging level.
7 Logging Download area lets you download Health Monitor log files.
8 State shows current HA state of the server on which this instance of Health Monitor is
running.
9 Failover Type shows whether you have Manual or Automatic failover configured.
10 Identifies the HA server whose Health Monitor web page you are viewing.

287
Using Virtual IP Addressing With HA
11 Action shows actions you can perform, such as failover or failback. Action buttons are
enabled only when Health Monitor detects HA state changes needing action.
Check Failover Readiness section description:
Checklist Name Description
SYSTEM - CHECK DISK IOPS This validates the disk iops in both primary and secondary
server.
The minimum expected disk iops is 200 MBps.
NETWORK - CHECK NETWORK This checks if the eth0 interface speed matches the
INTERFACE BANDWIDTH recommended speed of 100 Mbps in both primary and
secondary sever.
This test will not measure network bandwidth by
transmitting data between primary and secondary server.
NETWORK - CHECK NETWORK This checks if the network bandwidth speed matches the
BANDWIDTH SPEED recommended speed of 100 Mbps in both primary and
secondary sever.
This test will measure network bandwidth by transmitting
data between primary and secondary server.
Note In Cisco Prime Infrastructure 3.9, the network
bandwidth speed test is calculated only in Mbps.
Therefore, GBps, MBps, KBps, and Mbps are
changed over to Mbps and given as an input to
the speed test.
DATABASE - SYNC STATUS This ensures the oracle data guard broker configuration
which syncs the primary and secondary database.
Trend Graph for Check Failover Readiness :

• Click Click here link in the Trend Graph to check the trend graphs for all the check failover readiness
test. The trend graphs shows the historical summary of the test and status on the stability of the
System/Network.
• Click Select Date Range to modify date and time, Click Apply. By default, trend graphs displays the
latest 6 hours value.
Related Topics
How to Resolve Database Synchronization Issues, on page 324
Using Virtual IP Addressing With HA

Under normal circumstances, you configure the devices that you manage using Prime Infrastructure to send
their syslogs, SNMP traps and other notifications to the Prime Infrastructure server’s IP address. When HA
is implemented, you will have two separate Prime Infrastructure servers, with two different IP addresses. If

288
How to Use SSL Certificates in an HA Environment?
we fail to reconfigure devices to send their notifications to the secondary server as well as the primary server,
then when the secondary Prime Infrastructure server goes into Active mode, none of these notifications will
be received by the secondary server.
Setting all of your managed devices to send notifications to two separate servers demands extra device
configuration work. To avoid this additional overhead, HA supports use of a virtual IP that both servers can
share as the Management Address. The two servers will switch IPs as needed during failover and failback
processes. At any given time, the virtual IP Address will always point to the correct Prime Infrastructure
server.
Note that you cannot use virtual IP addressing unless the addresses for both of the HA servers and the virtual
IP are all in the same subnet. This can have an impact on how you choose to deploy your HA servers (see
“Planning HA Deployments” and “Using the Local Model” in Related Topics).
Also note that a virtual IP address is in no way intended as a substitute for the two server IP addresses. The
virtual IP is intended as a destination for syslogs and traps, and for other device management messages being
sent to the Prime Infrastructure servers. Polling of devices is always conducted from one of the two Prime
Infrastructure server IP addresses. Given these facts, if you are using virtual IP addressing, you must open
your firewall to incoming and outgoing TCP/IP communication on all three addresses: the virtual IP address
as well as the two actual server IPs.
You can also use virtual IP addressing if you plan to use HA with Operations Center. You can assign a virtual
IP as SSO to the Prime Infrastructure instance on which Operations Center is enabled. No virtual IP is needed
for any of the instances managed using Operations Center (see “Enable HA for Operations Center”).
You can enable virtual IP addressing during HA registration on the primary server, by specifying that you
want to use this feature and then supplying the virtual IPv4 (and, optionally, IPv6) address you want the
primary and secondary servers to share (see “How to Register HA on the Primary Server”).
To remove Virtual IP addressing after it is enabled, you must remove HA completely (see “Remove HA Via
the GUI”).
Related Topics
What If I Cannot Use Virtual IP Addressing?, on page 294
Planning HA Deployments, on page 291
Using the Local Model, on page 292
How to Register HA on the Primary Server, on page 299
Remove HA Via the GUI, on page 328
How to Use SSL Certificates in an HA Environment?

If you decide to use SSL certification to secure communications between Prime Infrastructure server and
users, and also plan to implement HA, you will need to generate separate certificates for both the primary and
secondary HA servers.
These certificates must be generated using the FQDN (Fully Qualified Domain Name) for each server. To
clarify: You must use the primary server’s FQDN to generate the certificate you plan to use for the primary
server, and the secondary server’s FQDN to generate the certificate you plan to use for the secondary server,
Once you have generated the certificates, import the signed certificates to the respective servers.
Do not generate SSL certificates using a virtual IP address. The virtual IP address feature is used to enable
communications between Prime Infrastructure and your network devices.

289
Import Client Certificates Into Web Browsers
To set up HTTPS access for Cisco Prime Infrastructure, see Set Up HTTPS Access to Prime Infrastructure
Import Client Certificates Into Web Browsers

Users accessing Prime Infrastructure servers with certificate authentication must import client certificates into
their browsers in order to authenticate. Although the process is similar across browsers, the actual details vary
with the browser. The following procedure assumes that your users are using a Prime Infrastructure compatible
version of Firefox.
You must ensure that the user importing the client certificates has:
• Downloaded a copy of the certificate files to a local storage resource on the client machine
• If the certificate file is encrypted: The password with which the certificate files were encrypted.
Step 1 Launch Firefox and enter the following URL in the location bar: about:preferences#advanced.
Firefox displays its Options > Advanced tab.
Step 2 Select Certificates > View Certificates > Your Certificates, then click Import....
Step 3 Navigate to the downloaded certificate files, select them, then click OK or Open.
Step 4 If the certificate files are encrypted: You will be prompted for the password used to encrypt the certificate file. Enter it
and click OK.
The certificate is now installed in the browser.
Step 5 Press Ctrl+Shift+Del to clear the browser cache.

Step 6 Point the browser to the Prime Infrastructure server using certificate authentication.
You will be prompted to select the certificate with which to respond to the server authentication requested. Select the
appropriate certificate and click OK.
Hot Standby Behavior

When the primary server is active, the secondary server is in constant synchronization with the primary server
and runs all Prime Infrastructure processes for fast switch over. When the primary server fails, the secondary
server immediately takes over the active role within two to three minutes after the failover.
Once issues in the primary server are resolved and it is returned to a running state, the primary server assumes
a standby role. When the primary server is in the standby role, the Health Monitor GUI shows “Primary
Syncing” state during which the database and files on the primary start to sync with the active secondary.
When the primary server is available again and a failback is triggered, the primary server again takes over the
active role. This role switching between the primary and secondary servers happens within two to three
minutes.
Related Topics

290
Planning HA Deployments
Planning HA Deployments
Prime Infrastructure’s HA feature supports the following deployment models:
• Local: Both of the HA servers are located on the same subnet (giving them Layer 2 proximity), usually
in the same data center.
• Campus: Both HA servers are located in different subnets connected via LAN. Typically, they will be
deployed on a single campus, but at different locations within the campus.
• Remote: Each HA server is located in a separate, remote subnet connected via WAN. Each server is in
a different facility. The facilities are geographically dispersed across countries or continents.
The following sections explain the advantages and disadvantage of each model, and discusses underlying
restrictions that affect all deployment models.
HA will function using any of the supported deployment models. The main restriction is on HA’s performance
and reliability, which depends on the bandwidth and latency criteria discussed in “Network Throughput
Restrictions on HA”. As long as you are able to successfully manage these parameters, it is a business decision
(based on business parameters, such as cost, enterprise size, geography, compliance standards, and so on) as
to which of the available deployment models you choose to implement.
Related Topics
Network Throughput Restrictions on HA, on page 291
Using the Campus Model, on page 293
Using the Remote Model, on page 293
Automatic Versus Manual Failover, on page 294
Network Throughput Restrictions on HA

Prime Infrastructure HA performance is always subject to the following limiting factors:
• The net bandwidth available to Prime Infrastructure for handling all operations. These operations include
(but are not restricted to) HA registration, database and file synchronization, and triggering failback.
• The net latency of the network across the links between the primary and secondary servers. Irrespective
of the physical proximity of these two servers, high latency on these links can affect how Prime
Infrastructure maintains sessions between the primary and secondary servers.
• The net throughput that can be delivered by the network that connects the primary and secondary servers.
Net throughput varies with the net bandwidth and latency, and can be considered a function of these two
factors.
These limits apply to at least some degree in every possible deployment model, although some models are
more prone to problems than others. For example: Because of the high level of geographic dispersal, the
Remote deployment model is more likely to have problems with both bandwidth and latency. But both the
Local and Campus models, if not properly configured, are also highly susceptible to problems with throughput,
as they can be saddled by low bandwidth and high latency on networks with high usage.
You will rarely see throughput problems affecting a failback or failover, as the two HA servers are in more
or less constant communication and the database changes are replicated quickly. Most failovers and failbacks
take approximately two to three minutes.

291
Using the Local Model
The main exception to this rule is the delay for a full database copy operation. This kind of operation is
triggered when the primary server has been down for more than the data retention period and you then bring
it back up. The data retention period for the express, express-plus and standard configurations server is six
hours and for professional and Gen 2 appliance server it is12 hours.
Prime Infrastructure will trigger a full database copy operation from the secondary to the primary. No failback
is possible during this period, although the Health Monitor page will display any events encountered while
the database copy is going on. As soon as the copy is complete, the primary server will go to the “Primary
Synching” state, and you can then trigger failback. Be sure not to restart the primary server or disconnect it
from the network while the full database copy is in progress.
Variations in net throughput during a full database copy operation, irrespective of database size or other
factors, can mean the difference between a database copy operation that completes successfully in under an
hour and one that does not complete at all. Cisco has tested the impact of net throughput on HA deployment
in configurations following the Remote model, using typical Prime Infrastructure database sizes of between
105 GB and 156 GB. Based on these tests, Cisco recommends for a typical database of 125 GB (generating
a 10 GB backup file):
• For best results: With sub-millisecond latency, and net throughput of 977 Mbps or more, expect a complete
database copy time of one hour or less.
• For good results: With latency of 70 milliseconds, and net throughput of 255 Mbps or more, expect a
complete database copy time of two hours or less.
• For acceptable results: With latency of 220 milliseconds or less, and net throughput of 86 Mbps or more,
expect a complete database copy time of 4.5 hours or less.
With latencies of 330ms or higher, and throughput of 46Mbps or less, you run the risk of the database copy
not completing successfully.
Related Topics
Using the Local Model

The main advantage of the Local deployment model is that it permits use of a virtual IP address as the single
management address for the system. Users can use this virtual IP to connect to Prime Infrastructure, and
devices can use it as the destination for their SNMP trap and other notifications.
The only restriction on assigning a virtual IP address is to have that IP address in the same subnet as the IP
address assignment for the primary and secondary servers. For example: If the primary and secondary servers
have the following IP address assignments within the given subnet, the virtual IP address for both servers can
be assigned as follows:
• Subnet mask: 255.255.255.224 (/27)
• Primary server IP address: 10.10.101.2
• Secondary server IP address: 10.10.101.3
• Virtual IP address: 10.10.101.[4-30] e.g., 10.10.101.4. Note that the virtual IP address can be any of a
range of addresses that are valid and unused for the given subnet mask.
In addition to this main advantage, the Local model also has the following advantages:
• Usually provides the highest bandwidth and lowest latency.
• Simplified administration.
• Device configuration for forwarding syslogs and SNMP notifications is much easier.

292
Using the Campus Model
The Local model has the following disadvantages:

• Being co-located in the same data center exposes them to site-wide failures, including power outages
and natural disasters.
• Increased exposure to catastrophic site impacts will complicate business continuity planning and may
increase disaster-recovery insurance costs.
Related Topics
Using the Campus Model

The Campus model assumes that the deploying organization is located at one or more geographical sites within
a city, state or province, so that it has more than one location forming a “campus”. This model has the following
advantages:
• Usually provides bandwidth and latency comparable to the Local model, and better than the Remote
model.
• Is simpler to administer than the Remote model.
The Campus model has the following disadvantages:
• More complicated to administer than the Local model.
• Does not permit use of a virtual IP address as the single management address for the system, so it requires
more device configuration (see “What If I Cannot Use Virtual IP Addressing?” in Related Topics).
• May provide lower bandwidth and higher latency than the Local model. This can affect HA reliability
and may require administrative intervention to remedy (see “Network Throughput Restrictions on HA”
in Related Topics).
• While not located at the same site, it will still be exposed to city, state, or province-wide disasters. This
may complicate business continuity planning and increase disaster-recovery costs.
Related Topics
Using the Remote Model

The Remote model assumes that the deploying organization has more than one site or campus, and that these
locations communicate across geographical boundaries by WAN links. It has the following advantages:
• Least likely to be affected by natural disasters. This is usually the least complex and costly model with
respect to business continuity and disaster recovery.
• May reduce business insurance costs.
The Remote model has the following disadvantages:
• More complicated to administer than the Local or Campus models.

293
What If I Cannot Use Virtual IP Addressing?
• Does not permit use of a virtual IP address as the single management address for the system, so it requires
more device configuration (see “What If I Cannot Use Virtual IP Addressing?” in Related Topics).
• Usually provides lower bandwidth and higher latency than the other two models. This can affect HA
reliability and may require administrative intervention to remedy (see “Network Throughput Restrictions
on HA” in Related Topics).
Related Topics
What If I Cannot Use Virtual IP Addressing?

Depending on the deployment model you choose, not configuring a virtual IP address may result in the
administrator having to perform additional steps in order to ensure that syslogs and SNMP notifications are
forwarded to the secondary server in case of a failover. The usual method is to configure the devices to forward
all syslogs and traps to both servers, usually via forwarding them to a given subnet or range of IP addresses
that includes both the primary and secondary server.
This configuration work should be done at the same time HA is being set up: that is, after the secondary server
is installed but before HA registration on the primary server. It must be completed before a failover so that
the chance of losing data is eliminated or reduced. Not using a virtual IP address entails no change to the
secondary server install procedure. The primary and secondary servers still need to be provisioned with their
individual IP addresses, as normal.
This workaround is not available to you if you want to use HA with Operations Center. Enabling virtual IP
addressing is a firm requirement in this case (see “Enable HA for Operations Center”).
Related Topics
Automatic Versus Manual Failover

Configuring HA for automatic failover reduces the need for network administrators to manage HA. It also
reduces the time taken to respond to the conditions that provoked the failover, since it brings up the secondary
server automatically.
However, we recommend that the system be configured for Manual failover under most conditions. Following
this recommendation ensures that Prime Infrastructure does not go into a state where it keeps failing over to
the secondary server due to intermittent network outages. This scenario is most likely when deploying HA
using the Remote model. This model is often especially susceptible to extreme variations in bandwidth and
latency (see “Planning HA Deployments” and “Network Throughput Restrictions on HA” in Related Topics)

294
Enable HA for Operations Center
If the failover type is set to Automatic and the network connection goes down or the network link between
the primary and secondary servers becomes unreachable, there is also a small possibility that both the primary
and secondary servers will become active at the same time. We refer to this as the “split brain scenario”.
To prevent this, the primary server always checks to see if the secondary server is Active. As soon as the
network connection or link is restored and the primary is able to reach the secondary again, the primary server
checks the secondary server's state. If the secondary state is Active, then the primary server goes down on its
own. Users can then trigger a normal, manual failback to the primary server.
Note that this scenario only occurs when the primary HA server is configured for Automatic failover.
Configuring the primary server for Manual failover eliminates the possibility of this scenario. This is another
reason why we recommend Manual failover configuration.
Automatic failover is especially ill-advised for larger enterprises. If a particular HA deployment chooses to
go with Automatic failover anyway, an administrator may be forced to choose between the data that was
newly added to the primary or to the secondary. This means, essentially, that there is a possibility of data loss
whenever a split-brain scenario occurs. For help dealing with this issue, see “How to Recover From Split-Brain
Scenario” in Related Topics.
To ensure that HA is managed correctly, Cisco recommends that Prime Infrastructure administrators always
confirm the overall health of the HA deployment before initiating failover or failback, including:
• The current state of the primary.
• The current state of the secondary.
• The current state of connectivity between the two servers.
Related Topics
How to Trigger Failback, on page 313
How to Recover From Split-Brain Scenario, on page 323

Operations Center is compatible with Prime Infrastructure’s High Availability (HA) framework. You can
easily enable HA for Operations Center by setting up primary and secondary Operations Center servers, much
as you do when implementing HA for normal Prime Infrastructure server instances that you manage using
Operations Center.
No additional Operations Center license is required on the secondary server. HA for Operations Center supports
both manual and automatic failover. In the event of a failover, when the secondary Operations Center server
becomes active, all managed instances from the primary Operations Center server are automatically carried
over to the secondary server. You can enable HA on your primary Operations Center server whether the
primary is new or already running Operations Center.
Enabling HA for Operations Center is optional. However, if you choose to enable HA for Operations Center,
you may also enable virtual IP addressing while HA registration on Operations Center. Use of virtual IP
addressing also requires that the primary and secondary servers be on the same subnet.
To set up HA for Operations Center using virtual IP, follow this workflow:
1. Determine the virtual IP address you will use for both servers. For details, see “Using Virtual IP Addressing
With HA” and “Before You Begin Setting Up High Availability”, in Related Topics.
2. Install Prime Infrastructure on the server you plan to use as your primary Operations Center HA server.

295
If you already have a Prime Infrastructure server with Operations Center enabled, and wish to use it as
your primary Operations Center server with HA: Remove Single Sign On (SSO) servers from the Operations
Center instance and all the Prime Infrastructure instances managed by that Operations Center server. You
can easily do this by selecting Administration > Users > Users, Roles & AAA > SSO Servers and then
using the Delete SSO Server(s) command.
3. Install the secondary server and configure it for use with HA. For details, see “How to Install the HA
Secondary Server ” in Related Topics.
4. Register the secondary server on the primary, specifying that you want to Enable virtual IP and supplying
the virtual IP address you selected. Logout from the Server and login back with the virtual IP. For details,
see “How to Register HA on the Primary Server” in Related Topics.
5. If this is a new primary HA server: Apply the Operations Center license file to the primary server to
transform it into an Operations Center instance. For details, see “Activate Your Operations Center License”.
6. Setup the virtual IP address as the SSO server on the primary server, specifying the virtual IP address as
the IP address for the SSO server.For details, see “Enable SSO for Operations Center” in Related Topics.
Note By default TOFU is enabled in the primary server and if no CA certificate is deployed in primary or secondary,
then after failover, delete the Virtual IP TOFU from the PI instances and secondary server. After failback
repeat the same from primary server. To remove TOFU for Virtual IP from SSO (primary) client server:
ncs certvalidation tofu-certs deletecert host <virtual ip>
Note Post the upgrade of Prime Infrastructure Operations center to 3.7, if you have a self-signed certificate then
before adding the Prime Infrastructure instance to Operations center, you must remove the VIP from TOFU
check.
7. Repeat the virtual IP SSO server setup on all instances of Prime Infrastructure that will be managed by
the primary Operations Center server. Make sure you have deleted any old SSO configuration and launch
PI server with its own IP.
8. Log out of all Prime Infrastructure instances and log back into the Operations Center instance, using the
virtual IP address as the Operations Center server IP.
9. If this is a new primary HA server: Add Prime Infrastructure instances to the Operations Center server,
as explained in “Add Cisco Prime Infrastructure Instances to Operations Center” in the Related Topics.
For more information, see "Activate Your Operations Center License" in Related Topics.
Note It is recommended to use either the host-name or the IP address uniformly for both managed servers and SSO
configuration. Including both IP address and host-name may cause unexpected behaviour in SSO when cross
launching from OPC to managed PI's.
To set up HA for Operations Center without using virtual IP, follow this workflow:
1. Install Prime Infrastructure on the server you plan to use as your primary Operations Center HA server.
If you already have a Prime Infrastructure server with Operations Center enabled, and wish to use it as
your primary Operations Center server with HA: Remove Single Sign On (SSO) servers from the Operations
Center instance and all the Prime Infrastructure instances managed by that Operations Center server. You

296
Set Up High Availability
can easily do this by selecting Administration > Users > Users, Roles & AAA > SSO Servers and then
using the Delete SSO Server(s) command.
2. Install the secondary server and configure it for use with HA. For details, see “How to Install the HA
Secondary Server ” in Related Topics.
3. Register the secondary server on the primary.
4. If this is a new primary HA server: Apply the Operations Center license file to the primary server to
transform it into an Operations Center instance. For details, see “Activate Your Operations Center License”.
5. Repeat the primary Server IP address setup on all instances of Prime Infrastructure that will be managed
by the primary Operations Center server.
6. Log out of all Prime Infrastructure instances and log back into the Operations Center instance, using the
Primary IP address as the Operations Center server IP.
7. If this is a new primary HA server: Add Prime Infrastructure instances to the Operations Center server,
as explained in “Add Cisco Prime Infrastructure Instances to Operations Center” in the Related Topics.
For more information, see "Activate Your Operations Center License" in Related Topics.
Related Topics
Before You Begin Setting Up High Availability, on page 298
How to Install the HA Secondary Server, on page 299
Activate Your Operations Center License, on page 4
Add Cisco Prime Infrastructure Instances to Operations Center, on page 6
Set Up High Availability

To use the HA capabilities in Prime Infrastructure, you must:
1. Ensure you have the information and settings you need to enable HA. For details, see “ Before You Begin
Setting Up High Availability ” in Related Topics.
2. Install a second Prime Infrastructure server, and configure it to act as your secondary HA server. For
details, see “ How to Install the HA Secondary Server ”.
3. Configure High Availability mode on the primary server, specifying the installed secondary server as the
HA fallback server. For details, see “ How to Register HA on the Primary Server ”.
Related Topics
What Happens During HA Registration, on page 304
Monitor High Availability, on page 312
Access the Health Monitor Web Page, on page 312
High Availability Reference Information, on page 324

297
Before You Begin Setting Up High Availability
Before You Begin Setting Up High Availability

Before you begin, you will need:
• The Prime Infrastructure installation software. You will use this software to create the secondary HA
server. The version of this software must match the version of Prime Infrastructure installed on your
primary server. You can use the CLI show versioncommand to verify the current version of the primary
server software.
• If you have applied patches to your primary server, you must also patch the secondary server to the same
level. Choose Administration > Licenses and Software Updates > Software Update to see a list of
the patches applied to the primary server. Then, after setting up High Availability, follow the procedure
in “How to Patch Paired High Availability Servers” to patch the secondary server to the same level as
the primary server.
• A secondary server with hardware and software specifications that match or exceed the requirements for
your primary server. For example: If your primary server was installed as a Prime Infrastructure Standard
size OVA, your secondary server must also be installed as a Standard server, and must meet or exceed
all requirements given for Standard size servers in the Cisco Prime Infastructure Quick Start Guide.
• The IP address or host name of the secondary server. You will need these when configuring HA on the
primary server.
• If you plan to use virtual IP addressing: The virtual IPv4 and IPv6 IP address you want to use as the
virtual IP for both HA servers. This is required only if you plan to use the virtual IP feature (see “Using
Virtual IP Addressing with HA” in Related Topics). Note that virtual IP addressing requires that both
HA servers are on the same subnet. You must use virtual IP addressing if you plan to use HA with
Operations Center (see “Enable HA for Operations Center” in Related Topics)
• An authentication key of any length. It must contain at least three of the following types of characters:
lowercase letters, uppercase letters, digits and special characters. You will enter this authentication key
when you install the secondary server. The HA implementation uses this key to authenticate
communications between the primary and secondary servers. Administrators also use the key to configure
HA in the primary server, and to log on to the secondary server's Health Monitor page to monitor the
HA implementation and troubleshoot problems with it.
• A Prime Infrastructure user ID with Administrator privileges on the primary server.
• A valid email address to which HA state-change notifications can be set. Prime Infrastructure will send
email notifications for the following changes: HA registration, failure, failover, and failback.
• For acceptable results: Latency of 220 milliseconds or less, and net throughput of 86 Mbps or more, over
the link between the primary and secondary servers. Failure to provide at least this link quality will
interfere with data replication and may lead to HA failures. For advice on the range of acceptable
performance requirements, see “Network Throughput Restrictions on HA”.
• If there is a firewall configured between the primary and the secondary servers, ensure that the firewall
permits incoming and outgoing TCP/UDP on the following ports:
• 8082: Used by the Health Monitor porcess to exchange hearbeat messages.
• 1522: Used by Oracle to synchronize data.
• 8085: Used by the Health Monitor process to check network bandwidth speed between Primary and
Secondary servers when the user executes readiness test under High Availability.
• If you plan on using Operations Center with an HA implementation of Prime Infrastructure: Ensure that
all of your HA-enabled Prime Infrastructure servers (both primary and secondary) have fully resolved
host names.
For more information, see Cisco Prime Infastructure Quick Start Guide

298
How to Install the HA Secondary Server
Related Topics
Set Up High Availability, on page 297
How to Install the HA Secondary Server

If your primary server has been patched, be sure to apply the same patches to your secondary server after
installation and before registering HA on the primary server.
Make sure you have already decided on an authentication key, as explained in “Before You Begin Setting Up
High Availability” in Related Topics.
Step 1 Begin installing the Prime Infrastructure server software on your secondary server just as you would for a primary server.
For instructions on installing the server, see the Cisco Prime Infrastructure Quick Start Guide.
Step 2 During the installation, you will be prompted as follows:
Will this server be used as a secondary for HA? (yes/no)
Enter yes at the prompt.
Step 3 You will then be prompted for the HA authentication key, as follows:
Enter Authentication Key:
Enter the authentication key at the prompt. Enter it again at the confirmation prompt.
Step 4 When the secondary server is installed:

a) Use the CLI show version command on both servers, to verify that they are at the same version and patch level (see
“Check Prime Infrastructure Version and Patch Status”).
b) Run the ncs status command to verify that all processes are up and running on the secondary server (see “Check
Prime Infrastructure Server Status”).
c) Register HA on the primary server (see “How to Register HA on the Primary Server”).
Related Topics
Check Prime Infrastructure Version and Patch Status, on page 127
How to Register HA on the Primary Server

To enable HA, you must register HA on the primary server. The primary server needs no configuration during
installation in order to participate in the HA configuration. The primary needs to have only the following
information:
• The IP address or host name of the secondary HA server you have already installed and configured (see
“How to Install the HA Secondary Server” in Related Topics)

299
How to Register HA on the Primary Server
• The authentication key you set during installation of the secondary server.
• One or more email addresses, to which notifications will be sent.
• The Failover Type (see “Automatic Versus Manual Failover”).
If you plan to use virtual IP addressing (see “Using Virtual IP Addressing With HA”), you will also need to:
• Select the Enable Virtual IP checkbox.
• Specify the IPv4 virtual IP address to be shared by the primary and secondary HA servers. You may also
specify an IPv6 virtual IP address, although this is not required.
The following steps explain how to register HA on the primary server. You follow these same steps when
re-registering HA.
Step 1 Log in to Prime Infrastructure with a user ID and password that has administrator privileges.
Step 2 From the menu, select Administration > Settings > High Availability. Prime Infrastructure displays the HA status page.
Step 3 Select HA Configuration and then complete the fields as follows:
a. Secondary Server: Enter the IP address or the host name of the secondary server.
Note We always recommend to use DNS server for resolving the host name to IP address. If you are using the
"/etc/hosts" file instead of DNS server, you should enter the secondary IP address instead of host name.
b. Authentication Key: Enter the authentication key password you set during the secondary server installation.
c. Email Address: Enter the address (or comma-separated list of addresses) to which notification about HA state changes
should be mailed. If you have already configured email notifications using the Mail Server Configuration page (see
“Configure Email Server Settings”), the email addresses you enter here will be appended to the list of addresses
already configured for the mail server.
d. Failover Type: Select either Manual or Automatic. We recommend that you select Manual.
Step 4 If you are using the virtual IP feature: Select the Enable Virtual IP checkbox, then complete the additional fields as
follows:
a. IPV4 Virtual IP: Enter the virtual IPv4 address you want both HA servers to use.
b. IPV6 Virtual IP: (Optional) Enter the IPv6 address you want both HA servers to use.
Note that virtual IP addressing will not work unless both servers are on the same subnet. You should not use IPV6 address
block fe80, it is been reserved for link-local unicast addressing.
Step 5 Click Check Readiness to ensure if the HA related environmental parameters are ready for the configuration.
For more details, see "Check Readiness for HA Registration/Configuration".
Step 6 Click Register to view the Milestone progress bar, to check the 100% completion of Pre-HA Registration, Database
Replication and Post HA Registration as shown below. Prime Infrastructure initiates the HA registration process. When

300
Check Readiness for HA Registration/Configuration
registration completes successfully, Configuration Mode will display the value Primary Active.
For more information, see Configure Email Server Settings , on page 391.
Related Topics
Check Readiness for HA Registration/Configuration, on page 301

During the HA registration, other environmental parameters related to HA like system specification, network
configuration and bandwidth between the servers determine the HA configuration.
An approximate of 15 checks are run in the system to ensure the HA configuration completion without any
error or failure. The checklist name and the corresponding status with recommendations if any, will be displayed
when you run the Check Readiness feature.
To check readiness for HA configuration, follow these steps:
Step 1 Log in to Prime Infrastructure with a user ID and password that has administrator privileges.
Step 2 From the menu, select Administration > Settings > High Availability. Prime Infrastructure displays the HA status page.
Step 3 Select HA Configuration.

301
Step 4 Provide the secondary server IP address in the Secondary Server field and secondary Authentication Key Authentication
Key field .
Step 5 Click Check Readiness.
A pop up window with the system specifications and other parameters will be displayed. The screen will show the
Checklist Item name, Status, Impact and Recommendation details.
Below, is the list of checklist test name and the description displayed for Check Readiness:
Table 16: Checklist name and description
Checklist Test Name Test Description
SYSTEM - Check CPU Count This validates the CPU count in primary and secondary
server.
The CPU count in primary server can be less than or equal
to the secondary server.
DATABASE - LISTENER STATUS This checks if the database listeners are up and running in
both primary and secondary server.
If there is a failure, the test will restart and report the status.
This checks if all the wcs instances exist under oracle
"listener.ora" file. This is executed in both primary and
secondary server.
DATABASE - CHECK MEMORY TARGET This checks for "/dev/shm" database memory target size
for HA setup.
DATABASE - CHECK LISTENER CONFIG This checks for all the database instances exist under
CORRUPTION database listener configuration.
This is executed in both primary and secondary server.
SYSTEM - HEALTH MONITOR STATUS This checks whether the health monitor process is running
in both primary and secondary server.
SYSTEM - CHECK DISK IOPS This validates the disk IOPS in both primary and secondary
server.
The minimum expected disk IOPS is 200 MBps.
NETWORK - CHECK FIREWALL FOR DATABASE This checks if the database port 1522 is open in the system
PORT ACCESSIBILITY firewall.
If the port is disabled, the test will grant permission for 1522
in the iptables list.
NETWORK - CHECK NETWORK INTERFACE This checks if the eth0 interface speed matches the
BANDWIDTH recommended speed of 100 Mbps in both primary and
secondary sever.
This test will not measure network bandwidth by
transmitting data between primary and secondary server.

302
Check High Availability Status
NETWORK - CHECK NETWORK BANDWIDTH SPEED This checks if the network bandwidth speed matches the
recommended speed of 100 Mbps in both primary and
secondary sever.
This test will measure network bandwidth by transmitting
data between primary and secondary server.
DATABASE - CHECK ONLINE STATUS This checks if the database files status is online and
accessible in both primary and secondary server.
DATABASE - CHECK TNS CONFIG CORRUPTION This validates if the tnsping is successful in both primary
and secondary server.
DATABASE - TNS REACHABILITY STATUS This checks if all the wcs instances exist under oracle
"listener.ora" file.
This is executable in both primary and secondary server.
DATABASE - VALIDATE STANDBY DATABASE This validates if the standby database instance (stbywcs) is
INSTANCE available in both primary and secondary server.
SYSTEM - CHECK RAM SIZE This checks if the disk size of primary server less than or
equal to secondary server.
SYSTEM - CHECK SERVER PING REACHABILITY This ensures that the primary server can run ping check
with the remote (secondary) server.
Step 6 Once the check is completed for all the parameters, check their status and click Clear to close the window.
Note The validation failback and failover events during Check Readiness will be sent to the Alarms and Events page;
whereas, the registration failure event will not be present in the Alarms and Evens page.
Check High Availability Status

You can check on the status of the High Availability enabled on a Prime Infrastructure server.
Step 2 Enter the following command to display the current status of Prime Infrastructure HA processes:
PIServer/admin# ncs ha status
Related Topics

303
What Happens During HA Registration
What Happens During HA Registration

Once you finish entering configuration information and click the Save button on the HA Configuration page,
the primary and secondary HA servers will register with each other and begin copying all database and
configuration data from the primary to the secondary server.
The time required to complete the copying is a function of the amount of database and configuration data
being replicated and the available bandwidth on the network link between the two servers. The bigger the
data and the slower the link, the longer the replication will take. For a relatively fresh server (in operation for
a few days), with 100 devices and a 1 GB-per-second link, copying will take approximately 25 minutes.
During HA registration, the primary and secondary server state will go through the following state transitions:
Primary HA State Transitions... Secondary HA State Transitions...
From: HA Not Configured From: HA Not Configured
To: HA Initializing To: HA Initializing
To: Primary Active To: Secondary Syncing
You can view these state changes on the HA Status page for the primary server, or the Health Monitor web
pages for either of the two servers. If you are using the HA Status page, click Refresh to view progress. Once
the data is fully synchronized, the HA Status page will be updated to show the current state as “Primary
Active”, as shown in the following figure.
After registration is initiated, Prime Infrastructure initiates synchronization between the primary and the
secondary HA servers. The synchronization should not have any impact on user activity, although users may
observe slow system response until the synchronization is complete. The length of the synchronization is a
function of the total database size and, is handled at the Oracle database level by the Oracle RMAN and Data
Guard Broker processes. There is no impact on the execution of user- or system-related activity during the
sync.
During registration, Prime Infrastructure performs a full database replication to the secondary server. All
processes on the secondary server will be running, but the server itself will be in passive mode. If you execute
the Prime Infrastructure CLI command ncs status on the secondary server while the secondary server is in
the “Secondary Syncing” state, the command output will show all processes as running.
Related Topics

304
How to Patch HA Servers
How to Patch HA Servers

You can download and install UBF patches for your HA servers in one of the following ways, depending on
your circumstances:
• Install the patch on HA servers that are not currently paired. Cisco recommends this method if you have
not already set up HA for Prime Infrastructure.
• Install the patch on existing paired HA servers
For details on each method, see the Related Topics.
Related Topics
How to Patch New HA Servers, on page 305
How to Patch Paired HA Servers, on page 307
How to Patch New HA Servers

If you are setting up a new Prime Infrastructure High Availability (HA) implementation and your new servers
are not at the same patch level, follow the steps below to install patches on both servers and bring them to the
same patch level.
Step 1 Download the patch and install it on the primary server:

a) Point your browser to the software patches listing for Cisco Prime Infrastructure (see Related Topics) .
b) Click the Download button for the patch file you need to install (the file name ends with a UBF file extension), and
save the file locally.
c) Log in to the primary server using an ID with administrator privileges and choose Administration > Licenses and
Software Updates > Software Update.
d) Click the Upload link at the top of the page .
e) Use one of the following options to upload the UBF file.
the Files tab.

f) When the upload is complete: On the Software Upload page, verify that the Name, Published Date and Description
of the patch file are correct.
g) Select the patch file and click Install.

305
How to Patch New HA Servers
h) Click Yes in the warning pop-up. When the installation is complete, the server will restart automatically. The restart
typically takes 15 to 20 minutes.
i) After the installation is complete on the primary server, verify that the Status of Updates table on the Software Update
page shows “Installed” for the patch.
Step 2 Install the same patch on the secondary server:
a) Access the secondary server’s Health Monitor (HM) web page by pointing your browser to the following URL:
https://ServerIP:8082
where ServerIP is the IP address or host name of the secondary server.
Note You will be prompted for the username and authentication key. Enter the username as 'root' and authkey
and click Login.
Note Verify that the secondary server state displayed on the HM web page is in the Secondary Syncing state.
b) You will be prompted for the username and authentication key. Enter the username as 'root' and authkey and click
Login.
c) Click the HM web page’s Software Update link. You will be prompted for the authentication key a second time.
Enter it and click Login again.
d) Click the Upload link at the top of the page.
the Files tab.

f) When the upload is complete: On the Software Upload page, confirm that the Name, Published Date and Description
i) After the installation is complete on the secondary server, verify that the Status of Updates table on the Software
Update page shows “Installed” for the patch.
Step 3 Verify that the patch status is the same on both servers, as follows:
a) Log in to the primary server and access its Software Update page as you did in step 1, above. The “Status” column
should show “Installed” for the installed patch.
b) Access the secondary server’s Health Monitor page as you did in step 2, above. The “Status” column should show
“Installed” for the installed patch
Step 4 Register the servers.

306
How to Patch Paired HA Servers
For more information, see "Software patches listing for Cisco Prime Infrastructure", "Restart Prime Infrastructure Using
CLI" and "Check Prime Infrastructure Server Status".
Related Topics
How to Patch HA Servers, on page 305
How to Patch Paired HA Servers

If your current Prime Infrastructure implementation has High Availability servers that are not at the same
patch level, or you have a new patch you must install on both your HA servers, follow the steps below.
Patching paired HA servers is not supported. You will receive a popup error message indicating that you
cannot perform an update on Prime Infrastructure servers while HA is configured. So, you must first disconnect
the primary and secondary servers before attempting to apply the patch.
1. Follow the steps in “Remove HA Via the GUI” (see Related Topics) to disconnect the primary and
secondary servers.
2. Follow the steps in “How to Patch New HA Servers” to apply the patch.
3. Follow the steps in “Set Up High Availability” to restore your HA configuration.
Related Topics
How to Patch Paired HA Servers Set for Manual Failover

You must start the patch install with the primary server in “Primary Active” state and the secondary server
in “Secondary Syncing” state.
Patching of primary and secondary HA servers set for manual failover takes approximately 30 minutes, and
does not require failover or failback. Patching of the primary and secondary HA servers takes approximately
30 minutes. Downtime during the primary patch installation restart takes 15 to 20 minutes.
In some cases, you may receive a popup error message indicating that you cannot perform an update on Prime
Infrastructure servers while HA is configured. If so, you must first disconnect the primary and secondary
servers before attempting to apply the patch. In this case, you cannot use the steps in this procedure. Instead,
be sure to:
secondary servers.
2. Follow the steps in “How to Patch New HA Servers” to apply the patch.

307
Note You will be prompted for the username and authentication key Entered when HA was enabled. provie the
username as 'root' and authentication key and click Login.
3. Follow the steps in “Set Up High Availability” to restore your HA configuration.
Step 1 Ensure that your HA implementation is enabled and ready for update:
a) Log in to the primary server using an ID with Administrator privileges.
b) Select Administration > Settings > High Availability, The primary server state displayed on the HA Status page
should be “Primary Active”.
c) Select HA Configuration. The current Configuration Mode should show “HA Enabled”. We recommend that you
set the Failover Type to “manual” during the patch installation.
d) Access the secondary server’s Health Monitor (HM) web page by pointing your browser to the following URL:
e) Verify that the secondary server state displayed on the HM web page is in the “Secondary Syncing” state.
Step 2 You will be prompted for the user name and authentication key entered when HA was enabled. Enter username as 'root'
with authentication key and click Login.
Step 3 Download the UBF patch and install it on the primary server:
d) Click the Upload link at the top of the page .
the Files tab.

• Click Select , select the UBF file form the Select file from local disk pop-up and click Select. After the

308
i) After the server restart is complete on the primary server, select Administration > Settings > High Availability,
The primary server state displayed on the HA Status page should be “Primary Active”.
j) Verify that the Status of Updates table on the Software Update page shows “Installed” for the patch.
Step 4 Install the same patch on the secondary server once patching is complete on the primary server:
a) Access the secondary server’s HM web page and login if needed.
b) Click the HM web page’s Software Update link. You will be prompted for the authentication key a second time.
c) Click the Upload link at the top of the page.
d) Use one of the following options to upload the UBF file.
the Files tab.

• Click Select , select the UBF file form the Select file from local disk pop-up and click Select. After the
e) When the upload is complete: On the Software Upload page, confirm that the Name, Published Date and Description
f) Select the patch file and click Install.
g) Click Yes in the warning pop-up. When the installation is complete, the server will restart automatically. The restart
h) After the server restart is complete on the secondary server, log in to the secondary HM page (https://serverIP:8082)
and verify that the secondary server state displayed on the HM web page is “Secondary Syncing”.
i) Verify that the Status of Updates table on the Software Update page shows “Installed” for the patch.
Step 5 Once the server restart is complete, verify the patch installation as follows:
on the Status of Updates > Update tab should show “Installed” for the patch.
b) Access the secondary server’s Software Update page as you did in step 3, above. The “Status” column on the Status
of Updates > Updates tab should show “Installed” for the patch.
For more information, see
• Software patches listing for Cisco Prime Infrastructure.
• Start Prime Infrastructure, on page 126
• Stop Prime Infrastructure, on page 127
• Check Prime Infrastructure Server Status, on page 126
Related Topics

309
How to Patch Paired HA Servers Set for Automatic Failover

How to Patch Paired HA Servers Set for Automatic Failover, on page 310

You must start the patch install with the primary server in “Primary Active” state and the secondary server
in “Secondary Syncing” state.
Patching of primary and secondary HA servers set for automatic failover takes approximately one hour, and
requires both failover and failback. Downtime during the failover and failback lasts 10 to 15 minutes.
In some cases, you may receive a popup error message indicating that you cannot perform an update on Prime
Infrastructure servers while HA is configured. If so, you must first disconnect the primary and secondary
servers before attempting to apply the patch. In this case, you cannot use the steps in this procedure. Instead,
be sure to:
secondary servers.
2. Follow the steps in “How to Patch New HA Servers” (see Related Topics)to apply the patch.
3. Follow the steps in “Set Up High Availability” (see Related Topics) to restore your HA configuration.
Step 1 Ensure that your HA implementation is enabled and ready for update:
a) Log in to the primary server using an ID with Administrator privileges.
b) Select Administration > Settings > High Availability, The primary server state displayed on the HA Status page
should be “Primary Active”.
c) Select HA Configuration. The current Configuration Mode should show “HA Enabled”.
d) Access the secondary server’s Health Monitor (HM) web page by pointing your browser to the following URL:
e) You will be prompted for the user name and authentication key entered when HA was enabled. Enter username as
'root' with authentication key and click Login.
f) Verify that the secondary server state displayed on the HM web page is in the “Secondary Syncing” state.
Step 2 Download the UBF patch and install it on the primary server:
d) Click the upload link at the top of the page and browse to the location where you saved the patch file.
e) Select the UBF file and then click OK to upload the file.

310

h) Click Yes in the warning pop-up. Failover will be triggered and the primary server will restart automatically. Failover
will take 2 to 4 minutes to complete. After the failover is complete, the secondary server will be in “Secondary Active”
state.
i) After the primary server is restarted, run the ncs status command (see “Check Prime Infrastructure Server Status”)
to verify that the primary’s processes have re-started. Before continuing: Access the primary server’s HM web page
and verify that the primary server state displayed is “Primary Synching”.
Step 3 Failback to the primary using the secondary server’s HM web page:
b) Click Failback to initiate a failback from the secondary to the primary server. It will take 2 to 3 minutes for the
operation to complete. As soon as failback completes, the secondary server will be automatically restarted in the
standby mode. It will take a maximum of 15 minutes for the restart to complete, and it will be synched with the
primary server.
You can verify the restart by logging into the secondary server’s HM web page and looking for the message “Prime
Infrastructure stopped successfully” followed by “Prime Infrastructure started successfully.”
After failback is complete, the primary server state will change to “Primary Active”
c) Before continuing: Run the ncs ha status command on both the primary and secondary servers. Verify that the
primary server state changes to “Primary Active” and the secondary server state is “Secondary Synching”.
Step 4 Once failback completes, verify the patch installation by logging in to the primary server and accessing its Software
Update page (as you did in step 2, above). The “Status” column on the Status of Updates > Update tab should show
“Installed” for the patch.
Step 5 Install the same patch on the secondary server once patching is complete on the primary server:
b) Click the HM web page’s Software Update link. You will be prompted for the authentication key a second time.
c) Click Upload Update File and browse to the location where you saved the patch file.
d) Select the UBF file and then click OK to upload the file.
e) When the upload is complete: On the Software Upload page, confirm that the Name, Published Date and Description
f) Select the patch file and click Install.
g) Click Yes in the warning pop-up. The server will restart automatically. The restart typically takes 15 to 20 minutes.
h) After the installation is complete on the secondary server, verify that the Status of Updates table on the Software
Update page shows “Installed” for the patch.
i) After the server restart is complete on the secondary server, log in to the secondary HM page and verify that the
secondary server state displayed on the HM web page is “Secondary Syncing”.
Step 6 Once server restart is complete, verify the patch installation as follows:
on the Status of Updates > Update tab should show “Installed” for the patch.
b) Access the secondary server’s Software Update page as you did in step 5, above. The “Status” column on the Status
of Updates > Updates tab should show “Installed” for the patch.
For more information, see Software patches listing for Cisco Prime Infrastructure, Stop Prime Infrastructure, Start
Prime Infrastructure and Check Prime Infrastructure Server Status.

311
Monitor High Availability
Related Topics
How to Patch Paired HA Servers Set for Manual Failover, on page 307
Monitor High Availability

Once you have configured HA and registered it on the primary server, most of your interactions with HA will
involve accessing the server Health Monitor web page and responding to email notifications by triggering a
failover or failback. These processes, as well as special situations requiring more complicated responses, are
covered in the following related topics.
Related Topics
How to Trigger Failover, on page 313
Force Failover, on page 314
Respond to Other HA Events, on page 314
Access the Health Monitor Web Page

You can access the Health Monitor web page for the primary or secondary server at any time by pointing your
browser to the following URL:
https://Server:8082
where Server is the IP address or host name of the primary or secondary server whose Health Monitor web
page you want to see.
Note You will be prompted for the username and authentication key .Enter the username as 'root' and authentication
key and click Login.
You can also access the Health Monitor web page for the currently active server by logging in to Prime
Infrastructure, selecting Administration > Settings > High Availability, and then clicking the Launch
Health Monitor link at the top right of the HA Status page.
Related Topics

312
How to Trigger Failover
How to Trigger Failover

Failover is the process of activating the secondary server in response to a detected failure on the primary.
Health Monitor (HM) detects failure conditions using the heartbeat messages that the two servers exchange.
If the primary server is not responsive to three consecutive heartbeat messages from the secondary, it is
considered to have failed. During the health check, HM also checks the application process status and database
health; if there is no proper response to these checks, these are also treated as having failed.
The HA system takes approximately 10 to 15 seconds to detect a process failure on the primary server and
initiate a failover. If the secondary server is unable to reach the primary server due to a network issue, it might
take more time to initiate a failover. In addition, it may take additional time for the application processes on
the secondary server to be fully operational.
As soon as HM detects the failure, it sends an email notification. The email includes the failure status along
with a link to the secondary server's Health Monitor web page.
If HA is currently configured for automatic failover, the secondary server will activate automatically and there
is no action you need to perform.
If HA is currently configured for manual failover, you must trigger the failover as mentioned in the below
procedure.
Failover should be considered temporary. The failed primary Prime Infrastructure instance should be restored
to normal as soon as possible, and failback should be re-initiated.
Step 1 Access the secondary server's Health Monitor web page using the web link given in the email notification, or using the
steps in “Accessing the Health Monitor Web Page”.
Step 2 Trigger the failover by clicking the Failover button.
Related Topics
How to Trigger Failback

Failback is the process of re-activating the primary server once it is back online. It also transfers Active status
from the secondary server to the primary, and stops active network monitoring processes on the secondary.
During failback, the secondary server is available except during the period when processes are re-started on
the secondary. Both servers’ Health Monitor web pages are accessible for monitoring the progress of the
failback. Additionally, users can also connect to the secondary server to access all normal functionality, except
for these caveats:
• Do not initiate configuration or provisioning activity while the failback is in progress.
• Be aware that, after a successful failback, the secondary server will go into passive (“Secondary Syncing”)
mode and control will switch over to the primary server. During this process, Prime Infrastructure will
be inaccessible to the users for a few moments.

313
Force Failover
You must always trigger failback manually, as follows:
Step 1 Access the secondary server's Health Monitor web page using the link given in the email notification, or using the steps
in “Accessing the Health Monitor Web Page”.
Step 2 Trigger the failback by clicking the Failback button.
The secondary server is automatically restarted in the standby mode after the failback and is automatically synced with
the primary server. The primary server will now be the available Prime Infrastructure server.
Related Topics
Force Failover
A forced failover is the process of making the secondary server active while the primary server is still up.
You will want to use this option when, for example, you want to test that your HA setup is fully functional.
Forced failover is available to you only when the primary is active, the secondary is in the “Secondary syncing”
state, and all processes are running on both servers. Forced failover is disabled when the primary server is
down. In this case, only the normal Failover is enabled.
Once the forced failover completes, the secondary server will be active and the primary will restart in standby
automatically. You can return to an active primary server and standby secondary server by triggering a normal
failback.
Step 1 Access the secondary server's Health Monitor web page using the steps in “Accessing the Health Monitor Web Page”.
Step 2 Trigger the forced failover by clicking the Force Failover button. The forced failover will complete in 2 to 3 minutes.
Related Topics
Respond to Other HA Events

All the HA related events are displayed on the HA Status page, the Health Monitor web pages, and under the
Prime Infrastructure Alarms and Events page. Most events require no response from you other than triggering
failover and failback. A few events are more complex, as explained in the related topics.

314
HA Registration Fails
Related Topics
HA Registration Fails, on page 315
Network is Down (Automatic Failover), on page 315
Network is Down (Manual Failover), on page 316
Process Restart Fails (Manual Failover), on page 319
Primary Server Restarts During Sync (Manual Failover), on page 320
Secondary Server Restarts During Sync, on page 320
Both HA Servers Are Down, on page 320
Both HA Servers Are Down and the Secondary Will Not Restart, on page 322
Replace Primary MSEs, on page 348
How to Recover From Split-Brain Scenario, on page 323
HA Registration Fails
If HA registration fails, you will see the following HA state-change transitions for each server (instead of
those detailed in “What Happens During HA Registration”:
From: HA Initializing From: HA Initializing
To: HA Not Configured To: HA Not Configured
To recover from failed HA registration, follow the steps below.
Step 1 Use ping and other tools to check the network connection between the two Prime Infrastructure servers. Confirm that the
secondary server is reachable from the primary, and vice versa.
Step 2 Check that the gateway, subnet mask, virtual IP address (if configured), server hostname, DNS, NTP settings are all
correct.
Step 3 Check that the configured DNS and NTP servers are reachable from the primary and secondary servers, and that both
are responding without latency or other network-specific issues.
Step 4 Check that all Prime Infrastructure licenses are correctly configured.
Step 5 Once you have remedied any connectivity or setting issues, try the steps in “How to Register High Availability on the
Primary Server” again in related topics.
Related Topics
Network is Down (Automatic Failover)

If there is a loss of network connectivity between the two Prime Infrastructure servers, you will see the
following HA state-change transitions for each server, assuming that the Failover Type is set to “Automatic”:

315
Network is Down (Manual Failover)
From: Primary Active From: Secondary Syncing
To: Primary Lost Secondary To: Secondary Lost Primary
To: Primary Lost Secondary To: Secondary Failover
To: Primary Lost Secondary To: Secondary Active
You will get an email notification that the secondary is active.
Step 1 Check on and restore network connectivity between the two servers. Once network connectivity is restored and the primary
server can detect that the secondary is active, all services on the primary will be restarted and made passive automatically.
You will see the following state changes:
From: Primary Lost Secondary From: Secondary Active
To: Primary Failover To: Secondary Active
To: Primary Syncing To: Secondary Active
Step 2 Trigger a failback from the secondary to the primary. You will then see the following state transitions:
From: Primary Syncing From: Secondary Active
To: Primary Failback To: Secondary Failback
To: Primary Failback To: Secondary Post Failback
Related Topics

If there is a loss of network connectivity between the two Prime Infrastructure servers, you will see the
following HA state-change transitions for each server, assuming that the Failover Type is set to “Manual”:

316
You will get email notifications that each server has lost the other.
Step 1 Check on and, if needed, restore the network connectivity between the two servers.
You will see the following state changes once network connectivity is restored.:
From: Primary Lost Secondary From: Secondary Lost Primary
No administrator response is required.
Step 2 If network connection cannot be restored for any reason, use the HM web page for the secondary server to trigger a
failover from the primary to the secondary server. You will see the following state changes:
From: Primary Lost Secondary From: Secondary Lost Primary
To: Primary Lost Secondary To: Secondary Failover
You will get an email notification that the secondary server is now active.
Step 3 Check and restore network connectivity between the two servers. Once network connectivity is restored and the primary
server detects that the secondary server is active, all services on the primary server will be restarted and made passive.
You will see the following state changes:
From: Primary Lost Secondary From: Secondary Active
Step 4 Trigger a failback from the secondary to the primary.

You will then see the following state transitions:

317
Process Restart Fails (Automatic Failover)
Related Topics
Process Restart Fails (Automatic Failover)

The Prime Infrastructure Health Monitor process is responsible for attempting to restart any Prime Infrastructure
server processes that have failed. Generally speaking, the current state of the primary and secondary servers
should be “Primary Active” and “Secondary Syncing” at the time any such failures occur.
If HM cannot restart a critical process on the primary server, then the primary server is considered to have
failed. If your currently configured Failover Type is “automatic”, you will see the following state transitions:
To: Primary Uncertain To: Secondary Lost Primary
To: Primary Failover To: Secondary Failover
When this process is complete, you will get an email notification that the secondary server is now active.
Step 1 Restart the primary server and ensure that it is running. Once the primary is restarted, it will be in the state “Primary
Syncing”. You will see the following state transitions:
From: Primary Failover From: Secondary Active
To: Primary Preparing for Failback To: Secondary Active
Related Topics

318
Process Restart Fails (Manual Failover)
Process Restart Fails (Manual Failover)

The Prime Infrastructure Health Monitor process is responsible for attempting to restart any Prime Infrastructure
server processes that have failed. Generally speaking, the current state of the primary and secondary servers
should be “Primary Active” and “Secondary Syncing” at the time any such failures occur. If HM cannot restart
a critical process on the primary server, then the primary server is considered to have failed. You will receive
an email notification of this failure. If your currently configured Failover Type is “Manual”, you will see the
following state transitions:
To: Primary Uncertain To: Secondary Lost Primary
Step 1 Trigger on the secondary server a failover from the primary to the secondary. You will then see the following state
transitions:
From: Primary Uncertain From: Secondary Syncing
To: Primary Failover To: Secondary Failover
Step 2 Restart the primary server and ensure that it is running. Once the primary server is restarted, the primary’s HA state will
be “Primary Syncing”. You will see the following state transitions:
From: Primary Failover From: Secondary Active
To: Primary Preparing for Failback To: Secondary Active
Related Topics

319
Primary Server Restarts During Sync (Manual Failover)

Primary Server Restarts During Sync (Manual Failover)

If the primary Prime Infrastructure server is restarted while the secondary server is syncing, you will see the
following state transitions:
To: Primary Alone To: Secondary Lost Primary
The “Primary Alone” and “Primary Active” states occur immediately after the primary comes back online.
No administrator response should be required.
Related Topics
Secondary Server Restarts During Sync

If the secondary Prime Infrastructure server is restarted while syncing with the primary server, you will see
the following state transitions:
To: Primary Lost Secondary From: Secondary Lost Primary
No administrator response should be required.

Related Topics
Both HA Servers Are Down

If both the primary and secondary servers are down at the same time, you can recover by bringing them back
up in the correct order, as explained in the steps below.
Step 1 Restart the secondary server and the instance of Prime Infrastructure running on it. If for some reason you cannot restart
the secondary server, see “Both HA Servers Are Down and Secondary Will Not Restart” in Related Topics.
Step 2 When Prime Infrastructure is running on the secondary, access the secondary server’s Health Monitor web page. You
will see the secondary server transition to the state “Secondary Lost Primary”.

320
Both HA Servers Are Powered Down
Step 3 Restart the primary server and the instance of Prime Infrastructure running on it. When Prime Infrastructure is running
on the primary, the primary will automatically sync with the secondary. To verify this, access the primary server’s Health
Monitor web page. You will see the two servers transition through the following series of HA states:
Related Topics
Both HA Servers Are Powered Down

If both the primary and secondary servers are powered down at the same time, you can recover by bringing
them back up in the correct order, as explained in the steps below.
Step 1 Power on the secondary server and the instance of Prime Infrastructure running on it.
The secondary HA restart will fail at this stage because the primary is not reachable. However, the secondary Health
Monitor process will be running with an error.
Step 2 When Prime Infrastructure is running on the secondary, access the secondary server’s Health Monitor web page. You
will see the secondary server transition to the state “Secondary Lost Primary”.
Step 3 Power on the primary server and the instance of Prime Infrastructure running on it.
Step 4 When Prime Infrastructure is running on the primary, the primary will automatically sync with the secondary. To verify
this, access the primary server’s Health Monitor web page. You will see the two servers transition through the following
series of HA states:
Step 5 Restart the secondary server and the instance of Prime Infrastructure running on it. This is required because not all
processes will be running on the secondary at this point.
If for some reason you cannot restart the secondary server, see “Both HA Servers Are Down and Secondary Will Not
Restart” in Related Topics.
Step 6 When Prime Infrastructure finishes restarting on the secondary server, all processes should be running. Verify this by
running the ncs status command (see “Check Prime Infrastructure Server Status” in Related Topics).
Related Topics

321
Both HA Servers Are Down and the Secondary Will Not Restart

Both HA Servers Are Down and the Secondary Will Not Restart
If both HA servers are down at the same time and the secondary will not restart, you will need to remove the
HA configuration from the primary server in order to use it as a standalone until you can replace or restore
the secondary server.
The following steps assume that you have already tried and failed to restart the secondary server.
Step 1 Attempt to restart the primary instance of Prime Infrastructure. If the primary is able to restart at all, the restart will abort
with an error message indicating that you must remove the HA configuration.
Step 2 Open a CLI session with the primary Prime Infrastructure server (see How to Connect Via CLI, on page 125).
Step 3 Enter the following command to remove the HA configuration on the primary server:
PIServer/admin# ncs ha remove
Step 4 You will be prompted to confirm that you want to remove the HA configuration. Answer Y to the prompt.
You should now be able to restart the primary instance of Prime Infrastructure without the error message and use it as a
standalone.
When you are able to restore or replace the secondary server, proceed as explained in “How to Register High Availability
on the Primary Server” in Related Topics.
Related Topics
Remove HA Via the CLI, on page 329
How to Replace the Primary Server

Under normal circumstances, the state of your primary and secondary servers will be “Primary Active” and
“Secondary Syncing”, respectively. If the primary server fails for any reason, a failover to the secondary will
take place, either automatically or manually.
You may find that restoring full HA access requires you to reinstall the primary server using new hardware.
If this happens, you can follow the steps below to bring up the new primary server without data loss.
Step 1 Ensure that the secondary server is currently in “Secondary Active” state. If you have set the Failover Type on the primary
server to “manual”, you will need to trigger the failover to the secondary manually.
Step 2 Ensure that the old primary server you are replacing has been disconnected from the network.
Step 3 Ensure that the new primary server is ready for use. This will include connecting it to the network and assigning it the
same server IP, subnet mask, gateway as the old primary server. You will also need to enter the same authentication key
that you entered when installing the secondary server.

322
How to Recover From Split-Brain Scenario
Step 4 Ensure that both the primary and secondary servers are at the same patch level and if you want to replace the primary
server, then you must :
a) Ensure the primary and secondary server are in TOFU Mode.
b) Login to Secondary server admin CLI.
c) Execute the following command in the secondary server CLI:
d) PIServer/admin# ncs certvalidation tofu-certs deletecert host <primaryserver's-hostname>
This is required to re-establish the communication between the Primary and Secondary servers.
Step 5 Trigger a failback from the secondary to the newly installed primary. During failback to the new primary HA server, a
full database copy will be performed, so this operation will take time to complete depending on the available bandwidth
and network latency (see “Network Throughput Restrictions on HA” in Related Topics). You will see the two servers
transition through the following series of HA states:
From: HA not configured From: Secondary Active
Related Topics
How to Recover From Split-Brain Scenario

As explained in “Automatic Versus Manual Failover” (see Related Topics), the possibility of data loss always
exists on the rare occasions when a “split-brain scenario” occurs. In this case, you can choose to save the
newly added data on the secondary and forget the data that was added on the primary, as explained in the
following steps.
Step 1 Once the network is up, and the secondary server is up, the primary will restart itself automatically, using its standby
database. The HA status of the primary server will be, first, “Primary Failover” transitioning to “Primary Synching”. You
can verify this by logging on to the primary server’s Health Monitor web page.
Step 2 Once the primary server’s status is “Primary Syncing, confirm that a user can log into the secondary server’s Prime
Infrastructure page using the web browser (for example, https://x.x.x.x:443). Do not proceed until you have verified this.
Step 3 Once access to the secondary is verified, initiate a failback from the secondary server's Health Monitor web page (see
How to Trigger Failback, on page 313 ). You can continue to perform monitoring activities on the secondary server until
the switchover to the primary is completed.

323
How to Resolve Database Synchronization Issues
For more information, see Restart Prime Infrastructure Using CLI, on page 127.
Related Topics
How to Resolve Database Synchronization Issues

To resolve the database synchronization issue, when the primary server is in "Primary Active" state and the
secondary server is in "Secondary Syncing" state, do the following:
Step 1 Remove HA, see Remove HA Via the CLI, on page 329 and Remove HA Via the GUI, on page 328.
Step 2 After both the primary and secondary servers reaches "HA not configured" state, perform the HA registration. See Set
Up High Availability, on page 297
High Availability Reference Information

The following sections supply reference information on HA.
Related Topics
HA Configuration Mode Reference, on page 324
HA State Reference, on page 325
HA State Transition Reference, on page 326
High Availability CLI Command Reference, on page 328
Reset the HA Authentication Key, on page 328
Remove HA During Restore, on page 329
Remove HA During Upgrade, on page 330
Using HA Error Logging, on page 330
Reset the HA Server IP Address or Host Name, on page 331
HA Configuration Mode Reference

The following table lists all possible HA configuration modes.
Table 17: High Availability Modes
Mode Description
HA not configured HA is not configured on this Prime Infrastructure server
HA initializing The HA registration process between the primary and secondary server has started.

324
HA State Reference
Mode Description
HA enabled HA is enabled between the primary and secondary server.
HA alone Primary server is now running alone. HA is enabled, but the primary server is out of sync with the secondary,
or the secondary is down or otherwise unreachable.
Related Topics
HA State Reference
The following table lists all possible HA states, including those that require no response from you.
Table 18: High Availability States
State Server Description
Stand Alone Both HA is not configured on this Prime Infrastructure server
Primary Alone Primary Primary restarted after it lost secondary. Only Health Monitor is running in this state.
HA Initializing Both HA Registration process between the primary and secondary server has started.
Primary Active Primary Primary server is now active and is synchronizing with secondary server.
Primary Database Copy Failed Primary Primary servers being restarted will always check to see if a data gap has occurred due
to the primary being down for 24 hours or more. If it detects such a gap, it will
automatically trigger a data copy from the active secondary server. In rare cases, this
database copy can fail, in which case this transition state is set on the primary. All
attempts to failback to the primary are blocked until the database copy completes
successfully. As soon as it does, the primary state is set to “Primary Syncing”.
Primary Failover Primary Primary server detected a failure.
Primary Failback Primary Failback triggered by the User is currently in progress.
Primary Lost Secondary Primary Primary server is unable to communicate with the secondary server.
Primary Preparing for Failback Primary This state will be set on primary server startup after a failover to the secondary. This
state signifies that the primary server has started up in standby mode (because the
secondary server is still active) and is ready for failback. Once the primary server is
ready for failback, its state will be set to “Primary Syncing”.
Primary Syncing Primary Primary server is synchronizing the database and configuration files from the active
secondary. Primary gets into this state when primary processes are brought up after
failover to secondary and secondary is playing the active role.
Primary Uncertain Primary Primary server's application processes are not able to connect to its database.
Secondary Alone Secondary Primary server is not reachable from secondary after primary server restart.
Secondary Syncing Secondary Secondary server is synchronizing the database and configuration files from the primary.

325
HA State Transition Reference
State Server Description
Secondary Active Secondary Failover from the primary server to the secondary server has completed successfully.
Secondary Lost Primary Secondary Secondary server is not able to connect to the primary server (occurs when the primary
fails or network connectivity is lost).
In case of automatic failover from this state, the secondary will automatically move to
Active state. In case of a manual failover, the user can trigger a failover to make the
secondary active.
Secondary Failover Secondary Failover triggered and in progress.
Secondary Failback Secondary Failback triggered and in progress (database and file replication is in progress).
Secondary Post Failback Secondary This state occurs after failback is triggered, replication of database and configuration
files from the secondary to the primary is complete, and Health Monitor has initiated
changes of the secondary server's status to Secondary Syncing and the primary server's
status to Primary Active. These status changes and associated process starts and stops
are in progress.
Secondary Uncertain Secondary Secondary server's application processes are not able to connect to secondary server's
database.
Related Topics

The following figure details all possible state transitions for the primary server.

326
The following figure details all possible state transitions for the secondary server.
Related Topics

327
High Availability CLI Command Reference
High Availability CLI Command Reference

The following table lists the CLI commands available for HA management. Log in as admin to run these
commands on the primary server (see How to Connect Via CLI, on page 125):
Table 19: High Availability Commands
Command Description
ncs ha ? Get help with high availability CLI commands
ncs ha authkey authkey Update the authentication key for high availability
ncs ha remove Remove the High Availability configuration
ncs ha status Get the current status for High Availability
Related Topics
Reset the HA Authentication Key

Prime Infrastructure administrators can change the HA authentication key using the ncs ha authkey command.
You will need to ensure that the new authorization key meets the password standards.
Step 1 Connect to the primary server via CLI. Do not enter “configure terminal” mode.
Step 2 Enter the following at the command line:
admin# ncs ha authkey MyNewAuthKey
Where MyNewAuthKey is the new authorization key. For more information, see How to Connect Via CLI, on page 125.
Related Topics
Remove HA Via the GUI

The simplest method for removing an existing HA implementation is via the GUI, as shown in the following
steps. You can also remove the HA setup via the command line.
Note that, to use this method, you must ensure that the primary Prime Infrastructure server is currently in the
“Primary Active” state. If for any reason the secondary server is currently active, perform a failback and then
try to remove the HA configuration after the failback is complete and the secondary’s automatic restart has
finished.
Step 1 Log in to the primary Prime Infrastructure server with a user ID that has administrator privileges.
Step 2 Select Administration > Settings > High Availability > HA Configuration.

328
Remove HA Via the CLI
Step 3 Select Remove. Removing the HA configuration takes from 3 to 4 minutes.

Once the removal is complete, ensure that the HA configuration mode displayed on the page now reads “HA Not
Configured”.
Related Topics
Remove HA Via the CLI

If for any reason you cannot access the Prime Infrastructure GUI on the primary server, administrators can
remove the HA setup via the command line, using the steps below.
Note that, to use this method, you must ensure that the primary Prime Infrastructure server is currently in the
“Primary Active” state. If for any reason the secondary server is currently active, perform a failback and then
try to remove the HA configuration after the failback is complete and the secondary’s automatic restart has
finished.
Step 1 Connect to the primary server via CLI. Do not enter “configure terminal” mode.
Step 2 Enter the following at the command line:
admin# ncs ha remove. For more information, see How to Connect Via CLI, on page 125.
Related Topics
Remove HA During Restore

Prime Infrastructure does not back up configuration settings related to High Availability.
In order to restore a Prime Infrastructure implementation that is using HA, be sure to restore the backed up
data to the primary server only. The restored primary will automatically replicate its data to the secondary
server. Running a restore on the secondary server is not needed and will generate an error message if you
attempt it.
To restore a Prime Infrastructure implementation that uses HA, follow the steps below.
Step 1 Use the GUI to remove the HA settings from the primary server (see “Remove HA Via the GUI” in Related Topics).
Step 2 Restore the primary server as needed.
Step 3 Once the restore is complete, perform the HA registration process again.

329
Remove HA During Upgrade
For more information, see Restore Prime Infrastructure Data, on page 59 and How to Connect Via CLI, on page 125.
Related Topics
Remove HA During Upgrade

To upgrade a Prime Infrastructure implementation that uses HA, follow the steps below.
Step 1 Use the GUI to remove the HA settings from the primary server (see “Remove HA Via the GUI” in Related Topics,
below).
Step 2 Upgrade the primary server as needed.
Step 3 Re-install the secondary server using the current image.
Note that upgrading the secondary server from the previous version or a beta version is not supported. The secondary
server must always be a fresh installation.
Step 4 Once the upgrade is complete, perform the HA registration process again.
Note After upgrade, health montior page will display the below health monitor event message:
Primary Authentication Key was changed by Admin
For more information, see How to Connect Via CLI, on page 125.
Related Topics
Using HA Error Logging

Error logging for the High Availability feature is disabled by default, to save disk space and maximize
performance. If you are having trouble with HA, the best place to begin is by enabling error logging and to
examine the log files.
Step 1 View the Health Monitor page for the server having trouble.
Step 2 In the Logging area, in the Message Level dropdown, select the error-logging level you want.
Step 3 Click Save.
Step 4 When you want to download the log files: In the Logs area, click Download. You can open the downloaded log files
using any ASCII text editor.

330
Reset the HA Server IP Address or Host Name
Related Topics
Reset the HA Server IP Address or Host Name

Avoid changing the IP address or hostname of the primary or secondary HA server, if possible. If you must
change the IP address or hostname, remove the HA configuration from the primary server before making the
change. When finished, re-register HA.
Related Topics
Resolve TOFU Failure at Any State

When the primary and secondary servers communicate, there is a possibility of the below TOFU error
occurrence.
You must correct the following error(s) before proceeding. 'A Trust-on-first-use (TOFU) based Certificate is
configured for this connection. The current certificate on the remote host is different than what was used
earlier.'
To rectify this issue, you must perform the following.
• Clear the existing certificate using the NCS CLI command on both the primary and secondary servers.
ncs certvalidation tofu-certs deletecert host <server-hostname>
Configure MSE High Availability

The Cisco Mobility Services Engine (MSE) is a platform for hosting multiple mobility applications. Under
an MSE high availability (HA) configuration, an active MSE is backed up by another inactive instance of
MSE. The active MSE is called the primary MSE and the inactive MSE is called the secondary MSE.
Related Topics
Overview of the MSE High Availability Architecture, on page 331
Set Up MSE High Availability: Workflow, on page 334
Overview of the MSE High Availability Architecture

The main component of MSE high availability is the health monitor. The health monitor configures, manages,
and monitors the HA setup on each MSE. Heartbeat is maintained between the primary and secondary MSE.
Health monitor is responsible for setting up the database, file replication, and monitoring the application.
When the primary MSE fails and the secondary MSE takes over, the virtual address of the primary MSE is
switched transparently to the secondary MSE. Note that:

331
MSE High Availability Pairing Matrix
• Every active primary MSE is backed up by another inactive instance. The purpose of the secondary MSE
is to monitor the availability and state of the primary MSE. The secondary MSE becomes active only
after the failover procedure is initiated.
• One secondary MSE can support one primary MSE.
The MSEs, Synchronize Services, Synchronization History, High Availability, Context Aware Notifications,
and Mobile Concierge pages on the Services tab are available only in the virtual domain in Release 7.3.
The following related topics provide additional details on the MSE high availability architecture.
Related Topics
MSE High Availability Pairing Matrix, on page 332
Guidelines and Limitations for MSE High Availability, on page 332
Failover Scenario for MSE High Availability, on page 333
Failback Scenario for MSE High Availability, on page 333
Licensing Requirements for MSE High Availability, on page 334
Configure MSE High Availability , on page 331
MSE High Availability Pairing Matrix

The following table lists the types of MSE servers that can be paired in a high-availability configuration.
Table 20: MSE High Availability Server Pairing Matrix
Primary Server Type Secondary Server Type
3355 VA-2 VA-3 VA-4 VA-5
3355 Y N N N N
VA-2 N Y Y Y Y
VA-3 N N Y Y Y
VA-4 N N N Y Y
VA-5 N N N N Y
Related Topics
Guidelines and Limitations for MSE High Availability

Administrators implementing MSE High Availability and planning to manage it via Prime Infrastructure
should observe the following guidelines and limitations:
• Both the health monitor IP and virtual IP should be accessible from Prime Infrastructure.
• The health monitor IP and virtual IP should always be different. The health monitor and virtual interface
can be on the same network interface or different interfaces.
• You can use either manual or automatic failover. Failover should be considered temporary. The failed
MSE should be restored to normal as soon as possible, and failback should be re-initiated. The longer it

332
Failover Scenario for MSE High Availability
takes to restore the failed MSE, the longer you are running with a single MSE without high availability
support.
• You can use either manual or automatic failback.
• Both the primary and secondary MSE should be running the same software version.
• High Availability over WAN is not supported.
• High Availability over LAN is supported only when both the primary and secondary MSEs are in the
same subnet.
• The ports over which the primary and secondary MSEs communicate must be open (not blocked with
network firewalls, application fireways, gateways, and so on). The following input/output ports should
be opened: 80, 443, 8080, 8081, 22, 8001, 1521, 1411, 1522, 1523, 1524, 1525, 9006, 15080, 61617,
59000, 12091, 1621, 1622, 1623, 1624, 1625, 8083, 8084, and 8402.
Related Topics
MSE High Availability Pairing Matrix, on page 332
Failover Scenario for MSE High Availability

When a primary MSE failure is detected, the following events occur:
• The primary MSE is confirmed as non-functioning (hardware fail, network fail, and so on) by the health
monitor on the secondary MSE.
• If automatic failover isn enabled, the secondary MSE starts immediately.
• If manual failover is enabled, an e-mail is sent to the administrator asking if they want to manually start
failover. This e-mail is sent only if the e-mail is configured for MSE alarms.
• The result of the failover operation is indicated as an event in the Health Monitor UI, and a critical alarm
is sent to Prime Infrastructure.
Related Topics
Failback Scenario for MSE High Availability

When the primary MSE is restored to its normal state, if the secondary MSE is already in failover state for
the primary, then failback can be invoked.
Failback can occur only if the secondary MSE is in one of the following states for the primary instance:
• The secondary MSE is actually failing over for the primary MSE.
• Manual failover is configured but the administrator did not invoke it.
• The primary MSE failed but the secondary MSE cannot take over because it has encountered errors.
• Failback can occur only if the administrator starts up the failed primary MSE.
Related Topics
Licensing Requirements for MSE High Availability, on page 334

333
Licensing Requirements for MSE High Availability
Licensing Requirements for MSE High Availability

For high availability, an activation license is required on the primary and secondary virtual appliances. No
other service license is required on the secondary MSE. It is required only on the primary MSE.
Related Topics
Set Up MSE High Availability: Workflow

During the installation of the MSE software (or using the MSE setup script), configure some critical elements.
Pair up the primary and secondary MSE from the Prime Infrastructure UI.
By default, all MSEs are configured as primary. If you do not want high availability support and are upgrading
from an earlier release, you can continue to use the IP address for the MSE. If you want to set up high
availability, then you must configure the health monitor IP address. The health monitor then becomes a virtual
IP address.
Configuring MSE high availability consists of the following steps:
1. Prepare the MSEs for High Availability
2. Configure the Primary MSE
3. Configure the Secondary MSE
You may also need to reconfigure MSE high availability if you must replace the primary MSE server.
For details, see the corresponding Related Topics, below.
Related Topics
Prepare the MSEs for High Availability, on page 334
Configure MSE High Availability on Primary MSEs, on page 335
Configure MSE High Availability on Secondary MSEs, on page 343
Configure MSE High Availability
Prepare the MSEs for High Availability

To prepare your primary and secondary MSEs for high availabililty, follow these steps:
Step 1 Ensure that the network connectivity between the primary and secondary MSEs is functioning and that all the necessary
ports are open.
Step 2 Install the correct version of MSE on the primary MSE.
Step 3 Make sure that the same MSE version is installed on the secondary MSE.
Related Topics

334
Configure MSE High Availability on Primary MSEs

To configure a primary MSE for high availabililty, follow these steps:
Step 1 On the intended primary MSE, enter the following command:

/opt/mse/setup/setup.sh
The setup script displays the following prompts, which you can answer using the suggested responses given in bold
(in this and later steps):
--------------------------------------------------------------
Welcome to the Cisco Mobility Services Engine Appliance Setup.
You may exit the setup at any time by typing <Ctrl+c>.
-----------------------------------------------------------
Would you like to configure MSE using:
1. Menu mode
2. Wizard mode
Choose 1 or 2: 1
--------------------------------------------------
Mobility Services Engine Setup
Please select a configuration option below and enter the requested information. You may exit setup at any time by
typing <Ctrl +C>.
You will be prompted to choose whether you wish to configure a parameter, skip it, or reset it to its initial default value.
Skipping a parameter will leave it unchanged from its current value.
Please note that the following parameters are mandatory and must be configured at lease once.
-> Hostname
-> Network interface eth0
-> Timezone settings
-> Root password
-> NTP settings
-> Prime Infrastructure password
You must select option 24 to verify and apply any changes made during this session.
--------------------------------------------------------------
PRESS <ENTER> TO CONTINUE:
--------------------------------------------------------------
Configure MSE:
1) Hostname * 13) Remote syslog settings
2) Network interface eth0 settings* 14) Host access control settings

335
3) Timezone settings* 15) Audit Rules

4) Root password * 16) Login banner
5) NTP settings * 17) System console restrictions
6) Prime Infrastructure password * 18) SSH root access
7) Display current configuration 19) Single user password check
8) Domain 20) Login and password settings
9) High availability role 21) GRUB password
10) Network interface eth1 settings 22) Root access control
11) DNS settings 23) Auto start MSE on system boot up
12) Future restart time 24) ## Verify and apply changes ##
Please enter your choice [1 - 24]:
--------------------------------------------------------------
Step 2 Configure the primary MSE hostname:

Please enter your choice [1 - 24]: 1
Current Hostname=[mse]
Configure Hostname? (Y)es/(S)kip/(U)se default [Skip]: y
The host name should be a unique name that can identify the device on the network. The hostname should start with a
letter, end with a letter or number, and contain only letters, numbers, and dashes.
Enter a Host name [mse]:mse1
Step 3 Configure the primary MSE domain:

Please enter your choice [1-24]: 8
Current domain=[ ]
Configure domain name? (Y)es/(S)kip/(U)se default [Skip]: S
Step 4 Configure the primary MSE network interface eth0 settings.

Current eth0 interface IP address=[10.0.0.1]
Current eth0 interface netmask=[255.0.0.0]
Current IPv4 gateway address=[172.20.104.123]
Configure eth0 interface parameters? (Y)es/(S)kip/(U)se default [Skip]: y
Enter an IP address for first Ethernet interface of this machine.
Enter eth0 IP address [10.0.0.2]:
Enter the network mask for IP address 172.21.105.126
Enter network mask [255.255.255.224]:
Enter the default gateway address for this machine.

336
Note that the default gateway must be reachable from the first Ethernet interface.
Enter default gateway address [172.20.104.123]:
Step 5 Configure the primary MSE root password:

Root password has not been configured
Configure root password? (Y)es/(S)kip/(U)se default [Skip]: Y
Changing password for user root.
You can now choose the new password.
A valid password should be a mix of upper and lower case letters, digits, and other characters. You can use an 8 character
long password with characters from all of these classes. An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.
Enter new password: password
Step 6 Configure the primary MSE’s high availability role:

Current role=[Primary]
Configure High Availability? (Y)es/(S)kip/(U)se default [Skip]: y
High availability role for this MSE (Primary/Secondary)
Select role [1 for Primary, 2 for Secondary] [1]: 1
Health monitor interface holds physical IP address of this MSE server.
This IP address is used by Secondary, Primary MSE servers and Prime Infrastructure to communicate among themselves
Select Health Monitor Interface [eth0/eth1] [eth0]: eth0
-------------------------------------------------------------------
Direct connect configuration facilitates use of a direct cable connection between the primary and secondary MSE
servers.
This can help reduce latencies in heartbeat response times, data replication and failure detection times.
Please choose a network interface that you wish to use for direct connect. You should appropriately configure the
respective interfaces.
"none" implies you do not wish to use direct connect configuration.
-------------------------------------------------------------------
Select direct connect interface [eth0/eth1/none] [none]:
Enter a Virtual IP address for the Primary MSE server
Enter Virtual IP address [1.1.1.1]: 10.10.10.11
Enter network mask for IP address 10.10.10.1
Enter network mask [1.1.1.1]: 255.255.255.0
Select to start the server in recovery mode.
You should choose yes only if this primary MSE was paired earlier and you have now lost the configuration from this
box.

337
And, now you want to restore the configuration from Secondary via Cisco Prime Infrastructure
Do you wish to start this MSE in HA receovery mode?: (yes/no} [no]:no
Current IP address = [1.1.1.10]
Current eth0 netmask=[255.255.255.0]
Current gateway address=[1.1.1.1]
Configure eth0 interface parameters? (Y)es/(S)kip/(U)se default [Skip]:
Enter an IP address for first Ethernet interface of this machine.
Enter eth0 IP address [1.1.1.10]: 10.10.10.12
Enter network mask [255.255.255.0]: 255.255.255.0
Enter an default gateway address for this machine.
Note that the default gateway must be reachable from the first Ethernet interface. Enter default gateway address
[1.1.1.1]:10.10.10.1
The second Ethernet interface is currently disabled for this machine.
Configure eth1 interface parameters? (Y)es/(S)kip/(U)se default [Yes]: S
Step 7 Configure the primary MSE timezone settings:

Current Timezone=[America/New_York]
Configure Timezone? (Y)es/(S)kip/(U)se default [Skip]: y
Enter the current date and time.
Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) UTC - I want to use Coordinated Universal Time.
#? 2
Please select a country.
1) Anguilla 27) Honduras

338
2) Antigua & Barbuda

5) Bahamas 31) Montserrat
6) Barbados 32) Netherlands Antilles
7) Belize 33) Nicaragua
8) Bolivia 34) Panama
9) Brazil 35) Paraguay
10) Canada 36) Peru
11) Cayman Islands 37) Puerto Rico
12) Chile 38) St Barthelemy
13) Colombia 39) St Kitts & Nevis
14) Costa Rica 40) St Lucia
41) St Martin (French part)
16) Dominica 42) St Pierre & Miquelon
17) Dominican Republic 43) St Vincent
18) Ecuador 44) Suriname
19) El Salvador 45) Trinidad & Tobago
20) French Guiana 46) Turks & Caicos Is
21) Greenland 47) United States
22) Grenada 48) Uruguay
23) Guadeloupe 49) Venezuela
24) Guatemala 50) Virgin Islands (UK)
25) Guyana 51) Virgin Islands (US)
26) Haiti
#? 47
Please select one of the following time zone regions.
1) Eastern Time
2) Eastern Time - Michigan - most locations
3) Eastern Time - Kentucky - Louisville area
4) Eastern Time - Kentucky - Wayne County
5) Eastern Time - Indiana - most locations
6) Eastern Time - Indiana - Daviess, Dubois, Knox & Martin Counties
7) Eastern Time - Indiana - Pulaski County
8) Eastern Time - Indiana - Crawford County
9) Eastern Time - Indiana - Pike County

339
10) Eastern Time - Indiana - Switzerland County

12) Central Time - Indiana - Perry County
13) Central Time - Indiana - Starke County
14) Central Time - Michigan - Dickinson, Gogebic, Iron & Menominee Counties
15) Central Time - North Dakota - Oliver County
16) Central Time - North Dakota - Morton County (except Mandan area)
18) Mountain Time - south Idaho & east Oregon
20) Mountain Standard Time - Arizona
21) Pacific Time
22) Alaska Time
23) Alaska Time - Alaska panhandle
24) Alaska Time - Alaska panhandle neck
25) Alaska Time - west Alaska
26) Aleutian Islands
27) Hawaii
#? 21
The following information has been given:
United States
Pacific Time
Therefore TZ='America/Los_Angeles' will be used.
Local time is now: Sun Apr 6 18:45:27 PDT 2020. Universal Time is now: Mon Apr 7 01:45:27 UTC 2020. Is the
above information OK?
1) Yes
2) No
#? 1
Step 8 Configure the primary MSE DNS settings:

Domain Name Service (DNS) Setup
Enable DNS (yes/no) [no]: y
Default DNS server 1=[8.8.8.8]
Enter primary DNS server IP address:
DNS server address must be in the form #.#.#.#, where # is 0 to 255 or hexadecimal :
separated v6 address
Enter primary DNS server IP address [8.8.8.8]:
Enter backup DNS server IP address (or none) [none]:

340
Step 9 Configure the primary MSE NTP settings:

Network Time Protocol (NTP) Setup.
If you choose to enable NTP, the system time will be configured from NTP servers that you select. Otherwise, you will
be prompted to enter the current date and time.
NTP is currently disabled.
Configure NTP related parameters? (Y)es/(S)kip/(U)se default [Skip]: y
Enter whether or not you would like to set up the
Network Time Protocol (NTP) for this machine.
Enable NTP (yes/no) [no]: y
Default NTP server 1=[time.nist.gov] Enter NTP server name or address:
NTP server address must be in the form #.#.#.3, where # is 0 to 255 hexadecimal :
separated v6 address.
Enter NTP server name or [time.nist.gov]:
Enter another NTP server IP address (or none) [none]:
Configure NTP Authentication? (Y)es/(S)kip/(U)se default [Skip]: y
Enter NTP Auth key Number [1]:
Enter NTP Auth key Value (String) [Secret]: Do you want to continue (yes/no) [no]: y
Step 10 Configure the Prime Infrastructure password:

Cisco Prime Infrastructure communication password has not been configured. Configure Prime Infrastructure password?
(Y)es/(S)kip/(U)se default [Yes]:
Enter a password for the admin user.
The admin user is used by the Prime Infrastructure and other northbound systems to authenticate their SOAP/XML
session with the server. Once this password is updated, it must correspondingly be updated on the NCS page for MSE
General Parameters so that the Prime Infrastructure can communicate with the MSE.
Step 11 Verify and apply your changes:

Please enter your choice: 24
Please verify the following setup information.
-----------------------------BEGIN------------------------------------------- Hostname=mse1
Role= 1, Health Monitor Intercace=eth0, Direct connect interface=none
Virtual IP Address=10.10.10.11, Virtual IP Netmask=255.255.255.0
Eth0 IP address=10.10.10.12, Eth0 network mask=255.0.0.0
Default Gateway=10.10.10.1

341
Time zone=America/Los_Angeles
Enable DNS=yes, DNS servers=8.8.8.8
Enable NTP=yes, NTP servers=time.nist.gov
Root password is changed.
Cisco Prime Infrastructure password is changed.
------------------------------END-----------------------------
You may enter "yes" to proceed with configuration, "no" to make
more changes.
Configuration Changed
Is the above information correct (yes or no): yes
--------------------------------------------------------------
Checking mandatory configuration information...
Root password: Not configured
**WARNING**
The above parameters are mandatory and need to be configured.
-------------------------------------------------------------
Ignore and proceed (yes/no): yes
Setup will now attempt to apply the configuration. Restarting network services with new settings. Shutting down
interface eth0:
The system is minimally configured right now. It is strongly recommended that you run the setup script under
/opt/mse/setup/setup.sh command to configure all appliance related parameters immediately after installation is complete.
PRESS <ENTER> TO EXIT THE INSTALLER:
Step 12 Reboot the system:

[root@mse1]# reboot Stopping MSE Platform
Flushing firewall rules: [OK]
Setting chains to policy ACCEPT: nat filter [OK] Unloading iptables modules: [ok]
Broadcast message from root (pts/0) (Tue Apr29 14:15:27:2014):
The system is going down for reboot NOW:
Step 13 Start the MSE services:

[root@mse1]# /etc/init.d/msed start
Starting MSE Platform.
Starting Health Monitor, Waiting to check the status. Starting Health Monitor, Waiting to check the status. Health
Monitor successfully started
Starting Admin process... Started Admin process. Starting database .....

342
Configure MSE High Availability on Secondary MSEs
Database started successfully. STarting framework and services....... Framework and services successfully started
Step 14 After all services have started, confirm MSE services are working properly by entering the following command:
[root@mse1]# getserverinfo
Related Topics
Configure MSE High Availability on Secondary MSEs, on page 343

To prepare your secondary MSE for high availabililty, follow these steps:
Step 1 On the intended secondary MSE, enter the following command:

/opt/mse/setup/setup.sh
The setup script displays the same prompts as for the primary MSE:
Step 2 Configure the secondary MSE hostname:

Current hostanme=[mse1]
Configure hostname? (Y)es/(S)kip/(U)se default [Yes]: yes
The host name should be a unique name that can identify the device on the network. The hostname should start with a
letter, end with a letter or number, and contain only letters, numbers, and dashes.
Enter a hostname [mse]: mse2
Step 3 Configure the secondary MSE domain:

Please enter your choice [1-24]: 8
Current domain=[ ]
Configure domain name? (Y)es/(S)kip/(U)se default [Skip]: S
Step 4 Configure the secondary MSE high availability role:

Current role=[Primary]
Configure High Availability? (Y)es/(S)kip/(U)se default [Skip]: High availability role for this MSE (Primary/Secondary)
Select role [1 for Primary, 2 for Secondary] [1]: 2
Health monitor interface holds physical IP address of this MSE server.
This IP address is used by Secondary, Primary MSE servers and Prime Infrastructure to communicate among themselves
Select Health Monitor Interface [eth0/eth1] [eth0]: eth0
-------------------------------------------------------------------

343
Direct connect configuration facilitates use of a direct cable connection between the primary and secondary MSE
servers.This can help reduce latencies in heartbeat response times, data replication and failure detection times.Please
choose a network interface that you wish to use for direct connect. You should appropriately configure the respective
interfaces.
"none" implies you do not wish to use direct connect configuration.
-------------------------------------------------------------------
Select direct connect interface [eth0/eth1/none] [none]:
Current IP address=[1.1.1.10]
Current eth0 netmask=[255.255.255.0] Current gateway address=[1.1.1.1]
Configure eth0 interface parameters? (Y)es/(S)kip/(U)se default [Yes]:
Enter an IP address for first Ethernet interface of this machine. Enter eth0 IP address [1.1.1.10]: 10.10.10.13
Enter network mask [255.255.255.0]:
Enter an default gateway address for this machine.
Note that the default gateway must be reachable from the first Ethernet interface. Enter default gateway address
[1.1.1.1]:10.10.10.1
The second Ethernet interface is currently disabled for this machine. Configure eth1 interface parameters? (Y)es/(S)kip/(U)se
default [Yes]: S
Step 5 Configure the secondary MSE timezone settings:

Current Timezone=[America/New_York]
Configure Timezone? (Y)es/(S)kip/(U)se default [Skip]: y
Enter the current date and time.
Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) UTC - I want to use Coordinated Universal Time.
#? 2

344
Please select a country.

1) Anguilla 27) Honduras
2) Antigua & Barbuda
5) Bahamas 31) Montserrat
6) Barbados 32) Netherlands Antilles
7) Belize 33) Nicaragua
8) Bolivia 34) Panama
9) Brazil 35) Paraguay
10) Canada 36) Peru
11) Cayman Islands 37) Puerto Rico
12) Chile 38) St Barthelemy
13) Colombia 39) St Kitts & Nevis
14) Costa Rica 40) St Lucia
41) St Martin (French part)
16) Dominica 42) St Pierre & Miquelon
17) Dominican Republic 43) St Vincent
18) Ecuador 44) Suriname
19) El Salvador 45) Trinidad & Tobago
20) French Guiana 46) Turks & Caicos Is
21) Greenland 47) United States
22) Grenada 48) Uruguay
23) Guadeloupe 49) Venezuela
24) Guatemala 50) Virgin Islands (UK)
25) Guyana 51) Virgin Islands (US)
26) Haiti
#? 47
Please select one of the following time zone regions.
1) Eastern Time
2) Eastern Time - Michigan - most locations
3) Eastern Time - Kentucky - Louisville area
4) Eastern Time - Kentucky - Wayne County
5) Eastern Time - Indiana - most locations
6) Eastern Time - Indiana - Daviess, Dubois, Knox & Martin Counties
7) Eastern Time - Indiana - Pulaski County

345
8) Eastern Time - Indiana - Crawford County

9) Eastern Time - Indiana - Pike County
10) Eastern Time - Indiana - Switzerland County
11) Central Time
12) Central Time - Indiana - Perry County
13) Central Time - Indiana - Starke County
14) Central Time - Michigan - Dickinson, Gogebic, Iron & Menominee Counties
15) Central Time - North Dakota - Oliver County
16) Central Time - North Dakota - Morton County (except Mandan area)
17) Mountain Time
18) Mountain Time - south Idaho & east Oregon
19) Mountain Time - Navajo
20) Mountain Standard Time - Arizona
21) Pacific Time
22) Alaska Time
23) Alaska Time - Alaska panhandle
24) Alaska Time - Alaska panhandle neck
25) Alaska Time - west Alaska
26) Aleutian Islands
27) Hawaii
#? 21
The following information has been given: United States
Pacific Time
Therefore TZ='America/Los_Angeles' will be used.
Local time is now: Sun Apr 6 18:45:27 PDT 2014. Universal Time is now: Mon Apr 7 01:45:27 UTC 2014. Is the above
information OK?
1) Yes
2) No
#? 1
Step 6 Configure the secondary MSE NTP settings:

Network Time Protocol (NTP) Setup.
NTP is currently disabled.

346
Configure NTP related parameters? (Y)es/(S)kip/(U)se default [Skip]: y

Enter whether or not you would like to set up the Network Time Protocol (NTP) for this machine.
Enable NTP (yes/no) [no]: y
Default NTP server 1=[time.nist.gov] Enter NTP server name or address:
NTP server address must be in the form #.#.#.3, where # is 0 to 255 hexadecimal :
separated v6 address.
Enter NTP server name or [time.nist.gov]:
Enter another NTP server IP address (or none) [none]:
Configure NTP Authentication? (Y)es/(S)kip/(U)se default [Skip]: y
Enter NTP Auth key Number [1]:
Enter NTP Auth key Value (String) [Secret]: Do you want to continue (yes/no) [no]: y
Step 7 Verify and apply your changes:

Please enter your choice: 24
Please verify the following setup information.
-----------------------------BEGIN------------------------------------------- Hostname=mse2
Role= 2, Health Monitor Intercace=eth0, Direct connect interface=none
Eth0 IP address=10.10.10.13, Eth0 network mask=255.255.255.0
Default Gateway=10.10.10.1
Enable NTP=yes, NTP servers=time.nist.gov
------------------------------END-----------------------------
You may enter "yes" to proceed with configuration, "no" to make more changes.
Configuration Changed
Is the above information correct (yes or no): yes
--------------------------------------------------------------
Checking mandatory configuration information...
Root password: Not configured
**WARNING**
The above parameters are mandatory and need to be configured.
-------------------------------------------------------------
Ignore and proceed (yes/no): yes
Setup will now attempt to apply the configuration.

347
Replace Primary MSEs
Restarting network services with new settings. Shutting down interface eth0:
The system is minimally configured right now. It is strongly recommended that you run the setup script under
/opt/mse/setup/setup.sh command to configure all appliance related parameters immediately after installation is complete.
PRESS <ENTER> TO EXIT THE INSTALLER:
Step 8 Reboot the system:

[root@mse2 installers]# reboot
Stopping MSE Platform
Flushing firewall rules: [OK]
Setting chains to policy ACCEPT: nat filter [OK] Unloading iptables modules: [ok]
Broadcast message from root (pts/0) (Tue Apr29 14:15:27:2014):
The system is going down for reboot NOW:
Step 9 Start the MSE services:

[root@mse2]# /etc/init.d/msed start
Starting MSE Platform.
Starting Health Monitor, Waiting to check the status. Starting Health Monitor, Waiting to check the status. Health Monitor
successfully started
Starting Admin process... Started Admin process. Starting database .....
Database started successfully. STarting framework and services....... Framework and services successfully started
Related Topics

If for any reason you need to replace a primary MSE, you will want to recover the current pairing information
to a newly configured primary MSE, as explained in the followng steps.
Step 1 Configure the MSE as a primary using the setup script.

Step 2 Set up a pairing between the primary and secondary MSE using Prime Infrastructure.
Step 3 Initiate failover from the primary MSE to the secondary MSE.
Step 4 Configure the replacement MSE as a primary using the setup script. The new primary MSE must have the same version
of the software as the secondary, and the same settings as the old primary MSE.
Step 5 Choose the recovery mode and follow the instructions.
Step 6 Initiate the failback to the new primary using Prime Infrastructure.

348
A new license is required on the this new primary MSE, as the original license will not match the UDI of the primary,
and will not work.
Related Topics

349

350
CHAPTER 12
Configure Wireless Redundancy
• About Wireless Controller Redundancy, on page 351
• Prerequisites and Limitations for Redundancy, on page 351
• Configure Redundancy Interfaces, on page 352
• Configure Redundancy on Primary Controllers, on page 352
• Configure Redundancy on Secondary Controllers, on page 353
• Monitor Redundancy States, on page 354
• Configure Peer Service Port IPs and Subnet Mask, on page 354
• Add Peer Network Routes, on page 355
• Reset and Upload Files from the Secondary Server, on page 355
• Disable Redundancy on Controllers, on page 356
About Wireless Controller Redundancy

In a redundancy architecture, one wireless controller is in the Active state and a second controller is in the
Standby state. The Standby controller continuously monitors the health of the Active controller via a redundant
port. Both controllers share the same configurations, including the IP address of the management interface.
The Standby or Active state of a controller is based on the redundancy Stock Keeping Unit (SKU), which is
a manufacturing ordered unique device identification (UDI). A controller with redundancy SKU UDI is in
the Standby state for the first time when it boots and pairs with a controller that runs a permanent count license.
For controllers that have permanent count licenses, you can manually configure whether the controller is in
the Active state or the Standby state.
In this release, a stateful switchover of access points (AP SSO) is supported. An AP SSO ensures that the AP
sessions are intact even after a switchover.
Stateful switchover of clients is not supported. This means that nearly all clients are deauthenticated and forced
to re-associate with the new controller in the Active state. The only exceptions to this rule are clients on locally
switched WLANs on access points in FlexConnect mode.
Prerequisites and Limitations for Redundancy

Before configuring wireless controller redundancy, you must consider the following prerequisites and
limitations:
• Wireless controller redundancy is supported only on the 3500, 5500, 7500, 8500, and Wism2 controllers.

351
Configure Redundancy Interfaces
• The primary and secondary controllers must be of the same hardware model.
• The primary and secondary controllers must be running the same Controller software release.
• The IP addresses of the management, redundancy management, and peer redundancy management
interfaces must be in the same subnet.
• The service port IP address and route information is maintained for each device.
• If the redundancy is enabled on a controller, the Prime Infrastructure or any other device cannot manage
the standby controller.
• You cannot enable the redundancy on a controller if the controller is added to the Prime Infrastructure
through the service port. You must delete the controller and add it through the management interface to
enable the redundancy on that controller.
• When there is an audit mismatch between a controller and the Prime Infrastructure, you must not restore
the redundancy parameters from the Prime Infrastructure on to the controller. However, you can refresh
the redundancy parameters in the Prime Infrastructure.
• Before you enable the redundancy, you must download the certificates for each device.
• Configuration is downloaded from the network to the active controller, and then the details are transferred
to the standby controller through the redundancy interface.
• When an old active controller pairs up with the new active controller, the control is not transferred back
to the old active controller and it becomes the standby controller for the new active controller.
Configure Redundancy Interfaces

There are two redundancy interfaces: redundancy-management interface and redundancy-port interface. The
redundancy-management interface is a local physical management interface that shares the subnet mask,
gateway, and VLAN ID from the management interface. You must configure only the IP address for the
redundancy-management interface to enable redundancy on the primary and secondary controllers. The IP
address for the redundancy-port interface is auto-generated and it is used internally.
Step 1 Choose Configuration > Network > Network Devices.

Step 2 In the Device Groups area, expand Device Type, then expand Wireless Controller.
Step 3 Select the group of wireless controllers that match the device you have chosen as the primary controller (for example:
Cisco 5500 Series Wireless LAN Controllers). Members of this device group are displayed on the right.
Step 4 Click on the Device Name of the primary controller.
Step 5 Click the Configuration tab.
Step 6 From the left sidebar menu, choose Redundancy > Global Configuration. The Global Configuration page appears.
Step 7 In the Redundancy-Management IP text box, enter an IP address that belongs to the management interface subnet.
Step 8 Click Save.
Configure Redundancy on Primary Controllers


352
Configure Redundancy on Secondary Controllers
Step 3 Select the group of wireless controllers that match the device for which you have configured the redundancy-management
interface IP address (for example: Cisco 5500 Series Wireless LAN Controllers). Members of this device group are
displayed on the right.
Step 4 Click on the Device Name of the controller for which you have configured the redundancy-management interface IP
address.
Step 7 You must configure the following parameters before you enable the redundancy mode for the primary controller:
a. Redundancy-Management IP—The IP address of the local physical management interface, which you had configured
in the redundancy-management interface details page is displayed. You can also modify the IP address.
b. Peer Redundancy-Management IP—Enter the IP address of the peer redundancy-management interface.
c. Redundant Unit—Choose Primary.
d. Mobility MAC Address—Enter the virtual MAC address for the redundancy pair. Ensure that the mobility MAC
address that you enter is the same for both primary and secondary controllers.
Step 8 Click Save. The Enabled check box for the redundancy mode becomes available.
Step 9 Select the Enabled check box for the redundancy mode to enable the redundancy on the primary controller.
After you enable the redundancy, you cannot modify the Redundancy-Management IP, Peer Redundancy-Management
IP, Redundant Unit, and Mobility MAC Address parameters.
You cannot configure this controller during the redundancy pair-up process.
Step 10 Click Save. The configuration is saved and the system reboots.
Configure Redundancy on Secondary Controllers

Step 3 Select the group of wireless controllers that match the device you have selected to act as the secondary controller (for
example: Cisco 5500 Series Wireless LAN Controllers). Members of this device group are displayed on the right.
Step 4 Click on the Device Name of the secondary controller.
Step 7 You must configure the following parameters before you enable the redundancy mode for the secondary controller:
a. Redundancy-Management IP—Enter the IP address of the local physical management interface. This IP address
must be the same as the IP address of the peer redundancy-management interface of the primary controller.
b. Peer Redundancy-Management IP—Enter the IP address of the peer physical management interface. This IP address
must be the same as the IP address of the local physical management interface of the primary controller.
c. Redundant Unit—Choose Secondary.

353
Monitor Redundancy States
d. Mobility MAC Address—Enter the virtual MAC address of the redundancy pair. Ensure that the mobility MAC
address that you enter is the same for both primary and secondary controllers.
Step 8 Click Save. The Enabled check box for the redundancy mode becomes available for editing.
Step 9 Select the Enabled check box for the redundancy mode to enable the redundancy on the secondary controller.
After you enable the redundancy, you cannot modify the Redundancy-Management IP, Peer Redundancy-Management
IP, Redundant Unit, and Mobility MAC Address parameters.
You cannot configure the primary controller during the redundancy pair-up process.
Monitor Redundancy States

After redundancy mode is enabled on the primary and secondary controllers, the system reboots. The redundancy
state for both the controllers becomes Enabled in the Wireless Controller Members list page. The following
traps are triggered:
• RF_SWITCHOVER_ACTIVITY—This trap is triggered when the standby controller becomes the new
active controller.
• RF_PROGRESSION_NOTIFY—This trap is triggered by the primary or active controller when the peer
state changes from Disabled to StandbyCold, and then to StandbyHot.
• RF_HA_SUP_FAILURE_EVENT—This trap is triggered when the redundancy fails because of a
discrepancy between the active and the standby controllers.
For more information about these traps, see Cisco Prime Infrastructure Alarms and Events.
You can view the redundancy state details, including the local and peer state, unit, IP addresses of the
redundancy management, peer redundancy management, redundancy port, peer redundancy port, and peer
service port of the paired controller.
To view these details, choose Monitor > Managed Elements > Network Devices > Device Type > Wireless
Controller > Controller Group > Controller > Device Details > Redundancy > Redundancy States.
Configure Peer Service Port IPs and Subnet Mask

You can configure a peer service port IP address and a subnet mask only when the state of the peer controller
is in StandbyHot. Ensure that DHCP is disabled on the local service port before you configure the peer service
port IP address.

Step 3 Select the group of wireless controllers that contains the primary or active controller. Members of this device group are
displayed on the right.
Step 4 Click on the Device Name of the primary or active controller.

354
Add Peer Network Routes
Step 6 From the left sidebar menu, choose me Redundancy > Global Configuration. The Global Configuration page appears.
Step 7 Complete the following fields:
a. Peer Service Port IP—Enter the IP address of the peer service port.
b. Peer Service Netmask IP—Enter the IP address of the peer service subnet mask.
Step 8 Click Save.
Add Peer Network Routes

You can add a peer network route on an active controller only when the state of the peer controller is in
StandbyHot. A new network route table is maintained. When the standby controller becomes active, the entries
of the network route table swaps with the entries of the peer network route table.

Step 3 Select the group of wireless controllers that contains the controller for which you have configured the
redundancy-management interface IP address. Members of this device group are displayed on the right.
Step 4 Click the Device Name of the controller for which you have configured the redundancy-management interface IP address.
Step 6 From the left sidebar menu, choose Redundancy > Peer Network Route > .
Step 7 Choose Select a command > Add Peer Network Route > Go. The Peer Network Route Details page appears.
Step 8 Complete the following fields:
a. IP Address—Enter the IP address of the peer network route.
b. P Netmask—Enter the subnet mask of the peer network route.
c. Gateway IP Address—Enter the IP address of the peer network route gateway
Step 9 Click Save. The peer network route is added.
Reset and Upload Files from the Secondary Server

You can reset the secondary server when the secondary server is in the StandbyHot state and the
high-availability pairing process is complete. You can also upload the files from the secondary server to the
primary server.


355
Disable Redundancy on Controllers
Step 3 Select the group of wireless controllers that contains the controller for which you have configured the
redundancy-management interface IP address. Members of this device group are displayed on the right.
Step 4 Click on the Device Name of the controller for which you have configured the redundancy-management interface IP
address.
Step 6 From the left sidebar menu, choose Redundancy > Redundancy Commands.
Step 7 Under Administrative Commands, choose Select a command > Reset Standby > Go to reset the secondary server.
Step 8 Under Upload/Download Commands:
a) Choose the transport protocol you want to use when uploading files from the secondary to the primary server (TFTP
is the default).
b) ChooseSelect a command > Upload File from Standby Controller > Go to upload files from the secondary to the
primary server.
Disable Redundancy on Controllers

When you disable redundancy on the controller, both active and standby controllers reboot. You must refresh
the configuration from the device to remove any audit mismatches in the redundancy parameters. The active
controller becomes a standalone controller and the standby controller reboots with all the ports disabled.

Step 3 Select the group of wireless controllers that contains the controller on which you want to disable redundancy. Members
of this device group are displayed on the right.
Step 4 Click on the Device Name of the controller on which you want to disable redundancy.
Step 6 From the left sidebar menu, choose Redundancy > Global Configuration. The Global Configuration details page
appears.
Step 7 Unselect the Enabled check box for the Redundancy Mode on the selected controller.

356
CHAPTER 13
Manage Traffic Metrics
• How to Manage Traffic Metrics, on page 357
How to Manage Traffic Metrics
Note The mediatrace feature has been deprecated from the latest IOS releases.
Prime Infrastructure supports tracing Real-Time Transport Protocol (RTP) and TCP application traffic paths
across endpoints and sites. Tracing data paths depends on Cisco Medianet and Web Services Management
Agent (WSMA). Both are built-in features of Cisco IOS software and Catalyst switches that help isolate and
troubleshoot problems with RTP and TCP data streams. Prime Infrastructure supports all versions of Cisco
Medianet and WSMA and makes it easy to enable them on any router.
Where Cisco Network Analysis Module (NAM) traffic monitoring data is not available, Prime Infrastructure
supports RTP service path tracing (Mediatrace) using Cisco Medianet Performance Monitor and Cisco IOS
NetFlow. When properly configured, Mediatrace can be your most valuable tool when troubleshooting RTP
and TCP application problems.
Related Topics
Prerequisites for Traffic Metrics With Mediatrace, on page 357
Configure Mediatrace on Routers and Switches, on page 359
Configure WSMA and HTTP(S) Features on Routers and Switches, on page 359
Prerequisites for Traffic Metrics With Mediatrace

Before you can use Prime Infrastructure Mediatrace feature, you must complete the prerequisite setup tasks
shown under Related Topics, below. These prerequisite tasks are required to enable Cisco routers (ISRs, ISR
G2s, ASRs) and NAM devices to act as data (metrics collection) sources to monitor network traffic (RTP and
TCP) performance metrics.
Related Topics
Configure Cisco Prime Infrastructure to Use NAM Devices as Data Sources, on page 358
Configure Cisco Prime Infrastructure to Use Routers and Switches as Data Sources, on page 358

357
Configure Cisco Prime Infrastructure to Use NAM Devices as Data Sources
Configure Cisco Prime Infrastructure to Use NAM Devices as Data Sources

If your network uses Cisco NAMs to monitor network traffic, complete the following steps to trace service
paths for both RTP and TCP traffic.
Step 1 Add NAMs to the system. You can do this either automatically using Discovery, or manually using bulk import or the
Device Work Center (see the section Add and Organize Devices in Cisco Prime Infrastructure User Guide).
Step 2 Enable NAM Data collection. To do this:
a) Choose Services > Application Visibility & Control > Data Sources.
b) In the NAM Data Collector section, select each NAM and click Enable to enable data collection on the selected
NAMs (see the section Enable NAM Data Collection in Cisco Prime Infrastructure User Guide).
Step 3 Create a site structure for your organization and assign your principal routers to the appropriate sites:
a) Choose Maps > Site Maps.
b) Add one or more campuses, buildings, and floors.
Step 4 Associate your sites with authorized data sources:
a) Choose Services > Application Visibility & Control > Data Deduplication.
b) Click Enable Data Deduplication, then click Apply. You can then assign authoritative sources for ART, Traffic
Analysis and Voice/Video data (see Enable Data Deduplication, on page 150).
Step 5 Associate your sites with endpoint subnets:
a) Choose Services > Application Visibility & Control > Endpoint Association.
b) Associate subnets with your sites. (see the section Associate Endpoints with a Site inCisco Prime Infrastructure User
Guide).
If you fail to do this, the data collected for these endpoints will have their sites set to “Unassigned.”
Step 6 Configure your routers for Mediatrace and WSMA (see the section Troubleshoot RTP and TCP Flows Using Mediatrace
in Cisco Prime Infrastructure User Guide).
For more details, see Control System Jobs".
Configure Cisco Prime Infrastructure to Use Routers and Switches as Data Sources
If your network uses Cisco routers and switches to monitor network traffic, complete the following steps to
enable path tracing for both RTP and TCP flows.
Step 1 Create a site structure for your organization and assign your principal routers to the appropriate sites:
a) Choose Maps > Site Maps.
b) Add one or more campuses, buildings, and floors (for details, see the section Work With Site Maps in Cisco Prime
Infrastructure User Guide).
Step 2 Associate your sites with authorized data sources:
a) Choose Services > Application Visibility & Control > Data Deduplication.
b) Click Enable Data Deduplication, then click Apply. You can then assign authoritative sources for ART, Traffic
Analysis and Voice/Video data (see Enable Data Deduplication, on page 150).
Step 3 Associate your sites with endpoint subnets:

358
Configure Mediatrace on Routers and Switches
a) Choose Services > Application Visibility & Control > Endpoint Association.
b) Associate subnets with your sites. (see the section Associate Endpoints with a Site in Cisco Prime Infrastructure User
Guide).
If you fail to do this, by default the data collected for these endpoints will have their sites set to “Unassigned.”
Step 4 Configure your compatible routers for Cisco Medianet Performance Monitor (see Configure Mediatrace on Routers and
Switches).
Step 5 Configure your routers for Mediatrace and WSMA (see the section Troubleshoot RTP and TCP Flows Using Mediatrace
in Cisco Prime Infrastrucutre User Guide).
Related Topics
Enable Data Deduplication, on page 150
Configure Mediatrace on Routers and Switches

Prime Infrastructure supplies an out-of-the-box template that configures Mediatrace on routers and switches.
You must apply this configuration to every router and switch that you want to include in your results whenever
you are tracing service paths.
See Deploying Templates , to get a list of all the supported routers and switches for Mediatrace.
Before You Begin
You must complete the following tasks:
• Configuring Prime Infrastructure to Use NAM Devices as Data Sources
• Configuring Prime Infrastructure to Use Routers and Switches as Data Sources
To configure the Mediatrace-Responder-Configuration template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI >
Mediatrace -Responder-Configuration.
Step 2 Enter the required information for the template (see the Field reference for the template).
Step 3 Click Save as New Template and give the new template a name and description. Click Save.
Step 4 Click Deploy to deploy the new template .
For more details, see Enabling NetFlow Data Collection, Field Reference: Mediatrace-Responder-Configuration and
Deploying Templates .
Configure WSMA and HTTP(S) Features on Routers and Switches

To trace service path details, the Web Services Management Agent (WSMA) over HTTP protocol must run
Mediatrace commands on your routers and switches. Configure this feature on the same set of routers and
switches as you did when following the instructions in “Configure Mediatrace on Routers and Switches” (see
Related Topics).

359
Configure WSMA and HTTP(S) Features on Routers and Switches
Step 1 Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI >
HTTP-HTTPS Server and WSMA Configuration-IOS.
Step 2 Enter the required information for the template (see the Field reference for the template.
Be sure to enable the HTTP protocol. WSMA over HTTPS is not supported in the current version of Prime Infrastructure.
Step 3 Click Save as New Template and give the new template a name and description. Click Save.
Step 4 Click Deploy to deploy the new template.
When adding a device to Prime Infrastructure, you must provide the HTTP user and password for the device.
For more details, see Field Reference: HTTP-HTTPS Server and WSMA Configuration-IOS, Deploying Templates and
Add Devices to Prime Infrastructure .
Related Topics
Configure Mediatrace on Routers and Switches, on page 359

360
CHAPTER 14
Plan Network Capacity Changes
• How to Plan the Network Capacity Changes, on page 361
How to Plan the Network Capacity Changes

Cisco Prime Infrastructure with Assurance allows you to view and report a variety of key performance
indicators that are critical for maintaining and improving your network’s operational readiness and performance
quality. This information is especially critical in adapting to ever increasing network loads.
Note To use the features described in this chapter, your Prime Infrastructure implementation must include Assurance
licenses. These features are supported on ASR platforms only.
In the following workflow, we take the role of a network administrator who has just been told that a large
staff expansion is planned for a branch office. This change will add more users to the branch LAN, many of
whom will be using WAN applications. We want to monitor the branch’s key interfaces for usage and traffic
congestion, so we can see if more users on the branch LAN will mean degraded WAN application performance
for those users. To be certain we have an adequate picture, we will need to look at both short- and long-term
performance trends for all the WAN applications the branch uses.
Before You Begin
• Set up the Top N WAN Interfaces by Utilization dashlet:
• Choose Monitor > Monitoring Policies and create an Interface Health template.
• Choose Inventory > Group Management > Port Groups, select the interfaces and click Add to
Group, then select WAN Interfaces as the group.
• Enable SNMP polling.
Step 1 Choose Dashboard > Overview > General.

Step 2 To view the usage statistics for the WAN interfaces on the routers connecting remote branches to the WAN, choose
Network Interface
Step 3 If it is not already there, add the Top N Interface Utilization dashlet. For each interface, this dashlet shows the Device
Name and IP of the device hosting the WAN interface, the interface name and speed, and Transmit/Receive maximum,
average and last-polled utilization.

361
Step 4 To see the utilization statistics for the past month, click the Clock icon next to the Top N Interface Utilization dashlet
title to change the Time Frame on the Filters line to Past 4 Weeks.
Step 5 In the Top N Interface Utilization dashlet, find the WAN interface for the branch to which you are adding users.
Step 6 In the Interface column, click the interface’s name to display the Dashboard > Performance > Interface page for that
interface. The page shows the following dashlets for this single interface:
• Interface Details
• Interface Tx and Rx Utilization
• Top N Applications
• Top N Clients
• Number of Clients Over Time
• DSCP Classification
• QoS Class Map Statistics
• oS Class Map Statistics Trend
• Top Application Traffic Over Time
Step 7 Concentrate on the Top Application Traffic Over Time dashlet on this page. This dashlet gives a color-coded map of
the top ten applications with the heaviest traffic over this interface.
Step 8 To get a better idea of the longer-term performance trend, click the Clock icon next to the Top Application Traffic Over
Tim dashlet title to change the Time Frame to Past 24 Hours, Past 4 Weeks, or Past 6 Months.
To zoom in on particular spikes in the graph, use the Pan and Zoom handles in the lower graph.
Step 9 For a quick report of the same data as the interface page, choose Reports > Report Launch Pad. Then choose
Performance > Interface Summary. Specify filter and other criteria for the report, select the same interface in Report
Criteria, then click Run.
What to do next
The following table shows the ISP profile used to test against (it is very similar to the Caida.org Internet
profile).
Table 21: Internet Profile - Traffic Profile per 1Gbps
TCP UDP HTTP RTP Total
Connection Rate (flows per second) 5,000 5,000 800 10 10,000
Concurrent Flows 150,000 150,000 50,000 300 300,000
Packet Rate 150,000 40,000 50,000 15,000 199,000
Related Bandwidth (bps) 900Mbps 100Mbps 295Mbps 25Mbps 1GBps
Packet Size (derived) 750 313 738 208 658

362
TCP UDP HTTP RTP Total
Number of Parallel Active Users 60,000 Derived from the number of flows

363

364
CHAPTER 15
Enable Backward Compatibility
• Enable Backward Compatibility between Catalyst 9800 WLC Devices and Prime Infrastructure 3.9, on
page 365
Enable Backward Compatibility between Catalyst 9800 WLC

Devices and Prime Infrastructure 3.9
Cisco Prime Infrastructure 3.9 will support Catalyst 9800 17.x by default, but we have an option to toggle the
Catalyst 9800 16.12.x version. Follow the instructions below to toggle the versions.
Important At any point of time only one version of controller will be active (either 16.12.x or 17.x). By default when
you first install Prime Infrastructure 3.9, support for Catalyst 9800 17.4.x will be active.
Procedure to enable Backward Compatibility between Catalyst 9800 Devices and Prime Infrastructure
3.9
Before you begin

Install Cicso Prime Infrastructure 3.9 System patch as mentioned in the System Patch 3.9 section given below.
Ensure you have the administrative previlages right to access nscdiag.
Enable ncsdiag. For more details, see ncs run diag section in the latest Command Reference Guide for Cisco
Prime Infrastructure 3.9.
Step 1 Change the Catalyst 9800 version using https://<prime ip>/ncsdiag/coralService.html url.
Step 2 In the Coral Service page, click Change coral to change the current Catalyst 9800 version supported by Prime Infrastructure
3.9.
Example: If the Coral Service page shows the Current Coral verison is "Coral 17", once you click Change Coral you
will be swapped to "Coral 16".

365
Enable Backward Compatibility between Catalyst 9800 WLC Devices and Prime Infrastructure 3.9
Figure 3: Coral Service
Step 3 When Prime Infrastructure is in High Availability mode:

• If you are using Catalyst 9800 17.x and you chose to toggle to Catalyst 9800 16.12.x, you have to wait for the Primary
and Secondary Prime Infrastructure instances to synchronize.
• If you are using Catalyst 9800 16.12.x and you chose to toggle to Catalyst 9800 17.x, you have to delete .coral16
file from /opt/CSCOlumos path in standby Prime Infrastructure manually.
Step 4 When Prime Infrastructure is not on High Availability mode, please skip to Step 5.
Step 5 Restart Prime Infrastructure
Important Restarting the server after toggling the version is essential for the new Catalyst 9800 changes to take effect.
Step 6 Go to the directory /opt/CSCOlumos/coralinstances/coral2/coral/bin to verify if the Catalyst 9800 version has changed
by running the ./coral version 1 commands:
When you have changed to version Catalyst 9800 17.x below will be the expected result:
ade # sudo ./coral version 1
BuildTime: 2020-11-26_22.33
ReleaseDate: Thu-26-Nov-20-17:24
BuildArch: x86_64
Platform: CORAL
Build: 17.04.01
BuildPath: /scratch/mcpre/release/BLD-V17_04_01_FC5/binos
Version: 17.04.01.0.173.1606458801..Bengaluru
InstallVersion: 1.0.0
BootArch: Linux Name Space Container
Host System uptime: 0 days, 1 hours, 5 minutes, 22 seconds [3922.9 sec]
Coral service uptime: 0 days, 0 hours, 16 minutes, 11 seconds [971.38 sec]
ade #
When you have changed to version Catalyst 9800 16.12.x below will be the expected result:
ade # sudo ./coral version 1
BuildTime: 2019-07-30_16.43
ReleaseDate: Tue-30-Jul-19-08:15
BuildArch: x86_64
Platform: CORAL
Build: 16.12.01
BuildPath: /scratch/mcpre/release/BLD-V16_12_01_FC4/binos
Version: 16.12.1.0.544.1564530231..Gibraltar
InstallVersion: 1.0.0
BootArch: Linux Name Space Container
Host System uptime: 4 days, 22 hours, 24 minutes, 7 seconds [426247.80 sec]

366
Installing Cisco Prime Infrastructure System Patch 3.9
Coral service uptime: 4 days, 0 hours, 16 minutes, 28 seconds [346588.20 sec]
ade #

Before you begin
Make sure you have an account on Cisco.com.
Step 1 Back up your data. See Perform a Manual Backup, on page 57.
Step 2 Download the file to your local machine, then upload it from your local machine to the Prime Infrastructure server.
a) Log into cisco.com and go to the Prime Infrastructure Software Download site.
b) Locate the PI_3_9_Oct_Oracle_patch-1.0.8.ubf file you want to download, and download it to your local machine.
Step 3 Copy the file from your local machine to the Prime Infrastructure server as described in Copy a File from a Client Machine
to the Prime Infrastructure Server, on page 44.
Step 4 Log in to the Prime Infrastructure web GUI as a user with Administrator privileges.
Step 5 Upload the file to the Prime Infrastructure server.
b) Click Upload at the top of the page.
c) Use one of the following options to upload the UBF file.
the Files tab.

Step 6 Select the software update, click Install, and then click Yes in the confirmation pop-up window.
Note If the .ubf file is not signed or has been modified since it was downloaded from Cisco.com, Prime Infrastructure
will abort the installation. Contact your Cisco representative.
Prime Infrastructure will auto-restart and the web GUI will not be accessible for some time. (If it does not, restart it by
following the procedure in Stop and Restart Prime Infrastructure, on page 93.)
Step 7 When the web GUI is accessible, log in and check the version on the Software Update page.

367
b) Verify the information under the Updates tab.

368
APPENDIX A
Best Practices: Server Security Hardening
The following sections explain how to enhance server security by eliminating or controlling individual points
of security exposure.
• Disable Insecure Services , on page 369
• Disable Root Access, on page 369
• Use SNMPv3 Instead of SNMPv2, on page 370
• Authenticate With External AAA, on page 372
• Enable NTP Update Authentication, on page 373
• Set Up Local Password Policies, on page 374
• Disable Individual TCP/UDP Ports, on page 374
• Check On Server Security Status, on page 375
Disable Insecure Services

You should disable non-secure services if you are not using them. For example: TFTP and FTP are not secure
protocols. These services are typically used to transfer firmware or software images to and from network
devices and Prime Infrastructure. They are also used for transferring system backups to external storage. We
recommend that you use secure protocols (such as SFTP or SCP) for such services.
To disable FTP and TFTP services:
Step 1 Log in to Prime Infrastructure with a user ID with administrator privileges.

Step 2 Select Administration > Settings > System Settings > General > Server.
Step 3 Select the Disable buttons for FTP and TFTP.
Step 4 Restart Prime Infrastructure to apply the updated settings.
Disable Root Access

Administrative users can enable root shell access to the underlying operating system for trouble shooting
purposes. This access is intended for Cisco Support teams to debug product-related operational issues. We
recommend that you keep this access disabled, and enable it only when required. To disable root access, run
the command root_disable from the command line (see How to Connect Via CLI, on page 125).

369
Use SNMPv3 Instead of SNMPv2
During installation, Prime Infrastructure also creates a web root user account, prompting the installer for the
password to be used for this account. The web root account is needed to enable first-time login to the Prime
Infrastructure server and its web user interface. We recommend that you never use this account for normal
operations. Instead, use it to create user IDs with appropriate privileges for day-to-day operations and network
management, and administrative user IDs for managing Prime Infrastructure itself. Once these user accounts
are created, disable the default “web root” account created at install time, and create user accounts using your
administrative user IDs thereafter.
If you forget the shell password, you can recover (and then reset) the shell password by following the steps
to recover the administrator password. See Recovering Administrator Passwords on Virtual Appliances .
Because recovering the administrator password requires the Prime Infrastructure server to reboot, your system
might go down for approximately 20 minutes.
To disable the root accounts:
Step 1 Open a CLI session with the Prime Infrastructure server (seeHow to Connect Via CLI, on page 125 ). Do not enter
“configure terminal” mode.
Step 2 Disable the web root account by entering the following command:
PIServer/admin# ncs webroot disable
Prime Infrastructure disables the web root account.
Step 3 Disable the root shell account by entering the following command at the prompt:
PIServer/admin# shell disable
Prime Infrastructure will prompt you for the root shell account password. Enter it to complete disabling of the root shell
account.
Use SNMPv3 Instead of SNMPv2

SNMPv3 is a higher-security protocol than SNMPv2. You can enhance the security of communications
between your network devices and the Prime Infrastructure server by configuring the managed devices so
that management takes place using SNMPv3 instead of SNMPv2.
You can choose to enable SNMPv3 when adding new devices, when importing devices in bulk, or as part of
device discovery. See Related Topics for instruction on how to perform each task.
Related Topics
Use SNMPv3 to Add Devices, on page 370
Use SNMPv3 to Import Devices, on page 371
Use SNMPv3 to Run Discovery, on page 371
Use SNMPv3 to Add Devices

To specify SNMPv3 when adding a new device:
Step 1 Select Inventory > Device Management > Network Devices

370
Use SNMPv3 to Import Devices
Step 2 Choose Add Device.

Step 3 In the SNMP Parameters area, in Version, select v3.
Step 4 Complete the other fields as appropriate, then click Add.
Related Topics
Use SNMPv3 Instead of SNMPv2, on page 370
Use SNMPv3 to Import Devices

To specify use of SNMPv3 when importing devices in bulk:
Step 1 Select Inventory > Device Management > Network Devices.

Step 2 Choose Bulk Import. The Bulk Import page appears.
Step 3 Download the device add sample template from the “here” link on the Bulk Import page.
Step 4 Edit the template file using any CSV-compatible application. For each row representing a device in the CSV import file:
a) In the snmp version column, enter 3.
b) Enter appropriate values in the snmpv3_user_name, snmpv3_auth_type, snmpv3_auth_password, snmpv3_privacy_type,
and snmpv3_privacy_password columns.
c) Complete other columns as appropriate for your devices.
Step 5 Select Inventory > Device Management > Network Devices, then click Bulk Import and import your modified CSV
file.
Related Topics
Use SNMPv3 to Run Discovery

To specify SNMPv3 as part of device discovery:
Step 1 Select Inventory > Device Management > Discovery. The Discovery Jobs page appears.
Step 2 Click the Discovery Settings link in the upper right corner of the page. The Discovery Settings page appears.
Step 3 Choose New to add new SNMP v3 credentials.
Step 4 Complete the fields as needed.
Step 5 Click Save to save the SNMPv3 settings and use them thereafter.
Related Topics

371
Authenticate With External AAA
Authenticate With External AAA

User accounts and password are managed more securely when they are managed centrally, by a dedicated,
remote authentication server running a secure authentication protocol such as RADIUS or TACACS+.
You can configure Prime Infrastructure to authenticate users using external AAA servers. You will need to
access the Administration > Users > Users, Roles & AAA page to set up external authentication via the
Prime Infrastructure graphic user interface (GUI). You can also set up external authentication via the command
line interface (CLI). See Related Topics for instructions on how to set up AAA using each method.
Related Topics
Set Up External AAA Via GUI, on page 372
Set Up External AAA Via CLI, on page 372
Set Up External AAA Via GUI

To set up remote user authentication via the GUI:
Step 1 Log in to Prime Infrastructure with a user ID that has administrator privileges.
Step 2 Select Administration > Users > Users, Roles & AAA > TACACS+ or Administration > Users > Users, Roles &
AAA > RADIUS.
Step 3 Enter the TACACS+ or RADIUS server IP address and shared secret in the appropriate fields.
Step 4 Select Administration > Users > Users, Roles & AAA > AAA Mode Settings.
Step 5 Set the AAA mode as appropriate.
Related Topics
Authenticate With External AAA, on page 372
Set Up External AAA Via CLI, on page 372
Set Up External AAA Via CLI

To set up remote user authentication via the CLI:
Step 1 Log in to Prime Infrastructure using the command line, as explained in How to Connect Via CLI, on page 125 . Be sure
to enter “configure terminal” mode.
Step 2 At the prompt, enter the following command to setup an external TACACS+ server:
PIServer/admin/terminal# aaa authentication tacacs+ server tacacs-ip key plain shared-secret
Where:
• tacacs-ip is the IP address of an active TACACS+ server.
• shared-secret is the plain-text shared secret for the active TACACS+ server.

372
Enable NTP Update Authentication
Step 3 At the prompt, enter the following command to create a user with administrative authority, who will be authenticated by
the above AAA server:
PIServer/admin/terminal# username username password remote role admin email emailID
Where:
• username is the name of the user ID.
• password is the plain-text password for the user.
• emailID is the email address of the user (optional).
Related Topics
Authenticate With External AAA, on page 372
Set Up External AAA Via GUI, on page 372
Enable NTP Update Authentication

Network Time Protocol (NTP) version 4, which authenticates server date and time updates, is an important
way to harden server security. Note that you can configure a maximum of three NTP servers with Prime
Infrastructure.
To set up authenticated NTP updates:
Step 1 Log in to Prime Infrastructure using the command line, as explained in How to Connect Via CLI, on page 125 .Be sure
to enter “configure terminal” mode.
Step 2 At the prompt, enter the following command to setup an external NTPv4 server:
PIServer/admin/terminal# ntp server serverIP userID plain password
Where:
• serverIP is the IP address of the authenticating NTPv4 server you want to use.
• userID is the md5 key id of the NTPv4 server.
• password is the corresponding plain-text md5 password for the NTPv4 server.
For example: ntp server 10.81.254.131 20 plain MyPassword
Step 3 To ensure that NTP authentication is working correctly, test it by executing the following commands:
• To check the NTP update details: sh run
• To check NTP sync details: sh ntp

373
Set Up Local Password Policies
Set Up Local Password Policies

If you are authenticating users locally, using Prime Infrastructure’s own internal authentication, you can
enhance your system’s security by enforcing rules for strong password selection.
Note that these policies affect only the passwords for local Prime Infrastructure user IDs. If you are
authenticating Prime Infrastructure users via a centralized or remote AAA server, you can enforce similar
protections using the functions of the AAA server.
To enforce local password policies:
Step 1 Log in to Prime Infrastructure with a user ID that has administrator privileges.
Step 2 Select Administration > Users > Users, Roles & AAA > Local Password Policy.
Step 3 Select the check boxes next to the password policies you want to enforce, including:
• The minimum number of characters passwords must contain.
• No use of the username or “cisco” as a password (or common permutations of these).
• No use of “public” in root passwords.
• No more than three consecutive repetitions of any password character.
• Passwords must contain at least one character from three of the following character classes: upper case, lower case,
digit, and special character.
• Whether the password must contain only ASCII characters.
• Minimum elapsed number of days before a password can be reused.
• Password expiration period.
• Advance warnings for password expirations.
If you enable any of the following password policies, you can also specify:
• The minimum password length, in number of characters.
• The minimum elapsed time between password re-uses.
• The password expiry period.
• The number of days in advance to start warning users about future password expiration.
Step 4 Click Save.
Disable Individual TCP/UDP Ports

The following table lists the TCP and UDP ports Prime Infrastructure uses, the names of the services
communicating over these ports, and the product’s purpose in using them. The “Safe” column indicates
whether you can disable a port and service without affecting Prime Infrastructure’s functionality.

374
Check On Server Security Status
Table 22: Prime Infrastructure TCP/UDP Ports
Port Service Name Purpose Safe?
21/tcp FTP File transfer between devices and server Y
22/tcp SSHD Used by SCP, SFTP, and SSH connections to and from the system N
69/udp TFTP File transfer between devices and the server Y
80/tcp HTTP Provisioning of Nexus devices Y
162/udp SNMP-TRAP To receive SNMP Traps N
443/tcp HTTPS Primary Web Interface to the product N
514/udp SYSLOG To receive Syslog messages N
1522/tcp Oracle Oracle/JDBC Database connections: These include both internal server N
connections and for connections with the High Availability peer server.
8080 apache httpd For establishing comminution between WLC and Prime Infrastrucuture N
in Assurance (wsa_collector)
8082/tcp HTTPS Health Monitoring N
8087/tcp HTTPS Software updates on HA Secondary Systems N
9991/udp NETFLOW To receive Netflow streams (enabled if Assurance license installed) N
9992/tcp PI Tomcat Lync Monitoring in Assurance N

Process
61617/tcp JMS (over SSL) For interaction with remote Plug&Play Gateway server Y
Check On Server Security Status

Prime Infrastructure administrators can connect to the server via CLI and use the show security-status
command to display the server’s currently open TCP/UDP ports, the status of other services the system is
using, and other security-related configuration information. For example:
Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI . Do not enter “configure
terminal” mode.
Step 2 Enter the following command at the prompt:
pi-33-aws/admin# show security-status
Depending on your settings, you will see output like the following:
Open TCP Ports : 21 22 80 443 1522 8082 9992 61617
Open UDP Ports : 69 162 514 9991
FIPS Mode : disabled

375
SSH DH Group1 : enabled

TFTP Service : enabled
FTP Service : enabled
JMS port (61617) : enabled
Root Access : disabled
Client Auth : enabled
TLS versions : TLSv1, TSLv1.1TLSv1.2
TLS ciphers : tls-ecdhe,tls-dhe,tls-static
Note The output shows currently configured values. If you had made any changes after last system start, that will be
effective only after next restart.

376
APPENDIX B
Internal SNMP Trap Generation
• About Internal Trap Generation, on page 377
• Prime Infrastructure SNMP Trap Types, on page 378
• Generic SNMP Trap Format, on page 380
• Northbound SNMP Trap-to-Alarm Mappings, on page 381
• Prime Infrastructure SNMP Trap Reference, on page 384
• Configure Prime Infrastructure Traps , on page 389
About Internal Trap Generation

When properly configured, Prime Infrastructure will send SNMP traps to notification destination, to notify
them on the following events, occurring within the Prime Infrastructure system itself:
• Any crash or failure of an internal software process on the Prime Infrastructure server.
• High Availability (HA) state changes, including Registration, Failover, and Failback.
• High CPU, memory or disk utilization.
• CPU, disk, fan, or Power Supply Unit (PSU) failures.
• Backup failure, certification expiry and licenses violations.
You can edit the severity associated with each of these internal SNMP traps. You can also change the threshold
limits on CPU, memory and disk utilization traps (these SNMP traps are sent when the system hardware
exceeds the configured thresholds).
For other events (such as CPU, disk, fan, and PSU failures, or HA state changes), an SNMP trap is sent as
soon as the failure or HA state-change is detected.
SNMP traps are generated based on customized threshold and severities for the following:
• Server Process Failures
• High Availability Operations
• CPU Utilization
• Memory Utilization
• Disk Utilization
• Disk Failure
• Fan Failure
• PSU Failure
• Backup Failure

377
Prime Infrastructure SNMP Trap Types
• Certificate Expiry
Prime Infrastructure does not send SNMPv2 Inform or SNMPv3 notifications.
Note Prime Infrastructure displays the alarms, stating the port unavailability, even if the traps are disabled for a
device.
Prime Infrastructure SNMP Trap Types

The following table lists the SNMP traps that Prime Infrastructure generates for its own functions. The listing
is by trap type. The table describes the circumstances under which each trap is generated as well as suggested
operational responses (where applicable).
Table 23: Prime Infrastructure SNMP Trap Types
Trap Type Trap Description
Appliance Process FTP, MATLAB, Whenever the FTP, MATLAB, or TFTP process on Prime Infrastructure server fails,
Failure TFTP the server will generate a failure trap and the server's instance of Health Monitor will
try to restart the process automatically. If Health Monitor cannot restart it after 3 tries,
the HA server will send another failure trap.
Appliance Process NMS Whenever the NMS process on a server starts or fails, the Prime Infrastructure server's
Failure Health Monitor thread will generate a corresponding trap.
To stop or restart the process, connect to the server via CLI and log in as admin. Then
execute the nms stop or nms start command, as appropriate.
HA Operations Registration Trigger Prime Infrastructure generates this trap whenever the primary server initiates HA
registration (whether registration fails or succeeds).Once HA registration is triggered,
the primary server generates the trap, indicating the start of the operation.
HA Operations Registration Success When HA registration is successful, the primary server generates this trap, indicating
success.
HA Operations Registration Failure When HA registration fails for any reason, the primary or secondary server on which
the failure occurred, generates a trap indicating the failure. The trap contains details
about the failure. For assistance, contact the Cisco Technical Assistance Center (TAC).
HA Operations Failover Trigger This trap is generated whenever the Prime Infrastructure primary server fails and, as
part of a failover, the secondary server tries to become active (whether failover fails or
succeeds, and whether the secondary server comes up or fails to do so). If the HA
configuration (set during registration) has a Manual failover type, users must trigger
the failover. Otherwise, the Health Monitor will trigger failover to the secondary server
automatically.
One trap will be generated to indicate that the failover was triggered. Because the trap
is sent before the failover completes, it will not be logged on the secondary server.
HA Operations Failover Success When the triggered failover operation is successful, the secondary server generates a
trap indicating success. Users can view the trap in the secondary server's alarm browser.

378
HA Operations Failover Failure When the triggered failover operation fails, a trap will be generated indicating the
failure. Users can view the trap in the hm-#-#.log (see How to Troubleshoot Prime
Infrastructure SNMP Traps, on page 393). The trap contains details about the failure.
For assistance, contact Cisco TAC. As with other failure traps, alarms and a “clear”
trap are sent if the failure corrects itself.
HA Operations Failback Trigger This trap is generated whenever a failback to the primary server is triggered on the
secondary server (whether or not the failback is successful). Once the primary server
is restored, a user must trigger a failback from the secondary server to the primary
server using the Failback button on the secondary server Health Monitor web page
(there is no automatic Failback option). Once triggered, the secondary server generates
the trap indicating the start of the operation.
HA Operations Failback Success When the triggered failback operation is successful, the secondary server generates a
trap indicating success. Failback success sets the primary server to the ‘Active’ state
and the secondary server to the ‘Sync’ state.
HA Operations Failback Failure When the triggered failback operation fails, a trap will be generated indicating this
failure. Since the failure can occur on either server, the server on which it occurred will
generate the trap. Users can view the trap in the hm-#-#.log and on the northbound
management server.
A failback failure triggers an automatic rollback, in which the secondary server tries
to return to its previous ‘Active’ state. Failure of this operation will cause the secondary
server to generate an additional trap indicating rollback failure. The failure traps contain
details about the failures. For assistance, contact Cisco TAC. As with other failure traps,
alarms and a “clear” trap are sent if the failure corrects itself.
Hardware Traps CPU Utilization Traps will be sent only when the usage exceeds the preset threshold value for CPU
utilization. To view these traps, check the jobs and active sessions for the server that
generated the trap.
Hardware Traps Disk Utilization Traps will be sent only when the disk usage exceeds the set threshold limit for Disk
utilization. To respond, try to free up disk space under the /opt and /localdisk partitions.
Do not delete folders under /opt/CSCOlumos without guidance from Cisco TAC.
Hardware Traps Memory Utilization Traps will be sent to the SNMP trap receiver, only when memory usage exceeds the
set threshold limit for memory utilization.
Hardware Traps Disk Failure Traps will be sent to the SNMP trap receiver when disk failure is detected. Contact
your local system administrator for corrective action. As with other failure traps, alarms
and a “clear” trap are sent if the failure corrects itself.
Hardware Traps Fan Failure Traps will be sent to the SNMP trap receiver when fan failure is detected. The bad or
missing fan will be identified in the trap or alarm message. Contact your local system
administrator for corrective action. As with other failure traps, alarms and a “clear”
trap are sent if the failure corrects itself.
Hardware Traps PSU Failure Traps will be sent to the SNMP trap receiver when PSU failure is detected. The
problematic power supply will be identified in the trap or alarm message. Contact your
local system administrator for corrective action. As with other failure traps, alarms and
a “clear” trap are sent if the failure corrects itself.

379
Generic SNMP Trap Format
Threshold Traps Backup Failure Traps will be sent to the SNMP trap receiver when failure of the daily background task
of Prime Infrastructure server backup is detected. The background task runs everyday
and takes a backup of the server at the scheduled time. If the backup fails due to
insufficient disk space, the event will be processed. If the backup is taken successfully,
the alarm will be cleared.
Threshold Traps Backup Threshold Informs users when Prime Infrastructure scheduled daily backup has not been taken
for a threshold number of days. The default threshold is seven days. If no backup has
been taken for seven days, users are notified by this event.
Threshold Traps Certificate Expiry Traps will be sent to the SNMP trap receiver when the certificate is about to expire. A
critical trap is sent when the certificate is set to expire in 15 days and a major trap is
sent when the certificate expiry is in 60 days.
System Traps Lifecycle Lifecycle license is used to manage devices. Alarm is generated when the license usage
exceeds the configured threshold percentage. By default, traps will be sent when the
usage exceeds 80%. However, this can be customized.
System Traps Assurance Assurance License is used to display the devices that pump NetFlow to Prime
Infrastructure. Alarm is generated when the license usage exceeds the configured
threshold percentage. By default, traps will be sent when the usage exceeds 80%.
However, this can be customized.
System Traps Collector Collector License is used to display the volume of NetFlow pumped to Prime
Infrastructure. Alarm is generated when the license usage exceeds the configured
threshold percentage. By default, traps will be sent when the usage exceeds 80%.
However, this can be customized.
System Traps Lifecycle License Traps will be sent when the expiry period of the License goes below the threshold limit.
By default, traps will be sent when the limit is 30 days. However, you can customize
the limit between 1-99 days. This event is considered only when you use Evaluation
License.
System Traps Assurance License Traps will be sent when the expiry period of the License goes below the threshold limit.
License.
System Traps Collector License Traps will be sent when the expiry period of the License goes below the threshold limit.
License.
Generic SNMP Trap Format

The following shows the syntax of SNMP trap notifications for Prime Infrastructure:
Component: Component Name, Server: Primary, Secondary or Standalone, Type: Process, Sync, Activity,
etc., Service: Service Name, When: Phase in the Prime Infrastructure Lifecycle, State: HA and HM state of

380
Northbound SNMP Trap-to-Alarm Mappings
the server, Result: Warning, Failure, Success, Information, Exception, MSG: Free-form text of the message
for a given SNMP Trap
Table A-2 describes possible values for each of the generic trap format attributes.
Table 24: Values for Generic SNMP Trap Format Attributes
Attribute Value
Component Health Monitor or High Availability
Server From which server (Primary, Secondary or Standalone) was this trap sent?
Type Which type of action (Process, Sync, Activity, etc.) resulted in this trap?
Service Which Prime Infrastructure service reported this issue? The possible values include Registration, Failover, Failback,
NMS, NCS, Health Monitor, All, Prime Infrastructure, Database, Disk Space, and so on.
When At what point in the Prime Infrastructure server's life cycle (Startup, Shutdown, etc.) did this happen?
State What is the server state (Standalone, Failover, Failback, Registration, etc.)?
Result For which condition is this SNMP trap being reported?
MSG Freeform text providing more details specific to each SNMP trap.
Northbound SNMP Trap-to-Alarm Mappings

The following table describes how northbound traps are mapped to Prime Infrastructure events and alarms.
The entries in the “Events” column in the table below refer to the names of columns in the “Events” tab of
the Prime Infrastructure Supported Events document that contain additional information. For example, for
the MIB variable “cWNotificationSubCategory” in this table, you would look in the “Event/Alarm Condition”
column of the Supported Events document to look up the type of problem being reported or resolved in the
forwarded event or alarm.
Table 25: Northbound SNMP Trap-to-Alarm Mappings
MIB Variable Name Field From Associated GUI Name Events Details
Alarm
cWNotificationIndex None. Uniquely generated None None Index value that increases
for each trap. with each northbound trap
sent until it wraps back to
one.
cWNotificationTimestamp alarmCreationTime Alarm Found At None Time that the associated

alarm was created.
cWNotificationUpdatedTimestamp lastModifiedTimestamp Timestamp (column), None Time that the associated

Alarm Last Updated At alarm was last updated.

381
Alarm
cWNotificationKey applicationSpecificAlarmID None None An (opaque) string that

uniquely identifies the
alarm condition. This is
basically the alarm
“identifier”. If two
northbound traps are
received (first one with
non-cleared severity,
second one with cleared
severity) with the same
cWNotificationKey, it
can be determined that
the second trap clears
issue reported in the first.
cWNotificationCategory category Category Default Category Category of the

associated alarm. The
actual value is a numeric
and can be mapped to the
actual category name
contained in the Prime
Infrastructure Supported
Events document. The
mapping is available in
the MIB.
cWNotificationSubCategory eventType Condition Event/Alarm Indication of the type of

Condition problem being reported
or resolved.
cWNotificationManagedObjectAddressType None None None Indicates IPV4.
WNotificationManagedObjectAddress reportingEntityAddress None None Address of device

reporting the issue. May
not be the actual address
the trap was sent from. If
a device is added to Prime
Infrastructure with one
address as its
management address but
sends traps from a
different address, this
value will be the address
the device had when it
was added.
cWNotificationSourceDisplayName displayName Failure Source None A representation of the

name of the affected
resource.

382
Alarm
cWNotificationDescription description Message Prime Infrastructure A message indicating the

(ciscoLwappIpsType, Message issue or resolution that
ciscoLwappIpsDescId, occurred. This usually
ciscoLwappIpsDescriptionParams) comes from the alarm
description, but in the
case of WIPS alarms, it is
pulled from other fields
(see the “Field from
Associated Alarm”
column at left).
cWNotificationSeverity severity Severity Default Severity The severity of the alarm.

This is a numerical
representation of the
alarm severity defined in
the CISCO-TC MIB. The
values are: cleared(1),
indeterminate(2),
critical(3), major(4),
minor(5), warning(6),
info(7). Since you can
change the desired
severity for an event type,
the value may not match
the severity in Prime
Infrastructure Supported
Events if the severity has
been modified. Severity
can be modified as a way
to control which alarm
changes are notified via
northbound traps (that is,
you could specify only
CRITICAL alarms should
become northbound traps,
and change the severity
for an unwanted alarm
from CRITICAL to
MAJOR).
cWNotificationSpecialAttributes All alarm fields Various, based on specific Various, based on Contains the contents of
alarm field specific alarm field the alarm itself (fields and
values)

383
Prime Infrastructure SNMP Trap Reference
Alarm
cWNotificationType None None None Indication if trap is based

on alarm creation/update
or event creation. Since
some events (if severity
is Informational) do not
create alarms, it is
possible to get north
bound traps for these
informational events.
cWNotificationVirtualDomains None None None From the MIB: “This

object represents the
name of one or multiple
virtual domains (comma
separated) the source of
the network condition
represented by
cWNotificationType is
logically assigned to”.
For example, “root,
California, San Jose”
indicates that the source
of the network condition
is logically assigned to
these multiple virtual
domains.
Prime Infrastructure SNMP Trap Reference

The tables below provide details for each class of SNMP trap notification generated in Prime Infrastructure.
The mapped OID for the WCS northbound notification MIB is 1.3.6.1.4.1.9.9.712.1.1.2.1.12. This OID is
referenced by Prime Infrastructure's software- and hardware-related traps. The trap OID for the northbound
MIB will always be 1.3.6.1.4.1.9.9.712.0.1. For more details, consult the listing for
CISCO-WIRELESS-NOTIFICATION-MIB and the related topic, Northbound SNMP Trap-to-Alarm Mappings
.
Table 26: Appliance Process Failure
Purpose Informs users that a specific Prime Infrastructure server service is down and
that the Health Monitor is attempting to restart it.
When Sent The trap is sent when Health Monitor tries to restart the process.
OID 1.3.6.1.4.1.9.9.712.1.1.2.1.12

384
Example Component: Health Monitor, Server: Primary, Type: Process, Service: NCS,
When: Startup, State: Stand Alone, Result: Warning, MSG: FTP service is
down and an attempt will be made to automatically restart the service
MSG Content PI servername: serviceName service is down; an attempt will be made to

automatically restart the service.
Value Type, Range and Constraints The servername parameter in the MSG attribute will take the value of the
Prime Infrastructure server’s host name. This parameter can take one of the
following values: NMS Server, FTP, TFTP or MATLAB.
Table 27: Failback
Purpose Informs users that a failback from the secondary server to the
primary server has been initiated.
When Sent This trap is sent when a failback is initiated from the secondary
server to the primary server, irrespective of whether the failback
operation fails or succeeds.
OID 1.3.6.1.4.1.9.9.712.1.1.2.1.12
Example Component: High Availability, Server: Secondary, Type: Process,

Service: Database, When: Failback, State: Primary Failback, Result:
Failure, MSG: Error in Failback: Failed to recover the primary
database using Duplicate DB.
Table 28: Failover
Purpose Informs users when the secondary server comes up.
When Sent When the primary server is down and, as part of failover, the
secondary server comes up, traps are generated, irrespective of
whether the failover operation fails or succeeds.
OID 1.3.6.1.4.1.9.9.712.1.1.2.1.12
Example Component: High Availability, Server: Secondary, Type: Process,

Service: Failover, When: Failover, State: Secondary Synching,
Result: Success, MSG: Completed failover from
primaryAddressInfo to secondaryAddressInfo.
MSG Content The primaryAddressInfo and secondaryAddressInfo in the MSG

attribute will take the IP address or host name of the servers.
Table 29: CPU Utilization
Purpose Informs users that CPU utilization has crossed the set threshold limit.

385
When Sent After the CPU utilization crosses the set threshold, the trap is generated on the next polling cycle.
The system poller job runs every 5 minutes. A trap is also generated when the threshold limit is
changed on the Prime Infrastructure Event Configuration web page.
OID .1.3.6.1.4.1.9.9.712.0.1.
Example CPU Utilization is at 85% and has violated threshold limit of 80%.
Value Type, Range and All percentage ranges are from 1 to 99. Do not enter the percentage character ("%") when specifying
Constraints a threshold limit.
Wire Format [OctetString] applicationSpecificAlarmID=Appliance_CPU, lastModifiedTimestamp=12 Jun 2014

11:12:32 UTC, alarmCreationTime=12 Jun 2014 11:12:32 UTC, ownerID=, eventCount=1,
mayBeAutoCleared=false, instanceId=8178170, severity=4,
eventType=APPLIANCE_CPU_VIOLATED_THRESHOLD, previousSeverity=CLEARED,
category=System(17), transientNameValue={}, source=CPU,
notificationDeliveryMechanism=SYNTHETIC_EVENT, instanceVersion=0, description=Component:
Appliance, Server: primary, Type: Hardware, Message: CPU Utilization is at 3% and has violated
threshold limit of 1%, isAcknowledged=false, displayName=NMS:192.168.115.141
Constraints and Caveats Traps are not generated if the issue is resolved before the next polling cycle.
Table 30: Disk Utilization
Purpose Informs users that disk utilization has crossed the set threshold limit.
When Sent After the disk utilization crosses the set threshold, the trap is generated on the next polling cycle. The
system poller job runs every 5 minutes. A trap is also generated when the threshold limit is changed
on the Prime Infrastructure Event Configuration web page.
OID .1.3.6.1.4.1.9.9.712.0.1
Examples PI opt disk volume utilization is at 85% and has violated threshold limit of 0%.
PI opt disk volume is within the recommended disk usage range, less than 80% used.
PI local disk volume utilization is at 85% and has violated threshold limit of 80%.
PI local disk volume is within the recommended disk usage range, less than 80% used.
Wire Format [OctetString] applicationSpecificAlarmID=LocaldiskDiskSpace,

reportingEntityAddress=10.77.240.246,lastModifiedTimestamp=Sun Mar 23 08:44:06 UTC 2014,
alarmCreationTime=2014-03-14 13:29:31.069, eventCount=1, mayBeAutoCleared=false,
instanceId=483484, severity=1, eventType=NCS_LOW_DISK_SPACE, authEntityId=93093,
previousSeverity=MAJOR, category=System(17), transientNameValue={}, source=10.77.240.246,
notificationDeliveryMechanism=SYNTHETIC_EVENT, instanceVersion=0, description=PI localdisk
volume is within the recommended disk usage range, less than 70% used., isAcknowledged=false,
authEntityClass=983576643, displayName=NCS 10.77.240.246

386
Table 31: Memory Utilization
Purpose Informs users that memory utilization has crossed the set threshold limit.
When Sent After the memory utilization crosses the set threshold, the trap is generated on the next polling cycle.
The system poller job runs every 5 minutes. A trap is also generated when the threshold limit is
changed on the Prime Infrastructure Event Configuration web page.
OID .1.3.6.1.4.1.9.9.712.0.1.
Examples Memory Utilization is at 85% and has violated threshold limit of 80%.
Wire Format [OctetString] applicationSpecificAlarmID=Appliance_MEMORY, lastModifiedTimestamp=12 Jun

2014 11:12:32 UTC, alarmCreationTime=12 Jun 2014 11:12:32 UTC, ownerID=, eventCount=1,
eventType=APPLIANCE_MEM_VIOLATED_THRESHOLD, previousSeverity=CLEARED,
category=System(17), transientNameValue={}, source=MEMORY,
Appliance, Server: primary, Type: Hardware, Message: MEMORY Utilization is at 38% and has
violated threshold limit of 1%, isAcknowledged=false, displayName=NMS:192.168.115.141
Table 32: Disk Failure
Purpose Informs users that a drive is missing or bad.
When Sent Once a disk drive issue is detected, a trap will be generated on the next polling cycle. The system poller
job runs every 5 minutes.
OID .1.3.6.1.4.1.9.9.712.0.1
Example Component: Appliance, Server: Standalone, Type: Hardware, Message: A problem was detected in the
RAID device. A rebuild is in progress. Device at enclosure 252 slot ZERO is bad or missing. Drive0 is
missing or bad.
Constraints and Caveats Traps are not generated if the issue is resolved before the next polling cycle. If the drive is unplugged at
the time of system restart, the trap is generated.
Table 33: Fan Failure
Purpose Informs users when a fan fails.
When Sent When a fan fails, a trap is generated on the next polling cycle. The system poller job runs every 5 minutes.
OID .1.3.6.1.4.1.9.9.712.0.1
Example Fan is either bad or missing.

387
Wire Format [OctetString] applicationSpecificAlarmID=Appliance_Fan1, lastModifiedTimestamp=Sun Apr 13 15:24:11

IST 2014, alarmCreationTime=Sun Apr 13 15:24:11 IST 2014, ownerID=, eventCount=1,
eventType=APPLIANCE_FAN_BAD_OR_MISSING, previousSeverity=CLEARED, category=System(17),
transientNameValue={}, source=Fan1, notificationDeliveryMechanism=SYNTHETIC_EVENT,
instanceVersion=0, description=Fan is either bad or missing, isAcknowledged=false, displayName=NMS:
10.77.240.246
Constraints and Caveats Traps are not generated if the issue is resolved before the next polling cycle, or the fan is unplugged at the
time of system restart.
Table 34: PSU Failure
Purpose Informs users that a power supply unit is unplugged.
When Sent When a power supply is unplugged, a trap is generated on the next polling cycle. The system poller job
runs every 5 minutes.
OID .1.3.6.1.4.1.9.9.712.0.1
Example Component: Appliance, Server: Standalone, Type: Hardware, Message: Power supply: PSx is either bad
or missing.
Wire Format [OctetString] applicationSpecificAlarmID=Appliance_PS1, lastModifiedTimestamp=19 Aug 2015 01:41:26

UTC, alarmCreationTime=19 Aug 2015 01:41:26 UTC, ownerID=, eventCount=1,
eventType=APPLIANCE_POWER_SUPPLY_BAD_OR_MISSING, previousSeverity=CLEARED,
category=System(17), transientNameValue={}, source=x.x.x.x,
Appliance, Server: Standalone, Type: Hardware, Message: Power supply: PSx is either bad or missing,
isAcknowledged=false, displayName=NMS:x.x.x.x
Constraints and Caveats If the PSU is unplugged, a Power Supply alarm will be seen in Prime Infrastructure and a trap will be sent.
If the PSU is unplugged at the time of system shutdown, and Prime Infrastructure is not up till restart, an
alarm will not be generated.
Table 35: Identify Services Engine down
Purpose Informs users when an ISE is unreachable.
When Sent When an ISE is down or unreachable, the trap is generated via polling.
Note This is a system generated trap. Hence it does not have any
corresponding OID.
Example Identity services engine ISEIPAddress is unreachable.
Table 36: License violation
Purpose Informs users when the number of devices Prime Infrastructure is actually managing exceeds the number of devices it
is licensed to manage.

388
Configure Prime Infrastructure Traps
When Sent At 2:10AM, on the day following the completion of the job that added the extra devices to Prime Infrastructure inventory
Note This is a system generated trap. Hence it does not have any corresponding OID.
Example Number of managed devices N is greater than licensed devices N. Please purchase and install a license that will cover
the number of managed devices, or remove unused devices from the system.
Table 37: Prime Infrastructure does not have enough disk space for backup
Purpose Informs users when Prime Infrastructure does not have sufficient space in the specified directory to perform a backup.
When Sent Whenever Prime Infrastructure runs a server backup job and the backup repository specified (or “defaultrepo”) is 100
percent full. The trap is generated after the job completes.
Example Prime Infrastructure with address localIPAddress does not have sufficient disk space in directory directoryName for
backup. Space needed: Needed GB, space available Free GB.
Table 38: Prime Infrastructure email failure
Purpose Informs users that an attempt to send an email notification has failed.
When Sent This trap is generated by polling when Prime Infrastructure attempts to send an email notification to an invalid user,
or email notification is enabled without specifying the email server in Prime Infrastructure.
Example Prime Infrastructure with address localIPAddress failed to send email. This may be due to possible SMTP
misconfiguration or network issues.
Table 39: Northbound OSS server unreachable
Purpose Informs users that a northbound notification server is unreachable.
When Sent This trap is generated by polling when a destination northbound notification server is down or unreachable.
OID .1.3.6.1.4.1.9.9.712.0.1
Example Northbound notification server OSSIPAddress is unreachable. NCS alarms will not be processed for this server until
it is reachable.
Configure Prime Infrastructure Traps

The following sections explain how to configure and use Prime Infrastructure trap notifications.
Related Topics
Port Used To Send Traps , on page 391

389
Configure Notifications
View Events and Alarms for SNMP Traps, on page 391

Filter Events and Alarms for SNMP Traps, on page 392
Purge Alarms for SNMP Traps, on page 393
How to Troubleshoot Prime Infrastructure SNMP Traps, on page 393
Configure Notifications
For Prime Infrastructure to send northbound SNMP trap notifications, you must configure the correct settings
on both the Prime Infrastructure Event Notification and Notification Destiantion pages. Once configured,
traps will be generated based on the values associated with the Threshold and Severity for the following SNMP
Events:
• Appliance Process Failure
• HA Operations
• CPU, disk and memory utilization
• Disk, fan and PSU Failure
• Backup failure, certification expiry and licenses violations
You can edit the threshold and severity associated with each event, and enable or disable trap generation for
the associated event.
Step 1 Log in to Prime Infrastructure using a user ID with root domain privileges.
Step 2 Select Administration > Settings > System Settings > Alarms and Events > System Event configuration.
Step 3 For each SNMP event you want to configure:
a) Click on the row for that event.
b) Set the Event Severity level to Critical, Major, or Minor, as needed.
c) For the CPU, disk, memory utilization, life cycle, assurance, and collector traps: Enter the Threshold percentage
(from 1-99). These events will send the associated SNMP traps when the utilization exceeds the threshold limit. You
cannot set thresholds for events for which the threshold setting is shown as NA. These events send traps whenever
the associated failure is detected.
d) For backup threshold, certificate expiry, certificate expiry (critical), lifecycle license, assurance license, and collector
license trap: Enter the Threshold in days (from x-y, where x is the minimum value and y is the maximum value in
days).
e) Set the Event Status to Enabled or Disabled. If set to Enabled, the corresponding trap will be generated for this event.
f) For the CPU, disk, memory utilization, enter the Create and Clear Alarm Iteration value. The default value is two.
The first polling after setting the iteration value will take two times the iteration value entered in minutes. All the
future polling will take 20 minutes only.
The default polling time is 20 minutes.
Step 4 When you are finished, click Save to save your changes.
Related Topics
Configure Alarms Notification Destination, on page 239

390
Port Used To Send Traps
Port Used To Send Traps

Prime Infrastructure sends traps to notification destination on port 162. This port cannot be customized at
present. The northbound management system has to register itself through the Notification destination web
page (see Configure Alarms Notification Destination, on page 239 ).
Configure Email Server Settings

To enable Prime Infrastructure to send email notifications, the system administrator must configure a primary
SMTP email server (and, preferably, a secondary email server).
Step 1 Log in to Prime Infrastructure using a user ID with administrator privileges.

Step 2 Select Administration > Settings > System Settings > Mail and Notification > Mail Server Configuration.
Step 3 Under Primary SMTP Server, complete the Hostname/IP, User Name, Password, Port, and Confirm Password
fields as appropriate for the email server you want Prime Infrastructure to use. Enter the IP address of the physical server.
You cannot enter a virtual IP address in the Hostname/IP field, and the IP address cannot be behind a load balancer.
Step 4 Choose any one of the options from the Connection Security drop-down list. The available options are Plain Text,
STARTTLS, and SSL/TLS.
Note You must enter the corresponding port number in the Port text box.
Step 5 (Optional) Complete the same fields under Secondary SMTP Server.
Step 6 Under Sender and Receivers, enter a legitimate email address for the Prime Infrastructure server.
Step 7 (Optional) Enter a subject line in the Subject text box.
Related Topics
Purge Alarms for SNMP Traps, on page 393
View Events and Alarms for SNMP Traps

Events and Alarms for all of Prime Infrastructure’s internal SNMP traps fall under the System category. You
can view them in the Prime Infrastructure Alarms and Events dashboard.
Step 1 Log in to Prime Infrastructure.


391
Filter Events and Alarms for SNMP Traps
Filter Events and Alarms for SNMP Traps

You can use the Prime Infrastructure Filter feature to narrow the display of alarms to just those in the System
category, or use a combination of criteria and operators to focus the list on very specific alarms. The following
sections explain how to do this.
Related Topics
Filter for SNMP Traps Using Quick Filters, on page 392
Filter for SNMP Traps Using Advanced Filters, on page 392
Filter for SNMP Traps Using Quick Filters

Prime Infrastructure's Quick Filters allow you to quickly focus on the data inside a table by applying a filter
for a specific table column or columns.

Step 3 From the Show drop-down list, select Quick Filter. Prime Infrastructure displays a table header listing fields on which
you can perform a quick filter, including Severity, Message, and Category.
Step 4 In the Category field, enter System. Prime Infrastructure displays only System alarms.
Step 5 To clear the Quick Filter, click the funnel icon shown next to the Show box.
Filter for SNMP Traps Using Advanced Filters

Prime Infrastructure's Advanced Filter allows you to narrow down the data in a table by applying a filter
combining multiple types of data with logical operators (such as “Does not contain”, “Does not equal”, “Ends
with”, and so on). For example, you can choose to filter the table of alarms based on the Category, then further
reduce the data by filtering on Severity (as shown in the steps below). You can also save an Advanced Filter
for later re-use.

Step 3 From the Show drop-down list, select Advanced Filter. Prime Infrastructure displays a table header showing criteria for
the first rule in the filter.
Step 4 Complete the first rule as follows:
a) In the first field, select Category from the drop-down list.
b) In the second field, select Contains from the drop-down list.
c) In the third rule field, enter System.
d) Click Go. Prime Infrastructure displays only System alarms.
Step 5 Click the plus sign icon to add another rule, then complete the second rule as follows:
a) In the first field, select Severity from the drop down list
b) In the second field, select equals (=) from the drop-down list.
c) In the third rule field, select Major from the drop-down list.
d) Click Go. Prime Infrastructure displays only System alarms with Major Severity.

392
Purge Alarms for SNMP Traps
Repeat this step as needed.
Step 6 To save the Advanced filter, click the Save icon and supply a name for the filter.
Step 7 To clear the Advanced Filter, click Clear Filter.
For more details, see Purge Alarms for SNMP Traps, on page 393.
Related Topics
Purge Alarms for SNMP Traps

You can remove an alarm from the list of alarms by changing its status to Acknowledged or Cleared. No
e-mails will be generated for these alarms.

Step 3 Select an alarm, then choose Change Status > Acknowledge or Change Status > Clear.
How to Troubleshoot Prime Infrastructure SNMP Traps

If you are having trouble with Prime Infrastructure's internal traps and related notifications, check the following:
Step 1 Ping the notification destination from the Prime Infrastructure server, to ensure that there is connectivity between Prime
Infrastructure and your management application.
Step 2 Check if any firewall ACL settings are blocking port 162, and open communications on that port if needed.
Step 3 Log in to Prime Infrastructure with a user ID that has administrator privileges. Select Administration > Settings >
Logging and download the log files. Then compare the activity recorded in these log files with the activity you are seeing
in your management application:
• ncs_nb.log: This is the log of all the northbound SNMP trap messages Prime Infrastructure has sent. Check for
messages you have not received.
• ncs-# -# .log: This is the log of other recent Prime Infrastructure activity. Check for hardware trap messages you
have not received.
• hm-# -# .log: This is the complete log of Health Monitor activity. Check for recent messages about High Availability
state-changes and application-process failures that you have not received.

393
The messages you see in these logs should match the activity you see in your management application. If you find
major differences, open a support case with Cisco Technical Assistance Center (TAC) and attach the suspected log
files with your case.
Related Topics
Prime Infrastructure SNMP Trap Types, on page 378
Prime Infrastructure SNMP Trap Reference, on page 384
Configure Prime Infrastructure Traps , on page 389

394
APPENDIX C
Configure High Availability for Plug and Play
Gateway
• How Cisco Plug and Play Gateway HA Works, on page 395
• Cisco Plug and Play Gateway HA Prerequisites, on page 395
• Set up Standalone Cisco Plug and Play Gateway for Prime Infrastructure HA, on page 396
• Cisco Standalone Plug and Play Gateway Server HA Setup, on page 397
• Cisco Plug and Play Gateway Status, on page 398
• Remove Cisco Plug and Play Gateway in HA, on page 399
• Cisco Plug and Play Gateway HA and Cisco Prime Infrastructure Combinations, on page 400
• Limitations of Cisco Plug and Play Gateway HA, on page 400
How Cisco Plug and Play Gateway HA Works

Earlier releases of Prime Infrastructure supported a single Cisco Plug and Play Gateway in either of these
modes:
• Plug and Play Gateway standalone server mode
• Plug and Play Gateway integrated server mode
HA was not available in both these solutions, and Cisco Plug and Play Gateway does not connect to the
secondary Prime Infrastructure server automatically. It has to be manually redirected to the secondary Prime
Infrastructure server.
Prime Infrastructure supports Plug and Play Gateway in HA in current release. The Cisco Plug and Play HA
feature aims at providing the following:
• HA on a standalone server Plug and Play Gateway by providing a secondary standby Plug and Play
Gateway.
• HA support between the standalone Plug and Play Gateway and Prime Infrastructure HA.
• HA support for Prime Infrastructure integrated Plug and Play Gateway.
Cisco Plug and Play Gateway HA Prerequisites

Before using the HA feature on Cisco Plug and Play Gateway, you must:

395
Configure High Availability for Plug and Play Gateway
Set up Standalone Cisco Plug and Play Gateway for Prime Infrastructure HA
• Configure the primary and secondaryPrime Infrastructure servers and these must be accessible from Plug
and Play Gateway standalone servers. See Configure High Availability, on page 283for more details.
• Ensure that the primary and secondary Prime Infrastructure SSL server certificates used for Message
Queue Ports 61617 and Health Monitor port 8082 are available for extraction from primary and secondary
servers for Prime Infrastructure HA mode with different IP addresses. See Set Up High Availability, on
page 297 for more details.
• For virtual IP Address based HA, both primary and secondary servers must have the virtual IP address
and certificates. See Using Virtual IP Addressing With HA, on page 288 for more details.
• At least one of the Prime Infrastructureserver Message Queue port 61617 port must be active at all times
depending on the service which will take the HA role.
• Install the primary and secondary Plug and Play Gateway Virtual Machines. See the latest Cisco Prime
Infrastructure Quick Start Guide for details of installation of virtual machines from OVA file.
Set up Standalone Cisco Plug and Play Gateway for Prime

Infrastructure HA
The Cisco Prime Infrastructure server in HA can be configured in two modes:
• Virtual IP addresses for primary and secondary servers. See Using Virtual IP Addressing With HA, on
page 288 for more details.
• Different IP addresses for primary and secondary servers. See Set Up High Availability, on page 297 for
more details.
The standalone Cisco Plug and Play Gateway can be configured to work in both of these modes with a slight
modification in the setup procedure.
Related Topics
Cisco Prime Infrastructure in HA with Virtual IP Address, on page 396
Cisco Prime Infrastructure in HA with Different IP Address, on page 396
Cisco Prime Infrastructure in HA with Virtual IP Address

Prime Infrastructure can be configured with a virtual IP address which floats across the primary and secondary
servers, depending on the server that is active. Enter the virtual IP address of Prime Infrastructure in HA while
setting up Cisco Plug and Play Gateway.
Integrated Plug and Play Gateway within Prime Infrastructure will work if the same virtual IP address is
transferred to the active node. Cisco Plug and Play Gateway integrated with Prime Infrastructure will be
configured automatically to use the Prime Infrastructure virtual IP address. No specific configuration is required
to configure Cisco Plug and Play Gateway.
Related Topics
Cisco Prime Infrastructure in HA with Different IP Address, on page 396
Cisco Prime Infrastructure in HA with Different IP Address

Prime Infrastructure can be configured with primary and secondary servers having different IP addresses. For
configuring Cisco Plug and Play Gateway, run the pnp setup advance command in the advanced setup and
enter the following information:

396
Cisco Standalone Plug and Play Gateway Server HA Setup
• Primary IP address.
• Enter y, when prompted if a secondary server is to be configured.
• Secondary IP address.
See Command Reference Guide for Cisco Prime Infrastructure for more details about running the commands.
Note Cisco Plug and Play Gateway integrated with Prime Infrastructure will not work when the primary and
secondary servers have different IP addresses because the bootstrap configuration needs to be changed
according to the active node.
Related Topics
Cisco Plug and Play Gateway HA Prerequisites, on page 395
Set up Standalone Cisco Plug and Play Gateway for Prime Infrastructure HA, on page 396
Remove Cisco Plug and Play Gateway in HA, on page 399
Cisco Standalone Plug and Play Gateway Server HA Setup, on page 397
Cisco Plug and Play Gateway HA and Cisco Prime Infrastructure Combinations, on page 400
Cisco Standalone Plug and Play Gateway Server HA Setup

Cisco Standalone Plug and Play Gateway can also be configured in HA with a secondary server for failover.
Cisco Plug and Play Gateway in HA is always configured with a virtual IP address on the active node. For
setting up the standalone Plug and Play Gateway in HA you must:
• Install two reachable Cisco Plug and Play Gateways with different IP addresses.
• Run the pnp setup or pnp setup advance command on the primary Cisco Plug and Play Gateway. See
Command Reference Guide for Cisco Prime Infrastructure for more details.The primary server will
automatically configure secondary Cisco Plug and Play Gateway at the end of the setup.
• Enter y when prompted, if you want to configure HA with primary Cisco Plug and Play Gateway HA
server.
Note The standalone Cisco Plug and Play Gateway with Prime Infrastructure in HA has automatic failover from
primary to secondary. Manual failover is not available.
The standalone Cisco Plug and Play Gateway with Prime Infrastructure in HA can be configured to failback
manually or automatically from the secondary to primary server.
Enter the Cisco Plug and Play Gateway virtual IP address, virtual host name, IP address and username and
password of the secondary server as part of pnp setup. Enter 0 for manual failback and 1 for automatic failback
when prompted during the setup.
Note We recommend manual failback. Automatic failback is not recommended because in case of scenarios like
flapping interface, failover and failback happens continuously.

397
Cisco Plug and Play Gateway Status
Related Topics
Cisco Plug and Play Gateway Status, on page 398
How Cisco Plug and Play Gateway HA Works, on page 395
Setting up Cisco Plug and Play Gateway HA
Cisco Plug and Play Gateway Status

The Cisco Plug and Play Gateway status interface provides additional information regarding the following:
Prime Infrastructure HA Status:
• f the virtual IP address has been entered during setup, the status will display only the address. Cisco Plug
and Play Gateway status cannot identify whether it is connected to the primary or secondary server.
• Cisco Plug and Play HA Status:
Along with the status for the different Cisco Plug and Play Gateway processes, it will also display the Cisco
Plug and Play Gateway in active mode when both the gateways are up. The status will also show the connection
status between the primary and secondary servers as an additional value in the table.
To check the status of the Cisco Plug and Play Gateway server, log in to the gateway server and run the pnp
status command. The gateway server status is displayed.
See Command Reference Guide for Cisco Prime Infrastructure for more details on running the commands.
SERVICE | MODE | STATUS | ADDITIONAL INFO

------------------------------------------------------------------------------------------
System | | UP |
------------------------------------------------------------------------------------------
Event Messaging Bus | PLAIN TEXT | UP | pid: 6808
CNS Gateway Dispatcher | PLAIN TEXT | UP | pid: 7189, port:
11011
CNS Gateway | PLAIN TEXT | UP | pid: 7223, port:
11013
11015
11017
11019
11021
CNS Gateway Dispatcher | SSL | UP | pid: 7551, port:
11012
CNS Gateway | SSL | UP | pid: 7627, port:
11014
11016
11018
11020
11022
HTTPD | | UP |
Image Web Service | SSL | UP |
Config Web Service | SSL | UP |
Resource Web Service | SSL | UP |

398
Remove Cisco Plug and Play Gateway in HA
Image Web Service | PLAIN TEXT | UP |

Config Web Service | PLAIN TEXT | UP |
Resource Web Service | PLAIN TEXT | UP |
Prime Infrastructure Broker | SSL | UP | Connection: 1,
Connection Detail: ::ffff:10.104.105.170:61617
bgl-dt-pnp-ha-216/admin#
SERVICE | MODE | STATUS | ADDITIONAL INFO
------------------------------------------------------------------------------------------
System | | UP |
------------------------------------------------------------------------------------------
Event Messaging Bus | PLAIN TEXT | UP | pid: 6426
CNS Gateway Dispatcher | PLAIN TEXT | UP | pid: 7107, port:
11011
11013
11015
11017
11019
11021
CNS Gateway Dispatcher | SSL | UP | pid: 7381, port:
11012
11014
11016
11018
11020
11022
HTTPD | | UP |
Image Web Service | SSL | UP |
Config Web Service | SSL | UP |
Resource Web Service | SSL | UP |
Image Web Service | PLAIN TEXT | UP |
Config Web Service | PLAIN TEXT | UP |
Resource Web Service | PLAIN TEXT | UP |
Prime Infrastructure Broker | SSL | UP | Connection: 1,
Connection Detail: ::ffff:10.104.105.170:61617
PnP Gateway Monitoring | SSL | UP | port: 11010
PnP Gateway HA | SSL | UP | Primary Server
is in Active state
bgl-dt-pnp-ha-217/admin#
Remove Cisco Plug and Play Gateway in HA

To delete the HA configuration for Prime Infrastructure with different primary and secondary IP addresses
in the standalone Cisco Plug and Play Gateway, run the pnp setup advance advanced setup command and
enter n when prompted.
For deleting Cisco Plug and Play Gateway HA, run the pnp setup or pnp setup advance command and enter
n when prompted.
See Command Reference Guide for Cisco Prime Infrastructure for more details.

399
Cisco Plug and Play Gateway HA and Cisco Prime Infrastructure Combinations
Note When deleting Cisco Plug and Play Gateway HA, the administrator must manually modify the dynamic port
allocation cns event command and decommission the secondary server, if HA is being turned off. The Cisco
Plug and Play Gateway secondary server will continue to run with the virtual IP address if it is not
decommissioned.
Related Topics
Limitations of Cisco Plug and Play Gateway HA, on page 400
Cisco Plug and Play Gateway HA and Cisco Prime Infrastructure

Combinations
The Cisco Plug and Play Gateway functionality allows different configurations for HA with Prime Infrastructure.
The various combinations, as per the configuration options available, are:
• Standalone Cisco Plug and Play Gateway without HA (Single Cisco Plug and Play Gateway)
• The Prime Infrastructure server without HA.
• The Prime Infrastructure server with HA with the virtual IP address.
• Prime Infrastructure server with HA with the primary and secondary servers having two IP addresses.
• Standalone Cisco Plug and Play Gateway with HA and virtual IP address (Two Cisco Plug and Play
Gateways)
• Prime Infrastructure server without HA.
• Prime Infrastructure server with HA with the virtual IP address.
• Prime Infrastructure server with HA with the primary and secondary servers having two IP addresses.
• Integrated Cisco Plug and Play Gateway within Prime Infrastructure
• Prime Infrastructure server without HA.
• Prime Infrastructure server with HA with the virtual IP Address.
Related Topics
Limitations of Cisco Plug and Play Gateway HA, on page 400
Cisco Plug and Play Gateway Status, on page 398
Limitations of Cisco Plug and Play Gateway HA

The Cisco Plug and Play Gateway HA feature has the following limitations:

400
• Any Plug and Play requests that are partially completed on the Cisco Plug and Play Gateway during
failover and failback (the Prime Infrastructure and Cisco Plug and Play Gateway standalone server) will
remain incomplete in the Prime Infrastructure server and these may not be configured successfully on
the device.
• Failover and failback takes five to ten minutes during which Cisco Plug and Play Gateway provisioning
does not happen. Devices that have received bootstrap with cns config initial will continue to reach Cisco
Plug and Play Gateway for provisioning. Command Reference Guide for Cisco Prime Infrastructure for
more details.
• Devices take time to connect to the backup server once the IP address is moved from the active to standby
server depending on the configuration available in the cns event command for reconnect time.
• Prime Infrastructure integrated Plug and Play Gateway will support HA if the HA configuration in Prime
is based on a virtual IP address. Prime Infrastructure HA with different IP addresses for primary and
secondary servers will not support the Plug and Play Gateway HA functionality in the integrated server.
• For the Prime Infrastructure integrated Plug and Play Gateway, SSLv3 is disabled by default on all
Gateway SSL ports (for example, ports 11012, 11014, and so on).
• Related Topics
Related Topics

401

402

Cisco Prime Infrastructure 3.9 Administrator Guide

Uploaded by

Copyright:

Available Formats

Cisco Prime Infrastructure 3.9 Administrator Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco Prime Infrastructure 3.9 Administrator Guide

Uploaded by

Copyright:

Available Formats

Cisco Prime Infrastructure 3.

Full Cisco Trademarks with Software License ?

CHAPTER 1 Set Up the Prime Infrastructure Server 1

Server Setup Tasks 1

CHAPTER 2 Licenses and Software Updates 19

Prime Infrastructure Licensing 19