© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Cisco Prime Infrastructure 3.0

Deployment Guide


Contents

Scope
Introduction
Overview
Design Overview
Prerequisites
Cisco Prime Infrastructure Deployment Models
Cisco Prime Infrastructure Form Factors
Server Sizing Matrix
Installing Cisco Prime Infrastructure
Option 1: Installing Cisco Prime Infrastructure on a Physical Appliance
Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance
Accessing Cisco Prime Infrastructure GUI
Client Requirements
Logging In to Cisco Prime Infrastructure for the First Time
Licensing
Upgrading Cisco Prime Infrastructure
Migrating Data from Previous Versions
Device Packs and Software Updates
Application Setup
System Setup
Users and User Group Management
Connection to Cisco.com
Proxy Settings
Cisco.com Settings
Single Sign On (SSO)
RADIUS/TACACS+ Integration
Email Server Settings
Credential Profile
Discovering Your Network
Preparing the Network for Discovery
Discovery Settings
Scheduling Discovery
Quick Discovery
Importing Devices Manually
Data Center Discovery
Validate Discovery
Fixing Credential Errors
Grouping
Device Grouping
Port Grouping
Topology and Maps
Viewing Network Topology
Wireless Planning Tool
Wireless Site Map
Create Sites
Import/Edit Maps from WCS/NCS to Cisco Prime Infrastructure
Configuration Management


Managing Configuration Archives
Comparing Configuration
Image Management
Setting Up Image Management
Importing Software Images
Image Distribution
Configuration Templates
Choosing a Configuration Template
Defining Shared Policy Objects
Wireless Controller Configuration
RRM/Clean Air
Build RF Profiles
Apply RF Profiles to AP Groups
Automated Deployment
Compliance
Prerequisites
Creating Compliance Policy
Creating Policy Profiles
Run Compliance Audit
View Violation Summary
PSIRT and EoX Reports
Clients and Users
Client Troubleshooting
ISE Integration
MSE Integration
Monitoring
Monitoring Policies
Viewing Alarms and Events
Configuring Alarm Severity
Customizing Traps and Syslogs
Defining Custom Trap Events
Defining Custom Syslog Events
Forwarding Alarms as Traps to Notification/Trap Receivers
AVC and QoS Configuration
Monitoring Application and Services
Prerequisites
AVC Supported Platforms
Readiness Assessment
AVC Configuration
Different Approaches to Enable AVC
Enabling AVC on Wireless Controllers
Associate Endpoints to Sites
Managing Netflow Data Sources
Viewing AVC Metrics
Classify Unknown Traffic by Defining Custom Application
Updating Application Definitions (NBAR2 Protocol Pack)
Multi-NAM Capabilities within Cisco Prime Infrastructure
Netflow Dashlets
Lync Monitoring
Setting Up Microsoft Lync Monitoring
Monitoring Microsoft Lync
PfR Monitoring
Site-to-Site PfR Topology


Comparing WAN Interfaces
Dashboards
Dashboard Customization
Customizing the Dashlet Content
Remediation Tools
Wireless Remediation
Wired Remediation
Trigger Packet Capture from Cisco Prime Infrastructure
Manual Packet Capture from Cisco Prime Infrastructure
Automating Packet Capture Using Cisco Prime Infrastructure
Decoding Packet Capture Using Cisco Prime Infrastructure
Reports
REST API
High Availability
Prerequisites
Licensing
High-Availability Setup
HA Modes
Failover
Failback
Manual/Automatic Options
Automatic Failover
Manual Failover
Configuring Cisco Prime Infrastructure Backup
Advanced System Settings
Data Retention
Server Tuning
Disabling Insecure Services
Disabling Root Access
Using SNMPv3 Instead of SNMPv2
Authenticating with External AAA
Importing Client Certificates into Web Browsers
Enabling NTP Update Authentication
Enabling Certificate-Based OCSP Authentication
Setting Up Local Password Policies
Disabling Individual TCP/UDP Ports
Checking Server Security Status
Miscellaneous
Accessing Cisco Prime Infrastructure Through CLI
How to Enable CLI Root User in Cisco Prime Infrastructure Server
Start/Stop Cisco Prime Infrastructure Services
Verifying IOPS for Cisco Prime Infrastructure Virtual Machine
References
Cisco Prime Infrastructure 3.0 Links
Cisco Product Pages
Ordering and Licensing


Scope

This guide covers the installation, setup, and basic operation of Cisco Prime™ Infrastructure. For more information, see the “Design Overview” section in this guide.

Introduction

Network administrators have a demanding, tedious job overseeing all the devices on a network. To complicate matters, network devices are sometimes added to or removed from the network. As an organization grows, so does the number of devices to be managed. The needs of the network management administrators include:

● Configuration backup and archive: Administrators need to make backup copies of device configurations and store them in a protected location. Performing this task manually is extremely time-consuming and tedious. An automated means of collecting and archiving device configuration files is a valuable aid to network administrators.

● Configuration deployment: Changes in the network or the services it supports require changes to device configurations. This means manually connecting to and configuring all the affected devices, and it can take many hours to make similar, if not identical, changes to device configurations. A means of automating the deployment of such configuration changes, including support for device-specific values, can greatly improve both the speed and the accuracy of updating the network.

● Software image management: A centralized way of viewing the operating system versions running on all the network devices is very helpful, but administrators also need to get the necessary software images from a trusted source and then propagate those images to many network devices.

● Monitoring, troubleshooting, and reporting: Running a network requires knowing about the state of the network and the state of individual devices. It also requires notification of events on the network, troubleshooting tools, and an ability to generate reports about many aspects of the network.

Cisco Prime Infrastructure is the one management solution for converged-access, enterprise-class networks. It provides a single-pane-of-glass solution for managing the wired and wireless networks and end-to-end visibility from the branch to the campus and all the way to the data center.

This deployment guide helps you choose the right deployment model and describes the steps to deploy Cisco Prime Infrastructure to manage the wired and wireless networks using some of the essential network management features.

Overview

Cisco Prime Infrastructure is a sophisticated network management tool that can help support the end-to-end management of the network technologies and services that are critical to the operation of your organization; it aligns the network management functionality with the way that network administrators do their jobs. Cisco Prime Infrastructure provides an intuitive, web-based graphical user interface (GUI) that can be accessed from anywhere within the network and gives you a full view of network use and performance.

Cisco Prime Infrastructure provides comprehensive lifecycle management, assurance visibility, and troubleshooting capabilities across the network, from the user in the branch office, across the WAN, and to the data center. In essence, it is one management and one assurance for one network.


Cisco Prime Infrastructure lets you manage your network more efficiently and effectively so you can achieve the highest levels of wired and wireless network performance, service assurance, and application-centric end-user experience.

Figure 1 depicts the campus network architecture documented in the Campus Wired LAN Technology Design Guide and Campus Wireless LAN Technology Design Guide. With such a network and the services that it can support, Cisco Prime Infrastructure can play a critical role in day-to-day network operations.

Figure 1. Campus Wired and Wireless LAN Architecture

Design Overview

Prerequisites

Cisco Prime Infrastructure software runs on either a dedicated Cisco Prime Infrastructure appliance or on a VMware ESXi version 5.1 or 5.5 server. The Cisco Prime Infrastructure software image does not support the installation of any other packages or applications on this dedicated platform. You cannot install Cisco Prime Infrastructure on a standalone operating system such as Red Hat Linux, because Cisco Prime Infrastructure is available as a physical or virtual appliance that comes preinstalled with a secure and hardened version of Red Hat Linux as its operating system and bundled with Oracle 11.2.0.


Cisco Prime Infrastructure Deployment Models

● Standalone: Cisco Prime Infrastructure can be deployed as a standalone physical or virtual appliance to manage the wired and wireless network infrastructure.

● High Availability (Recommended): The Cisco Prime Infrastructure High Availability (HA) implementation allows one primary Cisco Prime Infrastructure server to fail over to one secondary (backup) Cisco Prime Infrastructure server. The secondary server sizing should be larger than or equal to that of the primary server so that it can take over Cisco Prime Infrastructure operation in the event that the primary Cisco Prime Infrastructure system fails. For example, if the primary Cisco Prime Infrastructure server is the Standard OVA, then the secondary Cisco Prime Infrastructure server must be the Standard or Pro OVA.

In Cisco Prime Infrastructure, the only HA configuration supported is 1:1 (Active, Standby), that is, 1 primary system and 1 secondary system.

● Distributed Deployment: Large or global organizations often distribute network management by domain, region, or country. For reasons of geography, scalability, resilience, or visibility, Cisco customers may deploy more than one instance of Cisco Prime Infrastructure to manage their network. If you’re one of those customers, you also need to manage all those instances together as one.

Cisco Prime Infrastructure Operations Center enables centralized management of multiple Cisco Prime Infrastructure instances. Operations Center streamlines how your administrators access and interact with multiple instances of Cisco Prime Infrastructure. You no longer need to generate reports one by one and manually consolidate results. Nor do you have to check for alarms at each dashboard. These tasks take time and may result in human errors. With Cisco Prime Infrastructure Operations Center, you get easier access to information about the health of your entire network managed by multiple instances.

Cisco Prime Infrastructure Form Factors

Cisco Prime Infrastructure comes in two main forms:

● Virtual: The Cisco Prime Infrastructure virtual appliance is packaged as an Open Virtualization Archive

(OVA) file, which must be installed on a user-supplied, qualified VMware ESXi server. This form allows you

to run on the server hardware of your choice. You can also install the virtual appliance in any of the four

configurations, each optimized for a different size of enterprise network. For hardware requirements and

capacities for each of the virtual appliance’s size options, see Virtual Appliance Options.

● Physical: The physical appliance is packaged as a rack-mountable server, with Cisco Prime Infrastructure

preinstalled and configured for you. For physical appliance hardware specifications and capacities, see

Physical Appliance Options.

Server Sizing Matrix

Table 1 helps you pick the right OVA image size for the Cisco Prime Infrastructure virtual appliance.

Note: Compliance is supported on the Professional virtual appliance (OVA) and the Gen 2 physical appliance

based on Cisco UCS® only.

Table 1. Server Sizing Matrix

| Device Type | Express | Express-Plus | Standard | Professional | Hardware Appliance (Gen2) |
|---|---|---|---|---|---|
| Network Devices | | | | | |
| Max Unified APs | 300 | 2500 | 5,000 | 10,000 | 20,000 |
| Max Wired Devices | 300 | 1000 | 6,000 | 10,000 | 13,000 |
| Max Autonomous APs | 300 | 500 | 1500 | 2500 | 3,000 |
| Max NAMs | 5 | 5 | 500 | 800 | 1,000 |
| Max Controllers | 5 | 25 | 500 | 800 | 1000 |
| Maximum number of devices (combination of wired and wireless devices) | 500 | 3000 | 10000 | 14000 | 24000 |
| Clients | | | | | |
| Max Wireless (Roaming) Clients | 4,000 | 30,000 | 75,000 | 150000 | 200,000 |
| Max Changing (Transient) Clients | 1,000 | 5,000 | 25,000 | 30000 | 40,000 |
| Max Wired Clients | 6,000 | 50,000 | 50,000 | 50,000 | 50,000 |
| Mobility Services Engine (MSEs) | 1 | 1 | 6 | 10 | 12 |
| Monitoring | | | | | |
| Max Interfaces | 12,000 | 50,000 | 250,000 | 250,000 | 350,000 |
| Max NetFlow Rate (flows/sec) | 3,000 | 3,000 | 16,000 | 40,000 | 80,000 |
| Max Events (events/sec) | 100 | 100 | 300 | 500 | 1,000 |
| Max Trap Rate | 20 | 20 | 60 | 100 | 300 |
| Max Syslog Rate | 70 | 70 | 210 | 350 | 600 |
| Max NAM Data Polling Enabled | 5 | 5 | 20 | 30 | 40 |
| Max Polling Interfaces (Polling of trunk ports) | 2400 | 8000 | 48000 | 10000 | 10000 |
| Max hourly Host Records | 144,000 | 720,000 | 2,100,000 | 6,000,000 | 12,000,000 |
| System | | | | | |
| Max Number of Sites per Campus | 200 | 500 | 2,500 | 2,500 | 2,500 |
| Max Virtual Domains | 100 | 500 | 750 | 750 | 750 |
| Max Groups (Total): User-Defined + Out of the Box + Device Groups + Port Groups | 50 | 100 | 150 | 150 | 150 |
| Max Concurrent GUI Clients | 5 | 10 | 25 | 50 | 50 |
| Max Concurrent API Clients | 2 | 2 | 5 | 5 | 5 |

Refer to the Cisco Prime Infrastructure 3.0 Quick Start Guide for the latest sizing information.

Table 2 lists the hardware requirements for the virtual appliance based on wired/wireless scale.

Table 2. Hardware Requirements for Virtual Appliance

| Virtual Appliance Size | Virtual CPU | Memory (DRAM) | HDD Size | Throughput (Disk I/O)** | Max Concurrent Clients/Users | API Clients |
|---|---|---|---|---|---|---|
| Express | 4 | 12 GB | 300 GB | 200 MB/s | 5 | 2 |
| Express-Plus | 8 | 16 GB | 600 GB | 200 MB/s | 10 | 2 |
| Standard | 16 | 16 GB | 900 GB | 200 MB/s | 25 | 5 |
| Professional | 16 | 24 GB | 1.2 TB | 320 MB/s | 50 | 5 |

Note: You can configure any combination of sockets and cores, the product of which must equal the number of

virtual CPUs required. For example, if 16 virtual CPUs are required, you can configure 4 sockets with 4 cores, or 2

sockets with 8 cores, etc.
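The selection that Table 1, Table 2 and the HA sizing rule describe, as an added example (not Cisco's code): it checks a planned inventory against a subset of Table 1 rows copied as printed, validates a 1:1 HA pair, and lists the socket/core combinations for a Table 2 vCPU count. Function and metric names are hypothetical, and ranking the hardware appliance above the Professional OVA follows Table 1's column order as an assumption.

```python
"""Sizing helper built from Table 1 and Table 2 of this guide (added example)."""

# Column order of Table 1. Used as the size ranking for the HA check; treating
# the hardware appliance as larger than the Professional OVA is an assumption.
SIZES = ["Express", "Express-Plus", "Standard", "Professional",
         "Hardware Appliance (Gen2)"]

# Subset of Table 1 rows, values copied as printed, one value per size.
# Metric names are hypothetical labels for the rows.
LIMITS = {
    "unified_aps":        [300, 2500, 5000, 10000, 20000],
    "wired_devices":      [300, 1000, 6000, 10000, 13000],
    "total_devices":      [500, 3000, 10000, 14000, 24000],
    "wireless_clients":   [4000, 30000, 75000, 150000, 200000],
    "netflow_per_sec":    [3000, 3000, 16000, 40000, 80000],
    "polling_interfaces": [2400, 8000, 48000, 10000, 10000],
    "gui_clients":        [5, 10, 25, 50, 50],
    "api_clients":        [2, 2, 5, 5, 5],
}

# Virtual CPU column of Table 2 (virtual appliances only).
VCPUS = {"Express": 4, "Express-Plus": 8, "Standard": 16, "Professional": 16}


def exceeded(size, demand):
    """Return the metrics in `demand` that exceed the Table 1 limit for `size`."""
    unknown = set(demand) - set(LIMITS)
    if unknown:
        raise KeyError(f"metric not in the Table 1 subset: {sorted(unknown)}")
    col = SIZES.index(size)
    return sorted(m for m, v in demand.items() if v > LIMITS[m][col])


def fitting_sizes(demand):
    """Every size whose limits cover the demand.

    Each column is checked on its own instead of assuming that a larger size
    covers everything a smaller one does: the polling-interfaces row, as
    printed, is lower for Professional and Gen2 than for Standard.
    """
    return [s for s in SIZES if not exceeded(s, demand)]


def smallest_fit(demand):
    """Smallest size that covers the demand, or None if no column does."""
    fits = fitting_sizes(demand)
    return fits[0] if fits else None


def valid_ha_pair(primary, secondary, demand=None):
    """1:1 HA rule: the secondary must be the primary's size or larger.

    When `demand` is given, the secondary must also cover it, since it takes
    over the full workload on failover.
    """
    if SIZES.index(secondary) < SIZES.index(primary):
        return False
    return demand is None or not exceeded(secondary, demand)


def socket_core_options(size):
    """All (sockets, cores) pairs whose product equals the required vCPUs."""
    vcpus = VCPUS[size]
    return [(s, vcpus // s) for s in range(1, vcpus + 1) if vcpus % s == 0]


# Constructed sample inventories, not taken from the guide.
BRANCH = {"unified_aps": 1800, "wired_devices": 700, "total_devices": 2500,
          "wireless_clients": 20000, "gui_clients": 8}
TRUNK_HEAVY = {"wired_devices": 5000, "polling_interfaces": 20000}

if __name__ == "__main__":
    print("branch       ->", smallest_fit(BRANCH))
    print("trunk heavy  ->", fitting_sizes(TRUNK_HEAVY))
    print("HA Std->Pro  ->", valid_ha_pair("Standard", "Professional"))
    print("HA Std->Pro with trunk-heavy load ->",
          valid_ha_pair("Standard", "Professional", TRUNK_HEAVY))
    print("Standard vCPU layouts ->", socket_core_options("Standard"))
```

Confirm the final choice against the Cisco Prime Infrastructure 3.0 Quick Start Guide, which the guide names as the source of the latest sizing information.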

Installing Cisco Prime Infrastructure

Option 1: Installing Cisco Prime Infrastructure on a Physical Appliance

Cisco Prime Infrastructure 3.0 comes preinstalled on a next-generation Cisco UCS appliance. If, for some reason, the physical appliance arrives without any software, the application can be installed from the ‘.iso’ image (burned to a DVD). Once the server boots up, the procedure is similar to the one described for the virtual appliance. Use the ‘.iso’ image instead of the ‘.ova’ image when installing on a Cisco Prime Infrastructure Physical Appliance. For more details, see the Cisco Prime Infrastructure Hardware Appliance Installation Guide.

Cisco Prime Infrastructure Physical Appliance comes with the specifications shown in Table 3.

Table 3. Cisco Prime Appliance Specifications

| Physical Appliance | Physical CPU | Memory (DRAM) | HDD Size | Throughput (Disk I/O) | Max Concurrent Clients/Users | API Clients |
|---|---|---|---|---|---|---|
| Cisco Prime Appliance | 10 Cores (20 Threads) | 64 GB | 3600 GB (8x900 GB RAID10) | 320 MB/s | 50 | 5 |

Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance

Cisco Prime Infrastructure is delivered as a virtual appliance, or OVA file. OVA files allow you to easily deploy a prepackaged virtual machine (VM): an application along with a database and an operating system. Follow the links below for detailed instructions on installing the Cisco Prime Infrastructure virtual appliance.

● Before You Begin

● Deploying the OVA from the VMware vSphere Client

● Installing the Server

Accessing Cisco Prime Infrastructure GUI

Client Requirements

Table 4 shows all the supported browsers that can be used to access Cisco Prime Infrastructure. See the Cisco

Prime Infrastructure 3.0 Quick Start Guide for the latest client requirements.

Table 4. Client Requirements

| Supported Browser | Browser Version | Additional Note |
|---|---|---|
| Internet Explorer | 10, or 11 | No plug-ins are required |
| Mozilla Firefox | Firefox 35 or later | Latest Firefox version may be used, but it may not be tested depending on when it was released. |
| Mozilla Firefox ESR | ESR 31, 38 | |
| Google Chrome | Chrome 40 or later | Latest Chrome version may be used, but it may not be tested depending on when it was released. |

Display resolution—Cisco Prime Infrastructure supports 1366 x 768 or higher, but we recommend that you set the

screen resolution to 1600 x 900.

The Cisco Prime Infrastructure user interface is based on HTML 5 and removes any dependency on Adobe Flash.

TIP: It is strongly recommended to use a client with at least 4 GB of memory. Adding more memory will definitely enhance the end-user experience.

Logging In to Cisco Prime Infrastructure for the First Time

Once the Cisco Prime Infrastructure server has been installed and configured, it is ready to be accessed from the web. The server URL is https://server_hostname or https://<ip-address>. Use the following credentials for the first login.

Username: root

Password: <the root password is the one that was entered during the install script>

After the server has been configured, it is advisable to log in with a non-root user and keep the root user for system-level configuration as and when needed. More information can be found in the Cisco Prime Infrastructure 3.0 Quick Start Guide, under Logging into the Cisco Prime Infrastructure User Interface.

Licensing

You can access the lifecycle and assurance features of the newly installed Cisco Prime Infrastructure using the

built-in evaluation license that is available by default. The default evaluation license is valid for 60 days for 100

devices. You need to purchase the licenses to continue using Cisco Prime Infrastructure before the evaluation

license expires.

License files can be added to Cisco Prime Infrastructure by navigating to Administration > Licenses and

Software Updates > Licenses in the GUI.

Figure 2. Adding License Files

Table 5 lists the different licenses available for Cisco Prime Infrastructure.

Table 5. License Types in Cisco Prime Infrastructure

| License Type | License Purpose |
|---|---|
| Base | Required for every Cisco Prime Infrastructure installation and is a prerequisite for all other license types. |
| Management (Lifecycle, Assurance, APIC-EM/PnP) | Regulates the total number of devices, NetFlow devices under Cisco Prime Infrastructure management. |
| High Availability | High Availability Right To Use (RTU) License. |
| Collector | Regulates the total number of NetFlow data flows per second that Cisco Prime Infrastructure can process. |
| Data Center | Regulates the number of blade servers being managed by Cisco UCS device(s) in Cisco Prime Infrastructure. The license count matches the number of blades or rack units associated with any Cisco UCS device. |
| Data Center Hypervisor | Regulates the total number of host(s) managed by Cisco Prime Infrastructure management. This license manages Discovery Sources (vCenter) in Cisco Prime Infrastructure. |
| Operations Center base License | Operations Center base License is required in case of distributed deployment of Cisco Prime Infrastructure and when the customer wants to deploy Operations Center to centrally manage the Cisco Prime Infrastructure instances. |
| Operations Center Server License | Required to manage the Cisco Prime Infrastructure instances in Operations Center. |

Note: Licenses are supplied in either evaluation or permanent form. For more information on Cisco Prime

Infrastructure licensing, you can also refer to the Cisco Prime Infrastructure 3.0 Ordering and Licensing Guide.

Upgrading Cisco Prime Infrastructure

Cisco Prime Infrastructure can be upgraded to version 3.0 from the following versions:

● Cisco Prime Infrastructure 2.2.3

● Cisco Prime Infrastructure 2.2.2

● Data Center Technology Package 1.0.0 for Cisco Prime Infrastructure 2.2.1

● Wireless Technology Package 1.0.0 for Cisco Prime Infrastructure 2.2.1

● Cisco Prime Infrastructure 2.2.1

● Cisco Prime Infrastructure 2.2

If your product/version is not in this list, to upgrade to 3.0, you must first upgrade to version 2.2.x at a minimum. For

In-line Upgrade, follow the steps listed in the Cisco Prime Infrastructure 3.0 Quick Start Guide.

Note: You cannot upgrade to Cisco Prime Infrastructure 3.0 if you have installed version 2.2.x in FIPS mode.

Migrating Data from Previous Versions

Data migration is supported only from Cisco Prime Infrastructure 2.2.x versions. Follow the data migration steps

listed in the Cisco Prime Infrastructure 3.0 Quick Start guide.

Device Packs and Software Updates

Cisco Prime Infrastructure periodically provides critical fixes, device support, and add-on updates that you can

download and install by choosing Administration > Licenses and Software Updates > Software Update.

Depending on the connectivity and preference, you can install software updates by:

● Downloading updates directly from Cisco.com to the Cisco Prime Infrastructure server. To use this method,

Cisco Prime Infrastructure server must be able to connect externally to Cisco.com. For details, see Installing

Software Updates from Cisco.com.

● Downloading software update files to a client or server with external connectivity, then uploading them to

and installing them on the Cisco Prime Infrastructure server. For details, see Uploading and Installing

Downloaded Software Updates.

Figure 3. Device Packs and Software Updates

Application Setup

System Setup

Users and User Group Management

It is not advisable to use the root user to log in for normal purposes. Role-based access control can be enforced by creating new users and assigning them to the relevant user groups and virtual domains.

Manage User Groups

User groups are synonymous with roles. All the roles except the user-defined roles are preconfigured. User-defined

groups can be modified by navigating to Administration > Users > Users, Roles & AAA > User Groups > User

Defined #. By clicking the task list, you can perform the following activities:

● Modify other groups and roles.

● Add users.

● See audit trail.

● Export the TACACS+/RADIUS command sets.

User-defined roles can be modified by clicking the User Defined link in Figure 4. Once clicked, all the collapsed

user access controls are expanded as shown in the figure. You can select the whole category, for example,

Network Configuration, or a few of the options within that category to customize the role. Once the group/role is

created, multiple users can then be assigned to that group.

Figure 4. User Group Administration

Manage Users

You can add new users by navigating to Administration > Users > Users, Roles & AAA > Users > Add Users

and selecting “Add Users” from the drop-down on the right side. Once you get into the add user workflow, enter

the username, password, and local authorization for this user as shown in Figure 5. Map the user to the

appropriate Role and assign Virtual Domains. It doesn’t really matter whether you create users or groups first.

Figure 5. User Groups Creation

Virtual Domain

Virtual domains allow you to control who has access to specific sites and devices. After you add devices to Cisco

Prime Infrastructure, you can configure virtual domains. Virtual domains are logical groupings of devices and are

used to control the administration of the group. By creating virtual domains, an administrator allows users to view

information relevant to them specifically and restricts their access to other areas. Virtual domain filters allow users

to configure devices, view alarms, and generate reports for their assigned part of the network only.

Virtual domains are organized hierarchically. Subsets of an existing virtual domain contain the network elements

that are contained in the parent virtual domain. The “ROOT-DOMAIN” domain includes all virtual domains.

A virtual domain can be added by navigating to Administration > Users > Virtual Domain.

A virtual domain can also be assigned to the users when you define their roles by selecting the virtual domain on

the left side and moving it to the right side as shown in Figure 6.

Figure 6. Virtual Domain

Connection to Cisco.com

Cisco.com connection is required for some of the advanced features such as Smart Interactions (TAC service

requests, and support forums), importing software images, Software Update, and many others. It is vital for the

Cisco Prime Infrastructure server to be able to connect to cisco.com to pull the data for those reasons. There are

two parts to making this work:

● Proxy settings

● Cisco.com user settings

Proxy Settings

If Cisco Prime Infrastructure requires a proxy to connect to the Internet, you can enter the proxy information by

navigating to Administration > Settings > System Settings > Proxy. You can enable proxy settings and enter all

the proxy information there. Authentication proxies are also supported in Cisco Prime Infrastructure.

Cisco.com Settings

You can enter your cisco.com credentials at the following places:

● Administration > Settings > System Settings > Inventory > Account Credential

● Administration > Settings > System Settings > General > Support Request

Single Sign On (SSO)

Cisco Prime Infrastructure supports Single Sign-On (SSO). You can configure more than one SSO server for Cisco Prime Infrastructure. Authentication will fall back to the second SSO server, and so on.

To add SSO servers, navigate to Administration > Users > Users, Roles & AAA > SSO Servers. Select Add

SSO servers. SSO Servers settings can be configured by navigating to Administration > Users > Users, Roles

& AAA > SSO Server Settings.

Figure 7. SSO Server Settings

RADIUS/TACACS+ Integration

Cisco Prime Infrastructure supports local authentication as well as TACACS+ and RADIUS AAA. To add a TACACS+ or RADIUS server, navigate to Administration > Users > Users, Roles & AAA. For Cisco Prime Infrastructure to communicate with the TACACS+ server, the shared secret you enter on this page must match the shared secret configured on the TACACS+ server.

Figure 8. Adding TACACS+ Server

Email Server Settings

Administrators must configure email parameters to enable Cisco Prime Infrastructure to email reports, alarm

notifications, and so on. You must configure the primary SMTP server before you can set the email parameters.

Choose Administration > Settings > System Settings > Mail and Notification > Mail Server Configuration.

Credential Profile

Credential profiles are sets of device credentials. The credentials provided in a credential profile can include SNMP,

Telnet, SSH and HTTP/HTTPS credentials.

Choose Inventory > Device Management > Credential Profiles to add, edit, delete or copy credential profiles.

You can apply a credential profile during device discovery, when manually adding a device, or during bulk import of

devices.

Figure 9. Creating Credential Profile

Discovering Your Network

Cisco Prime Infrastructure uses and enhances the discovery mechanisms by using protocols such as ping, SNMP

(v1, v2c, and v3), Cisco® Discovery Protocol, Link Layer Discovery Protocol (LLDP), and Open Shortest Path First

(OSPF) to discover the network automatically. This section will focus on how best to configure the discovery

settings once and to automate the discovery, going forward.

You can add devices to Cisco Prime Infrastructure in one of the following ways:

● Use an automated process

◦ Discovery Settings

◦ Quick Discovery

● Import devices from a CSV file.

● Add devices manually by entering IP address and device credential information.

Preparing the Network for Discovery

Devices must be configured with Cisco Discovery Protocol/LLDP, SNMP (V2, V3), or Telnet/SSH. Advanced

protocols OSPF and BGP can also be used.

For successfully managing a device using Cisco Prime Infrastructure, it is crucial that all the essential protocols be

defined in the device credential for a given device. The following matrix shows what protocols are needed for

various wired and wireless device types.

Device Family SNMP RW Telnet/SSH HTTP

Wireless controllers

Wireless controllers (Cisco IOS® XE Software)

Access points

Routers/switches

Medianet-capable routers and switches

Network Analysis Module

Third-party devices

These credentials are sufficient to discover wired as well as wireless networks.

Discovery Settings

This method is recommended if you want to specify settings and rerun discovery in the future using the same

settings. Discovery settings can be used to have complete control over the discovery process.

You can specify various protocols, list of seed devices to be used, subnet range, credential profile/credential, and

management IP address that needs to be used to discover the network. For various discovery settings supported

by Cisco Prime Infrastructure, see the Cisco Prime Infrastructure User Guide.

You can create multiple discovery settings. These specify which protocols are to be used by Cisco Prime

Infrastructure while discovering the network. Discovery can be easily accessed from the Getting Started page

when you log in for the first time or by navigating to Inventory > Device Management > Discovery.

Select Discovery Settings to create a profile and reuse it for discovering devices in the future. Click New in the discovery settings modal pop-up. The Discovery Settings window opens, where you can configure all the discovery settings. The window is broken down into four sections: Protocol Settings, Filters, Credential Settings, and Preferred Management IP.

You need to select at least one item from Protocol Settings, SNMP and Telnet/SSH from Credential Settings,

and Preferred Management IP. You can add your subnets manually or use the Import CSV File button to import

all your subnets from a simple CSV file.

After creating discovery settings, you can discover the wired and wireless network. Select the saved discovery settings and click the Run Now button as shown in the figure. A discovery job is created, and the status of the discovery job can be monitored on the same page in real time.

Figure 10. Discovery Profile Settings

Scheduling Discovery

In addition to running discovery in real time, you can schedule discovery to run when you want it. Select the

required discovery settings and click Schedule. A modal pop-up opens in which you specify the schedule. Scheduling is extremely flexible in Cisco Prime Infrastructure. You can run discovery at intervals ranging from every x minutes to every y years.

Figure 11. Discovery Job Schedule

Quick Discovery

Quick Discovery ping sweeps the network quickly based on the seed IP address you provide and also uses SNMP

polling to get details on the devices.

Importing Devices Manually

If the device list and its credentials are maintained in an Excel sheet, Cisco Prime Infrastructure gives you the option to import the device list. Navigate to Inventory > Device Management > Network Devices and select Bulk Import. The Bulk Import pop-up is displayed as shown in Figure 12.

Figure 12. Bulk Import

TIP: Export the device template using the first “here” link. Use the exported CSV file to populate the device

information. This will make sure your import goes through successfully.

Data Center Discovery

Cisco Prime Infrastructure extends coverage to the data center and to the compute infrastructure management

supporting inventory, fault, configuration and performance for Cisco UCS B-series blade and C-series rack servers.

Integration with VMware vCenter supports monitoring and visualization of virtualized servers and VMware

hypervisors operating on Cisco UCS underlay hosts.

VMware vCenter details (Protocol—HTTP/HTTPS, Server—Host Name/IP address of vCenter, Port—443 for HTTPS or 80 for HTTP, User Name/Password—vCenter Credential) are needed to discover the complete inventory of compute resources like data center, cluster, hosts and VMs (Inventory > Device Management > Compute Devices > Discovery Sources > Add Device). You need to add a Data Center Hypervisor license to collect the inventory of the VMware vCenter server.

Figure 13. Adding VMware vCenter Details

Compute devices provide a consolidated view of all the devices that provide compute capability within a Data

Center. You can manage Cisco UCS devices in the same way other network devices are managed.

You can create user defined Hosts and VMs Sub-groups similar to device groups.

Figure 14. Compute Device Details

Validate Discovery

To validate and view the complete list of devices discovered by Cisco Prime Infrastructure, navigate to Inventory > Device Management > Network Devices to see the entire inventory that has been discovered. The left pane allows you to filter the devices based on the device types or the user-defined groups that you create.

Figure 15. Discovered Device Inventory

Fixing Credential Errors

At times, you will encounter a few devices that don’t have the SNMP strings or the CLI access that you thought they would have. You can either streamline or change the information on the devices, or, if you have another set of credentials for a different subnet, you can add it by creating a new credential profile and rerunning the discovery. If you have a handful of changes, you can select the particular devices and then click Edit to modify the credentials.

Figure 16. Edit Device Discovery Credential

Figure 17. Device Inventory Status and Credential Verification

Cisco Prime Infrastructure allows the user to export devices with credentials directly from the GUI. Navigate to Inventory > Device Management > Network Devices to find the Export Device option as shown in Figure 18.

Figure 18. Export Device Discovery Credential Information

You can export the device credentials, change them using a spreadsheet application, and import them back.

TIP: If you need to change the credentials for devices in bulk, this method can be used to do that.

Grouping

Device Grouping

Cisco Prime Infrastructure provides the following types of grouping:

● Device type groups—By default, Cisco Prime Infrastructure creates rule-based device groups and assigns

devices to the appropriate Device Type folder. You cannot edit these device groups. The device type

groups are not used for network topology maps.

● Location groups—Create location-based groups. Location groups allow you to group devices by location.

You can create a hierarchy of location groups (such as theater, country, region, campus, building, and floor)

by adding devices manually or dynamically.

Figure 19. Adding Devices to the Location Group Dynamically

● User-defined groups—Allow you to create your own device groups. These groups can be static or dynamic.

Figure 20. Device Groups in Cisco Prime Infrastructure

Port Grouping

Port grouping helps you simplify monitoring and configuration tasks. Cisco Prime Infrastructure allows you to create groups in addition to the default preconfigured port groups. Port group creation can be accessed from Inventory > Group Management > Port Groups. If a custom port group needs to be created, you can hover over User Defined and click the (i) icon to access a pop-up menu for adding a new group.

Figure 21. Creating Port Groups

The WAN Interfaces port group is a special preconfigured port group. The interfaces in this group are your WAN

interfaces that need to be actively monitored. In order to add WAN interfaces to this group, select all the groups

and filter the WAN interfaces based on your interfaces type, IP address, interface description, or any other

attributes that are used to denote a WAN interface group. It is highly recommended to populate this group with the

WAN interface to get the most out of this application.

Topology and Maps

Viewing Network Topology

Cisco Prime Infrastructure topology maps are based on location groups. Cisco Prime Infrastructure provides a

visual map of your network’s physical topology, including the network devices and the links that connect them. You

must enable Cisco Discovery Protocol on the devices to visualize the links.

Figure 22. Network Topology Maps

Wireless Planning Tool

Cisco Prime Infrastructure provides a built-in planning tool that can be used by network administrators to determine

what is required in the deployment of a wireless network. As part of the planning process, various criteria are entered into the planning tool. Complete these steps:

1. Specify the AP prefix and AP placement method (automatic versus manual).

2. Choose the AP type and specify the antenna for both the 2.4 GHz and 5 GHz bands.

3. Choose the protocol (band) and minimum desired throughput per band that is required for this plan.

4. Enable planning mode for advanced options for data, voice, and location. Data and voice provide safety margins for design help. Safety margins help design for certain RSSI thresholds, which are detailed in the online help. Monitor mode factors in APs that could be deployed to augment location accuracy. Location typically requires a denser deployment than data, and the location check box helps plan for the advertised location accuracy.

5. Both the Demand and Override options allow for planning for any special cases where there is a high density

of client presence such as conference rooms or lecture halls.

The generated proposal contains the following:

● Floor plan details

● Disclaimer/scope/assumptions

● Proposed AP placement

● Coverage and data rate heat map

● Coverage analysis

Wireless Site Map

Cisco Prime Infrastructure site maps represent the geographical locations and physical structures where your organization maintains network assets. Site maps display the physical locations of network devices, including wireless access points and client devices such as laptops, tablets, and mobile phones. They also help to visualize wireless network coverage, including the "heatmap," which displays signal strength and quality, and the locations of RF interferers, chokepoints, and so on.

Site maps provide a summary view of all your managed systems on campuses, buildings, outdoor areas, and floors. Cisco Prime Infrastructure allows you to add maps and view your managed systems on realistic campus, building, and floor maps.

The features of Cisco Prime Infrastructure site maps are:

● Supports .PNG, .JPG, .JPEG, or .GIF formats.

● Automatically converts images such as DXF or DWG CAD files and Qualcomm MET files to your choice of PNG, JPG, JPEG, or GIF file formats.

● Automatically resizes the maps to fit the workspace.

● Supports importing Google Earth Maps.

It is recommended not to have more than 100 APs per floor area. If you have monitor mode access points on the floor plan, the coverage heatmap excludes monitor mode access points.

Figure 23. Wireless Site Maps: Floor Settings


Create Sites

There are two ways of creating sites. You can manually create the sites by navigating to Inventory > Device Management > Network Devices > Device Groups > Select ‘Create Sites’.

Figure 24. Site Creation by User Manually

If your access points follow a very consistent naming convention, you can automatically create a site tree map based on the hostname. Figure 25 shows how a device hostname whose fields are separated by hyphens can be split, using the hyphen as the delimiter, to create a site map tree automatically.

Figure 25. Automatic Hierarchy Creation

To create automatic site hierarchies, go to Maps > Wireless Maps > Automatic Hierarchy Creation. Enter the AP hostname and a suitable regular expression (or generate one as mentioned in the tip below). Click Test to see how the site is created from the hostname. Change the pull-down to map each part to the appropriate campus, building, floor, device, and so on.

TIP: After entering a sample hostname for an AP, you can click Create basic regex based on delimiter to

automatically generate the regular expression.
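The hostname-to-hierarchy mapping described above, sketched in Python as an added example (not Cisco Prime Infrastructure code or output). The hostnames, the function names and the generated pattern are constructed for illustration, and the group order campus, building, floor, device is an assumed pull-down mapping.

```python
import re

# Hierarchy levels named in the text; the order is the assumed mapping of
# capture groups 1..4 to the pull-down choices.
LEVELS = ("campus", "building", "floor", "device")

# Constructed sample AP hostnames (not from the guide).
SAMPLE_HOSTNAMES = [
    "SJC-B14-F2-AP01",
    "SJC-B14-F2-AP02",
    "SJC-B15-F1-AP01",
    "RTP-B3-F1-AP07",
    "lab-ap-spare",        # only three fields
    "SJC-B14-F2-AP-03",    # extra hyphen inside the device name
]


def basic_regex(sample_hostname, delimiter="-"):
    """Return a pattern with one capture group per delimited field.

    Each group excludes the delimiter itself, so a hostname with too many
    or too few fields fails to match instead of being split in the wrong place.
    """
    fields = sample_hostname.split(delimiter)
    if len(fields) < 2:
        raise ValueError("sample hostname does not contain the delimiter")
    escaped = re.escape(delimiter)
    group = "([^" + escaped + "]+)"
    return escaped.join([group] * len(fields))


def parse_hostname(hostname, pattern, mapping=LEVELS):
    """Map the capture groups of one hostname to hierarchy levels, or None."""
    match = re.fullmatch(pattern, hostname)
    if match is None or len(match.groups()) != len(mapping):
        return None
    return dict(zip(mapping, match.groups()))


def build_site_tree(hostnames, pattern, mapping=LEVELS):
    """Group devices under campus > building > floor; collect non-matching names."""
    tree, rejected = {}, []
    for name in hostnames:
        parsed = parse_hostname(name, pattern, mapping)
        if parsed is None:
            rejected.append(name)
            continue
        floor = (tree.setdefault(parsed["campus"], {})
                     .setdefault(parsed["building"], {})
                     .setdefault(parsed["floor"], []))
        floor.append(parsed["device"])
    return tree, rejected


if __name__ == "__main__":
    pattern = basic_regex(SAMPLE_HOSTNAMES[0])
    tree, rejected = build_site_tree(SAMPLE_HOSTNAMES, pattern)
    print("pattern :", pattern)
    print("tree    :", tree)
    print("rejected:", rejected)
    # A permissive pattern accepts the hostname with the extra hyphen and
    # silently shifts every field, which is what testing a sample catches.
    print("greedy  :", parse_hostname("SJC-B14-F2-AP-03", r"(.*)-(.*)-(.*)-(.*)"))
```

Hostnames that land in the rejected list are the ones to rename or place manually before relying on the automatic hierarchy.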


Import/Edit Maps from WCS/NCS to Cisco Prime Infrastructure

If you have already created sites for the wireless network in a previous version of WCS or NCS, you can export

from those applications and import the information into Cisco Prime Infrastructure as well. You can go to Maps >

Wireless Maps > Site Maps > Choose File.

Figure 26. Importing Wireless Site Maps

Configuration Management

Managing Configuration Archives

Cisco Prime Infrastructure archives and maintains multiple versions of running and startup configurations.

Configuration Archive settings control how Cisco Prime Infrastructure should manage the archives. Configuration

archive settings can be configured by navigating to Administration > Settings > System Settings > Inventory >

Configuration Archive.

The Basic tab allows users to define protocol order, SNMP timeout, the number of days and the versions to retain, thread pool count, and other such variables. The Advanced tab allows users to define a list of commands to exclude for each of the device family types.

Figure 27. Configuration Archive Settings


Comparing Configuration

You can use Cisco Prime Infrastructure to view and compare device configurations. To compare configurations, navigate to Inventory > Device Management > Network Devices > Select the device. Select the Configuration Archive tab. Select the version of the configuration to compare and select the compare options. The color-coded configuration differences are then displayed instantly, as shown in Figure 28.

Figure 28. Configuration Archive

Image Management

Upgrading the software images on devices to the latest version can be error-prone and time-consuming if a manual process is followed. Cisco Prime Infrastructure simplifies the deployment of software images to one or many devices at the same time by letting you plan, schedule, download, and monitor software image update jobs. Cisco Prime Infrastructure also provides software image details, lists recommended software images, and deletes software images.

Setting Up Image Management

Cisco Prime Infrastructure provides a number of knobs that can be accessed from Administration > Settings > System Settings > Inventory > Image Management. These include a team-shared cisco.com username/password, job failure handling options, image and configuration protocol options, and so on. It is recommended that you set these up initially so that your preferences are applied when distributing images to managed devices.

Figure 29. Image Management


Importing Software Images

Cisco Prime Infrastructure allows you to import images into the software image library from devices, from the local file system, and by other means.

Figure 30. Import Images

Image Distribution

Images can easily be added to the local repository by choosing Inventory > Device Management > Software Images > Import. Follow the wizard to import images. Images can be deployed to devices by navigating to Inventory > Device Management > Software Image. Select the image from the list (once it has been added to the repository) and click Distribute Images. Once the devices to be upgraded or downgraded are selected, a prerun status is shown, which helps avoid job failures in the first place. Click Upgrade Analysis to generate a report on this.

Figure 31. Image Repository

Figure 32. Distributing Selected Image to Device


Configuration Templates

Configuration templates follow a design, approve, and deploy workflow. When you have a site, office, or branch that uses a similar set of devices and configurations, you can use configuration templates to build a generic configuration that you can apply to one or more devices.

Choosing a Configuration Template

Cisco Prime Infrastructure provides the following types of templates:

● Features and technologies templates - These out-of-the-box templates are specific to a feature or a technology based on CVD or Cisco best practice recommendation. Features and Technologies templates are based on device configuration(s) that focus on specific features or technologies in a device configuration. These templates can configure various wired and wireless features on the devices. You can even customize these templates by duplicating them, editing the copies, and saving them as your own custom templates.

Figure 33. Configuration Templates Features and Technologies

● CLI templates - CLI templates use Cisco IOS Software CLI commands. Cisco Prime Infrastructure supports

system defined CLI templates and custom CLI templates.

● System templates - CLI - These are CLI-based, customizable, out-of-the-box templates. You can modify a system template and save it as a new template, but you cannot delete a system template. In this page, you can import or export any template. You cannot import a template under the system-defined folder.

To view the list of CLI templates, choose Configuration > Templates > Features and Technologies > CLI

Templates > System Templates - CLI.

● CLI - This is primarily meant for creating custom configuration templates. A CLI template uses a set of reusable device configuration commands with the ability to parameterize select elements of the configuration as well as add control logic statements. This template is used to generate a device-deployable configuration by replacing the parameterized elements (variables) with actual values and evaluating the control logic statements. CLI templates are based on the Apache Velocity Template Language. CLI templates do not have an option to undeploy.


Figure 34. CLI Templates

● Composite templates - You can create a composite template if you have a collection of existing feature or

CLI templates that you want to apply collectively to devices. You specify the order in which the templates

contained in the composite template are applied to devices. If you have multiple similar devices replicated

across a branch, you can create and deploy a "master" composite template to all the devices in the branch.

This master composite template can also be used later when you create new branches.

To create a composite template, choose Configuration > Templates > Features and Technologies > Composite Templates > System Templates – Composite.

Figure 35. Composite Template

Defining Shared Policy Objects

Policy objects enable you to define logical collections of elements. They are reusable, named components that can

be used by other objects and policies. They also eliminate the need to define a component each time that you

define a policy.

Interface roles configuration allows you to group a set of interfaces according to a set of rules and apply the AVC

configuration for that group of interfaces. Navigate to Configuration -> Templates -> Shared Policy Objects.

Select Interface Role. Create the new interface roles.


Figure 36. Shared Policy Objects

Wireless Controller Configuration

You can use the system templates to configure the wireless controllers. Another way to achieve this, with additional benefits, is by means of controller configuration groups. Configuration groups are an easy way to group controllers logically. This feature provides a way to manage controllers with similar configurations. You can first create templates to configure different features and apply them to a particular configuration group. Templates can also be extracted from existing controllers to provision new controllers. Configuration groups can also be used to schedule when configuration sets are provisioned. Controller reboots can also be scheduled or cascaded depending on operational requirements. Mobility groups, Dynamic Channel Assignment (DCA), and controller configuration auditing can also be managed using configuration groups.

Figure 37. WLAN Configuration

Configuration groups are used for grouping sites together for easier management (mobility groups, DCA, and

regulatory domain settings) and for scheduling remote configuration changes. Configuration groups can be

accessed from Configuration > Templates > Controller Configuration Groups.

RRM/Clean Air

RF profiles and groups are supported in Cisco Prime Infrastructure for both RF profile creation templates and AP

group templates. If you use Cisco Prime Infrastructure to create the RF profiles through the creation of templates,

this gives the administrator a simple way to create and apply templates consistently to groups of controllers.


Build RF Profiles

Cisco Prime Infrastructure provides two ways for building or managing an RF profile. Navigate to Configuration >

Network > Network Devices > Select a controller and click Configuration tab and choose 802.11 > RF Profiles

in order to access profiles for an individual controller.

Figure 38. RF Profiles

Figure 39 displays all the RF profiles currently present on the chosen controller and allows you to make changes to

profiles or AP group assignments.

Figure 39. RF Profile Template

When you create a new profile, Cisco Prime Infrastructure prompts you to choose an existing template. When you access this for the first time, you are directed to the Template Creation dialogue for an 802.11 controller template.

Figure 40. Features and Technologies RF Profile Template


Also, you can choose Configuration > Templates > Features & Technologies > Controller > 802.11 > RF Profiles (see Figure 41) to navigate to the controller template launch pad directly.

In both cases, a new RF profile is created in Cisco Prime Infrastructure through the use of a template. This is a

recommended method, since it allows the administrator to use the workflow of Cisco Prime Infrastructure and apply

templates and configurations to all or select groups of controllers and reduce configuration errors and mismatches.

Apply RF Profiles to AP Groups

New RF profiles can be applied to a controller through the AP groups to which they are assigned. Choose Configuration > Templates > Features & Technologies > Controller > WLANs and choose AP Groups as shown in Figure 41.

Figure 41. Select an AP Group and RF Profile

In Cisco Prime Infrastructure, you can choose the Venue Group tab to add venue information as well.

(See Figure 42.)

Figure 42. Venue Group


When you save the template, a warning message may appear. Changing the interface that the assigned WLAN

uses disrupts the VLAN mappings for FlexConnect APs applied in this group. Make sure that the interface is the

same before you proceed. Choose Deploy.

Choose the controllers to which the template needs to be applied as shown in Figure 43.

Figure 43. Choose Controllers

Only those access points attached to the controllers where the AP group was deployed successfully with the RF profiles applied (click Apply to Access Points) are available to select from.

Note: Until this point, no real changes were made to the RF infrastructure, but this changes when APs that

contain new RF profiles are moved into the group. When an AP is moved into or out of an AP group, the AP

reboots to reflect the new configuration.

Choose the APs you want to add to the AP group and click OK. A warning message appears. Cisco Prime

Infrastructure displays the status of the change.

Automated Deployment

Cisco Prime Infrastructure helps automate the deployment of new devices on the network by obtaining and

applying the necessary software image and configuration on a new network device. Using features such as Cisco

Network Services (CNS) call-home, APIC-EM (Application Policy Infrastructure Controller) call-home and Cisco

IOS Software auto-install (which uses DHCP and TFTP), Cisco Prime Infrastructure reduces the time a new device

takes to join the network and become functional.

The Plug and Play feature of Cisco Prime Infrastructure allows you to create templates to define features and

configurations that you can reuse and apply to new devices. You can streamline new device deployment by

creating bootstrap templates, which define the necessary initial configuration, to communicate with Cisco Prime

Infrastructure. You can specify (and predeploy) software images and configurations that will be added to the

devices in the future. See the Cisco Prime Infrastructure User Guide for detailed steps using automated

deployment.


Compliance

Cisco Prime Infrastructure allows you to define device configuration baselines and audit policies, which help to identify and fix any device configuration deviations from the baseline. You can schedule a compliance audit job against multiple devices and get an audit report that indicates if any configurations deviate from the specified baseline.

Prerequisites

Compliance Baseline Audit is available when Cisco Prime Infrastructure is deployed using either of the following options:

● Professional OVA Virtual appliance

● Cisco Unified Computing System™ (Cisco UCS) Gen 2 physical appliances

By default, the Compliance Service feature is disabled. To enable compliance auditing, choose Administration > Settings > System Settings > General > Server, then enable Compliance Service (see Figure 44).

Figure 44. Enabling Compliance Service in Cisco Prime Infrastructure 3.0

The Cisco Prime Infrastructure server must be restarted for the changes to take effect. No additional licenses are required to use the compliance baseline audit feature.

Creating Compliance Policy

A compliance policy is a set of conditional rules against which your network devices’ configurations are validated. You can use the predefined policies or create your own policies.

In order to create a new compliance policy, navigate to Configuration > Compliance > Policies. Click the Add (+) button to create a compliance policy, and enter a name for the policy.

Upon policy creation, you can define one or more conditional rules for each compliance policy. Refer to the Cisco

Prime Infrastructure User Guide for more details on the rule inputs and parameterization of user inputs.


Figure 45. Compliance Policies

Creating Policy Profiles

Once compliance policies have been defined, group one or more policies under a Compliance Profile. Profiles are

sets of one or more policies, intended as a unit of comparison against the network device configurations.

Follow the steps below to create a policy profile.

● Browse to Configuration > Compliance > Profiles and add a new profile.

● Once the profile is created, use the Compliance Policy selector to select the desired policies, from the system-defined or user-defined policies, to be grouped.

● Multiple policies can be selected and grouped.

● For each compliance policy, you have an option to use one or more of the rules defined.

Figure 46. Compliance Policy Profile

Run Compliance Audit

Once a policy profile is created by grouping the compliance policies, compliance baseline auditing can be performed. Follow the steps below to run the compliance audit job.

● Choose Configuration > Compliance > Profiles, select a profile, and click the Run Compliance Audit icon (lightning bolt icon).

● Select the devices to be audited and the corresponding configuration to be checked (use latest archived

configuration or use current configuration).

● Specify the desired job scheduling and recurrence (standard Cisco Prime Infrastructure job framework

selection options are available).


The Compliance Job Dashboard lists the compliance audit jobs as well as violation fix jobs. To view the details of a job result, click Last Run Result. Results may be exported in PDF and CSV formats.

● You can view details of “Violations by Device” and select the specific fixes to be included in a Fix Job, along

with an option to preview the Fix CLI.

Figure 47. View Compliance Audit Job

View Violation Summary

Violations raised during the compliance audit can be viewed under Compliance > Jobs > Violation Summary. The violation summary can also be exported in PDF and CSV formats.

Figure 48. Violation Summary
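The policy, profile, audit and violation-summary workflow above, modelled in Python as an added example (not Cisco Prime Infrastructure's rule engine or code from this guide). The rule fields, policy names, severity labels and the two device configurations are constructed for illustration.

```python
import re
from collections import Counter

# Constructed baseline. Each policy is a list of conditional rules; a rule
# either requires a matching line ("required") or forbids one ("forbidden").
POLICIES = {
    "management-access": [
        {"title": "Password encryption enabled", "kind": "required",
         "pattern": r"^service password-encryption\s*$", "severity": "major"},
        {"title": "Telnet not allowed on VTY lines", "kind": "forbidden",
         "pattern": r"^\s*transport input\b.*\b(telnet|all)\b",
         "severity": "critical"},
    ],
    "snmp": [
        {"title": "No default SNMP community", "kind": "forbidden",
         "pattern": r"^snmp-server community (public|private)\b",
         "severity": "critical"},
    ],
}

# A profile groups one or more policies into the unit that is audited.
PROFILE = ["management-access", "snmp"]

# Constructed stand-ins for the latest archived configuration of two devices.
CONFIGS = {
    "branch-sw1": """\
service password-encryption
hostname branch-sw1
snmp-server community public RO
line vty 0 4
 transport input ssh
""",
    "branch-rtr1": """\
hostname branch-rtr1
snmp-server community EXAMPLE-RO RO
line vty 0 4
 transport input telnet ssh
""",
}


def check_rule(rule, config):
    """Return a violation detail string, or None when the rule passes."""
    hits = [line for line in config.splitlines()
            if re.search(rule["pattern"], line)]
    if rule["kind"] == "required":
        return None if hits else "required line is missing"
    return "forbidden line present: " + hits[0].strip() if hits else None


def run_audit(profile, policies, configs):
    """Audit every device against every rule of every policy in the profile."""
    violations = {}
    for device, config in configs.items():
        found = []
        for policy_name in profile:
            for rule in policies[policy_name]:
                detail = check_rule(rule, config)
                if detail is not None:
                    found.append({"policy": policy_name,
                                  "rule": rule["title"],
                                  "severity": rule["severity"],
                                  "detail": detail})
        violations[device] = found
    return violations


def violation_summary(violations):
    """Count violations by severity across all audited devices."""
    return Counter(v["severity"] for found in violations.values() for v in found)


if __name__ == "__main__":
    by_device = run_audit(PROFILE, POLICIES, CONFIGS)
    for device, found in by_device.items():
        for v in found:
            print(device, v["severity"], v["rule"], "->", v["detail"])
    print(dict(violation_summary(by_device)))
```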

PSIRT and EoX Reports

Cisco Prime Infrastructure helps to determine if any managed devices in the network have any security vulnerabilities as identified by the Cisco Product Security Incident Response Team (PSIRT). The report also includes documentation about the specific vulnerability that describes the impact of the vulnerability and any potential steps that need to be applied.

Cisco Prime Infrastructure also gives you an option to run a report to determine if any Cisco device hardware or

software in the network has reached its end of life (EOX). This can help determine the product upgrade and

substitution options.

Browse to Reports > Reports > PSIRT and EOX.


Figure 49. PSIRT Reports

Figure 50. EoX Reports

Clients and Users

All clients (wired and wireless) available in the network and discovered by Cisco Prime Infrastructure are displayed

in the Clients and Users page (Monitor -> Monitoring Tools -> Clients and Users).

Figure 51. Clients and Users

Wired clients display the AP name as N/A. Switch port information is provided in the interfaces column, as shown in Figure 51.

Client Troubleshooting

Cisco Prime Infrastructure also provides monitoring and troubleshooting for wired and wireless clients. SNMP is used to discover clients and collect client data. Cisco Identity Services Engine (ISE) is polled periodically to collect client statistics and other attributes to populate related dashboard components and reports. In order to launch the client-troubleshooting tool, select the client, and click Troubleshoot.


Figure 52. Client Troubleshooting Tool

Log messages can be retrieved from the controller using the Log Analysis tool, as shown in Figure 53.

Figure 53. Debug Client Issues

The Event history tool and the Test analysis tool (CCX5 clients) can also be used for wireless client troubleshooting. Cisco Prime Infrastructure can also be used for troubleshooting wired clients.

Cisco Prime Infrastructure manages the wired and the wireless clients in the network. You can get enhanced information using the Cisco Identity Services Engine (ISE) or Cisco Secure Access Control (ACS) View servers or Cisco Mobility Services Engine (MSE). Hence, Cisco Prime Infrastructure provides complete visibility of users and managed clients.

ISE Integration

When Cisco ISE is used as a RADIUS server to authenticate clients, Cisco Prime Infrastructure collects additional information about these clients from Cisco ISE and makes all client-relevant information visible in a single console.

You can get enhanced information about managed clients using the Cisco ISE.


If Cisco Prime Infrastructure is integrated with an ISE server (to access endpoint information), you can:

● Check the endpoint type.

● Identify possible problems with the end user’s authentication and authorization for network access.

● View the bandwidth utilization for wired clients.

Note: Cisco Prime Infrastructure displays ISE Profiling attributes only for authenticated endpoints.

A maximum of two ISEs can be added to Cisco Prime Infrastructure. If you add two ISEs, one should be primary

and the other should be standby. When you are adding a standalone node, you can add only one standalone node

and cannot add a second node.

To add an Identity Services Engine, browse to Administration -> Servers -> ISE Servers.

From the Select a command drop-down list, choose Add ISE Server, then click Go. Complete the required fields,

then click Save.

Figure 54. Identity Services Engine

Note: The credentials should be superuser credentials local to ISE. Otherwise, ISE integration does not work.

MSE Integration

When integrated with the Cisco Mobility Services Engine, Cisco Prime Infrastructure can provide a single unified view by extracting location and posture information of managed clients. WIPS profiles can also be deployed.

You can add an MSE by navigating to Services -> Mobility Services -> Mobility Services Engines. Select Add

Mobility Services Engine from the command drop-down list, and click Go.

In this dialog box, you can add licensing files, tracking parameters, and assign maps to the MSE. If you launch the

wizard with an existing MSE for configuration, then the Add MSE option appears as Edit MSE Details.

Figure 55. Mobility Service Engine


For detailed information on MSE, see the Cisco Prime Infrastructure User Guide.

Monitoring

Monitoring Policies

Cisco Prime Infrastructure uses monitoring policies to monitor devices against the thresholds you specify. When

the thresholds that you specify are reached, Cisco Prime Infrastructure issues an alarm.

By default, Cisco Prime Infrastructure polls:

● Device health metrics on supported routers, switches and hubs. Storage devices and Cisco UCS series

devices are not monitored by the default health policy.

● Port group health metrics.

● Interface health metrics on WAN interface groups, AVC, and Cisco UCS.

Note: Cisco Prime Infrastructure uses monitoring policies only for wired devices.

Choose Monitor -> Monitoring Tools -> Monitoring Policies -> Auto monitoring. Cisco Prime Infrastructure

polls SNMP objects to gather monitoring information for the device and interface parameters.

Figure 56. Auto Monitoring

You can add new monitoring policies to monitor network device metrics and alert you to changing conditions before the issues impact device operation. Choose Monitor > Monitoring Tools > Monitoring Policies > My Policies. Then click Add. Select the policy types, configure the parameters and thresholds, and click “Save and Activate” to activate the policy on the selected devices.

Figure 57. Monitoring Policy


Cisco Prime Infrastructure displays the summary information in several different dashboards that contain graphs and visual indicators. Overview dashboards display dashlets specific to the network device summary graph, system health, interface health metrics, Top N CPU and memory utilization, and so on.

Viewing Alarms and Events

Alarms and events provide a single page view of all alarms and events for wired and wireless infrastructure. Alarms

can be viewed by navigating to Monitor > Monitoring Tools > Alarms and Events.

Almost all of the tables in Cisco Prime Infrastructure have a quick filter widget. This allows you to quickly filter through the table, especially when there are many rows involved. This is very useful with alarms and events or clients and users. Figure 58 shows the different quick filtering options available to you.

Figure 58. Quick Filter

The Advanced Filter, as the name implies, allows you to filter on the content with complex rules. These filters can

be saved for one-click use, the next time they are needed.

Figure 59. Advanced Filter


Configuring Alarm Severity

Choose Administration -> Settings -> System Settings to change the alarm’s default severity level. Under the Alarms and Events section, select Alarm Severity and Auto Clear. Select the event type and click Severity Configuration. From the Configure Severity Level drop-down list, choose a severity level.

Figure 60. Severity Configuration Page

Customizing Traps and Syslogs

Defining Custom Trap Events

Cisco Prime Infrastructure recognizes additional traps and helps to customize and create events and alarms for

these traps. You can specify a trap notification name, specify the event severity, and message to use when the

specified trap is received. Cisco Prime Infrastructure creates an event with the settings you specify. Choose

Monitor -> Monitoring Tools -> Alarms & Events.

Figure 61. Adding Custom Trap Event

In the Events tab, click Custom Trap Events. Click Add in the Custom Trap Events window, select a MIB and a Notification Name, specify the default severity level, and then click OK.


Cisco Prime Infrastructure creates a new event type and alarm condition for the specified trap.

Defining Custom Syslog Events

You can enable Cisco Prime Infrastructure to create events for particular syslogs. You can specify a syslog message identifier, the event severity, and the message to use when the specified syslog is received. Cisco Prime Infrastructure creates an event with the settings you specify.

Choose Monitor -> Monitoring Tools -> Alarms & Events. In the Syslog tab, click Custom Syslog Events.

Click Add and complete all the required fields, and click OK.

Figure 62. Adding Custom Syslog Event

Forwarding Alarms as Traps to Notification/Trap Receivers

You can configure notification receivers, which support North Bound access and guest access. Alerts and events are sent as SNMPv2 and SNMPv3 notifications to the configured notification receivers. You can add and remove notification receivers from Administration > Settings > System Settings > Alarms and Events > Notification Receivers.

Figure 63. Notification Receivers


AVC and QoS Configuration

Monitoring Application and Services

Network administrators need to gain visibility into applications running on the network and their performance, and

to see the different types of traffic and their performance in greater detail. They should be able to quickly isolate

and troubleshoot application performance issues. They can define policies to control and tune the performance of

the different applications. Service assurance dashboards in Cisco Prime Infrastructure help to provide a granular

and detailed view of assurance features.

Cisco Application Visibility and Control (AVC) is a solution that offers application awareness in the network.

AVC incorporates application recognition and performance monitoring capabilities. When coupled with network

management tools, AVC provides a powerful and pervasive integrated solution for discovering and controlling

applications within the network.

Prerequisites

● Make sure that the devices on which you have to enable AVC are fully managed (in Device Work Center).

● Make sure that the site/location-based groups are created and that the endpoints (devices) that need to be monitored are associated with the corresponding sites.

● Create an interface role (Shared Policy Objects) for the wired devices before using the AVC template.

AVC Supported Platforms

| Platforms | Minimum Software Version Required |
|---|---|
| ASR 1000 | 15.3(1)S1 and later |
| ISR G2 | 15.2(4)M2 and later |
| ISR 4451-X | 15.3(2)S |
| CSR 1000 | 15.3(2)S |
| WLC | 7.4 |

Readiness Assessment

Readiness assessment allows you to analyze the routers in your network and determine whether these devices are

capable of running AVC.

Choose Services -> Application Visibility and Control -> Readiness Assessment.

Figure 64. Readiness Assessment


The table view provides all the relevant information for the devices and also suggests whether these devices are

AVC capable or not. It provides recommendations for AVC capable devices to make them AVC configurable.

AVC Configuration

Different Approaches to Enable AVC

There are three different approaches to enable AVC on routers.

● Use the one-click option to enable it on one or more interfaces of a router, if this is your first time with AVC.

● Use the template option to enable AVC on multiple devices based on the interface role.

● Enable AVC on multiple interfaces and multiple devices, using the location-based and device-based filters. This method also allows you to configure QoS if needed. See the AVC Solution Guide for more details.

Enabling AVC on Wireless Controllers

Feature design templates in Cisco Prime Infrastructure can be used to enable AVC on the controllers. First create an exporter configuration template, then create a monitor template that maps the exporter template, and deploy the monitor template on the controllers. See the AVC Solution Guide for more details.

Associate Endpoints to Sites

Now that you have created all the sites where your network equipment is staged, it is time to map those sites to their respective subnets, data sources, and VLANs. This allows Cisco Prime Infrastructure to see the traffic flow, especially when it comes to application performance. To create an endpoint, navigate to Services > Application Visibility & Control > Endpoint Association. Figure 65 shows how various sites are mapped to their subnets. In addition to the subnet mask, you can also specify the default data source desired for that site.

Figure 65. Endpoint Association

Managing Netflow Data Sources

Cisco Prime Infrastructure can collect NetFlow from data sources directly. In the case of Cisco Prime Network Analysis Module (NAM), Cisco Prime Infrastructure collects all the information from the NAM natively.

To view all the data sources exporting NetFlow to Cisco Prime Infrastructure, navigate to Services -> Application Visibility & Control -> Data Sources. The Device Data Sources list shows all the devices that are actively sending NetFlow data to Cisco Prime Infrastructure. The NAM Data Collector lists all the NAMs that have been discovered or added to the inventory. You can select a NAM and enable or disable data collection from it.


Figure 66. Data Sources

Viewing AVC Metrics

Cisco Prime Infrastructure shows performance related metrics for applications in the following dashboards:

● Dashboard -> Overview -> Service Assurance

● Services -> Application Visibility and Control -> Service Health

● Dashboard -> Performance (all of the dashboards)

Classify Unknown Traffic by Defining Custom Application

Cisco Prime Infrastructure helps to define custom applications that you can deploy on the device and let Cisco

Prime Infrastructure monitor these applications. Choose Services -> Application Visibility & Control ->

Applications and Services and click Create.

Figure 67. Application and Services


Provide an application name and the selector ID. Select the Business Critical check box if you would like this custom application to be marked as business critical.

Updating Application Definitions (NBAR2 Protocol Pack)

NBAR2 Protocol packs can be uploaded to Cisco Prime Infrastructure to recognize any new applications. Choose

Services -> Application Visibility & Control -> NBAR2 Protocol Pack Management. Using the Import option,

you can update the protocol pack.

Multi-NAM Capabilities within Cisco Prime Infrastructure

Cisco Prime Infrastructure can serve as a central manager of managers (MoM) if multiple NAMs are deployed in

the network. Some of the functionality that Cisco Prime Infrastructure can help with includes:

● Centralized monitoring of NAM health.

● Deploying configurations to multiple NAMs using the CLI configuration templates.

● Upgrading NAMs using software image management capabilities.

● Using one-click packet capture from multiple NAMs based on a capture policy.

● Proactively capturing packets using threshold breaches.

All of these allow you to use Cisco Prime Infrastructure to effectively manage the NAMs, thus making it a very good

and stable data source for application visibility.

Netflow Dashlets

The following table lists the dashlets which help in monitoring the Netflow data in Cisco Prime Infrastructure.

| Grouping of Dashlets | Dashlet Names |
|---|---|
| Site Specific Dashlets | Application Usage Summary |
| | Top N Application Groups |
| | Top N Applications |
| | Top N Applications with Most Alarms |
| | Top N Clients (In and Out) |
| | Top N VLANs |
| Application Specific Dashlets | Application Configuration |
| | Top N Applications |
| | Top Application Traffic over Time |
| | DSCP Classification |
| | IP Traffic Classification |
| | Client Conversations |
| | Top N Clients (In and Out) |
| | Client Traffic |
| | Number of Clients over Time |

Lync Monitoring

Cisco Prime Infrastructure can monitor the Microsoft Lync traffic in your network. It processes and filters Microsoft

Lync quality update messages and aggregates Microsoft Lync calls. You can view volume trends over time and get

a summary of call types, including filtering based on time and location groups. You can also view individual calls

and troubleshoot individual call streams.


Setting Up Microsoft Lync Monitoring

Cisco Prime Infrastructure must be registered as a receiver of Microsoft Lync data in order to monitor and provide a

centralized view of how Microsoft Lync is deployed in your network.

On your Microsoft Lync SDN server, edit the LyncDialogListener.exe.config file to add the following lines. The LyncDialogListener.exe.config file is located in the Lync SDN API installation directory at the following default location: C:\Program Files\Microsoft Lync Server\Microsoft Lync SDN API.

<add key="submituri" value="https://PI_server_name/webacs/lyncData"/>

Where https://PI_server_name is the name of your Cisco Prime Infrastructure server as specified in the Trusted Root Certification Authorities certificate.

<add key="clientcertificateid" value="value"/>

Where value is the certificate value of your Cisco Prime Infrastructure server as specified in the Trusted Root Certification Authorities certificate.

Alternatively, if you use the Microsoft SDN interface to enter your Cisco Prime Infrastructure server details, you must accept the SSL certificate in order to enable XML communication over secure HTTP. After you register Cisco Prime Infrastructure as a receiver of Microsoft Lync data, all Microsoft Lync details are sent to Cisco Prime Infrastructure.
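A pre-deployment check for the two receiver settings described above, as an added example that is not part of the Cisco guide or the Lync SDN API: it parses a LyncDialogListener.exe.config document and reports a submituri that is not HTTPS, names a host absent from the server certificate, or has the wrong path, and a clientcertificateid left at its placeholder. The `<configuration>/<appSettings>` wrapper, the function names, and all sample values are assumptions constructed for illustration.

```python
"""Check the Prime Infrastructure receiver settings in LyncDialogListener.exe.config.

Added example. The sample documents are constructed, and the
<configuration>/<appSettings> wrapper is the usual .NET layout (an assumption).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

EXPECTED_PATH = "/webacs/lyncData"     # path given in the guide
TEMPLATE_HOSTS = {"pi_server_name"}    # guide placeholder left unedited
TEMPLATE_CERT_IDS = {"", "value"}      # guide placeholder left unedited

GOOD = """<configuration><appSettings>
  <add key="submituri" value="https://pi.example.net/webacs/lyncData"/>
  <add key="clientcertificateid" value="CONSTRUCTED-CERT-ID"/>
</appSettings></configuration>"""

WEAK = """<configuration><appSettings>
  <add key="submituri" value="http://192.0.2.20/webacs/lyncData"/>
  <add key="clientcertificateid" value="value"/>
</appSettings></configuration>"""

# Curly quotes, as produced by pasting from a formatted document.
PASTED = """<configuration><appSettings>
  <add key=\u201csubmituri\u201d value=\u201chttps://pi.example.net/webacs/lyncData\u201d/>
</appSettings></configuration>"""


def read_app_settings(config_xml):
    """Return {lower-cased key: value} for every <add key=... value=.../>."""
    root = ET.fromstring(config_xml)
    settings = {}
    for node in root.iter("add"):
        key = node.get("key")
        if key:
            settings[key.strip().lower()] = (node.get("value") or "").strip()
    return settings


def check_lync_receiver(config_xml, cert_names):
    """Return a list of findings; an empty list means nothing was flagged.

    cert_names: host names carried by the Prime Infrastructure server
    certificate, supplied by the operator.
    """
    try:
        settings = read_app_settings(config_xml)
    except ET.ParseError as exc:
        # Typical cause: non-ASCII quotes around attribute values.
        return [f"MALFORMED_XML: {exc}"]

    findings = []
    uri = settings.get("submituri")
    if not uri:
        findings.append("SUBMITURI_MISSING: no submituri key")
    else:
        try:
            parts = urlsplit(uri)
            host = (parts.hostname or "").lower()
        except ValueError as exc:
            parts, host = None, ""
            findings.append(f"SUBMITURI_UNPARSABLE: {exc}")
        if parts is not None:
            if parts.scheme != "https":
                findings.append(f"SUBMITURI_NOT_HTTPS: scheme is {parts.scheme!r}")
            if not host:
                findings.append("SUBMITURI_NO_HOST: no host name in the URI")
            elif host in TEMPLATE_HOSTS:
                findings.append("SUBMITURI_PLACEHOLDER_HOST: host was not filled in")
            elif host not in {name.lower() for name in cert_names}:
                findings.append(f"SUBMITURI_HOST_NOT_IN_CERT: {host}")
            if parts.path.rstrip("/") != EXPECTED_PATH:
                findings.append(f"SUBMITURI_WRONG_PATH: {parts.path!r}")

    cert_id = settings.get("clientcertificateid")
    if cert_id is None:
        findings.append("CLIENTCERT_MISSING: no clientcertificateid key")
    elif cert_id.lower() in TEMPLATE_CERT_IDS:
        findings.append("CLIENTCERT_PLACEHOLDER: value was not filled in")
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("weak", WEAK), ("pasted", PASTED)):
        print(label, check_lync_receiver(doc, {"pi.example.net"}))
```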

Monitoring Microsoft Lync

To monitor Microsoft Lync data, browse to Services -> Application Visibility & Control -> Lync Monitoring.

Colored bars represent the different call types and the respective call volume over the specified time period. The

Lync Conversations table lists the aggregated conversations for the call type you select from the bar chart. Click

the arrow next to a Caller to expand and view the details of that conversation, from the Caller to the Callee.

Cisco Prime Infrastructure displays the call metrics for the selected conversation.

Figure 68. Lync Monitoring


PfR Monitoring

Performance Routing (PfR) monitors network performance and selects the best path for each application based on

advanced criteria such as reachability, delay, jitter and packet loss. PfR can evenly distribute traffic to maintain

equivalent link utilization levels using an advanced load balancing technique.

PfR Version 3 (PfRv3) provides intelligent path control for the IWAN initiative and enables a business-class WAN over Internet transports. PfR allows customers to protect critical applications from fluctuating WAN performance while intelligently load balancing traffic over all WAN paths.

Cisco IOS Software PfR makes real-time routing adjustments based on application criteria such as response time,

packet loss, jitter, path availability, interface load, and circuit cost minimization.

Browse to Services -> Application Visibility & Control -> PfR Monitoring. The PfR landing page includes the Site to Site PfR Events table, a filter panel, the Metrics panel (Metrics Crossing Thresholds versus Service Provider(s)), and a time slider.

Figure 69. PfR Monitoring

The Metrics panel displays the metrics gathered using the TCA, as charts. Each service provider is represented by

a unique color in the chart. The charts available in the Metrics panel are:

● Unreachability over time

● Maximum Delay over time

● Maximum Jitter over time

● Maximum Packet loss% over time

The Site to Site PfR events table displays site-to-site PfR events, including Threshold Crossing Alert (TCA), Route Change (RC), and Immitigable Event (IME). By default, the PfR events that occurred over the last 72 hours are displayed.


Site-to-Site PfR Topology

The site-to-site topology consists of nodes representing border routers, master controllers, and service providers. The egress and ingress orange links represent the WAN link connectivity between border routers and service providers, and blue links connect the border routers and master controllers.

Click a node to view the device metrics pop-up window from where you can navigate to the corresponding device

context page. Click a link to view the link metrics pop-up window from where you can navigate to the link context

page. Click Launch Interface Dashboard in the Link Metrics pop-up window to view the Interface dashlets in the

Performance dashboard.

Figure 70. Site-to-Site PfR Topology

Comparing WAN Interfaces

The Compare WAN Interfaces page shows the WAN link usage and performance of the selected WAN interfaces. It compares the egress bandwidth (B/W) usage, the number of TCAs, RCs, and IMEs that occurred, and the number of applications routed for the selected WAN interfaces.

Figure 71. Comparing WAN Interfaces


Dashboards

The Cisco Prime Infrastructure user interface is based on HTML5, which makes the application tablet friendly. Flash has been removed from the product.

Dashboard Customization

Easy visualization and customization of data views is possible in Cisco Prime Infrastructure. There are two different

ways of customizing the dashboards:

● Adding your own dashboard in addition to the existing dashboards.

● Adding/moving dashlets (also known as portlets) from one dashboard to another.

Navigate to any of the existing dashboards under the Dashboards menu. Use Settings in the top right corner of the dashboard to add a new dashboard. The new dashboard is created under the current dashboard tree, and a new tab appears immediately.

Figure 72. Add Dashboard

The next step is to populate the new dashboard that you created with dashlets. There are about 50 preconfigured

dashlets that you can use for various dashboards.

Figure 73. Add Dashlet

A new dashlet can be added to the dashboard where you want it to appear. Choose Add Dashlet(s) from Settings to view the list. Once you see the list of dashlets, you can add the appropriate dashlet to the dashboard.


Customizing the Dashlet Content

Figure 74. Dashlet Customization

You can customize the dashboard and also the content within the dashlets. Select the pencil icon in the title bar of any dashlet to customize the dashlet content. This exposes all the configuration options that can be adjusted for that dashlet. Each dashlet has its own configuration parameters. Once you are done, click Save and Close to view the data.

Remediation Tools

Wireless Remediation

The following tools available within Cisco Prime Infrastructure may be used in order to remediate wireless issues:

● Cisco CleanAir

● Client Troubleshooting

● AP Troubleshooting

● Audit Tool

● Security Dashboard

● Switch Port Tracing (SPT)

● Contextual device 360-degree views for easy access to assorted tools:

◦ Ping

◦ Traceroute

◦ Cisco Discovery Protocol Neighbors

◦ WLAN and SSID information

◦ Active AP and client count

Apart from these key tools, you can find more tools by navigating to “Monitor > Wireless Technologies” or

“Monitor > Tools”.


Wired Remediation

The following tools within Cisco Prime Infrastructure can be used to remediate wired issues:

● Wired Client Troubleshooting

● Ad Hoc and Automated Packet Capture

● Device Work Center

● Contextual device 360-degree views for easy access to assorted tools:

◦ Ping

◦ TraceRoute

◦ Cisco Discovery Protocol Neighbors

◦ Config Diffs

◦ Inventory Details

◦ Network Audits

◦ Support Forums

Figure 75. Device 360 Views

Trigger Packet Capture from Cisco Prime Infrastructure

Cisco Prime Infrastructure provides a very flexible solution for capturing packets throughout your network. You can

either manually trigger a packet capture or automatically specify the capture based on some advanced parameters,

so that it will be triggered once a threshold level is breached. In both of these solutions, packets can be captured

locally on the NAM or they can be stitched from multiple NAMs and stored in Cisco Prime Infrastructure. Packet

captures can also be triggered on the ASR 1Ks.

Manual Packet Capture from Cisco Prime Infrastructure

To do an ad hoc packet capture, navigate to Monitor > Tools > Packet Capture > Capture Sessions. To create a new profile, click Create and fill in all the criteria for capturing particular traffic. If you need to capture a particular type of traffic all the time, it may be a good idea to proactively create those profiles and test them before automating them, as described in the next section.


Figure 76. Packet Capture Session

Automating Packet Capture Using Cisco Prime Infrastructure

There are times when you want to capture packets based on a trigger, because there is no way to anticipate when the trigger will occur. For example, if you are trying to meet the SLA for AvgRespTime for an application, you may want to start the packet capture if the response time exceeds the predefined time. You can achieve this by combining a threshold and packet capture in Cisco Prime Infrastructure. Navigate to Monitor > Monitoring Tools > Monitoring Policies > Add > Traffic Analysis. Click the threshold template to create a new instance from it. To change any of the thresholds, select that row and edit the threshold as shown in Figure 77, where we have chosen to alert and start capturing SharePoint traffic if the AvgRespTime exceeds the default value.

Figure 77. Automate Packet Capture

Decoding Packet Capture Using Cisco Prime Infrastructure

Once the packets are captured, there are two options to decode them. The easiest way is to select the packet capture session and click Decode from the Packet Capture homepage (Monitor > Tools > Packet Capture). The capture decode is shown in a pop-up window, which makes it easy to evaluate each packet. You can also click Export, and the .pcap file is downloaded directly to the client PC. This is useful if you need to perform advanced troubleshooting on the capture decode. There is a dimmed Merge button between the Decode button and the Export button, which can be used to merge the .pcap files if more than one file is selected.

TIP: If the capture file is not very large (that is, not on the order of GB), it makes sense to decode it in Cisco Prime

Infrastructure instead of jumping over to the NAM. Otherwise, you should use NAM instead of Cisco Prime

Infrastructure for decoding very large capture files.


Figure 78. Packet Capture

Reports

A wide variety of preconfigured reports can be used for up-to-date information on the network, including detailed inventory, configuration, compliance, audit, capacity, end of sale, security vulnerabilities, and many more. Reports can be scheduled or run immediately, emailed, or saved as PDFs for future viewing. Composite reports help to group multiple reports. Navigate to “Reports > Report Launchpad” to generate various reports.

Figure 79. Report Launch Pad

REST API

Cisco Prime Infrastructure R/W REST APIs can be used to integrate with any in-house OSS systems. For details,

see the REST API documents in the Cisco Prime Infrastructure 3.0 API Reference Guide.

High Availability

The Cisco Prime Infrastructure High Availability (HA) implementation allows one primary Cisco Prime Infrastructure server to fail over to one secondary (backup) Cisco Prime Infrastructure server. A second server is required that has sufficient resources (CPU, hard drive, network connection) to take over Cisco Prime Infrastructure operation in the event that the primary Cisco Prime Infrastructure system fails. In Cisco Prime Infrastructure, the only supported HA configuration is 1:1 (1 primary system, 1 secondary system).


Prerequisites

The size of the secondary server must be larger than or equal to that of the primary server; for example, if the

primary Cisco Prime Infrastructure server is the Express Plus OVA, then the secondary Cisco Prime Infrastructure

server must be the Express Plus or larger.

The primary and secondary servers cannot be a mix of a physical and a virtual appliance. For example, if the primary Cisco Prime Infrastructure server is a virtual appliance, the secondary server can’t be a physical appliance. The secondary server should be a virtual appliance with the same or a larger OVA.

Customers must be running the same version of Cisco Prime Infrastructure and should be at the same patch level

on both the primary and secondary Cisco Prime Infrastructure servers.

The Cisco Prime Infrastructure HA feature is transparent to the wireless controller, that is, there is no software

version requirement for the Cisco Wireless LAN Controller (WLC), access points (APs), and the Cisco Mobility

Services Engine (MSE).

Licensing

An RTU (right-to-use) license is required to deploy Cisco Prime Infrastructure in an HA implementation. Only one Cisco Prime Infrastructure server license needs to be purchased. There is no need to purchase a license for the secondary Cisco Prime Infrastructure server. The secondary server uses the license from the primary when a failover occurs. The same Cisco Prime Infrastructure license file resides on both the primary and secondary Cisco Prime Infrastructure servers. The license file is only active on one system at any given point in time.

High-Availability Setup

Cisco Prime Infrastructure HA can also be deployed with geographic separation of the primary and secondary

servers. This type of deployment is also known as disaster recovery or geographic redundancy.

HA Modes

There are two HA modes: failover and failback. After initial deployment of Cisco Prime Infrastructure – HA, the

entire configuration of the primary Cisco Prime Infrastructure server is replicated to the host of the secondary Cisco

Prime Infrastructure server. During normal operation (that is, when the primary Cisco Prime Infrastructure server is

operational), the database and application data files from the primary server are replicated to the secondary Cisco

Prime Infrastructure server. Replication frequency is 11 seconds (for real‐time files) and 500 seconds (for batch

files).

Failover

Failover is the process of activating (automatically or manually) the secondary server in response to a detected failure on the primary server. Health Monitor (HM) detects failure conditions using the heartbeat messages that the two servers exchange. If the primary server is not responsive to three consecutive heartbeat messages from the secondary, it is considered to have failed. During the health check, HM also checks the application process status and database health; if there is no proper response to these checks, these are also treated as having failed.


Failback

When the issues on the server that hosts the primary Cisco Prime Infrastructure server have been resolved, failback can be manually initiated. Once this is done, the screen is displayed on the secondary Cisco Prime Infrastructure server. When you initiate failback, the Cisco Prime Infrastructure database on the secondary Cisco Prime Infrastructure server and any other files that have changed since the secondary Cisco Prime Infrastructure server took over Cisco Prime Infrastructure operation are synchronized between the secondary and the primary Cisco Prime Infrastructure servers.

Figure 80. Health Monitor Details in Fallback

Manual/Automatic Options

Automatic Failover

Automatic failover is a much simpler process. The configuration steps are the same except that automatic failover

is selected. Once automatic failover is configured, the network administrator does not need to interact with the

secondary HM for the failover operation to take place. Only during failback is human intervention required.

Manual Failover

This is the recommended mode of failover in a Cisco Prime Infrastructure High Availability deployment. When the secondary Cisco Prime Infrastructure server is configured with manual failover mode, the network administrator is notified through an email that the primary Cisco Prime Infrastructure server has experienced a down condition. The Health Monitor (HM) on the secondary Cisco Prime Infrastructure server detects the failure condition of the primary Cisco Prime Infrastructure server. Because manual failover has been configured, the network administrator needs to manually trigger the secondary Cisco Prime Infrastructure server to take over Cisco Prime Infrastructure functionality from the primary Cisco Prime Infrastructure server. This is done by logging in to the secondary HM. Even though the secondary Cisco Prime Infrastructure server is not running, you can connect to the secondary HM using the following syntax: https://<Secondary_PI_IP_Address>:8082/.

The secondary HM displays messages in regard to events that are seen. Because manual failover has been

configured, the secondary HM waits for the network administrator to invoke the failover process. Once manual

failover has been chosen, the message is displayed as The Secondary Cisco Prime Infrastructure Server

Starts. Once the failover process has been completed, which means that the Cisco Prime Infrastructure database

replication process is completed and the secondary Cisco Prime Infrastructure JVM process has started, then the

secondary Cisco Prime Infrastructure server is the active Cisco Prime Infrastructure server.


Health Monitor on the secondary Cisco Prime Infrastructure server provides status information on both the primary and secondary Cisco Prime Infrastructure servers. Failback can be initiated through the secondary HM once the primary Cisco Prime Infrastructure server has recovered from the failure condition. The failback process is always initiated manually so as to avoid a flapping condition that can sometimes occur when there is a network connectivity problem. More details on how to deploy Cisco Prime Infrastructure 3.0 HA can be found in the Cisco Prime Infrastructure Administration Guide.

Configuring Cisco Prime Infrastructure Backup

It is strongly advisable to configure a backup plan proactively. Backup can be configured by navigating to Administration > Settings > Background Tasks > Prime Infrastructure Server Backup.

You can either use the default repository defaultRepo, or create an external backup repository. Enter credentials

for the remote repository and other relevant information and click Submit to create this new remote backup

repository.

Advanced System Settings

Data Retention

This feature allows you to specify how long data is stored in Cisco Prime Infrastructure. By default, performance data is stored as short-, medium-, and long-term data for 7, 31, and 378 days, respectively. You can modify these numbers based on the available hard drive space. Navigate to Administration -> Settings -> System Settings. Select Data Retention under the General tab to configure the data retention.

Server Tuning

The following sections explain how to enhance server security by eliminating or controlling individual points of

security exposure.

Disabling Insecure Services

You must disable non-secure services if you are not using them. For example, TFTP and FTP are not secure protocols. These services are typically used to transfer firmware or software images to and from network devices and Cisco Prime Infrastructure. They are also used for transferring system backups to external storage. We recommend using secure protocols (such as SFTP or SCP) for such services.

Disabling Root Access

Administrative users can enable root shell access to the underlying operating system for troubleshooting purposes. This access is intended for Cisco Support teams to debug product-related operational issues. We recommend that you keep this access disabled, and enable it only when required. To disable root access, run the command root_disable from the command line.

Using SNMPv3 Instead of SNMPv2

SNMPv3 is a more secure protocol than SNMPv2. You can enhance the security of communications between your network devices and the Cisco Prime Infrastructure server by configuring the managed devices so that management takes place using SNMPv3 instead of SNMPv2.

You can choose to enable SNMPv3 when adding new devices, importing devices in bulk, or as part of device discovery.


Authenticating with External AAA

User accounts and passwords are managed more securely when they are managed centrally, by a dedicated, remote authentication server running a secure authentication protocol such as RADIUS or TACACS+. You can configure Cisco Prime Infrastructure to authenticate users using external AAA servers.

Importing Client Certificates into Web Browsers

You must import client certificates into your browsers to authenticate while accessing Cisco Prime Infrastructure servers with certificate authentication. Although the process is similar across browsers, the actual details vary with each browser.

Enabling NTP Update Authentication

Network Time Protocol (NTP) version 4, which authenticates server date and time updates, is an effective way to harden server security. Note that you can configure a maximum of three NTP servers with Cisco Prime Infrastructure.

Enabling Certificate-Based OCSP Authentication

You can further enhance the security of Cisco Prime Infrastructure’s interaction with its web clients by setting up certificate-based client authentication using the Online Certificate Status Protocol (OCSP).

With this form of authentication, Cisco Prime Infrastructure validates the web client’s certificate and its revocation status before permitting you to access the login page. Checking the revocation status makes sure that the issuing Certificate Authority (CA) has not already revoked the certificate.

Setting Up Local Password Policies

If you are authenticating users locally, using Cisco Prime Infrastructure’s own internal authentication, you can enhance your system’s security by enforcing rules for strong password selection.

Disabling Individual TCP/UDP Ports

Table 6 lists the TCP and UDP ports Cisco Prime Infrastructure uses, the names of the services communicating over these ports, and the product’s purpose in using them. The “Safe” column indicates whether you can disable a port and service without affecting Cisco Prime Infrastructure’s functionality.

Table 6. Cisco Prime Infrastructure TCP/UDP Ports

| Port | Service Name | Purpose | Safe? |
|------|--------------|---------|-------|
| 21/tcp | FTP | File transfer between devices and server | Y |
| 22/tcp | SSHD | Used by SCP, SFTP, and SSH connections to and from the system | N |
| 69/udp | TFTP | File transfer between devices and the server | Y |
| 162/udp | SNMP-TRAP | To receive SNMP Traps | N |
| 443/tcp | HTTPS | Primary Web Interface to the product | N |
| 514/udp | SYSLOG | To receive Syslog messages | N |
| 1522/tcp | Oracle | Oracle/JDBC Database connections: These include both internal server connections and for connections with the High Availability peer server. | N |
| 8082/tcp | HTTPS | Health Monitoring | N |
| 8087/tcp | HTTPS | Software updates on HA Secondary Systems | N |
| 9991/udp | NETFLOW | To receive Netflow streams (enabled if Assurance license installed) | N |
| 61617/tcp | JMS (over SSL) | For interaction with remote Plug&Play Gateway server | Y |

Checking Server Security Status

Cisco Prime Infrastructure administrators can connect to the server via CLI and use the show security-status command to display the server’s currently open TCP/UDP ports, the status of other services the system is using, and other security-related configuration information.
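An added example, not part of the Cisco guide: a Python audit that compares a list of ports observed open on the server with Table 6 and separates the ports the table marks as safe to disable from those to keep and those the table does not list. The `port/proto` input format, the `in_use` parameter and the sample data are assumptions made for this example; it does not parse the output of show security-status.

```python
import re

# Table 6 of the guide: (port, proto) -> (service name, "Safe?" column as bool)
TABLE6 = {
    (21, "tcp"): ("FTP", True),
    (22, "tcp"): ("SSHD", False),
    (69, "udp"): ("TFTP", True),
    (162, "udp"): ("SNMP-TRAP", False),
    (443, "tcp"): ("HTTPS", False),
    (514, "udp"): ("SYSLOG", False),
    (1522, "tcp"): ("Oracle", False),
    (8082, "tcp"): ("HTTPS (Health Monitoring)", False),
    (8087, "tcp"): ("HTTPS (HA software updates)", False),
    (9991, "udp"): ("NETFLOW", False),
    (61617, "tcp"): ("JMS (over SSL)", True),
}
ENTRY = re.compile(r"^(\d{1,5})/(tcp|udp)$", re.IGNORECASE)

def parse_open_ports(text):
    """Parse one 'port/proto' entry per line (assumed format); '#' starts a comment."""
    found = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m or not 0 < int(m.group(1)) <= 65535:
            raise ValueError(f"line {lineno}: not a port/proto entry: {raw!r}")
        found.add((int(m.group(1)), m.group(2).lower()))
    return found

def audit(open_ports, in_use=frozenset()):
    """Sort open ports into keep / disable / unknown; in_use names services the site relies on."""
    report = {"keep": [], "disable": [], "unknown": []}
    for key in sorted(open_ports):
        service, safe = TABLE6.get(key, (None, False))
        if service is None:
            report["unknown"].append(key)      # open, but not listed in Table 6
        elif safe and service not in in_use:
            report["disable"].append(key)      # Safe? = Y and not declared in use
        else:
            report["keep"].append(key)         # Safe? = N, or optional but in use
    return report

# Constructed sample: ports an administrator recorded as open on one server.
SAMPLE = "21/tcp\n22/tcp\n69/UDP  # TFTP\n443/tcp\n8080/tcp  # not in Table 6\n61617/tcp\n"

if __name__ == "__main__":
    print(audit(parse_open_ports(SAMPLE), in_use={"JMS (over SSL)"}))
```

Ports reported under `unknown` are not covered by Table 6 and need a separate explanation before any change is made.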

Miscellaneous

Accessing Cisco Prime Infrastructure Through CLI

In normal circumstances, you may not need to access the CLI. If a service task requires it, the Cisco Prime Infrastructure server can be accessed through Secure Shell Protocol Version 2 (SSH2) by the admin user. The admin user is provided with a Cisco IOS Software-like shell, which is the preferred shell for carrying out most operational tasks. The password for this admin user is configured during the initial installation and configuration, as mentioned in the “Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance” section. Note that the root password prompted for in the install script is only for web access, not for access to the CLI.

How to Enable CLI Root User in Cisco Prime Infrastructure Server

The root user is not enabled by default, but you can enable the root user for the first time using the root_enable command at the admin console. Once the root user is enabled, log out of the admin shell and log in using the root user and the previously defined password for root.

Start/Stop Cisco Prime Infrastructure Services

In normal circumstances, you don’t stop or start PI services. The services will start automatically once installation is complete, and no manual startup of services is required. If there is a need to restart the services for some reason, the following commands may be executed by the admin user from the command-line interface (CLI):

<piserver>/admin# ncs stop - Stops the Cisco Prime Infrastructure server

<piserver>/admin# ncs status - Shows the Cisco Prime Infrastructure server status

<piserver>/admin# ncs start - Starts the Cisco Prime Infrastructure server

Verifying IOPS for Cisco Prime Infrastructure Virtual Machine

Until Cisco Prime Infrastructure 1.x, there was no easy way to verify data store input/output operations per second (IOPS) for the virtual infrastructure. With the addition of the following new command, users can now verify the raw performance before proceeding any further.

<piserver>/admin# ncs run test iops

Testing disk write speed...

8388608+0 records in

8388608+0 records out

8589934592 bytes (8.6 GB) copied, 38.3538 seconds, 224 MB/s


Note: If you run this command while the Cisco Prime Infrastructure server is “running”, the results will be heavily skewed. Run this test after shutting down the Cisco Prime Infrastructure server using the ncs stop command from the admin shell.

After shutting down ncs, here are the new results:

Pi30/admin# ncs run test iops

Testing disk write speed...

8388608+0 records in

8388608+0 records out

8589934592 bytes (8.6 GB) copied, 27.0878 seconds, 317 MB/s

The value to use is the result the command returns after “shutting down” ncs (ncs stop). Note that the recommended value for the IOPS is 200 MBps.

References

Cisco Prime Infrastructure 3.0 Links

● Cisco Prime Infrastructure 3.0 Quick Start Guide

● Cisco Prime Infrastructure 3.0 Administrator Guide

● Cisco Prime Infrastructure 3.0 User Guide

● Cisco Prime Infrastructure 3.0 Release Notes

● Cisco Prime Infrastructure 3.0 Data Sheet

● Cisco Prime Infrastructure 3.0 Supported Devices

● Ports used by Cisco Prime Infrastructure

● Cisco Prime Infrastructure Alarms and Events

● Cisco Prime Infrastructure 3.0 API Reference Guide

● Password Recovery for Cisco Prime Infrastructure

● AVC Solution Guide

Cisco Product Pages

● Cisco Prime Infrastructure

● Cisco Identity Security Engine (ISE)

● Cisco Prime Network Analysis Module (NAM)

● Cisco Application Visibility and Control

● Product Downloads

Ordering and Licensing

● Cisco Prime Infrastructure 3.0 Ordering and Licensing Guide

● Cisco Ordering Tools

● Product Evaluation


Printed in USA C07-736611-00 02/16