Cisco Prime Infrastructure 3.0 User Guide

November 9, 2015

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA http://www.cisco.com

800 553-NETS (6387)

Text Part Number: OL-32122-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2011-2015 Cisco Systems, Inc. All rights reserved.

Contents

Part 1: Getting Started

Introduction to Cisco Prime Infrastructure

1-1

Prime Infrastructure Organization

1-1

Adding Licenses

2-1

Adding a License to Access Features

2-1

Adding Devices to Prime Infrastructure

3-1

Methods for Adding Devices

3-1

Adding Devices Using Discovery

3-1

Understanding the Discovery Process

3-1

Running Discovery

3-2

Running Quick Discovery

3-5

Verifying Discovery

3-5

Importing Devices from Another Source

3-6

CSV File Requirements for Importing Devices

3-7

Adding Devices Manually

3-8

Enabling IPSec Communication When Adding Devices

3-8

About Adding Wireless Devices

3-9

Validating That Devices Were Added Successfully

3-10

Verifying Device Credentials

3-10

Editing Device Parameters

3-10

Synchronizing Devices

3-11

Adding NAM HTTP/HTTPS Credentials

3-11

Exporting Devices

3-12

Next Steps

3-12

Grouping Devices

4-1

Grouping Devices by Device Type

4-1

Setting Up Network Monitoring

5-1

Monitoring Port Groups and Interfaces

5-1

Setting Up WAN Interface Monitoring

5-2

Getting Enhanced Client Information by Integrating with Cisco Identity Services Engine (ISE)

5-3

Adding an Identity Services Engine

5-3

Configuring ACS View Servers

5-3

Integrating Prime Infrastructure with Prime Insight

5-4

Setting Up Assurance for Performance Monitoring

5-4

Enabling NAM Data Collection

5-5

Defining NAM Polling Parameters

5-5

Enabling NetFlow Data Collection

5-5

Changing User Settings

6-1

Changing Your User Preferences

6-1

Changing Your Idle-User Timeout

6-1

Changing List Length

6-2

Viewing and Managing Dashboards

7-1

Viewing Dashboards

7-1

Overview Dashboards

7-2

Wireless Dashboards

7-3

Performance Dashboards

7-3

Network Summary Dashboards

7-5

Data Center Dashboards

7-6

Managing and Editing Dashboards

7-7

Understanding Dashlet Icons

7-7

Adding Dashboards

7-9

Adding Dashlets

7-9

Default Dashlets

7-9

Time Filters for Dashboards and Dashlets

7-15

Overriding a Dashlet Filter

7-15

Creating Generic Dashlets

7-15

Restoring Dashboards

7-16

Part 2: Monitoring Your Network

Monitoring Devices

8-1

Monitoring Network Devices

8-1

Network Devices Page

8-1

Monitoring Jobs

8-2

Monitoring Background Tasks

8-3

Using Packet Capture to Monitor and Troubleshoot Network Traffic

8-3

Securing Network Services

8-4

Monitoring Wireless Devices

9-1

Monitoring Controllers

9-1

Monitoring System Parameters

9-1

Spanning Tree Protocol

9-3

Management Frame Protection

9-3

Rogue AP Rules

9-3

Monitoring Third Party Controllers

9-4

Monitoring Switches

9-4

Configuring the Switch List Page

9-4

Monitoring Switch System Parameters

9-5

Monitoring Switch Interfaces

9-6

Monitoring Switch Clients

9-7

Monitoring Access Points

9-7

Searching for Access Points

9-8

Viewing a List of Access Points

9-8

Configuring the List of Access Points Display

9-8

Types of Reports for Access Points

9-9

Generating Reports for Access Points

9-10

Monitoring Traffic Load

9-11

Monitoring Dynamic Power Control

9-11

Monitoring Access Points Noise

9-11

Monitoring Access Points Interference

9-12

Monitoring Access Points Coverage (RSSI)

9-12

Monitoring Access Points Coverage (SNR)

9-13

Monitoring Access Points Up/Down Statistics

9-13

Monitoring the Access Points Voice Statistics

9-13

Monitoring the Access Points Voice TSM Table

9-14

Monitoring the Access Points Voice TSM Reports

9-14

Monitoring Access Points 802.11 Counters

9-15

Monitoring Access Points AP Profile Status

9-15

Monitoring Access Points Radio Utilization

9-15

Monitoring Access Points Traffic Stream Metrics

9-15

Monitoring Access Points Tx Power and Channel

9-15

Monitoring VoIP Calls

9-16

Monitoring Voice Statistics

9-16

Monitoring Air Quality

9-17

Monitoring Access Points Details

9-17

Monitoring Rogue Access Points

9-18

Detecting Rogue Devices

9-18

Classifying Rogue Access Points

9-19

Monitoring Rogue AP Alarms

9-22

Viewing Rogue AP Alarm Details

9-22

Viewing Rogue Client Details

9-23

Viewing Rogue AP History Details

9-23

Monitoring Ad hoc Rogues

9-24

Monitoring Ad hoc Rogue Alarms

9-24

Viewing Ad hoc Rogue Alarm Details

9-24

Searching Rogue Clients Using Advanced Search

9-25

Monitoring Rogue Access Point Location, Tagging, and Containment

9-25

Detecting Access Points

9-26

Monitoring Rogue Alarm Events

9-27

Viewing Rogue AP Event Details

9-27

Monitoring Ad hoc Rogue Events

9-27

Viewing Ad hoc Rogue Event Details

9-28

Troubleshooting Unjoined Access Points

9-28

Monitoring Spectrum Experts

9-29

Monitoring WiFi TDOA Receivers

9-29

Searching WiFi TDOA Receivers

9-30

Monitoring Media Streams

9-30

Viewing Media Stream Details

9-30

Radio Resource Management

9-31

Viewing the RRM Dashboard

9-31

Monitoring Access Point Alarms

9-31

Monitoring Air Quality Alarms

9-32

Monitoring CleanAir Security Alarms

9-32

Monitoring Cisco Adaptive wIPS Alarms

9-33

Monitoring Cisco Adaptive wIPS Alarm Details

9-33

Monitoring Failure Objects

9-34

Monitoring Events for Rogue Access Points

9-35

Monitoring Events for Ad hoc Rogues

9-36

Monitoring Cisco Adaptive wIPS Events

9-37

Monitoring CleanAir Air Quality Events

9-37

Monitoring Interferer Security Risk Events

9-38

Monitoring Health Monitor Events

9-39

Creating Monitoring Policies and Thresholds

10-1

Default Monitoring Policies

10-1

Modifying Default Monitoring Policies

10-4

Creating New Monitoring Policies

10-4

GETVPN Monitoring Policies

10-4

DMVPN Monitoring Policies

10-7

Monitoring Third-Party Devices By Polling MIBs

10-8

Example: Monitoring IP SLA

10-9

Polled Data in Dashlets and Reports

10-9

Monitoring Alarms

11-1

What Is an Event?

11-1

Recurring Alarms and Events

11-2

What Is an Alarm?

11-2

Defining Alarm Thresholds

11-4

Where to Find Alarms

11-4

Display Options

11-5

Viewing Options for Alarms, Events, and Syslogs

11-5

Displaying Alarm Icons

11-6

Changing Alarm Display Behavior

11-6

Customizing the Alarm Summary

11-7

Changing Alarm Status

11-8

When to Acknowledge Alarms

11-8

Including Acknowledged and Cleared Alarms in Searches

11-9

Changing Alarm and Event Options

11-9

Configuring Alarm Severity Levels

11-9

Customizing Alarms and Events For Traps

11-10

Modifying a Customized Trap Event

11-10

Getting Help for Alarms

11-11

Where to Find Syslogs

11-11

Supported Syslog Formats for Event Based Inventory

11-11

Customizing Alarms and Events For Syslogs

11-13

Modifying a Customized Syslog Event

11-13

Monitoring Clients and Users

12-1

About Wired and Wireless Clients

12-1

Client Dashlets on the General Dashboard

12-2

Client Dashboard

12-2

Monitoring Clients and Users

12-2

Filtering Clients and Users

12-3

Viewing Clients and Users

12-4

When to Use the Client Troubleshooting Tool

12-5

Launching the Client Troubleshooting Tool

12-6

About the Client Troubleshooting Page

12-6

How the Client Troubleshooting Tool Gives Advice

12-8

Searching for Clients

12-11

Analyzing Client Connection Logs

12-11

Viewing Client Event History and Event Logs

12-12

Checking Client ISE Authentication History and Identity Services

12-12

Checking Client Clean Air Environment

12-13

Running Diagnostic Tests on Problem Clients

12-13

When to Run Diagnostic Tests on Problem Clients

12-13

Pinging Problem Clients with Text Messages

12-14

Viewing Real Time Troubleshooting (RTTS) Details

12-14

Debug Commands for RTTS

12-15

Tracking Clients

12-16

Tracking Multiple Clients

12-17

Specifying Notification Settings

12-17

When to Assign a Username

12-18

Identifying Unknown Users

12-19

Modifying the Clients and Users Page

12-19

Enabling Automatic Client Troubleshooting

12-19

When to Obtain Radio Measurements for a Client

12-20

Obtaining Radio Measurements for a Client

12-20

Radio Measurement Results for a Client

12-21

Viewing Client V5 Statistics

12-22

Viewing Client Operational Parameters

12-23

Viewing Client Profiles

12-25

Disabling Current Clients

12-25

Removing Current Clients

12-26

Enabling Mirror Mode

12-26

Mapping Recent Client Locations

12-26

Mapping Current Client Locations

12-27

Running Client Sessions Reports

12-27

Viewing Client Roam Reason Reports

12-27

Viewing Detecting Access Point Details

12-28

Viewing Client Location History

12-28

Viewing Voice Metrics for a Client

12-28

Performance Routing Version 3 Based Network Monitoring

13-1

Performance Routing

13-1

Getting Access to PfR Monitoring for a User Group

13-1

PfR Monitoring Landing Page

13-2

Site to Site PfR Events Table

13-2

PfR Filter Panel

13-3

Metrics Crossing Thresholds Vs Service Provider(s)

13-3

Time Slider

13-4

PfR Site To Site Details Page

13-4

Site to Site PfR Topology

13-5

Comparing WAN Interfaces

13-7

Monitoring Wireless Technologies

14-1

Monitoring Radio Resource Management

14-1

Channel Change Notifications

14-2

Transmission Power Change Notifications

14-2

RF Grouping Notifications

14-2

RRM Dashboard

14-2

Monitoring Interferers

14-4

Configuring the Search Results Display

14-4

Monitoring RFID Tags

14-5

Searching RFID Tags

14-5

Checking RFID Tag Search Results

14-5

Viewing Tag List

14-6

Monitoring Media Streams

14-6

Troubleshooting Unjoined Access Points

14-7

Monitoring Chokepoints

14-8

Adding a Chokepoint to the Prime Infrastructure Database

14-8

Adding a Chokepoint to a Prime Infrastructure Map

14-8

Removing a Chokepoint from the Prime Infrastructure Database

14-9

Removing a Chokepoint from a Prime Infrastructure Map

14-9

Editing a Chokepoint

14-10

Monitoring WiFi TDOA Receivers

14-10

Enhancing Tag Location Reporting with WiFi TDOA Receivers

14-10

Adding WiFi TDOA Receivers to Prime Infrastructure and Maps

14-11

Using Monitoring Tools

15-1

Monitoring Wireless Voice Audit

15-1

Monitoring Wireless Voice Diagnostics

15-2

Monitoring Wireless Configuration Audit

15-2

Monitoring Autonomous AP Migration Analysis

15-3

Monitoring Location Accuracy

15-3

Enabling the Location Accuracy Tool

15-4

Scheduling a Location Accuracy Test

15-4

Running an On-Demand Location Accuracy Test

15-6

Monitoring Packet Capture

15-7

Viewing Performance Graphs

16-1

Creating Performance Graphs

16-1

Viewing Multiple Metrics on a Single Performance Graph

16-1

Performance Graphs Options

16-2

Troubleshooting

17-1

Getting Help from Cisco

17-1

Launching the Cisco Support Community

17-1

Opening a Support Case

17-2

Checking an End User’s Network Session Status

17-2

Troubleshooting Authentication and Authorization

17-3

Troubleshooting Network Attachments

17-4

Troubleshooting Network Attachment Devices

17-4

Troubleshooting Site Network Devices

17-4

Troubleshooting the User Application and Site Bandwidth Utilization

17-5

Troubleshooting User Problems

17-6

Troubleshooting the User’s Experience

17-6

Troubleshooting Voice/Video Delivery to a Branch Office

17-7

Troubleshooting Unjoined Access Points

17-7

Troubleshooting Wireless Performance Problems

17-9

Root Cause and Impact analysis of Physical and Virtual Data Center Components

17-9

Troubleshooting UCS Hardware Problems

17-9

Viewing Bandwidth on Fabric Interconnect Ports

17-10

Monitoring Multiple Prime Infrastructure Instances

18-1

Viewing the Operations Center Dashboards

18-2

Monitoring Your Network Using Operations Center

18-2

Monitoring Devices Using Operations Center

18-3

Using Virtual Domains With Operations Center

18-3

Role Based Access Control Support in Operations Center

18-5

Managing and Monitoring Prime Infrastructure Servers Using Operations Center

18-5

Viewing the Prime Infrastructure Server Status Summary in Operations Center

18-6

Viewing Alarms and Events Using Operations Center

18-6

Viewing Clients and Users Using Operations Center

18-8

Cross-Launching Prime Infrastructure Using Operations Center

18-8

Running Reports With Operations Center

18-8

Operations Center FAQs

18-9

Part 4: Configuring Devices

Configuring Network Devices

19-1

Using Templates to Configure Devices

20-1

Guidelines for Planning Your Network Design

20-1

Creating Feature-Level Configuration Templates

20-2

Creating Features and Technologies Templates

20-2

Creating CLI Templates

20-4

Tagging Templates

20-11

Creating Composite Templates

20-12

Shared Policy Objects

20-13

Interface Roles

20-14

Creating Interface Roles

20-14

Creating Network Objects

20-14

Creating a Security Rule Parameter Map

20-15

Creating a Security Service Group

20-15

Creating a Security Zone

20-15

Grouping Configuration Templates with Devices

20-16

Controller Configuration Groups

20-17

Creating Controller Configuration Groups

20-17

Adding or Removing Controllers from Configuration Groups

20-18

Configuring Multiple Country Codes

20-18

Applying or Scheduling Configuration Groups

20-19

Auditing Configuration Groups

20-20

Rebooting Configuration Groups

20-20

Retrieving Configuration Group Reports

20-21

Creating Wireless Configuration Templates

20-21

Creating Lightweight AP Configuration Templates

20-21

Creating Autonomous AP Configuration Templates

20-22

Creating Controller WLAN Configuration Policy Templates

20-22

Creating Autonomous AP Migration Templates

20-23

Creating Switch Location Configuration Templates

20-23

Creating Wireless Templates

20-24

Controller Templates

20-24

Creating System Templates

20-27

About WLAN Templates

20-34

Creating WLAN Configuration Templates

20-35

Client Profiling

20-35

Creating FlexConnect Templates

20-41

Creating Security Templates

20-44

Creating General Security Controller Templates

20-45

Creating File Encryption Templates

20-46

RADIUS Authentication Templates

20-46

Creating RADIUS Accounting Templates

20-48

Creating RADIUS Fallback Templates

20-49

LDAP Server Templates

20-49

TACACS+ Server Templates

20-50

Local EAP General Templates

20-51

Local EAP Profile Templates

20-52

EAP-FAST Templates

20-54

Creating Network User Priority Templates

20-54

Local Network Users Templates

20-55

Guest User Templates

20-56

User Login Policies Templates

20-57

Creating a MAC Filter Template

20-57

Access Point or MSE Authorization Templates

20-58

Creating a Manually Disabled Client Template

20-59

Access Point Authentication and MFP Templates

20-60

Web Authentication Templates

20-61

Creating External Web Auth Server Templates

20-64

Creating a Security Password Policy Template

20-64

Creating Security - Access Control Templates

20-65

Creating an Access Control List Template

20-65

Creating a FlexConnect Access Control List Template

20-67

Creating an ACL IP Groups Template

20-69

Creating an ACL Protocol Groups Template

20-70

Creating Security - CPU Access Control List Templates

20-71

Creating a CPU Access Control List (ACL) Template

20-71

Creating Security - Rogue Templates

20-71

Creating a Rogue Policies Template

20-72

Rogue AP Rules

20-73

Creating a Rogue AP Rules Template

20-73

Creating a Rogue AP Rule Groups Template

20-74

Deploying a Rogue AP Rule Groups Template

20-75

Viewing Deployed Rogue AP Rules

20-76

Friendly Access Point Templates

20-76

Ignored Rogue AP Templates

20-77

Creating 802.11 Templates

20-78

Creating Load Balancing Templates

20-78

Creating Band Selection Templates

20-78

Creating Preferred Call Templates

20-79

Creating Media Stream for Controller Templates (802.11)

20-80

Creating RF Profiles Templates (802.11)

20-81

SIP Snooping

20-82

Creating 802.11a/n Radio Templates

20-83

Creating 802.11b/g/n Radio Templates

20-96

Creating Mesh Settings Templates

20-108

Creating Management Templates

20-109

Creating CLI Templates

20-115

Creating Location Configuration Templates

20-115

Creating LyncSDN Templates

20-117

Creating IPv6 Templates

20-119

Creating Proxy Mobile IPv6 Templates

20-121

Creating mDNS Templates

20-123

Creating AVC Profiles Templates

20-124

Creating NetFlow Templates

20-126

Creating AP Configuration Templates

20-127

Configuring a New Lightweight Access Point Template

20-127

Creating Autonomous Access Point Templates

20-129

Configuring Switch Location Configuration Templates

20-131

Creating Autonomous AP Migration Templates

20-131

Migrating an Autonomous Access Point to a Lightweight Access Point

20-132

Viewing the Current Status of Cisco IOS Access Points

20-135

Deploying Templates

20-136

Configuring Wireless Devices

21-1

Configuring Controllers

21-1

Viewing All Controllers

21-2

Wireless Controller Summary Information

21-2

Controller-Specific Commands

21-3

Auditing Controllers

21-4

Updating Controller Credentials

21-5

Updating Controller Credentials in Bulk

21-6

Rebooting Controllers

21-6

Downloading Software to Controllers

21-7

Configuring IPaddr Upload Configuration/Logs from Controllers

21-8

Downloading IDS Signatures to Controllers

21-8

Downloading Customized WebAuthentication Bundles to Controllers

21-9

Downloading Vendor Device Certificates to Controllers

21-10

Downloading Vendor CA Certificates to Controllers

21-10

Saving Controller Configurations to Flash

21-11

Synchronizing Configurations from Controllers

21-11

Managing Controller Templates

21-11

Replacing Old Controller Models with New Models

21-13

Modifying Controller Properties

21-13

Configuring Controller System Parameters

21-14

Uploading Configuration and Logs from Controllers

21-18

Downloading Configurations to Controllers

21-19

Configuring Controller System Interfaces

21-19

Adding Interfaces to Controllers

21-19

Viewing or Modifying Controller Interface Details

21-20

Configuring Controller System Interface Groups

21-21

NAC Integration

21-23

Guidelines for Using SNMP NAC

21-23

Guidelines for Using RADIUS NAC

21-24

Configuring NAC Out-of-Band Integration (SNMP NAC): Workflow

21-24

Wired Guest Access

21-26

Creating an Ingress Interface

21-29

Creating an Egress Interface

21-29

Configuring Controller Network Routes

21-30

Viewing Controller Spanning Tree Protocol Parameters

21-31

Configuring Controller Mobility Groups

21-31

Background Scanning on 1510s in Mesh Networks

21-35

Configuring Controller QoS Profiles

21-37

Configuring Controller DHCP Scopes

21-37

Viewing Controller User Roles

21-38

Adding a New Local Net User Role to Controllers

21-39

Configuring a Global Access Point Password

21-39

Configuring Global CDP

21-40

Configuring AP 802.1X Supplicant Credentials

21-40

Configuring Controller DHCP

21-41

Configuring Access Point Timer Settings

21-43

Configuring Controller WLANs

21-44

Configuring Controller WLANs

21-44

Viewing Controller WLAN Configurations

21-44

Adding Policies to Controller WLANs

21-45

Configuring Mobile Concierge (802.11u) on WLANs

21-46

Adding WLANs to Controllers

21-48

Deleting Controller WLANs

21-49

Scheduling Status Changes for Multiple Controller WLANs

21-49

Viewing WLAN Mobility Anchors

21-50

Working with WLAN AP Groups

21-51

Creating Controller WLAN AP Groups

21-52

Deleting Controller WLAN AP Groups

21-53

Auditing Controller WLAN AP Groups

21-54

Configuring FlexConnect on APs

21-54

Supported Platforms for FlexConnect

21-55

FlexConnect Guidelines and Limitations

21-55

FlexConnect Authentication Process

21-56

FlexConnect Operation Modes

21-56

FlexConnect States

21-57

Configuring FlexConnect: Workflow

21-58

FlexConnect AP Groups

21-63

Viewing FlexConnect AP Groups

21-65

Configuring FlexConnect AP Groups

21-66

Verifying APs in FlexConnect Groups

21-67

Auditing FlexConnect Groups

21-67

Configuring Controller Security Parameters

21-67

Configuring Controllers AAA Security

21-68

Configuring Controller Web Auth Certificates

21-82

Configuring Controller User Login Policies

21-83

Managing Manually Disabled Clients

21-83

Configuring Controller Access Control Lists

21-84

FlexConnect Access Control Lists

21-86

Configuring IDS Signatures

21-92

802.11 Parameters

21-98

Configuring 802.11a/n Parameters

21-105

Configuring 802.11b/g/n General Parameters

21-120

Configuring Mesh Parameters

21-132

Configuring Port Parameters

21-136

Configuring Controller Management Parameters

21-137

Configuring Location Configurations

21-144

Configuring IPv6

21-146

Configuring Proxy Mobile IPv6

21-148

Configuring mDNS

21-151

Configuring Application Visibility and Control Parameters

21-153

Configuring NetFlow

21-155

Configuring Third-Party Controllers and Access Points

21-156

Adding a Third-Party Controller

21-157

Viewing Third-Party Controller Operational Status

21-157

Viewing the Details of Third-Party Access Points

21-158

Removing Third-Party Access Points

21-158

Viewing Third-Party Access Point Operational Status

21-159

Configuring Switches

21-160

Features Available by Switch Type

21-160

Viewing Switches

21-161

Viewing Switch Details

21-161

Modifying SNMP Parameters

21-161

Modifying Telnet/SSH Parameters

21-162

Adding Switches

21-162

Removing Switches

21-164

Enabling Traps and Syslogs on Switches for Wired Client Discovery

21-164

Example: MAC Notification for Traps (Used for Non-Identity Client Discovery)

21-164

Syslog Configuration

21-165

OfficeExtend Access Point

21-165

Link Latency Settings for Access Points

21-166

Configuring Link Latency

21-167

Configuring Unified Access Points

21-167

Using the Sniffer Feature

21-168

Configuring Controller Redundancy

21-169

Configuring Cisco Adaptive wIPS Profiles

21-170

Accessing wIPS Profiles

21-170

Adding wIPS Profiles

21-171

Editing wIPS Profiles

21-172

Applying wIPS Profiles

21-173

Deleting wIPS Profiles

21-174

Associating SSID Groups With wIPS Profiles

21-174

Managing MSE High Availability Using Prime Infrastructure

21-175

MSE HA Automatic vs Manual Failover and Failback

21-176

Pairing MSE HA Servers

21-176

Viewing Configured Parameters for MSE HA Devices

21-178

Viewing MSE High Availability Status

21-178

Triggering MSE HA Manual Failover or Failback

21-179

Enabling Automatic MSE HA Failover and Failback

21-180

Unpairing MSE HA Servers

21-180

Auto Provisioning for Controllers

21-180

Creating Controller Configuration Groups

22-1

Adding Controller Configuration Groups

22-1

Configuring Controller Configuration Groups

22-2

Adding or Removing Controllers from a Configuration Group

22-3

Adding or Removing Templates from the Configuration Group

22-4

Applying or Scheduling Configuration Groups

22-4

Auditing Configuration Groups

22-5

Rebooting Configuration Groups

22-6

Viewing Configuration Group Reports

22-7

Downloading Software to Configuration Groups

22-7

Downloading IDS Signatures to Configuration Groups

22-8

Downloading Customized WebAuth to Configuration Groups

22-8

About Mobility

22-9

Intra-Controller Roaming

22-9

Inter-Controller Roaming

22-10

Inter-Subnet Roaming

22-11

Symmetric Tunneling

22-12

About Mobility Groups

22-13

When to Include Controllers in a Mobility Group

22-14

Messaging Among Mobility Groups

22-15

Configuring Mobility Groups: Workflow

22-15

Before You Begin Configuring Mobility Groups

22-16

Adding Controllers to Mobility Groups

22-16

Adding Controllers to Mobility Groups Manually

22-17

Setting Mobility Scalability Parameters

22-18

Mobility Anchors

22-19

Adding Multiple Controllers And Setting DCA Channels

22-19

Configuring Controller Mobility Groups: Workflow

22-19

Configuring Wireless Technologies

23-1

Chokepoints

23-1

Adding Chokepoints

23-1

Removing Chokepoints

23-2

Adding Chokepoints to Maps

23-2

Removing Chokepoints from Maps

23-3

Editing Chokepoints

23-3

Wi-Fi TDOA Receivers

23-3

Using Wi-Fi TDOA Receivers to Enhance Tag Location Reporting

23-4

Adding Wi-Fi TDOA Receivers

23-4

Adding Wi-Fi TDOA Receivers to Maps

23-5

Editing Wi-Fi TDOA Receivers

23-6

Removing Wi-Fi TDOA Receivers

23-6

Scheduling Configuration Tasks

24-1

Managing Scheduled Configuration Tasks

24-1

Managing AP Template Tasks

24-1

Viewing WLAN Configuration Scheduled Task Results

24-2

Managing Software Downloads

24-2

Auditing Device Configurations to Ensure Compliance

25-1

Compliance Auditing Prerequisites

25-2

Creating Compliance Policies

25-2

Creating Compliance Policy Rules

25-3

Policy Group Details

25-9

Grouping Policies into Compliance Profiles

25-11

Running Compliance Profiles Against Devices

25-12

Viewing Compliance Audit Results

25-12

Fixing Compliance Violations on Devices

25-14

Viewing Violation Summary Details

25-14

Viewing Device Security Vulnerabilities

25-15

Viewing End-of-Life Reports

25-15

Viewing Field Notices for Devices

25-16

Configuring Plug and Play

26-1

Plug and Play Workflow

26-1

APIC-EM and Plug and Play

26-2

Integrating APIC-EM with Prime Infrastructure

26-2

Plug and Play Profiles

26-3

Creating Plug and Play Profiles

26-3

Importing Device Profiles into Plug and Play Profiles

26-5

Deploying Plug and Play Profiles

26-5

Deleting Plug and Play Profiles

26-6

Bootstrap Configuration

26-7

Methods of Installing Bootstrap Configurations

26-7

Exporting the Bootstrap Configuration

26-8

Exporting the Bootstrap Configuration Using TFTP

26-8

Emailing the Bootstrap Configuration

26-9

Emailing the PIN for the Bootstrap Configuration

26-9

Using DHCP to Export Bootstrap Configurations

26-10

Getting Help Setting Up and Configuring Devices

26-10

Preconfiguring Devices to be Added Later

26-11

Supported Devices and Software Images for Plug and Play Setup Workflow

26-11

Getting the Configuration to New Devices

26-12

Prerequisites for Delivering Plug and Play Profiles

26-13

Specifying Device Credentials

26-13

Saving the Plug and Play Profile

26-14

Prerequisites for Deploying Bootstrap Configuration into a Device

26-14

Verifying Plug and Play Provisioning Status

26-16

Getting Help Setting Up Access Switches

26-16

Before You Begin

26-17

Assign Devices to Location

26-17

Choose Devices

26-17

Configuring Wired Features Using Guided Mode

26-18

IP Address Options

26-19

Device Credentials

26-19

VLAN and Switching Parameters

26-19

Auto Smartports and Uplinks

26-19

Confirmation

26-20

Configuring Wired Features Using Advanced Mode

26-20

Configuring Wireless Features

26-21

Create Groups

26-21

Wireless Parameters

26-21

Wireless LAN Security

26-21

Guest Access

26-21

Confirmation

26-21

Configuring Plug and Play Controller Auto Provisioning

26-22

Using the Auto Provisioning Filter List

26-22

Adding an Auto Provisioning Filter

26-22

Auto Provisioning Primary Search Key Settings

26-23

Part 6: Managing Device Inventory

Viewing Devices

27-1

Viewing Network Devices

27-1

Viewing Compute Devices

27-3

Creating User Defined UCS Groups

27-6

Creating User Defined Hosts and VMs

27-6

Updating Device Inventory

28-1

Changing Discovery Settings

28-1

Scheduling Discovery Jobs

28-2

Monitoring the Discovery Process

28-2

Discovery Protocols and CSV File Formats

28-2

Updating Device Inventory Manually

28-3

Editing Device Inventory Manually

28-3

Importing Device Inventory

28-4

Using Credential Profiles

28-4

Adding Credential Profiles

28-4

Editing Credential Profiles

28-5

Deleting Credential Profiles

28-5

Copying Credential Profiles

28-6

Viewing Devices Associated with a Credential Profile

28-6

Troubleshooting Unmanaged Devices

28-7

CHAPTER 29

Managing and Monitoring Compute Resources

29-1

Managing VMware Vcenter Server

29-1

Adding VMware Vcenter Servers

29-1

CSV File Requirements for Importing Vcenter

29-2

Monitoring Performance of Compute Resources

29-2

Setting Polling Interval for Monitoring Compute Resources

29-2

Monitoring Clusters

29-3

CHAPTER 30

Maintaining Software Images

30-1

Setting Image Management and Distribution Preferences

30-3

Managing Software Images

30-4

Importing Software Images

30-4

Changing Software Image Requirements

30-5

Deploying Software Images to Devices

30-6

Supported Image Format for Stack Devices

30-7

Viewing Recommended Software Images from Cisco.com

30-8

Analyzing Software Image Upgrades

30-8

CHAPTER 31

Working with Device Configurations

31-1

Configuration Archives

31-1

Changing Prime Infrastructure Device Configuration Settings

31-2

Changing Prime Infrastructure Configuration Archive Collection Settings

31-2

Supported Syslog Formats for Configuration Archive Collection Settings

31-3

Comparing Current and Previous Device Configurations

31-3

Scheduling Configuration Archive Tasks

31-4

Overview of Device Configurations

31-4

Changing a Single Device Configuration

31-5

Adding a Wireless LAN Controller

31-5

Changing Wireless LAN Controller Configuration Settings

31-5

Rebooting Controllers

31-6

Configuration Rollbacks

31-6

Rolling Back Device Configuration Versions

31-6

Deleting Device Configurations

31-7

CHAPTER 32

Grouping Devices, Ports and Data Center

32-1

Types of Groups

32-1

Creating Device Groups

32-2

Using Location Groups

32-3

Creating Location Groups

32-3

Location Groups and Wireless Maps

32-4

Editing User Defined and Location Groups

32-4

Duplicating User Defined and Location Groups

32-4

Deleting User Defined and Location Groups

32-5

Device Accessibility in Parent-Child Device and Location Groups

32-5

Hiding Empty Groups

32-5

Creating Groups of Ports

32-6

Creating Device Context or Group Context Port Groups

32-6

Understanding System Defined Port Groups

32-7

Adding Access Points (AP) to Device Group or Location Group

32-8

Creating Customized Port Groups

32-8

Grouping Integration with Data Center

32-9

PART 7

Visualizing the Network

CHAPTER 33

Using Network Topology Maps

33-1

Network Topology Overview

33-2

Understanding Topology Map Functions and Icons

33-4

Navigating in Topology Maps

33-4

Topology Map Icons

33-5

Before Using Topology Maps

33-5

Viewing Detailed Tables of Alarms and Links

33-6

Determining What is Displayed in the Topology Map

33-6

Displaying Network Elements in the Topology Map

33-7

Viewing the Contents of a Sub-Group in the Topology Map

33-8

Manually Adding Links to the Topology Map

33-9

Adding Unmanaged Devices and Links to Topology Maps

33-9

Changing the Link and Device Types Shown in the Topology Map

33-10

Showing and Hiding Alarms, Links, and Labels in the Topology Map

33-10

Isolating Specific Sections of a Large Topology Map

33-11

Getting More Information About Devices

33-11

Getting More Information About Links

33-12

Viewing Fault Information for Devices and Links

33-12

Using Device 360° to View a Device’s Network Topology

33-13

Changing the Topology Map Layout

33-14

Saving the Topology Map Layout

33-14

Saving the Topology Map as an Image File

33-15

Creating a Topology Dashlet

33-15

CHAPTER 34

Using Wireless Maps

34-1

About Prime Infrastructure Site Maps

34-1

Site Map Hierarchy

34-1

Site Map Graphics

34-2

Network Elements on Site Maps

34-2

Wireless Coverage Areas, Inclusion/Exclusion Regions and Rail Lines on Maps

34-2

Preparing Image Files for Use with Prime Infrastructure Maps

34-3

Troubleshooting Problems With CAD Image File Imports

34-4

Default Campus Maps

34-4

Disabling Next Generation Maps

34-5

Working With Site Maps

34-5

Creating Campus Maps

34-5

Adding Image Files to Campus Maps

34-6

Adding Location Information to Campus Maps

34-7

Changing Default Map Measurement Units

34-7

Adding Buildings to Campus Maps

34-8

Moving Buildings and Floors to Another Campus

34-9

Copying and Moving Campuses, Buildings and Floors

34-9

Adding Floor Areas to Buildings

34-10

Adding Image Files to Floor Areas

34-12

Monitoring Floor Areas

34-26

Panning and Zooming with Next Generation Maps

34-27

Adding Access Points to a Floor Area

34-27

Using the Automatic Hierarchy to Create Maps

34-30

Using the Map Editor

34-33

Guidelines for Using the Map Editor

34-33

Guidelines for Placing Access Points

34-34

Guidelines for Inclusion and Exclusion Areas on a Floor

34-35

Opening the Map Editor

34-36

Map Editor Icons

34-36

Using the Map Editor to Draw Coverage Areas

34-37

Using the Map Editor to Draw Obstacles

34-38

Defining an Inclusion Region on a Floor

34-38

Defining an Exclusion Region on a Floor

34-39

Defining a Rail Line on a Floor

34-40

Adding an Outdoor Area

34-41

Using Chokepoints to Enhance Tag Location Reporting

34-42

Adding Chokepoints to Prime Infrastructure

34-42

Adding a Chokepoint to a Prime Infrastructure Map

34-43

Positioning Chokepoints

34-44

Configuring Wi-Fi TDOA Receivers

34-44

Adding Wi-Fi TDOA Receivers to Prime Infrastructure

34-45

Adding Wi-Fi TDOA Receivers to a Map

34-45

Positioning Wi-Fi TDOA Receivers

34-45

Managing RF Calibration Models

34-46

Managing Location Presence Information

34-54

Searching Maps

34-54

Using the Map Editor

34-55

Inspecting Location Readiness and Quality

34-60

Inspecting Location Readiness

34-60

Inspecting Location Quality Using Calibration Data

34-61

Inspecting VoWLAN Readiness

34-62

Troubleshooting Voice RF Coverage Issues

34-62

Monitoring Mesh Networks Using Maps

34-63

Monitoring Mesh Link Statistics Using Maps

34-63

Monitoring Mesh Access Points Using Maps

34-64

Monitoring Mesh Access Point Neighbors Using Maps

34-65

Viewing the Mesh Network Hierarchy

34-66

Using Mesh Filters to Modify Map Display of Maps and Mesh Links

34-67

Monitoring Tags Using Maps

34-69

Using Planning Mode

34-69

Accessing Planning Mode

34-70

Using Planning Mode to Calculate Access Point Requirements

34-71

Wireless Map Refresh Options

34-74

Understanding RF Heatmap Calculation

34-75

Drawing Polygon Areas in Wireless Maps

34-75

Floor View in Wireless Maps

34-76

Associating Endpoints with a Site

34-77

Viewing Google Earth Maps in Prime Infrastructure

34-77

Viewing Google Earth Map Details

34-78

Creating Outdoor Locations using Geographical Coordinates

34-78

Required Geographical Coordinates

34-79

Creating a KML File with Geographical Coordinates

34-80

Creating Placemarks for KML Files

34-80

Creating a CSV File with Geographical Coordinates

34-81

Importing Geographical Coordinates Files into Prime Infrastructure

34-82

Adding Google Earth Location Launch Points to Access Point Pages

34-82

Configuring Google Earth Settings for Access Points

34-83

Editing Wireless Maps

34-83

Editing Floors

34-83

Editing Wireless Maps

34-83

Location Accuracy

34-84

Viewing Location Accuracy and Readiness

34-84

Inspecting Location Quality Using Calibration Data

34-85

Viewing VoWLAN Readiness

34-85

Using Chokepoints to Enhance Tag Location Reporting

34-86

Adding Wi-Fi TDOA Receivers

34-86

Defining Inclusion Regions on Floors

34-86

Defining Exclusion Regions on Floors

34-87

Using Maps to Monitor Your Network

34-88

Monitoring Mesh Networks Using Maps

34-89

Monitoring Mesh Link Statistics Using Maps

34-89

Monitoring Mesh Access Points Using Maps

34-90

Viewing Mesh Access Point Configuration Details

34-90

Monitoring Mesh Access Point Neighbors Using Maps

34-91

Viewing the Mesh Network Hierarchy Using Maps

34-91

Using Mesh Filters to Modify Map Display of Maps and Mesh Links

34-92

Monitoring Tags Using Maps

34-93

Viewing Device Details Using Maps

34-94

Using Maps to Plan Your Network Design

34-94

Using Planning Mode

34-94

Using Planning Mode to Calculate Access Point Requirements

34-95

Network Design

34-98

Designing a Network

34-98

Importing or Exporting WLSE Map Data

34-98

Troubleshooting Voice RF Coverage Issues

34-99

PART 8

Ensuring Network Services

CHAPTER 35

Configuring and Monitoring IWAN

35-1

Prerequisites for Enabling IWAN Services

35-1

Using the IWAN Wizard

35-3

Using PKI with IWAN-DMVPN Service

35-3

CHAPTER 36

Using Converged Access Workflow

36-1

Converged Access Workflow Overview

36-1

Supported IOS-XE Platforms

36-3

Prerequisites for Converged Access Deployment

36-4

Prerequisites for Layer 2 and Layer 3

36-4

Prerequisites for Server Configuration

36-8

Converged Access Template Based Deployment

36-8

Guidelines for Entering Configuration Values

36-10

Converged Access Template Field Descriptions

36-10

Entering Configuration Values for Controller-less Single-Switch Deployment Model

36-12

Entering Configuration Values for Controller-Less Large Wireless Deployment Model

36-16

Entering Configuration Values for Controller-Based Large Wireless Deployment Model

36-18

Entering Configuration Values for Centralized Wireless Campus Deployment Model

36-20

CHAPTER 37

Configuring Application Visibility and Control

37-1

Configuring the Device using WSMA

37-1

Configuring Application Visibility

37-2

Estimating CPU, Memory and NetFlow Resources on ASR Devices

37-4

NBAR Protocol Packs

37-5

Creating an Application Visibility Template

37-5

Enabling Default Application Visibility on an Interface

37-7

Application Visibility Troubleshooting Sessions

37-8

Activating or Deactivating a Troubleshooting Session

37-9

Editing or Deleting a Troubleshooting Session

37-10

Managing Data Sources

37-10

Viewing Current Data Sources

37-11

Deleting Data Sources

37-11

Enabling Data Deduplication

37-12

Creating a VPN Component Template

37-12

Creating an IKE Policies Template

37-12

Creating an IKE Settings Template

37-12

Creating an IPsec Profile Template

37-13

Creating a Preshared Keys Template

37-13

Creating RSA Keys Template

37-14

Creating a Transform Sets Template

37-14

Configuring an Easy VPN Server

37-14

Creating an Easy VPN Server Proxy Setting Template

37-15

Creating an Easy VPN Remote Template

37-15

Creating an Easy VPN Server Template

37-16

Creating a GSM Profile Template

37-17

Creating a Cellular Profile Template

37-18

Redirecting HTTP and HTTPS Traffic

37-18

Configuring Interfaces

37-19

Configuring a Serial Interface

37-19

Configuring POS Interface

37-20

Configuring a Service Module

37-21

Configuring Controllers

37-21

Creating a Gigabit Ethernet or Fast Ethernet Interface

37-22

Creating a Loopback Interface

37-22

Creating a VLAN Interface

37-22

Editing a VLAN Interface

37-23

Creating a Tunnel Interface

37-23

Editing an Existing Tunnel Interface

37-23

Creating a Virtual Template Interface

37-24

Editing an Existing Virtual Template Interface

37-24

Configuring Cellular WAN Interfaces

37-25

Configuring a CDMA Interfaces

37-25

Configuring a GSM Interfaces

37-25

Configuring Network Address Translation (NAT)

37-26

NAT Types

37-26

Configuring NAT for IP Address Conservation

37-26

Creating NAT IP Pools

37-27

Creating NAT44 Rules

37-27

Configuring Interfaces

37-28

Setting Up NAT MAX Translation

37-29

Configuring DMVPN

37-29

Creating a DMVPN Tunnel

37-29

Configuring Hub and Spoke Topology

37-31

Configuring a DMVPN Fully Meshed Topology

37-31

Configuring a Cluster Topology

37-32

Editing a DMVPN

37-32

Deleting a DMVPN

37-33

Configuring GETVPN

37-33

Creating a GETVPN Group Member

37-34

Creating a GETVPN Key Server

37-35

Editing a GETVPN Group Member or Key Server

37-35

Deleting a GETVPN Group Member or Key Server

37-36

Configuring VPN Components

37-36

Configuring IKE Policies

37-37

Configuring IKE Settings

37-37

Configuring IPsec Profiles

37-38

Creating Preshared Keys

37-38

Creating RSA Keys

37-39

Configuring Transform Sets

37-40

Creating a Zone-Based Firewall

37-40

Configuring a Zone-Based Firewall Template

37-42

Creating an Interface Role

37-42

Creating an IPv4 Network Object

37-42

Defining Device Override

37-43

Creating a Zone-Based Firewall Policy Rules Template

37-43

Configuring a Zone-Based Firewall on a Single Device

37-43

Creating a Routing Protocol

37-50

Creating a Static Route

37-50

Creating a RIP Route

37-51

Creating an EIGRP Route

37-51

Creating an OSPF Route

37-52

Configuring NAM with Application Servers

37-53

CHAPTER 38

Ensuring Consistent Application Experiences

38-1

Evaluating Service Health

38-2

Creating Custom Applications

38-3

Service Health Window

38-4

Viewing the Health Timeline

38-5

Health Rules

38-5

Enabling Baselining

38-5

Establishing Performance Baselines

38-7

Identifying Optimization Candidates

38-7

Validating Optimization ROI

38-8

Monitoring Optimized Flows

38-9

CHAPTER 39

Troubleshooting Applications

39-1

CHAPTER 40

Monitoring Microsoft Lync Traffic

40-1

Setting Up Lync Monitoring

40-1

Viewing Microsoft Lync Data

40-2

Monitoring End-User Microsoft Lync Experience

40-2

Monitoring Microsoft Lync Data Between Sites

40-3

Understanding Voice Quality Value

40-3

CHAPTER 41

Using Mediatrace

41-1

Troubleshooting RTP and TCP Flows Using Mediatrace

41-1

Using the Mediatrace Tables

41-1

Running Mediatrace from Selected RTP or TCP Flows

41-2

Launching an Ad Hoc Mediatrace From Endpoints

41-4

Troubleshooting Worst RTP Endpoints Using Dashlets

41-5

Comparing Flow Data From Multiple Sources

41-6

CHAPTER 42

Cisco Mobility Services Engine and Services

42-1

Adding MSEs to Prime Infrastructure

42-2

MSE Licensing

42-5

Installing Device and wIPS License Files

42-6

Viewing MSE License Information

42-7

Deleting MSE License Files

42-7

Viewing MSEs

42-8

Deleting MSEs from Prime Infrastructure

42-8

Adding a Location Server

42-9

Synchronizing Prime Infrastructure and MSE

42-9

Synchronizing Controllers with MSEs

42-11

Managing Third-Party Elements on MSEs

42-12

Setting and Verifying the Controller Time Zones

42-13

Configuring Smart Mobility Services Engine Database Synchronization

42-14

Viewing MSE Synchronization Status

42-15

Viewing Synchronization History

42-16

Viewing MSE Notification Statistics

42-17

Editing MSE General Properties for MSE

42-17

Editing NMSP Parameters for MSE

42-19

Viewing Active Session Details for MSE

42-20

Viewing Trap Destinations for MSE

42-20

Adding Trap Destinations for MSE

42-21

Editing Advanced Parameters for MSE

42-22

Rebooting the MSE Hardware

42-23

Shutting Down the MSE Hardware

42-23

Clearing the MSE Database

42-23

Configuring MSE Logging Options

42-24

Adding MSE Users

42-25

Deleting MSE Users

42-26

Editing User Properties

42-26

Adding User Groups

42-26

Deleting User Groups

42-27

Editing Group User Permissions

42-27

Monitoring Status Information for MSEs

42-28

Viewing MSE Server Events

42-28

Viewing MSE Audit Logs

42-28

Viewing MSE Alarms

42-29

Out-of-Sync Alarms

42-29

Viewing MSE Events

42-29

Viewing MSE NMSP Connection Status

42-30

Editing MSE Backup Parameters

42-31

Backing Up MSE Historical Data

42-32

Restoring MSE Historical Data

42-32

Downloading Software to MSEs

42-33

Configuring Partner Systems for MSEs

42-33

Managing Cisco Adaptive wIPS Service Parameters

42-35

Managing Context-Aware Service Software Parameters

42-35

Context-Aware Service General Parameters

42-36

Modifying Tracking Parameters for Mobility Services

42-37

Filtering Parameters for Mobility Services

42-40

Modifying History Parameters for Mobility Services

42-42

Enabling Location Presence for Mobility Services

42-43

Importing Asset Information for Mobility Services

42-44

Exporting Asset Information for Mobility Services

42-44

Importing Civic Information for Mobility Services

42-44

Context-Aware Service Wired Parameters

42-45

Context-Aware Service Advanced Parameters

42-47

Viewing MSE Notifications Summary

42-52

Viewing and Managing MSE Notifications

42-54

Viewing Notification Statistics

42-54

Mobile Concierge Service Parameters

42-55

Event Groups

42-56

Adding Event Groups

42-56

Deleting Event Groups

42-56

Working with Event Definitions

42-56

Adding Event Definitions

42-58

Deleting an Event Definition

42-61

Searching for Wireless Client on MSE by IPv6 Address

42-62

Viewing Clients Detected by MSE

42-63

Viewing MSE Alarm Details

42-65

Monitoring with Mobile Concierge Services

42-66

Defining Venues

42-66

Deleting Venues

42-68

Defining Providers with Policies

42-68

Deleting Providers

42-69

Defining Policies

42-70

Deleting Policies

42-71

CHAPTER 43

Configuring the Cisco AppNav Solution

43-1

Overview of Cisco AppNav

43-1

Components of Cisco AppNav

43-1

Prerequisites for Configuring Cisco AppNav

43-3

Configuring Cisco AppNav

43-3

Configuring Cisco AppNav from the Device Work Center

43-4

Configuring Cisco AppNav Using Templates

43-5

Deploying a Cisco AppNav Template

43-6

Configuring Cisco AppNav Automatically During ISR-WAAS Container Activation

43-7

CHAPTER 44

Configuring the Cisco WAAS Container

44-1

Prerequisites for Installing an ISR-WAAS Container

44-1

Cisco WAAS Central Manager Integration

44-1

Cisco WAAS Central Manager Integration

44-2

Configuring Single Sign-On

44-2

Creating a Username in Cisco WAAS Central Manager

44-3

Cross-Launching Cisco WAAS Central Manager

44-3

Defining Interface Roles

44-4

Importing an OVA image

44-4

Configuring Cisco AppNav Automatically During ISR-WAAS Container Activation

44-5

Installing an ISR-WAAS Container

44-5

Installing and Activating an ISR-WAAS Container

44-5

Installing an ISR-WAAS Container on a Single Router

44-6

Installing an ISR-WAAS Container on Multiple Routers

44-6

Uninstalling and Deactivating a Cisco WAAS Container

44-7

Uninstalling a Single Cisco ISR-WAAS Container

44-7

Uninstalling a Multiple Cisco ISR-WAAS Container

44-7

Deactivating a Cisco ISR-WAAS Container

44-8

CHAPTER 45

Working with Wireless Mobility

45-1

What Is Mobility?

45-1

New Mobility

45-2

Mobility Work Center

45-2

Creating a Mobility Domain

45-3

Creating a Switch Peer Group

45-4

Changing a Mobility Role

45-4

Mobility Anchors

45-5

Configuring a Guest Anchor Controller for a WLAN

45-5

Configuring Spectrum Experts

45-6

Adding a Spectrum Expert

45-6

Creating wIPS Profiles

45-8

CHAPTER 46

Managing Various Reports

46-1

Managing Reports

46-2

Creating, Scheduling, and Running a New Report

46-2

Combining Reports

46-3

Customizing Report Results

46-4

About Scheduled Reports

46-5

About Saved Report Templates

46-6

Prime Infrastructure Reports

46-6

APPENDIX A

Prime Infrastructure User Interface Reference

A-1

Understanding the Prime Infrastructure User Interface

A-1

Toolbar

A-1

Filters

A-2

Data Entry Features

A-3

Interactive Graphs

A-4

Common UI Tasks

A-6

Changing Your Password

A-6

Changing Your Active Domain

A-6

Setting Your Home Page

A-7

Changing User Preferences

A-7

Getting Device Details from Device 360° View

A-7

Getting User Details from the User 360° View

A-10

Getting Help

A-11

Search Methods

A-12

Performing an Application Search

A-12

Performing an Advanced Search

A-12

Performing a Saved Search

A-20

APPENDIX B

System Time Zones

B-1

PART 1

Getting Started

Introduction to Cisco Prime Infrastructure

Adding Licenses

Adding Devices to Prime Infrastructure

Grouping Devices

Setting Up Network Monitoring

Changing User Settings

CHAPTER 1

Introduction to Cisco Prime Infrastructure

Cisco Prime Infrastructure is a network management tool that supports lifecycle management of your entire network infrastructure from one graphical interface. Prime Infrastructure provides network administrators with a single solution for provisioning, monitoring, optimizing, and troubleshooting both wired and wireless devices. Robust graphical interfaces make device deployments and operations simple and cost-effective.

Prime Infrastructure Organization

The Prime Infrastructure web interface is organized into a lifecycle workflow that includes the high-level task areas described in Table 1-1. This document follows the same general organization.

Caution

You are strongly advised not to enable third-party browser extensions. In Internet Explorer, you can disable third-party browser extensions by choosing Tools > Internet Options and unselecting the Enable third-party browser extensions check box in the Advanced tab.

Table 1-1 Prime Infrastructure Task Areas

| Task Area | Description | Used By |
|---|---|---|
| Dashboard | View dashboards, which give you a quick view of devices, performance information, and various incidents. See Filters for more information. | Network Operators and Network Engineers |
| Monitor | Monitor your network on a daily basis and perform other day-to-day or ad hoc operations related to network device inventory and configuration management. The Monitor tab includes dashboards and tools that you need for day-to-day monitoring, troubleshooting, maintenance, and operations. | Network Engineers, Designers, and Architects |
| Configuration | Design feature or device patterns, or templates. You create reusable design patterns, such as configuration templates, in the Design area. You may use predefined templates or create your own. Patterns and templates are used in the deployment phase of the lifecycle. You can also design Plug and Play profiles and mobility services. | Network Engineers, Designers, and Architects |
| Inventory | Perform all device management operations such as adding devices, running discovery, managing software images, configuring device archives, and auditing configuration changes on devices. | Network Engineers, NOC Operators and Service Operators |
| Maps | View network topology and wireless maps. | Network Engineers, NOC Operators, and Service Operators |
| Services | Access mobility services, Application Visibility and Control services, and IWAN features. | Network Engineers, NOC Operators and Service Operators |
| Report | Create reports, view saved report templates, and run scheduled reports. | Network Engineers, NOC Operators, and Service Operators |
| Administration | Specify system configuration settings and data collection settings, and manage access control. You can view and approve jobs, specify health rules, and manage licenses. You can also perform software updates and configure high availability. | Network Engineers |

Related Topic

Understanding the Prime Infrastructure User Interface

CHAPTER 2

Adding Licenses

You must purchase licenses to access the Cisco Prime Infrastructure features required to manage your network. Each license also controls the number of devices that you can manage using those features.

You need a base license and the corresponding feature licenses (such as the assurance or the lifecycle license) to get full access to the respective Prime Infrastructure features to manage a set number of devices.

When you install Prime Infrastructure for the first time, you can access the lifecycle, assurance, collector, and data center features using the built-in evaluation license that is available by default. The default evaluation limitations are as follows:

The Lifecycle and Assurance license is valid for 60 days for 100 devices.

The Collector License is valid for 60 days for 20,000 NetFlow flows per second.

The Data Center License is valid for 60 days for 10 devices.

The Data Center Hypervisor License is introduced in Prime Infrastructure version 3.0. This license is not available by default and is added explicitly to manage the V-center devices (hosts). The V-center devices are added in Inventory > Device Management > Compute Devices > Discovery Sources. The Data Center Hypervisor License added in Administration > Licenses and Software Updates > Licenses > Files > License Files automatically manages the number of hosts.

For information about Prime Infrastructure license types and how to order them, see the Cisco Prime Infrastructure 3.0 Ordering and Licensing Guide.

See the Cisco Prime Infrastructure 3.0 Administrator Guide for information about managing licenses, troubleshooting licensing issues, verifying license details, and the different types of licenses.

Adding a License to Access Features

You purchase licenses to access the Prime Infrastructure features required to manage your network. Each license also controls the number of devices or the number of devices on which NetFlow is enabled that you can manage using those features.

To add a new license, follow these steps:

Step 1 Choose Administration > Licenses and Software Updates > Licenses.

Step 2 Click Files, then click License Files.

Step 3 Select the licenses that you have ordered with the required device limit, then click Add.

Step 4 Browse to the location of the license file, then click OK.

See the Cisco Prime Infrastructure 3.0 Administrator Guide for information about managing licenses, deleting licenses, troubleshooting licensing issues, and verifying license details.

CHAPTER 3

Adding Devices to Prime Infrastructure

Methods for Adding Devices

You can add devices to Cisco Prime Infrastructure in one of the following ways:

Use an automated process—See Adding Devices Using Discovery.

Import devices from a CSV file—See Importing Devices from Another Source.

Add devices manually by entering IP address and device credential information—See Adding Devices Manually.

Adding Devices Using Discovery

When you run discovery, Prime Infrastructure discovers the devices and, after obtaining access, collects device inventory data. We recommend that you run discovery when you are initially getting started with Prime Infrastructure.

Prime Infrastructure uses SNMP polling to gather information about your network devices within the range of IP addresses you specify. If you have CDP enabled on your network devices, Prime Infrastructure uses the seed device you specify to discover the devices in your network.

You can discover your devices by:

Configuring discovery settings—This method is recommended if you want to specify settings and rerun discovery in the future using the same settings. See Running Discovery.

Running Quick Discovery—Quick Discovery quickly ping sweeps your network and uses SNMP polling to get details on the devices. See Running Quick Discovery.

Understanding the Discovery Process

Prime Infrastructure performs the following steps during the discovery process:

1. Using ICMP ping, determine if each device is reachable. If Prime Infrastructure is unable to reach the device, the device Reachability status is Unreachable.

2. Verify the SNMP credentials. If the device is reachable by ICMP, but the SNMP credentials are not valid, the device Reachability status is Ping Reachable. If the device is reachable by both ICMP and SNMP, the device Reachability status is Reachable.

3. Verify Telnet and SSH credentials.

4. Modify the device configuration(s) to add a trap receiver in order for Prime Infrastructure to receive the necessary notifications.

5. Start the inventory collection process to gather all device information.

6. Add the devices to the Inventory > Network Devices page.

Running Discovery

Prime Infrastructure discovers devices with IPv4 and IPv6 addresses.

To run discovery, follow these steps:

Step 1 Choose Inventory > Device Management > Discovery.

Step 2 Click Discovery Settings (in the top right corner), then click New.

Step 3 Enter the Protocol Settings as described in Table 3-1.

Step 4 Perform one of the following:

Click Save to save your discovery settings and schedule your discovery to run at a specified time.

Click Run Now to run the discovery now.
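The IP Filter and SNMPv2 Credential fields in Table 3-1 accept per-octet patterns such as 192.0.[16-32].89 or 10.1.1.*. The following Python is an added example, not part of the Cisco guide or of Prime Infrastructure: it parses those IPv4 patterns so you can check, before saving discovery settings, how many addresses a filter or credential mapping covers and which known hosts it selects. The function names, the inclusive treatment of [low-high] ranges, and the sample address list are assumptions.

```python
"""Offline checker for the per-octet IPv4 patterns shown in Table 3-1 (added example)."""
import ipaddress
import re

# One octet may be a literal ("89"), a wildcard ("*") or a bracketed range ("[16-32]").
_RANGE = re.compile(r"\[(\d{1,3})-(\d{1,3})\]")


def parse_filter(pattern):
    """Return four (low, high) octet bounds, or raise ValueError on a malformed pattern."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets in {pattern!r}")
    bounds = []
    for part in parts:
        rng = _RANGE.fullmatch(part)
        if part == "*":
            low, high = 0, 255
        elif part.isascii() and part.isdigit():
            low = high = int(part)
        elif rng:
            low, high = int(rng.group(1)), int(rng.group(2))
        else:
            raise ValueError(f"unsupported octet {part!r} in {pattern!r}")
        # Assumption: ranges are inclusive and must be written low-high.
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet {part!r} out of range in {pattern!r}")
        bounds.append((low, high))
    return bounds


def matches(pattern, address):
    """True if the dotted-quad IPv4 address falls inside every octet bound."""
    octets = ipaddress.IPv4Address(address).packed  # four bytes, iterated as ints
    return all(low <= octet <= high
               for (low, high), octet in zip(parse_filter(pattern), octets))


def scope_size(pattern):
    """Number of addresses the pattern covers; a quick check for over-broad entries."""
    size = 1
    for low, high in parse_filter(pattern):
        size *= high - low + 1
    return size


def apply_filter(addresses, pattern, mode="include"):
    """Keep the matching addresses (include) or drop them (exclude)."""
    if mode not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    keep_matches = mode == "include"
    return [a for a in addresses if matches(pattern, a) == keep_matches]


# Constructed sample of addresses a discovery run might report (not real inventory).
SAMPLE_DISCOVERED = [
    "192.0.2.89", "192.0.2.10", "192.0.16.89", "192.0.32.89",
    "192.0.33.89", "193.7.55.20", "193.7.55.40", "10.1.1.5",
]

if __name__ == "__main__":
    for pat in ("192.0.2.89", "192.0.2.*", "192.0.[16-32].89",
                "[192-193].*.55.[16-32]", "*.*.*.*"):
        hits = apply_filter(SAMPLE_DISCOVERED, pat)
        print(f"{pat:24} covers {scope_size(pat):>10} addresses; sample hits: {hits}")
```

Running the size check on an SNMPv2 credential row is a quick way to see how widely a community string would be offered: a `*.*.*.*` mapping covers every IPv4 address that discovery reaches.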

Discovery Protocol Settings Table 3-1

Field

Protocol Settings

Ping Sweep Module

Description

Prime Infrastructure gets a list of IP address ranges from a specified combination of IP address and subnet mask, then pings each IP address in the range to check the reachability of devices.

See Sample IPv4 IP Addresses for Ping Sweep for more information.

Layer 2 Protocols

CDP Module Prime Infrastructure reads the cdpCacheAddress and cdpCacheAddressType MIB objects in the cdpCacheTable from CISCO-CDP-MIB on every newly found device as follows:

1.

2.

The cdpCacheAddress MIB object is gathered from the current device. This provides a list of neighbor device addresses.

If the neighbor device addresses do not already exist in the global device list, they are added to the local cache.

Select the Enable Cross Router Boundary check box to specify that Prime Infrastructure should discover neighboring routers.

Similar to CDP, but it allows the discovery of non-Cisco devices.

LLDP

Advanced Protocols

Routing Table Queries and analyzes routing tables on seed routers to discover subnets and next-hop routers.

This process discovers a router for every subnet on its list of known networks.

Address Resolution Protocol: The ARP Discovery Module depends on the Routing Table Discovery Module (RTDM), and is executed only when RTDM is processed. This precondition is identified based on the flags processed by the ARP Discovery Module, which are part of the DeviceObject.

The entries coming out of the ARP Discovery Module do not need to pass through RTDM because (per the router Discovery algorithm) active routers are those that RTDM must process and identify.

When the ARP table is fetched and the entries are not already discovered by RTDM, these entries (though they may represent routers) are not active routers and need not be passed on to RTDM. This is ensured by setting the ARP Discovery Module flag to Processed and leaving the RTDM flag set to Unprocessed.

When the RTDM comes across an entry with the RTDM flag unset and the ARP flag set, RTDM identifies the entry as an inactive router or other device and it leaves the entry as unprocessed. The ARP Discovery Module also ignores the entry according to the algorithm, based on the Processed flag set against the ARP Discovery Module.

When the Enable ARP check box is selected, the device MAC address needs to be updated in the device information. Applications can retrieve this information in the adapter through the DeviceInfo object. By scanning the device MAC address, the applications can distinguish between Cisco and non-Cisco devices.

ARP cache from the device is collected using CidsARPInfoCollector. The MAC ID of the device is retrieved from this data and set in the DeviceInfo object.

Border Gateway Protocol: The BGP Discovery Module uses bgpPeerTable in the BGP4-MIB to find its BGP peer. The table contains its peers’ IP addresses, which are added as clues to the local cache.

Open Shortest Path First: Open Shortest Path First (OSPF) protocol is an interior gateway routing protocol that uses the ospfNbrTable and ospfVirtNbrTable MIBs to find neighbor IP addresses.

Filters

IP Filter: Includes or excludes devices based on IP address. For example, you can enter any of the following strings and specify whether to include or exclude the devices found during discovery:

192.0.2.89

192.0.2.*

192.0.[16-32].89

[192-193].*.55.[16-32]

Advanced Filters

System Location Filter: Includes or excludes devices based on System Location.

System Object ID Filter: Includes or excludes devices based on the sysObjectID string set on the device.

DNS Filter: Includes or excludes devices based on the domain name string set on the device.

Credential Settings

Credential Set: The credential set lists all the available credential profiles in Prime Infrastructure. You can associate a credential profile with a range of IP addresses. The devices will be discovered based on the selected credential profile. For more information, see Using Credential Profiles.

SNMPv2 Credential: SNMP community string is a required parameter for discovering devices in the network using SNMPv2. You can enter multiple rows of credentials mapped to a specific IP address, or the IP address can be a wildcard; for example, *.*.*.*, 10.1.1.*. You cannot save or use the discovery settings if you do not specify SNMP credentials.

SNMPv3 Credential: Prime Infrastructure supports SNMPv3 discovery for devices. The following SNMPv3 modes are available:

AuthPriv—Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) and AES-128 standards.

AuthNoPriv—Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

NoAuthNoPriv—Uses a username match for authentication.

PrivType—Protocol used to secure the SNMP authentication request.

PrivPassword—Prefixed privacy passphrase for the SNMPv3 user.

Telnet Credential: You can specify the Telnet credentials during discovery so that Prime Infrastructure can collect the device configurations and fully manage the devices. If you do not specify Telnet credentials in the discovery settings, Prime Infrastructure discovers the devices but is unable to collect the full inventory of the device until you specify the Telnet credentials.

SSH Credential: For full device support via SSH, you must use SSHv2 with a 1024 bit key. You can configure SSH before running discovery.

We recommend that you select SSHv2 as the protocol for communicating with the device CLI because it allows the use of Web Services Management Agent (WSMA) for configuring devices. (For more information, see Configuring the Device using WSMA.)

Preferred Management IP (how Prime Infrastructure attempts to find the preferred management address for devices)

Use Loopback IP: Prime Infrastructure uses the preferred management IP address from the loopback interface. If the device does not have a loopback interface, Prime Infrastructure uses similar logic to the OSPF algorithm to select the router’s preferred management IP address.

Use SysName: Prime Infrastructure gets the preferred management IP address for the device using DNS lookup of the SysName for the device.

Use DNS Reverse Lookup: Prime Infrastructure gets the preferred management IP address by doing a reverse DNS lookup on the device IP address, followed by a forward DNS lookup.

After running discovery, choose Inventory > Device Management > Network Devices.

Note

When a discovery job rediscovers an existing device, the original credentials are maintained and are not updated with the credentials entered in Discovery Settings if the Last Inventory Collection Status of the device is “completed” on the Inventory > Device Management > Network Devices page. However, if the status is “partial collection” or any other status, the original credentials of the existing device are overwritten with the credentials present in the Discovery Settings.

See Monitoring Network Devices for more information.
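The IP Filter strings listed in Table 3-1 can be checked before a discovery job is saved. The following is an added example, not code from Prime Infrastructure: it parses the literal, * and [low-high] field forms shown above, reports how many addresses a pattern covers, and applies include and exclude lists to a constructed set of addresses. The rule that an exclude match wins over an include match is an assumption, as are all function names.

```python
import ipaddress
import re

# One filter field: "*", a literal octet, or an inclusive "[low-high]" range.
_FIELD = re.compile(r"^(?:(\*)|(\d{1,3})|\[(\d{1,3})-(\d{1,3})\])$")

# Constructed sample of addresses returned by a discovery run.
DISCOVERED = ["192.0.2.10", "192.0.2.89", "192.0.20.89",
              "193.7.55.20", "198.51.100.4"]


def parse_filter(pattern):
    """Return four inclusive (low, high) octet ranges for an IP filter string."""
    fields = pattern.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"{pattern!r}: expected four dot-separated fields")
    ranges = []
    for field in fields:
        match = _FIELD.match(field)
        if match is None:
            raise ValueError(f"{pattern!r}: unsupported field {field!r}")
        star, literal, low, high = match.groups()
        if star:
            low, high = 0, 255
        elif literal is not None:
            low = high = int(literal)
        else:
            low, high = int(low), int(high)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"{pattern!r}: field {field!r} is out of range")
        ranges.append((low, high))
    return ranges


def matches(pattern, address):
    """True if the dotted-quad address falls inside the filter pattern."""
    octets = ipaddress.IPv4Address(address).packed
    return all(low <= octet <= high
               for octet, (low, high) in zip(octets, parse_filter(pattern)))


def coverage(pattern):
    """Number of IPv4 addresses the pattern can match."""
    total = 1
    for low, high in parse_filter(pattern):
        total *= high - low + 1
    return total


def apply_filters(addresses, include=(), exclude=()):
    """Keep addresses that pass the filters.

    Assumed semantics: an exclude match always drops the address, and an
    empty include list keeps everything that is not excluded.
    """
    kept = []
    for address in addresses:
        if any(matches(p, address) for p in exclude):
            continue
        if include and not any(matches(p, address) for p in include):
            continue
        kept.append(address)
    return kept


if __name__ == "__main__":
    for pattern in ("192.0.2.89", "192.0.2.*", "192.0.[16-32].89",
                    "[192-193].*.55.[16-32]"):
        hits = [a for a in DISCOVERED if matches(pattern, a)]
        print(f"{pattern:24} covers {coverage(pattern):5} addresses, matched {hits}")
```

Checking coverage before saving a filter shows how wide a pattern really is: the last sample string spans two first-octet values and every second octet.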


Sample IPv4 IP Addresses for Ping Sweep

Table 3-2 Sample IPv4 Seed IP Addresses for Ping Sweep

Subnet Range     Number of Bits  Number of IP Addresses  Sample Seed IP Address  Start IP Address  End IP Address
255.255.240.0    20              4094                    10.104.62.11            10.104.48.1       10.104.63.254
255.255.248.0    21              2046                    10.104.62.11            10.104.56.1       10.104.63.254
255.255.252.0    22              1022                    10.104.62.11            10.104.60.1       10.104.63.254
255.255.254.0    23              510                     10.104.62.11            10.104.62.1       10.104.63.254
255.255.255.0    24              254                     10.104.62.11            10.104.62.1       10.104.62.254
255.255.255.128  25              126                     10.104.62.11            10.104.62.1       10.104.62.126
255.255.255.192  26              62                      10.104.62.11            10.104.62.1       10.104.62.62
255.255.255.224  27              30                      10.104.62.11            10.104.62.1       10.104.62.30
255.255.255.240  28              14                      10.104.62.11            10.104.62.1       10.104.62.14
255.255.255.248  29              6                       10.104.62.11            10.104.62.9       10.104.62.14
255.255.255.252  30              2                       10.104.62.11            10.104.62.9       10.104.62.10
255.255.255.254  31              0                       10.104.62.11
255.255.255.255  32              1                       10.104.62.11            10.104.62.11      10.104.62.11
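The rows of Table 3-2 follow from the seed address and the mask, so the sweep range for any other seed can be worked out before a job is run. The following is an added example, not code from Prime Infrastructure: it reproduces the table's counting convention (network and broadcast addresses excluded, 0 addresses for a 31-bit mask, 1 for a 32-bit mask) and checks a planned sweep against a list of approved management ranges and a size limit. The approved ranges, the limit, and the function names are assumptions.

```python
import ipaddress


def sweep_range(seed_ip, subnet_mask):
    """Return (prefix_bits, address_count, start_ip, end_ip) for a seed and mask.

    Counting follows Table 3-2: the network and broadcast addresses are not
    swept, a 31-bit mask yields no addresses and a 32-bit mask yields the seed.
    """
    net = ipaddress.IPv4Network(f"{seed_ip}/{subnet_mask}", strict=False)
    bits = net.prefixlen
    if bits == 32:
        only = str(net.network_address)
        return bits, 1, only, only
    if bits == 31:
        return bits, 0, None, None
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return bits, net.num_addresses - 2, str(first), str(last)


def check_sweep(seed_ip, subnet_mask, approved, max_addresses=1024):
    """List the reasons a planned sweep should not run as configured.

    approved: networks (CIDR strings) the operator is allowed to probe.
    max_addresses: hypothetical local limit on the size of one sweep.
    """
    net = ipaddress.IPv4Network(f"{seed_ip}/{subnet_mask}", strict=False)
    _, count, _, _ = sweep_range(seed_ip, subnet_mask)
    problems = []
    if count == 0:
        problems.append("mask leaves no addresses to sweep")
    if count > max_addresses:
        problems.append(f"{count} addresses exceeds the limit of {max_addresses}")
    if not any(net.subnet_of(ipaddress.IPv4Network(a)) for a in approved):
        problems.append(f"{net} is not inside an approved range")
    return problems


if __name__ == "__main__":
    approved = ["10.104.62.0/23"]  # constructed approved range
    for mask in ("255.255.240.0", "255.255.255.0", "255.255.255.248",
                 "255.255.255.254", "255.255.255.255"):
        print(mask, sweep_range("10.104.62.11", mask),
              check_sweep("10.104.62.11", mask, approved))
```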

Running Quick Discovery

If you want to quickly run discovery without specifying and saving your settings, you can use Quick Discovery.

You can view the guest users discovered by Prime Infrastructure by choosing Services > Network Services > Guest Users. To see the correct lifetime on guest user accounts after they are discovered, make sure the devices have the correct time settings specified.

To run Quick Discovery, follow these steps:

Step 1 Choose Inventory > Device Management > Discovery.

Step 2 In the top-right side of the page, click Quick Discovery.

Step 3 Complete the required fields, then click Run Now.

Verifying Discovery

When discovery is completed, you can verify that the process was successful.

To verify successful discovery, follow these steps:

Step 1 Choose Inventory > Device Management > Discovery.

Step 2 Choose the discovery job for which you want to view details.

Step 3 Choose User Jobs > Discovery from the left navigation pane and select the specific job.

Step 4 Under Discovery Job Instances, expand the arrow to view details about the devices that were discovered.

If devices are missing:

Change your discovery settings, then rerun the discovery. See Table 3-1 for information about discovery settings.

Add devices manually. See Adding Devices Manually for more information.

Importing Devices from Another Source

If you have another management system from which you want to import your devices, or if you want to import a spreadsheet that lists all of your devices and their attributes, you can add device information into Prime Infrastructure as explained in the following steps:

Step 1 Choose Inventory > Device Management > Network Devices, then click Bulk Import.

Step 2 From the Operation drop-down list, choose Device.

Step 3 In the Select CSV File, enter or browse to the CSV file that contains the devices that you want to import.

Step 4 Click the link to download a sample file that contains all of the fields and descriptions for the information that must be contained in your imported file. See Figure 3-1.

Figure 3-1 Downloading a Sample Template for Importing Devices or Sites

Make sure that you retain the required information in the CSV file as explained in CSV File Requirements for Importing Devices.

If the importing CSV file contains any UDF parameters, ensure that UDF is configured in Administration > Settings > System Settings > Inventory > User Defined Fields prior to importing the devices. The UDF column in the CSV file must begin with UDF: as indicated in the sample CSV template.

Step 5 Click Import.

Step 6 Check the status of the import by choosing Administration > Dashboards > Job Dashboard > User Jobs > Import.

Step 7 Click the arrow to expand the job details and view the details and history for the import job.

CSV File Requirements for Importing Devices

If you want to use a CSV file to import your devices or sites from another source into Prime Infrastructure, you can download a sample template by choosing Inventory > Device Management > Network Devices, then clicking Bulk Import. Click the link to download a sample template as shown in Figure 3-1.

When you download a sample CSV template for importing devices or sites, the extent to which Prime Infrastructure can manage your devices depends on the information you provide in the CSV file. If you do not provide values for CLI username, password, and enable password, Prime Infrastructure will have limited functionality and cannot modify device configurations, update device software images, or perform any other valuable functions. You can specify the credential profile in the CSV file to apply the credentials to a set of devices. If you specify the credential profile and also enter the values manually in the CSV file, the manually entered credentials take high priority and the device is managed based on the combination of manually entered credentials and credential profile. For example, if the CSV file contains a credential profile with SNMP and Telnet credentials in addition to manually entered SNMP credentials, the device is managed based on the manually entered SNMP credentials and the Telnet credentials in the credential profile.

For partial inventory collection in Prime Infrastructure, you must provide the following values in the CSV file:

Device IP address

SNMP version

SNMP read-only community strings

SNMP write community strings

For full inventory collection in Prime Infrastructure, you must provide the following values in the CSV file:

Device IP address

SNMP version

SNMP read-only community strings

SNMP write community strings

SNMP retry value

SNMP timeout value

Protocol

You must also provide values for the fields that correspond to the protocol you specify. For example, if you specify SNMPv3, you must specify values for the SNMPv3 fields in the sample CSV file such as the SNMPv3 username and authorization password.

CLI username

CLI password

CLI enable password

CLI timeout value
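A CSV file can be checked against these requirements before it is imported. The following is an added example, not code from Prime Infrastructure: it resolves the credentials that would apply to each row when a credential profile and manually entered values are combined, then reports whether the row supports full or partial inventory collection. The column names, the profile structure, and the choice to apply the precedence rule per protocol group (as in the SNMP and Telnet example above) are assumptions; the real column names come from the downloaded sample template.

```python
import csv
import io

# Hypothetical column names; take the real ones from the sample template.
SNMP_FIELDS = ("snmp_version", "snmp_ro_community", "snmp_rw_community",
               "snmp_retries", "snmp_timeout")
CLI_FIELDS = ("protocol", "cli_username", "cli_password",
              "cli_enable_password", "cli_timeout")
# Values the guide lists for partial and for full inventory collection.
PARTIAL = ("ip_address",) + SNMP_FIELDS[:3]
FULL = ("ip_address",) + SNMP_FIELDS + CLI_FIELDS

# Constructed credential profile (its structure is an assumption).
PROFILES = {
    "branch-default": {
        "snmp": {"snmp_version": "2c", "snmp_ro_community": "profile-ro",
                 "snmp_rw_community": "profile-rw", "snmp_retries": "2",
                 "snmp_timeout": "10"},
        "cli": {"protocol": "telnet", "cli_username": "netops",
                "cli_password": "example-pass",
                "cli_enable_password": "example-enable", "cli_timeout": "60"},
    },
}

# Constructed import file: three devices with decreasing amounts of detail.
SAMPLE_CSV = """\
ip_address,credential_profile,snmp_version,snmp_ro_community,snmp_rw_community,snmp_retries,snmp_timeout
192.0.2.10,branch-default,2c,manual-ro,manual-rw,3,5
192.0.2.11,,2c,manual-ro,manual-rw
192.0.2.12
"""


def effective_row(row, profiles):
    """Merge manual values with the row's credential profile.

    For each protocol group, any manually entered value makes the whole
    group come from the row; otherwise the profile's group is used.
    """
    profile = profiles.get((row.get("credential_profile") or "").strip(), {})
    merged = {"ip_address": (row.get("ip_address") or "").strip()}
    sources = {}
    for group, fields in (("snmp", SNMP_FIELDS), ("cli", CLI_FIELDS)):
        manual = {f: (row.get(f) or "").strip() for f in fields}
        if any(manual.values()):
            merged.update(manual)
            sources[group] = "manual"
        elif group in profile:
            merged.update(profile[group])
            sources[group] = "profile"
        else:
            merged.update(manual)
            sources[group] = "none"
    return merged, sources


def inventory_level(values):
    """Classify merged values as 'full', 'partial' or 'insufficient'."""
    if all(values.get(f) for f in FULL):
        return "full"
    if all(values.get(f) for f in PARTIAL):
        return "partial"
    return "insufficient"


def preflight(csv_text, profiles):
    """Return (ip_address, inventory_level, credential_sources) per CSV row."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        values, sources = effective_row(row, profiles)
        report.append((values["ip_address"], inventory_level(values), sources))
    return report


if __name__ == "__main__":
    for entry in preflight(SAMPLE_CSV, PROFILES):
        print(entry)
```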

Adding Devices Manually

Adding devices manually is helpful if you want to add a single device. If you want to add all devices in your network, we recommend that you run discovery (see Running Discovery) or import devices from a CSV file (see Importing Devices from Another Source).

After adding a device in the Converged view with profile, if you edit the device (which is associated with Credential Profile) in the Classic view, the Credential Profile association of the device is removed.

To add devices manually, follow these steps:

Step 1 Choose Inventory > Device Management > Network Devices.

Step 2 Click Add Device.

Step 3 Complete the required fields.

Step 4 For the License Level field, select:

Full to collect all device information and have Prime Infrastructure manage the device. Managed devices count against the number of managed devices in your Prime Infrastructure license. Full is selected by default.

Switch Port Trace Only to collect partial device information (host name, device name, device type, and reachability status) and allow Prime Infrastructure to display how an AP is connected to a WLC on wireless maps. Switch Port Trace Only devices do not count against the number of managed devices in your Prime Infrastructure license. You cannot perform device management operations on devices that you designate as Switch Port Trace Only.

See Enabling IPSec Communication When Adding Devices for information about enabling IPSec.

Step 5 (Optional) Click Verify Credentials to verify the device credentials before adding the device.

Note

Prime Infrastructure provides HTTP credentials verification support for NAM devices only.

Step 6 Click Add to add the device with the settings you specified.

Note

User Defined Field (UDF) parameters are available only if you added them under Administration > Settings > System Settings > Inventory > User Defined Fields. Do not use the special characters : ; and # for UDF field parameters.

Enabling IPSec Communication When Adding Devices

We recommend that you use IPSec tunneling to secure wireless management traffic between your network devices and Prime Infrastructure servers. Using IPSec between the management system and the managed devices provides an additional layer of security.


To enable IPSec when adding a device to Prime Infrastructure:

Step 1 Choose Inventory > Device Management > Network Devices.

Step 2 Click Add Device.

Step 3 Complete the required fields.

Step 4 Under IPSec Parameters, click Enable IPSec Communication, then complete the required fields.

Step 5 Click Add to add the device with the settings you specified.

About Adding Wireless Devices

Note the following information when adding wireless devices to Prime Infrastructure:

When a controller is removed from the system, a warning message appears to confirm whether the associated access points need to be removed.

If you are adding a controller into Prime Infrastructure across a GRE link using IPSec or a lower MTU link with multiple fragments, you might need to adjust the Maximum VarBinds per Get PDU and Maximum VarBinds per Set PDU. If it is set too high, the controller might not be added into Prime Infrastructure.

To adjust the Maximum VarBinds per Get PDU or Maximum VarBinds per Set PDU: Stop Prime Infrastructure, choose Administration > Settings > System Settings > Network and Device > SNMP, and edit the Maximum VarBinds per Get PDU and Maximum VarBinds per Set PDU values to 50 or lower.

If you receive the error message ‘Sparse table not supported’, verify that Prime Infrastructure and WLC versions are compatible and retry. For information on compatible versions, see the following URL: http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html

When a controller is added to Prime Infrastructure, Prime Infrastructure acts as a TRAP receiver and the following traps are enabled on the controller: 802.11 Disassociation, 802.11 Deauthentication, and 802.11 Authenticated.

In the Inventory > Network Devices > All Devices > Wireless Controllers page, to update the credentials of multiple controllers in bulk, select the controllers you need to update and click Edit. Select the credential profile and click Update or Update & Sync.

You can also update the credentials of multiple controllers in bulk by choosing a CSV file. Select the controllers and click Bulk Import. Browse to the CSV file that contains a list of controllers to be updated, one controller per line. Each line is a comma-separated list of controller attributes.

When a controller is added, the Reachability of the controller will be Unknown while Prime Infrastructure attempts to communicate with the controller that you added. The Reachability of the controller changes to Reachable or Ping Reachable once the communication with the controller is successful.


Validating That Devices Were Added Successfully

After collecting device information, Prime Infrastructure gathers and displays the configurations and the software images for the devices. To verify that your devices were successfully added to Prime Infrastructure, you can choose Inventory > Device Management > Network Devices and:

Verify that the devices you have added appear in the list. Click a device name to view the device configurations and the software images that Prime Infrastructure collected from the devices.

View details about the information that was collected from the device by hovering your mouse over the Inventory Collection Status field and clicking the icon that appears.

Check the Device Reachability Status column. See Table 3-3 for status descriptions. HTTP/HTTPS parameters are verified on NAM devices only.

Check the Admin Status column. See Table 3-4 for descriptions of the possible Admin Status values.

To view details about the collection job and the details and history for the import job, choose Administration > Dashboards > Job Dashboard.

See Troubleshooting Unmanaged Devices for information about how to resolve any errors.

Table 3-3 Descriptions of Device Reachability Status

Reachability Color  Description
Green               Prime Infrastructure is able to reach the device using SNMP.
Yellow              The device is reachable using Ping, but not via SNMP. Verify that you specified the correct SNMP parameters for read access when the device was added to Prime Infrastructure.
Red                 Prime Infrastructure is unable to reach the device using Ping. Verify that the device is operational and connected to the network.

Table 3-4 Descriptions of Device Admin Status

Admin Status  Description
Managed       The device has been added successfully to Prime Infrastructure using SNMP.
Unmanaged     The device credentials are incorrect or you have exceeded the number of devices allowed by your license. Choose Administration > Licenses to view the status of your license. See the Cisco Prime Infrastructure 3.0 Administrator Guide for information about managing licenses, troubleshooting licensing issues, and verifying license details.

Verifying Device Credentials

Prime Infrastructure automatically verifies device credentials as part of the inventory process. You can view device credential verification information by choosing Reports > Report Launch Pad > Device > Device Credential Verification.

Editing Device Parameters

You can edit the device parameters of a single device or multiple devices by choosing Inventory > Device Management > Network Devices.


To edit device parameters, follow these steps:

Step 1 Choose Inventory > Device Management > Network Devices.

Step 2 Select a single device or multiple devices and click Edit.

Step 3 Update the required parameters.

Step 4 Click Update to update the parameters of all of the selected devices or Update & Sync to update and synchronize the devices with the updated parameters.

Synchronizing Devices

To synchronize the Prime Infrastructure database with the configuration running on a device, you can force an inventory collection.

To synchronize devices, follow these steps:

Step 1 Choose Inventory > Device Management > Network Devices.

Step 2 Select the device whose configuration you want synchronized with the configuration stored in the Prime Infrastructure database.

Step 3 Click Sync.

Adding NAM HTTP/HTTPS Credentials

If you are using Cisco Network Analysis Modules (NAMs) to monitor your network, you must add HTTPS credentials so that Prime Infrastructure can retrieve data from them. This is especially important for users who have licensed Assurance features, as most Assurance features depend on NAM data to work.

Prime Infrastructure polls NAMs directly via HTTP (or HTTPS) to collect their data. This type of polling requires Prime Infrastructure to store each NAM’s HTTP credentials. Unlike with SNMP community strings and Telnet/SSH credentials, you cannot enter NAM HTTP credentials during the discovery process. You can only specify NAM HTTP credentials after the modules are discovered or added to inventory.

Follow these steps to add HTTP credentials for a single NAM. You can repeat this task for all NAMs from which you want Prime Infrastructure to collect data.

Step 1 Choose Inventory > Device Management > Network Devices > Device Type > Cisco Interfaces and Modules > Network Analysis Modules.

Step 2 Select one of the NAMs and click Edit.

Step 3 In the Edit Device window, under Http Parameters:

Protocol—Select the HTTP protocol, HTTP or HTTPS. The TCP Port will change automatically to the default port for the protocol that you have selected.

TCP Port—Enter a different TCP Port if you want to override the default.

Username—Enter the name of a user who can access the NAM via HTTP or HTTPS.

Password—Enter the password for the username that you entered.

Confirm Password—Re-enter the password to confirm.

Step 4 Choose Update.

Related Topics

Enabling NAM Data Collection

Defining NAM Polling Parameters

Exporting Devices

In Prime Infrastructure, you can export device information as a CSV file. Prime Infrastructure does not export credential profiles.

To export devices, follow these steps:

Step 1 Choose Inventory > Device Management > Network Devices.

Step 2 Select the devices that you want to export, then click Export Device.

Step 3 Enter an encryption password that will be used to open the exported CSV file.

Step 4 Confirm the encryption password and click Export to export the device information.

Step 5 Double-click the ExportDevice.zip file and enter the encryption password to open the ExportDevice.csv file.

Caution

The device export CSV file includes all device credentials and should be handled with appropriate care. Similarly, the privilege to allow device export should be assigned to appropriate users only.

Next Steps

Now that you have added devices to Prime Infrastructure, you can create device groups and port groups to simplify management, monitoring, and configuration of similar devices and ports. See Grouping Devices.

You might also want to:

Plan for devices that will be added to your network in the future—See Preconfiguring Devices to be Added Later.

Configure wired and wireless features on your devices using guided, step-by-step instructions—See Getting Help Setting Up Access Switches.

Chapter 4 Grouping Devices

After you add devices to Prime Infrastructure, you can organize the devices into logical groupings to simplify management, monitoring, and configuration. When you group devices, you can perform operations on the entire group instead of selecting individual devices.

Grouping Devices by Device Type

You can group similar devices together to simplify management and configuration tasks. Depending on your needs, device groups can be based on location, device type, device role, and so on.

A device group that you create can be one of the following types:

Static—Create and name a new device group to which you can add devices using the Add to Group button from Inventory > Device Management > Network Devices or from Inventory > Group Management > Network Device Groups.

Dynamic—Create and name a new device group and specify the rules to which devices must comply before they are added to this device group. You do not add devices to dynamic groups. Prime Infrastructure adds devices that match the specified rules to the dynamic group from Inventory > Device Management > Network Devices or from Inventory > Group Management > Network Device Groups.

Mixed—Create and name a new device group to which you can add devices manually and specify the rules to which devices must comply before they are added to this device group. This can be done from Inventory > Device Management > Network Devices or from Inventory > Group Management > Network Device Groups.

To create a device group, follow these steps:

Step 1 Choose Inventory > Device Management > Network Devices or Inventory > Group Management > Network Device Groups.

Step 2 In the Device Groups pane on the left, hover the mouse over the icon next to User Defined and click the icon. Click Add SubGroup.

Step 3 Enter the name, description, and parent group if applicable.

Step 4 Select one of the following for the new device group:

Add Device Manually—You add devices to the group based on your needs.

Add Device Dynamically—You specify the rules to which devices must comply before they are added to this device group. You do not add devices to dynamic groups. Prime Infrastructure adds devices that match the specified rules to the dynamic group.

Step 5 Click the Preview tab to view the devices that are automatically added to the group based on the specified rule and the manually added devices.

Step 6 Click Save.

The device group that you created appears under the User Defined folder.

Related Topic

Grouping Devices, Ports and Data Center

Chapter 5 Setting Up Network Monitoring

After you add devices to the Prime Infrastructure inventory and set up device and port groups, you create monitoring templates to monitor device health (for example, CPU, memory, and interface utilization), basic QoS, and VPN tunnel statistics for wired devices in the group. After you create and apply monitoring templates, Prime Infrastructure collects and processes data from specified devices and displays the information in dashboards, dashlets, and reports.

Monitoring Port Groups and Interfaces

Getting Enhanced Client Information by Integrating with Cisco Identity Services Engine (ISE)

Integrating Prime Infrastructure with Prime Insight

Setting Up Assurance for Performance Monitoring

Monitoring Port Groups and Interfaces

To monitor your device ports, you can create a port group and then display monitoring information on Prime Infrastructure dashboards. Port groups are logical groupings of interfaces that allow you to monitor device ports by the function they serve. For example, you can create a port group for the WAN ports and create another port group for the internal distribution ports on the same router.

See Types of Groups and Creating Device Context or Group Context Port Groups for more information about creating port groups.

After you create groups, you can create an interface health monitoring policy on those ports as explained in the following steps:

Step 1 Choose Monitor > Monitoring Tools > Monitoring Policies.

Step 2 Select Automonitoring under Policies.

Step 3 Click the expand arrow icon adjacent to WAN Interfaces.

Step 4 Select the attributes that you want to monitor (for example, Interface Availability, Interface Inbound Errors, Interface Outbound Errors, InputUtilization, and OutputUtilization), then click Save and Activate.

Step 5 Click My Policies.

Step 6 Click Add.

Step 7 Choose Interface Health under Policy Types.

Step 8 From the Device Selection drop-down list, choose Port Group.

Step 9 Choose the User Defined group and click OK.

Step 10 Enter the policy name.

Step 11 Select the required Parameters and Threshold and complete the required fields.

Step 12 Click OK.

Step 13 Click Save and Activate.

Step 14 To display the results, choose Dashboards > Overview > Network Interface, and view the Top N Interface Utilization dashlet.

Step 15 Edit the Top N Interface Utilization dashlet and add the port group that you previously created.

Related Topics

Setting Up WAN Interface Monitoring

Types of Groups

Creating Device Context or Group Context Port Groups

Setting Up WAN Interface Monitoring

Creating a WAN interface port group allows you to efficiently monitor all WAN interfaces in a specific port group. For example, if you have many small branch offices that have low bandwidth issues, you can create a port group that includes all WAN interfaces from each branch office, and then monitor this port group for issues.

By default, Prime Infrastructure provides a static WAN Interfaces port group on which health monitoring is automatically deployed. The following procedure shows you how to:

1. Add interfaces to the WAN Interfaces port group.

2. Verify the utilization and availability of the WAN interfaces from the Site dashboard.

Step 1 To add interfaces to the WAN Interfaces port group:

a. Choose Inventory > Group Management > Port Groups.

b. From the menu on the left, choose System Defined > WAN Interfaces.

c. Select the device, then click Add to Group.

Step 2 To display the results:

a. Choose Dashboard > Overview > > Add Dashlets.

b. Click either of the following:

Top N WAN Interfaces by Utilization

Top N WAN Interfaces with Issues

Getting Enhanced Client Information by Integrating with Cisco Identity Services Engine (ISE)

Prime Infrastructure manages the wired and the wireless clients in the network. When Cisco ISE is used as a RADIUS server to authenticate clients, Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to Prime Infrastructure to be visible in a single console.

When posture profiling is enforced in the network, Prime Infrastructure communicates with Cisco ISE to get the posture data for the clients and displays it along with other client attributes. When Cisco ISE is used to profile the clients or an endpoint in the network, Prime Infrastructure collects the profiled data to determine what type of client it is, whether it is an iPhone, iPad, an Android device, or any other device.

You can get enhanced information about managed clients using the Cisco ISE or Cisco Secure Access Control (ACS) View servers.

If Prime Infrastructure is integrated with an ISE server (to access endpoint information), you can:

Check an End User’s Network Session Status.

Using the User 360° View, you can identify possible problems with the end user’s authentication and authorization for network access.

Troubleshoot the User Application and Site Bandwidth Utilization.

Prime Infrastructure displays ISE Profiling attributes only for authenticated endpoints.

Related Topics

Adding an Identity Services Engine

Configuring ACS View Servers

Adding an Identity Services Engine

A maximum of two ISEs can be added to Prime Infrastructure. If you add two ISEs, one should be primary and the other should be standby. When you are adding a standalone node, you can add only one standalone node and cannot add a second node.

To add an Identity Services Engine, follow these steps:

Step 1 Choose Administration > Servers > ISE Servers.

Step 2 From the Select a command drop-down list, choose Add ISE Server, then click Go.

Step 3 Complete the required fields, then click Save.

The credentials should be superuser credentials local to ISE. Otherwise, ISE integration does not work.

Configuring ACS View Servers

If you do not have ISE, you can integrate your Cisco ACS View server with Prime Infrastructure. To access the ACS View Server tab, you must add a view server with credentials.


Prime Infrastructure supports only ACS View Server 5.1 or later.

To configure an ACS View Server, follow these steps:

Step 1 Choose Administration > Servers > ACS View Servers.

Step 2 From the Select a command drop-down list, choose Add ACS View Server, then click Go.

Step 3 Enter the port number of the ACS View Server you are adding. (Some ACS View Servers do not allow you to change the port on which HTTPS runs.)

Step 4 Enter the password that was established on the ACS View Server. Confirm the password.

Step 5 Specify the number of retries to be attempted.

Step 6 Click Save.

Integrating Prime Infrastructure with Prime Insight

You can integrate Prime Infrastructure with Prime Insight for detailed, analyzed information on network and application inventory, alarm, utilization, performance, and user/service activity data.

To integrate Prime Infrastructure and Prime Insight from the Prime Infrastructure 3.0 GUI, follow these steps:

Step 1 Choose Administration > Servers > Prime Insight Server.

Step 2 Select the Enable Prime Insight check box.

Step 3 Type the required details, and click Save.

You can now view Prime Infrastructure information on network, application inventory, and so on in Prime Insight.

Setting Up Assurance for Performance Monitoring

If your Prime Infrastructure implementation includes Assurance licenses, you must enable data collection via NAMs and NetFlow configurations. This is necessary to populate the additional dashlets, reports, and other features supplied with Assurance.

Related Topics

Enabling NAM Data Collection

Defining NAM Polling Parameters

Enabling NetFlow Data Collection


Enabling NAM Data Collection

To ensure that you can collect data from your Network Analysis Modules (NAMs), you must enable NAM data collection. You can do this for each discovered or added NAM, or for all NAMs at the same time.

Before You Begin

You must specify the HTTP/HTTPS credentials for each NAM (see Adding NAM HTTP/HTTPS Credentials).

Step 1 Choose Services > Application Visibility & Control > Data Sources.

Step 2 In the NAM Data Collector section, select the required NAM datasources for which you want to enable data collection.

Step 3 Click Enable.

Related Topics

Defining NAM Polling Parameters

Enabling NetFlow Data Collection

Defining NAM Polling Parameters

You can specify data that is collected from NAMs.

Step 1 Choose Monitor > Monitoring Policies.

Step 2 Click Add, then select NAM Health under the Policy Types list from the left sidebar menu.

Step 3 Select the NAM devices from which you want to collect data, then complete the required fields.

Step 4 Under Parameters and Thresholds, specify the parameters you want to poll from the NAM devices and threshold conditions.

Step 5 Click Save and Activate.

Related Topics

Enabling NetFlow Data Collection

Enabling NAM Data Collection

Enabling NetFlow Data Collection

To start collecting NetFlow and Flexible NetFlow data, you must configure your NetFlow-enabled switches, routers, and other devices (ISR/ASR) to export this data to Prime Infrastructure. The following table shows the various device types that support NetFlow and the ways to configure devices to export NetFlow data to Prime Infrastructure.

Table 5-1 gives the detailed NetFlow support summary.


Table 5-1 NetFlow Support Summary

Device Type: Cisco ASR
IOS Versions Supporting NetFlow: IOS XE 3.11 to 15.4(1) S, and later; Easy PerfMon based configuration (EzPM)
Supported NetFlow Export Types: TCP/UDP conversation traffic; Application Response Time (ART); Voice & Video; HTTP URL visibility; Application Traffic Stats
NetFlow Configuration in Prime Infrastructure: Choose Services > Application Visibility & Control > Interfaces Configuration. Format: V9 and IPFIX
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-App-Traffic-, Netflow-Traffic-Voice-Video-, Netflow-URL-, Netflow-Aggregated-Traffic-Stats-

Device Type: Cisco ASR
IOS Versions Supporting NetFlow: IOS XE 3.9, 3.10
Supported NetFlow Export Types: TCP/UDP conversation traffic; Application Response Time (ART); Voice & Video; HTTP URL visibility; AVC Troubleshooting
NetFlow Configuration in Prime Infrastructure: Choose Services > Application Visibility & Control > Interfaces Configuration. Format: V9 and IPFIX
Template Naming Convention: Netflow-Traffic-Host-, Netflow-App-Traffic-, Netflow-Voice-Video-, Netflow-URL-, Netflow-AVC-Troubleshooting-


Device Type: Cisco ISR
IOS Versions Supporting NetFlow: 15.1(3) T
Supported NetFlow Export Types: TCP/UDP conversation traffic; Voice & Video
NetFlow Configuration in Prime Infrastructure: TCP/UDP: Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Collecting Traffic Statistics. Voice & Video: Use Medianet Perfmon CLI template. Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet – PerfMon. Format: V9
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-Voice-Video-

Device Type: Cisco ISR
IOS Versions Supporting NetFlow: IOS XE 3.11 to 15.4(1) S, and later; Easy PerfMon based config (EzPM)
Supported NetFlow Export Types: TCP/UDP conversation traffic; Application Response Time (ART); Voice & Video; HTTP URL visibility; Application Traffic Stats
NetFlow Configuration in Prime Infrastructure: Choose Services > Application Visibility & Control > Interfaces Configuration. Format: V9 and IPFIX
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-App-Traffic-, Netflow-Traffic-Voice-Video-, Netflow-URL-, Netflow-Aggregated-Traffic-Stats-

Device Type: Cisco ISR
IOS Versions Supporting NetFlow: IOS XE 3.9, 3.10
Supported NetFlow Export Types: TCP/UDP conversation traffic; Application Response Time (ART); Voice & Video; HTTP URL visibility; AVC Troubleshooting
NetFlow Configuration in Prime Infrastructure: Choose Services > Application Visibility & Control > Interfaces Configuration. Format: V9 and IPFIX
Template Naming Convention: Netflow-Traffic-Host-, Netflow-App-Traffic-, Netflow-Voice-Video-, Netflow-URL-, Netflow-AVC-Troubleshooting-


Device Type: Cisco ISR G2
IOS Versions Supporting NetFlow: 15.1(4) M and 15.2(1) T
Supported NetFlow Export Types: TCP/UDP conversation traffic; Application Response Time (ART); Voice & Video
NetFlow Configuration in Prime Infrastructure: TCP/UDP, ART: Create a MACE CLI template. See Configuring NetFlow on ISR Devices. Voice & Video: Use Medianet Perfmon CLI template. Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet – PerfMon. Format: V9
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-App-Traffic-, Netflow-Voice-Video-

Device Type: Cisco ISR G2
IOS Versions Supporting NetFlow: 15.2(4) M and 15.3(1)T
Supported NetFlow Export Types: TCP/UDP conversation traffic; Application Response Time (ART); Voice & Video
NetFlow Configuration in Prime Infrastructure: Choose Services > Application Visibility & Control > Interfaces Configuration. Format: V9 and IPFIX
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-App-Traffic-, Netflow-Voice-Video-

Device Type: Cisco ISR G2
IOS Versions Supporting NetFlow: 15.4(1)T and later; Easy PerfMon based configuration (EzPM)
Supported NetFlow Export Types: TCP/UDP conversation traffic; Application Response Time (ART); Voice & Video; HTTP URL visibility
NetFlow Configuration in Prime Infrastructure: Choose Services > Application Visibility & Control > Interfaces Configuration. Format: V9 and IPFIX
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-App-Traffic-, Netflow-Traffic-Voice-Video-, Netflow-App-Traffic-URL-

Device Type: Cisco Catalyst 2000
IOS Versions Supporting NetFlow: 15.0(2) UCP and later
Supported NetFlow Export Types: TCP/UDP conversation traffic
NetFlow Configuration in Prime Infrastructure: Create a custom CLI template. See Configuring NetFlow Export on Catalyst 2000 Switches. Format: V5, V9
Template Naming Convention: Netflow-Traffic-Conv-

Device Type: Cisco Catalyst 3750-X, 3560-X
IOS Versions Supporting NetFlow: 15.0(1)SE. IP base or IP services feature set and equipped with the network services module.
Supported NetFlow Export Types: TCP/UDP conversation traffic
NetFlow Configuration in Prime Infrastructure: Create a custom CLI template. See Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches. Format: V9
Template Naming Convention: Netflow-Traffic-Conv-


Device Type: Cisco Catalyst 3850 (wired)
IOS Versions Supporting NetFlow: 15.0(1)EX and later
Supported NetFlow Export Types: TCP/UDP conversation traffic; Voice & Video
NetFlow Configuration in Prime Infrastructure: TCP/UDP: Create a custom CLI template. See Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches. Voice & Video: Use Medianet Perfmon CLI template. Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet – PerfMon. Format: V9
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-Voice-Video-

Device Type: Cisco Catalyst 3850 (wireless)
IOS Versions Supporting NetFlow: Cisco IOS XE Release 3SE (Edison)
Supported NetFlow Export Types: TCP/UDP conversation traffic
NetFlow Configuration in Prime Infrastructure: See Configuring Flexible NetFlow. Format: V9
Template Naming Convention: Netflow-Traffic-Conv-

Device Type: Cisco CT5760 Controller (Wireless)
IOS Versions Supporting NetFlow: Katana 5760
Supported NetFlow Export Types: TCP/UDP conversation traffic
NetFlow Configuration in Prime Infrastructure: See Application Visibility and Flexible Netflow. Format: V9
Template Naming Convention: Netflow-Traffic-Conv-

Device Type: Cisco Catalyst 4500
IOS Versions Supporting NetFlow: 15.0(1)XO and 15.0(2)SG onwards
Supported NetFlow Export Types: TCP/UDP conversation traffic; Voice & Video
NetFlow Configuration in Prime Infrastructure: TCP/UDP: Create a custom CLI template. See Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches. Voice & Video: Use Medianet Perfmon CLI template. Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet – PerfMon. Format: V9
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-Voice-Video-


Device Type: Cisco Catalyst 6500
IOS Versions Supporting NetFlow: 15.1(1)SY and later
Supported NetFlow Export Types: TCP/UDP conversation traffic; Voice & Video
NetFlow Configuration in Prime Infrastructure: TCP/UDP: Create a custom CLI template. See Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches. Voice & Video: Use Medianet Perfmon CLI template. Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Medianet – PerfMon. Format: V9
Template Naming Convention: Netflow-Traffic-Conv-, Netflow-Voice-Video-

Configuring NetFlow Export on Catalyst 2000 Switches

To manually configure NetFlow export on Catalyst 2000 devices, create a user-defined CLI template as shown in the following steps.

Step 1 Choose Configuration > Templates > Features & Technologies > CLI Templates > CLI.

Step 2 Hover your mouse cursor over the information icon and click New to create a new CLI template.

Step 3 Enter a name for the new CLI template (for example, “Prime_NF_CFG_CAT2K”).

Step 4 From the Device Type list, choose Switches and Hubs.

Step 5 In the Template Detail > CLI Content text box, enter the following commands, modifying them as needed for your network (note that these commands are only an example):

flow record PrimeNFRec
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
!
!
flow exporter PrimeNFExp
 destination 172.18.54.93
 transport udp 9991
 option exporter-stats timeout 20
!
!
flow monitor PrimeNFMon
 record PrimeNFRec
 exporter PrimeNFExp
interface GigabitEthernet3/0/1
 ip flow monitor PrimeNFMon input

Step 6 Click Save as New Template. After you save the template, deploy it to your devices (see Creating Feature-Level Configuration Templates).

Configuring NetFlow on Catalyst 3000, 4000, and 6000 Family of Switches

To manually configure NetFlow to export TCP and UDP traffic on Catalyst 3000, 4000, or 6000 devices, create a user-defined CLI template as shown in the following steps.

Step 1 Choose Configuration > Templates > Features & Technologies > CLI Templates > CLI.

Step 2 Hover your mouse cursor over the information icon and click New to create a new CLI template.

Step 3 Enter a name for the new CLI template (for example, “Prime_NF_CFG_CAT3K_4K”).

Step 4 From the Device Type list, choose Switches and Hubs.

Step 5 In the Template Detail > CLI Content text box, enter the following commands, modifying them as needed for your network (note that these commands are only an example):

flow record PrimeNFRec
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
!
!
flow exporter PrimeNFExp
 destination 172.18.54.93
 transport udp 9991
 option exporter-stats timeout 20
!
!
flow monitor PrimeNFMon
 record PrimeNFRec
 exporter PrimeNFExp
interface GigabitEthernet3/0/1
 ip flow monitor PrimeNFMon input

Step 6 Click Save as New Template. After you save the template, deploy it to your devices (see Creating Feature-Level Configuration Templates).
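A pre-deployment check for the Flexible NetFlow template used in the two Catalyst procedures above, added here as an illustration (it is not Cisco code and not part of Prime Infrastructure). It confirms that the exporter sends to your collector on the expected UDP port and that every record, exporter, and monitor reference resolves; the function names and the collector address passed in are assumptions of this example, and the sample input is the page's own example template.

```python
import ipaddress

# The example template from this page, reproduced as sample input.
SAMPLE_TEMPLATE = """\
flow record PrimeNFRec
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
!
flow exporter PrimeNFExp
 destination 172.18.54.93
 transport udp 9991
 option exporter-stats timeout 20
!
flow monitor PrimeNFMon
 record PrimeNFRec
 exporter PrimeNFExp
interface GigabitEthernet3/0/1
 ip flow monitor PrimeNFMon input
"""

# Lines that open a new configuration section in this kind of template.
HEADERS = (("flow", "record"), ("flow", "exporter"), ("flow", "monitor"), ("interface",))


def parse_sections(text):
    """Return [(kind, name, [sub-command token lists])] for the template.

    A section starts at a line beginning with one of HEADERS; every other
    non-blank, non-'!' line is a sub-command of the section above it, so the
    parser does not depend on indentation surviving copy and paste.
    """
    sections = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        for head in HEADERS:
            if tuple(tokens[:len(head)]) == head and len(tokens) > len(head):
                sections.append((" ".join(head), " ".join(tokens[len(head):]), []))
                break
        else:
            if sections:
                sections[-1][2].append(tokens)
    return sections


def lint(text, collector_ip, collector_port=9991):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    records, exporters, monitors, applied = set(), {}, {}, []
    for kind, name, body in parse_sections(text):
        if kind == "flow record":
            records.add(name)
        elif kind == "flow exporter":
            dest = [c[1] for c in body if c[0] == "destination" and len(c) > 1]
            port = [c[2] for c in body if c[:2] == ["transport", "udp"] and len(c) > 2]
            exporters[name] = (dest[-1] if dest else None, port[-1] if port else None)
        elif kind == "flow monitor":
            rec = [c[1] for c in body if c[0] == "record" and len(c) > 1]
            exps = [c[1] for c in body if c[0] == "exporter" and len(c) > 1]
            monitors[name] = (rec[-1] if rec else None, exps)
        else:  # interface section
            applied += [(name, c[3]) for c in body
                        if c[:3] == ["ip", "flow", "monitor"] and len(c) > 3]

    expected = ipaddress.ip_address(collector_ip)
    for name, (dest, port) in exporters.items():
        try:
            if ipaddress.ip_address(dest or "") != expected:
                findings.append(f"exporter {name}: destination {dest} is not the collector {expected}")
        except ValueError:
            findings.append(f"exporter {name}: destination {dest!r} is missing or not an IP address")
        if port != str(collector_port):
            findings.append(f"exporter {name}: transport udp port is {port}, expected {collector_port}")
    for name, (rec, exps) in monitors.items():
        if rec not in records:
            findings.append(f"monitor {name}: record {rec} is not defined")
        if not exps:
            findings.append(f"monitor {name}: no exporter configured")
        findings += [f"monitor {name}: exporter {e} is not defined"
                     for e in exps if e not in exporters]
    for ifname, mon in applied:
        if mon not in monitors:
            findings.append(f"interface {ifname}: monitor {mon} is not defined")
    used = {mon for _, mon in applied}
    findings += [f"monitor {m}: not applied to any interface" for m in monitors if m not in used]
    return findings


if __name__ == "__main__":
    # 192.0.2.10 is a constructed collector address (documentation range).
    for finding in lint(SAMPLE_TEMPLATE, "192.0.2.10"):
        print(finding)
```

Run against the unmodified example with your own collector address, the check reports the exporter destination, which is the line most likely to be left unchanged when the template is copied.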


Configuring NetFlow on ISR Devices

To manually configure NetFlow to export MACE traffic on an ISR device, use the following steps to create a user-defined CLI template:

Step 1 Choose Configuration > Templates > Features & Technologies > CLI Templates > CLI.

Step 2 Hover your mouse cursor over the information icon and click New to create a new CLI template.

Step 3 Enter a name for the new CLI template (for example, “Prime_NF_CFG_MACE”).

Step 4 From the Device Type list, choose Routers.

Step 5 In the Template Detail > CLI Content text box, enter the following commands, modifying them as needed for your network (note that these commands are only an example):

flow record type mace mace-record
 collect application name
 collect art all
!
flow exporter mace-export
 destination <PI_SERVER_IP_ADDRESS>
 source GigabitEthernet0/1
 transport udp 9991
!
flow monitor type mace mace-monitor
 record mace-record
 exporter mace-export
 cache timeout update 600
class-map match-all PrimeNFClass
 match protocol ip
 exit
policy-map type mace mace_global
 class PrimeNFClass
 flow monitor mace-monitor
 exit
 exit
interface GigabitEthernet 0/1
 mace enable

Step 6 Click Save as New Template. After you save the template, deploy it to your devices (see Creating Feature-Level Configuration Templates).


Chapter 6 Changing User Settings

Prime Infrastructure provides user preference settings that allow you to modify how information is displayed.

Changing Your User Preferences

Changing Your Idle-User Timeout

Changing List Length

Changing Your User Preferences

To change your user preferences, click the Settings icon (the gear icon on the right side of the menu bar), choose My Preferences, and change the settings shown on the My Preferences page.

Related Topics

Changing Your Idle-User Timeout

Changing List Length

Changing Alarm Display Behavior

Customizing the Alarm Summary

Toolbar

Changing Your Idle-User Timeout

Prime Infrastructure provides two settings that control when and how idle users are automatically logged out:

User Idle Timeout—You can disable or configure this setting, which ends your user session automatically when you exceed the timeout. It is enabled by default and is set to 15 minutes.

Global Idle Timeout—The Global Idle Timeout setting overrides the User Idle Timeout setting. The Global Idle Timeout is enabled by default and is set to 15 minutes. Only users with administrative privileges can disable the Global Idle Timeout setting or change its time limit.

You may find it useful to disable the user idle timeout feature if, for example, you are an Operations Center user experiencing sudden log-offs, due to idle sessions, with one or more Prime Infrastructure instances managed by Operations Center. For details, see “Disabling Idle User Timeout for Operations Center” in Related Topics.


To change the timeout settings, follow these steps:

Step 1 Click the Settings icon and choose My Preferences.

Step 2 Under User Idle Timeout:

Change the check status of the check box next to Logout idle user to enable or disable your idle timeout.

From the Logout idle user after drop-down list, choose one of the idle timeout limits.

Step 3 Click Save. You will need to log out and log back in for this change to take effect.

Related Topics

Changing Your User Preferences

Disabling Idle User Timeout for Operations Center

Changing the Global Idle Timeout

Changing List Length

Prime Infrastructure lets you change the default number of entries displayed in some lists. The Items Per List setting affects the number of entries displayed on the monitoring pages for:

APs

Controllers

Site Maps

Mesh

CleanAir

The Items Per List setting does not apply to Network Devices, alarms and events, configuration archive, software image management, or configuration.

The default number of items to show on a given page is 50.

Step 1 Click the Settings icon and choose My Preferences.

Step 2 Change the setting in the Items Per List Page drop-down list.

Step 3 Click Save.

Related Topic

Changing Your User Preferences


Chapter 7 Viewing and Managing Dashboards

Dashboards display at-a-glance views of the most important data in your network. They provide status and alerts, monitoring, and reporting information. Dashboards contain dashlets that consist of visual displays such as tables and charts.

Related Topics

Viewing Dashboards

Managing and Editing Dashboards

Adding Dashboards

Adding Dashlets

Viewing Dashboards

Prime Infrastructure provides several types of dashboards that contain graphs and visual indicators:

Overview—Provides summary information and includes tabs specific to alarms and events, clients, network devices, network interfaces, and service assurance.

Wireless—Provides wireless information about Security, Mesh, CleanAir, and ContextAware.

Performance—Provides a summary of performance metrics and includes tabs specific to sites, devices, access points, interfaces, applications, voice/video, end user experience, and WAN optimization.

Network Summary—Provides an overview summary of your network including status metrics and a tab specific to incidents which includes alarm and event type graphs and critical, major, and minor alarm counts.

Data Center—Provides information about Data Center and includes tabs specific to Compute and Host.

Note

Prime Infrastructure filters the monitoring data for virtual domains, based on the end points assigned to the sites and not based on the datasource, hence the dashboards display information for all virtual domains, irrespective of the virtual domain assigned to the user.

Related Topics

Overview Dashboards

Wireless Dashboards


Performance Dashboards

Network Summary Dashboards

Data Center Dashboards

Overview Dashboards

Table 7-1 describes the default information shown in each of the dashboards under Dashboard > Overview.

Table 7-1 Overview Dashboard Descriptions

To View This Information

Network device summary graph, including the reachable and unreachable devices

Top N CPU and memory utilization

Client count by association/authentication

Coverage area

Top N sites with the most alarms

Alarm summary graph

Alarm type graph

Device reachability status

Syslog summary and watch

Client troubleshooting tool

Wired client speed distribution graph

Client distribution graph

Client alarms and events summary

Client traffic graph

Top 5 SSIDs by client count

Top 5 switches by client count

Client posture status

Top N CPU and memory utilization

Top N environmental temperature

Interface availability summary

Top N interface utilization

Interface utilization summary graph

Top N interface errors and discards

Top N applications

Top N servers

Top N resources by NetFlow

Top N clients

Choose Dashboard > Overview >

General

Incidents

Client

Network Devices

Network Interface

Service Assurance

Related Topic

Managing and Editing Dashboards

Wireless Dashboards

Table 7-2 describes the default information shown in each of the dashboards under Dashboard > Wireless.

Table 7-2 Wireless Dashboard Descriptions

To View This Information

Security Index, including the top security issues

Adaptive WIPS

Rogue classification graph

Rogue containment graph

Attacks detected

Malicious, unclassified, friendly, and custom rogue APs

CleanAir security

Adhoc rogues

Most recent mesh alarms

Mesh worst node hop count

Mesh worst SNR link

Mesh worst packet error rate

Choose Dashboard > Wireless >

Security

Mesh

Note

The information in the worst interferer and interferer count charts is collected from the mobility services engines (MSE). If MSEs are not available, this chart does not show any results.

CleanAir

802.11 average and minimum air quality

Worst interferers

Interferer count

Recent security-risk interferers

Recent CAS notifications for interferers

MSE historical element count

Rogue elements detected by CAS

Location assisted client troubleshooting

MSE tracking counts

Top 5 MSEs

ContextAware

Related Topic

Managing and Editing Dashboards


Performance Dashboards

Choose one of the dashboards under Dashboard > Performance to view a summary of performance metrics. Viewing the performance dashboards can show you the health of the networks, servers, and applications.

You can use performance graphs to compare the performance of different devices or interfaces.

Table 7-3 describes the default information shown in each of the dashboards under Dashboard > Wireless.

Table 7-3 Performance Dashboard Descriptions

Choose Dashboard > Performance > Site to view this information for the specified site:

Client traffic (regular and optimized)
Device with most alarms
Top N applications
Device reachability status

Choose Dashboard > Performance > Device to view this information for the specified device:

Device Availability Trend
Device memory and CPU utilization trend
Device Port Summary
Device Health Information
Top N Interfaces by Netflow

Choose Dashboard > Performance > Access Point to view this information for the specified access point:

Access point details
Top clients and applications
Channel utilization
Client count

Choose Dashboard > Performance > Interface to view this information for the specified interface:

Interface details
Interface Availability Trend
Interface In and Out Errors and Discards
Interface Tx and Rx utilization
Top applications and clients
Top application traffic over time
Number of clients over time
DSCP classification
QoS class map statistics
Top QoS class map statistics trend


Table 7-3 Performance Dashboard Descriptions (continued)

To View This Information

For the specified application:

Top clients and servers

Application traffic analysis graph

Application server performance

Top interfaces over time

Top RTP streams

Worst RTP streams by packet loss

Worst site-to-site connections by KPI

For the specified client:

Top applications

User sites summary

Client traffic

Multi-segment analysis

Traffic volume and compression ratio

Transaction time

Average concurrent connections (optimized versus pass-through)

Multi-segment network time

Choose Dashboard > Performance >

Application

Voice/Video

End User Experience

WAN Optimization

Related Topic

Managing and Editing Dashboards

Network Summary Dashboards

Choose one of the following dashboards under Dashboard > Network Summary to view a summary of important data points in your network. Table 7-4 describes the default information shown in each of the dashboards under Dashboard > Network Summary.


Table 7-4 Network Summary Dashboard Descriptions

To View This Information

Overall system health such as

Reachability metrics for ICMP, Unified APs, and controllers

Alarm summary metrics for all alarms and rogue alarms

Health metrics for system health, WAN link health, and service health

Coverage areas, including links to APs not assigned to map

Client counts by association/authentication

Top CPU and interface utilization

Network topology

Interface utilization summary

Status of device manageability and autonomous AP.

Alarm summary metrics for all alarms and rogue alarms

Health metrics for system health, WAN link health, and service health

Alarms graph

Top alarm and event types graphs

Syslog summary

Choose Dashboard > Network Summary >

Overview

Incidents

Related Topics

Viewing Options for Network Summary Metrics

Managing and Editing Dashboards

Viewing Options for Network Summary Metrics

You can perform the following actions on the Metrics, which are displayed at the top of the Network Summary dashboards:

Add or remove metrics by selecting Settings > Add or Remove Metric Dashlet(s).

Reorder the metrics by clicking near the metric title and dragging and dropping it to the area you prefer.

Click any of the hyperlinks in any of the boxes to go to the details for that metric. For example, if you click on a number displayed in the Alarm Summary metrics, you go to the alarm page to view more information about the alarm(s).

Related Topic

Managing and Editing Dashboards

Data Center Dashboards

Table 7-5 describes the default information shown in each of the dashboards under Dashboard > Data Center.


Table 7-5 Data Center Dashboard Descriptions

Choose Dashboard > Data Center > Compute to view this information for the specified data center:

Virtual machine summary by OS
Virtual machine resource usage summary
Compute resource summary
Top 5 host usage summary by CPU

Choose Dashboard > Data Center > Host to view this information for the specified host:

Host CPU usage

Related Topic

Managing and Editing Dashboards

Managing and Editing Dashboards

The Prime Infrastructure dashboards contain dashlets with charts, graphs, tables, and other information.

There are various tools, options, and settings you can specify in order to customize the dashboards.

Related Topics

Understanding Dashlet Icons

Adding Dashboards

Adding Dashlets

Time Filters for Dashboards and Dashlets

Overriding a Dashlet Filter

Creating Generic Dashlets

Understanding Dashlet Icons

Dashboards contain dashlets that consist of visual displays such as tables and charts. You can drag and drop dashlets to any location in the dashboards. Hover your mouse cursor over any dashlet, and the following icons appear in the top-right corner of the dashboard.

Figure 7-1 Dashlet Icons

1 Dashlet options include editing the dashlet title, refreshing the dashlet, or changing the dashlet refresh interval. (To disable refresh, unselect Refresh Dashlet.)

2 Dashlet help includes a picture of the dashlet, a description, the data sources used to populate the dashlet, and any filters you can apply to the dashlet’s data.

3 Refresh the dashlet.

4 Maximize the dashlet. A restore icon appears, allowing you to restore the dashlet to its default size.

5 Collapse the dashlet so that only its title appears. An expand icon appears.

6 Remove the dashlet.

Dashlet badges indicate which filters were applied when generating the contents of each dashlet.

Figure 7-2 Dashlet Badges

1 Network aware filter. Use this filter to collect data for all devices, wired devices, wireless devices, or a specific wireless SSID.

2 Site filter. Use this filter to collect data associated with an AP or a controller located at a predefined location.

3 Application filter. Use this filter to collect data based on a service, an application within a service, up to ten separate applications, or all applications.

4 Time frame filter. Use this filter to collect data for a preset time period, or you can specify a beginning and ending date.

You can customize the predefined set of dashlets depending on your network management needs. You can organize the information in user-defined dashboards. The default view comes with default dashboards and pre-selected dashlets for each.

When using dashlets, bear in mind:

The label “Edited” next to the dashlet heading indicates that the dashlet has been customized. If you reset to the default settings, the Edited label is cleared.

When an upgrade occurs, the arrangement of dashlets in a previous version is maintained. Because of this, dashlets or features added in a new release are not displayed. Click the Manage Dashboards link to discover new dashlets.

The horizontal and vertical scrollbars are visible if you zoom the dashlets. Reset the zoom level back to zero, or no zoom for viewing the dashlets without the scrollbars.

Related Topics

Adding Dashboards


Restoring Dashboards

Adding Dashlets

Adding Dashboards

Prime Infrastructure has a set of default dashboards. You can also create a custom dashboard to display information specific to your needs:

Step 1 Click Settings at the top right of any dashboard page, and choose Add New Dashboard.

Step 2 Enter a name for the new dashboard, then click Add.

Step 3 Choose the new dashboard and add dashlets to it.

Related Topics

Restoring Dashboards

Adding Dashlets

Viewing Dashboards

Adding Dashlets

Each dashboard displays a subset of the available dashlets. You can add any dashlet that is not automatically displayed to any dashboard you want.

Step 1 Choose Dashboard, then select the dashboard to which you want to add the dashlet.

Step 2 Click the Settings icon, then choose Add Dashlets.

Step 3 Find the dashboard heading in the drop-down list; you can add any of the dashlets under that heading to that dashboard.

Related Topic

Default Dashlets

Default Dashlets

The following tables list the default dashlets that you can add to your Prime Infrastructure Home page or any dashboard:


Table 7-6 lists the default General Dashlets that you can add in your Prime Infrastructure home page.

Table 7-6 Default General Dashlets

| Dashlet | Description |
| --- | --- |
| AP Join Taken Time | Displays the access point name and the amount of time (in days, minutes, and seconds) that it took for the access point to join. |
| Top N APs by Channel Utilization | Shows the top N APs with maximum channel utilization. |
| AP Uptime | Displays each access point name and amount of time it has been associated. |
| CAPWAP Uptime | Shows the APs based on the CAPWAP uptime. |
| Coverage Areas | Displays the list of coverage areas and details about each coverage area. |
| Device Unreachability Summary | Displays the unreachability summary of APs, routers, and switches. |
| Network Topology | Displays the network topology map. |
| Unreachable MA-MC CAPWAP Tunnels | Displays the unreachability status between the mobility agent and mobility controller. |
| Device Uptime | Displays the devices based on the device uptime. |
| Ad hoc Rogues | Displays ad hoc rogues for the previous hour, previous 24 hours, and total active. |
| GETVPN Network Statistics | Shows available GETVPN network groups summary. |
| Job Information Status | Shows all user defined jobs. |
| Most Recent AP Alarms | Displays the five most recent access point alarms. Click the number in parentheses to open the Alarms page which shows all alarms. |
| Network Device Summary | Displays the total managed device count, number of available access points (APs) and total count of managed unreachable devices in the network. The Unified AP Reachability can be any of the following: Reachable—Operational status is registered and admin status is enabled; Unreachable—Operational status is unregistered and admin status is enabled. The network device summary dashlet for AP devices will be displayed only if the admin status is enabled. The AP reachability information is defined as follows: Unified AP—Reachability is defined by the Operational Status. If the AP is registered to a wireless LAN controller, it is considered reachable. If it is not registered, it is not reachable. Autonomous AP—Reachability is defined by the device's SNMP Reachability field in the Device Work Center. |
| Recent Alarms | Displays the five most recent alarms by default. Click the number in parentheses to open the Alarms page. |
| Recent Coverage Holes | Displays the recent coverage hole alarms listed by access point. |
| Software Summary | Displays the software version and software type of all managed devices. |

Table 7-7 lists the default Security Dashlets that you can add in your Prime Infrastructure home page.

Table 7-7 Default Security Dashlets

| Dashlet | Description |
| --- | --- |
| Client Classification | Allows you to classify the clients that are added in Prime Infrastructure. |

Table 7-8 lists the default Client Dashlets that you can add in your Prime Infrastructure home page.

Table 7-8 Default Client Dashlets

| Dashlet | Description |
| --- | --- |
| Client Troubleshooting Dashlet | Allows you to enter a Client MAC address and starts the client troubleshooting tool. |
| Client Distribution Dashlet | Shows the client distribution by protocol, EAP type, and authentication type. You can click a protocol to access the list of users belonging to that protocol. For example, if you click the 802.3 protocol, you can directly access the list of the wired clients and users in the Clients and Users page. |
| Client Alarms and Events Summary Dashlet | Shows the most recent client alarms of both wired and wireless clients: Client Association Failure; Client Authentication Failure; Client WEP Key Decryption Error; Client WPA MIC Error Counter Activated; Client Excluded; Autonomous AP Client Authentication Failure; Wired Client Authentication Failure; Wired Client Authorization Failure; Wired Client Critical VLAN Assigned; Wired Client Auth fail VLAN Assigned; Wired Client Guest VLAN Assigned; Wired Client Security Violation. |
| Wireless Client Traffic Dashlet | Reports the amount of bandwidth that client traffic is consuming for each network protocol used by the clients to connect to the network. |
| Wired Client Speed Distribution Dashlet | Shows the wired client speeds and the client count for each speed. There are three different speeds on which clients run: 10 Mbps, 100 Mbps, 1 Gbps. The ports are in the Auto Negotiate mode by default. For example, you get 100 Mbps speed for a client that runs in 100 Mbps speed. |
| Top 5 SSIDs by Client Count | Shows the count of currently associated and authenticated clients. You can choose to display the information in table form or in an area chart. |
| Top 5 Switches by Switch Count | Displays the five switches that have the most clients as well as the number of clients associated to the switch. |
| Client Posture Status Dashlet | Prime Infrastructure collects the posture status information from the Identity Services Engine (ISE). You need to add an ISE for authorization and authentication purpose. After you enable necessary functions in ISE, Prime Infrastructure shows the data in the Client Posture Status dashlet. This dashlet displays the client posture status and the number of clients in each of the following status categories: Compliant; Non-compliant; Unknown; Pending; Not Applicable; Error. |
| Client Count by IP Address Type | Displays a chart which shows client count trend over time by different IP addresses types. The types include IPv4, IPv6, Dual-Stack and Unknown. |
| IPv6 Assignment Distribution | Displays a pie chart which shows distribution of all clients based on how their IPv6 addresses get assigned. The types include Unknown, DHCPv6, Self-Assigned, and SLAAC or Static. |
| User Auth Failure Count | Displays a chart which shows user authentication failure count trend over time. |
| Client Protocol Distribution | Displays the current client count distribution by protocols. |
| Client EAP Type Distribution | Displays the count based on the EAP type. |
| Guest Users Count | Displays Guest client count over a specified time. |
| Client CCX Distribution | Displays a pie chart which shows client distribution among different CCX versions. |
| Top N Client Count | Displays a bar chart which shows top N elements based on client count. The elements include SSID, APs, Controller, Endpoint Type, Vendor, Switches, and Anchor Controllers. It is a generic top N chart to replace different individual top N charts. The Top N Client Count shows the anchor clients count on each anchor controller. |
| Client Mobility Status Distribution | Displays a pie chart which shows client distribution between local (not anchored) and anchored. |
| Client 11u Distribution | Displays a pie chart which shows 11u clients over non-11u clients. |
| 11u Client Count | Displays a pie chart which shows 11u clients over non-11u clients. |
| 11u Client Traffic | Displays a chart which shows 11u client traffic trend over time. |
| PMIP Clients Distribution | Displays a pie chart which shows PMIP client over non-PMIP clients. |
| PMIP Client Count | Displays a chart which shows PMIP client count trend over time. |
| Top APs by Client Count | Displays the Top APs by client count. |
| Most Recent Client Alarms | Displays the most recent client alarms. |
| Recent 5 Guest User Accounts | Displays the most recent guest user accounts created or modified. |
| Latest 5 logged in Guest Users | Displays the most recent guest users to log in. |
| Clients Detected by Context Aware Service | Displays the client count detected by the context aware service within the previous 15 minutes. |
| Client Authentication Type Distribution | Displays the client count based on the type of client authentication. |
| Client Count By Association/Authentication | Shows client count over a specified time interval. Count can be based on associated or authenticated clients. |
| Client Count By Wired/Wireless | Shows client count for wireless, wired or a combination of both. |
| Client Traffic By IP Address Type | Shows client traffic based on IP address type. |
| IP Address Type Distribution | Shows client distribution based on IP address type. |

Table 7-9 lists the default Network Dashlets that you can add in your Prime Infrastructure home page.

Table 7-9 Default Network Dashlets

| Dashlet | Description |
| --- | --- |
| CPU Utilization Summary | Displays the distribution of devices by CPU utilization across 4 CPU utilization bands (0-25%, 26-50%, 51-75%, 76-100%). |
| Device Availability Summary | Shows a summary, total device count and pie chart distribution of devices in a given site that are reachable (and Unreachable) through SNMP. |
| Interface Availability Summary | Shows the availability of the interface in percentage in the selected time range. |
| Interface Statistics | Shows the statistics information of the interface in a given site. |
| Interface Statistics Summary | Shows the total count of interfaces and a pie chart distribution of interface status (Up, Operationally Up, Administratively Down) in a given site. |
| Interface Utilization Summary | Shows pie chart distribution of devices by interface utilization across 4 Interface Utilization bands (0-25%, 25-50%, 51-75%, 75-100%) in a given site. The inner pie represents the received (Rx) utilization and the outer pie represents transmitted (Tx) utilization. |
| Top N CPU Utilization | Shows the top N devices with maximum CPU utilization. |
| Top N Environmental Temperature | Shows the top N tabulated list of average, maximum, minimum, current temperature associated with devices in the network. For the stacked switches, the device name will be appended with switch instance. For example: RB-Edison.Cisco.com-Switch-1, where Switch-1 is switch instance. |
| Top N Interface Errors and Discards | Displays the top N interfaces with highest input and output errors and discards. |
| Top N Interface Utilization | Shows pie chart distribution of devices by interface utilization-transmitted across 4 Interface Utilization bands (0-25%, 25-50%, 51-75%, 75-100%) in a given site. |
| Top N Memory Utilization | Shows the tabulated list of top N memory utilization in the network. |

Table 7-10 lists the default Service Assurance Dashlets that you can add in your Prime Infrastructure home page.

Table 7-10 Default Service Assurance Dashlets

| Dashlet | Description |
| --- | --- |
| Top N Applications | Shows top N applications with break down of wired/wireless/unknown in terms of total traffic volume/rate for a site/enterprise, client, and interface. |
| TOP N Clients | Shows top N clients based on total traffic volume/rate for site/enterprise and application, service or a set of applications. |
| Top N Interfaces by Netflow | Shows the top N interfaces with Netflow traffic based on volume. |
| Top N Resources by Netflow | Shows the Top N devices that are exporting Netflow traffic by volume or rate. It provides a toggle between Netflow exporting devices and sites with Netflow data. In Root Domain, the device list in the dashlet will not be VD aware. |
| Top N Servers | Shows Top N Servers by traffic rate. |
| Top N Sites by PFR | This dashlet lists the Top N Sites with the most PfR out of policy counts in the selected time range. |
| Top N WAN Interface | Shows the tabulated list of Top N WAN Interface utilization in the network. |
| Worst N Sites by MOS | Shows the worst sites by MOS score. |
| Worst N sites by Transaction Time | Shows site to site average transaction time for an application, service or a set of applications. |

Table 7-11 lists the default Incident Dashlets that you can add in your Prime Infrastructure home page.

Table 7-11 Default Incident Dashlets

| Dashlet | Description |
| --- | --- |
| Alarm Summary | Shows a pie chart distribution of alarms for Switches and Hubs, Ad hoc Rogue, Routers, AP, System, Rogue AP etc. |
| Device Reachability Summary | This dashlet shows a tabulated view of each device's SNMP reachability status. |
| Top N Alarm Types | Shows a horizontal bar chart of the top N alarm types with their associated counts. |
| Top N Events | Shows a horizontal bar chart of the event types and their counts. |
| Top N Sites with Most Alarms | Shows a horizontal bar chart of the top N sites with highest alarm counts. |
| Top N Syslog Sender | Shows a tabulated view of the top N devices that generated syslogs. The table shows the Syslog count by Severity. |
| Top N WAN Interface | Shows a tabulated view of the top N WAN Interfaces that reported issues along with the severity. |
| Syslog Summary | Shows syslogs of severity 0, 1 and 2. |
| Syslog Watch | The dashlet shows syslogs based on a predefined filter; by default, Environmental Monitor is selected. |

Related Topics

Adding Dashboards

Restoring Dashboards

Time Filters for Dashboards and Dashlets

You can filter dashboards and dashlets based on a period of time. There are two ways to display information for a specified time:

By dashboard—Using the Filters at the top of the Dashboard page, select a value from the Time Frame pulldown menu. Using the Filters feature allows you to filter all dashlet information for a specified time.

By dashlets—Edit the dashlet to override a dashboard filter.

Related Topic

Overriding a Dashlet Filter

Overriding a Dashlet Filter

You can change the filter settings for just one dashlet. For example, to change the time frame during which data is collected for a single dashlet from the default to 24 hours:

Step 1 Navigate to that dashlet and click the Dashlet Options icon.

Step 2 Select the Override Dashboard Time Filter check box, choose Past 24 Hours from the Time Frame drop-down list, then click Save And Close.

The dashlet displays the last 24 hours of data, regardless of what is specified in the Dashboard Time Frame pulldown menu. The label “Edited” next to the Time Frame dashlet badge, together with a red diagonal line over the badge, indicates that the filter has been customized.

Related Topics

Adding Dashboards

Restoring Dashboards

Creating Generic Dashlets

You can add a generic dashlet to the Performance dashboards and to any dashboard under the Performance tab. The generic dashlet displays the values for all polled devices.

Before You Begin

You must create at least one custom monitoring policy (for example, see Creating New Monitoring Policies).

To create a generic dashlet:

Step 1 Choose any dashboard under Dashboard > Performance.

Step 2 Click the Settings icon, then choose Add Dashlets.

Step 3 Find the Generic Dashlet and click Add. The Generic Dashlet appears on the dashboard.

Step 4 To edit the dashlet, hover your cursor over the Generic Dashlet and click the Dashlet Options icon.

Step 5 Rename the dashlet.

Step 6 From the Template Name drop-down list, choose the custom template that you created, then click Save.

Related Topics

Adding Dashboards

Restoring Dashboards

Restoring Dashboards

After an upgrade, the arrangement of dashlets in the previous version is maintained. Therefore, dashlets or features added in a new release are not displayed. To display new dashlets, click the Settings icon and choose Manage Dashboards.

To restore a dashboard to the default settings:

Step 1 Click Settings at the top right of any dashboard page, then choose Manage Dashboards.

Step 2 Choose a dashboard from the list, and click Reset.

Related Topics

Adding Dashboards

Adding Dashlets

PART 2

Monitoring Your Network

Monitoring Devices

Creating Monitoring Policies and Thresholds

Monitoring Alarms

Monitoring Clients and Users

Configuring and Monitoring IWAN

Monitoring Wireless Technologies

Using Monitoring Tools

Troubleshooting

Monitoring Multiple Prime Infrastructure Instances

CHAPTER 8

Monitoring Devices

The Monitor > Managed Elements menu provides tools to help you monitor your network on a daily basis, as well as perform other day-to-day or ad hoc operations relating to network device inventory and configuration management.

Monitoring Network Devices

Monitoring Jobs

Monitoring Background Tasks

Using Packet Capture to Monitor and Troubleshoot Network Traffic

Securing Network Services

Monitoring Network Devices

Select Monitor > Managed Elements > Network Devices to view the list of devices that have been added to Prime Infrastructure. You can also add, edit, synchronize, and group devices.

Related Topic

Network Devices Page

Adding Devices Manually

Network Devices Page

Table 8-1 describes the information that is displayed when you select Monitor > Managed Elements > Network Devices to view the list of devices that have been added to Prime Infrastructure. You can sort the table by clicking on any cell heading.

Note

When you launch the Cisco WLC UI from the Monitor > Managed Elements > Network Devices page in the Cisco Prime Infrastructure UI, an HTTPS connection opens for the Cisco WLC. If you want to use any other protocol to open the Cisco WLC UI session, you must launch it from the Device 360 view > Action > Connect to Device page and select the protocol that you want to open the Cisco WLC with.

Table 8-1 Network Devices Page Description

| To View this Information | Do This |
| --- | --- |
| Device details such as software version, port information, CPU and memory utilization | Click on a Device Name. |
| Device 360 view | Click the icon in the IP Address field. |
| Collection status details | Click the icon in the Last Inventory Collection column. |

Related Topics

Getting Device Details from Device 360° View

Monitoring Jobs

Use the Jobs dashboard to:

View all running and completed jobs and corresponding job details

Filter jobs to view the specific jobs in which you are interested

View details of the most recently submitted job

View job execution results

Modify jobs, including deleting, editing, running, canceling, pausing, and resuming jobs

Prime Infrastructure can have a maximum of 25 jobs running concurrently. If a new job is created while 25 jobs are already running, the new job state is “scheduled” until a job completes and the new job can start. If a new job’s scheduled time has already passed before it could be started, the new job will not run and you’ll need to reschedule or start it when fewer than 25 jobs are running.

To monitor jobs, follow these steps:

Step 1 Choose Administration > Dashboards > Job Dashboard.

Step 2 Click a job, then perform any of the following actions:

Click Run to start the currently scheduled job immediately. If a job has the status “failed,” click Run to resubmit the same job, which creates a new scheduled job with the same parameters as the previous job. Only the failed and partially successful devices within the job will be selected for retry.

Click Abort to stop a discovery job currently in progress and return it to its scheduled state. You cannot abort all jobs. For example, you receive an error message if you try to abort a running configuration job.

Click Cancel to delete any future scheduled jobs for the job you specified. If a job is currently running, it will complete.

Step 3 To view information on when the job was created, started or scheduled and its history, select a job to view the Job Detail View page. Hover the mouse over the Status column of the specific job to view the troubleshooting information for a failed job.

When a minute job is scheduled to run recursively, the first trigger of the job falls on the nth minute of the hour, as divided by the quartz scheduler, and successive runs will be placed as per the schedule. For example, if you have given the start time as 12:02:00 and you want the job to run every 3 minutes, then the job will be executed at 12:03 (in a minute), with the next recurrence at 12:06, 12:09, and so on.

As another example, if you have given the start time as 12:00:00 and you want the job to run every 3 minutes, then the job will be executed at 12:00 (without any delay), with the next recurrence at 12:03, 12:06, and so on.

Monitoring Background Tasks

A background task is a scheduled program running in the background with no visible pages or other user interfaces. In Prime Infrastructure, background tasks can be anything from data collection to backing up configurations. You can monitor background tasks to see which background tasks are running, check their schedules, and find out whether the task was successfully completed.

To monitor the background tasks, follow these steps:

Step 1 Choose Administration > Settings > Background Tasks to view scheduled tasks. The Background Tasks page appears.

Step 2 Choose a command from the drop-down list:

Execute Now—Runs all of the data sets with a selected check box.

Enable Tasks—Enables the data set to run on its scheduled interval.

Disable Tasks—Prevents the data set from running on its scheduled interval.

Using Packet Capture to Monitor and Troubleshoot Network Traffic

In addition to aggregating data from multiple NAMs, Prime Infrastructure makes it easy to actively manage and troubleshoot network problems using multiple NAMs and ASRs.

Note

This feature is supported for NAMs and ASRs. For more information on the minimum Cisco IOS XE version supported on ASRs, see the Cisco ASR 1000 Series Aggregation Services Routers Release Notes.

In the following workflow, a network operator needs to troubleshoot a set of similar authentication violations taking place at multiple branches. Because the operator suspects that the authentication problems are due to a network attack in progress, the operator runs the Packet Capture feature against the NAMs or ASRs for each branch, then runs the Packet Decoder to inspect the suspicious traffic.

Step 1 Create a capture session definition:

a. Choose Monitor > Tools > Packet Capture, then click Capture Session to create a new capture session definition.

b. Complete the General section as needed. Give the session definition a unique name and specify how you want to file the captured data. To capture the full packet, enter 0 in the Packet Slice Size.

c. If you want to restrict the captured traffic to particular source or destination IPs, VLANs, applications, or ports, click Add in the Software Filters section and create filters as needed. If you do not create a software filter, it captures everything.

d. In the Devices area, you can select:

A NAM and its data ports. You can create one capture session per NAM only, whether the capture session is running or not.

An ASR and its interfaces.

e. Click Create and Start All Sessions.

Prime Infrastructure saves the new session definition, then runs separate capture sessions on each of the devices you specified. It stores the sessions as files on the device and displays the list of packet capture files in the Capture Files area.

Step 2 To decode a packet capture file:

a. Choose Monitor > Tools > Packet Capture.

b. Select a PCAP file in a NAM or ASR device.

c. Select Copy To to copy the PCAP file to the PI server (the decode operation only runs on files in the PI server).

d. Click View Jobs to confirm that the copy job completed successfully.

e. Open the localhost folder, select the check box for the new capture file, then click Decode. The decoded data appears in the bottom pane.

f. A TCP Stream displays the data as the application layer sees it. To view the TCP Stream for a decoded file, select a TCP packet from the Packet List, then click TCP Stream. You can view the data as ASCII text or in a HEX dump.

Step 3 To run a packet capture session again, select the session definition in the Capture Sessions area and click Start.

Securing Network Services

Cisco TrustSec Identity-Based Networking Services (IBNS) is an integrated solution consisting of Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. Cisco TrustSec IBNS helps enterprises to increase productivity and visibility, reduce operating costs, and enforce policy compliance.

In Prime Infrastructure, the TrustSec network service design enables you to choose preferred options for provisioning configurations to TrustSec-capable devices to enable 802.1X and other TrustSec functionality. You can configure wired 802_1x devices by creating TrustSec model-based configuration templates and choosing any one of the following navigation paths:

Services > Network Services > TrustSec

Configuration > Templates > Features & Technologies > Security > TrustSec > Wired 802_1x

Note that for Catalyst 6000 devices:

Security violation as protect is not available for Catalyst 6000 supervisor devices.

Security violation as replace is available in Cisco IOS Release 15.1(01)SY and later.

The command macsec is not available for Catalyst 6500 supervisor 2T devices.

The MACsec support is available only for 3560-X series and 3750-X series devices with minimum supported image version “12.2.55SE3/15.0(1)SE2”.

Note

For the TrustSec 2.0 platform support list, see the Cisco TrustSec 2.0 Product Bulletin.

For more details about configuring TrustSec model-based configuration templates, see Creating Feature-Level Configuration Templates.

Generating a TrustSec Readiness Assessment Report

TrustSec Readiness Assessment displays TrustSec-based device details such as TrustSec version, readiness category, readiness device count, and device percentage displayed in the pie chart.

To generate a TrustSec Readiness Assessment report, follow these steps:

Step 1 Choose Services > Network Services > TrustSec.

Step 2 Expand the Features-TrustSec folder, then click Readiness Assessment.

A pie chart appears with the following types of devices:

TrustSec Limited Compatibility Devices

TrustSec Capable Devices

TrustSec Hardware Incapable Devices

TrustSec Software Incapable Devices

Step 3 Click Section view and click any of the pie chart slices to view the details of the selected TrustSec-based device type.

Step 4 Click Complete view to view the details of all TrustSec-based devices.

Step 5 Select the TrustSec version and click Export to export the readiness assessment details to a CSV file.

CHAPTER 9

Monitoring Wireless Devices

You can monitor your wireless devices in your network on a daily basis, as well as perform other day-to-day or ad hoc operations related to wireless device inventory.

Monitoring Controllers

Monitoring Access Points

Monitoring Rogue Access Points

Monitoring Spectrum Experts

Monitoring WiFi TDOA Receivers

Monitoring Media Streams

Monitoring Access Point Alarms

Monitoring Controllers

Choose Monitor > Managed Elements > Network Devices, then select Device Type > Wireless Controller to view all the wireless controllers.

Related Topic

Monitoring System Parameters

Monitoring System Parameters

Choose Monitor > Managed Elements > Network Devices, then select Device Type > Wireless Controller to view all the wireless controllers. Click a Device name to view its details. You can monitor all the wireless controller details described in Table 9-1.

Table 9-1 Monitor > Network Devices > Wireless Controller Details

| To View ... | Select This Menu ... |
| --- | --- |
| System Information | |
| Summary information such as IP address, device type, location, reachability status, description, etc. | System > Summary under Device Details tab |
| CLI session details | System > CLI Sessions under Device Details tab |
| DHCP statistics (for version 5.0.6.0 controllers or later) such as packets sent and received, DHCP server response information, and the last request time stamp | System > DHCP Statistics under Device Details tab |
| Multicast information | System > Multicast under Configuration tab |
| Stack information such as MAC address, role, state, etc. | System > Stacks under Device Details tab |
| STP statistics | System > Spanning Tree Protocol under Configuration tab |
| Information about any user-defined fields | System > User Defined Field under Device Details tab |
| Wireless local access networks (WLANs) configured on a controller | System > WLANs under Device Details tab |
| Mobility | |
| Statistics for mobility group events such as receive and transmit errors, handoff request, etc. | Mobility > Mobility Stats under Device Details tab |
| Ports | |
| Information regarding physical ports on the selected controller | Ports > General under Configuration tab |
| CDP Interfaces | Ports > CDP Interface Neighbors under Configuration tab |
| Security | |
| RADIUS accounting server information and statistics | Security > RADIUS Accounting under Device Details tab |
| RADIUS authentication server information | Security > RADIUS Authentication under Device Details tab |
| Information about network access control lists | System > Security > Network Access Control |
| Guest access deployment and network users | Security > Guest Users under Device Details tab |
| Management Frame Protection (MFP) summary information | System > Security > Management Frame Protection under Device Details tab |
| List of all rogue access point rules currently applied to a controller. | System > Security > Rogue AP Rules under Device Details tab |
| List of sleeping clients, which are clients with guest access that have had successful web authentication that are allowed to sleep and wake up without having to go through another authentication process through the login page | Security > Sleeping Clients under Device Details tab |
| IPv6 | |
| Statistics for the number of messages exchanged between the host or client and the router to generate and acquire IPv6 addresses, link, MTU, etc. | IPv6 > Neighbor Binding Timers under Configuration tab |
| Redundancy | |
| Redundancy information | System > Redundancy Summary under Device Details tab |
| mDNS | |
| List of mDNS services and service provider information. | mDNS > mDNS Service Provider under Device Details tab |

Related Topics

Wireless Controller System Summary

Spanning Tree Protocol

Management Frame Protection

Rogue AP Rules

Spanning Tree Protocol

The Spanning Tree Protocol (STP) is a link management protocol. Cisco WLAN Solution implements the IEEE 802.1D standard for media access control bridges.

The spanning tree algorithm provides redundancy while preventing undesirable loops in a network that are created by multiple active paths between stations. STP allows only one active path at a time between any two network devices (this prevents the loops) but establishes the redundant links as a backup if the initial link should fail.

The following controllers do not support Spanning Tree Protocol: WISM, 2500, 5500, 7500 and SMWLC.

Related Topics

Wireless Controller > System > Spanning Tree Protocol

Monitoring Controllers

Management Frame Protection

Management Frame Protection (MFP) provides the authentication of 802.11 management frames.

Management frames can be protected to detect adversaries who are invoking denial of service attacks, flooding the network with probes, interjecting as rogue access points, and affecting the network performance by attacking the QoS and radio measurement frames.

If one or more of the WLANs for the controller has MFP enabled, the controller sends each registered access point a unique key for each BSSID the access point uses for those WLANs. Management frames sent by the access point over the MFP-enabled WLANs are signed with a Frame Protection Information Element (IE). Any attempt to alter the frame invalidates the message, causing the receiving access point configured to detect MFP frames to report the discrepancy to the WLAN controller.

Related Topic

Monitoring Controllers

Rogue AP Rules

Rogue AP rules automatically classify rogue access points based on criteria such as authentication type, matching configured SSIDs, client count, and RSSI values. Prime Infrastructure applies the rogue access point classification rules to the controllers and respective access points.

These rules can limit a rogue appearance on maps based on RSSI level (weaker rogue access points are ignored) and time limit (a rogue access point is not flagged unless it is seen for the indicated period of time).

Rogue AP Rules also help reduce false alarms.

Rogue classes include the following types:

Malicious Rogue—A detected access point that matches the user-defined malicious rules or has been manually moved from the Friendly AP category.

Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined friendly rules.

Unclassified Rogue—A detected access point that does not match the malicious or friendly rules.
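The classification described in this section, modelled as an added example (not Cisco code and not the controller's implementation). Checking rules in list order and requiring every condition of a rule to hold are assumptions, as are the field names, SSIDs, MAC addresses and thresholds.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values: SSIDs configured on the managed WLAN.
MANAGED_SSIDS = {"corp-wifi", "corp-guest"}


@dataclass(frozen=True)
class Rogue:
    """One detected access point (hypothetical record layout)."""
    mac: str
    ssid: str
    open_auth: bool      # True when the AP advertises no encryption
    client_count: int
    rssi_dbm: int        # strongest RSSI reported by a detecting AP
    seen_seconds: int    # how long the AP has been observed


@dataclass(frozen=True)
class Rule:
    """A classification rule; a condition left as None is not evaluated."""
    name: str
    verdict: str                           # "Malicious" or "Friendly"
    min_rssi_dbm: Optional[int] = None     # weaker rogues are ignored
    min_seen_seconds: Optional[int] = None # time limit before flagging
    min_clients: Optional[int] = None
    open_auth: Optional[bool] = None
    uses_managed_ssid: Optional[bool] = None

    def matches(self, r: Rogue) -> bool:
        on_managed = r.ssid in MANAGED_SSIDS
        return all((
            self.min_rssi_dbm is None or r.rssi_dbm >= self.min_rssi_dbm,
            self.min_seen_seconds is None or r.seen_seconds >= self.min_seen_seconds,
            self.min_clients is None or r.client_count >= self.min_clients,
            self.open_auth is None or r.open_auth == self.open_auth,
            self.uses_managed_ssid is None or on_managed == self.uses_managed_ssid,
        ))


# Constructed rule set, evaluated top to bottom (ordering is an assumption).
RULES = [
    Rule("managed-ssid-spoof", "Malicious", uses_managed_ssid=True,
         min_rssi_dbm=-70, min_seen_seconds=120),
    Rule("open-with-clients", "Malicious", open_auth=True, min_clients=1,
         min_rssi_dbm=-75, min_seen_seconds=300),
    Rule("encrypted-neighbor", "Friendly", open_auth=False,
         uses_managed_ssid=False),
]


def classify(rogue, rules=RULES, manual=None):
    """Return (class, reason). A manual move by an operator wins over rules."""
    if manual and rogue.mac in manual:
        return manual[rogue.mac], "manual"
    for rule in rules:
        if rule.matches(rogue):
            return rule.verdict, rule.name
    return "Unclassified", "no rule matched"


def constructed_rogues():
    """Constructed detections covering the RSSI and time-limit cases."""
    return {
        "spoof_near": Rogue("02:00:00:00:00:01", "corp-wifi", True, 2, -60, 600),
        "spoof_far": Rogue("02:00:00:00:00:02", "corp-wifi", True, 0, -88, 600),
        "neighbor": Rogue("02:00:00:00:00:03", "cafe-net", False, 5, -65, 900),
        "open_new": Rogue("02:00:00:00:00:04", "free-wifi", True, 3, -60, 30),
        "open_old": Rogue("02:00:00:00:00:04", "free-wifi", True, 3, -60, 400),
    }


if __name__ == "__main__":
    for label, rogue in constructed_rogues().items():
        print(f"{label:11s} {classify(rogue)}")
```

The `spoof_far` and `open_new` cases stay Unclassified because they fail the RSSI floor and the time limit respectively, which is how such rules cut false alarms.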

Related Topic

Monitoring Controllers

Monitoring Third Party Controllers

Choose Monitor > Managed Elements > Network Devices > Third Party Wireless Controllers to view the detailed information about the third party (non-Cisco) controllers that are managed by Prime Infrastructure.

Monitoring Switches

Choose Monitor > Managed Elements > Network Devices > Switches and Hubs to view the following detailed information about the switches:

Searching Switches

Use the Prime Infrastructure search feature to find specific switches or to create and save custom searches.

Viewing the Switches

Related topics

Monitor > Switches > Search

Monitor > Switches > View

Configuring the Switch List Page

The Edit View page allows you to add, remove, or reorder columns in the Switches table.

To edit the available columns in the table, follow these steps:

Step 1  Choose Monitor > Managed Elements > Network Devices > Switches and Hubs.

Step 2  Click the Edit View link.

Step 3  To add an additional column to the table, click to highlight the column heading in the left column. Click Show to move the heading to the right column. All items in the right column are displayed in the table.

Step 4  To remove a column from the table, click to highlight the column heading in the right column. Click Hide to move the heading to the left column. All items in the left column are not displayed in the table.

Step 5  Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight the desired column heading and click Up or Down to move it higher or lower in the current list.

Step 6  Click Reset to restore the default view.

Step 7  Click Submit to confirm the changes.

Related topics

Monitor > Switches > Search

Monitor > Switches > View

Monitoring Switch System Parameters

Choose Monitor > Managed Elements > Network Devices > Switches and Hubs, then click on a Device Name to view the following detailed information about the switch:

Viewing Switch Memory Information

Viewing Switch Environment Information

Viewing Switch Module Information

Viewing Switch VLAN Information

Viewing Switch VTP Information

Viewing Switch Physical Ports Information

Viewing Switch Sensor Information

Viewing Switch Spanning Tree Information

Viewing Spanning Tree Details

Viewing Switch Stacks Information

Viewing Switch NMSP and Location Information

Related Topics

Viewing Switch Information

Viewing Switch Information

To view switch information, follow these steps:

Step 1  Choose Monitor > Managed Elements > Network Devices > Switches and Hubs.

Step 2  Click a Device Name in the Device Name column to view details about the switch.

Step 3  Click one of the following from the System menu to view the relevant information:

Environment

Modules

VLANs

VTP

Physical Ports

Sensors

Spanning Tree

Stacks

NMSP and Location

Related Topic

Monitoring Switch Interfaces

Monitor > Switches > IP Address

Monitor > Switches > Memory

Monitor > Switches > Environment

Monitor > Switches > Modules

Monitor > Switches > VLANs

Monitor > Switches > VTP

Monitor > Switches > Physical Ports

Monitor > Switches > Sensors

Monitor > Switches > Spanning Tree

Monitor > Switches > Spanning Tree Details

Monitor > Switches > Stacks

Monitoring Switch Interfaces

Step 1  Choose Monitor > Managed Elements > Network Devices > Switches and Hubs.

Step 2  Click a Device Name in the Device Name column to view details about the switch.

Step 3  Click Interfaces to view the following information:

Monitoring Switch Ethernet Interfaces

Monitoring Switch Ethernet Interface Details

Monitoring Switch IP Interfaces

Monitoring Switch VLAN Interfaces

Monitoring Switch EtherChannel Interfaces

Related Topics

Viewing Switch Interface Information

Viewing Switch Interface Information

To view switch interface information, follow these steps:

Step 1  Choose Monitor > Managed Elements > Network Devices > Switches and Hubs.

Step 2  Click a Device Name in the Device Name column to view details about the switch.

Step 3  Click Interfaces.

Step 4  Click one of the following to view the relevant information:

Ethernet Interfaces

Ethernet Interface Name

IP Interfaces

VLAN Interfaces

EtherChannel Interfaces

Related Topics

Monitor > Switches > Interfaces > Ethernet Interfaces

Monitor > Switches > Interfaces > Ethernet Interface Name

Monitor > Switches > Interfaces > IP Interface

Monitor > Switches > Interfaces > VLAN Interface

Monitor > Switches > Interfaces > EtherChannel Interface

Monitoring Switch Clients

To view switch interface information, follow these steps:

Step 1  Choose Monitor > Managed Elements > Network Devices > Switches and Hubs.

Step 2  Click a Device Name in the Device Name column to view details about the switch.

Step 3  Choose Clients from the System Menu to monitor switch clients.

Monitoring Access Points

This section describes access to the controller access points summary details. Use the main data area to access the respective access point details.

Choose Monitor > Wireless Technologies > Access Point Radios to access this page.

Related Topics

Searching for Access Points

Viewing a List of Access Points

Types of Reports for Access Points

Monitoring Access Points Details

Searching for Access Points

Use the Prime Infrastructure Search feature to find specific access points or to create and save custom searches.

Related Topics

Viewing a List of Access Points

Types of Reports for Access Points

Monitoring Access Points

Monitoring Access Points Details

Search Methods

Viewing a List of Access Points

Choose Monitor > Wireless Technologies > Access Point Radios or perform an access point search to view the summary of access points including the default information.

Related Topics

Searching for Access Points

Types of Reports for Access Points

Monitoring Access Points

Monitoring Access Points Details

Viewing a List of Access Points

Configuring the List of Access Points Display

The Edit View page allows you to add, remove, or reorder columns in the Access Points table.

To edit the available columns in the alarms table:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Click the Edit View link.

Step 3  To add an additional column to the access points table, highlight the column heading in the left column and click Show to move the heading to the right column. An additional column will be added to the left of the highlighted column.

Step 4  To remove a column from the access points table, highlight the column heading of the column on the right of the column you want to remove and click Hide. All items in the left column will be removed from the table.

Step 5  Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight the desired row heading and click Up or Down to move it higher or lower in the current list.

Step 6  Click Reset to restore the default view.

Step 7  Click Submit to confirm the changes.

Related Topics

Monitoring Access Points

Searching for Access Points

Viewing a List of Access Points

Monitoring Access Points Details

Types of Reports for Access Points

The following reports can be generated for Access Points. These reports cannot be customized.

Load—Generates a report with load information.

Dynamic Power Control—Generates a report with Dynamic Power Control information.

Noise—Generates a report with Noise information.

Interference—Generates a report with Interference information.

Coverage (RSSI)—Generates a report with Coverage (RSSI) information.

Coverage (SNR)—Generates a report with Coverage (SNR) information.

Up/Down Statistics—Time in days, hours and minutes since the last reboot. Generates a report with Up Time information.

Network Airtime Fairness Statistics—Tabular representation of Average Airtime used across different WLAN profiles in the selected interval of time.

Voice Statistics—Generates a report for selected access points showing radio utilization by voice traffic.

Voice TSM Table—Generates a report for selected access points and radio, organized by client device showing QoS status, PLR, and latency of its voice traffic stream.

Voice TSM Reports—Graphical representation of the TSM table except that metrics from the clients are averaged together on the graphs.

802.11 Counters—Displays counters for access points at the MAC layer. Statistics such as error frames, fragment counts, RTS/CTS frame count, and retried frames are generated based on the filtering criteria and can help interpret performance (and problems, if any) at the MAC layer.

AP Profile Status—Displays access point load, noise, interference, and coverage profile status.

Air Quality vs. Time—Displays the air quality index of the wireless network during the configured time duration.

Traffic Stream Metrics—Determines the current and historical quality of service (QoS) for given clients at the radio level. It also displays uplink and downlink statistics such as packet loss rate, average queuing delay, distribution of delayed packets, and roaming delays.

Tx Power and Channel—Displays the channel plan assignment and transmit power level trends of devices based on the filtering criteria used when the report was generated. It can help identify unexpected behavior or issues with network performance.

VoIP Calls Graph—Helps analyze wireless network usage from a voice perspective by providing details such as the number and duration of VoIP calls (per radio) on the network over time. VoIP snooping must be enabled on the WLAN to be able to gather useful data from this report. This report displays information in a graph.

VoIP Calls Table—Provides the same information as the VoIP Calls Graph report but in table form.

Voice Statistics—Helps analyze wireless network usage from a voice perspective by providing details such as percentage of bandwidth used by voice clients, voice calls, roaming calls, and rejected calls (per radio) on the network. To be able to gather useful data from this report, make sure call admission control (CAC) is supported on voice clients.

Worst Air Quality APs—Provides a high-level, easy-to-understand metric to facilitate understanding of where interference problems are impacting the network. Air Quality (AQ) is reported at a channel, floor, and system level and it supports AQ alerts, so that you can be automatically notified when AQ falls below a desired threshold.

Note

Tx Power and Channel report and AP Profile Status report in Cisco Prime Infrastructure may not show data for all the polling instances. This is because of a mechanism in the database that compresses the identical rows in a table.

The Tx Power and Channel report and the AP Profile Status report fetch data from the "lradifstats" table in the database, which contains the following information:

Channel number

Tx Power level

Operational status

Load profile state

Noise Profile state

Interference profile state

Coverage profile state

The compression logic is applied to all the above columns in the table. If values in all the columns are the same, then the entry is compressed. For example, consider that the polling happened at intervals t1, t2, t3, t4, and t5. If the values at intervals t1 to t4 are the same and change at t5, then Prime Infrastructure keeps the t1, t4, and t5 entries in the database.

The compression logic also applies to the Preferred Calls report. However, this report gets data from a different table, "lradifprefvoicecallstats", which has the columns Number of calls received and Number of calls accepted.
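The keep-first-and-last behaviour described in this note, as an added example (not Prime Infrastructure code): compress() drops the interior rows of each run of identical polls, and expand() shows how a consumer of the stored rows can rebuild the full polling series. The field names, profile values and poll times are constructed.

```python
from bisect import bisect_right
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RadioRow:
    """The columns the note lists for "lradifstats" (field names are illustrative)."""
    channel: int
    tx_power_level: int
    oper_status: str
    load_profile: str
    noise_profile: str
    interference_profile: str
    coverage_profile: str


def compress(samples):
    """Keep only the first and last row of every run of identical rows.

    samples is a list of (poll_time, RadioRow) in polling order. Rows are
    compared across all columns, so a change in any one column ends a run.
    """
    kept = []
    last = len(samples) - 1
    for i, (ts, row) in enumerate(samples):
        starts_run = i == 0 or samples[i - 1][1] != row
        ends_run = i == last or samples[i + 1][1] != row
        if starts_run or ends_run:
            kept.append((ts, row))
    return kept


def expand(kept, poll_times):
    """Rebuild the value at every poll time from the compressed rows.

    A dropped poll always lies between two kept rows with identical values,
    so the latest kept row at or before the poll time gives its value.
    """
    stamps = [ts for ts, _ in kept]
    out = []
    for t in poll_times:
        i = bisect_right(stamps, t) - 1
        if i < 0:
            raise ValueError(f"no stored row at or before poll time {t}")
        out.append((t, kept[i][1]))
    return out


def constructed_samples():
    """Five constructed polls: t1..t4 identical, t5 differs (times in minutes)."""
    base = RadioRow(36, 1, "UP", "PASSED", "PASSED", "PASSED", "PASSED")
    changed = replace(base, channel=44, tx_power_level=3)
    return [(0, base), (5, base), (10, base), (15, base), (20, changed)]


if __name__ == "__main__":
    samples = constructed_samples()
    stored = compress(samples)
    print("stored poll times:", [ts for ts, _ in stored])
    rebuilt = expand(stored, [ts for ts, _ in samples])
    print("rebuilt series matches original:", rebuilt == samples)
```

A report that reads the stored rows directly shows three data points for these five polls, which is the missing-polling-instance effect the note describes.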

Related Topics

Monitoring Traffic Load

Monitoring Dynamic Power Control

Monitoring Access Points Noise

Monitoring Access Points Interference

Monitoring Access Points Coverage (RSSI)

Monitoring Access Points Coverage (SNR)

Monitoring Access Points Up/Down Statistics

Monitoring the Access Points Voice Statistics

Monitoring the Access Points Voice TSM Table

Monitoring the Access Points Voice TSM Reports

Monitoring Access Points 802.11 Counters

Monitoring Access Points AP Profile Status

Monitoring Air Quality

Monitoring Access Points Traffic Stream Metrics

Monitoring Access Points Tx Power and Channel

Monitoring VoIP Calls

Monitoring Voice Statistics

Monitoring Air Quality

Generating Reports for Access Points

To generate a report for access points:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Click to select the access point(s) for which you want to run a report.

Step 3  Choose the applicable report from the Select a report drop-down list.

Step 4  Click Go.

Related Topics

Types of Reports for Access Points

Monitoring Traffic Load

Traffic Load is the total amount of bandwidth used for transmitting and receiving traffic. This enables WLAN managers to track network growth and plan network growth ahead of client demand.

To generate the access point load report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box(es) of the applicable access point(s).

Step 3  From the Generate a report for selected APs drop-down list, choose Load.

Step 4  Click Go. The Load report displays for the selected access points.

Related Topics

Types of Reports for Access Points

Monitor > Access Points > Load

Monitoring Dynamic Power Control

To generate the Access Point Load report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box(es) of the applicable access point(s).

Step 3  From the Generate a report for selected APs drop-down list, choose Dynamic Power Control.

Step 4  Click Go. The Dynamic Power Control report displays the selected access points.

Related Topics

Types of Reports for Access Points

Monitor > Access Points > Dynamic Power Control

Monitoring Access Points Noise

To generate the Access Point Noise report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box(es) of the applicable access point(s). If multiple access points are selected, they must have the same radio type.

Step 3  Choose Noise from the Generate a report for selected APs drop-down list.

Step 4  Click Go.

The Noise report displays a bar graph of noise (RSSI in dBm) for each channel for the selected access points.

Related Topics

Types of Reports for Access Points

Monitoring Access Points Interference

To generate the Access Point Interference report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box(es) of the applicable access point(s). If multiple access points are selected, they must have the same radio type.

Step 3  Choose Interference from the Generate a report for selected APs drop-down list, then click Go.

The Interference report displays a bar graph of interference (RSSI in dBm) for each channel:

High interference -40 to 0 dBm.

Marginal interference -100 to -40 dBm.

Low interference -110 to -100 dBm.

Related Topics

Types of Reports for Access Points

Monitoring Access Points Coverage (RSSI)

To generate the Access Point Coverage (RSSI) report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box(es) of the applicable access point(s).

Step 3  Choose Coverage (RSSI) from the Generate a report for selected APs drop-down list.

Step 4  Click Go.

The Coverage (RSSI) report displays a bar graph of client distribution by received signal strength showing the number of clients versus RSSI in dBm.

Related Topics

Types of Reports for Access Points

Monitoring Access Points Coverage (SNR)

To generate the Access Point Coverage (SNR) report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box(es) of the applicable access point(s).

Step 3  Choose Coverage (SNR) from the Generate a report for selected APs drop-down list, then click Go.

The Access Points Coverage (SNR) report displays a bar graph of client distribution by signal-to-noise ratio showing the number of clients versus SNR.

Related Topics

Types of Reports for Access Points

Monitoring Access Points Up/Down Statistics

To generate the Access Point Up/Down Statistics report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box of the applicable access point.

Step 3  Choose Up/Down Statistics from the Generate a report for selected APs drop-down list. Click Go.

The Up/Down Statistics report displays a line graph of access point up time graphed against time.

Related Topics

Types of Reports for Access Points

Monitoring the Access Points Voice Statistics

To generate the Access Point Voice Statistics report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box(es) of the applicable access point(s).

Step 3  Choose Voice Statistics from the Generate a report for selected APs drop-down list, then click Go.

The Voice Statistics report displays the following radio utilization statistics by voice traffic:

AP Name.

Radio.

Calls in Progress

Roaming Calls in Progress

Bandwidth in Use

Voice Statistics reports are only applicable for CAC/WMM clients.

Related Topics

Types of Reports for Access Points

Monitoring the Access Points Voice TSM Table

To access the Access Point Voice TSM Table report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box of the applicable access point.

Step 3  Choose Voice TSM Table from the Generate a report for selected APs drop-down list.

Step 4  Click Go.

The Voice Traffic Stream Metrics Table is generated for the selected access points and radio, organized by client device showing QoS status, PLR, and latency of its voice traffic stream.

Related Topics

Types of Reports for Access Points

Monitor > Wireless Technologies > Access Point Radios > Voice TSM Table

Monitoring the Access Points Voice TSM Reports

To access the access point Voice Traffic Stream Metrics Table report:

Step 1  Choose Monitor > Wireless Technologies > Access Point Radios.

Step 2  Select the check box of the applicable access point.

Step 3  Choose Voice TSM Reports from the Generate a report for selected APs drop-down list.

Step 4  Click Go.

The Voice Traffic Stream Metrics Table report displays a graphical representation of the Voice Traffic Stream Metrics Table except that metrics from the clients are averaged together on the graphs for the selected access point.

Related Topics

Types of Reports for Access Points

Monitor > Wireless Technologies > Access Point Radios > Voice TSM Reports

Monitoring Access Points 802.11 Counters

The 802.11 Counters report displays counters for access points at the MAC layer. Statistics such as error frames, fragment counts, RTS/CTS frame count, and retried frames are generated based on the filtering criteria and can help interpret performance (and problems, if any) at the MAC layer.

Related Topics

Types of Reports for Access Points

Managing Reports

Monitoring Access Points AP Profile Status

The AP Profile Status Report displays access point load, noise, interference, and coverage profile status.

Related Topics

Types of Reports for Access Points

Managing Reports

Monitoring Access Points Radio Utilization

The Radio Utilization Report displays the utilization trends of the access point radios based on the filtering criteria used when the report was generated. It helps to identify current network performance and capacity planning for future scalability needs.

Related Topics

Types of Reports for Access Points

Managing Reports

Monitoring Access Points Traffic Stream Metrics

The Traffic Stream Metrics Report is useful in determining the current and historical quality of service (QoS) for given clients at the radio level. It also displays uplink and downlink statistics such as packet loss rate, average queuing delay, distribution of delayed packets, and roaming delays.

Related Topics

Types of Reports for Access Points

Managing Reports

Monitoring Access Points Tx Power and Channel

The Tx Power and Channel report displays the channel plan assignment and transmit power level trends of devices based on the filtering criteria used when the report was generated. It can help identify unexpected behavior or issues with network performance.

The Current Tx Power Level setting controls the maximum conducted transmit power. The maximum available transmit power varies according to the configured channel, individual country regulation, and access point capability. See the Product Guide or data sheet at for each specific model to determine the access point capability.

The Current Tx Power Level setting of 1 represents the maximum conducted power setting for the access point. Each subsequent power level (for example, 2, 3, 4, and so on) represents approximately a 50% (or 3dBm) reduction in transmit power from the previous power level. The actual power reduction might vary slightly for different models of access points.

Based on the configured antenna gain, the configured channel, and the configured power level, the actual transmit power at the access point can be reduced so that the specific country regulations are not exceeded.

Irrespective of whether you choose Global or Custom assignment method, the actual conducted transmit power at the access point is verified such that country specific regulations are not exceeded.

The following command buttons are available to configure the transmission levels:

Save—Save the current settings.

Audit—Discover the present status of this access point.

Related Topics

Types of Reports for Access Points

Managing Reports

Monitoring VoIP Calls

VoIP Calls Report helps analyze wireless network usage from a voice perspective by providing details such as the number and duration of VoIP calls (per radio) on the network over time. To be able to gather useful data from this report, VoIP snooping must be enabled on the WLAN. This report displays information in a graph.

Click VoIP Calls Graph from the Report Launch Pad to open the VoIP Calls Graph Reports page. From this page, you can enable, disable, delete, or run currently saved report templates.

Related Topics

Types of Reports for Access Points

Managing Reports

Monitoring Voice Statistics

Voice Statistics report helps analyze wireless network usage from a voice perspective by providing details such as percentage of bandwidth used by voice clients, voice calls, roaming calls, and rejected calls (per radio) on the network.

To be able to gather useful data from this report, make sure Call Admission Control (CAC) is supported on voice clients.

Related Topics

Types of Reports for Access Points

Managing Reports

Monitoring Air Quality

To facilitate an easy understanding of where interference problems are impacting the network, Prime Infrastructure rolls up the detailed information into a high-level, easy-to-understand metric referred to as Air Quality (AQ). AQ is reported at a channel, floor, and system level and it supports AQ alerts, so that you can be automatically notified when AQ falls below a desired threshold.

Related Topics

Types of Reports for Access Points

Managing Reports

Monitoring Access Points Details

The Access Points Details page enables you to view access point information for a single AP.

Choose Monitor > Wireless Technologies > Access Point Radios and click the access point name in the AP Name column to access this page. Depending on the type of access point, the following tabs are displayed:

General Tab

The General tab fields differ between lightweight and autonomous access points.

For autonomous clients, Prime Infrastructure only collects client counts. The client counts in the Monitor page and reports have autonomous clients included. Client search, client traffic graphs, or other client reports (such as Unique Clients, Busiest Clients, Client Association) do not include clients from autonomous access points.

Interfaces Tab

CDP Neighbors Tab

This tab is visible only when CDP is enabled.

Current Associated Clients Tab

This tab is visible only when there are clients associated to the AP (CAPWAP or Autonomous AP).

SSID Tab

This tab is visible only when the access point is an Autonomous AP and there are SSIDs configured on the AP.

Clients Over Time Tab

This tab displays the following charts:

Client Count on AP—Displays the total number of clients currently associated with an access point over time.

Client Traffic on AP—Displays the traffic generated by the client connected in the AP distribution over time.

The information that appears in these charts is presented in a time-based graph. Time-based graphs have a link bar at the top of the graph page that displays 6h, 1d, 1w, 2w, 4w, 3m, 6m, 1y, and Custom.

When selected, the data for that time frame is retrieved and the corresponding graph is displayed.

Related Topics

Types of Reports for Access Points

Monitor > Wireless Technologies > Access Point Radios > General

Monitor > Wireless Technologies > Access Point Radios > Interfaces

Monitor > Wireless Technologies > Access Point Radios > CDP Neighbors

Monitor > Wireless Technologies > Access Point Radios > Current Associated Clients

Monitor > Wireless Technologies > Access Point Radios > SSID

Monitoring Rogue Access Points

A rogue device is an unknown access point or client that is detected by managed access points in your network. Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain-text or other denial of service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of clear-to-send (CTS) frames. This action mimics an access point informing a particular client to transmit and instructing all others to wait, which results in legitimate clients being unable to access network resources. Therefore, wireless LAN service providers have a strong interest in banning rogue access points from the air space.

Since rogue access points are inexpensive and readily available, employees sometimes plug unauthorized rogue access points into existing LANs and build ad-hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security as they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users frequently publish insecure access point locations, increasing the odds of having enterprise security breached.

Related Topics

Detecting Rogue Devices

Classifying Rogue Access Points

Monitoring Rogue AP Alarms

Monitoring Ad hoc Rogues

Searching Rogue Clients Using Advanced Search

Monitoring Rogue Access Point Location, Tagging, and Containment

Detecting Rogue Devices

Controllers continuously monitor all nearby access points and automatically discover and collect information on rogue access points and clients. When a controller discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network.

Prime Infrastructure consolidates all of the controllers' rogue access point data.

You can configure controllers to use RLDP on all access points or only on access points configured for monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a crowded RF space, allowing monitoring without creating unnecessary interference and without affecting regular data access point functionality. If you configure a controller to use RLDP on all access points, the controller always chooses the monitor access point for RLDP operation if a monitor access point and a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you can choose to either manually or automatically contain the detected rogue.

Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, Prime Infrastructure uses the detecting controller. If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition might be changed at any time.

Related Topics

Configuring Rogue Policies

Monitoring Rogue Access Points

Classifying Rogue Access Points

Monitoring Rogue AP Alarms

Monitoring Ad hoc Rogue Alarms

Classifying Rogue Access Points

Classification and reporting of rogue access points occurs through the use of rogue states and user-defined classification rules that enable rogues to automatically move between states. You can create rules that enable the controller to organize and display rogue access points as Friendly, Malicious, or Unclassified.

By default, none of the classification rules are enabled. Therefore, all unknown access points are categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points (friendly, malicious, and unclassified) in the Alert state only. Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.

The 5500 series controllers support up to 2000 rogues (including acknowledged rogues); the 4400 series controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch support up to 625 rogues; and the 2100 series controllers and Controller Network Module for Integrated Services Routers support up to 125 rogues. Each controller limits the number of rogue containments to three per radio (or six per radio for access points in monitor mode).

When the controller receives a rogue report from one of its managed access points, it responds as follows:

1. The controller verifies whether the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.

2. If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.

3. If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.

4. The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.

5. If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.

6. The controller repeats the previous steps for all rogue access points.

7. If RLDP determines that the rogue access point is on the network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can then manually contain the rogue (unless you have configured RLDP to automatically contain the rogue), which would change the rogue state to Contained. If the rogue access point is not on the network, the controller marks the rogue state as Alert, and you can manually contain the rogue.

8. If desired, you can manually move the access point to a different classification type and rogue state.

As mentioned previously, the controller can automatically change the classification type and rogue state of an unknown access point based on user-defined rules, or you can manually move the unknown access point to a different classification type and rogue state.

The following table shows the allowable classification types and rogue states from and to which an unknown access point can be configured.

Table 9-2 Allowable Classification Type and Rogue State Transitions

From                                           To
Friendly (Internal, External, Alert)           Malicious (Alert)
Friendly (Internal, External, Alert)           Unclassified (Alert)
Friendly (Alert)                               Friendly (Internal, External)
Malicious (Alert, Threat)                      Friendly (Internal, External)
Malicious (Contained, Contained Pending)       Malicious (Alert)
Unclassified (Alert, Threat)                   Friendly (Internal, External)
Unclassified (Contained, Contained Pending)    Unclassified (Alert)
Unclassified (Alert)                           Malicious (Alert)

If the rogue state is Contained, you have to uncontain the rogue access point before you can change the classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete the access point and allow the controller to reclassify it.
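
The classification order and the Table 9-2 transitions described above, modelled as an added Python example (not Cisco controller code) that can be used to sanity-check automation or audit a sequence of operator moves. The Rogue and Rule records, the rssi_dbm attribute, lower-number-first rule priority, stopping after a friendly-list match, and applying the RLDP result only to rogues still in the Alert state are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

FRIENDLY, MALICIOUS, UNCLASSIFIED = "Friendly", "Malicious", "Unclassified"

# Table 9-2 as (from type, from states, to type, to states).
ALLOWED_MOVES = [
    (FRIENDLY, {"Internal", "External", "Alert"}, MALICIOUS, {"Alert"}),
    (FRIENDLY, {"Internal", "External", "Alert"}, UNCLASSIFIED, {"Alert"}),
    (FRIENDLY, {"Alert"}, FRIENDLY, {"Internal", "External"}),
    (MALICIOUS, {"Alert", "Threat"}, FRIENDLY, {"Internal", "External"}),
    (MALICIOUS, {"Contained", "Contained Pending"}, MALICIOUS, {"Alert"}),
    (UNCLASSIFIED, {"Alert", "Threat"}, FRIENDLY, {"Internal", "External"}),
    (UNCLASSIFIED, {"Contained", "Contained Pending"}, UNCLASSIFIED, {"Alert"}),
    (UNCLASSIFIED, {"Alert"}, MALICIOUS, {"Alert"}),
]

# Step 3: combinations the controller does not reclassify automatically.
LOCKED = {(MALICIOUS, "Alert"), (FRIENDLY, "Internal"), (FRIENDLY, "External")}


@dataclass
class Rogue:
    mac: str
    rssi_dbm: int = -90        # assumed attribute, used only by the sample rule
    on_network: bool = False   # RLDP verdict: rogue is attached to your network
    cls: str = UNCLASSIFIED
    state: str = "Alert"


@dataclass
class Rule:
    priority: int                    # assumption: lower number is applied first
    cls: str                         # classification type the rule assigns
    match: Callable[[Rogue], bool]   # rule conditions, supplied by the caller


def auto_classify(rogue: Rogue, friendly_macs: Iterable[str], rules: List[Rule]) -> Rogue:
    """Model of the controller's response to a rogue report (steps 1-5 and 7)."""
    # Step 1: a hit in the friendly MAC address list classifies the AP as Friendly.
    if rogue.mac.lower() in {m.lower() for m in friendly_macs}:
        rogue.cls = FRIENDLY
        return rogue  # assumption: no further processing after a list match
    # Step 3: locked combinations are skipped; others change only in the Alert state.
    if (rogue.cls, rogue.state) not in LOCKED and rogue.state == "Alert":
        rogue.cls = UNCLASSIFIED  # step 5: result when no rule matches
        for rule in sorted(rules, key=lambda r: r.priority):  # step 4
            if rule.match(rogue):
                rogue.cls = rule.cls
                break
    # Step 7: an on-network RLDP result forces Malicious/Threat, even with no rules.
    # Assumption: rogues that are contained or manually set are left untouched.
    if rogue.state == "Alert" and rogue.on_network:
        rogue.cls, rogue.state = MALICIOUS, "Threat"
    return rogue


def manual_move_allowed(rogue: Rogue, to_cls: str, to_state: str) -> bool:
    """True if Table 9-2 lists a move from the rogue's current type/state."""
    return any(
        rogue.cls == fc and rogue.state in fs and to_cls == tc and to_state in ts
        for fc, fs, tc, ts in ALLOWED_MOVES
    )


def apply_manual_moves(rogue: Rogue, moves: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Apply operator moves in order; return the ones Table 9-2 does not allow."""
    rejected = []
    for to_cls, to_state in moves:
        if manual_move_allowed(rogue, to_cls, to_state):
            rogue.cls, rogue.state = to_cls, to_state
        else:
            rejected.append((to_cls, to_state))
    return rejected


if __name__ == "__main__":
    # Constructed sample: a contained malicious rogue the operator wants to trust.
    ap = Rogue("aa:bb:cc:00:00:10", cls=MALICIOUS, state="Contained")
    plan = [(FRIENDLY, "Internal"), (MALICIOUS, "Alert"), (FRIENDLY, "External")]
    print("rejected:", apply_manual_moves(ap, plan), "final:", ap.cls, ap.state)
```
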

Malicious Rogue APs

Malicious rogue access points are detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification.

The Security dashboard of the Prime Infrastructure home page displays the number of malicious rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active malicious rogue access points.

Malicious rogue access point states include:

Alert—Indicates that the access point is not on the neighbor list or part of the user-configured Friendly AP list.

Contained—The unknown access point is contained.

Threat—The unknown access point is found to be on the network and poses a threat to WLAN security.

Contained Pending—Indicates that the containment action is delayed due to unavailable resources.

Removed—This unknown access point was seen earlier but is not seen now.

Click an underlined number in any of the time period categories for detailed information regarding the malicious rogue access points.

Friendly Rogue APs

Friendly rogue access points are known, acknowledged or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained.

Only users can add a rogue access point MAC address to the Friendly AP list. Prime Infrastructure does not apply the Friendly AP MAC address to controllers.

The Security dashboard of the Prime Infrastructure home page displays the number of friendly rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active friendly rogue access points.

Friendly rogue access point states include the following:

Internal—If the unknown access point is inside the network and poses no threat to WLAN security, you would manually configure it as Friendly, Internal. For example, the access points in your lab network.

External—If the unknown access point is outside the network and poses no threat to WLAN security, you would manually configure it as Friendly, External. For example, the access points belonging to a neighboring coffee shop.

Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly AP list.

Click an underlined number in any of the time period categories for detailed information regarding the friendly rogue access points.

To delete a rogue access point from the Friendly AP list, ensure that both Prime Infrastructure and the controller remove the rogue access point from the Friendly AP list. Change the rogue access point from Friendly AP Internal or External to Unclassified or Malicious Alert.

Unclassified Rogue APs

A rogue access point is called unclassified if it is not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list.

The Security dashboard of the Prime Infrastructure home page displays the number of unclassified rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active unclassified rogue access points.

Unclassified rogue access point states include:

Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes. During this time, the managed access points determine if the unknown access point is a neighbor access point.

Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly AP list.

Contained—The unknown access point is contained.

Contained Pending—The unknown access point is marked Contained, but the action is delayed due to unavailable resources.

Click an underlined number in any of the time period categories for further information.

Related Topics

Monitoring Rogue Access Points

Detecting Rogue Devices

Monitoring Rogue AP Alarms

Rogue access point radios are unauthorized access points detected by one or more Cisco 1000 series lightweight access points. To open the Rogue AP Alarms page, do one of the following:

Search for rogue APs.

Navigate to Dashboard > Wireless > Security. This page displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.

Click the AP number link in the Alarm Summary.

If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use it to view additional alarms.

Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, Prime Infrastructure uses the detecting controller. If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition might be changed at any time.

When Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

Related Topics

Rogue AP Alarms Page

Alarm Severity Icons

Selecting Commands for Rogue AP Alarms

Viewing Rogue AP Alarm Details

Rogue access point radios are unauthorized access points detected by Cisco 1000 Series Lightweight APs. Alarm event details for each rogue access point are available in the Rogue AP Alarms list page.

To view alarm events for a rogue access point radio, select Monitor > Monitoring Tools > Alarms and Events, and click the arrow icon in a row to view the Rogue AP Alarm Details page.

All Alarm Details page fields (except No. of Rogue Clients) are populated through polling and are updated every two hours. The number of rogue clients is a real-time number and is updated each time you access the Alarm Details page for a rogue access point alarm.

When a controller (version 7.4 or 7.5) sends a custom rogue AP alarm, Prime Infrastructure shows it as an unclassified rogue alarm. This is because Prime Infrastructure does not support custom rogue AP alarms.

When Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

Related Topics

Monitoring Rogue Access Points

Monitoring Ad hoc Rogue Alarms

Viewing Ad hoc Rogue Alarm Details

Selecting Commands for Rogue AP Alarms

Viewing Rogue Client Details

You can view a list of rogue clients in several ways:

Perform a search for rogue clients using the Prime Infrastructure Search feature.

View the list of rogue clients for a specific rogue access point from the Alarm Details page for the applicable rogue access point. Click the Rogue MAC address for the applicable rogue client to view the Rogue Client details page.

In the Alarms Details page of a rogue access point, choose Rogue Clients from the Select a command drop-down list.

The Rogue Clients page displays the Client MAC address, when it was last heard, its current status, its controller, and the associated rogue access point.

Rogue client statuses include: Contained (the controller contains the offending device so that its signals no longer interfere with authorized clients); Alert (the controller forwards an immediate alert to the system administrator for further action); and Threat (the rogue is a known threat). The higher the threat of the rogue access point, the higher the containment required.

Click the Client MAC Address for the rogue client to view the Rogue Client details page. T

Related Topics

Monitoring Rogue Access Points

Monitoring Rogue AP Alarms

Monitoring Ad hoc Rogue Alarms

Monitoring Ad hoc Rogue Events

Viewing Ad hoc Rogue Alarm Details

Selecting Commands for Rogue AP Alarms

Viewing Rogue AP History Details

To view the history of rogue AP alarms, click the Rogue AP History link in the Rogue AP Alarm page.

Click the Rogue MAC address to view the specific rogue AP history details page.

Related Topics

Rogue AP History Details Page

Rogue AP Event History Details Page

Viewing Rogue AP Event History Details

To view the event details of a rogue AP, click the Event History link in the Rogue AP Alarm page.

Related Topics

Monitoring Rogue Access Points

Monitoring Rogue AP Alarms

Monitoring Ad hoc Rogue Alarms

Monitoring Rogue Alarm Events

Rogue AP History Details Page

Rogue AP Event History Details Page

Monitoring Ad hoc Rogues

If the MAC address of a mobile client operating in an ad hoc network is not in the authorized MAC address list, then it is identified as an ad hoc rogue.

Related Topics

Viewing Rogue AP Alarm Details

Viewing Rogue Client Details

Viewing Rogue AP History Details

Monitoring Ad hoc Rogue Alarms

Viewing Ad hoc Rogue Alarm Details

Monitoring Ad hoc Rogue Alarms

The Adhoc Rogue Alarms page displays alarm events for ad hoc rogues. To access the Adhoc Rogue Alarms page, do one of the following:

Perform a search for ad hoc rogue alarms.

Navigate to Dashboard > Wireless > Security. This page displays all the ad hoc rogues detected in the past hour and the past 24 hours. Click the ad hoc rogue number to view the ad hoc rogue alarms.

If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use this to view additional alarms.

When Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

Related Topics

Viewing Rogue AP History Details

Viewing Ad hoc Rogue Alarm Details

Selecting Commands for Rogue AP Alarms

Viewing Ad hoc Rogue Alarm Details

Alarm event details for each ad hoc rogue are available on the Adhoc Rogue Alarms page. Rogue access point radios are unauthorized access points detected by Cisco 1000 Series Lightweight APs.

To view alarm events for an ad hoc rogue radio, click the applicable Rogue MAC address in the Adhoc Rogue Alarms page.

When Prime Infrastructure polls, some data might change or get updated. Hence some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

Alarms will not be triggered if a rogue is discovered using switch port tracing as switch port tracing does not update any of the rogue attributes such as severity, state, and so on.

Related Topics

Searching Rogue Clients Using Advanced Search

Viewing Ad hoc Rogue Alarm Details

Selecting Commands for Rogue AP Alarms

Searching Rogue Clients Using Advanced Search

When the access points on your WLAN are powered up and associated with controllers, Prime Infrastructure immediately starts listening for rogue access points. When a controller detects a rogue access point, it immediately notifies Prime Infrastructure, which creates a rogue access point alarm.

To find rogue access point alarms using Advanced Search, follow these steps:

Step 1  Click Advanced Search in the top right-hand corner of the Prime Infrastructure main page.

Step 2  Choose Rogue Client from the Search Category drop-down list.

You can filter the search even further with the other search criteria if desired.

Step 3  Click Search. The list of rogue clients appears.

Step 4  Choose a rogue client by clicking a client MAC address. The Rogue Client detail page appears.

Step 5  To modify the alarm, choose one of these commands from the Select a Command drop-down list, and click Go.

Set State to ‘Unknown-Alert’—Tags the ad hoc rogue as the lowest threat, continues to monitor the ad hoc rogue, and turns off containment.

1 AP Containment through 4 AP Containment—Indicates the number of access points (1-4) in the vicinity of the rogue unit that send deauthenticate and disassociate messages to the client devices that are associated to the rogue unit.

Map (High Resolution)—Displays the current calculated rogue location in the Maps > Building Name > Floor Name page.

Location History—Displays the history of the rogue client location based on RF fingerprinting. The client must be detected by an MSE for the location history to appear.

Related Topics

Viewing Rogue AP Alarm Details

Monitoring Rogue Access Point Location, Tagging, and Containment

Monitoring Rogue Access Point Location, Tagging, and Containment

Prime Infrastructure generates the flags as rogue access point traps and displays the known rogue access points by MAC address Cisco Unified Network Solution is monitoring it.

The operator displays a map showing the location of the access points closest to each rogue access point.

These access points are classified as:

Known or Acknowledged rogue access points (no further action)

Alert rogue access points (watch for and notify when active)

Contained rogue access points

This built-in detection, tagging, monitoring, and containment capability enables system administrators to take appropriate action:

Locate rogue access points.

Receive new rogue access point notifications, eliminating hallway scans.

Monitor unknown rogue access points until they are eliminated or acknowledged.

Determine the closest authorized access point, making directed scans faster and more effective.

Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four access points. This containment can be done for individual rogue access points by MAC address or can be mandated for all rogue access points connected to the enterprise subnet.

Tag rogue access points:

Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or WLAN security

Accept rogue access points when they do not compromise the LAN or WLAN security

Tag rogue access points as unknown until they are eliminated or acknowledged

Tag rogue access points as contained and discourage clients from associating with the rogue access points by having between one and four access points transmit deauthenticate and disassociate messages to all rogue access point clients. This function applies to all active channels on the same rogue access point.

Related Topics

Detecting Access Points

Monitoring Rogue Alarm Events

Detecting Access Points

Use the Detecting Access Points feature to view information about the Cisco Lightweight APs that are detecting a rogue access point.

To access the Rogue AP Alarms details page, follow these steps:

Step 1  To display the Rogue AP Alarms page, do one of the following:

Perform a search for rogue APs.

Navigate to Dashboard > Wireless > Security. This dashboard displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.

Click the Malicious AP number link in the Alarm Summary box.

Step 2  In the Rogue AP Alarms page, click the Rogue MAC Address for the applicable rogue access point. The Rogue AP Alarms details page appears.

Step 3  From the Select a command drop-down list, choose Detecting APs.

Step 4  Click Go.

Click a list item to display data about that item.

Related Topics

Monitoring Rogue Access Point Location, Tagging, and Containment

Monitoring Rogue Alarm Events

Monitoring Rogue Alarm Events

The Events page enables you to review information about rogue alarm events. Prime Infrastructure generates an event when a rogue access point is detected or if you make manual changes to a rogue access point (such as changing its state). The Rogue AP Events list page displays all rogue access point events.

To access the Rogue AP Events list page, follow these steps:

Step 1  Do one of the following:

Perform a search for rogue access point events using the Advanced Search feature of Prime Infrastructure.

In the Rogue AP Alarms details page, click the Event History link.

Related Topics

Detecting Access Points

Viewing Rogue AP Event Details

Rogue AP Event History Details Page

Viewing Rogue AP Event Details

To view rogue access point event details, in the Rogue AP Events list page, click the Rogue MAC Address link.

Related Topics

Monitoring Rogue Alarm Events

Monitoring Ad hoc Rogue Events

Rogue AP Event History Details Page

Selecting Commands for Rogue AP Alarms

Monitoring Ad hoc Rogue Events

The Events page enables you to review information about ad hoc rogue events. Prime Infrastructure generates an event when an ad hoc rogue is detected or if you make manual changes to an ad hoc rogue (such as changing its state). The Adhoc Rogue Events list page displays all ad hoc rogue events.

To access the Rogue AP Events list page, either perform a search for ad hoc rogues events using the Advanced Search feature of Prime Infrastructure or in the Adhoc Rogue Alarms details page, click Event History from the Select a Command drop-down list.

Related Topics

Viewing Rogue AP Event Details

Viewing Ad hoc Rogue Event Details

Monitoring Ad hoc Rogues

Viewing Ad hoc Rogue Event Details

To view rogue access point event details, in the Rogue AP Events list page, click the Rogue MAC Address link.

Related Topics

Viewing Rogue AP Event Details

Monitoring Ad hoc Rogue Events

Rogue AP Event History Details Page

Troubleshooting Unjoined Access Points

When a lightweight access point initially starts up, it attempts to discover and join a WLAN controller.

After joining the wireless controller, the access point updates its software image if needed and receives all the configuration details for the device and network. After successfully joining the wireless controller, the access point can be discovered and managed by Prime Infrastructure. Until the access point successfully joins a wireless controller, it cannot be managed by Prime Infrastructure and does not contain the proper configuration settings to allow client access.

Prime Infrastructure provides you with a tool that diagnoses why an access point cannot join a controller and lists corrective actions.

The Unjoined AP page displays a list of access points that have not joined any wireless controllers. All gathered information about the unjoined access point is included in the page. This includes name, MAC address, IP address, controller name and IP address, switch and port that the access point is attached to, and any join failure reason if known.

To troubleshoot unjoined access points, do the following:

Step 1  Choose Monitor > Wireless Technologies > Unjoined Access Points. The Unjoined APs page appears, containing a list of access points that have not been able to join a wireless controller.

Step 2  Select the access point that you wish to diagnose, then click Troubleshoot.

An analysis is run on the access point to determine the reason why the access point was not able to join a wireless controller. After performing the analysis, the Unjoined APs page displays the results. In the middle pane, you can view what the problem is. It also lists error messages and controller log information.

Step 3  Select a controller.

If the access point has tried to join multiple wireless controllers and has been unsuccessful, the controllers are listed in the left pane.

Step 4  Perform one of the recommended actions from the list of recommendations for solving the problems listed in the right pane.

Step 5  Run RTTS through the Unjoined AP page to further diagnose a problem. This allows you to see the debug messages from all the wireless controllers that the access point tried to join at one time.

To run RTTS, click the RTTS icon located to the right of the table. The debug messages appear in the table. You can then examine the messages to see if you can determine a cause for the access point not being able to join the controllers.

Related Topics

Monitoring Rogue Access Points

Monitoring Ad hoc Rogues

Monitoring Spectrum Experts

A Spectrum Expert client acts as a remote interference sensor and sends dynamic interference data to Prime Infrastructure. This feature allows Prime Infrastructure to collect, archive and monitor detailed interferer and air quality data from Spectrum Experts in the network.

To access the Monitor Spectrum Experts page, follow these steps:

Step 1  Choose Services > Mobility Services > Spectrum Experts.

From the left sidebar menu, you can access the Spectrum Experts Summary page.

Related Topics

Field Reference guide for Spectrum Experts Summary

Field Reference guide for Interferer’s Summary

Field Reference guide for Spectrum Experts Details

Searching Interferers

Monitoring WiFi TDOA Receivers

The WiFi TDOA receiver is an external system designed to receive signals transmitted from a tagged, tracked asset. These signals are then forwarded to the mobility services engine to aid in the location calculation of the asset.

To view WiFi TDOA receiver information:

Step 1  Choose Monitor > Wireless Technologies > WiFi TDOA Receivers.

Related Topics

Searching WiFi TDOA Receivers

Searching WiFi TDOA Receivers

To refine the search criteria for WiFi TDOA receivers:

Step 1  Click Advanced Search in the Prime Infrastructure user interface.

Step 2  Choose WiFi TDOA Receiver from the Search Category drop-down list.

To initiate a search for a Wi-Fi TDOA receiver by its MAC address, choose MAC Address from the Search drop-down list and enter the MAC address of the Wi-Fi TDOA receiver in the available text box, and click Search.

To initiate a search for a Wi-Fi TDOA receiver by its name, choose WiFi TDOA Receivers from the Search by drop-down list and enter the name of the Wi-Fi TDOA receiver in the available text box, and click Search.

Related Topics

Monitoring WiFi TDOA Receivers

Monitoring Media Streams

To view all the media streams configured across controllers:

Step 1  Choose Monitor > Wireless Technologies > Media Streams.

Related Topics

Viewing Media Stream Details

Viewing Media Stream Details

To view media stream details:

Step 1  Choose Monitor > Wireless Technologies > Media Streams.

Step 2  Click the Stream Name link.

Related Topics

Monitoring Media Streams

Monitoring WiFi TDOA Receivers

Radio Resource Management

Radio Resource Management (RRM), built into the Cisco Unified Wireless Network, monitors and dynamically corrects performance issues found in the RF environment. Prime Infrastructure receives traps whenever a change in the transmit power of the access point or in the channel occurs. These trap events, and similar events such as RF regrouping, are logged into Prime Infrastructure and are maintained by the event dispatcher.

RRM automatically detects and configures new controllers and lightweight access points as they are added to the network. It automatically adjusts associated and nearby lightweight access points to optimize coverage and capacity. Lightweight access points can simultaneously scan all valid 802.11b/g channels for the country of operation as well as for channels available in other locations. The access points go off-channel for a period not greater than 60 ms to monitor these channels for noise and interference. Packets collected during this time are analyzed to detect rogue access points, rogue clients, ad-hoc clients, and interfering access points.

The following notifications are sent to RRM dashboard:

Channel change notifications are sent when a channel change occurs. Channel change depends on the Dynamic Channel Assignment (DCA) configuration.

Transmission power change notifications are sent when transmission power changes occur. The reason code is factored and equated to one irrespective of the number of reasons for the event to occur.

RF grouping notifications are sent when there is an RF grouping content change and automatic grouping is enabled.

Related Topics

Viewing the RRM Dashboard

Viewing the RRM Dashboard

To view the RRM dashboard information:

Step 1  Choose Monitor > Wireless Technologies > Radio Resource Management.

Related Topics

Radio Resource Management

Monitoring Access Point Alarms

To monitor the Access Point (AP) alarms on your network:

Step 1  Perform an advanced search for AP alarms.

The Search Results page contains the following information for AP alarms. You can select the check box next to the alarm and modify the required fields in the Alarm Browser toolbar.

Severity

Failure Source

Owner

Time

Message

Category

Condition

Acknowledged

Step 2  Select the check box next to the alarm and modify the required fields in the Alarm Browser toolbar.

Monitoring Air Quality Alarms

To monitor air quality alarms on your network:

Step 1  Perform an advanced search for Performance alarms.

The Search Results page contains the following information for air quality alarms.

Severity

Failure Source

Owner

Time

Message

Category

Condition

Acknowledged

Step 2  Select the check box next to the alarm and modify the required fields in the Alarm Browser toolbar.

Monitoring CleanAir Security Alarms

To monitor CleanAir security alarms:

Step 1  Perform an advanced search for Security alarms.

The Search Results page contains the following information for CleanAir Security alarms.

Severity

Failure Source

Owner

Date/Time

Message

Acknowledged

Step 2  Select the check box next to the alarm and modify the required fields in the Alarm Browser toolbar.

Monitoring Cisco Adaptive wIPS Alarms

Alarms from Cisco Adaptive wIPS DoS (denial of service) and security penetration attacks are classified as security alarms.

To view a list of wIPS DoS and security penetration attack alarms:

Step 1  Perform an advanced search for wIPS DoS alarms.

The Search Results page contains the following information.

Severity

Failure Object

Date/Time

Message

Acknowledged

Category

Condition

When there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use this to view additional alarms.

Step 2  Select the check box next to the alarm and modify the required fields in the Alarm Browser toolbar.

Monitoring Cisco Adaptive wIPS Alarm Details

To monitor Cisco Adaptive wIPS alarm details:

Choose Monitor > Monitoring Tools > Alarms and Events > failure object to view details of the selected Cisco wIPS alarm. The following Alarm details are provided for Cisco Adaptive wIPS alarms:

General

Detected By wIPS AP—The access point that detected the alarm.

wIPS AP IP Address—The IP address of the wIPS access point.

Owner—Name of person to which this alarm is assigned or left blank.

Acknowledged—Displays whether or not the alarm is acknowledged by the user.

Category—For wIPS, the alarm category is Security.

Created—Month, day, year, hour, minute, second, AM or PM that the alarm was created.

Modified—Month, day, year, hour, minute, second, AM or PM that the alarm was last modified.

Generated By—Indicates how the alarm event was generated (either NMS or from a trap).

NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events.

Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them.


Severity—Level of severity including critical, major, info, warning, and clear.

Last Disappeared—The date and time that the potential attack last disappeared.

Channel—The channel on which the potential attack occurred.

Attacker Client/AP MAC—The MAC address of the client or access point that initiated the attack.

Attacker Client/AP IP Address—The IP address of the client or access point that initiated the attack.

Target Client/AP IP Address—The IP address of the client or access point targeted by the attacker.

Controller IP Address—The IP address of the controller to which the access point is associated.

MSE—The IP address of the associated mobility services engine.

Controller MAC address—The MAC address of the controller to which the access point is associated.

wIPS access point MAC address

Forensic File

Event History—Takes you to the Monitoring Alarms page to view all events for this alarm.

Annotations—Displays any annotations that you have entered.

Messages—Displays information about the alarm.

Audit Report—Click to view configuration audit alarm details. This report is only available for Configuration Audit alarms.

Configuration audit alarms are generated when audit discrepancies are enforced on configuration groups.

Rogue Clients—If the failure object is a rogue access point, information about rogue clients is displayed.

Related Topics

Monitoring Cisco Adaptive wIPS Alarms

Monitoring Failure Objects

To monitor failure objects, follow these steps:

Step 1

Choose Monitor > Monitoring Tools > Alarms and Events, then click the Events tab.

Step 2

Click the expand icon to the left of the Description column. Depending on the type of event you selected, the associated details vary.

General Info

Failure Source—Indicates the source of the event (including name and/or MAC address).

Category—Type of alarm such as Security or AP.

Generated—Date and time that the event was generated.

Generated By—Indicates how the alarm event was generated (either NMS or from a trap).


NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events.

Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them.

Device IP Address—IP address of the alarm-generating device.

Severity—Level of severity including critical, major, info, warning, and clear.

Messages—Message explaining why the event occurred.

Monitoring Events for Rogue Access Points

To monitor events for rogue access points:

Step 1

Choose Monitor > Monitoring Tools > Alarms and Events, then click the Events tab.

Step 2

Use the Quick Filter or Advanced Filter feature to monitor the Rogue APs.

Step 3

Click the expand icon to view alarm events for a rogue access point radio.

The following fields appear:

General

Rogue MAC Address

Vendor

On Network—Indicates how the rogue detection occurred.

Controller—The controller detected the rogue (Yes or No).

Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.

Owner—Name of person to which this alarm is assigned, or (blank).

State—State of this radio relative to the network or Port. Rogue access point radios appear as “Alert” when first scanned by the Port, or as “Pending” when operating system identification is still underway.

SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)

Containment Level—An access point which is being contained is either unable to provide service at all, or provides exceedingly slow service. There is a level associated with the containment activity which indicates how many Cisco 1000 series lightweight access points to use in containing the threat. This service must be initiated and halted by the administrator. Containment Type - Contained if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status, otherwise Unassigned.

Channel—Indicates the band at which the ad hoc rogue is broadcasting.

Radio Type—Lists all radio types applicable to this rogue access point.

Created—Date and time that the event occurred.

Generated By—Indicates how the alarm event was generated (either NMS or from a trap).


NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events.

Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them.

Device IP Address—IP address of the alarm-generating device.

Severity—Level of severity: Critical, Major, Minor, Warning, Clear, or Info.

Message—Displays descriptive information about the alarm.

Help—Displays information about the alarm.

Related Topics

Monitoring Rogue Access Points

Monitoring Events for Ad hoc Rogues

To monitor events for ad hoc rogues:

Step 1

Choose Monitor > Monitoring Tools > Alarms and Events, then click the Events tab.

Step 2

Use the Quick Filter or Advanced Filter feature to monitor the events for Ad hoc Rogue APs.

Step 3

Click the expand icon to view alarm events for an ad hoc rogue access point. The following fields are displayed:

General

Rogue MAC Address

Vendor

On Network—Indicates how the rogue detection occurred.

Controller—The controller detected the rogue (Yes or No).

Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.

Owner—Name of person to which this alarm is assigned, or (blank).

State—State of this radio relative to the network or Port. Rogue access point radios appear as “Alert” when first scanned by the Port, or as “Pending” when operating system identification is still underway.

SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)

Containment Level—An access point which is being contained is either unable to provide service at all, or provides exceedingly slow service. There is a level associated with the containment activity which indicates how many Cisco 1000 series lightweight access points to use in containing the threat. This service must be initiated and halted by the administrator. Containment Type - Contained if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status, otherwise Unassigned.


Step 4

Channel—Indicates the band at which the ad hoc rogue is broadcasting.

Created—Date and time that the event occurred.

Generated By—Indicates how the alarm event was generated (either NMS or from a trap).

NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events.

Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them.

Device IP Address—IP address of the alarm-generating device.

Severity—Level of severity: Critical, Major, Minor, Warning, Clear, or Info.

Message—Displays descriptive information about the alarm.

Help—Displays information about the alarm.

Related Topics

Monitoring Rogue Access Points

Monitoring Cisco Adaptive wIPS Events

To monitor Cisco adaptive wIPS events:

Step 1

Choose Monitor > Monitoring Tools > Alarms and Events, then click the Events tab.

Step 2

Use the Quick Filter or Advanced Filter feature to narrow down the search results to monitor wIPS events. One or more events might generate an abnormal state or alarm. The alarm can be cleared, but the event remains.

Monitoring CleanAir Air Quality Events

To view the events generated on CleanAir air quality of the wireless network:

Step 1

Perform an advanced search for Performance event.

The Search Results page contains the following CleanAir air quality events information:

Severity—Indicates the severity of the alarm.

Failure Source—Device that generated the alarm.

Date/Time—The time at which the alarm was generated.

Related Topics

Viewing Air Quality Event Details


Viewing Air Quality Event Details

To view air quality event details:

Step 1

From the Air Quality Events page, click an expand icon adjacent to Severity column to access the alarm details page.

Step 2

The air quality event page displays the following information:

Failure Source—Device that generated the alarm.

Category—The category this event comes under. In this case, Performance.

Created—The time stamp at which the event was generated.

Generated by—The device that generated the event.

Device IP Address—The IP address of the device that generated the event.

Severity—The severity of the event.

Alarm Details—A link to the related alarms associated with this event. Click the link to learn more about the alarm details.

Message—Describes the air quality index on this access point.

Monitoring Interferer Security Risk Events

To monitor interferer security risk events:

Step 1

To view the security risk event generated on your wireless network, perform an advanced search for Security event.

The Search Results page contains the following interferer security events information:

Severity—Indicates the severity of the alarm.

Failure Source—Device that generated the alarm.

Date/Time—The time at which the alarm was generated.

Related Topics

Viewing Interferer Security Risk Event Details

Viewing Interferer Security Risk Event Details

To view interferer security event details:

Step 1

In the Interferer Security Event details page, click an expand icon adjacent to Severity column to access the alarm details page.

Step 2

The air quality event page displays the following information:

Failure Source—Device that generated the alarm.

Category—The category this event comes under. In this case, Security.


Created—The time stamp at which the event was generated.

Generated by—The device that generated the event.

Device IP Address—The IP address of the device that generated the event.

Severity—The severity of the event.

Alarm Details—A link to the related alarms associated with this event. Click the link to learn more about the alarm details.

Message—Describes the interferer device affecting the access point.

Related Topics

Monitoring Interferer Security Risk Events

Monitoring Health Monitor Events

To view the health monitor events:

Step 1

Perform an advanced search for Prime Infrastructure event.

The Search Results page contains the following health monitor events related information:

Severity—Indicates the severity of the alarm.

Failure Source—Device that generated the alarm.

Date/Time—The time at which the alarm was generated.

Message—Describes the health details.

Related Topics

Viewing Health Monitor Event Details

Viewing Health Monitor Event Details

To view health monitor event details:

Step 1

In the Health Monitor Events page, click an expand icon adjacent to Severity column to access the alarm details page.

Step 2

The Health Monitor Events page displays the following information:

Failure Source—Device that generated the alarm.

Category—The category this event comes under.

Created—The time stamp at which the event was generated.

Generated by—The device that generated the event.

Device IP Address—The IP address of the device that generated the event.

Severity—The severity of the event.


Alarm Details—A link to the related alarms associated with this event. Click the link to learn more about the alarm details.

Message—Describes the event through a message.

Related Topics

Monitoring Health Monitor Events


Chapter 10

Creating Monitoring Policies and Thresholds

Prime Infrastructure uses monitoring policies to monitor devices against the thresholds you specify.

When the thresholds that you specify are reached, Prime Infrastructure issues an alarm. The alarms warn you of changing conditions before the issues impact operations.

By default, Prime Infrastructure polls:

Device health metrics on supported routers, switches and hubs. Storage devices and UCS series devices are not monitored by the default health policy. See Modifying Default Monitoring Policies.

Port group health metrics.

Interface health metrics on WAN interface groups, AVC, and UCS.

Note

Prime Infrastructure uses monitoring policies only for Wired devices.

You can also enable other Prime Infrastructure monitoring policies or create a custom MIB polling policy (see Monitoring Third-Party Devices By Polling MIBs).

Default Monitoring Policies

Prime Infrastructure polls SNMP objects to gather monitoring information for the following health monitoring policies under Monitor > Monitoring Tools > Monitoring Policies > Automonitoring:

Device Parameters—Table 10-1 describes the device health parameters that are polled.

Interface Parameters—Table 10-2 describes the interface parameters that are polled for:

Trunk and Link Ports

WAN Interfaces

For the following monitoring policies that provide assurance information, data is collected through NetFlow or NAMs:

Application Response Time

NAM Health

Traffic Analysis

Voice Video Data

Voice Video Signaling


Table 10-1 Device Parameter Automonitoring Metrics

| Metric | Devices Polled | MIB | MIB Objects Included |
|---|---|---|---|
| Device Availability | All SNMP devices | SNMPv2-MIB | sysUpTime |
| CPU Utilization | Cisco IOS devices, All Supported Nexus devices, Cisco UCS devices | CISCO-PROCESS-MIB | cpmCPUTotalPhysicalIndex, cpmCPUTotal1minRev |
| Memory Pool Utilization | Cisco IOS devices, ISR devices | CISCO-MEMORY-POOL-MIB | ciscoMemoryPoolName, ciscoMemoryPoolType, ciscoMemoryPoolUsed, ciscoMemoryPoolFree |
| | All supported Cisco Nexus devices, Cisco UCS devices and Cisco IOS XE devices | CISCO-PROCESS-MIB | cpmCPUTotalIndex, cpmCPUMemoryUsed, cpmCPUMemoryFree |
| | Cisco ASA devices, IOS XR and Edison devices | CISCO-ENHANCED-MEMPOOL-MIB | cempMemPoolType, cempMemPoolName, cempMemPoolUsed, cempMemPoolFree |
| | Cisco IOS ASR devices | CISCO-ENTITY-QFP-MIB | ceqfpMemoryResType, ceqfpMemoryResInUse, ceqfpMemoryResFree |
| Environment Temp¹ | ASR, All Supported Nexus devices, Cisco UCS devices | CISCO-ENVMON-MIB | entSensorValue |
| | Catalyst 2000, 3000, 4000, 6000, ISR | CISCO-ENVMON-MIB | ciscoEnvMonTemperatureStatusValue |

¹ For stacked switch devices, the Environment Temp displays the temperature of each stacked instance.


Table 10-2 Interface Parameter Automonitoring Metrics

Metric

Interface Availability

Devices Polled

Cisco IOS devices, All

Supported Nexus devices

MIB

IF-MIB

Input Utilization Cisco IOS devices

Output Utilization Cisco IOS devices

Percent Drop per QoS Class

Cisco IOS devices

IF-MIB,

Old-CISCO-Interface-MIB

IF-MIB,

Old-CISCO-Interface-MIB

IF-MIB,

Old-CISCO-Interface-MIB

MIB Objects Included

ifOperStatus ifOutOctets ifHighSpeed ifInOctets ifInErrors ifOutErrors ifInDiscards ifOutDiscards ifHCInBroadcastPkts, ifHCInMulticastPkts, ifInErrors, ifInDiscards, ifInUnknownProtos ifHCInBroadcastPkts, ifHCInMulticastPkts ifHCInBroadcastPkts, ifHCInMulticastPkts, ifHCInUcastPkts, ifInDiscards, ifInUnknownProtos, locIfInputQueueDrops ifHCOutBroadcastPkts, ifHCOutMulticastPkts, ifHCOutUcastPkts, ifOutDiscards, ifOutUnknownProtos, locIfOutputQueueDrops

Table 10-3 Class-Based, QoS, Health-Monitoring Metrics

| Metric | Devices Polled | MIB | MIB Objects Included |
|---|---|---|---|
| QOS calculation | Cisco IOS devices | CISCO-CLASS-BASED-QOS-MIB | cbQosCMDropByte64, cbQosCMPostPolicyByte64, cbQosCMPrePolicyByte64 |
| Interface Inbound Errors | Cisco IOS devices | IF-MIB | ifInErrors |
| Interface Outbound Errors | Cisco IOS devices | IF-MIB | ifOutErrors |
| Interface Inbound Discards | Cisco IOS devices | IF-MIB | ifInDiscards |
| Interface Outbound Discards | Cisco IOS devices | IF-MIB | ifOutDiscards |


Modifying Default Monitoring Policies

Prime Infrastructure monitoring policies monitor network device metrics and alert you to changing conditions before the issues impact their operation. By default, Prime Infrastructure polls device health metrics on supported routers, switches and hubs only, and interface health metrics on WAN interface groups. Storage devices and UCS series devices are not polled. If a threshold is violated three times, Prime Infrastructure generates a critical alarm, which is displayed on the Monitor > Monitoring Tools > Alarms and Events page.

To modify or disable the polling frequency and the threshold parameters, follow these steps:

Step 1

Choose Monitor > Monitoring Tools > Monitoring Policies > Automonitoring.

Step 2

Select Device Health, then modify the polling frequencies and thresholds as desired.

Step 3

Click:

Save and Activate to save and activate the policy immediately on the selected devices.

Save and Close to save the policy and activate it at a later time.

Creating New Monitoring Policies

Prime Infrastructure monitoring policies monitor network device metrics and alert you of changing conditions before the issues impact their operation.

To create a new monitoring policy, follow these steps:

Step 1

Choose Monitor > Monitoring Tools > Monitoring Policies > My Policies.

Step 2

Click Add.

Step 3

Select a monitoring policy from the Policy Types left sidebar menu.

Step 4

Enter a name for the new policy.

Step 5

Under Parameters and Thresholds, specify the threshold values for which you want Prime Infrastructure to issue an alarm when they are reached.

Note

For Wireless AP policy type, a maximum of 10 APs are allowed for selection.

Step 6

Click:

Save and Activate to save and activate the policy immediately on the selected devices.

Save and Close to save the policy and activate it at a later time.

GETVPN Monitoring Policies

For the GETVPN policy type, Prime Infrastructure uses metrics described in Table 10-5.


Table 10-4 Monitor > Monitoring Tools > Monitoring Policies > GETVPN Metrics

GETVPN Monitoring Parameters

Group Name, Group ID, Group ID Type, Group ID Length, Key Server ID, Group Member ID, Device Type, Device ID, Device ID Type, Device ID length, Registered Key Server ID, Registered Key Server ID Type, Registered Key Server ID Length, Active KEK, Rekeys Count, KEK Index, KEK SPI, KEK Source ID, KEK Source ID Type, KEK Source ID Length, KEK Destination ID, KEK Destination ID Type, KEK Destination ID Length, KEK Original Lifetime, KEK Remaining Lifetime, TEK Selector Index, TEK Source ID, TEK Source ID Type, TEK Source ID Length, TEK Destination ID, TEK Destination ID Type, TEK Destination ID Length, TEK Policy Index, TEK SPI, TEK Original Lifetime, TEK Remaining Lifetime, TEK Window Size

| MIB | MIB Table | MIB Objects Included |
|---|---|---|
| CISCO-GDOI-MIB | cgmGdoiGroupTable | cgmGdoiGroupName, cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiGroupIdLength |
| CISCO-GDOI-MIB | cgmGdoiKeyServerTable | cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiKeyServerIdValue, cgmGdoiKeyServerIdType, cgmGdoiKeyServerIdLength, cgmGdoiKeyServerActiveKEK, cgmGdoiKeyServerRekeysPushed |
| CISCO-GDOI-MIB | cgmGdoiKsKekTable | cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiKeyServerIdValue, cgmGdoiKeyServerIdType, cgmGdoiKsKekIndex, cgmGdoiKsKekSPI, cgmGdoiKsKekSrcIdValue, cgmGdoiKsKekSrcIdType, cgmGdoiKsKekSrcIdLength, cgmGdoiKsKekDstIdValue, cgmGdoiKsKekDstIdType, cgmGdoiKsKekDstIdLength, cgmGdoiKsKekOriginalLifetime, cgmGdoiKsKekRemainingLifetime |
| CISCO-GDOI-MIB | cgmGdoiKsTekSelectorTable | cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiKeyServerIdValue, cgmGdoiKeyServerIdType, cgmGdoiKsTekSelectorIndex, cgmGdoiKsTekSrcIdValue, cgmGdoiKsTekSrcIdType, cgmGdoiKsTekSrcIdLength, cgmGdoiKsTekDstIdValue, cgmGdoiKsTekDstIdType, cgmGdoiKsTekDstIdLength |
| CISCO-GDOI-MIB | cgmGdoiKsTekPolicyTable | cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiKeyServerIdValue, cgmGdoiKeyServerIdType, cgmGdoiKsTekPolicyIndex, cgmGdoiKsTekSPI, cgmGdoiKsTekOriginalLifetime, cgmGdoiKsTekRemainingLifetime, cgmGdoiKsTekWindowSize |
| CISCO-GDOI-MIB | cgmGdoiGmTable | cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiGmIdValue, cgmGdoiGmIdType, cgmGdoiGmIdLength, cgmGdoiGmRegKeyServerIdValue, cgmGdoiGmRegKeyServerIdType, cgmGdoiGmRegKeyServerIdLength, cgmGdoiGmActiveKEK, cgmGdoiGmRekeysReceived |
| CISCO-GDOI-MIB | cgmGdoiGmKekTable | cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiGmIdValue, cgmGdoiGmIdType, cgmGdoiGmKekIndex, cgmGdoiGmKekSPI, cgmGdoiGmKekSrcIdValue, cgmGdoiGmKekSrcIdType, cgmGdoiGmKekSrcIdLength, cgmGdoiGmKekDstIdValue, cgmGdoiGmKekDstIdType, cgmGdoiGmKekDstIdLength, cgmGdoiGmKekOriginalLifetime, cgmGdoiGmKekRemainingLifetime |
| CISCO-GDOI-MIB | cgmGdoiGmTekSelectorTable | cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiGmIdValue, cgmGdoiGmIdType, cgmGdoiGmTekSelectorIndex, cgmGdoiGmTekSrcIdValue, cgmGdoiGmTekSrcIdType, cgmGdoiGmTekSrcIdLength, cgmGdoiGmTekDstIdValue, cgmGdoiGmTekDstIdType, cgmGdoiGmTekDstIdLength |
| CISCO-GDOI-MIB | cgmGdoiGmTekPolicyTable | cgmGdoiGroupIdValue, cgmGdoiGroupIdType, cgmGdoiGmIdValue, cgmGdoiGmIdType, cgmGdoiGmTekPolicyIndex, cgmGdoiGmTekSPI, cgmGdoiGmTekOriginalLifetime, cgmGdoiGmTekRemainingLifetime, cgmGdoiGmTekWindowSize |

DMVPN Monitoring Policies

For the DMVPN policy type, Prime Infrastructure uses metrics described in Table 10-5.


Table 10-5 Monitor > Monitoring Tools > Monitoring Policies > DMVPN Metrics

DMVPN Monitoring Parameters

Remote Peer Physical IP, Decrypted Byte Count, Encrypted Byte Count, Remote Tunnel IP, NHRP Expiration, Remote Subnet IP, Remote Subnet Mask

| MIB | MIB Table | MIB Objects Included |
|---|---|---|
| CISCO-IPSEC-FLOW-MONITOR-MIB | cipSecTunnelTable | cipSecTunRemoteAddr, cipSecTunInOctets, cipSecTunOutOctets |
| NHRP-MIB | nhrpCacheTable | nhrpCacheInternetworkAddr, nhrpCacheHoldingTime, nhrpCacheNbmaAddr, nhrpCacheType |
| IP-FORWARD-MIB | ipCidrRouteTable | ipCidrRouteNextHop, ipCidrRouteDest, ipCidrRouteMask |

Monitoring Third-Party Devices By Polling MIBs

You can design custom MIB polling policies to monitor third-party or Cisco devices and device groups.

You can also create custom MIB policies to monitor device features for which Prime Infrastructure doesn’t provide default policies. Using this feature, you can:

Upload the SNMP MIB for the device type, then choose devices and attributes to poll and the polling frequency.

Upload a single MIB definition file or a group of MIBs with their dependencies as a ZIP file.

Note

Ensure that you upload all the dependencies of the MIB before uploading the MIB. You can also upload the MIB along with its dependencies in a ZIP file.

Display the results as a line chart or a table.

This feature allows you to easily repeat polling for the same devices and attributes and customize the way Cisco devices are polled using SNMP.

You can create a maximum of 25 custom MIB polling policies. There is no limit on the number of MIB files uploaded.

To create custom MIB polling policies, follow these steps:

Step 1

Choose Monitor > Monitoring Tools > Monitoring Policies > My Policies, then click Add.

Step 2

From the Policy Types menu, select Custom MIB Polling.

Step 3

Enter a name for the policy.

Step 4

Under the MIB Selection tab, specify the polling frequency and enter the MIB information.

If Prime Infrastructure doesn’t have the specific MIB you want to monitor, download the MIBs you want to monitor from the following URL: http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2

To upload a MIB, specify a filename extension only if you are uploading a ZIP file.

Regardless of the device, the extensions .ZIP, .MIB and .MY are allowed.

If you are uploading a ZIP file, ensure that all dependent MIB files are either included in the ZIP or already present in the system.

Ensure your upload file and the MIB definition have the same name (for example: Do not rename the ARUBA-MGMT-MIB definition file to ARUBA_MGMT). If you are uploading a ZIP file, you may name it as you please, but the MIB files packaged inside it must also follow this convention (for example: MyMibs.zip is acceptable, as long as all MIB files in the ZIP match their MIB names).

Step 5

To test the policy you created on a device before activating it, click the Test tab and select a device on which to test the new policy.

Step 6

Click Save and Activate to immediately activate the policy on the devices specified.

Step 7

To view the MIB polling data, create a generic dashlet (see Creating Generic Dashlets) using the name of the policy that you created.

To view the SNMP polling data for ASR devices, use the show platform hardware qfp active datapath utilization | inc Processing command for CPU utilization and the show platform hardware qfp active infrastructure exmem statistics | sec DRAM command for memory utilization.
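A pre-upload check for the ZIP rules in Step 4, as an added example (not Cisco code or a Prime Infrastructure tool): it confirms that each MIB file is named after the module it defines, that extensions are ones the guide allows, and that every imported module is in the ZIP or already on the server. The EXAMPLE-* MIB stubs are constructed; the `already_on_server` set, the acceptance of extensionless files inside the ZIP, and the entry-path check are assumptions of this example rather than documented product behaviour.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Extensions accepted for MIB files inside the ZIP. The guide lists .MIB and .MY;
# accepting extensionless files (file name == MIB name) is an assumption.
ALLOWED_EXTENSIONS = {"", ".mib", ".my"}

COMMENT_RE = re.compile(r"--.*?(?:--|$)", re.M)        # ASN.1 comments
MODULE_RE = re.compile(r"\b([A-Za-z][\w-]*)\s+DEFINITIONS\s*::=\s*BEGIN")
IMPORTS_RE = re.compile(r"\bIMPORTS\b(.*?);", re.S)    # IMPORTS ... ;
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z][\w-]*)")

# Constructed sample files (not real vendor MIBs). The second file was renamed
# with an underscore, which is the mistake the guide warns about.
SAMPLE_FILES = {
    "EXAMPLE-SENSOR-MIB.my": """\
EXAMPLE-SENSOR-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Integer32
        FROM SNMPv2-SMI      -- standard module, often already loaded
    exampleRoot
        FROM EXAMPLE-SMI;
-- object definitions omitted from this constructed stub
END
""",
    "EXAMPLE_SMI.mib": """\
EXAMPLE-SMI DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, enterprises
        FROM SNMPv2-SMI;
END
""",
    "notes.txt": "release notes, not a MIB\n",
}


def parse_mib(text):
    """Return (module_name, imported_module_names) for one MIB definition."""
    body = COMMENT_RE.sub("", text)
    module = MODULE_RE.search(body)
    if not module:
        return None, set()
    imports = IMPORTS_RE.search(body)
    deps = set(FROM_RE.findall(imports.group(1))) if imports else set()
    return module.group(1), deps


def check_bundle(zip_bytes, already_on_server=frozenset()):
    """Return a sorted list of problems; an empty list means ready to upload."""
    problems, wanted = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"{info.filename}: unsafe path in ZIP")
                continue
            if path.suffix.lower() not in ALLOWED_EXTENSIONS:
                problems.append(f"{path.name}: extension not allowed")
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            name, deps = parse_mib(text)
            if name is None:
                problems.append(f"{path.name}: no MIB module definition found")
                continue
            if path.stem != name:
                problems.append(f"{path.name}: file name must match MIB name {name}")
            wanted[name] = deps
    available = set(wanted) | set(already_on_server)
    for name, deps in wanted.items():
        for dep in sorted(deps - available):
            problems.append(f"{name}: dependency {dep} missing from ZIP and server")
    return sorted(problems)


def build_zip(files):
    """Pack a {file name: text} mapping into an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    for line in check_bundle(build_zip(SAMPLE_FILES), {"SNMPv2-SMI"}):
        print(line)
```
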

Example: Monitoring IP SLA

You can create a monitoring policy to view IP service levels for network-based applications and services.

There are approximately seven IP SLA-related MIBs. In this example, the video MIB only is monitored.

Step 1

Download the IP SLA video MIB from the following URL: http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2

Step 2

Choose Monitor > Monitoring Policies > My Policies, then click Add.

Step 3

Click Custom MIB Polling.

Step 4

Enter a name for the policy.

Step 5

Under the MIB Selection tab, click Upload MIB and navigate to the MIB that you downloaded in Step 1.

Step 6

From the Tables pulldown menu, select a table, then select the specific metrics to monitor.

Step 7

To test the policy you created on a device before activating it, click the Test tab and select a device on which to test the new policy.

Step 8

Select the devices for which you want to monitor IP SLA metrics.

Step 9

Click Save and Activate to immediately activate the policy on the devices specified.

Step 10

To monitor this information from a dashboard, you need to create a generic dashlet. See Creating Generic Dashlets for more information.

Polled Data in Dashlets and Reports

When viewing polled data from devices, consider the following scenario:

Device 1 data is polled from the last 6 hours.

Device 2 data is polled from the last 2 days.


When you filter dashlets or reports to show data from the past 2 days, only the data from Device 2 is displayed.

If you filter dashlets and reports by devices and time frame, then data for both devices is displayed.


Chapter 11

Monitoring Alarms

An alarm is a Cisco Prime Infrastructure response to one or more related events. If an event is considered of high enough severity (critical, major, minor, or warning), Prime Infrastructure raises an alarm until the condition no longer occurs.

What Is an Event?

What Is an Alarm?

Defining Alarm Thresholds

Where to Find Alarms

Display Options

Changing Alarm Status

Changing Alarm and Event Options

Configuring Alarm Severity Levels

Customizing Alarms and Events For Traps

Getting Help for Alarms

Where to Find Syslogs

What Is an Event?

An event is an occurrence or detection of some condition in or around the network. An event is a distinct incident that occurs at a specific point in time. Examples of events include:

Port status change

Device reset

Device becomes unreachable by the management station

An event can also result from:

A fault that is an error, failure, or exceptional condition in the network. For example, when a device becomes unreachable, an unreachable event is triggered.

A fault clearing. For example, when a device state changes from unreachable to reachable, a reachable event is triggered.

One or more events may generate an abnormal state or alarm. The alarm can be cleared, but the event remains. You can view the list of events using the Event Browser.


Choose Monitor > Monitoring Tools > Alarms & Events, then click Events to access the Events Browser page.

Event Creation

Prime Infrastructure maintains an event catalog and decides how and when an event is created and whether to associate an alarm with the event. Multiple events can be associated with the same alarm.

Prime Infrastructure discovers events in the following ways:

By receiving notification events and analyzing them; for example, syslog and traps.

By automatically polling devices and discovering changes; for example, device unreachable.

By receiving events when a significant change occurs on the Prime Infrastructure server; for example, rebooting the server.

Incoming event notifications (traps and syslogs) are identified by matching the event data to predefined patterns. A trap or syslog is considered supported by Prime Infrastructure if it has matching patterns and can be properly identified. If the event data does not match predefined patterns, the event is considered unsupported, and it is dropped.

Faults are discovered by Prime Infrastructure through polling, traps, or syslog messages. Prime Infrastructure maintains the context of all faults and ensures that duplicate events or alarms are not maintained in the Prime Infrastructure database.

The following table provides examples of when Prime Infrastructure creates an event.

Time | Event | Prime Infrastructure Behavior
10:00AM PDT December 1, 2014 | Device A becomes unreachable. | Creates a new unreachable event on device A.
10:30AM PDT December 1, 2014 | Device A continues to be unreachable. | No change in the event status.
10:45AM PDT December 1, 2014 | Device A becomes reachable. | Creates a new reachable event on device A.
11:00AM PDT December 1, 2014 | Device A stays reachable. | No change in the event status.
12:00AM PDT December 1, 2014 | Device A becomes unreachable. | Creates a new unreachable event on device A.

Recurring Alarms and Events

To reduce the amount of unnecessary alarms and events, Prime Infrastructure detects the underlying causes of an event, and then modifies when it issues alarms and events if the devices have any of the problems. For example, for module or link faults, if a module is down, Prime Infrastructure creates one Module Down alarm only, and associates all of the interfaces’ link down events to the Module Down alarm. When the module state is restored, Prime Infrastructure clears the module alarm and all interface messages are associated to the cleared alarm.

When several link-up and link-down traps are received for the same interface, within a short time period, then Prime Infrastructure detects those traps and creates a Flapping event.

What Is an Alarm?

An alarm is a Prime Infrastructure response to one or more related events. If an event is considered of high enough severity (critical, major, minor, or warning), Prime Infrastructure raises an alarm until the resulting condition no longer occurs.

One or more events can result in a single alarm being raised. An alarm is created in the following sequence:

1. A notification is triggered when a fault occurs in the network.

2. An event is created, based on the notification.

3. An alarm is created after verifying that there is no active alarm corresponding to this event.

An alarm is associated with two types of events:

Active Events: Events that have not been cleared. An alarm remains in this state until the fault is resolved in a network.

Historical Events: Events that have been cleared. An event state changes to a historical event when the fault is resolved in a network.

A cleared alarm represents the end of an alarm’s lifecycle. A cleared alarm can be revived if the same fault recurs within a preset period of time. The default is 5 minutes.

Event and Alarm Association

Prime Infrastructure maintains a catalog of events and alarms. This catalog contains a list of events and alarms managed by Prime Infrastructure, and the relationship among the events and alarms. Events of different types can be attached to the same alarm type.

When a notification is received:

1. Prime Infrastructure compares an incoming notification against the event and alarm catalog.

2. Prime Infrastructure decides whether to raise an event.

3. If an event is raised, Prime Infrastructure decides if the event triggers a new alarm or if it is associated with an existing alarm.

A new event is associated with an existing alarm if the new event is of the same type and occurs on the same source.

Alarm Status

Table 11-1 provides alarm status descriptions.

Table 11-1 Alarm Status Descriptions

Alarm Status | Description
Not acknowledged | When an event triggers a new alarm or a new event is associated with an existing alarm.
Acknowledged | When you acknowledge an alarm, the status changes from Not acknowledged to Acknowledged.
Cleared | A cleared alarm can involve any of the following: Auto-clear from the device—The fault is resolved on the device and an event is triggered for the device. For example, a device-reachable event clears a device-unreachable event. This, in turn, clears the device-unreachable alarm. Manual-clear from Prime Infrastructure users—You can manually clear an active alarm without resolving the fault in the network. A clearing event is triggered and the alarm is cleared. If a fault continues to exist in the network, a new event and alarm are created subsequently, based on event notification (traps/syslogs).

Event and Alarm Severity

Each event has an assigned severity. Events fall broadly into the following severity categories, each with an associated color in Prime Infrastructure:

Flagging (indicates a fault)—Critical (red), Major (orange), Minor (yellow), or Warning (sky blue).

Informational—Info (blue). Some informational events clear flagging events.

For example, a Link Down event might be assigned Critical severity, while its corresponding Link Up event will be Cleared severity.

In a sequence of events, the event with the highest severity determines the severity of the alarm.
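
The association rules described above (catalog match, same alarm type and source, clearing events, the 5-minute revival window, highest severity wins) can be modelled in a few lines. This is an added Python example, not Prime Infrastructure code; the catalog entries, the LINK_ERRORS event type, the sample timeline, and the choice to raise a fresh alarm once the revival window has passed are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Rank used to choose the alarm severity from its events.
RANK = {"Cleared": 0, "Info": 1, "Warning": 2, "Minor": 3, "Major": 4, "Critical": 5}

# Constructed catalog: event type -> (alarm type, event severity).
# Events of different types can attach to the same alarm type.
CATALOG = {
    "DEVICE_UNREACHABLE": ("Reachability", "Critical"),
    "DEVICE_REACHABLE": ("Reachability", "Cleared"),
    "LINK_ERRORS": ("Link", "Minor"),  # hypothetical event type
    "LINK_DOWN": ("Link", "Critical"),
    "LINK_UP": ("Link", "Cleared"),
}

REVIVE_WINDOW = timedelta(minutes=5)  # default revival period given in the guide


@dataclass
class Alarm:
    alarm_type: str
    source: str
    severity: str
    cleared_at: Optional[datetime] = None  # None while the alarm is active
    events: list = field(default_factory=list)


class Correlator:
    def __init__(self):
        self.alarms = {}  # (alarm type, source) -> latest Alarm for that pair

    def process(self, when, source, event_type):
        """Apply one notification and return what happened to it."""
        entry = CATALOG.get(event_type)
        if entry is None:
            return "dropped"  # no matching pattern: unsupported, no event
        alarm_type, severity = entry
        key = (alarm_type, source)
        alarm = self.alarms.get(key)
        event = (when, event_type, severity)

        if severity == "Cleared":
            if alarm is None or alarm.cleared_at is not None:
                return "event-only"  # nothing active to clear
            alarm.events.append(event)
            alarm.severity, alarm.cleared_at = "Cleared", when
            return "cleared"

        if alarm is not None and alarm.cleared_at is None:
            # Active alarm for the same type and source: associate the event.
            alarm.events.append(event)
            if RANK[severity] > RANK[alarm.severity]:
                alarm.severity = severity
            return "associated"

        if alarm is not None and when - alarm.cleared_at <= REVIVE_WINDOW:
            alarm.events.append(event)
            alarm.severity, alarm.cleared_at = severity, None
            return "revived"

        # Assumption: outside the window a fresh alarm replaces the old one.
        self.alarms[key] = Alarm(alarm_type, source, severity, events=[event])
        return "raised"


def replay(timeline):
    """Run (HH:MM, source, event type) tuples through a new Correlator."""
    correlator = Correlator()
    day = datetime(2014, 12, 1)
    actions = []
    for hhmm, source, event_type in timeline:
        hours, minutes = map(int, hhmm.split(":"))
        when = day + timedelta(hours=hours, minutes=minutes)
        actions.append(correlator.process(when, source, event_type))
    return actions, correlator


# Constructed sample timeline (not captured from a real system).
TIMELINE = [
    ("10:00", "device-a", "DEVICE_UNREACHABLE"),   # raised
    ("10:01", "device-a", "DEVICE_UNREACHABLE"),   # associated
    ("10:02", "device-a", "VENDOR_PRIVATE_TRAP"),  # dropped
    ("10:45", "device-a", "DEVICE_REACHABLE"),     # cleared
    ("10:48", "device-a", "DEVICE_UNREACHABLE"),   # revived
    ("10:50", "device-a", "DEVICE_REACHABLE"),     # cleared
    ("12:00", "device-a", "DEVICE_UNREACHABLE"),   # raised (window passed)
    ("12:00", "device-b", "DEVICE_UNREACHABLE"),   # raised (different source)
    ("12:05", "device-b", "LINK_ERRORS"),          # raised (Link alarm, Minor)
    ("12:06", "device-b", "LINK_DOWN"),            # associated (now Critical)
]

if __name__ == "__main__":
    for step, action in zip(TIMELINE, replay(TIMELINE)[0]):
        print(*step, "->", action)
```
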

Defining Alarm Thresholds

Use monitoring templates to define thresholds. When the thresholds that you specify are reached, Prime Infrastructure issues an alarm. See Creating Monitoring Policies and Thresholds for information about defining thresholds.

Where to Find Alarms

Table 11-2 lists where you can find alarms.

Table 11-2 Where to Find Alarms

Location in GUI | Description
Monitor > Monitoring Tools > Alarms & Events | Displays a new page listing all alarms with details such as severity, status, failure source, time stamp, owner, category, and condition. From this page you can change the status of alarms; assign, annotate, and delete alarms; specify email notifications; and use the troubleshooting functionality for devices from Prime Infrastructure. If you enable Alarm Badging, Prime Infrastructure displays severity icons next to the device groups. See Displaying Alarm Icons.
Toolbar on top right of the Prime Infrastructure window | The red box on the top right of the Prime Infrastructure window displays the total number of critical alarms currently detected by Prime Infrastructure. You can click on the box to open the Alarm Summary. See Customizing the Alarm Summary.
From device 360° view | On the Alarms tab, when you hover the mouse over the Failure Source field, the crosshair icon appears. Click the icon to see the 360° view of the device. Or, on the Alarm browser, when you hover the mouse over the Failure Source field, the crosshair icon appears. Click the icon to see the 360° view of the device.
Dashboard > Overview > Incidents | Displays dashlets that contain alarm summary information, top n sites with the most alarms, top n alarm types, device reachability status, syslog watch, and syslog summary.
Dashboard > Network Summary > Incidents | Displays dashlets that contain Alarms, Top N Alarm Types, Syslog Summary and Top N Event Types.
Dashboard > Data Center > Compute | Displays Compute Resources Summary dashlet which shows alarms associated with each Compute Resource.
Inventory > Device Management > Compute Devices > Compute Resources > Clusters > Cluster Detail Page | Displays Severity, Status, Timestamp and Description of the Alarms in the Alarms area.
Inventory > Device Management > Compute Devices > Compute Resources > Host > Host Details Page | Displays Severity, Status, Timestamp and Description of the Alarms in the Alarms area.
Inventory > Device Management > Compute Devices > Compute Resources > Virtual Machines > Virtual Machine Details Page | Displays Severity, Status, Timestamp and Description of the Alarms in the Alarms area.

Display Options

The following sections explain the various ways you can modify how alarms, events, and syslogs are displayed:

Viewing Options for Alarms, Events, and Syslogs

Displaying Alarm Icons

Changing Alarm Display Behavior

Viewing Options for Alarms, Events, and Syslogs

When you choose Monitor > Monitoring Tools > Alarms & Events, then click any of the tabs at the top of the page (Alarms, Events, or Syslogs), you can click on either of the following viewing modes:

Show Latest 4000 Alarms—Prime Infrastructure displays the most recent alarms, events, or syslogs (depending on which tab you clicked), based on the timestamp when it was last modified.

The Most Recent cache holds up to 4000 alarms for display in the Show Latest 4000 Alarms view. If a newer alarm, event, or syslog occurs, Prime Infrastructure removes an older item from the list and adds the most recent one.

Show All—Prime Infrastructure retrieves all alarms, events, or syslogs from the database and displays them.

You can use filters on either view.

By default, Prime Infrastructure deletes alarms older than 30 days and deletes events older than 7 days.

Prime Infrastructure stores up to a maximum of 8,000,000 events. There is no limit on the number of alarms that Prime Infrastructure stores. You can change the number of days that events are stored by choosing Administration > Settings > System Settings > Alarms and Events.

Prime Infrastructure displays a maximum of 200,000 rows of events, alarms, and syslogs for any particular active filter. If there are more than 200,000 rows of data on the Alarms, Events, or Syslog page, the global toolbar displays 200000 of N where N is the total number of rows in the table. If you hover your cursor over 200000 of N, a message appears saying that “Only the first 200,000 rows are displayed. Use the table filter controls to display a smaller result set.” To see all records, use the time and date filters to view all records day-by-day.

Displaying Alarm Icons

To have Prime Infrastructure display alarm severity icons next to the device groups on the Monitor > Monitoring Tools > Alarms & Events page, you need to enable Alarm Badging. This feature is disabled by default because it could impact performance if Prime Infrastructure is monitoring more than 2,000 devices with more than 10,000 active alarms. If you notice performance degradation issues, we suggest you disable this feature.

Step 1 Click your login name at the top-right of the screen and choose My Preferences.

Step 2 Click the checkbox next to Enable Alarm Badging on Alarms & Events page.

Step 3 Click Save.

Changing Alarm Display Behavior

Prime Infrastructure provides user preference settings that let you control whether:

Prime Infrastructure automatically refreshes the Alarms and Events page.

Prime Infrastructure displays prompts and warning messages when you acknowledge an alarm or clear all alarms of a condition.

Cleared alarm conditions are always set to the “Information” severity level.

Step 1 Click the Settings icon and choose My Preferences.

Step 2 If you want the Alarms/Events/Syslog page to automatically refresh at a periodic interval, select Automatically refresh Alarms & Events page.

Step 3 If you do not want the warning message to appear whenever you acknowledge an alarm, select the Disable Alarm Acknowledge Warning Message check box. Note that the warning message displays as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled.

Step 4 If you do not want to be prompted to confirm each time you clear an alarm condition, select the Disable confirmation prompt for “Clear all of this condition” check box. Note that the warning displays as a reminder that you are clearing all occurrences of the specified condition.

Step 5 If you do not want to be prompted to confirm the severity change each time you clear an alarm condition, select the Disable “Set severity to Information?” prompt for “Clear all of this condition” check box.

Step 6 Click Save.

Related Topics

Changing Alarm Display Behavior

Customizing the Alarm Summary

Customizing Alarms and Events For Traps

Display Options

Customizing the Alarm Summary

Prime Infrastructure provides user settings that control the information shown in the Alarm Summary box (shown in the top right of the Toolbar at the top on the Prime Infrastructure window) and in the Alarm Summary pop-up page displayed when you click on the Alarm Summary box. These include:

How often the alarm count is refreshed in the Alarm Summary box and page.

Which category of alarm to track as the default alarm category shown in the Alarm Summary box.

Which categories of alarms to include in the Alarm Summary page, and in the total displayed in the Alarm Summary box.

Step 1 Click the Settings icon and choose My Preferences.

You can also access the User Preferences page by clicking the arrow next to your login name in the Global Toolbar at the top right.

Step 2 To change the Alarm Summary refresh frequency: In the Refresh Alarm count in the Alarm Summary every drop down list, choose a refresh frequency (every 5 seconds, 15 seconds, 30 seconds, 1 minute, 2 minutes, or 5 minutes).

Step 3 To select the alarm categories to display in the Alarm Summary box and pop-up page:

a. Click Edit Alarm Categories. The Select Alarm Categories pop-up displays.

b. In the Default Category to display drop-down, choose the default category whose total alarm count you want to display in the Alarm Summary box. For example: Choose “AP Rogue” to have the Alarm Summary box display the count for AP Rogue alarms only. Choose “Alarm Summary” to have the box display a count of all alarms in all selected categories and subcategories.

c. In the pick list under the Show drop-down, choose the checkbox next to each category or sub-category of alarm that you want to include in the Alarm Summary popup page.

If Default Category to display is set to “Alarm Summary”, the alarm totals shown will be the total of all critical alarms for all the categories and sub-categories you select in the pick list. If any other category or sub-category is selected as the Default Category, the box displays totals only for that category.

d. When you are finished, click OK. Your selected alarm category and subcategories are listed on the User Preferences page.

Step 4 Click Save to save your changes.

Related Topics

Changing Alarm Display Behavior

Toolbar

Changing Alarm Status

You can remove an alarm from the list of alarms by changing its status to Acknowledged or Cleared. No e-mails will be generated for these alarms.

Step 1 Choose Monitor > Monitoring Tools > Alarms & Events. By default, the Alarms tab is selected.

Step 2 Select an alarm, then choose one of the following options under Change Status:

Acknowledge—Removes the alarm from the Alarms list and prevents the alarm from being counted as an active alarm on the Alarm Summary page or any alarms list.

Unacknowledge—Returns the alarm to its active alarm state on the Alarm Summary page and all alarms lists.

Clear—Sets the alarm state to Cleared. Cleared alarms remain in the Prime Infrastructure database, but in the Clear state. You clear an alarm when the condition that caused it no longer exists.

Clear all of this Condition—Sets the alarm state to Cleared for all alarms with the same Condition as the alarm you selected.

After you click Yes to confirm that you want to clear all alarms of the specified condition, a dialog appears asking if you want to change the severity for the selected alarm condition to Informational. This prevents Prime Infrastructure from issuing alarms for the specified condition. To later reset the condition’s severity, choose Administration > Settings > System Settings > Alarms and Events > Alarm Severity and Auto Clear > Severity Configuration and modify the severity.

Related Topics

Configuring Alarm Severity Levels

When to Acknowledge Alarms

Including Acknowledged and Cleared Alarms in Searches

When to Acknowledge Alarms

You may want certain alarms to be removed from the Alarms list. For example, if you are continuously receiving an interference alarm from a certain device, you may want to stop that alarm from being counted as an active alarm on the Alarm Summary page or any alarms list. In this scenario, you can find the alarm for the device in the Alarms list, select an alarm and choose Change Status > Acknowledge.

If the device generates a new violation on the same interface, Prime Infrastructure does not create a new alarm, and the Alarm Summary page shows no new alarms. However, if the interference violation is created on another interface, a new alarm is created.

By default, acknowledged alarms are not displayed on either the Alarm Summary page or in any alarm list. Also, no emails are generated for acknowledged alarms. By default, acknowledged alarms are not included for any search criteria. To change this default, go to the Administration > Settings > System Settings > Alarms and Events page and disable the Hide Acknowledged Alarms preference.

When you acknowledge an alarm, a warning message appears as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled. To disable this warning message, click the Settings icon and choose My Preferences.

You can also search for all previously acknowledged alarms to reveal the alarms that were acknowledged during the last seven days. Prime Infrastructure automatically deletes cleared alerts that are more than seven days old, so your results can show activity for only the last seven days. Until an existing alarm is deleted, a new alarm cannot be generated for any managed entity for which Prime Infrastructure has already generated an alarm.

Including Acknowledged and Cleared Alarms in Searches

By default, acknowledged and cleared alarms are not included for any search criteria. To change this default, choose Administration > Settings > System Settings > Alarms and Events and disable the Hide Acknowledged Alarms or Hide Cleared Alarms preference.

Cleared alarms remain in the Prime Infrastructure database, but in the Clear state. You clear an alarm when the condition that caused it no longer exists.

Changing Alarm and Event Options

You might want to change the schedule for deleting alarms, the alarm severities that are displayed, or alarm email options.

To change alarm and event options, follow these steps:

Step 1 Choose Administration > Settings > System Settings.

Step 2 From the left sidebar menu, choose Alarms and Events.

Step 3 Change the alarm or event settings, then click Save.

Configuring Alarm Severity Levels

A newly generated alarm has a default severity level that you might want to change.

To configure an alarm’s severity level, follow these steps:

Step 1 Choose Administration > Settings > System Settings > Alarms and Events > Alarm Severity and Auto Clear.

Step 2 Choose Severity Configuration.

Step 3 Select the check box of the alarm condition whose severity level you want to change.

Step 4 From the Configure Severity Level drop-down list, choose a severity level.

Step 5 Click OK to confirm the changes.

Customizing Alarms and Events For Traps

You can enable Prime Infrastructure to recognize additional traps and to customize how Prime Infrastructure creates events and alarms for these traps. You can specify a trap notification name or syslog message identifier, and specify the event severity, category, and message to use when the specified trap is received. Prime Infrastructure creates an event with the settings you specify.

Step 1 Choose Monitor > Monitoring Tools > Alarms & Events.

Step 2 Click the Events tab.

Step 3 Click Custom Trap Event. The Custom Trap Events window opens displaying any previously created custom trap events.

Step 4 Click Add.

Step 5 Select a MIB from the menu, which includes all MIBs that are not fully supported, or click Upload New MIB to upload a MIB file.

If you upload a new MIB file, wait approximately 15 seconds, then click Refresh MIBs to have the newly added MIB added to the MIB drop-down list.

Step 6 Select a Notification Name from the list of unsupported notification names included in the selected MIB.

Step 7 In the Event Description field, enter the text you want displayed in the Description column for the events that are generated from traps with the selected notification name.

Step 8 Select a Default Severity level, then click OK.

Prime Infrastructure creates a new event type and alarm condition for the specified trap.

Related Topic

Modifying a Customized Trap Event

Modifying a Customized Trap Event

You can modify a previously created customized trap event.

Step 1 Choose Monitor > Monitoring Tools > Alarms & Events.

Step 2 Click the Events tab.

Step 3 Click Custom Trap Event. The Custom Trap Events window opens displaying any previously created custom trap events.

Step 4 Select the custom trap event you want to modify, then click Edit.

Step 5 Modify the necessary fields, then click OK.

Related Topic

Customizing Alarms and Events For Traps

Getting Help for Alarms

If you receive an alarm in Monitor > Monitoring Tools > Alarms & Events for which you cannot find a resolution in the Cisco Support Community (select an alarm, then choose Troubleshoot > Support Forum), you can use Prime Infrastructure to open a support request (click an alarm, then choose Troubleshoot > Support Case). See “Troubleshooting Prime Infrastructure” in the Cisco Prime Infrastructure 3.0 Administrator Guide for more information.

Where to Find Syslogs

Prime Infrastructure logs all syslogs from severity 0 through 7 (emergency through debugging messages) generated by all devices that are managed by Prime Infrastructure. Prime Infrastructure also logs all SNMP messages.

Prime Infrastructure logs and displays syslogs from managed devices only. Syslogs from devices that are not managed by Prime Infrastructure are not logged or displayed.

To view syslogs, choose Monitor > Monitoring Tools > Alarms & Events, then click the Syslogs tab.

You can use the predefined filters provided by Prime Infrastructure, or use the Quick or Advanced Filters to search on your own criteria.

Prime Infrastructure stores a maximum of 2,000,000 syslogs. You can view up to 50 syslogs per UI page, up to a maximum of 200,000 total syslogs.

Supported Syslog Formats for Event Based Inventory

The following are the supported Syslog formats. Prime Infrastructure will trigger the inventory collection if the device syslog matches any one of the following conditions:

Message Type is any one of the following:

LINK-3-UPDOWN

PORT_SECURITY-6-VLAN_REMOVED

PORT_SECURITY-6-VLAN_FULL

G8032-STATE_IDLE

G8032-STATE_PENDING

G8032-STATE_PROTECTION

G8032-STATE_FORCED_SWITCH

G8032-STATE_MANUAL_SWITCH

L2-G8032-3-APS_CHANNEL_INACTIVE

L2-G8032-6-APS_CHANNEL_ACTIVE

L2-L2VPN_ICCP_SM-4-REMOTE_CORE_ISOLATION

L2-L2VPN_ICCP_SM-4-REMOTE_CORE_ISOLATION_CLEAR

L2-L2VPN_ICCP_SM-3-CONFIG_LOCAL_ERROR

L2-L2VPN_ICCP_SM-3-CONFIG_REMOTE_ERROR

L2-L2VPN_ICCP_SM-4-LOCAL_CORE_ISOLATION

L2-L2VPN_ICCP_SM-4-LOCAL_CORE_ISOLATION_CLEAR

L2-L2VPN_ICCP_SM-4-PEER_REACHABILITY_FAILURE

L2-L2VPN_ICCP_SM-4-PEER_REACHABILITY_CLEAR

L2-L2VPN_ICCP_SM-4-REMOTE_ACCESS_MAIN_PORT_FAILURE

L2-L2VPN_ICCP_SM-4-REMOTE_ACCESS_MAIN_PORT_FAILURE_CLEAR

INFRA-ICCP-5-ISOLATION

INFRA-ICCP-5-ISOLATION_CLR

INFRA-ICCP-5-NEIGHBOR_STATE_UP

INFRA-ICCP-5-NEIGHBOR_STATE_DOWN

INFRA-ICCP-6-BACKBONE_INTERFACE_STATE_UP

INFRA-ICCP-6-BACKBONE_INTERFACE_STATE_DOWN

L2-BM-6-ACTIVE_CLEAR

L2-BM-6-ACTIVE_PROBLEM

L2-L2VPN_ICCP_SM-3-CONFIG_INVALID_NODEID

L2-L2VPN_ICCP_SM-3-CONFIG_INVALID_NODEID_CLEAR

PKT_INFRA-ICPE_GCO-5-SATELLITE_STATUS_PROBLEM

PKT_INFRA-ICPE_GCO-5-SATELLITE_STATUS_CLEAR

PLATFORM-REDDRV-7-ROLE_CHANGE

PLATFORM-CE_SWITCH-6-UPDN

PLATFORM-CLUSTER_CLM-6-UPDN

E_CFM-6-LCK

E_CFM-6-AIS

E_CFM-6-AIS_INT

E_CFM-6-LCK_INT

LINK_UP

LINK_DOWN

cefcPowerStatusChange

cefcFRURemoved

cefcFRUInserted

SYS-5-RELOAD

SYS-5-RESTART

OIR-6-INSCARD

OIR-SP-6-INSCARD

SWT_CEFC_STATUS_CHANGE

Customizing Alarms and Events For Syslogs

You can enable Prime Infrastructure to create events for particular syslogs. You can specify a syslog message identifier, and specify the event severity and message to use when the specified syslog is received. Prime Infrastructure creates an event with the settings you specify.

Step 1 Choose Monitor > Monitoring Tools > Alarms & Events.

Step 2 Click the Syslogs tab.

Step 3 If there is an existing syslog for which you want to create an event, select the syslog, then click Custom Syslog Events. To create a new event for which there is not an existing syslog, click Custom Syslog Events.

Step 4 Click Add. Complete the required fields. If you selected a syslog in Step 3, the Message Type and Event Message fields are prepopulated with the values of the syslog you selected.

Step 5 Select a Default Severity level, then click OK. The Default Severity field controls the severity of the event that is created from the syslog. The syslog itself is not modified in any way.

Modifying a Customized Syslog Event

You can modify a previously created customized syslog event.

Step 1 Choose Monitor > Monitoring Tools > Alarms & Events.

Step 2 Click the Syslogs tab.

Step 3 Click Custom Syslog Events. The Custom Syslog Events window opens displaying any previously created event mappings.

Step 4 Select the custom syslog event you want to modify, then click Edit.

Step 5 Modify the necessary fields, then click OK.

Related Topic

Customizing Alarms and Events For Syslogs

CHAPTER 12

Monitoring Clients and Users

About Wired and Wireless Clients

A client is a device that is connected to an access point or a switch. Cisco Prime Infrastructure supports both wired and wireless clients. After you add controllers and switches to Prime Infrastructure, the client discovery process starts. Wireless clients are discovered from managed controllers or autonomous access points. The controllers are polled during regular client status poll. The wireless client count includes autonomous clients as well. In the case of switches, Prime Infrastructure polls for clients immediately after the device is added and updates the device information in the database. For wired clients, the client status polling to discover client associations occurs every two hours (by default). A complete polling happens twice every day to poll complete information of all wired clients connected to all switches.

Prime Infrastructure uses background tasks to perform the data polling operations. There are three tasks associated with clients:

1. Autonomous AP Client Status

2. Lightweight Client Status

3. Wired Client Status

You can refresh the data collection tasks (such as polling interval) from the Administration > Settings > Background Tasks page.

Client status (applicable only for wired clients) is noted as connected, disconnected, or unknown:

Connected clients—Clients that are active and connected to a wired switch.

Disconnected clients—Clients that are disconnected from the wired switch.

Unknown clients—Clients that are marked as unknown when the SNMP connection to the wired switch is lost.

For the clients of autonomous access point managed by Prime Infrastructure and for the clients authenticated using Local Extensible Authentication Protocol (LEAP), the username is not registered and is displayed as unknown.

Prime Infrastructure supports both identity and non-identity wired clients. The support for wired clients is based on the identity service. The identity service provides secure network access to users and devices and it also enables the network administrators to provision services and resources to the users based on their job functions.

Prime Infrastructure does not poll end hosts connected through VLAN 1000-1024.

Prime Infrastructure does not support VRF. Therefore, if a client is connected to a VRF-configured device, you cannot view client information.

Cisco Prime Infrastructure Classic View Configuration Guide for Wireless Devices

OL-32295-01

Related Topics

Managing Data Collection and Retention

Tracking Clients

Client Dashlets on the General Dashboard

When you log into Prime Infrastructure, the General dashboard displays a few client-related dashlets.

Client Count By Association/Authentication—Displays the total number of clients by Association and authentication in Prime Infrastructure over the selected period of time.

Associated client—All clients connected regardless of whether it is authenticated or not.

Authenticated client—All clients connected and passed authentication, authorization and other policies, and ready to use the network.

Client Count By Wireless/Wired—Displays the total number of wired and wireless clients in Prime Infrastructure over the selected period of time.

Related Topics

Interactive Graphs

Client Dashboard

Client Dashboard

The Client dashboard (Dashboard > Overview > Client) page displays the client-related dashlets.

These dashlets enable you to monitor the clients on the network. The data for graphs is also polled/updated periodically and stored in the Prime Infrastructure database. On the other hand, most of the information in the Client Details page is polled directly from the controller/switch.

Click the Edit Content link to choose the dashlets you want to have appear on the Client dashboard. You can choose the dashlet from the Available dashlets list and then click to add it to the left or right column.

For example, if you want to see the client count in both the General and Client dashboards, you can add the same dashlet to both.

To return to the original Client dashboard before customization, click Edit Tabs, and click Reset to Factory Default.

Related Topics

Interactive Graphs

Adding Dashlets

Monitoring Clients and Users

Choose Monitor > Monitoring Tools > Clients and Users to view all the wired and wireless clients in your network. In addition, you can view the client association history and statistical information. These tools are useful when users complain of network performance as they move throughout a building with their laptop computers. The information might help you assess what areas experience inconsistent coverage and which areas have the potential to drop coverage.


Access the Client Detail page by clicking on a MAC Address to help you identify, diagnose, and resolve client issues.

Related Topics

Filtering Clients and Users

Viewing Clients and Users

Modifying the Clients and Users Page

Filtering Clients and Users

The Monitor > Monitoring Tools > Clients and Users page lists all associated clients by default. There are preset filters that allow you to view a subset of clients.

The WGB, Wired Guest, and Office Extended Access Point 600 (OEAP 600) are tracked as wireless clients. Prime Infrastructure remembers the sorting column only if it is an indexed column, including MAC Address, IP Address, Username, AP MAC Address, and SSID. Sorting on a non-indexed column causes serious performance issues when loading the client list page. You can still sort the table by any column, but after you leave this page, Prime Infrastructure will not remember the last used sorting column if it is not indexed.

In addition, you can use the filter icon ( ) to filter the records that match the filter rules. If you want to specify a filter rule, choose All from the Show drop-down list before you click .

When you select a preset filter and click the filter icon, the filter criteria is dimmed. You can only see the filter criteria but cannot change it. When the All option is selected to view all the entries, clicking the filter icon shows the quick filter options, where you can filter the data using the filterable fields. You can also enter text in the free form text box for table filtering.

You can use the advanced search feature to narrow the client list based on specific categories and filters.

Related Topics

Filtering on IP Addresses

Filtering on IP Addresses

When you perform advanced client filtering on IPv6 addresses, each octet that you specify must be a complete octet. If you specify a partial octet, the filtering might not show correct results.

The following example shows how the advanced client filtering works on IPv6 addresses.

This example assumes that you have the following IP addresses in the system:

10.10.40.1

10.10.40.2

10.10.40.3

10.10.240.1

Fec0::40:20

Fe80::240:20

If you search for all IP addresses containing 40, you get the following result:

10.10.40.1

10.10.40.2

10.10.40.3

Fec0::40:20


The IP addresses that contain 240 are not matched because the filtering feature expects you to enter a complete octet.

Related Topic

Search Methods

Viewing Clients and Users

To view complete details in the Monitor > Monitoring Tools > Clients and Users page and to perform operations such as Radio Measurement, users in User Defined groups should have the required permission before they access the Monitor Clients, View Alerts & Events, Configure Controllers, and Client Location pages.

The following attributes are populated only when the ISE is added to Prime Infrastructure:

ISE

Endpoint Type

Posture

Authorization Profile Name

Prime Infrastructure queries the ISE for client authentication records for the last 24 hours to populate this data. If the client is connected to the network 24 hours before it is discovered in Prime Infrastructure, you might not see the ISE-related data in the table. You might see the data in client details page. To work around this, reconnect the client to the network. The ISE information is shown in the table after the next client background task run.

To view clients and users, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users to view information about both wired and wireless clients. The Clients and Users page appears.

The Clients and Users table displays a few columns by default. If you want to display the additional columns that are available, click , and then click Columns. The available columns appear. Select the columns that you want to show in the Clients and Users table. When you click anywhere in a row, the row is selected and the client details are shown.

Step 2  Choose a client or user. The following information appears depending on the selected client/user.

Client Attributes

Client Statistics


Client Association History

Client Event Information

Client Location Information

Wired Location History

Client CCXv5 Information


Related Topics

Modifying the Clients and Users Page

Filtering Clients and Users

Exporting Clients and Users

You can quickly export your clients and users list into a CSV file (spreadsheet format with comma-separated values).

Only the columns that are shown in the Clients and Users table are exported to the CSV file.

To export the clients and users list, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Click the export icon on the toolbar. A dialog box appears.

Step 3  In the File Download dialog box, click Save.

Related Topics

Viewing Clients and Users

Modifying the Clients and Users Page

Filtering Clients and Users

When to Use the Client Troubleshooting Tool

Prime Infrastructure provides a troubleshooting tool to help you diagnose and solve issues experienced with both wired and wireless clients. This tool relies on SNMP to discover clients and collect client data.

If Cisco Identity Services Engine (ISE) is integrated with Prime Infrastructure, the tool also collects ISE-based client statistics and other data shown in Prime Infrastructure’s client dashlets and reports.

Launch the client troubleshooting tool whenever you need to:

Monitor the status of a client connection.

Verify the current and past locations of users and their devices.

Troubleshoot client connectivity problems.

Troubleshoot current client issues.

View client issue history.

Obtain the location history for location-assisted clients.

The client troubleshooting feature is available for identity wired clients (those that are identified by ISE) and not for non-identity wired clients.

Related Topics

Launching the Client Troubleshooting Tool

Searching for Clients

Analyzing Client Connection Logs


Viewing Client Event History and Event Logs

Launching the Client Troubleshooting Tool

You can launch the Client Troubleshooting tool for any client from the Clients and Users page.

Step 1  Choose Monitor > Monitoring Tools > Clients and Users. The Clients and Users page lists all the clients the system knows (including those not currently associated).

Step 2  Click the MAC Address for the client having connection problems that you want to troubleshoot.

You may find it handy to narrow the client list first, by using the Search feature. See “Troubleshooting Clients Using the Search Feature” in Related Topics.

Step 3  Click Troubleshoot and Debug.

Related Topics

About the Client Troubleshooting Page

How the Client Troubleshooting Tool Gives Advice

Searching for Clients

About the Client Troubleshooting Page

The Client Troubleshooting page provides:

Details on the current or last session for a selected wired or wireless client.

The client’s current/last connection status, shown as a series of graphic icons.

If connection problems are detected:

The nature of the connection problem (also indicated by graphic icons)

Advice on how to troubleshoot that problem.

Figure 12-1 shows the complete Client Troubleshooting page for a wireless client that has connected successfully. The upper Properties section of the page provides the same session details for a successfully connected client that you would see on the Clients and Users page.

Also note that, as this is a successful connection, the lower Troubleshoot section shows green check marks as the status for each stage of the wireless connection process, and provides no advice on troubleshooting the connection.

Figure 12-1 Client Troubleshooting page for Successful Wireless Client

1 Properties

2 Troubleshoot

3 Recommendation

Figure 12-2 shows the Troubleshoot section of the Client Troubleshooting page for a different wireless client (for simplicity, we have collapsed the Properties section by clicking on the section’s right arrow icon). This client had trouble connecting. As you can see, there is an alert on the 802.1X Authentication portion of the connection process and a list of steps to try to determine exactly why this was a problem.

The number and type of connection status icons, and the advice in the Troubleshoot section, vary according to the kind of client, the stage of the connection process that had problems, and the likely sources of the problem. For more information, see “How the Client Troubleshooting Tool Gives Advice” in Related Topics.

Figure 12-2 Client Troubleshooting page for Unsuccessful Wireless Client

1 Troubleshoot

2 Problem

3 Recommendation

Related Topics

Launching the Client Troubleshooting Tool

How the Client Troubleshooting Tool Gives Advice

Searching for Clients

How the Client Troubleshooting Tool Gives Advice

Prime Infrastructure determines the number of connection areas and the type of troubleshooting advice to present on the Client Troubleshooting page based on the stages the client passes through when establishing a connection and the connectivity protocols involved at each stage.

Table 12-1 summarizes these stages and the protocols involved at each stage.


Table 12-1 Client Connection Stages and Protocols

Connection Stage         802.1X    MAC Authentication    Web Authentication
Link Connectivity        X         X                     X
802.1X Authentication    X         –                     –
MAC Authentication       –         X                     –
Web Authentication       –         –                     X
IP Connectivity          X         X                     X
Authorization            X         X                     X

Table 12-2 details the troubleshooting advice presented for each kind of problem detected during the stages of connection building.

Table 12-2 Troubleshooting Advice for Each Connection Stage and Problem

Client State: Link Connectivity

Problem: Cannot find the client in the network

Suggested Action:

Check whether the client cable is plugged into the network.

Check whether the client is using the proper cable to connect to the network.

Ensure that the port to which the client is connected is not disabled administratively.

Ensure that the port to which the client is connected is not error disabled.

Check whether the speed and duplex are set to Auto on the port to which the client is connected.

Problem: Authentication in progress

Suggested Action: If the client has been in this state for a long time, check the following:

Check whether the supplicant on the client is configured properly as required.

Modify the timers related to the authentication method and try again.

Use the fall back authentication feature if you are not sure which authentication method works with the client.

Try disconnecting and reconnecting.

Client State: 802.1X Authentication

Problem: 802.1X Authentication Failure

Suggested Action:

Check whether the RADIUS server(s) is reachable from the switch.

Check whether the client choice of EAP is supported by the RADIUS server(s).

Check whether the username/password/certificate of the client is valid.

Ensure that the certificates used by the RADIUS server are accepted by the client.

Client State: MAC Authentication

Problem: MAC Authentication Failure

Suggested Action:

Check whether the RADIUS server(s) is reachable from the switch.

Check whether the MAC address of the client is in the list of known clients on the RADIUS server.

Check whether the MAC address of the client is not in the list of excluded clients.

Client State: Web Authentication

Problem: Client could not be authenticated through web/guest interface

Suggested Action:

Check whether the guest credentials are valid and have not expired.

Check whether the client can be redirected to the login page.

Check whether the RADIUS server is reachable.

Ensure that pop-ups are not blocked.

Check whether the DNS resolution on the client is working.

Ensure that the client is not using any proxy settings.

Check whether the client can access https://<virtual-ip>/login.html

Check whether the browser of the client accepts the self-signed certificate offered by the controller.

Client State: IP Connectivity

Problem: Client could not complete DHCP interaction

Suggested Action:

Check whether the DHCP server is reachable.

Check whether the DHCP server is configured to serve the WLAN.

Check whether the DHCP scope is exhausted.

Check whether multiple DHCP servers are configured with overlapping scopes.

Check whether the local DHCP server is present. If the DHCP bridging mode is enabled (move it to second), the client is configured to get the address from the DHCP server.

Check if the client has the static IP configured and ensure that the client generates IP traffic.

Client State: Authorization

Problem: Authorization Failure

Suggested Action:

Ensure that the VLAN defined for authorization is available on the switch.

Ensure that the default port ACL is configured for ACL authorization.

Client State: Successful Connection

Problem: None

Suggested Action: None. This indicates that all previous stages were completed successfully.

Related Topics

Launching the Client Troubleshooting Tool

Searching for Clients

Analyzing Client Connection Logs


Searching for Clients

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Type the full or partial client MAC address in the Advanced Search text box, and click Search. The Search Results page appears.

Step 3  Click View List to view the clients that match the search criteria in the Clients page. The Monitor > Monitoring Tools > Clients and Users page appears.

You can click the Reset link to set the table to the default display so that the search criteria are no longer applied.

Step 4  Select a client, and then click Troubleshoot. The Troubleshooting Client page appears. If you are troubleshooting a Cisco-compatible Extension v5 client (wireless), your Troubleshooting Client page will have additional tabs.

If you receive a message that the client does not seem to be connected to any access point, you must reconnect the client and click Refresh.

Related Topics

Launching the Client Troubleshooting Tool

Analyzing Client Connection Logs

Analyzing Client Connection Logs

Step 1  Launch the Client Troubleshooting Tool for the client you want to analyze. See “Launching the Client Troubleshooting Tool” in Related Topics.

Step 2  Click the Log Analysis tab to view log messages logged against the client.

Step 3  Click Start to begin capturing log messages about the client from the controller.

Step 4  Click Stop to stop log message capture.

Step 5  Click Clear to clear all log messages. Log messages are captured for ten minutes and then automatically stopped. Click Start to continue.

Step 6  Click one of the links under Select Log Messages to display log messages (the number between parentheses indicates the number of messages).

Related Topics

Launching the Client Troubleshooting Tool

Searching for Clients

Viewing Client Event History and Event Logs


Viewing Client Event History and Event Logs

Step 1  Launch the Client Troubleshooting Tool. See “Launching the Client Troubleshooting Tool” in Related Topics.

Step 2  Click the Events tab to display the event history of a client.

Step 3  Click the Event Log tab to view the event log.

Step 4  Click Start to begin capturing log messages from the client.

Step 5  Click Stop when a sufficient number of messages have been collected.

The Client Troubleshooting Event log and Messaging features are available to CCX Version 6 clients only if the Management Service version is 2 and later.

Starting with Prime Infrastructure 3.0, ACS troubleshooting is no longer supported.

Related Topics

Launching the Client Troubleshooting Tool

Searching for Clients

Checking Client ISE Authentication History and Identity Services

Step 1  Launch the Client Troubleshooting Tool for the client you want to analyze. See “Launching the Client Troubleshooting Tool” in Related Topics.

Step 2  Click the Identity Services Engine tab to view information about ISE authentication.

Step 3  Enter the date and time ranges to retrieve historical authentication and authorization information, and then click Submit. The results of the query are displayed in the Authentication Records portion of the page.

Step 4  Click the Identity Services Engine tab to view information about the identity services parameters. You must configure the Identity Services Engine (ISE) before you access this tab.

If the ISE is not configured, it provides a link to add an ISE to Prime Infrastructure. The ISE provides authentication records to Prime Infrastructure via REST API. The network administrator can choose a time period for retrieving authentication records from the ISE.

Related Topics

Launching the Client Troubleshooting Tool

Searching for Clients

Checking Client Clean Air Environment


Checking Client Clean Air Environment

Step 1  Launch the Client Troubleshooting Tool for the client you want to analyze. See “Launching the Client Troubleshooting Tool” in Related Topics.

Step 2  Click the CleanAir tab to view information about the air quality parameters and active interferer for the CleanAir-enabled access point.

Step 3  Click CleanAir Details to know more about the air quality index.

Related Topics

Launching the Client Troubleshooting Tool

Searching for Clients

Checking Client ISE Authentication History and Identity Services

Running Diagnostic Tests on Problem Clients

Step 1  Launch the Client Troubleshooting Tool for the client you want to analyze. See “Launching the Client Troubleshooting Tool” in Related Topics.

Step 2  (Optional) Click the Test Analysis tab if Cisco-compatible Extension Version 5 or Version 6 clients are available.

Step 3  Check the check box for the applicable diagnostic test, enter any appropriate input information, and click Start. The Test Analysis tab allows you to run a variety of diagnostic tests on the client.

Related Topics

Launching the Client Troubleshooting Tool

Searching for Clients

When to Run Diagnostic Tests on Problem Clients

When to Run Diagnostic Tests on Problem Clients

Before you begin, ensure that you have reviewed the test qualifications and restrictions. See Related Topics.

The following diagnostic tests are available on the Test Analysis tab:

DHCP—Executes a complete DHCP Discover/Offer/Request/ACK exchange to determine that the DHCP is operating properly between the controller and client.

IP Connectivity—Causes the client to execute a ping test of the default gateway obtained in the DHCP test to verify that IP connectivity exists on the local subnet.

DNS Ping—Causes the client to execute a ping test of the DNS server obtained in the DHCP test to verify that IP connectivity exists to the DNS server.


DNS Resolution—Causes the DNS client to attempt to resolve a network name known to be resolvable to verify that name resolution is functioning correctly.

802.11 Association—Directs an association to be completed with a specific access point to verify that the client is able to associate properly with a designated WLAN.

802.1X Authentication—Directs an association and 802.1X authentication to be completed with a specific access point to verify that the client is able to properly complete an 802.1X authentication.

Profile Redirect—At any time, the diagnostic system might direct the client to activate one of the configured WLAN profiles and to continue operation under that profile.

To run the profile diagnostic test, the client must be on the diagnostic channel. This test uses the profile number as the input. To indicate a wildcard redirect, enter 0. With this redirect, the client is asked to disassociate from the diagnostic channel and associate with any profile. You can also enter a valid profile ID. Because the client is on the diagnostic channel when the test is run, only one profile is returned in the profile list. You should use this profile ID in the profile redirect test (when wildcard redirecting is not desired).

Related Topics

Launching the Client Troubleshooting Tool

Searching for Clients

Running Diagnostic Tests on Problem Clients

Pinging Problem Clients with Text Messages

Step 1  Launch the Client Troubleshooting Tool for the client you want to analyze. See “Launching the Client Troubleshooting Tool” in Related Topics.

Step 2  (Optional) For Cisco-compatible Extension Version 5 or Version 6 clients, a Messaging tab will appear which can be used to send an instant text message to the user of this client. From the Message Category drop-down list, choose a message, and click Send.

Related Topics

Launching the Client Troubleshooting Tool

Running Diagnostic Tests on Problem Clients

When to Run Diagnostic Tests on Problem Clients

Viewing Real Time Troubleshooting (RTTS) Details

Step 1  Launch the Client Troubleshooting Tool for the client you want to analyze. See “Launching the Client Troubleshooting Tool” in Related Topics.

Step 2  Click the RTTS tab to view the Real Time Troubleshooting (RTTS) details.

Step 3  Select the modules to debug and the debug level.

Step 4  Click Run. The RTTS manager executes a set of commands in the controllers connected to the client based on the selected debug modules and debug level and displays the RTTS details.

Step 5  Click the Filter tab to filter the RTTS details based on debug time, controller name, controller IP, severity, and debug message.

Step 6  Click the Export tab to export the debug details as a CSV file.

You can also debug other controllers based on the selected debug modules and debug levels by using the Choose different controllers option.

The RTTS Manager supports five concurrent RTTS debug sessions and each debug session is limited to five devices.

Related Topics

Launching the Client Troubleshooting Tool

Debug Commands for RTTS

Debug Commands for RTTS

Table 12-3 contains the list of debug commands for Legacy controllers and Converged Access Controllers 5760/3850/3650 Wireless LAN Controllers (WLCs).

Table 12-3 List of Debug Commands for Legacy Controllers and NGWC Controllers

Controller: Legacy

Modules to Debug: All, Dot1.x, Mobility, Wireless Client Join

Debug Level: Detail, Error, High Level

Commands:

debug capwap info enable
debug dot1x all enable
debug mobility directory enable
debug dot1x all enable
debug dot1x events enable
debug dot1x states enable
debug mobility packet enable
debug mobility keepalive enable
debug mobility directory enable
debug mobility config enable
debug mobility handoff enable
debug client <macAddress>
debug aaa all enable
debug dot1x all enable
debug client <macAddress>
debug client <macAddress>

Controller: NGWC

Modules to Debug: All, Dot1.x, Mobility, Wireless Client Join

Debug Level: Detail, Error, High Level

Commands:

debug capwap ap error
debug dot1x events
debug capwap ios detail
debug wcm-dot1x detail
debug wcm-dot1x all
debug dot1x all
debug wcm-dot1x errors
debug dot1x errors
debug wcm-dot1x trace
debug wcm-dot1x event
debug wcm-dot1x error
debug client mac-address <macAddress>
debug mobility all
debug mobility error
debug mobility handoff
debug wcdb error
debug wcdb event
debug wcdb db
debug ip dhcp snooping events
debug ip dhcp server events
debug client mac <macAddress>
debug client mac <macAddress>
debug client mac <macAddress>

Related Topic

Launching the Client Troubleshooting Tool

Tracking Clients

This feature enables you to track clients and be notified when they connect to a network.

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Click Track Clients. The Track Clients dialog box appears listing the currently tracked clients.

This table supports a maximum of 2000 rows. To add or import new rows, you must first remove some older entries.

Step 3  Click Add to track a single client, and then enter the following parameters:

Client MAC address

Expiration—Choose Never or enter a date.

Related Topics

Launching the Client Troubleshooting Tool

Specifying Notification Settings

Tracking Multiple Clients

This feature enables you to track multiple clients and be notified when they connect to a network.

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Click Track Clients. The Track Clients dialog box appears listing the currently tracked clients.

This table supports a maximum of 2000 rows. To add or import new rows, you must first remove some older entries.

Step 3  Click Add to track a single client, and then enter the following parameters:

Client MAC address

Expiration—Choose Never or enter a date.

Step 4  If you have a long list of clients, click Import to track multiple clients. This allows you to import a client list from a CSV file. Enter the MAC address and username.

You can download a sample CSV file that shows the data format:

# MACAddress, Expiration: Never/Date in MM/DD/YYYY format
00:40:96:b6:02:cc,10/07/2010
00:02:8a:a2:2e:60,Never

A maximum of 2000 clients can be tracked. If you have reached the limit, you will have to remove some clients from the list before you can add more.
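A pre-import check for the CSV format shown above, as an added example that is not part of the Cisco guide or of Prime Infrastructure. It assumes the two-field layout of the sample file, the literal value Never, colon-separated MAC addresses as in the sample, and the 2000-row limit; the function, constant, and variable names are hypothetical.

```python
import csv
import io
import re
from datetime import datetime

MAX_TRACKED_CLIENTS = 2000  # table limit stated in the guide
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")  # format used in the sample file
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4}")                    # MM/DD/YYYY, zero-padded

# The sample file exactly as the guide shows it.
SAMPLE_FROM_GUIDE = "\n".join([
    "# MACAddress, Expiration: Never/Date in MM/DD/YYYY format",
    "00:40:96:b6:02:cc,10/07/2010",
    "00:02:8a:a2:2e:60,Never",
])

# Constructed input (not from the guide) with one problem per line after the first.
CONSTRUCTED_BAD_INPUT = "\n".join([
    "00:40:96:b6:02:cc,Never",
    "00:40:96:B6:02:CC,Never",       # same MAC in different case
    "0040.96b6.02cc,Never",          # dotted notation, not the sample's format
    "00:02:8a:a2:2e:60,02/30/2016",  # well-formed but not a real date
    "00:02:8a:a2:2e:61,2016-02-01",  # wrong date layout
    "00:02:8a:a2:2e:62",             # expiration field missing
])


def parse_expiration(value):
    """Return None for 'Never' or a date for MM/DD/YYYY; raise ValueError otherwise."""
    if value == "Never":
        return None
    if not DATE_RE.fullmatch(value):
        raise ValueError("expiration must be 'Never' or MM/DD/YYYY")
    try:
        return datetime.strptime(value, "%m/%d/%Y").date()
    except ValueError:
        raise ValueError("expiration is not a real calendar date") from None


def validate_tracked_clients(text, already_tracked=0):
    """Check an import file; return (rows, errors).

    rows is a list of (lowercase MAC, expiration date or None).
    errors is a list of (line number, message); line 0 means the whole file.
    """
    rows, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text))
    for record in reader:
        lineno = reader.line_num
        fields = [field.strip() for field in record]
        if not any(fields) or fields[0].startswith("#"):
            continue  # blank line or comment header
        if len(fields) != 2:
            errors.append((lineno, "expected 2 fields: MACAddress,Expiration"))
            continue
        mac, expiration = fields
        if not MAC_RE.fullmatch(mac):
            errors.append((lineno, "MAC address must be six colon-separated hex pairs"))
            continue
        mac = mac.lower()
        if mac in seen:
            errors.append((lineno, "duplicate MAC address"))
            continue
        try:
            expires = parse_expiration(expiration)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        seen.add(mac)
        rows.append((mac, expires))
    if already_tracked + len(rows) > MAX_TRACKED_CLIENTS:
        errors.append((0, "import would exceed the 2000-row limit"))
    return rows, errors


if __name__ == "__main__":
    for name, text in (("guide sample", SAMPLE_FROM_GUIDE),
                       ("constructed bad input", CONSTRUCTED_BAD_INPUT)):
        rows, errors = validate_tracked_clients(text)
        print(f"{name}: {len(rows)} valid row(s)")
        for lineno, message in errors:
            print(f"  line {lineno}: {message}")
```

Pass the current number of tracked clients as already_tracked so that the limit check reflects the rows already in the Track Clients table.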

Related Topics

Launching the Client Troubleshooting Tool

Specifying Notification Settings

Tracking Clients

Specifying Notification Settings

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Click Track Clients. The Track Clients dialog box appears listing the currently tracked clients.

Step 3  Select the tracked client(s) for which you want to specify notification settings.

Step 4  Select a notification settings option from the following:

Purged Expired Entries—You can set the duration to keep tracked clients in the Prime Infrastructure database. Clients can be purged as follows:

after 1 week

after 2 weeks

after 1 month

after 2 months

after 6 months

kept indefinitely

Notification Frequency—You can specify when Prime Infrastructure sends a notification of a tracked client:

on first detection

on every detection

Notification Method—You can specify that the tracked client event generates an alarm or sends an email message.

Step 5  Enter the email address.

Step 6  Click Save.

Related Topics

Tracking Clients

Identifying Unknown Users

When to Assign a Username

Not all users or devices are authenticated via 802.1X (for example, printers). In such a case, a network administrator can assign a username to a device.

If a client device is authenticated to the network through web auth, Prime Infrastructure might not have username information for the client (applicable only for wired clients).

Clients are marked as unknown when the NMSP connection to the wired switch is lost. A client status (applicable only for wired client) is noted as connected, disconnected, or unknown:

Connected clients—Clients that are active and connected to a wired switch.

Disconnected clients—Clients that are disconnected from the wired switch.

Unknown clients—Clients that are marked as unknown when the NMSP connection to the wired switch is lost.

Related Topics

Identifying Unknown Users


Identifying Unknown Users

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Click Identify Unknown Users.

Step 3  Click Add to add a user.

Step 4  Enter the MAC address and username and click Add.

Once a username and MAC address have been added, Prime Infrastructure uses this data for client lookup by matching the MAC address.

Step 5  Repeat Step 3 to Step 4 to enter a MAC Address and its corresponding username for each client.

Step 6  Click Save.

The username is updated only when the next association of the client occurs.

This table supports a maximum of 10,000 rows. To add or import new rows, you must first remove some older entries.

Related Topics

When to Assign a Username

Tracking Clients

Modifying the Clients and Users Page

Modifying the Clients and Users Page

You can add, remove, or reorder columns in the Clients table.

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Click the settings icon, then click Columns.

Step 3  Select the columns to show.

Step 4  Click Reset to restore the default view.

Step 5  Click Close to confirm the changes.

Related Topics

Tracking Clients

Enabling Automatic Client Troubleshooting

Enabling Automatic Client Troubleshooting

In the Settings > Client page, you can enable automatic client troubleshooting on a diagnostic channel.

This feature is available only for Cisco-compatible Extension clients Version 5.


To enable automatic client troubleshooting, follow these steps:

Step 1  Choose Administration > Settings > System Settings.

Step 2  From the left sidebar menu, choose Client.

Step 3  Check the Automatically troubleshoot client on diagnostic channel check box.

When the check box is selected, Prime Infrastructure processes the diagnostic association trap. When it is not selected, Prime Infrastructure raises the trap, but automated troubleshooting is not initiated.

Step 4  Click Save.

Related Topics

Modifying the Clients and Users Page

Obtaining Radio Measurements for a Client

When to Obtain Radio Measurements for a Client

In the client page, you can obtain radio measurements only if the client is Cisco-compatible Extensions v2 (or higher) and in the associated state (with a valid IP address). If the client is busy when asked to do the measurement, it determines whether to honor the measurement or not. If it declines to make the measurement, it shows no data from the client.

This feature is available to CCX Version 6 clients only if the Foundation service version is 1 or later.

Related Topic

Obtaining Radio Measurements for a Client

Obtaining Radio Measurements for a Client

To receive radio measurements, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Click the circle next to a client.

You can also perform a search for a specific client using the Prime Infrastructure Search feature. See “Searching for Clients” in Related Topics.

Step 3  From the Test drop-down list, choose Radio Measurement.

The Radio Measurement option only appears if the client is Cisco-compatible Extensions v2 (or higher) and is in the associated state (with a valid IP address).

Step 4  Check the check box to indicate if you want to specify beacon measurement, frame measurement, channel load, or noise histogram.

Step 5  Click Initiate. The different measurements produce differing results. See “Radio Measurement Results for a Client” in Related Topics.


The measurements take about 5 milliseconds to perform. A message from Prime Infrastructure indicates the progress. If the client chooses not to perform the measurement, that is communicated.

Related Topics

Searching for Clients

When to Obtain Radio Measurements for a Client

Radio Measurement Results for a Client

Radio Measurement Results for a Client

Depending on the measurement type requested, the following information might appear:

Beacon Response

Channel—The channel number for this measurement

BSSID—6-byte BSSID of the station that sent the beacon or probe response

PHY—Physical Medium Type (FH, DSS, OFDM, high rate DSS or ERP)

Received Signal Power—The strength of the beacon or probe response frame in dBm

Parent TSF—The lower 4 bytes of serving access point TSF value

Target TSF—The 8-byte TSF value contained in the beacon or probe response

Beacon Interval—The 2-byte beacon interval in the received beacon or probe response

Capability information—As found in the beacon or probe response

Frame Measurement

Channel—Channel number for this measurement

BSSID—BSSID contained in the MAC header of the data frames received

Number of frames—Number of frames received from the transmit address

Received Signal Power—The signal strength of 802.11 frames in dBm

Channel Load

Channel—The channel number for this measurement

CCA busy fraction—The fractional duration over which CCA indicated the channel was busy during the measurement duration defined as ceiling (255 times the duration the CCA indicated channel was busy divided by measurement duration)

Noise Histogram

Channel—The channel number for this measurement

RPI density in each of the eight power ranges

Related Topics

When to Obtain Radio Measurements for a Client

Obtaining Radio Measurements for a Client


Viewing Client V5 Statistics

To access the Statistics request page, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the Test drop-down list, choose V5 Statistics.

This menu is shown only for CCX v5 and later clients.

Step 4  Click Go.

Step 5  Select the desired type of stats (Dot11 Measurement or Security Measurement).

Step 6  Click Initiate to initiate the measurements.

The duration of measurement is five seconds.

Step 7  Depending on the V5 Statistics request type, the following counters are displayed in the results page:

Dot11 Measurement

Transmitted Fragment Count

Multicast Transmitted Frame Count

Failed Count

Retry Count

Multiple Retry Count

Frame Duplicate Count

Rts Success Count

Rts Failure Count

Ack Failure Count

Received Fragment Count

Multicast Received Frame Count

FCS Error Count—This counter increments when an FCS error is detected in a received MPDU.

Transmitted Frame Count

Security

Pairwise Cipher

Tkip ICV Errors

Tkip Local Mic Failures

Tkip Replays

Ccmp Replays

Ccmp Decryp Errors

Mgmt Stats Tkip ICV Errors

Mgmt Stats Tkip Local Mic Failures

Mgmt Stats Tkip Replays

Mgmt Stats Ccmp Replays


Mgmt Stats Ccmp Decrypt Errors

Mgmt Stats Tkip MHDR Errors

Mgmt Stats Ccmp MHDR Errors

Mgmt Stats Broadcast Disassociate Count

Mgmt Stats Broadcast Deauthenticate Count

Mgmt Stats Broadcast Action Frame Count

Related Topics

Viewing Client Operational Parameters

Viewing Client Operational Parameters

To view specific client operational parameters, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the Test drop-down list, choose Operational Parameters.

The following information is displayed:

Operational Parameters:

Device Name—User-defined name for device.

Client Type—Client type can be any of the following:

laptop(0)

pc(1)

pda(2)

dot11mobilephone(3)

dualmodephone(4)

wgb(5)

scanner(6)

tabletpc(7)

printer(8)

projector(9)

videoconfsystem(10)

camera(11)

gamingsystem(12)

dot11deskphone(13)

cashregister(14)

radiotag(15)


rfidsensor(16)

server(17)

SSID—SSID being used by the client.

IP Address Mode—The IP address mode such as static configuration or DHCP.

IPv4 Address—IPv4 address assigned to the client.

IPv4 Subnet Address—IPv4 subnet address assigned to the client.

IPv6 Address—IPv6 address assigned to the client.

IPv6 Subnet Address—IPv6 subnet address assigned to the client.

Default Gateway—The default gateway chosen for the client.

Operating System—Identifies the operating system that is using the wireless network adapter.

Operating System Version—Identifies the version of the operating system that is using the wireless network adapter.

WNA Firmware Version—Version of the firmware currently installed on the client.

Driver Version—

Enterprise Phone Number—Enterprise phone number for the client.

Cell Phone Number—Cell phone number for the client.

Power Save Mode—Displays any of the following power save modes: awake, normal, or maxPower.

System Name—

Localization—

Radio Information:

Radio Type—The following radio types are available:

unused(0)

fhss(1)

dsss(2)

irbaseband(3)

ofdm(4)

hrdss(5)

erp(6)

Radio Channel—Radio channel in use.

DNS/WNS Information:

DNS Servers—IP address for DNS server.

WNS Servers—IP address for WNS server.

Security Information:

Credential Type—Indicates how the credentials are configured for the client.

Authentication Method—Method of authentication used by the client.

EAP Method—Method of Extensible Authentication Protocol (EAP) used by the client.

Encryption Method—Encryption method used by the client.


Key Management Method—Key management method used by the client.

Related Topics

Viewing Client Operational Parameters

Viewing Client Profiles

Viewing Client Profiles

To view specific client profile information, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the More drop-down list, choose Profiles.

The following information is displayed:

Profile Name—List of profile names as hyperlinks. Click a hyperlink to display the profile details.

SSID—SSID of the WLAN to which the client is associated.

Related Topics

Disabling Current Clients

Disabling Current Clients

To disable a current client, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  Click Disable. The Disable Client page appears.

Step 4  Enter a description in the Description text box.

Step 5  Click OK.

Once a client is disabled, it cannot join any network or SSID on the controller(s). To enable the client again, choose Configuration > Network > Network Devices > Wireless Controller > Device Name > Security > Manually Disabled Clients, and remove the client entry.

Related Topics

Viewing Client Profiles

Removing Current Clients


Removing Current Clients

To remove a current client, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  Choose Remove.

Step 4  Click Remove to confirm the deletion.

Related Topic

Enabling Mirror Mode

Enabling Mirror Mode

When a client is enabled, mirror mode enables you to duplicate (to another port) all the traffic originating from or terminating at a single client device or access point.

Mirror mode is useful in diagnosing specific network problems but should only be enabled on an unused port because any connections to this port become unresponsive.

To enable mirror mode, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the More drop-down list, choose Enable Mirror Mode.

Step 4  Click Go.

Related Topics

Mapping Recent Client Locations

Mapping Recent Client Locations

To display a high-resolution map of the client's recent location, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Choose a client from the Client Username column.

Step 3  From the More drop-down list, choose Recent Map (High Resolution).

Step 4  Click Go.


Related Topic

Mapping Current Client Locations

Mapping Current Client Locations

To display a high-resolution map of the client's current location, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the More drop-down list, choose Present Map (High Resolution).

Step 4  Click Go.

Related Topic

Running Client Sessions Reports

Running Client Sessions Reports

To view the most recent client session report results for a client, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the More drop-down list, choose Client Sessions Report.

Step 4  Click Go. The Client Session report details display.

Related Topic

Viewing Client Roam Reason Reports

Viewing Client Roam Reason Reports

To view the most recent roam report for this client, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the More drop-down list, choose Roam Reason.

Step 4  Click Go.

This page displays the most recent roam report for the client. Each roam report has the following information:

New AP MAC address


Old (previous) AP MAC address

Previous AP SSID

Previous AP channel

Transition time—Time that it took the client to associate to a new access point.

Roam reason—Reason for the client roam.

Related Topic

Viewing Detecting Access Point Details

Viewing Detecting Access Point Details

To display details of access points that can hear the client including the signal strength/SNR, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the More drop-down list, choose Detecting APs.

Step 4  Click Go.

Related Topic

Viewing Client Location History

Viewing Client Location History

To display the history of the client location based on RF fingerprinting, follow these steps:

Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the More drop-down list, choose Location History.

Step 4  Click Go.

Related Topic

Viewing Voice Metrics for a Client

Viewing Voice Metrics for a Client

To view traffic stream metrics for this client, follow these steps:


Step 1  Choose Monitor > Monitoring Tools > Clients and Users.

Step 2  Select a client.

Step 3  From the More drop-down list, choose Voice Metrics.

Step 4  Click Go.

The following information appears:

Time—Time that the statistics were gathered from the access point(s).

QoS

AP Ethernet MAC

Radio

% PLR (Downlink)—Percentage of packets lost on the downlink (access point to client) during the 90 second interval.

% PLR (Uplink)—Percentage of packets lost on the uplink (client to access point) during the 90 second interval.

Avg Queuing Delay (ms) (Uplink)—Average queuing delay in milliseconds for the uplink. Average packet queuing delay is the average delay of voice packets traversing the voice queue. Packet queue delay is measured beginning when a packet is queued for transmission and ending when the packet is successfully transmitted. It includes time for re-tries, if needed.

% Packets > 40 ms Queuing Delay (Downlink)—Percentage of queuing delay packets greater than 40 ms.

% Packets 20ms—40ms Queuing Delay (Downlink)—Percentage of queuing delay packets greater than 20 ms.

Roaming Delay—Roaming delay in milliseconds. Roaming delay, which is measured by clients, is measured beginning when the last packet is received from the old access point and ending when the first packet is received from the new access point after a successful roam.

Related Topic

Viewing Client Location History


CHAPTER 13

Performance Routing Version 3 Based Network Monitoring

Performance Routing

Performance Routing Version 3 (PfRv3) represents the third generation of enhancement to the intelligent path control capabilities offered by Cisco. PfR monitors network performance and selects the best path for each application based upon advanced criteria such as reachability, delay, jitter and packet loss. PfR can evenly distribute traffic to maintain equivalent link utilization levels using an advanced load balancing technique.

PfRv3 is the intelligent path control of the IWAN initiative and provides a business-class WAN over Internet transports. PfR allows customers to protect critical applications from fluctuating WAN performance while intelligently load balancing traffic over all WAN paths.

PfR comprises two major Cisco IOS components:

Master Controller—The master controller is a policy decision point at which policies are defined and applied to various traffic classes that traverse the border router systems. The master controller can be configured to learn and control traffic classes on the network.

Border Routers—The border routers are in the data forwarding path. The border router collects data from the Performance Monitor cache and from the smart probe results. The border router influences the packet forwarding path as directed by the master controller to manage user traffic.

Getting Access to PfR Monitoring for a User Group

PfR monitoring is enabled for the Prime Infrastructure root user group by default.

To give other user groups access to the PfR monitoring landing page, do the following:

Step 1  Choose Administration > User, Roles & AAA > User.

Step 2  Click Users in the left pane, and choose Select a command > Add User, then click Go.

Step 3  Enter the username and password, and then confirm the password, for the new user.

Step 4  Assign a user group to the new user by selecting the check box next to each user group that has the PfR Monitoring Access entry in its task list.

Step 5  Click Save.

Step 6  Log in to Prime Infrastructure using the new Username and Password.

Step 7  Choose Services > Application Visibility & Control > PfR Monitoring.

Step 8  If you do not see PfR Monitoring, go to Administration > User, Roles & AAA > User Groups.

Step 9  Click Task List corresponding to the assigned user group and check whether PfR Monitoring is available.

Step 10  If PfR Monitoring is not available in the task list, click the Task Permissions tab and check the PfR Monitoring Access check box under the Network Monitoring list.

Step 11  Click Submit.

PfR Monitoring Landing Page

You can launch the PfR monitoring landing page by choosing Services > Application Visibility & Control > PfR Monitoring. The PfR landing page includes the Site to Site PfR Events table, a filter panel, a Metrics panel (Metrics Crossing Thresholds versus Service Provider(s)), and a time slider.

By default, Auto Refresh Enabled is selected so the PfR landing page is refreshed every five minutes.

Hover your mouse over the Refresh icon next to the Auto Refresh Enabled check box to see the time until the next refresh. You can also manually refresh the PfR landing page by clicking the Refresh icon at the top right corner of the PfR landing page.

Related Topics

Site to Site PfR Events Table

PfR Filter Panel

Metrics Crossing Thresholds Vs Service Provider(s)

Time Slider

Site to Site PfR Events Table

The Site to Site PfR Events table displays site to site PfR events, including Threshold Crossing Alert (TCA), Route Change (RC), and Immitigable Event (IME). By default, the PfR events that occurred over the last 72 hours are displayed.

The events are represented by red and blue dots in the Site to Site PfR Events table. Metric violations that PfR could not correct are classified as IME and indicated as red dots in the table. Degraded network performance that PfR identified and corrected is indicated by blue dots.

The events in the table are sorted so that the site combination with the maximum number of IMEs is in the top row of the table. If two site combinations have an equal number of IMEs, the one with the maximum number of events (including IME, TCA, and RC) is placed on top and indicated in red. You can view the site hierarchy by hovering the mouse over the source and destination sites.

You can search the events based on the site name, RC or TCA or IME by entering the search criteria in the Search box.
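The ordering rule described above, as an added example that is not Prime Infrastructure code: it counts events per site pair inside the time window, then sorts by IME count and, for ties, by total event count. The event record layout, the site names, and the alphabetical final tie-break are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EVENT_TYPES = ("TCA", "RC", "IME")

# Constructed reference time for the sample data (not taken from a real system).
NOW = datetime(2015, 11, 9, 12, 0)


def _ago(hours):
    """Timestamp the given number of hours before NOW."""
    return NOW - timedelta(hours=hours)


# Constructed sample events: (timestamp, source site, destination site, event type).
# This record layout is an assumption, not a Prime Infrastructure export format.
SAMPLE_EVENTS = [
    (_ago(2), "HQ", "Branch-A", "TCA"),
    (_ago(2), "HQ", "Branch-A", "RC"),
    (_ago(30), "HQ", "Branch-A", "TCA"),
    (_ago(30), "HQ", "Branch-A", "RC"),
    (_ago(5), "HQ", "Branch-B", "TCA"),
    (_ago(5), "HQ", "Branch-B", "RC"),
    (_ago(4), "HQ", "Branch-B", "IME"),
    (_ago(10), "HQ", "Branch-C", "TCA"),
    (_ago(9), "HQ", "Branch-C", "IME"),
    (_ago(20), "Branch-A", "HQ", "TCA"),
    (_ago(19), "Branch-A", "HQ", "IME"),
    (_ago(100), "Branch-A", "HQ", "IME"),  # outside the default 72-hour window
]


def dot_color(event_type):
    """Red for IME (violation PfR could not correct), blue for TCA and RC.

    Treating every non-IME event as a blue dot is this example's reading
    of the table description.
    """
    if event_type not in EVENT_TYPES:
        raise ValueError("unknown PfR event type: %r" % (event_type,))
    return "red" if event_type == "IME" else "blue"


def summarize_site_pairs(events, now, window_hours=72):
    """Return one row per site pair, ordered as the events table describes.

    Rows are sorted by IME count (descending), then by total event count
    (descending). The final alphabetical tie-break on the site pair is an
    assumption that keeps the output deterministic.
    """
    cutoff = now - timedelta(hours=window_hours)
    counts = defaultdict(Counter)
    for timestamp, source, destination, event_type in events:
        dot_color(event_type)  # validates the event type
        if cutoff <= timestamp <= now:
            counts[(source, destination)][event_type] += 1

    rows = []
    for pair, counter in counts.items():
        rows.append({
            "pair": pair,
            "ime": counter["IME"],
            "tca": counter["TCA"],
            "rc": counter["RC"],
            "total": sum(counter.values()),
        })
    rows.sort(key=lambda row: (-row["ime"], -row["total"], row["pair"]))
    return rows


if __name__ == "__main__":
    for row in summarize_site_pairs(SAMPLE_EVENTS, NOW):
        print("%-10s -> %-10s IME=%d TCA=%d RC=%d total=%d" % (
            row["pair"][0], row["pair"][1],
            row["ime"], row["tca"], row["rc"], row["total"]))
```

A site pair with many corrected events (HQ to Branch-A in the sample) still sorts below any pair that has a single IME, which is why the top rows of the table are the ones to triage first.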

Related Topics

PfR Monitoring Landing Page

Site to Site PfR Events Table

Metrics Crossing Thresholds Vs Service Provider(s)


Time Slider

PfR Filter Panel

The PfR Filter Panel allows you to filter events based on time filter, location group filter, event filter, and service provider filter. The Metrics panel and the Site to Site PfR Events table display the details based on the selected filter options.

Table 13-1 displays the filter options available in the Filter panel.

Table 13-1 Filter Options

Filter Option: Time Filter

Description: The default filter time is 72 hours. You can choose any of the preset filter times. The Custom option allows you to select the From and To dates and time. You can also use the Jump To option, available adjacent to the filter icon, to set the filter time.

Filter Option: Location Group Filter

Description: Allows you to select the From Site and To Site. You can select either a parent site or a child site. If you select a parent site, the PfR events table will display the details of the parent and all its children.

Filter Option: Events Filter

Description: You can choose one or more of the following events:

TCA—Generated by the master controller whenever there is a violation of the metrics such as Unreachability, Delay, Jitter and Packet loss, based on the DSCP. You can also choose one of the TCA metrics.

RC—Generated by the master controller whenever there is a route change to rectify a TCA.

IME—Generated by the master controller whenever an RC fails and the traffic violation could not be corrected.

Filter Option: Service Provider Filter

Description: Displays the list of service providers based on the border router NetFlow data and allows you to select one or more service providers.

You can view the selected filter options in the top of the filter panel. You can click more to view all the selected filter options.

Related Topics

PfR Monitoring Landing Page

Metrics Crossing Thresholds Vs Service Provider(s)

Site to Site PfR Events Table

Time Slider

Metrics Crossing Thresholds Vs Service Provider(s)

The Metrics panel displays the metrics gathered using the TCA, as charts. Each service provider is represented by a unique color in the chart. The charts available in the Metrics panel are:

Unreachability over time

Maximum Delay over time


Maximum Jitter over time

Maximum Packet loss% over time

A particular service provider may not have TCA, but may have RC events occurring when a route changes from the other service provider to the selected service provider. The Metrics panel may not show any graphs for the particular service provider whereas the PfR events table shows the RC events of the service provider.

Related Topics

PfR Monitoring Landing Page

Site to Site PfR Events Table

Time Slider

Time Slider

A time slider at the bottom of the page represents the time range selected using the filter. You can drag the slider to set a particular time range. The Metrics panel and the Site to Site PfR Events table change to match the set time range.

Related Topics

PfR Monitoring Landing Page

PfR Site To Site Details Page

Metrics Crossing Thresholds Vs Service Provider(s)

Site to Site PfR Events Table

PfR Site To Site Details Page

A PfR events pop-up window appears when you click an event (dot) in the Site to Site PfR Events table. The pop-up window displays the events that occurred in the selected time range and the number of occurrences of each event.

Click the Click here for site to site details link in the pop-up window to view the site to site details page, which includes the Site to Site Topology, Threshold Crossing Alert(s), Route Change Event(s), and Immitigable tabs.

Table 13-2 displays the details of the PfR Events.

Table 13-2 PfR Events Details

Tab: Site to Site Topology

Details displayed under the tab: The schematic representation of the site to site network topology monitored by PfR V3.

Tab: Threshold Crossing Alerts

Details displayed under the tab: Time at which the events occurred, Border Router, WAN Interface, Service Provider, DSCP, Byte Loss (%), Packet Loss (%), Delay (ms), Jitter (ms), and Reachability.

Tab: Route Change Events

Details displayed under the tab: Time at which the events occurred, Border Router, WAN Interface, Service Provider, DSCP, Application.

Tab: Immitigable Events

Details displayed under the tab: Time at which the events occurred, Service Provider, Number of Performance Violations, and Number of Bandwidth Violations.

Related Topics

Site to Site PfR Topology

Viewing Link Context page

Viewing Device Context Page

Site to Site PfR Topology

The site to site network monitored by PfR V3 is schematically represented by a topology diagram. The topology is plotted based on the data for a minimum of 72 hours, even if you select a time frame of less than 72 hours using the time filter.

The site to site topology consists of nodes representing border router, master controller, and service provider. The egress and ingress orange links represent the WAN link connectivity between border router and service provider, and blue links connect the border router and master controller. The color of the link does not indicate the link state or the bandwidth utilization.

If the inventory collection is not proper or if a user is not authorized to access the node (as per Role Based Access Control), the node is dimmed and you cannot click the node or the corresponding links.

Click a node to view the device metrics pop-up window, from where you can navigate to the corresponding device context page. Click the Launch Device Dashboard link in the device metrics pop-up window to view the Device dashlets in the Performance dashboard. See Performance Dashboard in Related Topics.

Similarly, click a link to view the link metrics pop-up window, from where you can navigate to the link context page. Click the Launch Interface Dashboard link in the Link Metrics pop-up window to view the Interface dashlets in the Performance dashboard.

Related Topics

PfR Site To Site Details Page

Comparing WAN Interfaces

Viewing Device Context Page

Viewing Link Context page

Performance Dashboards

Viewing Device Context Page

The device context page displays the Border Router Metrics and WAN link Usage and Performance.

Step 1  Click a node in the topology.

The device metrics pop-up window showing CPU Utilization and Memory Utilization appears.

Step 2  Click Analyze in the device metrics pop-up window to view the device context page. You can see:

Border Router Metrics—Displays three charts in which the utilization of service provider, memory and CPU are plotted for the selected time range. In the CPU and memory utilization charts, click the CPU and memory modules to know their utilization. Click the zoom icon to see the enlarged view of the chart. You can further enlarge the chart to view the data pattern in a specific time interval by moving the slider.

WAN Link Usage and Performance—Displays a table that shows WAN link usage and performance with respect to DSCP markings, for the WAN interfaces of the selected border router. The data includes Egress Bandwidth (B/W) usage, the number of TCAs, RCs and IMEs that occurred, and the number of applications associated to DSCP markings. The number of applications is visible only if AVC NetFlow is received by Prime Infrastructure for this WAN link.

Step 3  Click the Expand arrow adjacent to the Traffic Class in the WAN Link Usage and Performance table to view and compare the Egress Bandwidth Utilization over time and Top Application traffic over time for that traffic class.

Related Topics

PfR Site To Site Details Page

Site to Site PfR Events Table

Viewing Link Context page

Comparing WAN Interfaces

Viewing Link Context page

The link context page displays WAN Link Metrics and WAN Link Usage and Performance details.

Step 1  Click Egress orange link in the topology.

The Link Metrics pop-up window comprising Egress B/W utilization, Interface Tx/Rx utilization, Maximum one-way delay, Maximum packet loss%, and Maximum Jitter appears.

Step 2  Click Ingress orange link in the topology.

The Link Metrics pop-up window comprising Ingress B/W utilization and Interface Tx/Rx utilization appears.

Step 3  Click Analyze in the Link Metrics pop-up window to view the link context page. You can see:

WAN Link Metrics—Displays WAN Link B/W Usage Over Time, Top 5 Application Traffic Over Time, and Top QOS Class Map Statistics Trend charts. Click the zoom icon to view the enlarged view of the chart. You can further enlarge the chart to view the data pattern in a specific time interval by moving the slider.

WAN Link Usage and Performance—Displays a table that shows WAN Link Usage and Performance with respect to DSCP markings, for the WAN interface. The data includes Egress Bandwidth (B/W) usage, the number of TCAs, RCs and IMEs that occurred, and the number of applications associated to DSCP markings. The number of applications is visible only if AVC NetFlow is received by Prime Infrastructure for this WAN link.

Step 4  Click the Expand arrow adjacent to the Traffic Class in the WAN Link Usage and Performance table to view the Egress Bandwidth Utilization over time and Top Application traffic over time for that traffic class.

Related Topics

PfR Site To Site Details Page

Site to Site PfR Topology

Viewing Device Context Page

Comparing WAN Interfaces

Comparing WAN Interfaces

The Compare WAN Interfaces page shows the WAN link usage and performance of the selected WAN interfaces.

Step 1  Choose Services > Application Visibility & Control > PfR Monitoring.

Step 2  Click Compare WAN Interfaces in the top right corner of the PfR Landing Page.

Step 3  In the Compare WAN Interfaces page, click the filter icon to view the Time Filter, if required.

Step 4  In the Compare WAN Interfaces page, choose the Source Site, Border Router and WAN Interface/Service Provider details and click Compare.

You can view the WAN Link Usage and Performance table that compares the Egress Bandwidth (B/W) usage, the number of TCAs, RCs and IMEs that occurred, and the number of applications routed, for the selected WAN Interfaces.

Step 5  Click Reset to reset an individual comparison group or click Reset All to reset all the three comparison groups, if required.

You can also click Compare WAN Links in the device metrics pop-up window in the topology to view the Compare WAN Interfaces page. The border router and WAN Interface details get automatically populated based on the device from which the page is launched.

Related Topics

PfR Site To Site Details Page

Site to Site PfR Topology

Viewing Link Context page


Chapter 14 Monitoring Wireless Technologies

This chapter contains the following sections:

Monitoring Radio Resource Management

Monitoring Interferers

Monitoring Media Streams

Troubleshooting Unjoined Access Points

Monitoring Chokepoints

Monitoring WiFi TDOA Receivers

Monitoring Radio Resource Management

The operating system security solution uses the Radio Resource Management (RRM) function to continuously monitor all nearby access points to automatically discover rogue access points.

RRM, built into the Cisco Unified Wireless Network, monitors and dynamically corrects performance issues found in the RF environment.

Prime Infrastructure would receive traps whenever a change in the transmit power of the access point or channel occurred. These trap events or similar events such as RF regrouping were logged into Prime Infrastructure events as informational and were maintained by the event dispatcher. The reason behind the transmit power or channel changes (such as signals from neighboring access points, interference, noise, load, and the like) were not evident. You could not view these events and statistics to then perform troubleshooting practices.

RRM statistics help to identify trouble spots and provide possible reasons for channel or power-level changes. The dashboard provides network-wide RRM performance statistics and predicts reasons for channel changes based on event groupings. The event groupings may include the following:

Worst performing access points

Configuration mismatch between controllers in the same RF group

Coverage holes that were detected by access points based on threshold

Precoverage holes that were detected by controllers

Ratios of access points operating at maximum power

Note

RRM dashboard information is available only for lightweight access points.

Channel Change Notifications

Notifications are sent to the Prime Infrastructure RRM dashboard when a channel change occurs.

Channel changes depend on the Dynamic Channel Assignment (DCA) configuration where the mode can be set to auto or on demand. When the mode is auto, channel assignment is periodically updated for all lightweight access points that permit this operation. When the mode is set to on demand, channel assignments are updated based on request. If the DCA is static, no dynamic channel assignments occur, and values are set to their global defaults.

When a channel change trap is received after an earlier channel change, the event is marked as Channel Revised; otherwise, it is marked as Channel Changed. A channel change event can have multiple causes.

The reason code is factored and equated to 1, irrespective of the number of reasons that are possible. For example, suppose a channel change might be caused by signal, interference, or noise. The reason code in the notification is refactored across the reasons. If the event had three causes, the reason code is refactored to 1/3 or 0.33 per reason. If ten channel change events have the same reason code, all three reasons are equally factored to determine the cause of the channel change.

Transmission Power Change Notifications

Notifications are sent to the Prime Infrastructure RRM dashboard when transmission power changes occur. Each event for transmit power changes is caused by multiple reasons. The reason code is factored and equated to one, irrespective of the number of reasons for the event to occur.
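The equal-split weighting described for channel change and transmission power change notifications, worked through as an added example (this is not Prime Infrastructure code): each event carries a total weight of 1 divided across its reasons, and the weights are tallied over the 24-hour and 7-day windows the dashboard reports. The event tuples, MAC addresses, function names, the fallback to Other, and the per-radio reading of the Channel Revised rule are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real traps): (timestamp, AP radio MAC, reasons).
NOW = datetime(2015, 11, 9, 12, 0, 0)
EVENTS = [
    (NOW - timedelta(hours=2), "00:11:22:33:44:01", ["Signal", "WiFi Interference", "Noise"]),
    (NOW - timedelta(hours=1), "00:11:22:33:44:01", ["Noise"]),
    (NOW - timedelta(hours=5), "00:11:22:33:44:02", ["Radar"]),
    (NOW - timedelta(days=3), "00:11:22:33:44:02", ["Load", "Noise"]),
    (NOW - timedelta(days=9), "00:11:22:33:44:03", ["Signal"]),  # older than 7 days
]

DAY = timedelta(hours=24)
WEEK = timedelta(days=7)


def weight_event(reasons):
    """Split one event's total weight of 1 equally across its distinct reasons."""
    distinct = sorted(set(reasons))
    if not distinct:
        # Assumption: an event that reports no reason is counted under "Other".
        distinct = ["Other"]
    share = 1.0 / len(distinct)
    return {reason: share for reason in distinct}


def reason_totals(events, now, window):
    """Return (weighted total per reason, number of events) inside the window."""
    totals = defaultdict(float)
    count = 0
    for timestamp, _mac, reasons in events:
        if now - window <= timestamp <= now:
            count += 1
            for reason, share in weight_event(reasons).items():
                totals[reason] += share
    return dict(totals), count


def reason_percentages(events, now, window):
    """Percentage of weighted reasons, as a causes chart would plot them."""
    totals, count = reason_totals(events, now, window)
    if count == 0:
        return {}
    return {reason: round(100.0 * weight / count, 1) for reason, weight in totals.items()}


def mark_events(events):
    """Label events in time order: the first change seen for a radio is
    'Channel Changed', any later one is 'Channel Revised'.
    Assumption: 'an earlier channel change' is tracked per AP radio MAC."""
    seen = set()
    labels = []
    for timestamp, mac, _reasons in sorted(events, key=lambda event: event[0]):
        labels.append((timestamp, mac, "Channel Revised" if mac in seen else "Channel Changed"))
        seen.add(mac)
    return labels


if __name__ == "__main__":
    for name, window in (("24-hour", DAY), ("7-day", WEEK)):
        print(name, reason_percentages(EVENTS, NOW, window))
    for timestamp, mac, label in mark_events(EVENTS):
        print(timestamp.isoformat(), mac, label)
```

Because every event contributes exactly 1 in total, the weighted reason totals for a window always sum to the number of events in that window, so the percentages add up to 100 apart from rounding.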

RF Grouping Notifications

When RRM is run on the controller, dynamic grouping is done and a new group leader is chosen.

Dynamic grouping has three modes: Automatic, Off, and Leader. When grouping is Off, no dynamic grouping occurs, and each switch optimizes only its own lightweight access point parameters. When grouping is Automatic, switches form groups and elect leaders to perform better dynamic parameter optimization. With automatic grouping, configured intervals (in seconds) represent the period with which the grouping algorithm is run. (Grouping algorithms also run when the group contents change and automatic grouping is enabled.)

RRM Dashboard

The RRM dashboard is available at Monitor > Wireless Technologies > Radio Resource Management.

The dashboard is made up of the following parts:

The RRM RF Group Summary shows the number of different RF groups. To get the latest number of RF Groups, run the configuration synchronization background task.

The RRM Statistics portion shows network-wide statistics.

The Channel Change Reason portion shows why channels changed for all 802.11a/b/g/n radios.

Signal—The channel changed because it improved the channel quality for some other neighbor radio(s). Improving the channel quality for some other neighbor radio(s) improved the channel plan of the system as evaluated by the algorithm.

WiFi Interference

Load

Radar

Noise

Persistent Non-WiFi Interference

Major Air Quality Event

Other

The Channel Change shows all events complete with causes and reasons.

The Configuration Mismatch portion shows comparisons between leaders and members.

The Coverage Hole portion rates how severe the coverage holes are and gives their location.

The Percent Time at Maximum Power shows what percent of time the access points were at maximum power and gives the location of those access points.

The following statistics are displayed:

Total Channel Changes—The sum total of channel changes across 802.11a/b/g/n radios, irrespective of whether the channel was updated or revised. The count is split over a 24-hour and 7-day period.

If you click the percentages link or the link under the 24-hour column, a page with details for that access point only appears.

Total Configuration Mismatches—The total number of configuration mismatches detected over a 24-hour period.

Total Coverage Hole Events—The total number of coverage hole events over a 24-hour and 7-day period.

Number of RF Groups—The total number of RF groups (derived from all of the controllers which are currently managed by Prime Infrastructure).

Configuration Mismatch—The configuration mismatch over a 24-hour period by RF group with details on the group leader.

APs at MAX Power—The percentage of access points with 802.11a/n radios as a total percentage across all access points which are at maximum power. The maximum power levels are preset and are derived with reference to the preset value.

Maximum power is shown in three areas of the RRM dashboard. This maximum power portion shows the current value and is poll driven.

Channel Change Causes—A graphical bar chart for 802.11a/n radios. The chart is factored based on the reason for channel change. The chart is divided into two parts, each depicting the percentage of weighted reasons causing the event to occur over a 24-hour and 7-day period. Each event for channel change can be caused by multiple reasons, and the weight is equally divided across these reasons.

The net reason code is factored and equated to one irrespective of the number of reasons for the event to occur.

Channel Change - APs with channel changes—Each event for channel change includes the MAC address of the lightweight access point. For each reason code, you are given the most channel changes that occurred for the 802.11a/n access point based on the weighted reason for channel events. This count is split over a 24-hour and 7-day period.

Coverage Hole - APs reporting coverage holes—The top five access points filtered by IF Type 11 a/n which triggered a coverage hole event (threshold based) are displayed.

Aggregated Percent Max Power APs—A graphical progressive chart of the total percentage of 802.11a/n lightweight access points which are operating at maximum power to accommodate coverage holes events. The count is split over a 24-hour and 7-day period.

This maximum power portion shows the values from the last 24 hours and is poll driven. This occurs every 15 minutes or as configured for radio performance.

Percent Time at Maximum Power—A list of the top five 802.11a/n lightweight access points which have been operating at maximum power.

This maximum power portion shows the value from the last 24 hours and is event driven.

Monitoring Interferers

In the Monitor > Wireless Technologies > Interferers page, you can monitor interference devices detected by CleanAir-enabled access points. By default, the Monitoring AP Detected Interferers page is displayed.

Table 14-1 lists the menu paths to follow to monitor interferers.

Table 14-1 Menu Paths to Monitor Interferers

To See... | Go To...
AP-detected interferers | Monitor > Wireless Technologies > Interferers
AP-detected interferer details | Monitor > Wireless Technologies > Interferers > Interferer ID
AP-detected interferer details location history | Monitor > Wireless Technologies > Interferers > Interferer ID, then choose Select a command > Location History and click Go

Related topics

Field Reference for AP-detected interferers

Field Reference for AP-detected interferer details

Field Reference for AP-detected interferer details location history

Configuring the Search Results Display

The Edit View page allows you to add, remove, or reorder columns in the AP Detected Interferers Summary page. To edit the columns in the AP Detected Interferers page, follow these steps:

Step 1  Choose Monitor > Wireless Technologies > Interferers. The AP Detected Interferers page appears showing details of the interferers detected by the CleanAir-enabled access points.

Step 2  Click the Edit View link.

Step 3  To add an additional column to the access points table, click to highlight the column heading in the left column. Click Show to move the heading to the right column. All items in the right column are displayed in the table.

Step 4  To remove a column from the access points table, click to highlight the column heading in the right column. Click Hide to move the heading to the left column. All items in the left column are not displayed in the table.

Step 5  Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight the desired column heading and click Up or Down to move it higher or lower in the current list.

Step 6  Click Reset to restore the default view.

Step 7  Click Submit to confirm the changes.

Monitoring RFID Tags

The Monitor > Wireless Technologies > RFID Tags page allows you to monitor tag status and location on Prime Infrastructure maps as well as review tag details.

This page is only available in the Location version of Prime Infrastructure.

This section provides information on the tags detected by the location appliance.

The Tag Summary page is available at Monitor > Wireless Technologies > RFID Tags.

Searching RFID Tags

Use the Prime Infrastructure Advanced Search feature to find specific tags or all tags.

To search for tags:

Step 1  Click Advanced Search.

Step 2  From the Search Category drop-down list, choose Tags.

Step 3  Enter the required information. Note that search fields sometimes change, depending on the category chosen.

Step 4  Click Go.

Checking RFID Tag Search Results

To check the search results, click the MAC address of a tag location on a search results page.

Note the following:

The Tag Vendor option does not appear when Asset Name, Asset Category, Asset Group, or MAC Address is the search criterion.

Only vendor tags that support telemetry appear.

The Telemetry data option appears only when MSE (select for location servers), Floor Area, or Outdoor Area is selected as the “Search for tags by” option.

Telemetry data displayed is vendor-specific; however, some commonly reported details are GPS location, battery extended information, pressure, temperature, humidity, motion, status, and emergency code.

Asset Information, Statistics, Location, and Location Notification details are displayed.

Only CCX v1 compliant tags are displayed for emergency data.

Viewing Tag List

Click the Total Tags number link to view the Tags List for the applicable device name. The Tag List contains the MAC address, asset details, vendor name, mobility services engine, controller, battery status, and map location.

Monitoring Media Streams

To monitor the media streams configurations, follow these steps:

Step 1  Choose Monitor > Wireless Technologies > Media Streams. The Media Streams page appears showing the list of media streams configured across controllers.

The Media Streams page contains a table with the following columns:

Stream Name—Media Stream name.

Start IP—Starting IP address of the media stream for which the multicast direct feature is enabled.

End IP—Ending IP address of the media stream for which the multicast direct feature is enabled.

State—Operational state of the media stream.

Max Bandwidth—Indicates the maximum bandwidth that is assigned to the media stream.

Priority—Indicates the priority bit set in the media stream. The priority can be any number from 1 to 8. A lower value indicates a higher priority. For example, a priority of 1 is the highest and a value of 8 is the lowest.

Violation—Indicates the action to be performed in case of a violation. The possible values are as follows:

Drop—Indicates that a stream is dropped on periodic reevaluation.

Best Effort—Indicates that a stream is demoted to best-effort class on periodic reevaluations.

Policy—Indicates the media stream policy. The possible values are Admit or Deny.

Controllers—Indicates the number of controllers that use the specified media stream.

Clients—Indicates the number of clients that use the specified media stream.

Step 2  To view the media stream details, click a media stream name in the Stream column. The Media Streams page appears.

The Media Streams page displays the following group boxes:

Media Stream Details—Displays the media stream configuration information. This includes the Name, Start Address, End Address, Maximum Bandwidth, Operational Status, Average Packet Size, RRC Updates, Priority, and Violation.

Statistics—Displays the number of controllers and number of clients that use the selected media stream. Click the controller count to access the list of controllers that use the selected media stream.

Error—Displays the error, Worst AP, and corresponding floor map for that AP.

Client Counts—Displays the number of clients for each period.

Failed Client Counts—Displays the number of clients that failed for each period.

The client information is presented in a time-based graph. For graphs that are time-based, there is a link bar at the top of the graph page that displays 6h, 1d, 1w, 2w, 4w, 3m, 6m, 1y, and Custom. When selected, the data for that time frame is retrieved and the corresponding graph is displayed.

Troubleshooting Unjoined Access Points

When a lightweight access point initially starts up, it attempts to discover and join a wireless LAN controller. After joining the wireless controller, the access point updates its software image if needed and receives all the configuration details for the device and network. After successfully joining the wireless controller, the access point can be discovered and managed by Prime Infrastructure. Until the access point successfully joins a wireless controller, it cannot be managed by Prime Infrastructure and does not contain the proper configuration settings to allow client access.

Prime Infrastructure provides you with a tool that diagnoses why an access point cannot join a controller and lists corrective actions.

The Unjoined AP page displays a list of access points that have not joined any wireless controllers. All gathered information about the unjoined access point is included in the page. This includes name, MAC address, IP address, controller name and IP address, switch and port that the access point is attached to, and any join failure reason if known.

To troubleshoot unjoined access points, do the following:

Step 1  Choose Monitor > Wireless Technologies > Unjoined Access Points. The Unjoined APs page appears containing a list of access points that have not been able to join a wireless controller.

Step 2  Select the access point that you wish to diagnose, then click Troubleshoot. An analysis is run on the access point to determine the reason why the access point was not able to join a wireless controller. After performing the analysis, the Unjoined APs page displays the results.

Step 3  If the access point has tried to join multiple wireless controllers and has been unsuccessful, the controllers are listed in the left pane. Select a controller.

Step 4  In the middle pane, you can view what the problem is. It will also list error messages and controller log information.

Step 5  In the right pane, recommendations for solving the problems are listed. Perform the recommended action.

Step 6  If you need to further diagnose a problem, you can run RTTS through the Unjoined AP page. This allows you to see the debug messages from all the wireless controllers that the access point tried to join at one time.

To run RTTS, click the RTTS icon located to the right of the table. The debug messages appear in the table. You can then examine the messages to see if you can determine a cause for the access point not being able to join the controllers.

Monitoring Chokepoints

Chokepoints are low-frequency transmitting devices. When a tag passes within range of a placed chokepoint, the low-frequency field awakens the tag, which, in turn, sends a message over the Cisco Unified Wireless Network that includes the chokepoint device ID. The transmitted message includes sensor information (such as temperature and pressure). A chokepoint location system provides room-level accuracy (ranging from a few inches to 2 feet, depending on the vendor).

Chokepoints are installed and configured as recommended by the chokepoint vendor. After the chokepoint is installed and operational, it can be entered into the location database and plotted on a Prime Infrastructure map.

Related Topic

Field Reference for Chokepoints Page

Adding a Chokepoint to the Prime Infrastructure Database

To add a chokepoint to the Prime Infrastructure database:

Step 1  Choose Monitor > Wireless Technologies > Chokepoints.

Step 2  From the Select a command drop-down list, choose Add Chokepoint.

Step 3  Click Go.

Step 4  Enter the MAC address and name for the chokepoint.

Step 5  Specify either an entry or exit chokepoint.

Step 6  Enter the coverage range for the chokepoint.

Chokepoint range is a visual representation only. It is product-specific. The actual range must be configured separately using the applicable chokepoint vendor software.

Step 7  Click Save.

After the chokepoint is added to the database, it can be placed on the appropriate Prime Infrastructure floor map.

Adding a Chokepoint to a Prime Infrastructure Map

To add a chokepoint to a map:

Step 1  Choose Maps > Wireless Maps > Site Maps.

Step 2  In the Maps page, click the link that corresponds to the floor location of the chokepoint.

Step 3  From the Select a command drop-down list, choose Add Chokepoints.

Step 4  Click Go.

The Add Chokepoints summary page lists all recently added chokepoints that are in the database but not yet mapped.

Step 5  Select the check box next to the chokepoint that you want to place on the map.

Step 6  Click OK.

A map appears with a chokepoint icon located in the top-left corner. You are now ready to place the chokepoint on the map.

Step 7  Click the chokepoint icon and drag it to the proper location.

The MAC address, name, and coverage range of the chokepoint appear in the selected chokepoints detail page when you click the chokepoint icon for placement.

Step 8  Click Save.

The newly created chokepoint icon might or might not appear on the map, depending on the display settings for that floor. The rings around the chokepoint icon indicate the coverage area. When a CCX tag and its asset passes within the coverage area, location details are broadcast, and the tag is automatically mapped on the chokepoint coverage circle. When the tag moves out of the chokepoint range, its location is calculated as before and is no longer mapped on the chokepoint rings.

MAC address, name, entry/exit chokepoint, static IP address, and range of the chokepoint display when you hover your mouse cursor over its map icon.

Step 9  If the chokepoint does not appear on the map, select the Chokepoints check box located in the Floor Settings menu.

Do not select the Save Settings check box unless you want to save this display criteria for all maps.

Step 10  Synchronize network design to the mobility services engine or location server to push chokepoint information.

Removing a Chokepoint from the Prime Infrastructure Database

To remove a chokepoint from the Prime Infrastructure database:

Step 1  Choose Monitor > Wireless Technologies > Chokepoints.

Step 2  Select the check box of the chokepoint that you want to delete.

Step 3  From the Select a command drop-down list, choose Remove Chokepoints.

Step 4  Click Go.

Step 5  Click OK to confirm the deletion.

Removing a Chokepoint from a Prime Infrastructure Map

To remove a chokepoint from a Prime Infrastructure map:

Step 1  Choose Maps > Wireless Maps > Site Maps.

Step 2  In the Maps page, click the link that corresponds to the floor location of the chokepoint.

Step 3  From the Select a command drop-down list, choose Remove Chokepoints.

Step 4  Click Go.

Step 5  Click OK to confirm the deletion.

Editing a Chokepoint

To edit a chokepoint in the Prime Infrastructure database and the appropriate map:

Step 1  Choose Monitor > Wireless Technologies > Chokepoints.

Step 2  In the MAC Address column, click the chokepoint that you want to edit.

Step 3  Edit the parameters that you want to change.

The chokepoint range is product-specific and is supplied by the chokepoint vendor.

Step 4  Click Save.

Monitoring WiFi TDOA Receivers

The WiFi TDOA receiver is an external system designed to receive signals transmitted from a tagged, tracked asset. These signals are then forwarded to the mobility services engine to aid in the location calculation of the asset.

Enhancing Tag Location Reporting with WiFi TDOA Receivers

TDOA receivers use the method of Time Difference of Arrival (TDOA) to calculate tag location. This method uses data from a minimum of three TDOA receivers to generate a tagged asset location.

Note

If a TDOA receiver is not in use and the partner engine software is resident on the mobility service engine, then the location calculations for tags are generated using RSSI readings from access points.

The Cisco Tag engine can calculate the tag location using the RSSI readings from access points.

Before using a TDOA receiver within the Cisco Unified Wireless Network, you must perform the following steps:

1. Have a mobility services engine active in the network. See Adding MSEs to Prime Infrastructure.

2. Add the TDOA receiver to Prime Infrastructure database and map. See Adding WiFi TDOA Receivers to Prime Infrastructure and Maps.

3. Activate or start the partner engine service on the MSE using Prime Infrastructure.

4. Synchronize Prime Infrastructure and mobility services engines. See Synchronizing Prime Infrastructure and MSE.

5. Set up the TDOA receiver using the AeroScout System Manager. See the AeroScout Context-Aware Engine for Tags, for Cisco Mobility Services Engine User’s Guide for configuration details at the following URL: http://support.aeroscout.com.

Adding WiFi TDOA Receivers to Prime Infrastructure and Maps

After the WiFi TDOA receiver is installed and configured by the AeroScout System Manager and the partner software is downloaded on the mobility services engine, you are ready to add the TDOA receiver to the mobility services engine database and position it on a Prime Infrastructure map.

After adding TDOA receivers to Prime Infrastructure maps, you continue to make configuration changes to the TDOA receivers using the AeroScout System Manager application rather than Prime Infrastructure.

For more details on configuration options, see the AeroScout Context-Aware Engine for Tags, for Cisco Mobility Services Engine User Guide at the following URL: http://support.aeroscout.com.

To add a TDOA receiver to the Prime Infrastructure database and the appropriate map:

Step 1  Choose Monitor > Wireless Technologies > WiFi TDOA Receivers to open the All WiFi TDOA Receivers summary page.

To view or edit current WiFi TDOA receiver details, click the MAC Address link to open the details page.

Step 2  From the Select a command drop-down list, choose Add WiFi TDOA Receivers.

Step 3  Click Go.

Step 4  Enter the MAC address, name, and static IP address of the TDOA receiver.

Step 5  Click Save to save the TDOA receiver entry to the database.

Note

A WiFi TDOA Receiver must be configured separately using the receiver vendor software.

Step 6  Choose Maps > Wireless Maps > Site Maps.

Step 7  In the Maps page, select the link that corresponds to the floor location of the TDOA receiver.

Step 8  From the Select a command drop-down list, choose Add WiFi TDOA receivers.

Step 9  Click Go.

The All WiFi TDOA Receivers summary page lists all recently-added TDOA receivers that are in the database but not yet mapped.

Step 10  Select the check box next to each TDOA receiver to add it to the map.

Step 11  Click OK.

A map appears with a TDOA receiver icon located in the top-left corner. You are now ready to place the TDOA receiver on the map.

Step 12  Click the TDOA receiver icon and drag it to the proper location on the floor map.

Step 13  Click Save.

The icon for the newly added TDOA receiver might or might not appear on the map depending on the display settings for that floor. If the icon did not appear, proceed with Step 14.

Step 14  If the TDOA receiver does not appear on the map, click Layers to collapse a selection menu of possible elements to display on the map.

Step 15  Select the WiFi TDOA Receivers check box.

When you hover your mouse cursor over a TDOA receiver on a map, configuration details appear for that receiver.

Step 16  Click X to close the Layers page.

Do not choose Save Settings from the Layers menu unless you want to save this display criteria for all maps.

Step 17  Download the partner engine software to the mobility services engine.

Chapter 15 Using Monitoring Tools

Monitoring Wireless Voice Audit

Monitoring Wireless Voice Diagnostics

Monitoring Wireless Configuration Audit

Monitoring Autonomous AP Migration Analysis

Monitoring Location Accuracy

Monitoring Packet Capture

Monitoring Wireless Voice Audit

Prime Infrastructure provides a voice auditing mechanism to check controller configuration and to ensure that any deviation from the deployment guidelines is highlighted as an Audit Violation. You can run a voice audit on a maximum of 50 controllers in a single operation.

To run the voice audit:

Step 1  Choose Monitor > Tools > Wireless Voice Audit.

Step 2  Click the Controllers tab, and complete the fields as described in the Voice Audit Field Descriptions section in the Cisco Prime Infrastructure 3.0 Reference Guide.

Step 3  Click the Rules tab.

Step 4  In the VoWLAN SSID text box, type the applicable VoWLAN SSID.

Note

The red circle indicates an invalid rule (due to insufficient data). The green circle indicates a valid rule.

Step 5  Do either of the following:

To save the configuration without running a report, click Save.

To save the configuration and run a report, click Save and Run.

Step 6  Click the Report tab to view the report results.

Monitoring Wireless Voice Diagnostics

The Voice Diagnostic tool is an interactive tool that diagnoses voice calls in real time. This tool reports call control errors, clients' roaming history, and the total number of active calls accepted and rejected by an associated AP.

The Voice Diagnostic test is provisioned for multiple controllers; that is, if the AP is associated with more than one controller during roaming, the Voice Diagnostic tool tests all associated controllers. Prime Infrastructure supports testing on controllers whose APs are placed on up to three floors. For example, a Prime Infrastructure map might have floors 1 to 4, with all APs associated to controllers (WLC1, WLC2, WLC3, and WLC4) and placed on the Prime Infrastructure map. If a client on any AP is associated with WLC1 on the first floor and a Voice Diagnostic test is started for that client, a test is also provisioned on WLC2 and WLC3.

The Voice Diagnostic page lists prior test runs, if any. For information about the fields on this page, see the Voice Diagnostic Field Descriptions section in the Cisco Prime Infrastructure 3.0 Reference Guide.

From the Select a command drop-down list, you can start a new test, check the results of an existing test, or delete a test.

Note

To support roaming, the tool identifies the controllers in the same building as the client's associated AP and adds an entry to the watchlist of all of those controllers. The tool looks for controllers within +/-5 floors of the location of the client's currently associated AP. The watchlist configuration on a controller lasts for 10 minutes. After 10 minutes, the controller removes the entry from the watchlist.

To run a Voice Diagnostic test:

Step 1  Choose Monitor > Tools > Wireless Voice Diagnostic.

Step 2  From the Select a command drop-down list, choose New test and click Go.

Note

You can configure a maximum of two clients for voice call diagnosis. Both clients can be on the same call or can be on a different call.

Step 3  Enter a test name and the length of time to monitor the voice call.

Step 4  Enter the MAC address of the device for which you want to run the voice diagnostic test.

Step 5  Select a device type; if you select a custom phone, enter an RSSI range.

Step 6  Click StartTest.

Monitoring Wireless Configuration Audit

Choose Monitor > Tools > Wireless Configuration Audit to launch the Configuration Audit Summary page.

This page provides a summary of the following:

Total Enforced Config Groups—Templates that are configured for Background Audit and are enforcement enabled.

Total Mismatched Controllers—Configuration differences found between Prime Infrastructure and the controller during the last audit.

Total Config Audit Alarms—Alarms generated when audit discrepancies are enforced on configuration groups. If enforcement fails, a critical alarm is generated on the configuration group.

If enforcement succeeds, a minor alarm is generated on the configuration group. Alarms contain links to the audit report, where you can view a list of discrepancies for each controller.

Most recent 5 config audit alarms—Includes object name, event type, date, and time of the audit alarm.

Click View All to view the applicable Alarm page that includes all configuration audit alarms.

Monitoring Autonomous AP Migration Analysis

Choose Monitor > Tools > Autonomous AP Migration Analysis to launch the Migration Analysis Summary page.

Autonomous access points are eligible for migration only if all criteria have a pass status. A red X designates ineligibility, and a green check mark designates eligibility. These columns represent the following:

Privilege 15 Criteria—The Telnet credential provided as part of the autonomous access point discovery must be privilege 15.

Software Version—Conversion is supported only from Cisco IOS 12.3(7)JA releases excluding Cisco IOS 12.3(11)JA, Cisco IOS 12.3(11)JA1, Cisco IOS 12.3(11)JA2, and Cisco IOS 12.3(11)JA3.

Role Criteria—A wired connection between the access point and controller is required to send the association request; therefore, the following autonomous access point roles are required:

root

root access point

root fallback repeater

root fallback shutdown

root access point only

Radio Criteria—In dual-radio access points, the conversion can happen even if only one radio is of the supported type.

Monitoring Location Accuracy

You can analyze the location accuracy of non-rogue and rogue clients, interferers, and asset tags by using the Location Accuracy tool.

By verifying location accuracy, you ensure that the existing access point deployment can estimate the true location of an element within 10 meters at least 90% of the time.

The Location Accuracy tool enables you to run either of the following tests:

Scheduled Accuracy Testing—Employed when clients, tags, and interferers are already deployed and associated to the wireless LAN infrastructure. Scheduled tests can be configured and saved when clients, tags, and interferers are already prepositioned so that the test can be run on a regularly scheduled basis.

On-Demand Accuracy Testing—Employed when elements are associated but not pre-positioned. On-demand testing allows you to test the location accuracy of clients, tags, and interferers at a number of different locations. It is generally used to test the location accuracy for a small number of clients, tags, and interferers.

Both are configured and executed through a single page.

Enabling the Location Accuracy Tool

You must enable the Advanced Debug option in Prime Infrastructure to use the Scheduled and On-demand location accuracy tool testing features. The Location Accuracy tool does not appear as an option on the Monitor > Tools menu when the Advanced Debug option is not enabled.

To enable the advanced debug option in Prime Infrastructure:

Step 1  In Prime Infrastructure, choose Maps > Wireless Maps > Site Maps.

Step 2  Choose Properties from the Select a command drop-down list, and click Go.

Step 3  Select the Enabled check box to enable the Advanced Debug Mode. Click OK.

Note

If Advanced Debug is already enabled, you do not need to do anything further. Click Cancel.

Use the Select a command drop-down list on the Location Accuracy page to create a new scheduled or on-demand accuracy test, to download logs for the last run, to download all logs, or to delete a current accuracy test.

Note

You can download logs for accuracy tests from the Accuracy Tests summary page. To do so, select an accuracy test and from the Select a command drop-down list, choose either Download Logs or Download Logs for Last Run. Click Go.

The Download Logs option downloads the logs for all accuracy tests for the selected test(s).

The Download Logs for Last Run option downloads logs for only the most recent test run for the selected test(s).

Scheduling a Location Accuracy Test

Use the scheduled accuracy testing to verify the accuracy of the current location of non-rogue and rogue clients, interferers, and asset tags. You can get a PDF of the test results at Accuracy Tests > Results.

The Scheduled Location Accuracy report includes the following information:

A summary location accuracy report that details the percentage of elements that fell within various error ranges.

An error distance histogram.

A cumulative error distribution graph.

An error distance over time graph.

A summary by each MAC address whose location accuracy was tested noting its actual location, error distance and a map showing its spatial accuracy (actual vs. calculated location), and error distance over time for each MAC.
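
The summary figures in this report (percentage of elements within each error range, the error distance histogram, and the cumulative error distribution) all derive from the distance between each element's actual and calculated position. The following is an added example, not part of Cisco's guide or of Prime Infrastructure; the test points are constructed, coordinates are assumed to be in meters, and all function names are hypothetical.

```python
import math

# Constructed sample data (not from a real deployment):
# (MAC address, actual (x, y), calculated (x, y)), coordinates assumed in meters.
TEST_POINTS = [
    ("00:00:5e:00:53:01", (10.0, 10.0), (13.0, 14.0)),
    ("00:00:5e:00:53:02", (20.0, 5.0), (20.0, 7.0)),
    ("00:00:5e:00:53:03", (0.0, 0.0), (6.0, 8.0)),
    ("00:00:5e:00:53:04", (30.0, 30.0), (39.0, 42.0)),
    ("00:00:5e:00:53:05", (5.0, 25.0), (5.0, 26.0)),
    ("00:00:5e:00:53:06", (12.0, 8.0), (15.0, 8.0)),
    ("00:00:5e:00:53:07", (40.0, 2.0), (40.0, 6.0)),
    ("00:00:5e:00:53:08", (25.0, 18.0), (25.0, 26.0)),
    ("00:00:5e:00:53:09", (8.0, 33.0), (14.0, 33.0)),
    ("00:00:5e:00:53:0a", (50.0, 20.0), (55.0, 32.0)),
]


def error_distance(actual, calculated):
    """Straight-line distance between the actual and the calculated position."""
    dx = calculated[0] - actual[0]
    dy = calculated[1] - actual[1]
    return math.sqrt(dx * dx + dy * dy)


def error_distances(points):
    """Map each MAC address to its error distance."""
    return {mac: error_distance(actual, calc) for mac, actual, calc in points}


def histogram(distances, edges=(0.0, 5.0, 10.0, 15.0)):
    """Count errors per range [edge_i, edge_i+1); the last range is open-ended."""
    counts = [0] * len(edges)
    for d in distances:
        # Index of the last lower edge that the distance reaches.
        idx = max(i for i, lower in enumerate(edges) if d >= lower)
        counts[idx] += 1
    labels = [f"{lo:g}-{hi:g} m" for lo, hi in zip(edges, edges[1:])]
    labels.append(f">= {edges[-1]:g} m")
    return list(zip(labels, counts))


def percent_within(distances, radius):
    """Percentage of elements whose error is at most `radius`."""
    distances = list(distances)
    hits = sum(1 for d in distances if d <= radius)
    return 100.0 * hits / len(distances)


def cumulative_distribution(distances):
    """Sorted (error distance, percentage of elements at or below it) pairs."""
    distances = list(distances)
    return [(d, percent_within(distances, d)) for d in sorted(set(distances))]


def radius_for_percent(distances, percent):
    """Smallest observed error distance that covers `percent` of the elements."""
    for d, covered in cumulative_distribution(distances):
        if covered >= percent:
            return d
    return None


def meets_target(distances, radius=10.0, percent=90.0):
    """True if at least `percent` of elements are located within `radius`."""
    return percent_within(distances, radius) >= percent


if __name__ == "__main__":
    errors = error_distances(TEST_POINTS)
    values = list(errors.values())
    for mac, dist in errors.items():
        print(f"{mac}  error {dist:.1f} m")
    for label, count in histogram(values):
        print(f"{label:>8}: {count}")
    print(f"within 10 m: {percent_within(values, 10.0):.0f}%")
    print(f"90% of elements are within {radius_for_percent(values, 90.0):.1f} m")
    print("target met" if meets_target(values) else "target not met")
```

With this constructed data set, two elements fall outside 10 meters, so the deployment would miss the 10-meter/90% target even though most individual errors are small.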

To schedule a Location Accuracy test:

Step 1  Choose Monitor > Tools > Location Accuracy.

Step 2  Choose New Scheduled Accuracy Test from the Select a command drop-down list.

Step 3  Enter a test name.

Step 4  Choose an area type, a building, and a floor from the corresponding drop-down lists.

Note

Campus is configured as Root Area, by default. There is no need to change this setting.

Step 5  Choose a beginning and ending time for the test by entering the days, hours, and minutes. Hours are entered using a 24-hour clock.

Note

When entering the test start time, be sure to allow enough time prior to the test start to position testpoints on the map.

Step 6  Choose a destination point for the test results. (If you choose the e-mail option, you must first define an SMTP Mail Server for the target email address. Choose Administration > Settings > System Settings > Mail Server Configuration to enter the appropriate information.)

Step 7  Click Position Test Points.

Step 8  On the floor map, select the check box next to each client, tag, and interferer for which you want to check location accuracy.

When you select a MAC address check box, two icons appear on the map. One represents the actual location and the other represents the reported location. If the actual location for an element is not the same as the reported location, drag the actual location icon for that element to the correct position on the map. (You cannot drag the reported location.)

Step 9  (Optional) To enter a MAC address for a client, tag, or interferer that is not listed, select the Add New MAC check box, enter the MAC address, and click Go.

An icon for the newly added element appears on the map. If the element is on the location server but on a different floor, the icon appears in the left-most corner (in the 0,0 position).

Step 10  When all elements are positioned, click Save.

Step 11  Click OK to close the confirmation dialog box.

You are returned to the Accuracy Tests summary page.

Step 12  To check the test results, click the test name, click the Results tab in the page that appears, and click Download under Saved Report.

Running an On-Demand Location Accuracy Test

You can run an On-Demand Accuracy Test when elements are associated but not prepositioned.

On-Demand testing allows you to test the location accuracy of clients, tags, and interferers at a number of different locations. It is generally used to test the location accuracy of a small number of clients, tags, and interferers. You can get a PDF of the test results at Accuracy Tests > Results. The On-Demand Accuracy Report includes the following information:

A summary location accuracy report that details the percentage of elements that fell within various error ranges.

An error distance histogram

A cumulative error distribution graph

To run an On-Demand Accuracy Test:

Step 1  Choose Monitor > Tools > Location Accuracy.

Step 2  From the Select a command drop-down list, choose New On demand Accuracy Test.

Step 3  Enter a test name.

Step 4  Choose an area type, a building, and a floor from the corresponding drop-down lists.

Note

Campus is configured as Root Area, by default. There is no need to change this setting.

Step 5  Choose a destination point for the test results. (If you choose the e-mail option, you must first define an SMTP Mail Server for the target email address. Choose Administration > Settings > System Settings > Mail Server Configuration to enter the appropriate information.)

Step 6  Click Position Test Points.

Step 7  To test the location accuracy and RSSI of a particular location, select client, tag, or interferer from the drop-down list on the left. A list of all MAC addresses for the selected option (client, tag, or interferer) is displayed in a drop-down list to the right.

Step 8  Choose a MAC address from the drop-down list, move the red cross hair to a map location, and click the mouse to place it.

Step 9  From the Zoom percentage drop-down list, choose the zoom percentage for the map.

The X and Y text boxes are populated with the coordinates based on the position of the red cross hair in the map.

Step 10  Click Start to begin collection of accuracy data, and click Stop to finish collection. You must allow the test to run for at least two minutes before stopping the test.

Step 11  Repeat Step 7 to Step 10 for each testpoint that you want to plot on the map.

Step 12  Click Analyze Results when you are finished mapping the testpoints, and then click the Results tab in the page that appears to view the report.

Monitoring Packet Capture

In addition to aggregating data from multiple NAMs, Prime Infrastructure with licensed Assurance features makes it easy to actively manage and troubleshoot network problems using multiple NAMs and ASRs. For details, see Using Packet Capture to Monitor and Troubleshoot Network Traffic.

CHAPTER 16

Viewing Performance Graphs

To compare the Key Performance Indicators (KPIs) for devices and interfaces, choose Monitor > Monitoring Tools > Performance Graphs. You can choose the device or interface metrics you want to view over a specified time, and the resulting performance graphs allow you to quickly monitor performance.

Creating Performance Graphs

Step 1  Choose Monitor > Monitoring Tools > Performance Graphs.

The first time you access this page, an overlay help window appears with helpful tips.

Step 2  Select one of the tabs at the top of the left frame:

Devices—Allows you to select a device for which to create a performance graph.

Interfaces—Allows you to select an interface for which to create a performance graph.

Depending on what you select, the Metrics panel displays the available metrics for the device or interface type.

Step 3  Hover your cursor over a metric for which you want to measure performance, then click and drag the metric on to the Graphs portion of the window.

An overlay help window appears explaining the icons, date range, and other information.

Related Topics

Viewing Multiple Metrics on a Single Performance Graph

Performance Graphs Options

Viewing Multiple Metrics on a Single Performance Graph

You might want to view more than one metric on a single performance graph. For example, if you see a spike in CPU utilization, you might want to add the memory utilization metric to the performance graph to see if the memory was impacted by the change in CPU utilization.

You can add a maximum of 10 metrics on a single performance graph.

Step 1  Choose Monitor > Monitoring Tools > Performance Graphs.

Step 2  Select one of the tabs at the top of the left frame:

Devices—Allows you to select a device for which to create a performance graph.

Interfaces—Allows you to select an interface for which to create a performance graph.

Depending on what you select, the Metrics panel displays the available metrics for the device or interface type.

Step 3  Hover your cursor over a metric for which you want to measure performance, then click and drag the metric on to the Graphs portion of the window.

Step 4  To add a second metric to the same graph, hover your cursor over the metric you want to add, then click and drag the metric on to the same graph that has the metric you added in the previous step.

If you don’t want multiple metrics in a single graph, you can create a new graph on the same page by dragging the metric on to the lower portion of the Graphs window where Drop item here is displayed.

Step 5  To launch the Device 360° View, click on the IP address hyperlink at the top of the graph.

Related Topics

Creating Performance Graphs

Performance Graphs Options

Performance Graphs Options

The Show menu at the top of the performance chart allows you to change the following graph display options:

Legend Options—Specify whether to show or hide the legend.

Show Legends—Specify if the legends are at the right or the top of the performance chart.

Show Alarms—Specify whether to display alarms. A colored flag appears in the performance graph to indicate that an alarm occurred at that time. To view details about the alarm, click on the colored flag.

Show Config Changes—Specify whether to display configuration changes. A black flag appears in the performance graph to indicate that a configuration on the device was modified at that time. To view details about the configuration change, click on the flag.

You can also Export and Print performance graphs by clicking the arrow at the top of the graph.

Click Detach at the top right of the performance graph page to open the performance graph in a new browser window. This allows you to continue monitoring the performance graph in a separate window while you perform actions in another window.

Related Topics

Creating Performance Graphs

Viewing Multiple Metrics on a Single Performance Graph

CHAPTER 17

Troubleshooting

Cisco Prime Infrastructure provides the following for sophisticated monitoring and troubleshooting of end-user network access.

The following sections describe some typical troubleshooting tasks:

Getting Help from Cisco

Checking an End User’s Network Session Status

Troubleshooting Authentication and Authorization

Troubleshooting Network Attachments

Troubleshooting Network Attachment Devices

Troubleshooting Site Network Devices

Troubleshooting the User Application and Site Bandwidth Utilization

Troubleshooting User Problems

Troubleshooting the User’s Experience

Troubleshooting Voice/Video Delivery to a Branch Office

Troubleshooting Unjoined Access Points

Troubleshooting Wireless Performance Problems

Getting Help from Cisco

Prime Infrastructure provides helpful tools for network operators to connect to Cisco experts to diagnose and resolve problems. You can open support cases and track your cases from Prime Infrastructure. If you need help troubleshooting any problems, Prime Infrastructure allows you to:

Connect with the Cisco Support Community to view and participate in discussion forums. See Launching the Cisco Support Community.

Open a support case with Cisco Technical Support. See Opening a Support Case.

Launching the Cisco Support Community

You can use Prime Infrastructure to access and participate in discussion forums in the online Cisco Support Community. This forum can help you find information for diagnosing and resolving problems.

You must enter your Cisco.com username and password to access and participate in the forums.

To launch the Cisco Support Community:

Step 1  Choose Monitor > Monitoring Tools > Alarms & Events, select an alarm, then choose Troubleshoot > Support Forum.

Step 2  In the Cisco Support Community Forum page, enter additional search parameters to refine the discussions that are displayed.

Opening a Support Case

You can use Prime Infrastructure to open a support request and to track your support cases. Prime Infrastructure helps you gather critical contextual information to be attached to the support case, reducing the time it takes to create a support case.

To open a support case or access the Cisco Support Community, you must:

Have a direct Internet connection on the Prime Infrastructure server

Enter your Cisco.com username and password

To open a support case:

Step 1  Choose Monitor > Monitoring Tools > Alarms & Events, then hover your mouse cursor over the IP address of the device on which the alarm occurred.

Step 2  From the device 360° view, select Support Request from the Actions drop-down menu.

Step 3  Enter your Cisco.com username and password.

Step 4  Click Login.

Step 5  Click Create in the Update or Create a Support Case window.

Prime Infrastructure gathers information about the device and populates the fields for which it can retrieve information. You can enter a Tracking Number that corresponds to your own organization’s trouble ticket system.

Step 6  Click Next and enter a description of the problem.

By default, Prime Infrastructure enters information that it can retrieve from the device. Prime Infrastructure automatically generates the necessary supporting documents such as the technical information for the device, configuration changes, and all device events over the last 24 hours. You can also upload files from your local machine.

Step 7  Click Create Service Request.

Checking an End User’s Network Session Status

When an end user calls the help desk, typically with a complaint that might not be very specific (“I can’t log in” or “The network is really slow”), you will want to get an overall view of the user’s current network session status, identify which individual session is associated with the problem, and examine the details for that session.

For example, how is the user attached to the network? Does this person have more than one endpoint (where an endpoint could be, for example, a laptop, desktop, iPad, iPhone, or Android)?

Before You Begin

This feature requires:

Integration with an ISE server (to access endpoint information).

Integration with LDAP (to display information about the end user).

To check an end user’s network session status:

Step 1  In the system search field (see Search Methods), enter the name of the user (or client) who is experiencing the issue. If there are multiple matches, select the correct username from the list of matches.

Step 2  Start the User 360° View.

The information that is available from this view typically includes current information about the end user and all of that user’s current or recently ended network sessions.

Troubleshooting Authentication and Authorization

Using the User 360° View, you can identify possible problems with the end user’s authentication and authorization for network access.

For example, there could be authentication problems (such as the user’s password being rejected), or there could be authorization issues (such as the user being placed in a policy category such as “guest” or “quarantine” that might result in unexpected behavior).

Before You Begin

This feature requires integration with an ISE server.

To troubleshoot the network:

Step 1  Open the User 360° View for that user and check the value in “Authorization Profile”. This is a mnemonic string that is customer-defined, so it might not contain clear information (for example, “standard_employee” or “standard_BYOD” or “Guest”).

Step 2  If this field is a link, click it to display information about the user’s authorization profile. Based on this information:

If the end user is associated with the appropriate policy category, this procedure is complete.

If the end user is not associated with the appropriate policy category, you can hand off the problem (for example, to an ISE admin or help tech) or perform actions outside Prime Infrastructure to investigate why the user was placed in the current policy category (Authorization Profile).

Step 3  Check to see whether there are any indications of authentication errors (authentication failure could be due to various things, including an expired password). The visual indication of authentication errors allows you to see more data related to the authentication errors. At that point, you might need to hand off the problem (for example, to an ISE admin or help tech).

Troubleshooting Network Attachments

Use the following procedure to determine if there are problems with the end user attaching to the network, such as errors on the access port (wired) or radio association problems (wireless).

To troubleshoot network attachments:

Step 1  Open the User 360° View for that user and click the Go to Client Details icon.

Step 2  If a problem has been detected, it might not be appropriate to continue troubleshooting the problem; it is probably sufficient to note the problem and hand it off to second tier support. If you want to continue detailed client troubleshooting, exit the User 360° View and launch the full client and user troubleshooting page (choose Monitor > Monitoring Tools > Clients and Users).

Troubleshooting Network Attachment Devices

Use the following procedure to troubleshoot any active alarms or error conditions associated with the network attachment device and port for the end user that might be causing problems for the end user’s network session:

Step 1  To view any existing active alarms or error conditions associated with the network attachment device and port for the end user (available for the controller, switch, access point, and site), open the User 360° View for that user and click the Alarms tab.

Step 2  To see if a problem has been detected, click the Go to Client Details icon.

Step 3  If a problem has been detected, it might not be appropriate to continue troubleshooting the problem; it is probably sufficient to note that fact and hand off the task to second tier support. If you want to continue detailed client troubleshooting, exit the User 360° View and launch the full client and user troubleshooting page (choose Monitor > Monitoring Tools > Clients and Users).

Troubleshooting Site Network Devices

Use the following procedure to determine if there are any existing active alarms or error conditions associated with any of the network devices that are part of the site for the end user that could be causing problems for the user’s network session.

Step 1  To view any existing active alarms or error conditions associated with network devices that are part of the site for the end user, open the User 360° View for that user and click the Alarms tab.

Step 2  You can choose to view:

Active alarms list for the site

List of all site devices (with alarm indications)

Topo map of site (with alarm indications)

Step 3  If a problem with a site has been detected, an alarm icon will appear next to the site location. Click the icon to view all of the alarms associated with that site.

Step 4  If a problem has been detected, it might not be appropriate to continue troubleshooting the problem; it is probably sufficient to note that fact and hand off the task to second tier support. If you want to continue detailed client troubleshooting, exit the User 360° View and launch the full client and user troubleshooting page (choose Monitor > Monitoring Tools > Clients and Users).

Troubleshooting the User Application and Site Bandwidth Utilization

If an end user is experiencing high bandwidth utilization for a site on the interface dashboard, use the following procedure to identify the applications consumed by the user and the bandwidth consumed by every application for a given endpoint owned by the user.

Before You Begin

This feature requires:

Integration with an ISE server (to access endpoint information).

For wired sessions, that AAA accounting information is being sent to ISE.

That session information (netflow/NAM data, Assurance licenses) is available.

Step 1  To view the applications accessed by the end user and the response time for the applications for the user’s devices, open the User 360° View for that user and click the Applications tab.

Step 2  The Applications tab displays information about the applications accessed by the end user (see Troubleshooting). To get more information about an application, including the bandwidth utilization of the application consumed by the end user (the bandwidth consumed for the conversation), choose Dashboard > Performance > Application.

Troubleshooting User Problems

You can use the User 360° View to troubleshoot problems reported by users.

Step 1  In the Search field on any page, enter the end user’s name.

Step 2  In the Search Results window, hover your mouse cursor over the end user’s name in the User Name column, then click the User 360° view icon that appears as shown in Figure A-6.

Step 3  With the User 360° view displayed, identify where the problem is occurring using the information described in Table 17-1.

Table 17-1 Using the User 360° View to Diagnose User Problems

To Gather This Data | Click Here in User 360° View | Additional Information

Information about the device to which the user is attached, such as the endpoint, location, connections, and session information | Click a device icon at the top of the User 360° View. | Click available links to display additional information. For example, you can click the Authorization Profile link to launch ISE. See Troubleshooting Authentication and Authorization.

Alarms associated with the device to which the user is attached | Click a device icon at the top of the User 360° View, then click the Alarms tab. | Click the Troubleshoot Client icon to go to client troubleshooting.

Applications running on the device to which the user is attached | Click a device icon at the top of the User 360° View, then click the Applications tab. | Click an application to view the end-user data filtered for the user you specified. See Troubleshooting the User’s Experience.

Troubleshooting the User’s Experience

If an end user reports a problem with accessing the application, use the User 360° View to troubleshoot the user’s experience.

Before You Begin

This feature requires that session information (netflow/NAM data, Assurance licenses) is available.

Step 1  To view the applications accessed by the end user and the response time for the applications for the user’s devices, open the User 360° View for that user and click the Applications tab.

Step 2  The Applications tab displays information about the applications accessed by the end user (see Troubleshooting User Problems). To get more information about an application, choose Dashboard > Performance > Application.

Troubleshooting Voice/Video Delivery to a Branch Office

To successfully diagnose and resolve problems with application service delivery, network operators must be able to link user experiences of network services with the underlying hardware devices, interfaces, and device configurations that deliver these services. This is especially challenging with RTP-based services like voice and video, where service quality, rather than gross problems like outages, imposes special requirements.

Note

To use this feature, your Prime Infrastructure implementation must include Assurance licenses.

Prime Infrastructure with the licensed Assurance features makes this kind of troubleshooting easy. The following workflow is based on a typical scenario: The user complains to the network operations desk about poor voice quality or choppy video replay at the user’s branch office. The operator first confirms that the user is indeed having a problem with jitter and packet loss that will affect the user’s RTP application performance. The user further confirms that other users at the same branch are also having the same problem. The operator next confirms that there is congestion on the WAN interface on the edge router that connects the local branch to the central voice/video server in the main office. Further investigation reveals that an unknown HTTP application is using a high percentage of the WAN interface bandwidth and causing the dropouts. The operator can then change the unknown application’s DSCP classification to prevent it from stealing bandwidth.

Step 1  Choose Dashboard > Performance > End User Experience.

Step 2  Next to Filters, specify:

The IP address of the Client machine of the user complaining about poor service.

The Time Frame during which the problem occurred.

The ID of the problem Application.

Click Go to filter the Detail Dashboard information using these parameters.

Step 3  View Average Packet Loss to see the Jitter and Packet Loss statistics for the client experiencing the problem.

Step 4  View the User Site Summary to confirm that other users at the same site are experiencing the same issue with the same application.

Step 5  In the User Site Summary, under Device Reachability, hover your mouse cursor over the branch’s edge router. Prime Assurance displays a 360° View icon for the device under the Device IP column. Click the icon to display the 360° View.

Step 6  In the 360° View, click the Alarms tab, to see alarms on the WAN interfaces, or on the Interfaces tab, to see congested WAN interfaces and the top applications running on them.

Troubleshooting Unjoined Access Points

When a lightweight access point initially starts up, it attempts to discover and join a wireless LAN controller. After joining the wireless controller, the access point updates its software image if needed and receives all of the configuration details for the device and network. Until the access point successfully joins a wireless controller, it cannot be managed by Prime Infrastructure, and it does not contain the proper configuration settings to allow client access. Prime Infrastructure provides you with a tool that diagnoses why an access point cannot join a controller, and lists corrective actions.

Note

To use this feature, your Prime Infrastructure implementation must include Assurance licenses.

The Unjoined AP page displays a list of access points that have not joined any wireless controllers. All gathered information about the unjoined access point is included on the page. This information includes name, MAC address, IP address, controller name and IP address, switch and port that the access point is attached to, and any join failure reason, if known.

To troubleshoot unjoined access points:

Step 1  Choose Monitor > Wireless Technologies > Unjoined Access Points.

Step 2  In the Unjoined APs page, select an access point to diagnose, then click Troubleshoot.

Step 3  After the troubleshooting analysis runs, check the results in the Unjoined APs page.

If the access point has tried to join multiple wireless controllers but has been unsuccessful, the controllers are listed in the left pane.

Step 4  Select a controller and check the middle pane for:

A statement of the problem

A list of error messages

Controller log information

Step 5  Check the right pane for recommendations for solving any problems, and perform any recommended actions.

Step 6  (Optional) To further diagnose the problem, run RTTS through the Unjoined AP page by clicking the RTTS icon located to the right of the table. Examine the debug messages that appear in the table to determine a cause for the access point being unable to join the controllers.

RTTS Debug commands for Troubleshooting Unjoined Access Points

Table 17-2 contains the list of RTTS debug commands for Legacy controllers and NGWC controllers.

Table 17-2    RTTS Debug commands for Legacy controllers and NGWC controllers

Controller    Commands

Legacy        debug capwap info enable
              debug dot1x all enable
              debug mobility directory enable

NGWC          debug capwap ap error
              debug dot1x events
              debug capwap ios detail

Troubleshooting Wireless Performance Problems

If an end user reports a problem with their wireless device, you can use the Site dashboard to help you determine the AP that is experiencing problems.

Before You Begin

This feature requires that session information (netflow/NAM data, Assurance licenses) is available.

Step 1  Choose Dashboard > Performance > Site and view the site to which the client experiencing trouble belongs.

Step 2  To see the AP that is experiencing trouble at this site, click the Settings icon, then click Add next to Busiest Access Points.

Step 3  Scroll down to the Busiest Access Points dashlet. You can:

    Hover your mouse over a device to view device information. See Getting Device Details from Device 360° View.

    Click on an AP name to go to the AP dashboard from where you can use the AP filter option to view AP details such as Client Count, Channel Utilization, and, if you have an Assurance license, Top N Clients and Top N Applications.

    Utilization based on SNMP polling for the APs.

    Volume information based on Assurance NetFlow data, if you have an Assurance license. For example, you can see the traffic volume per AP.

Root Cause and Impact analysis of Physical and Virtual Data Center Components

The physical servers view shows the list of UCS B-Series and C-Series servers that are managed by Prime Infrastructure. With this tech pack applied, it also shows the host/hypervisor running on each server, but only if the corresponding vCenter is added.

The Cisco UCS Server Schematic shows the complete architecture of the UCS device. The Schematic tab shows a graph that can be expanded to show different elements of the UCS device, such as chassis and blades. You can view a quick summary of an element by hovering your mouse over the operational status icon next to the chassis or blade. In addition, clicking the operational status icon, which symbolizes each unique element (chassis or blade), shows the subsequent connection. You can view the connection to the host and its VM, if managed by Prime Infrastructure, by clicking the operational status icon.

The schematic view also shows the operational status of the data center components and the associated alarms, which you can use to trace the root cause of an application delivery failure to a hardware problem on the Cisco UCS device.

Troubleshooting UCS Hardware Problems

Use the following procedure to trace the root cause of an application delivery failure to a UCS hardware problem on Cisco UCS B-series and C-series servers. You can identify whether the problem is in the fabric interconnect port, chassis, or blades.

To identify the issue in the UCS chassis, blade server, or fabric interconnect port:

Step 1  Choose Inventory > Device Management > Compute Devices.

Step 2  Choose Cisco UCS Servers in the Compute Devices pane.

Step 3  Click the expand icon corresponding to the faulty UCS device in the Cisco UCS Servers pane to open the Schematic that shows the inter-connections of the UCS chassis and blades and the up/down status of the chassis and blade servers.

Step 4  Click the Chassis tab and hover your mouse cursor over the faulty chassis name, then click the chassis 360° view icon to view the up/down status of the power supply unit and fan modules.

Step 5  Click the Servers tab and hover your mouse cursor over the faulty blade server name, then click the server 360° view icon.

    The server 360° view provides detailed blade server information including the number of processors, memory capacity, up/down status of adapters, network interface cards (NICs), and host bus adapters (HBAs).

Step 6  Click the Network tab to view the entire network interface details of the fabric interconnect, such as port channel, Ethernet interface, vEthernet, and vFabric Channel.

Step 7  Click the IO Modules tab to view the operational status of backplane ports and fabric ports.

To identify the bandwidth issue in the fabric interconnect port:

Step 1  Choose Inventory > Device Management > Network Devices.

Step 2  Click the faulty UCS device from the All Devices pane.

Step 3  Click the expand icon corresponding to the fabric interconnect switch.

Step 4  Click Fixed Modules to view the operational status of fabric interconnect ports.

Step 5  Click Interfaces to view the operational status for the fabric interconnect port and interfaces. This is the same as the operational status of the fabric interconnect port and interfaces viewed from the Network tab in the Compute Devices page.

Viewing Bandwidth on Fabric Interconnect Ports

You can view the details of a fabric interconnect port or a fabric interconnect port group using the Top-N Interface Utilization dashlet from the Overview and Performance dashboards. Use the following procedure to identify whether the overuse of bandwidth on the ports connecting the fabric interconnect to the UCS chassis is causing application performance issues such as slowness on Cisco UCS.

We recommend that you create a fabric interconnect port group and select the port group in the dashlet to view the bandwidth utilization details.

To identify the overuse of bandwidth on the fabric interconnect ports:

Step 1  Choose Dashboard > Performance > Interface then choose the UCS device interface from the Interface drop-down list.

    or

    Choose Dashboard > Overview > Network Interface.

Step 2  Click the Settings icon as shown in and choose Add Dashlets.

Step 3  Choose Top N Interface Utilization dashlet and click Add.

Step 4  Do the following if you have already created a fabric interconnect port group:

    a. Click the Dashlet Options icon in the Top N Interface Utilization dashlet.

    b. Select the fabric interconnect port group in the Port Group and click Save And Close.

The Top N Interface Utilization dashlet displays the list of interfaces with maximum utilization percentage. This dashlet also shows the average and maximum data transmission and reception details of the fabric interconnect ports.


CHAPTER 18

Monitoring Multiple Prime Infrastructure Instances

There are three situations that justify the use of multiple Cisco Prime Infrastructure instances to manage your network:

You want to categorize the devices in your network into logical groups, with a different Prime Infrastructure instance managing each of those groups. For example, you could have one instance managing all of your network’s wired devices and another managing all of its wireless devices.

The one Prime Infrastructure instance you have running is sufficient to manage your network, but the addition of one or more instances would improve Prime Infrastructure’s performance by spreading the CPU and memory load among multiple instances.

Your network has sites located throughout the world, and you want a different Prime Infrastructure instance to manage each of those sites in order to keep their data separate.

If multiple Prime Infrastructure instances are running in your network, you can monitor those instances from the Operations Center. In this chapter, we will cover a typical workflow you might employ when using the Operations Center. This workflow consists of the following tasks:

Viewing the Operations Center dashboards

Monitoring your network

Running reports

See Related Topics for details on these and related tasks.

Related Topics

Setting Up Operations Center

Viewing the Operations Center Dashboards

Monitoring Your Network Using Operations Center

Running Reports With Operations Center


Viewing the Operations Center Dashboards

The Operations Center provides additional, Operations Center-specific dashboards that you can use to quickly determine the status of your network and identify any issues that require further attention. The Operations Center dashlets display aggregated data. The following types of dashboards are available:

Overview dashboards, which summarize the current status of key areas in your network.

Incident dashboards, which report on all alarms and events recorded across your network.

To access a particular dashboard and the dashlets that comprise it, either click the appropriate tabs on the main Operations Center page or select the dashboard from the Dashboard menu.

For general information about using and customizing dashboards and dashlets, see “Prime Infrastructure User Interface Reference” in Related Topics.

Related Topics

Setting Up Operations Center

Monitoring Your Network Using Operations Center

Appendix A, “Prime Infrastructure User Interface Reference.”

Operations Center FAQs

Monitoring Your Network Using Operations Center

After viewing the various dashboards available in the Operations Center, you can then take a closer look at what is going on in your network. Specifically, you can monitor:

The devices that belong to your network.

The Prime Infrastructure servers that manage those devices.

The alarms, events and other incidents that have taken place in your network.

The clients and users configured to use your network.

The following related topics cover these items in more detail.

Related Topics

Monitoring Devices Using Operations Center

Using Virtual Domains With Operations Center

Managing and Monitoring Prime Infrastructure Servers Using Operations Center

Viewing the Prime Infrastructure Server Status Summary in Operations Center

Viewing Alarms and Events Using Operations Center

Viewing Clients and Users Using Operations Center

Cross-Launching Prime Infrastructure Using Operations Center

Viewing the Operations Center Dashboards


Monitoring Devices Using Operations Center

Select Monitor > Managed Elements > Network Devices to open the Network Devices page in Operations Center. From here, you can view information for every device that belongs to your network that a Prime Infrastructure instance is managing. This information includes the device’s hostname/IP address, its current reachability status, and the last time inventory data was successfully collected from that device.

When you first open the Network Devices page, every network device is displayed. To refine the devices displayed, do one of the following:

From the Device Group pane, select the desired device type, location, or user-defined group.

Apply a custom filter or select one of the predefined filters from the Show drop-down list.

Operations Center provides a custom filter that allows you to view duplicate devices across your managed instances. For details on how to use filters, see the related topic “Performing a Quick Filter”.

Search for a particular device. For details, see the related topic “Search Methods”.

If you delete a device from the Operations Center Network Devices page, the device is also deleted from all the managed Prime Infrastructure instances monitoring that device.

Related Topics

Performing a Quick Filter

Search Methods

Monitoring Your Network Using Operations Center

Using Virtual Domains With Operations Center

Using Virtual Domains With Operations Center

As explained in “Controlling User Access” in Related Topics, this feature gives an Operations Center administrator the ability to define a virtual domain on managed Prime Infrastructure instances. The Virtual Domains page will be modified to give Operations Center administrators visibility to each virtual domain defined under a managed Prime Infrastructure instance. The list of domains will be consolidated and displayed in the Operations Center.

From the Operations Center, you can view all the virtual domains available in all of the Prime Infrastructure instances that Operations Center is managing.

You can also create or edit virtual domains from Operations Center itself. If the same virtual domain is active in multiple Prime Infrastructure instances, Operations Center displays the virtual domain once, with data aggregated from all the active virtual domains with the same name on all the managed Prime Infrastructure instances.

You can create a virtual domain only if an instance is present or is in a reachable state. The number of network elements in Virtual Domains is limited when compared to that of Prime Infrastructure, since the Virtual Domain shows only managed network elements.

Note that any virtual domain you create using Operations Center will be replicated across all the instances of Prime Infrastructure that Operations Center manages, and if selected network elements are not present in particular instances, an empty virtual domain will be created.

Creating and editing virtual domains from within Operations Center works the same way as creating and editing virtual domains in a single instance of Prime Infrastructure. For details on adding, editing and viewing virtual domains, see “Using Virtual Domains to Control Access” in Related Topics.


Related Topics

Controlling User Access

Using Virtual Domains to Control Access

Monitoring Your Network Using Operations Center

Monitoring Devices Using Operations Center

Managing and Monitoring Prime Infrastructure Servers Using Operations Center

Creating Existing Virtual Domain in New Instances

Maximum Virtual Domains Supported in Operations Center

Maximum Virtual Domains Supported in Operations Center

We recommend that you use the Express OVA for Operations Center in Prime Infrastructure 3.0. For the Express OVA, the maximum number of Virtual Domains supported in Operations Center is 100 (including Virtual Domains in Prime Infrastructure instances). You also have the option to increase the CPU and memory of the Operations Center server to a higher configuration based on the number of Virtual Domains supported. For metrics of hardware profiles and the respective number of Virtual Domains supported, see the Cisco Prime Infrastructure 3.0 Quick Start Guide.

Related Topics

Using Virtual Domains With Operations Center

Creating Existing Virtual Domain in New Instances

Creating Existing Virtual Domain in New Instances

In Operations Center, if you want to create an existing virtual domain in new instances, follow these steps:

Step 1  Choose Administration > Users > Virtual Domains.

Step 2  From the Virtual Domains sidebar menu, click the existing virtual domain that you want to create in the new instance.

Step 3  Click the Managed Servers tab.

Step 4  Click Distribute to All Servers.

Step 5  Click Submit.

Related Topics

Controlling User Access

Using Virtual Domains With Operations Center

Maximum Virtual Domains Supported in Operations Center


Role Based Access Control Support in Operations Center

The Role Based Access Control (RBAC) support in Operations Center allows a collection of devices from multiple managed instances to be associated with a user via virtual domains. This feature lets you assign privileges to a specific user, such as accessing the Monitor and Manage Servers page, adding, modifying, or deleting managed instances, and providing Nbi privilege to generate reports and populate certain dashlets.

Follow these steps to enable RBAC in the Operations Center:

Step 1  Log in to Prime Infrastructure as an administrator.

Step 2  Choose Administration > Users > Users, Roles & AAA > User Groups.

Step 3  Click a group name to which RBAC is to be provided.

Step 4  Click Task Permissions tab.

Step 5  Check the following check boxes under Operation Center Tasks:

    Monitor and Manage Servers Page Access

    Administrative Privileges under Manage and Monitor Server Pages

    Nbi Security Exception

    These options are enabled by default for admin and super users.

Step 6  Click Save.

Related Topics

Controlling User Access

Using Virtual Domains With Operations Center

Maximum Virtual Domains Supported in Operations Center

Managing and Monitoring Prime Infrastructure Servers Using Operations Center

Select Monitor > Monitoring Tools > Manage and Monitor Servers to open the Manage and Monitor Servers page. From here, you can:

Add new Prime Infrastructure servers (up to the license limit).

Edit, delete, activate, and deactivate current Prime Infrastructure servers.

View each server’s reachability, network latency, CPU utilization, memory utilization, software update status and secondary server details (if it is configured), license count, and alarms generated for the Prime Infrastructure instances.

Determine whether any servers are down.

View alarms and events.

Cross-launch into individual Prime Infrastructure instances.

See if any backup servers are running. Administrators can use the Prime Infrastructure High Availability (HA) framework to configure a backup Prime Infrastructure server to automatically come online and take over operations for the associated primary server when it goes down. For more information on Prime Infrastructure’s HA framework, see “Configuring High Availability” in Related Topics. Administrators should be sure to follow the restrictions on use of HA with Operations Center given in “Before You Begin Setting Up High Availability”.

Aside from a server’s reachability status, there are three server metrics you should focus on:

Network latency

CPU utilization

Memory utilization.

If a server has a network latency figure that exceeds one second, or it has a CPU or memory utilization percentage greater than 80%, the chances are good that an issue exists with that server.

If a server’s status is listed as “unreachable”, a “?” icon will appear next to the reachability status message. Hover your mouse cursor over the icon to see a popup message giving possible causes for the server’s status (for example, the server cannot be pinged, the API response (latency) is too slow, or SSO is not set up properly).

Related Topics

Configuring High Availability

Before You Begin Setting Up High Availability

Monitoring Your Network Using Operations Center

Using Virtual Domains With Operations Center

Viewing the Prime Infrastructure Server Status Summary in Operations Center

Viewing the Prime Infrastructure Server Status Summary in Operations Center

Use the Server Status Summary to view the current status of your Prime Infrastructure servers without leaving the dashboard or page you have open. To open it, place your cursor over any portion of the Server Status area at the top of the Operations Center’s main page. From here, you can quickly determine if any of your servers are currently down. You can also launch a separate Prime Infrastructure instance for the selected server.

Related Topics

Monitoring Your Network Using Operations Center

Cross-Launching Prime Infrastructure Using Operations Center

Viewing Alarms and Events Using Operations Center

Select Monitor > Monitoring Tools > Alarms and Events to open the Alarms and Events page. From here, you can view a comprehensive listing of your network’s alarms, events, and syslog messages. With one or multiple alarms selected, you can also determine whether those alarms have been acknowledged, add a note that describes them in more detail, or delete them from the page.

The Alarm Summary displays an aggregated count of critical, major, and minor alarms from the managed Prime Infrastructure instances.


To refine the alarms, events, and syslog messages displayed here, do one of the following:

From the Device Group pane, select the desired device type, location, or user-defined group.

Apply a custom filter or select one of the predefined filters from the Show drop-down list. For details on how to use filters, see the related topic “Performing a Quick Filter”.

Search for a particular alarm or event. For details, see the related topic “Search Methods”.

Hover your cursor on the Alarm Browser screen to display the aggregated count of alarms for the managed Prime Infrastructure instances. You can also acknowledge, annotate, and delete alarms; that action is duplicated on the respective Prime Infrastructure instance.

Related Topics

Performing a Quick Filter

Search Methods

Monitoring Your Network Using Operations Center

Viewing Clients and Users Using Operations Center


Viewing Clients and Users Using Operations Center

Select Monitor > Monitoring Tools > Clients and Users to open the Clients and Users page, which contains the aggregated clients of all managed Prime Infrastructure instances. From here, you can view information for the clients configured on your network, such as a client’s MAC address, the user associated with the client, and the name of the device that hosts the client. By clicking a client’s corresponding radio button, you can access even more detailed information for that client at the bottom of the Clients and Users page. To refine the list of clients displayed here, do one of the following:

Apply a custom filter or select one of the predefined filters from the Show drop-down list. For details on how to use filters, see the related topic “Performing a Quick Filter”.

Search for a particular client. For details, see the related topic “Search Methods”.

Related Topics

Performing a Quick Filter

Search Methods

Monitoring Your Network Using Operations Center

Cross-Launching Prime Infrastructure Using Operations Center

A common element in the Operations Center’s four Monitor pages is the Prime Server column, which indicates the Prime Infrastructure server associated with any given device, alarm, event, client, or user.

By clicking the corresponding link in any of the Monitor pages or the Server Status summary, you can launch a separate Prime Infrastructure instance to perform the necessary management tasks without closing the Operations Center.

Related Topics

Monitoring Your Network Using Operations Center

Running Reports With Operations Center

In addition to the Operations Center dashboards and monitor pages, Operations Center provides a subset of Prime Infrastructure reports that combine network management and performance data across all the managed instances of Prime Infrastructure. If you are using Operations Center to segment and rationalize your management of a global network, these specialized versions of the standard reports can help get a closer look at your network as a whole, help you monitor health across the globe, and troubleshoot emergent issues.

The Operations Center reports contain aggregated data from all of the managed Prime Infrastructure instances. If you want to restrict this aggregation to a subset of the managed instances, the best ways to do this are to:

Temporarily deactivate those Prime Infrastructure managed instances whose data you do not want included in the aggregated Operations Center report data. You can do this by selecting Monitor > Monitoring Tools > Manage and Monitor Servers and choosing to deactivate the servers you want to ignore.

Use virtual domains to restrict the data to the instances in which you are interested. For details, see “Using Virtual Domains With Operations Center” in Related Topics.


Except for aggregating data across managed instances, Operations Center report generation works the same way as in Prime Infrastructure. For more information about Prime Infrastructure reports and how to generate them, see “Managing Reports” in Related Topics.

Related Topics

Managing Reports

Viewing the Operations Center Dashboards

Monitoring Your Network Using Operations Center

Using Virtual Domains With Operations Center

Viewing Alarms and Events Using Operations Center

Viewing Clients and Users Using Operations Center

Operations Center FAQs

Operations Center FAQs

Q. What are the system requirements for Operations Center, and what OVA size should I use?

A. Operations Center requires the Standard OVA to manage up to 100 virtual domains. To manage more virtual domains, you must use a bigger OVA. See the full list of system requirements in the Scaling for Operations Center section in the Cisco Prime Infrastructure 3.0 Quick Start Guide.

Q. How does the licensing work in Operations Center?

A. Two license files need to be applied in Operations Center:

A base license transforms the Prime Infrastructure instance to an Operations Center instance.

An incremental license indicates how many instances you can manage in Operations Center.

You must apply both licenses, then log out and log back in for the changes to take effect.

Q. What communication ports must be opened between Operations Center and its managed instances?

A. You must enable Single Sign On (SSO) when you set up Operations Center. The SSO server and its managed instances are configured as the SSO client. SSO requires two ports to be open:

443 (HTTPS)

8082 (used for setting up SSL certificate).
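The port requirement in the answer above can be checked from the Operations Center host before SSO is enabled. The following Python script is an added example, not part of the Cisco guide or of Prime Infrastructure; the function names and the host names passed on the command line are assumptions. It separates a refused connection (nothing listening) from a timeout (typically a firewall drop), which call for different fixes.

```python
"""Check that the two SSO ports named in the FAQ are reachable on each managed instance."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports taken from the FAQ answer: 443 (HTTPS) and 8082 (SSL certificate setup).
REQUIRED_PORTS = {443: "HTTPS", 8082: "SSL certificate setup"}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome as (state, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", "TCP handshake completed"
    except socket.timeout:
        # No SYN-ACK and no RST: packets are most likely dropped in transit.
        return "filtered", "no reply before timeout (check firewall rules)"
    except ConnectionRefusedError:
        # The host answered with RST: reachable, but no service on this port.
        return "closed", "host reachable but nothing is listening"
    except OSError as exc:
        # DNS failure, no route to host, and similar errors.
        return "error", str(exc)


def audit(instances, ports=REQUIRED_PORTS, timeout=3.0):
    """Probe every required port on every instance.

    Returns {host: {port: (state, detail)}}.
    """
    jobs = [(host, port) for host in instances for port in ports]
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda job: probe(job[0], job[1], timeout), jobs))
    report = {}
    for (host, port), result in zip(jobs, results):
        report.setdefault(host, {})[port] = result
    return report


def blocked(report):
    """Return a sorted list of (host, port, state) for every port that is not open."""
    return [
        (host, port, state)
        for host, ports in sorted(report.items())
        for port, (state, _detail) in sorted(ports.items())
        if state != "open"
    ]


def main(argv):
    if len(argv) < 2:
        print("usage: check_sso_ports.py <managed-instance> [<managed-instance> ...]")
        return 2
    report = audit(argv[1:])
    for host, ports in sorted(report.items()):
        for port, (state, detail) in sorted(ports.items()):
            print(f"{host}:{port} ({REQUIRED_PORTS[port]}): {state} - {detail}")
    # A non-zero exit status lets the check gate a deployment script.
    return 1 if blocked(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the Operations Center server, because the result depends on the network path between that server and each managed instance.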

Q. Why does the number of alarms in the Alarm Summary and the total alarm count differ in Operations Center and the managed instances?

A. You might have customized settings differently for the Operations Center and the managed instances. Check the following on both Operations Center and the managed instances to ensure they have the same settings:

User Preferences—Click your login name in the top right-hand corner, then click My Preferences. Make sure the settings under Alarms are the same in Operations Center and the managed instances.

System Settings—Choose Administration > Settings > System Settings, then click Alarms and Events. Make sure that all the settings under Alarm Display Options are the same in Operations Center and the managed instances. By default, Prime Infrastructure and Operations Center hide acknowledged and cleared alarms, but you can choose to display them.

For more information, see Customizing the Alarm Summary in the Cisco Prime Infrastructure 3.0 User Guide.

Q. Why does the number of aggregated events and syslogs differ in Operations Center and managed instances?

A. Events and syslogs are constantly changing on managed instances. (If you click the Refresh button every 5 seconds, you can see the constant changes.) Because of the time it takes to update the corresponding information in Operations Center, these two numbers might not always be in sync.

You should not compare the number displayed in the individual managed instances with the number displayed in Operations Center. The information displayed in the managed instances is more current than that displayed in the Operations Center.

Q. Why can’t I go directly to the Events page?

A. We will fix this issue in a future release. (See CSCui47865 for details.) To work around this issue, on the Alarms page that is displayed, click the Events tab, then click Refresh to view the events data.

Q. Why does the device details page display multiple devices instead of filtering on the device I selected?

A. This is a known limitation within Operations Center and is likely due to the similarity of device names on your managed instances.

Q. Why are there discrepancies in the report values generated between Operations Center and Prime Infrastructure?

A. Because of the differences in how the values are generated for Operations Center and Prime Infrastructure, minor discrepancies are expected. Prime Infrastructure generates values using fractional values. Operations Center aggregates these values using a set of rounded numbers. See CSCui29279 for details.

Q. Does Operations Center support third-party devices?

A. No. Because third-party devices are queried directly, there is not a corresponding NBI API to retrieve the data.

Q. From the Network Device Summary dashlet, why can’t I cross-launch to my third party APs?

A. This is a known issue. None of the third party APs are displayed.

Q. How do you enable GZip compression for reports?

A. To enable GZip compression in Operations Center, go to Administration > Settings > System Settings > General > Report, click Enable Compression, then click Save.

Q. In Operations Center, why am I unable to cross-launch a managed instance and filter on my syslogs from the Monitor > Monitoring Tools > Alarms and Events > Syslogs tab?

A. Prime Infrastructure does not support filtering by instanceId for Syslogs. Therefore, Operations Center does not support filtering on Syslogs when cross launching to a managed instance.

A. You need to change the default character encoding scheme to Western (ISO-8859-1). By default, the character encoding is set to UTF8 in FireFox ESR 17.0.6. After you change the setting, refresh the browser.

Q. Why does the Current Associated Wired Clients table look different in Operations Center and Prime Infrastructure?

A. The Operations Center table has fixed columns, while Prime Infrastructure has customizable columns.

Q. Why is there a discrepancy in the VLAN ID and Association ID on the Clients and Users page between Operations Center and the managed instances?

A. This data changes frequently. As a result, the managed instances data may have already changed before the Operations Center was updated.

Q. Why is there a discrepancy in CPU Utilization and Memory Utilization fields for Autonomous AP on the device details page between Operations Center and the managed instances?

A. These fields change very quickly. Operations Center collects, aggregates, and then displays the data from the managed instances. Because of the time it takes to update this information in Operations Center, the data might not always be in sync. The information displayed in the managed instances is more current than that displayed in the Operations Center.

Q. Why does the network devices count (between Operations Center and managed instances) shown in the Network Devices table not match when someone tries to add them to a virtual domain?

A. In Prime Infrastructure, when you are adding a device to a virtual domain, you see all devices, even devices that cannot be added due to an incomplete inventory collection. In Operations Center, devices that cannot be added to a virtual domain are not displayed. See CSCuu41360 for details.

Q. Why do some managed instances keep going into Unreachable state?

A. This might occur if you initiate multiple concurrent cross-launches to the managed instances. This creates many SSO sessions for the managed instances, which might cause a session limit error and make the managed instance unreachable in Operations Center.

Q. Does Operations Center support High Availability (HA)?

A. Operations Center does support HA for its managed instances. If the managed instances have HA enabled and the primary server goes down, Operations Center automatically reroutes all calls to its secondary server and indicates the status of the instances by marking them as Backup on the Manage and Monitor Server page.

However, you cannot set up a secondary server for Operations Center itself. Because data is kept on the managed instances and very little data is stored in Operations Center’s database, there isn’t a need for high availability on Operations Center.

Q. How do you disable auto-logout in Operations Center?

A.

To disable auto log out:

1.

Click your login name in the top right-hand corner, then click My Preferences.

2.

3.

Under User Idle Timeout, uncheck Logout idle user, then click Save.

Choose Administration > Settings > System Settings > Server, then under Global Idle Timeout, uncheck Logout all idle users, then click Save.

Q.

How do you set up Single-Sign-On (SSO) in Operations Center?

A.

You must set up Single-Sign-On (SSO) so that Operations Center acts as the SSO server and the managed instances act as the SSO clients as explained in the following steps:


In Operations Center:

1. Select Administration > Users > Users, Roles & AAA, then select SSO Servers from the left-hand menu.

2. From the Select a command dropdown menu, select Add SSO Server, then click Go.

3. Complete the required fields, then click OK.

4. From the left-hand menu, select AAA Mode Settings.

5. Click SSO, then click Save.

6. Log out of Operations Center.

In each managed instance:

1. Select Administration > Users > Users, Roles & AAA, then select SSO Servers from the left-hand menu.

2. From the Select a command dropdown menu, select Add SSO Server, then click Go.

3. Complete the required fields, then click OK.

4. From the left-hand menu, select AAA Mode Settings.

5. Click SSO, then click Save.

6. Log out of the managed instance.

To ensure that SSO is working properly, log in to Operations Center, open a new browser tab and access one of your managed instances. If you're automatically logged into your Prime Infrastructure instance without having to re-authenticate, then SSO is working as expected.

Q. Does Operations Center support TACACS?

A. Yes. To set up TACACS or another central authentication server in Operations Center, follow these steps:

1. Select Administration > Users > Users, Roles & AAA, then select TACACS+ Servers from the left-hand menu.

2. From the Select a command dropdown menu, select Add TACACS+ Server, then click Go.

3. Complete the required fields, then click OK.

4. From the left-hand menu, select SSO Server Settings.

5. Click TACACS+, then click Save.

Q. How do I avoid a “single point of failure” with Operations Center?

A. To avoid a single point of failure with Operations Center, configure a second Prime Infrastructure instance as an SSO server. Ensure that it contains all the TACACS details (if applicable). Specify this server as the second SSO server for all your managed instances. If your Operations Center server goes down, the Prime Infrastructure instances will reroute to this instance to authenticate users.


PART 4

Configuring Devices

Configuring Network Devices

Using Templates to Configure Devices

Configuring Wireless Devices

Creating Controller Configuration Groups

Configuring Wireless Technologies

Scheduling Configuration Tasks

Auditing Device Configurations to Ensure Compliance

Configuring Plug and Play

CHAPTER 19

Configuring Network Devices

From the Configuration > Network > Network Devices page, you can view all devices and device configuration information. The Network Devices page contains configuration functions as described in Table 19-1.

Table 19-1 Configuration > Network > Network Devices Tasks

Task: Manage devices
Description: You can add, edit, delete, sync, and export devices, add and delete devices from groups and sites, and perform a bulk import.
Location in Configuration > Network > Network Devices: Buttons are located across the top of the page.

Task: View basic device information and collection status
Description: View basic device information such as reachability status, IP address, device type, and collection status.
Location in Configuration > Network > Network Devices: Hover your mouse cursor over the Reachability cell to view the status. Click the icon in the Last Inventory Collection cell to view errors related to the inventory collection. Click the icon next to the IP Address to access the 360° view for that device. For controllers, click the arrow to launch the controller web UI.

Task: Manage device groups
Description: By default, Cisco Prime Infrastructure creates dynamic device groups and assigns devices to the appropriate Device Type folder. You can create new device groups that appear under the User Defined folder.
Location in Configuration > Network > Network Devices: Displayed in the left pane of the page.

Task: Add devices to site groups
Description: After you set up a site group profile, you can add devices to it. To add devices to site groups in the Network Devices page, add them to Group and then select site group. To add devices to site maps, go to Maps > Site Map.
Note: A device can belong to one site group hierarchy only.
Note: The devices added to a site group on this page are not added in the Maps > Site Map page. Similarly, the devices added in the Site Map Design page are not added to site groups on this page.
Location in Configuration > Network > Network Devices: Groups & Sites button located at the top of the page.

Task: View device details
Description: View device details such as memory, port, environment, and interface information.
Location in Configuration > Network > Network Devices: Click on a Device Name to view the detailed configuration information for that device.

Task: Create and deploy configuration templates
Description: You can configure device features on the selected device. You can also view the list of applied and scheduled feature templates that were deployed to the device.
Location in Configuration > Network > Network Devices: Click on a Device Name, then click the Configuration tab.

Task: View device configurations
Description: View archived configurations, schedule configuration rollbacks, and schedule archive collections.
Location in Configuration > Network > Network Devices: Click on a Device Name, then click the Configuration Archives tab.

Task: View software images
Description: You can view the recommended software image for a single device, and then import or distribute that image.
Location in Configuration > Network > Network Devices: Click on a Device Name, then click the Image tab. Scroll down to Recommended Images to view the recommended image for the device that you selected. Prime Infrastructure gathers the recommended images from both Cisco.com and the local repository.

Task: View interface details
Description: You can view the description, admin status, and operational status of the interface.
Location in Configuration > Network > Network Devices: Click on a Device Name, click the Configuration tab, then in the left frame, click Interfaces to view the interface details.

Task: View and modify TrustSec configuration
Description: You can view and modify the TrustSec configuration of a TrustSec-based device.
Location in Configuration > Network > Network Devices: Click on a Device Name, click the Configuration tab, then in the left frame, click Security > TrustSec > Wired 802_1x.

Related Topics

Configuring Network Devices

Using Templates to Configure Devices

Configuring Wireless Devices


Creating Controller Configuration Groups

Configuring Wireless Technologies

Scheduling Configuration Tasks

Auditing Device Configurations to Ensure Compliance

Configuring Plug and Play


CHAPTER 20

Using Templates to Configure Devices

You can use Cisco Prime Infrastructure configuration templates to design the set of device configurations that you need to set up the devices in a branch. When you have a site, office, or branch that uses a similar set of devices and configurations, you can use configuration templates to build a generic configuration that you can apply to one or more devices in the branch. You can also use configuration templates when you have a new branch and want to quickly and accurately set up common configurations on the devices in the branch. Altering configurations across a large number of devices can be tedious and time-consuming, and templates save you time by applying the necessary configurations and ensuring consistency across devices.

Related Topics

Guidelines for Planning Your Network Design

Creating Feature-Level Configuration Templates

Creating Composite Templates

Shared Policy Objects

Grouping Configuration Templates with Devices

Controller Configuration Groups

Creating Wireless Configuration Templates

Creating Switch Location Configuration Templates

Creating Security Templates

Deploying Templates

Guidelines for Planning Your Network Design

When you plan your network design and then create templates based on that design, you can increase operational efficiency, reduce configuration errors, and improve compliance with standards and best practices. Consider the following factors when using Prime Infrastructure to create reusable design patterns to simplify device configurations:

What is the size of your network?

How diverse are the devices and services that you support?

How many network designers do you have?

What degree of precision do you need in controlling your network?


If you have a small network with only one or two designers and not much variation among device configurations, you could start by copying all CLI configurations you know are “good” into a set of configuration and monitoring templates, then create a composite template that contains these templates.

If you have a large network with many different devices, try to identify the configurations you can standardize. Creating feature and technology templates as exceptions to these standards allows you to turn features on and off as needed.

Related Topics

Creating Feature-Level Configuration Templates

Creating Composite Templates

Shared Policy Objects

Controller Configuration Groups

Creating Wireless Configuration Templates

Creating Switch Location Configuration Templates

Creating Security Templates

Creating Feature-Level Configuration Templates

Prime Infrastructure provides the following types of feature-level configuration templates:

Features and technologies templates—Configurations that are specific to a feature or technology in a device’s configuration.

CLI templates—User-defined templates that are created based on your own parameters. CLI templates allow you to choose the elements in the configurations. Prime Infrastructure provides variables that you replace with actual values and logic statements. You can also import templates from the Cisco Prime LAN Management System.

Composite templates—Two or more feature or CLI templates grouped together into one template. You specify the order in which the templates contained in the composite template are deployed to devices.

Related Topics

Creating Features and Technologies Templates

Creating Composite Templates

Creating Wireless Configuration Templates

Creating Switch Location Configuration Templates

Creating CLI Configuration Templates

Creating Security Templates

Creating Features and Technologies Templates

Features and Technologies templates are templates that are based on device configuration and that focus on specific features or technologies in a device’s configuration.


When you add a device to Prime Infrastructure, Prime Infrastructure gathers the device configuration for the model you added. Prime Infrastructure does not support every configurable option for all device types. If Prime Infrastructure does not have a Features and Technologies template for the specific feature or parameter that you want to configure, create a CLI template.

Features and Technologies templates simplify the deployment of configuration changes. For example, you can create an SNMP Features and Technologies template and then quickly apply it to devices you specify. You can also add this SNMP template to a composite template. Then later, when you update the SNMP template, the composite template in which the SNMP template is contained automatically has your latest changes.

To create a Features and Technologies template, follow these steps:

Step 1 Choose Configuration > Templates > Features and Technologies.

Step 2 In the Features and Technologies menu on the left, choose a template type to create.

Step 3 Complete the fields for that template.

If you are creating a feature template that applies only to a particular device type, the Device Type field lists only the applicable device type, and you cannot change the selection. Specifying a device type helps you to prevent a mismatch; that is, you cannot create a configuration and apply the configuration to a wrong device.

Step 4 Click Save as New Template. After you save the template, apply it to your devices.

Step 5 To verify the status of a template deployment, choose Administration > Dashboard > Jobs Dashboard.

Step 6 To modify the deployment parameters for any subsequent configuration template deployments, select a configuration job, then click Edit Schedule.

Related Topics

Creating Composite Templates

Creating CLI Configuration Templates

Creating Features and Technologies Templates

Example: Creating an ACL Template

To create an ACL template, follow these steps:

Step 1 Choose Configuration > Templates > Features and Technologies > Security > ACL.

Step 2 Enter the mandatory fields.

Step 3 In the Template Detail, click Add Row.

Step 4 Enter the ACL details, then click Save as New Template.

Step 5 Click the arrow to expand the ACL, then click Add Row to provide additional details about the ACL such as the action, source IP address, and wildcard mask.

Step 6 Click Save.

Step 7 After you save the template, you can specify devices, values, and scheduling information to tailor your deployment.


Related Topics

Creating Features and Technologies Templates

Creating CLI Templates

CLI templates are a set of re-usable device configuration commands with the ability to parameterize select elements of the configuration as well as add control logic statements. This template is used to generate a device deployable configuration by replacing the parameterized elements (variables) with actual values and evaluating the control logic statements.

To view the list of system CLI templates, choose Configuration > Templates > Features and Technologies > CLI Templates > System Templates - CLI. You cannot delete a System Template, but you can modify and save it as a new template. In this page, you can import or export any template. You cannot import a template under the system defined folder. The Undeploy button is disabled in this page because CLI templates do not have an option to undeploy them.

Prerequisites for Creating CLI Templates

Before you create a CLI template, you must:

Have expert knowledge and understanding of the CLI and be able to write the CLI in Apache VTL. For more information about Apache Velocity Template Language, see http://velocity.apache.org/engine/devel/vtl-reference-guide.html.

Understand to what devices the CLI you create can be applied.

Understand the data types supported by Prime Infrastructure.

Understand and be able to manually label configurations in the template.

To know how to use variables and data types, see Variables and Data Types.

Creating CLI Configuration Templates

Use templates to define device parameters and settings, which you can later deploy to a specified number of devices based on device type.

Before You Begin

Make sure that you have satisfied the prerequisites (see Prerequisites for Creating CLI Templates).

Step 1 Choose Configuration > Templates > Features and Technologies.

Step 2 Expand the CLI Templates folder, then click CLI.

Step 3 Enter the required information.

In the OS Version field, you can specify an OS image version so that you can filter out devices older than the one that you specified.

a. In the Template Detail section, click the Manage Variables icon (above the CLI Content field). This allows you to specify a variable for which you will define a value when you apply the template.

b. Click Add Row and enter the parameters for the new variable (see Variables and Data Types), then click Save.

c. Enter the CLI information. In the CLI field, you must enter code using Apache VTL (see http://velocity.apache.org/engine/devel/vtl-reference-guide.html). For more information about different CLI command formats, see:

Adding Multi-line Commands

Adding Enable Mode Commands

Adding Interactive Commands

d. (Optional) To change the variables, click the Manage Variables icon, and then make your changes (see Variables and Data Types). Click Form View (a read-only view) to view the variables.

Step 4 Click Save As New Template, specify the folder in which you want to save the template, then click Save.

To duplicate a CLI template, expand the System Templates - CLI, hover your mouse cursor over the quick view picker icon next to CLI, and then click Duplicate.

Variables and Data Types

You can use variables as placeholders to store values. The variables have names and data types. Table 20-1 lists data types that you can configure in the Manage Variables page.

Table 20-1 Data Types

Data Type: String
Description: Enables you to create a text box for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value and Validation Expression fields.

Data Type: Integer
Description: Enables you to create a text box that accepts only numeric values. If you want to specify a range for the integer, expand the row and configure the Range From and To fields. To specify a validation expression and a default value, expand the row and configure the Default Value and Validation Expression fields.

Data Type: DB
Description: Enables you to specify a database type. See Managing Database Variables in CLI Templates.

Data Type: IPv4 Address
Description: Enables you to create a text box that accepts only IPv4 addresses for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value and Validation Expression fields.

Data Type: Drop-down
Description: Enables you to create a list for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value field (with a comma-separated value for multiple lists which appears in the UI).

Data Type: Check box
Description: Enables you to create a check box for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value field.

Data Type: Radio Button
Description: Enables you to create a radio button for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value field.

Data Type: Text Area
Description: Enables you to create a text area which allows multiline values for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value and Validation Expression fields.

Managing Database Variables in CLI Templates

You can use database (DB) variables for the following reasons:

DB variables are one of the data types in CLI templates. You can use the DB variables to generate device-specific commands.

DB variables are predefined variables. To view the list of predefined DB variables, see the CLITemplateDbVariablesQuery.properties file in the following folder: /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate.

For example, SysObjectID, IPAddress, ProductSeries, and ImageVersion are DB variables. When a device is added to Prime Infrastructure, the complete details of the device are collected in the DB variables. That is, the OID of the device is collected in SysObjectID, the product series in ProductSeries, the image versions of the device in ImageVersion, and so on.

Using the data collected by the DB variables, accurate commands can be generated for the device.

You can select the DB variable in the Type field (using the Managed Variables page). Expand the name field and fill in the default value field with any of the DB variables that you want to use.

When a device is discovered and added to Prime Infrastructure, you can use the database values that were gathered during the inventory collection to create CLI templates.

For example, if you want to create a CLI template to shut down all interfaces in a branch, create a CLI template that contains the following commands:

#foreach ($interfaceName in $interfaceNameList)
interface $interfaceName
shutdown
#end

where $interfaceNameList is the database variable type whose value will be retrieved from the database. $interfaceNameList has a default value of IntfName. You need to create the interfaceNameList variable as DB data type (using the managed variable dialog box) and set the default to IntfName. If you have not specified a default value, you can specify it when you apply the CLI template.

To populate interfaceNameList with the value from the database, you must create a properties file to capture the query string and save it in the /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate folder.

To view the predefined DB variables, go to the following path:

cd /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate

After you create and apply the CLI template and the property file, the following CLI is configured on the devices. This output assumes that the device has two interfaces (GigabitEthernet0/1 and GigabitEthernet0/0):

interface GigabitEthernet0/0
shutdown
interface GigabitEthernet0/1
shutdown

Note

While it is possible to create a customized query using Enterprise JavaBeans Query Language (EJB QL), only advanced developers should attempt this. We recommend you use the variables defined in the CLITemplateDbVariablesQuery.properties file only.

Using Validation Expression

The values that you define in the Validation Expression are validated with the associated component value. For example, if you enter a default value and a validation expression value in the design flow, this will be validated during the design flow. That is, if the default value does not match the value entered in the validation expression, you will get an error at the design flow.

Note

The validation expression value works only for the string data type field.


Example:

Choose Configuration > Features and Technologies > CLI Templates > CLI > Manage Variables > Add Row. Choose string data type and then expand the row and configure the regular expression, which will not allow a space in that text box.

Enter the following expression in the validating expression field.

^[\S]+$

Default value (optional): ncs

(The value should match with regular expression in the validation expression field.)

Result:

Save the template, and then select a device. Try to enter a space in the text field. You will encounter a regular expression error.
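The following Python sketch is an added example, not part of the Cisco guide or of Prime Infrastructure: it checks a set of variable values against the data types in Table 20-1 before deployment, applying the validation expression only to String variables as the note above states. The variable names, definitions and sample values are constructed, the reading of the Drop-down default as a list of choices is an assumption, and so is the whole-value match, since the guide does not say how the expression is evaluated.

```python
import ipaddress
import re

# Constructed variable definitions modelled on the Manage Variables fields in
# Table 20-1. Variable names and values are hypothetical, not from the guide.
VARIABLES = {
    "hostName": {"type": "String", "validation": r"^[\S]+$", "default": "ncs"},
    "vlanId": {"type": "Integer", "range": (1, 4094), "default": "10"},
    "mgmtIp": {"type": "IPv4 Address", "default": "192.0.2.1"},
    "portMode": {"type": "Drop-down", "default": "access,trunk"},
}


def check_value(name, value, definitions=VARIABLES):
    """Return a list of problems for one variable value (empty list = accepted)."""
    spec = definitions.get(name)
    if spec is None:
        return [f"{name}: not a declared template variable"]
    kind = spec["type"]
    problems = []
    if kind == "String":
        pattern = spec.get("validation")
        # Assumption: the whole value has to match. fullmatch() also rejects a
        # trailing line break, which re.match() with '$' would let through.
        if pattern and re.fullmatch(pattern, value) is None:
            problems.append(f"{name}: {value!r} does not match {pattern}")
    elif kind == "Integer":
        if re.fullmatch(r"-?[0-9]+", value) is None:
            problems.append(f"{name}: {value!r} is not an integer")
        elif "range" in spec:
            low, high = spec["range"]
            if not low <= int(value) <= high:
                problems.append(f"{name}: {value} is outside {low}-{high}")
    elif kind == "IPv4 Address":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{name}: {value!r} is not an IPv4 address")
    elif kind == "Drop-down":
        # Assumed reading: the Default Value field holds the comma-separated choices.
        choices = [choice.strip() for choice in spec["default"].split(",")]
        if value not in choices:
            problems.append(f"{name}: {value!r} is not one of {choices}")
    return problems


def check_defaults(definitions=VARIABLES):
    """Design-time check: report any default value that fails its own rule."""
    problems = []
    for name, spec in definitions.items():
        if spec["type"] == "Drop-down" or "default" not in spec:
            continue
        problems.extend(check_value(name, spec["default"], definitions))
    return problems


def check_deployment(values, definitions=VARIABLES):
    """Check every value supplied for one device and return all problems."""
    problems = []
    for name, value in values.items():
        problems.extend(check_value(name, value, definitions))
    return problems


# Constructed per-device values, as they might arrive from an edited CSV file.
SAMPLE_VALUES = {
    "hostName": "branch sw1",   # contains a space
    "vlanId": "4095",           # outside the declared range
    "mgmtIp": "10.0.0.300",     # last octet is too large
    "portMode": "access",
}

if __name__ == "__main__":
    for problem in check_defaults() + check_deployment(SAMPLE_VALUES):
        print(problem)
```
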

Adding Multi-line Commands

To enter multi-line commands in the CLI Content area, use the following syntax:

<MLTCMD>First Line of Multiline Command

Second Line of Multiline Command

......

......

Last Line of Multiline Command</MLTCMD>

where:

<MLTCMD> and </MLTCMD> tags are case-sensitive and must be entered as uppercase.

The multi-line commands must be inserted between the <MLTCMD> and </MLTCMD> tags.

Do not start this tag with a space.

Do not use <MLTCMD> and </MLTCMD> in a single line.

Example 1:

<MLTCMD>banner motd ~ Welcome to

Cisco. You are using

Multi-line commands.

~</MLTCMD>

Example 2:

<MLTCMD>banner motd ~ ${message}

~</MLTCMD>

where message is a multi-line input variable.

Restrictions for Using Multi-line Banner Commands

You can use the “banner file xyz” format as shown in the following example:

#conf t

Enter configuration commands, one per line. End with Ctrl-Z.

(config)#parameter-map type webauth global

(config-params-parameter-map)# type webauth

(config-params-parameter-map)#banner file tftp://192.168.0.0/banner.txt

(config-params-parameter-map)#^Z

#more tftp://192.168.0.0/banner.txt

Disclaimer:


Usage of this wireless network is restricted to authorized users only.

Unauthorized access is strictly forbidden.

All accesses are logged and can be monitored.

#

Adding Enable Mode Commands

Use this syntax to add enable mode commands to your CLI templates:

#MODE_ENABLE

<<commands >>

#MODE_END_ENABLE

Adding Interactive Commands

An interactive command contains the input that must be entered following the execution of a command.

To enter an interactive command in the CLI Content area, use the following syntax:

CLI Command<IQ>interactive question 1<R>command response 1 <IQ>interactive question 2<R>command response 2

where <IQ> and <R> tags are case-sensitive and must be entered as uppercase.

For example:

#INTERACTIVE
crypto key generate rsa general-keys <IQ>yes/no<R> no

#ENDS_INTERACTIVE

Combining Interactive Enable Mode Commands

Use this syntax to combine interactive Enable Mode commands:

#MODE_ENABLE

#INTERACTIVE
commands<IQ>interactive question<R>response

#ENDS_INTERACTIVE

#MODE_END_ENABLE

For example:

#MODE_ENABLE

#INTERACTIVE
mkdir <IQ>Create directory<R>xyz

#ENDS_INTERACTIVE

#MODE_END_ENABLE

Adding Interactive Multiline Commands

This is an example of an interactive command that contains multiple lines:

#INTERACTIVE
macro name EgressQoS<IQ>Enter macro<R><MLTCMD>mls qos trust dscp
wrr-queue queue-limit 10 25 10 10 10 10 10
wrr-queue bandwidth 1 25 4 10 10 10 10
priority-queue queue-limit 15
wrr-queue random-detect 1
wrr-queue random-detect 2
wrr-queue random-detect 3
wrr-queue random-detect 4
wrr-queue random-detect 5
wrr-queue random-detect 6
wrr-queue random-detect 7
wrr-queue random-detect max-threshold 1 100 100 100 100
wrr-queue random-detect min-threshold 1 80 100 100 100
wrr-queue random-detect max-threshold 2 100 100 100 100
wrr-queue random-detect min-threshold 2 80 100 100 100
wrr-queue random-detect max-threshold 3 80 90 100 100
wrr-queue random-detect min-threshold 3 70 80 90 100
wrr-queue random-detect min-threshold 4 70 80 90 100
wrr-queue random-detect max-threshold 4 80 90 100 100
wrr-queue random-detect min-threshold 5 70 80 90 100
wrr-queue random-detect max-threshold 5 80 90 100 100
wrr-queue random-detect min-threshold 6 70 80 90 100
wrr-queue random-detect max-threshold 6 80 90 100 100
wrr-queue random-detect min-threshold 7 60 70 80 90
wrr-queue random-detect max-threshold 7 70 80 90 100
@</MLTCMD>
#ENDS_INTERACTIVE
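The syntax rules for multi-line, enable mode and interactive commands can be checked before a template is saved. The Python linter below is an added example, not Cisco code: it applies the rules stated in this section to a CLI Content body. It reads "Do not start this tag with a space" as "no whitespace before <MLTCMD> at the start of a line" and assumes every <IQ> question is followed by an <R> response on the same line; both sample templates are constructed.

```python
import re

# Directive pairs and tags taken from the syntax shown in this section.
BLOCKS = {"#MODE_ENABLE": "#MODE_END_ENABLE", "#INTERACTIVE": "#ENDS_INTERACTIVE"}
CLOSERS = set(BLOCKS.values())
TAG = re.compile(r"</?(?:MLTCMD|IQ|R)>", re.IGNORECASE)


def lint_template(text):
    """Return (line_number, message) findings for one CLI Content body."""
    findings = []
    stack = []        # open directives as (name, line_number)
    mlt_open = None   # line where the current <MLTCMD> block started
    for no, line in enumerate(text.splitlines(), 1):
        # Tags are case-sensitive and must be uppercase.
        for tag in TAG.findall(line):
            if tag != tag.upper():
                findings.append((no, f"{tag} must be uppercase"))
        # Assumed reading of "Do not start this tag with a space".
        if re.match(r"\s+<MLTCMD>", line):
            findings.append((no, "space before <MLTCMD>"))
        opens, closes = line.count("<MLTCMD>"), line.count("</MLTCMD>")
        if opens and closes:
            findings.append((no, "<MLTCMD> and </MLTCMD> on a single line"))
        if opens:
            if mlt_open is not None:
                findings.append((no, f"<MLTCMD> reopened; line {mlt_open} still open"))
            mlt_open = no
        if closes:
            if mlt_open is None:
                findings.append((no, "</MLTCMD> without <MLTCMD>"))
            mlt_open = None
        # Assumption: each <IQ> question has its <R> response on the same line.
        if len(re.findall(r"<IQ>.*?<R>", line)) != line.count("<IQ>"):
            findings.append((no, "<IQ> question without an <R> response"))
        # Directives are recognised as the first word of a line.
        words = line.split()
        word = words[0] if words else ""
        if word in BLOCKS:
            stack.append((word, no))
        elif word in CLOSERS:
            if stack and BLOCKS[stack[-1][0]] == word:
                stack.pop()
            else:
                findings.append((no, f"{word} has no matching opening directive"))
    for name, no in stack:
        findings.append((no, f"{name} is never closed with {BLOCKS[name]}"))
    if mlt_open is not None:
        findings.append((mlt_open, "<MLTCMD> is never closed"))
    return findings


# Constructed sample that follows the rules (built from this section's examples).
GOOD = """\
#MODE_ENABLE
#INTERACTIVE
mkdir <IQ>Create directory<R>xyz
#ENDS_INTERACTIVE
#MODE_END_ENABLE
<MLTCMD>banner motd ~ Welcome to
Cisco. You are using
Multi-line commands.
~</MLTCMD>
"""

# Constructed sample with one violation of each kind.
BAD = """\
#MODE_ENABLE
 <MLTCMD>banner motd ~ hello ~</MLTCMD>
<mltcmd>banner motd ~ a
~</mltcmd>
#INTERACTIVE
crypto key generate rsa general-keys <IQ>yes/no
#ENDS_INTERACTIVE
"""

if __name__ == "__main__":
    for line_no, message in sorted(lint_template(BAD)):
        print(f"line {line_no}: {message}")
```
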

Creating CLI Configuration Templates from Copied Code

A quick way to create CLI configuration templates is to copy code from a command line configuration session, CLI script, or other stored set of configuration commands. Prime Infrastructure lets you turn all the CLI parameters in the copied CLI into template variables.

To create a CLI template variable from copied code:

Step 1 Choose Configuration > Templates > Features and Technologies.

Step 2 Expand the CLI Template folder, then click CLI.

Step 3 In the CLI template, paste the copied code into the CLI Content field.

Step 4 Select the text that is to be the variable name and click Manage Variables (the icon above the CLI Content field).

You can use this same procedure to edit an existing variable created from copied code.

Step 5 Fill out the required information, then click Save > Add.

Step 6 To view the new variable, click Form View.

Exporting a CLI Configuration Template

If you have CLI templates in any other Prime Infrastructure server, you can export them as an XML file and import them into your current Prime Infrastructure server.

Step 1 Choose Configuration > Templates > Features and Technologies.

Step 2 Expand the CLI Template folder, then click System Templates - CLI.

Step 3 Select the template(s) that you want to export.

Step 4 Click the Export icon at the top right of the CLI template page.

Importing a CLI Configuration Template

Step 1 Choose Configuration > Templates > Features and Technologies.

Step 2 Expand the CLI Template folder, then hover your mouse cursor over the quick view picker icon next to CLI.

Step 3 Click Show All Templates.

Step 4 Click the Import icon at the top right of the CLI template page.

Step 5 Click Select Templates to navigate to your file, then click OK.

Exporting CLI Variables

You can export the CLI variables into a CSV file while deploying a CLI configuration template. You can use the CSV file to make necessary changes in the variable configuration and import it into Prime Infrastructure at a later time.

Step 1 Choose Configuration > Templates > Features and Technologies > CLI Templates.

Step 2 Click System Templates - CLI.

Step 3 Select the template whose variables you want to export.

Step 4 Click Deploy.

Step 5 Select devices in Device Selection area.

Step 6 Click the Export icon at the top right of the Value Assignment area.

Step 7 Click OK.

Exporting the variables without any data will export a blank file.

Importing CLI Variables

Step 1 Choose Configuration > Templates > Features and Technologies > CLI Templates.

Step 2 Click System Templates - CLI.

Step 3 Select the template whose variables you want to import.

Step 4 Click the Import icon at the top right of the CLI template page.

Step 5 Click OK.

Example: Updating Passwords Using a CLI Template

You might want to update the password for network devices on a regular basis, once every six months. To make the changes in a rolling fashion, you plan to perform the operation once for two regions every three months.

In this example, there are four custom dynamic groups, one for each region based on the cities in every region: North Region, South Region, East Region, and West Region. You must update the enable password for all of the devices in the North and South regions. After this is complete, you plan to schedule another job for the West and East region devices three months later.

Before You Begin

The devices in these regions must have an assigned location attribute.

Step 1 If the four groups, North Region, South Region, East Region, and West Region, have not been created:

a. Choose Inventory > Device Management > Network Devices, then hover your mouse cursor over User Defined and click Add SubGroup.

b. In the Create Sub-Group area, enter:

Group Name: North Region

Group Description: List of devices in the north region

Filter: Location > Contains > SJC-N

To determine the location of a device, choose Inventory > Device Management > Network Devices > (gear icon) > Columns > Location.

The devices for the new group appear under Device Work Center > User Defined > North.

c. Do the same for south, east, and west regions.

Step 2 To deploy the password template:

a. Choose Configuration > Templates > Features and Technologies > CLI Templates > System Templates-CLI.

b. Select the Enable Password-IOS template and click Deploy.

c. In the Device Selection area, open the User Defined groups and select the North Region and South Region groups.

d. In the Value Selection area, enter and confirm the new enable password, then click Apply.

e. In the Schedule area, enter a name for the job, the date and time to apply the new template (or click Now), then click OK.

Step 3 After the job has run, choose Administration > Jobs to view the status of the job (see Monitoring Jobs).
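A pre-flight check for the rotation described above, as an added example that is not part of the Cisco guide: it applies the same "Location contains" grouping to a device inventory and reports devices that no region group would select, which would keep their old enable password after both jobs have run. The inventory rows, the SJC-S, SJC-E and SJC-W filter strings, and all function names are constructed for illustration; only SJC-N appears in the guide.

```python
"""Pre-flight check for a rolling enable-password rotation by region group."""
from dataclasses import dataclass

# Filter strings for the four dynamic groups ("Location > Contains > value").
# Only SJC-N comes from the guide; the other three are assumed by analogy.
REGION_FILTERS = {
    "North Region": "SJC-N",
    "South Region": "SJC-S",
    "East Region": "SJC-E",
    "West Region": "SJC-W",
}

# Rolling plan from the example: two regions now, the other two three months later.
ROTATION_WAVES = [
    ("wave 1 (now)", ["North Region", "South Region"]),
    ("wave 2 (+3 months)", ["West Region", "East Region"]),
]


@dataclass(frozen=True)
class Device:
    name: str
    location: str  # empty string means no location attribute is assigned


def group_members(devices, filters=REGION_FILTERS):
    """Return {group: [device names]} using a 'contains' match on location."""
    members = {group: [] for group in filters}
    for dev in devices:
        for group, needle in filters.items():
            if dev.location and needle in dev.location:
                members[group].append(dev.name)
    return members


def coverage_gaps(devices, filters=REGION_FILTERS):
    """Find devices the rotation would miss or touch more than once."""
    members = group_members(devices, filters)
    hits = {dev.name: [g for g, names in members.items() if dev.name in names]
            for dev in devices}
    return {
        "no_location": sorted(d.name for d in devices if not d.location),
        "unmatched": sorted(d.name for d in devices
                            if d.location and not hits[d.name]),
        "multiple_groups": {n: gs for n, gs in sorted(hits.items()) if len(gs) > 1},
    }


def wave_plan(devices, waves=ROTATION_WAVES, filters=REGION_FILTERS):
    """Return [(wave label, sorted device names)] for each deployment job."""
    members = group_members(devices, filters)
    return [(label, sorted({n for g in groups for n in members[g]}))
            for label, groups in waves]


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("rtr-n1", "SJC-N/Bldg-1"),
    Device("rtr-s1", "SJC-S/Bldg-4"),
    Device("sw-e1", "SJC-E/Bldg-2"),
    Device("sw-w1", "SJC-W/Bldg-7"),
    Device("rtr-lab", ""),                  # no location attribute
    Device("sw-dr", "RTP-1/Bldg-9"),        # location set, but outside every filter
    Device("rtr-x", "SJC-N/SJC-S border"),  # matches two filters
]

if __name__ == "__main__":
    gaps = coverage_gaps(SAMPLE_INVENTORY)
    for label, names in wave_plan(SAMPLE_INVENTORY):
        print(f"{label}: {', '.join(names)}")
    print("never rotated (no location):", gaps["no_location"])
    print("never rotated (no filter match):", gaps["unmatched"])
    print("in more than one group:", gaps["multiple_groups"])
```

Devices listed under "never rotated" need a location attribute or a group filter fix before the first job is scheduled.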

Tagging Templates

You can label a set of templates by providing an intuitive name to tag the templates. After you create a tagged template, the template is listed under the My Tags folder. Tagging a configuration template helps you:

Search a template using the tag name in the search field

Use the tagged template as a reference to configure more devices

Tagging a New Configuration Template

To tag a new configuration template and publish the tagged template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies.

Step 2 Expand the Features and Technologies folder, choose an appropriate subfolder, and then choose a template type.

Step 3 Complete the required fields, enter a tag name in the Tags field, then click Save as New Template.

Tagging an Existing Template

To tag an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies.

Step 2 In the Features and Technologies menu on the left, expand the My Templates folder and choose the template that you want to update.

Step 3 Click the Tag icon, enter a tag name in the Tag as text box, then click Save.

Associating a Tag With Multiple Templates

You can associate a new tag name or an existing tag with multiple templates.

Step 1 Choose Configuration > Templates > Features & Technologies.

Step 2 Click the Tag icon on the navigation toolbar of the Templates column.

Step 3 Enter a tag name in the Tag as field.

Step 4 In the My Templates folder, click the templates that are to be associated with the tag.

To associate all of the templates in the folder with the tag, select the check box next to the My Templates folder.

Step 5 Click Apply.

Creating Composite Templates

Create a composite template if you have a collection of existing features or CLI templates that you want to apply collectively to devices. For example, when you deploy a branch, you need to specify the minimum configurations for the branch router. Creating a composite template allows you to create a set of required features that include:

Feature templates for the Ethernet interface

A CLI template for additional features you require

All of the templates that you create can be added to a single composite template, which aggregates all of the individual feature templates that you need for the branch router. You can then use this composite template to perform branch deployment operations and to replicate the configurations at other branches.

If you have multiple similar devices replicated across a branch, you can create and apply a master (golden) composite template for all of the devices in the branch. You can use this master composite template to:

Simplify deployment and ensure consistency across your device configurations.

Compare against an existing device configuration to determine if there are mismatches.

Create new branches.

Step 1 Choose Configuration > Templates > Features & Technologies > Composite Templates > Composite Templates.

Step 2 Provide the required information.

From the Device Type drop-down list, choose the devices to which all of the templates contained in the composite template apply. For example, if your composite template contains one template that applies to Cisco 7200 Series routers and another that applies to all routers, choose the Cisco 7200 Series routers in the Device Type list.

If a device type is dimmed, the template cannot be applied on that device type.

In the Template Detail area, choose the templates to include in the composite template.

Using the arrows, put the templates in the composite in the order in which they should be deployed to the devices. For example, to create an ACL and associate it with an interface, put the ACL template first, followed by the interface template.

Step 3 Click Save as New Template. After you save the template, apply it to your devices (see Creating Features and Technologies Templates).

Related Topic

Shared Policy Objects

Shared Policy Objects

Policy objects enable you to define logical collections of elements. They are reusable, named components that can be used by other objects and policies. They also eliminate the need to define a component each time that you define a policy.

Objects are defined globally. This means that the definition of an object is the same for every object and policy that references it. However, many object types (such as interface roles) can be overridden at the device level. This means that you can create an object that works for most of your devices, then customize the object to match the configuration of a particular device that has slightly different requirements.

To improve efficiency and accuracy in your configuration templates, you can create shared policy objects to include in your configuration templates. You create interface roles (see Interface Roles) or network objects (see Creating Network Objects) that you can add to your configuration templates.

Related Topics

Interface Roles

Creating Network Objects

Interface Roles

Interface roles allow you to define policies to specific interfaces on multiple devices without having to manually define the names of each interface. Interface roles can refer to any of the actual interfaces on the device, including physical interfaces, subinterfaces, and virtual interfaces such as loopback interfaces.

If you create an all-Ethernets interface role, you can define identical advanced settings for every Ethernet interface on the device with a single definition. You add this interface role to a configuration template, then deploy the template to the selected devices to configure the Ethernet interfaces.

Interface roles are especially useful when applying policies to new devices. As long as the devices that you are adding share the same interface naming scheme as existing devices, you can quickly deploy the necessary configuration template containing the interface role to the new devices.

Creating Interface Roles

An interface role allows you to dynamically select a group of interfaces without having to manually define the interfaces on each device. For example, you can use interface roles to define the zones in a zone-based firewall configuration template. You might define an interface role with a naming pattern of DMZ*. When you include this interface role in a template, the configuration is applied to all interfaces whose name begins with “DMZ” on the selected devices. As a result, you can assign a policy that enables anti-spoof checking on all DMZ interfaces to all relevant device interfaces with a single action.

Step 1 Choose Configuration > Templates > Shared Policy Objects.

Step 2 In the Shared Policy Objects pane, choose Shared > Interface Role.

Step 3 From the Interface Role page, click Add Object.

Step 4 From the Add Interface Role page, create matching rules for the interface role.

When you define the zone-based template, for example, all of the interfaces on the device that match the specified rules will become members of the security zone represented by this interface role. You can match interfaces according to their name, description, type, and speed.

Step 5 Click OK to save the configurations.
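A membership preview for a name-based interface role such as DMZ*, as an added example that is not Prime Infrastructure code: it shows which interfaces on each device the role would select and flags devices where the role would be empty, so the zone policy would not reach any interface there. Glob-style, case-sensitive matching, the inventory, and the function names are assumptions made for illustration.

```python
"""Preview which interfaces a name-pattern interface role would select."""
from fnmatch import fnmatchcase

# Constructed inventory: device -> interface names (not from real devices).
INVENTORY = {
    "branch-fw-01": ["DMZ0", "DMZ1", "Inside0", "Outside0", "Loopback0"],
    "branch-fw-02": ["DMZ0", "Inside0", "Outside0"],
    "branch-fw-03": ["dmz0", "Inside0", "Outside0"],                # naming drift (case)
    "branch-fw-04": ["GigabitEthernet0/2", "Inside0", "Outside0"],  # different scheme
}


def role_members(pattern, inventory):
    """Return {device: [interfaces matching the role's name pattern]}.

    Assumption: the pattern is a glob ('DMZ*' = name begins with 'DMZ') and
    matching is case-sensitive; confirm both against your own deployment.
    """
    return {device: [i for i in ifaces if fnmatchcase(i, pattern)]
            for device, ifaces in inventory.items()}


def review_role(pattern, inventory):
    """Classify devices before a template that uses the role is deployed."""
    members = role_members(pattern, inventory)
    prefix = pattern.rstrip("*").lower()
    report = {"covered": {}, "empty": [], "near_miss": {}}
    for device, matched in members.items():
        if matched:
            report["covered"][device] = matched
            continue
        # No interface joins the role here: the zone policy would apply nowhere.
        report["empty"].append(device)
        # Interfaces that would match if case were ignored: likely naming drift.
        close = [i for i in inventory[device] if i.lower().startswith(prefix)]
        if close:
            report["near_miss"][device] = close
    return report


if __name__ == "__main__":
    result = review_role("DMZ*", INVENTORY)
    for device, ifaces in result["covered"].items():
        print(f"{device}: role selects {ifaces}")
    for device in result["empty"]:
        hint = result["near_miss"].get(device, "no similar names")
        print(f"{device}: role is EMPTY ({hint})")
```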

Creating Network Objects

Network objects are logical collections of IP addresses or subnets that represent networks. Network objects make it easier to manage policies.

There are separate objects for IPv4 and IPv6 addresses; the IPv4 object is called “networks/hosts,” and the IPv6 object is called “network/hosts-IPv6.” Except for the address notation, these objects are functionally identical, and in many instances the name network/host applies to either type of object. Note that specific policies require the selection of one type of object over the other, depending on the type of address expected in the policy.

You can create shared policy objects to be used in the following configuration templates:

Zone-based firewall templates—See Creating a Zone-Based Firewall

Application Visibility—See Configuring Application Visibility

Step 1 Choose Configuration > Templates > Shared Policy Objects > Shared > IPv4 Network Object.

Step 2 From the Network Object page, click Add Object and add a group of IP addresses or subnets.

Step 3 Click OK to save the configurations.

Creating a Security Rule Parameter Map

To create and use a set of parameter map objects in the firewall rules, do the following:

Step 1 Choose Configuration > Templates > Shared Policy Objects.

Step 2 In the Shared Policy Objects pane, choose Shared > Security Rule Parameter Map.

Step 3 From the Security Rule Parameter Map page, click Add Object.

Step 4 Specify a name and description for the parameter map that is being created.

Step 5 From the parameters list, select the parameters you want to apply and provide a value for each of them.

Step 6 To specify Device Level Override, choose Device Level Override > Add Device.

Step 7 Select the device you wish to add, and click OK.

Step 8 Click OK to save the configurations.

Creating a Security Service Group

To create and use a set of parameter map objects in the firewall rules, do the following:

Step 1 Choose Configuration > Templates > Shared Policy Objects.

Step 2 In the Shared Policy Objects pane, choose Shared > Security Service.

Step 3 From the Security Service page, click Add Object.

Step 4 Specify a name and description for the service that is being created.

Step 5 Select the service data from the available list. If you select TCP or UDP, provide a list of port numbers or port ranges (separated by commas).

Step 6 To specify Device Level Override, choose Device Level Override > Add Device.

Step 7 Select the device you wish to add, and click OK.

Step 8 Click OK to save the configurations.

Creating a Security Zone

Step 1 Choose Configuration > Templates > Shared Policy Objects.

Step 2 In the Shared Policy Objects pane, choose Shared > Security Zone.

Step 3 From the Security Zone page, click Add Object.

Step 4 Specify a name and description for the security zone that is being created.

Step 5 Specify a set of rules that defines the interfaces that must be attached to the zone.

Step 6 To specify Device Level Override, choose Device Level Override > Add Device.

Step 7 Select the device you wish to add, and click OK.

Step 8 Click OK to save the configurations.

Grouping Configuration Templates with Devices

You might want to associate a set of configuration templates with specific devices. If you have devices that require the same configuration, you can create a configuration group that associates configuration templates with devices. Creating a configuration group allows you to quickly apply new templates without remembering to which devices the new templates should be deployed.

Composite templates allow you to group smaller templates together, but only configuration groups specify the relationship between the templates and the groups of devices to which those templates apply.

You can also specify the order in which the templates in the configuration group are deployed to the devices.

Before you create a configuration group, you should:

Create configuration templates for the devices in your configuration group. See Creating Features and Technologies Templates.

Determine which devices should be included in the configuration group.

Step 1 Choose Configuration > Templates > Configuration Groups.

Step 2 Complete the required fields. The device types displayed depend on what you select from the Device Type field.

Step 3 Where needed, change a template’s order in the group by selecting it and clicking the up or down arrow.

Step 4 Click Save as a New Configuration Group.

Table 20-2 describes the possible configuration group states.

Table 20-2 Configuration Group Status Descriptions

| Status | Description |
|---|---|
| Success | Indicates that a configuration group has been successfully created. |
| Pending | One or more devices in the configuration group have changes that have not yet been deployed. For example, if you add a new device to the configuration group, the status of the new device is Pending. If you modify a configuration template to which the configuration group is associated, all devices in the configuration group have the status Pending. |
| Scheduled | Indicates that a configuration group deployment is scheduled. When a configuration group is Scheduled, any devices in the group that are Pending or Failed are changed to Scheduled. If a device is Deployed, it remains Deployed and its status does not change to Scheduled. |
| Failure | Deployment has failed for one or more devices in the configuration group. |

Controller Configuration Groups

By creating a configuration group, you can group controllers that should have the same mobility group name and similar configuration. You can assign templates to the group and push templates to all of the controllers in a group. You can add, delete, or remove configuration groups, and download software, IDS signatures, or a customized web authentication page to controllers in the selected configuration groups. You can also save the current configuration to nonvolatile (flash) memory on controllers in selected configuration groups.

Note

A controller cannot be a member of more than one mobility group. Adding a controller to one mobility group removes that controller from any other mobility group of which it is already a member.

By choosing Configuration > Templates > Controller Configuration Groups, you can view a summary of all configuration groups in the Prime Infrastructure database. Choose Add Configuration Groups from the Select a command drop-down list to display a table with the following columns:

Group Name—Name of the configuration group.

Templates—Number of templates applied to the configuration group.

Creating Controller Configuration Groups

To create a configuration group, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups.

Step 2 From the Select a command drop-down list, choose Add Config Group, then click Go.

Step 3 Enter the new configuration group name. It must be unique across all groups.

If Enable Background Audit is selected, the network and controller audits occur for this configuration group.

If Enable Enforcement is selected, the templates are automatically applied during the audit if any discrepancies are found.

Step 4 Other templates created in Prime Infrastructure can be assigned to a configuration group. The same WLAN template can be assigned to more than one configuration group. Choose from the following:

Select and add later—Click to add a template at a later time.

Copy templates from a controller—Click to copy templates from another controller. Choose a controller from a list of current controllers to copy its applied template to the new configuration group. Only the templates are copied.

Note

The order of the templates is important when dealing with radio templates. For example, if the template list includes radio templates that require the radio network to be disabled prior to applying the radio parameters, the template to disable the radio network must be added to the template first.

Step 5 Click Save. The Configuration Groups page appears.

After you create a configuration group, Prime Infrastructure allows you to choose and configure multiple controllers by choosing the template that you want to push to the group of controllers.

General—Allows you to enable mobility group.

To enable the Background Audit option, set template-based audit in Administration > System > Audit Settings.

Controllers—For details, see Adding or Removing Controllers from Configuration Groups.

Country/DCA—For details, see Configuring Multiple Country Codes.

Templates—Allows you to select the configuration templates that you have already created.

Apply/Schedule—For details, see Applying or Scheduling Configuration Groups.

Audit—For details, see Auditing Configuration Groups.

Reboot—For details, see Rebooting Configuration Groups.

Report—Allows you to view the most recent report for this group.

Adding or Removing Controllers from Configuration Groups

To add or remove controllers from a configuration group, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups.

Step 2 Click a group name in the Group Name column, then click the Audit tab.

The columns in the table display the IP address of the controller, the configuration group name the controller belongs to, and the mobility group name of the controller.

Step 3 Click to highlight the row of the controller that you want to add to the group, then click Add.

Step 4 To remove a controller from the group, highlight the controller in the Group Controllers area and click Remove.

Step 5 Click the Apply/Schedule tab, click Apply to add or remove the controllers to the configuration groups, then click Save Selection.

Configuring Multiple Country Codes

You can configure one or more countries on a controller. After countries are configured on a controller, the corresponding 802.11a/n DCA channels are available for selection. At least one DCA channel must be selected for the 802.11a/n network. When the country codes are changed, the DCA channels are automatically changed in coordination.

Note

802.11a/n and 802.11b/n networks for controllers and access points must be disabled before configuring a country on a controller. To disable 802.11a/n or 802.11b/n networks, choose Configure > Controllers, select the desired controller that you want to disable, choose 802.11a/n or 802.11b/g/n from the left sidebar menu, and then choose Parameters. The Network Status is the first check box.

To add multiple controllers that are defined in a configuration group and then set the DCA channels, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups.

Step 2 From the Select a command drop-down list, choose Add Config Groups, then click Go.

Step 3 Create a configuration group by entering the group name and mobility group name.

Step 4 Click Save, then click the Controllers tab.

Step 5 Highlight the controllers that you want to add, and click Add. The controller is added to the Group Controllers page.

Step 6 Click the Country/DCA tab. The Country/DCA page appears. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.

Step 7 Select the Update Country/DCA check box to display a list of countries from which to choose.

Step 8 Those DCA channels that are currently configured on the controller for the same mobility group are displayed in the Select Country Codes page. The corresponding 802.11a/n and 802.11b/n allowable channels for the chosen country are displayed as well. You can add or delete any channels in the list by selecting or deselecting the channel and clicking Save Selection.

A minimum of 1 and a maximum of 20 countries can be configured for a controller.

Applying or Scheduling Configuration Groups

The scheduling function allows you to schedule a start day and time for provisioning.

To apply the mobility groups, mobility members, and templates to all of the controllers in a configuration group, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups.

Step 2 Click a group name in the Group Name column, then choose the Apply/Schedule tab.

Step 3 Click Apply to start the provisioning of mobility groups, mobility members, and templates to all of the controllers in the configuration group. After you apply, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return later to this page to view a report.

Note

Do not perform any other configuration group functions during the provisioning process.

A report is generated and appears in the Recent Apply Report page. It shows which mobility groups, mobility members, or templates were successfully applied to each of the controllers.

Step 4 Enter a starting date in the text box or use the calendar icon to choose a start date.

Step 5 Choose the starting time using the hours and minutes drop-down lists.

Step 6 Click Schedule to start the provisioning at the scheduled time.

Auditing Configuration Groups

The Configuration Groups Audit page allows you to verify whether the configuration of the controller complies with the group templates and mobility group. During the audit, you can leave this window or log out of Prime Infrastructure. The process continues, and you can return to this page later to view a report.

Do not perform any other configuration group functions during the audit verification.

To perform a configuration group audit, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups.

Step 2 Click a group name in the Group Name column, then click the Audit tab.

Step 3 Click to highlight a controller on the Controllers tab, choose >> (Add), and Save Selection.

Step 4 Click to highlight a template on the Templates tab, choose >> (Add), and Save Selection.

Step 5 Click Audit to begin the auditing process.

A report is generated and the current configuration on each controller is compared with that in the configuration group templates. The report displays the audit status, the number of templates in sync, and the number of templates out of sync.

This audit does not enforce Prime Infrastructure configuration to the device. It only identifies the discrepancies.

Step 6 Click Details to view the Controller Audit report details.

Step 7 Double-click a line item to open the Attribute Differences page. This page displays the attribute, its value in Prime Infrastructure, and its value in the controller.

Step 8 Click Retain Prime Infrastructure Value to push all attributes in the Attribute Differences page to the device.

Step 9 Click Close to return to the Controller Audit Report page.

Rebooting Configuration Groups

Step 1 Choose Configuration > Templates > Controller Configuration Groups.

Step 2 Click a group name in the Group Name column, then click the Reboot tab.

Step 3 Select the Cascade Reboot check box if you want to reboot one controller at a time, waiting for that controller to come up before rebooting the next controller.

Step 4 Click Reboot to reboot all controllers in the configuration group at the same time. During the reboot, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return later to this page and view a report.

The Recent Reboot Report page shows when each controller was rebooted and what the controller status is after the reboot. If Prime Infrastructure is unable to reboot the controller, a failure is shown.

Retrieving Configuration Group Reports

To display all recently applied reports under a specified group name, follow these steps:

Step 1 Choose Configuration > Templates > Controller Configuration Groups.

Step 2 Click a group name in the Group Name column, then click the Report tab. The Recent Apply Report page displays all recently applied reports including the apply status, the date and time the apply was initiated, and the number of templates. The following information is provided for each individual IP address:

Apply Status—Indicates success, partial success, failure, or not initiated.

Successful Templates—Indicates the number of successful templates associated with the applicable IP address.

Failures—Indicates the number of failures with the provisioning of mobility group, mobility members, and templates to the applicable controller.

Details—Click Details to view the individual failures and associated error messages.

Step 3 To view the scheduled task reports, click the click here link at the bottom of the page.

Creating Wireless Configuration Templates

The following sections describe how to create wireless configuration templates for:

Lightweight access points

Autonomous access points

Switches

Converting autonomous access points to lightweight access points

Creating Lightweight AP Configuration Templates

To create a template for a lightweight access point, follow these steps:

Step 1 Choose Configuration > Templates > Lightweight Access Points.

Step 2 From the Select a command drop-down list, choose Add Template, then click Go.

Step 3 Enter a name and description for the template and click Save. If you are updating an already existing template, click the applicable template in the Template Name column.

Step 4 Click each of the tabs and complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 3.0 Reference Guide.

Creating Autonomous AP Configuration Templates

To create a template for an autonomous access point, follow these steps:

Step 1 Choose Configuration > Templates > Autonomous Access Points.

Step 2 From the Select a command drop-down list, choose Add Template, then click Go. If you are updating an already existing template, click the applicable template in the Template Name column.

Step 3 Enter a name for the template and the applicable CLI commands.

Note

Do not include any show commands in the CLI commands text box. The show commands are not supported.

Creating Controller WLAN Configuration Policy Templates

Use the Policy Configuration Templates page to configure device-based policies on a controller. You can configure policies for a user or a device on the network.

The maximum number of policies that you can configure is 64. Policies are not applied on WLANs and AP groups if AAA override is configured on the controller.

Step 1 Choose Configuration > Templates > Features and Technologies.

Step 2 From the left sidebar menu, choose Features and Technologies > Controller > WLANs > Policy Configuration. The Policy Configuration Template page displays.

Step 3 Complete the following fields:

Name—Name of the policy template.

Description—Description of the policy template.

Tags—Search keywords applicable to this template.

Device Type (validation criteria)—The device product family, series or type used to validate the template (CUWN, for Cisco Unified Wireless Network, is the default).

Policy Name—Name of the policy.

Policy Role—The user type or the user group the user belongs to. For example, student, employee.

EAP Type—EAP authentication method used by the client. The available types are as follows:

LEAP

EAP-FAST

EAP-TLS

PEAP

Device Type—Choose the device type to which this policy applies (e.g., Apple Laptop).

VLAN ID—VLAN associated with the policy.

IPv4 ACL—Choose an IPv4 ACL for the policy from the list.

QoS—Choose the policy’s Quality of Service level from the list. You can choose one of the following:

Platinum (Voice)—Assures a high QoS for Voice over Wireless.

Gold (Video)—Supports the high-quality video applications.

Silver (Best Effort)—Supports the normal bandwidth for clients.

Bronze (Background)—Provides the lowest bandwidth for guest services.

Session Timeout—Maximum amount of time, in seconds, before a client is forced to re-authenticate. The default value is 0 seconds.

Sleeping Client Timeout—Maximum amount of time, in hours, before a guest client is forced to re-authenticate. The default value is 12 hours. The range is from 1 to 720 hours.

Step 4 When you are finished, click Save as new template.

Creating Autonomous AP Migration Templates

To make a transition from an autonomous solution to a unified architecture, autonomous access points must be converted to lightweight access points.

After an access point has been converted to lightweight, the previous status or configuration of the access point is not retained.

To create an autonomous AP migration template, follow these steps:

Step 1 Choose Configuration > Autonomous AP Migration.

Step 2 From the Select a command drop-down list, choose Add Template, then click Go. If you are updating an already existing template, click the applicable template in the Template Name column.

Step 3 Complete the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 3.0 Reference Guide.

Step 4 To view the migration analysis summary, choose Monitor > Tools > Autonomous AP Migration Analysis.

Creating Switch Location Configuration Templates

To configure a location template for a switch, follow these steps:

Step 1 Choose Configuration > Templates > Switch Location.

Step 2 From the Select a command drop-down list, choose Add Template, then click Go.

Step 3 Enter the required fields. For information about the field descriptions, see the Cisco Prime Infrastructure 3.0 Reference Guide.

Creating Wireless Templates

This section describes how to add and apply wireless templates. Templates allow you to set fields that you can then apply to multiple devices without having to reenter the common information.

Related Topics

Controller Templates

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating AP Configuration Templates

Configuring Switch Location Configuration Templates

Creating Autonomous AP Migration Templates

Controller Templates

The controller templates provide access to all Cisco Prime Infrastructure templates from a single page.

You can add and apply controller templates, view templates, or make modifications to the existing templates. This section also includes steps for applying and deleting controller templates and creating or changing access point templates.

To access the controller templates, choose Configuration > Templates > Features & Technologies > Controller.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating AP Configuration Templates

Creating System Templates

About WLAN Templates

Creating Security - Access Control Templates

Creating Security - CPU Access Control List Templates

Creating Security - Rogue Templates

Creating 802.11 Templates

Creating 802.11a/n Radio Templates

Creating 802.11b/g/n Radio Templates

Creating Mesh Settings Templates

Creating Management Templates

Creating CLI Templates

Creating Location Configuration Templates

Creating IPv6 Templates

Creating Proxy Mobile IPv6 Templates

Creating mDNS Templates

Creating AVC Profiles Templates

Creating NetFlow Templates

Adding Controller Templates

To add a new controller template:

Step 1 Choose Configuration > Features & Technologies > Controller.

Step 2 Select the template you want to add.

Step 3 Enter the template name.

Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.

Step 4 Provide a description of the template.

Step 5 Click Save.

Related Topics

Deleting Controller Templates

Applying Controller Templates

Deleting Controller Templates

To delete a controller template:

Step 1 Choose Configuration > Features & Technologies > My Templates.

Step 2 Select the template(s) you want to delete, then click Delete.

Step 3 Click OK to confirm the deletion. If this template is applied to controllers, the Remove Template Confirmation page opens and lists all controllers to which this template is currently applied.

Step 4 Select the check box of each controller from which you want to remove the template.

Step 5 Click OK to confirm the deletion or Cancel to close this page without deleting the template.

Related Topics

Adding Controller Templates

Applying Controller Templates

Applying Controller Templates

You can apply a controller template directly to a controller or to controllers in a selected configuration group.

To apply a controller template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller.

Step 2 From the left sidebar menu, choose the category of templates to apply.

Step 3 Click the template name for the template that you want to apply to the controller.

Step 4 Click Apply to Controllers to open the Apply to Controllers page.

Step 5 Select the check box for each controller to which you want to apply the template.

To select all controllers, select the check box that appears at the left most corner of the controllers table.

Select the Ignore errors on Apply template to Controllers check box to ignore errors and apply all commands in the template to the controller. If this check box is not selected, any error encountered while applying a command in the template to a controller causes the rest of the commands not to be applied.

Step 6 Choose between applying the template directly to a controller or to all controllers in a selected configuration group.

To apply the template directly to a controller (or controllers), follow these steps:

a. Select the Apply to controllers selected directly radio button. The Apply to Controllers page lists the IP address for each available controller along with the controller name and the configuration group name (if applicable).

b. Select the check box for each controller to which you want to apply the template.

Select the Ignore errors on Apply template to Controllers check box to ignore errors and apply all commands in the template to the controller. If this check box is not selected, any error encountered while applying a command in the template to a controller causes the rest of the commands not to be applied.

To apply the template to all controllers in a selected configuration group, follow these steps:

a. Select the Apply to controllers in the selected Config Groups radio button. The Apply to Controllers page lists the name of each configuration group along with the mobility group name and the number of controllers included.

b. Select the check box for each configuration group to which you want to apply the template.

Configuration groups which have no controllers cannot be selected to apply the templates.

Step 7 You can perform the following additional operations:

If you select the Save Config to Flash after apply check box, the save config to Flash command is executed after the template is applied successfully.

If you select the Reboot Controller after apply check box, the controller reboots after the template is successfully applied.

These configuration results can be viewed in the Template Results page by enabling the View Save Config / Reboot Results option.

Step 8 Click Save.

You can apply some templates directly from the Template List page. Select the check box(es) of the template(s) that you want to apply, choose Apply Templates from the Select a command drop-down list, and click Go to open the Apply to Controllers page. Select the check box(es) of the controllers to which you want to apply this template, and click OK.

Related Topics

Adding Controller Templates

Applying Controller Templates

Creating System Templates

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System. You can create the following controller system templates:

AP 802.1X Supplicant Credentials

AP Timers

AP Username Password

DHCP

Dynamic Interface

General-System

Global CDP Configuration

Interface Groups

Network Time Protocol

QoS Profiles

SNMP Community

Traffic Stream Metrics QoS

User Roles

Vlan Group

Related Topics

Controller > System > General

Creating General - System Templates

Creating SNMP Community Controller Templates

Creating User Roles Controller Templates

Creating AP Username Password Controller Templates

Creating DHCP Templates

Creating Dynamic Interface Templates

Creating a Traffic Stream Metrics QoS Template

Creating AP 802.1X Supplicant Credentials

You can configure 802.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning. You can set global authentication settings that all access points inherit as they join the controller. All access points that are currently joined to the controller and any that join in the future are included.

If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP 802.1X Supplicant Credentials.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create the template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controller > System > AP 802.1X Supplicant Credentials

Applying Controller Templates

Configuring AP Timers Template

Some advanced timer configuration for FlexConnect and local mode is available for the controller on Prime Infrastructure.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP 802.1X Supplicant Credentials.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create General - System template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controller > System > AP Timers

Applying Controller Templates

Creating AP Username Password Controller Templates

Create or modify a template for setting an access point username and password. All access points inherit the password as they join the controller and these credentials are used to log into the access point via the console or Telnet/SSH.

The AP Username Password page enables you to set a global password that all access points inherit as they join a controller. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis. See the to see where the global password is displayed and how it can be overridden on a per-access point basis.

Also, in controller software Release 5.0, after an access point joins the controller, the access point enables console port security and you are prompted for your username and password whenever you log into the access point console port. When you log in, you are in non-privileged mode and you must enter the enable password to use the privileged mode.

To create an AP username password controller template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP Username Password.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controller > System > AP Username Password

Creating AP Configuration Templates

Applying Controller Templates

Creating DHCP Templates

You can enable or disable DHCP proxy on a global basis rather than on a WLAN basis. When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. At least one DHCP server must be configured on either the interface associated with the WLAN or on the WLAN itself. DHCP proxy is enabled by default.

To create DHCP templates:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > DHCP Templates.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create General - System template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controller > System > DHCP

Applying Controller Templates

Creating Dynamic Interface Templates

If you change the interface fields, the WLANs are temporarily disabled; therefore, you might lose connectivity for some clients. Any changes to the interface fields are saved only after you successfully apply them to the controller(s).

If you remove an interface here, it is removed only from this template and not from the controllers.

Primary and secondary port numbers are present only in the Cisco 4400 Series Wireless LAN controllers.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Dynamic Interface Templates.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create General - System template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controllers > System > Dynamic Interface

Applying Controller Templates

Applying a Dynamic Interface Template to Controllers

Applying a Dynamic Interface Template to Controllers

Changing the Interface fields causes the WLANs to be temporarily disabled and might result in loss of connectivity for some clients.

Interfaces removed from this page are removed only from this template and not from controllers.

To apply a Dynamic Interface template to a controller, follow these steps:

Step 1 In the Dynamic Interface controller template page, click Apply to Controllers.

Step 2 Use the Manage Interfaces options to configure device-specific fields:

Add—Click Add to open the Add Interface dialog box. Enter an interface name, VLAN identifier, IP address, and gateway. When all fields are entered, click Done.

Edit—Click Edit to make changes to current interfaces.

Remove—Click Remove to delete a current interface.

Step 3 Select a check box for each controller to which you want to apply this template.

Step 4 Click Apply. Interface field changes or configurations made on this page are saved only when applied successfully to the controller(s).

Related Topics

Creating Dynamic Interface Templates

Creating General - System Templates

To add a general-system template or make changes to an existing general template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > General - System.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create General - System template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controller > System > General

Applying Controller Templates

Creating a Global CDP Configuration Template

Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. CDP is enabled on the Ethernet and radio ports of the bridge by default.

CDP for Ethernet Interfaces fields are supported for Controller Release 7.0.110.2 and later.

The Global Interface CDP configuration is applied only to the APs for which the CDP is enabled at AP level.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Global CDP Configuration.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create General - System template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controller > System > Global CDP Configuration

Applying Controller Templates

Creating an Interface Group Template

The interface group template page allows you to select a list of interfaces and form a group. You cannot create interfaces using this page.

The Interface Groups feature is supported by controller software release 7.0.116.0 and later.

To configure an interface group template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Interface Group.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create General - System template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Applying Controller Templates

Creating a Network Time Protocol Template

NTP is used to synchronize computer clocks on the Internet.

To add an NTP template or make modifications to an existing NTP template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Network Time Protocol.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create General - System template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topic

Applying Controller Templates

Creating QoS Profiles Templates

The Air QoS configurations are applicable for controller Release 7.0 and earlier.

To modify the quality of service (QoS) profiles:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > QoS Profiles.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create QoS profiles template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controller > System > QoS Profiles Template

Applying Controller Templates

Creating SNMP Community Controller Templates

Create or modify a template for configuring SNMP communities on controllers. Communities can have read-only or read-write privileges using SNMP v1, v2, or v3.

When setting up SNMP communities on the WLC (Wireless LAN Controller), you are given an option to specify IP address and subnet. The default is 0.0.0.0 for both, which allows open SNMP access to any host using the specified community string. If you specify something other than the default of 0.0.0.0, the SNMP access is limited to the settings specified for IP address and Subnet Mask. A subnet of 255.255.255.255 limits to the specific host ID specified in the IP address.

If the Access Mode option is configured as Read Only, then Prime Infrastructure has only read access to the controller after applying this template.
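The IP address and subnet mask restriction described above can be checked before a template is applied. The following is an added example, not Cisco code: it assumes the controller uses the usual masked comparison, and the SnmpCommunity record, the severity labels, the max_hosts threshold and the sample entries are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SnmpCommunity:
    """One SNMP Community template entry (hypothetical record, not a Prime API)."""
    name: str    # community string (constructed sample values only)
    ip: str      # "IP Address" field
    mask: str    # "Subnet Mask" field
    access: str  # "ro" (Read Only) or "rw" (Read Write)


def _to_int(dotted: str) -> int:
    # IPv4Address validates the dotted quad and raises ValueError on bad input.
    return int(ipaddress.IPv4Address(dotted))


def source_allowed(entry: SnmpCommunity, client_ip: str) -> bool:
    """Assumed semantics: a client matches when (client & mask) == (ip & mask).

    A mask of 0.0.0.0 therefore matches every host, and a mask of
    255.255.255.255 matches only the host given in the IP address field.
    """
    mask = _to_int(entry.mask)
    return (_to_int(client_ip) & mask) == (_to_int(entry.ip) & mask)


def audit(entries, max_hosts: int = 256):
    """Return (name, severity, reason) for entries that are open or too broad."""
    findings = []
    for e in entries:
        mask = _to_int(e.mask)
        # Every zero bit in the mask doubles the number of permitted sources.
        hosts = 1 << (32 - bin(mask).count("1"))
        if mask == 0:
            severity = "high" if e.access == "rw" else "medium"
            findings.append((e.name, severity, "open to any host"))
        elif hosts > max_hosts:
            findings.append((e.name, "low", f"{hosts} source addresses allowed"))
    return findings


# Constructed sample entries (documentation address ranges, made-up names).
ENTRIES = [
    SnmpCommunity("sample-ro", "0.0.0.0", "0.0.0.0", "ro"),
    SnmpCommunity("sample-rw", "0.0.0.0", "0.0.0.0", "rw"),
    SnmpCommunity("nms-only", "192.0.2.10", "255.255.255.255", "rw"),
    SnmpCommunity("mgmt-net", "198.51.100.0", "255.255.255.0", "ro"),
    SnmpCommunity("wide", "10.0.0.0", "255.0.0.0", "ro"),
]

if __name__ == "__main__":
    for name, severity, reason in audit(ENTRIES):
        print(f"{severity:6} {name}: {reason}")
```
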

To create a new template with SNMP community information for a controller:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > SNMP Community.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create SNMP community template.

Step 3 Complete the required fields, then click Save as New Template.

The template appears in the Template List page. In the Template List page, you can apply this template to controllers. If a template is applied successfully and the Update Discover Community option is enabled, then the applied community name is updated in Prime Infrastructure database for that applied controller. Also, Prime Infrastructure uses that community name for further communication with the controller.

Related Topics

Controller > System > SNMP Community

Applying Controller Templates

Creating a Traffic Stream Metrics QoS Template

Traffic stream metrics are a series of statistics about VoIP over your wireless LAN that inform you of the QoS of the wireless LAN. These statistics are different from the end-to-end statistics provided by VoIP systems. End-to-end statistics provide information on packet loss and latency covering all the links comprising the call path. However, traffic stream metrics are statistics for only the WLAN segment of the call. Because of this, system administrators can quickly determine whether audio problems are being caused by the WLAN or by other network elements participating in a call. By observing which access points have impaired QoS, system administrators can quickly determine the physical area where the problem is occurring. This is important when lack of radio coverage or excessive interference is the root problem.

Four QoS values (packet latency, packet jitter, packet loss, and roaming time), which can affect the audio quality of voice calls, are monitored. All the wireless LAN components participate in this process. Access points and clients measure the metrics; access points collect the measurements and then send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. Prime Infrastructure queries the controller for the metrics and displays them in the Traffic Stream Metrics QoS Status. These metrics are compared to threshold values to determine their status level, and if any of the statistics are displaying a status level of fair (yellow) or degraded (red), the administrator investigates the QoS of the wireless LAN.

For the access points to collect measurement values, traffic stream metrics must be enabled on the controller.

To configure a Traffic Stream Metrics QoS template:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Traffic Stream Metrics QoS.

The Traffic Stream Metrics QoS Controller Configuration page shows several QoS values. An administrator can monitor voice and video quality of the following:

Upstream delay

Upstream packet loss rate

Roaming time

Downstream packet loss rate

Downstream delay

Packet Loss Rate (PLR) affects the intelligibility of voice. Packet delay can affect both the intelligibility and conversational quality of the connection. Excessive roaming time produces undesired gaps in audio.

There are three levels of measurement:

Normal: Normal QoS (green)

Fair: Fair QoS (yellow)

Degraded: Degraded QoS (red)

System administrators should employ some judgment when setting the green, yellow, and red alarm levels. Some factors to consider are:

Environmental factors including interference and radio coverage which can affect PLR.

End-user expectations and system administrator requirements for audio quality on mobile devices (lower audio quality can permit greater PLR).

Different codec types used by the phones have different tolerance for packet loss.

Not all calls are mobile-to-mobile; therefore, some have less stringent PLR requirements for the wireless LAN.

Related Topics

Controller > System > Traffic Stream Metrics QoS

Applying Controller Templates

Creating User Roles Controller Templates

This section describes how to create or modify a template for configuring user roles. User roles determine how much bandwidth the network can use. Four QoS levels (Platinum, Bronze, Gold, and Silver) are available for the bandwidth distribution to Guest Users. Guest Users are associated with predefined roles (Contractor, Customer, Partner, Vendor, Visitor, Other) with respective bandwidth configured by the Admin. These roles can be applied when adding a new Guest User.

To add a new template with User Roles information for a controller:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > User Roles.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create User Roles template.

Step 3 Complete the required fields, then click Save as New Template.

Related Topics

Controller > System > User Roles

Applying Controller Templates

Creating Guest User Templates

About WLAN Templates

WLAN templates allow you to define various WLAN profiles for application to different controllers.

You can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN. Unlike previous releases, where the profile name was used as the unique identifier, the template name is now the unique identifier with software release 5.1.

These restrictions apply when configuring multiple WLANs with the same SSID:

WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes. These are the available Layer 2 security policies:

None (open WLAN)

Static WEP or 802.1

CKIP

WPA/WPA2

Broadcast SSID must be enabled on the WLANs that share an SSID so that the access points can generate probe responses for these WLANs.

FlexConnect access points do not support multiple SSIDs.

Related Topics

About WLAN Templates

Creating WLAN AP Groups Templates

Creating WLAN Configuration Templates

To add a WLAN configuration template or make modifications to an existing WLAN template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.

Step 2 Hover your mouse cursor over the tool tip next to the template type and click New.

Step 3 Complete the required fields in the General, Security, QoS, Advanced, HotSpot, Policy Mappings tabs, and then click Save as New Template.

Related Topic

Controller > WLANs > WLAN Configuration

Client Profiling

When a client tries to associate with a WLAN, it is possible to determine the client type from the information received in the process. The controller acts as the collector of the information and sends the required data to the ISE in an optimal form.

Follow these guidelines when configuring client profiling:

By default, client profiling will be disabled on all WLANs.

Client profiling is supported on access points that are in Local mode and FlexConnect mode.

Profiling is not supported for clients in the following scenarios:

Clients associating with FlexConnect mode APs in Standalone mode.

Clients associating with FlexConnect mode APs when local authentication is done with local switching enabled.

Both DHCP Proxy and DHCP Bridging mode on the controller are supported.

Accounting Server configuration on the WLAN must be pointing at an ISE running 1.1 MnR or later releases. Cisco ACS does not support client profiling.

The type of DHCP server used does not affect client profiling.

If the DHCP_REQUEST packet contains a string that is found in the Profiled Devices list of the ISE, then the client will be profiled automatically.

The client is identified based on the MAC address sent in the Accounting request packet.

Only MAC address should be sent as calling station ID in accounting packets when profiling is enabled.

With profiling enabled for local switching FlexConnect mode APs, only VLAN override is supported as an AAA override attribute.

Related Topics

Client Profiling

Controller > WLANs > WLAN Configuration > Advanced

Configuring Client Profiling

To configure client profiling, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.

Step 2 Click the Advanced tab.

Step 3 Select the DHCP Profiling check box to enable DHCP profiling.

Step 4 Select the HTTP Profiling check box to enable HTTP profiling.

HTTP client profiling is supported since controller Version 7.3.1.31.

Step 5 Click Save.

Related Topics

Client Profiling

Creating WLAN Configuration Templates

Configuring Mobile Concierge (802.11u)

Mobile Concierge is a solution that enables 802.1X capable clients to interwork with external networks. The Mobile Concierge feature provides service availability information to clients and can help them to associate with available networks.

The services offered by the network can be broadly classified into two protocols:

802.11u MSAP

802.11u HotSpot 2.0

The following guidelines and limitations apply to Mobile Concierge:

Mobile Concierge is not supported on FlexConnect Access Points.

802.11u configuration upload is not supported. If you perform a configuration upgrade and upload a configuration on the controller, the HotSpot configuration on the WLANs is lost.

To configure Mobile Concierge (802.11u) Groups:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.

Step 2 Click the Hot Spot tab.

Step 3 On the General tab, configure the following fields:

Select the 802.11u Status check box to enable 802.11u on the WLAN.

Select the Internet Access check box to enable this WLAN to provide Internet services.

From the Network Type drop-down list, choose the network type that best describes the 802.11u you want to configure on this WLAN. The following options are available:

Private Network

Private Network with Guest Access

Chargeable Public Network

Free Public Network

Emergency Services Only Network

Personal Device Network

Test or Experimental

Wildcard

Choose the authentication type that you want to configure for the 802.11u parameters on this network:

Not configured

Acceptance of Terms and Conditions

Online Enrollment

HTTP/HTTPS Redirection

In the HESSID field, enter the Homogeneous Extended Service Set Identifier value. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS.

Step 4 On the Others tab, configure the following fields:

In the OUI List group box, enter the following details:

OUI name

Is Beacon

OUI Index

Click Add to add the OUI (Organizationally Unique Identifier) entry to this WLAN.

In the Domain List group box, enter the following details:

Domain Name—The domain name operating in the 802.11 access network.

Domain Index—Choose the domain index from the drop-down list.

Click Add to add the domain entry to this WLAN.

Step 5 On the Realm tab, configure the following fields:

In the OUI List section, enter the following details:

Realm Name—The realm name.

Realm Index—The realm index.

Click Add to add the domain entry to this WLAN.

Step 6 On the Service Advertisement tab, configure the following fields:

Select the MSAP Enable check box to enable service advertisements.

If you enabled MSAP in the previous step, you must provide a server index. Enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID.

MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network.

Step 7 On the HotSpot 2.0 tab, configure the following fields:

Choose the Enable option from the HotSpot2 Enable drop-down list.

In the WAN Metrics group box, specify the following:

WAN Link Status—The link status. The valid range is 1 to 3.

WAN SIM Link Status—The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or same speeds.

Down Link Speed—The downlink speed. The maximum value is 4,194,304 kbps.

Up Link Speed—The uplink speed. The maximum value is 4,194,304 kbps.

In the Operator Name List group box, specify the following:

Operator Name—Specify the name of the 802.11 operator.

Operator Index—Select an operator index. The range is from 1 to 32.

Language Code—An ISO-14962-1997 encoded string defining the language. This string is a three character language code.

Click Add to add the operator details. The operator details are displayed in a tabular form.

In the Port Config List, specify the following:

IP Protocol—The IP protocol that you want to enable. The available options are ESP, FTP, ICMP, and IKEV2.

Port No—The port number that is enabled on this WLAN.

Status—The status of the port.

Step 8 Click Save.

Related Topics

About WLAN Templates

Controller > WLANs > WLAN Configuration


Creating WLAN AP Groups Templates

Site-specific VLANs or AP groups limit the broadcast domains to a minimum by segmenting a WLAN into different broadcast domains. Benefits include more effective management of load balancing and bandwidth allocation.

To configure WLAN AP Groups, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > AP Groups.

The WLAN > AP Groups page appears, and the number of controllers and virtual domains that the template is applied to automatically populates. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2 If you want to add a new template, choose Add Template from the Select a command drop-down list, and click Go. To modify an existing template, click the template name. The AP Groups template page appears.

This page displays a summary of the AP groups configured on your network. In this page, you can add, remove, edit, or view details of an AP group. Click in the Edit column to edit its access point(s). Select the check box in the WLAN Profile Name column, and click Remove to delete WLAN profiles.

The maximum number of characters that you can enter in the Description text box is 256.

Related Topics

About WLAN Templates

Adding Access Point Groups

AP Groups (for controllers Release 5.2 and later) are referred to as AP Group VLANs for controllers prior to 5.2.

To display all available WLAN profile names, delete the current WLAN profile name from the text box. When the current WLAN profile name is deleted from the text box, all available WLAN profiles appear in the drop-down list.

Each access point is limited to 16 WLAN profiles. Each access point broadcasts all WLAN profiles unless the WLAN override feature is enabled. The WLAN override feature allows you to disable any of the 16 WLAN profiles per access point.

The WLAN override feature applies only to older controllers that do not support the 512 WLAN feature (which supports up to 512 WLAN profiles).

You can create or modify a template for dividing the WLAN profiles into AP groups.

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > AP Groups.

Step 2 Choose Add Template from the Select a command drop-down list, and click Go.

Step 3 Enter a name and group description for the access point group. The group description is optional.

Step 4 If you want to add a WLAN profile, click the WLAN Profiles tab and configure the following fields:

a. Click Add.

b. Type a WLAN profile name or choose one from the WLAN Profile Name drop-down list.

c. Enter an interface/interface group or choose one from the Interface/Interface Group drop-down list.

To display all available interfaces, delete the current interface from the Interface text box. When the current interface is deleted from the Interface text box, all available interfaces appear in the drop-down list.

d. Select the NAC Override check box, if applicable. The NAC override feature is disabled by default.

e. Specify the policy configuration parameters by clicking the Add/Edit link.

Policy Name—Name of the policy.

Policy Priority—Configure policy priority between 1 and 16. No two policies can have the same priority. Only 16 policy mappings are allowed per WLAN. The selected policy template for the mapping will be applied first if it does not exist on the controller.

f. When access points and WLAN profiles are added, click Save.

Step 5 If you want to add an RF profile, click the RF Profiles tab, and configure the following fields:

802.11a—Drop-down list from which you can choose an RF profile for APs with 802.11a radios.

802.11b—Drop-down list from which you can choose an RF profile for APs with 802.11b radios.

When RF profiles are added, click Save.

Related Topics

About WLAN Templates

Creating RF Profiles Templates (802.11)

Deleting Access Point Groups

To delete an access point group, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies.

Step 2 Choose Controller > WLANs > AP Groups from the left sidebar menu.

Step 3 Click Remove.

Related Topics

About WLAN Templates

Creating WLAN AP Groups Templates

Adding Access Point Groups


Creating Policy Configuration Templates

The Policy Configuration Templates page enables you to configure the device-based policies on the controller. You can configure policies for a user or a device on the network. The maximum number of policies that you can configure is 64. Policies are not applied on WLANs and AP groups if AAA override is configured on the controller.

To configure Policy Configuration templates:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > Policy Configuration.

Step 2 If you want to add a new template, choose Add Template from the Select a command drop-down list, and click Go.

Step 3 Configure the required fields.

Step 4 Click Save as New Template.

Creating FlexConnect Templates

FlexConnect enables you to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office.

There is no deployment restriction on the number of FlexConnect access points per location, but you can organize and group the access points per floor and limit them to 25 or so per building, because it is likely the branch offices share the same configuration.

Related Topics

Creating FlexConnect AP Groups Templates

Adding FlexConnect Users to FlexConnect AP Groups Templates

Creating FlexConnect AP Groups Templates

To set up a FlexConnect AP group, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller.

Step 2 Choose FlexConnect > FlexConnect AP Groups from the left sidebar menu.

Step 3 Hover the mouse on FlexConnect AP Groups and select Show All Templates. It displays the primary and secondary RADIUS, as well as the number of controllers and virtual domains that the template is applied to, which automatically populates. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names. To modify an existing template, click the template name.

Step 4 If you want to add a new template, hover the mouse on FlexConnect AP Groups and select New or select FlexConnect AP Groups. The General tab of the FlexConnect AP Groups page appears.

Step 5 The Template Name shows the group name assigned to the FlexConnect access point group.

Step 6 Choose the primary RADIUS authentication servers for each group. You can also configure local RADIUS servers on the FlexConnect group (at a site level) which are not present on the controller. The FlexConnect groups support up to 100 RADIUS servers per group.

Step 7 Choose the secondary RADIUS authentication servers for each group. You can also configure local RADIUS servers on the FlexConnect group (at a site level) which are not present on the controller. The FlexConnect groups support up to 100 RADIUS servers per group.

Step 8 If you want to add an access point to the group, click the FlexConnect AP tab.

Step 9 An access point Ethernet MAC address cannot exist in more than one FlexConnect group on the same controller. If more than one group is applied to the same controller, select the Ethernet MAC check box to unselect an access point from one of the groups. You should save this change or apply it to controllers.

Step 10 Click Add AP. Select the applicable check boxes and click Add.

Step 11 Click the Local Authentication tab to enable local authentication for a FlexConnect group. Ensure that the Primary RADIUS Server and Secondary RADIUS Server fields are set to None on the General tab to perform this action.

Step 12 Select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group. Enabling this option enables EAP-TLS Authentication.

Step 13 Select the EAP-TLS Authentication check box to enable EAP-TLS certificate download.

Step 14 To allow a FlexConnect access point to authenticate clients using LEAP, select the LEAP Authentication check box. Otherwise, to allow a FlexConnect access point to authenticate clients using EAP-FAST, select the EAP-FAST Authentication check box.

Step 15 Perform one of the following, depending on how you want Protected Access Credentials (PACs) to be provisioned:

To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST Key and Confirm EAP-FAST Key text boxes. The key must be 32 hexadecimal characters.

To allow PACs to be sent automatically to clients that do not have one during PAC provisioning, select the Auto key generation check box.

The following EAP-FAST options are available only if you select the EAP-FAST check box in Step 14.

Step 16 In the EAP-FAST Key text box, enter the authority identifier of the EAP-FAST server. The identifier must be 32 hexadecimal characters.

Step 17 In the EAP-FAST Authority ID text box, enter the authority identifier of the EAP-FAST server in text format. You can enter up to 32 hexadecimal characters.

Step 18 In the EAP-FAST Authority Info text box, enter the authority information of the EAP-FAST server.

Step 19 In the EAP-FAST PAC Timeout text box, specify a PAC timeout value by entering the number of seconds for the PAC to remain viable in the edit box. The valid range is 2 to 4095 seconds.

Step 20 To allow a FlexConnect access point to authenticate clients using PEAP, select the PEAP Authentication check box.

Step 21 Click the Image Upgrade tab and configure the following:

FlexConnect AP Upgrade—Select the check box if you want to upgrade the FlexConnect access points.

Slave Maximum Retry Count—Enter the maximum number of retries for the slave to undertake to start the download from the master in the FlexConnect group. This option is available only if you select the FlexConnect AP Upgrade check box.

You are allowed to add an access point as a master access point only if the FlexConnect AP Upgrade check box is enabled on the General tab. Click Add Master to add an access point as master AP.

Step 22 Click the ACL Mapping tab.

Click the VLAN-ACL Mapping tab to view, add, edit, or remove a VLAN ACL mapping.

Click the WLAN-ACL Mapping tab to view, add, edit, or remove a WLAN ACL mapping. You can add up to a maximum of 16 WebAuth ACLs.

Click the Local Split to view, add, edit, or remove a Local Split ACL mapping. Only the FlexConnect central switching WLANs are displayed in the WLAN Profile Name drop-down list.

Click the Policies tab to view, add, edit, or remove a WebPolicy ACL mapping. You can add up to a maximum of 16 Web-Policy ACLs.

Click Save.

Step 23 Click the Central DHCP tab to view, add, edit, or remove Central DHCP processing.

a. Click the Add Row icon.

b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.

c. From the Central DHCP drop-down list, choose Enable or Disable. When you enable this feature, the DHCP packets received from the AP are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID.

d. From the Override DNS drop-down list, choose Enable or Disable. You can enable or disable the overriding of the DNS server address on the interface assigned to the locally switched WLAN. When you override DNS in centrally switched WLANs, the clients get their DNS server IP address from the AP, not from the controller.

e. From the NAT-PAT drop-down list, choose Enable or Disable. You can enable or disable Network Address Translation (NAT) and Port Address Translation (PAT) on locally switched WLANs. You must enable Central DHCP Processing to enable NAT and PAT.

f. Click Save.

Step 24 Click the WLAN-VLAN Mapping tab to view, add, edit, or remove the WLAN-VLAN mapping.

a. Click the Add Row icon.

b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.

c. Enter the VLAN ID within the specified range.

d. Click Save.

Step 25 Click the WLAN-AVC Mapping tab to view, add, edit, or remove the WLAN-AVC mapping.

a. Click the Add Row icon.

b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.

c. From the Application Visibility drop-down list, choose Enable, Disable or Wlan-specific. When Wlan-specific is chosen, the Flex AVC Profile will be disabled.

d. From the Flex AVC Profile drop-down list, choose the specific AVC profile.

e. Click Save.

Step 26 Click Save.


Related Topic

Controller > FlexConnect > FlexConnect AP Groups


Adding FlexConnect Users to FlexConnect AP Groups Templates

You can click the Users configured in the group link that appears when the FlexConnect Local Authentication check box is enabled to view the list of FlexConnect users. You can create FlexConnect users only after you save the FlexConnect AP Group. A maximum of 100 FlexConnect users is supported in controller Release 5.2.x.x and later. Controller Release 5.2.0.0 and earlier supports only 20 FlexConnect users.

To delete a FlexConnect User, choose a user from the FlexConnect Users list, and then click Delete.

To configure a FlexConnect user, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > FlexConnect > FlexConnect AP Groups.

Step 2 Hover the mouse on FlexConnect AP Groups and select Show All Templates.

Step 3 Click the Local Authentication tab and select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group.

Step 4 Click the Users configured in the group link. The FlexConnect Users page appears.

Step 5 If you want to add a new user, choose Add User from the Select a command drop-down list, and click Go. The Add User page appears.

Step 6 In the User Name text box, enter the FlexConnect username.

Step 7 In the Password text box, enter the password.

Step 8 Reenter the password in the Confirm Password text box.

Step 9 Click Save.

Related Topics

Creating FlexConnect AP Groups Templates

Creating FlexConnect Templates

Controller > FlexConnect > FlexConnect AP Groups

Creating Security Templates

This section contains the following topics:

Creating General Security Controller Templates

Creating File Encryption Templates

RADIUS Authentication Templates

Creating RADIUS Accounting Templates

Creating RADIUS Fallback Templates

LDAP Server Templates


TACACS+ Server Templates

Local EAP General Templates

Local EAP Profile Templates

EAP-FAST Templates

Creating Network User Priority Templates

Local Network Users Templates

Guest User Templates

User Login Policies Templates

Creating a MAC Filter Template

Access Point or MSE Authorization Templates

Creating a Manually Disabled Client Template

Access Point Authentication and MFP Templates

Web Authentication Templates

Creating External Web Auth Server Templates

Creating a Security Password Policy Template


Creating General Security Controller Templates

To add a new template with general security information for a controller, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security.

Step 2 Select the template you want to add.

Step 3 Complete the following fields:

Template Name—Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.

Maximum Local Database Entries (on next reboot)—Enter the maximum number of allowed database entries. This amount becomes effective on the next reboot.

Step 4 Click Save.

The template appears in the Template List page. In the Template List page, you can apply this template to controllers.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates


Creating File Encryption Templates

To add and configure a File Encryption template or make modifications to an existing file encryption template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > File Encryption.

Step 2 Choose Add Template from the Select a command drop-down list, and click Go to add a new template.

To modify an existing template, click the template name. The File Encryption template page appears.

Step 3 Check if you want to enable file encryption.

Step 4 Enter an encryption key text string of exactly 16 ASCII characters.

Step 5 Re-enter the encryption key.

Step 6 Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

RADIUS Authentication Templates

You can add a RADIUS authentication template or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.

Related Topics

Creating RADIUS Authentication Templates

Creating RADIUS Authentication Templates

To configure a RADIUS Authentication template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Auth Servers.

Step 2 From the Shared Secret Format drop-down list, choose either ASCII or hex.

Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

Step 3 Enter the RADIUS shared secret used by your specified server.

Step 4 Check the Key Wrap check box if you want to enable key wrap. If this check box is enabled, the authentication request is sent to RADIUS servers that have key encryption key (KEK) and message authenticator code keys (MACK) configured. Complete the following fields:

Shared Secret Format: Enter ASCII or hexadecimal.

Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in the event a discovered template is applied to another device.

KEK Shared Secret.

MACK Shared Secret.

Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.

Step 5 Check the Admin Status check box to enable administration privileges.

Step 6 Check the Support for RFC 3576 check box to enable support for RFC 3576.

RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages immediately terminate a user session, whereas CoA messages modify session authorization attributes such as data filters.

Step 7 Check Network User to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Step 8 Check Management User to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user.

Step 9 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Step 10 If you enable IP Sec, the IP security mechanism, additional IP security fields are added to the page, and Steps 13 to 19 are required. If you disable it, click Save and skip Steps 13 to 19.

Step 11 Use the drop-down list to choose the IP security authentication protocol to be used. The available options are:

• HMAC-SHA1

• HMAC-MD5

• None

Message Authentication Codes (MAC) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function.

HMAC-MD5 and HMAC-SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.

Step 12 Set the IP security encryption mechanism to use. The options are as follows:

DES—Data Encryption Standard is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.

Triple DES—Data Encryption Standard that applies three keys in succession.

AES 128 CBC—Advanced Encryption Standard uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Block Chaining (CBC) mode.

None—No IP security encryption mechanism.

Step 13 From the IKE phase 1 drop-down list, choose either aggressive or main to set the IKE protocol. IKE phase 1 is used to negotiate how IKE is protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear.

Step 14 Enter the timeout interval (in seconds) in the Lifetime field to define when the session expires.

Step 15 Set the IKE Diffie Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits).

Diffie-Hellman techniques are used by two devices to generate a symmetric key where you can publicly exchange values and generate the same symmetric key.

Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.

Step 16 Click Save.
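A pre-deployment review of the shared-secret, timeout and IP security choices described in the steps above, added here as an example; it is not Cisco or Prime Infrastructure code. The dictionary keys, the sample template and the severity ratings are assumptions made for this example, while the option lists and ranges are the ones this page gives.

```python
import string

# Option lists and ranges as given on this page. The dict keys are hypothetical
# names chosen for this example, not a Prime Infrastructure format or API.
IPSEC_AUTH = ("HMAC-SHA1", "HMAC-MD5", "None")
IPSEC_ENC = ("AES 128 CBC", "Triple DES", "DES", "None")
IKE_MODES = ("main", "aggressive")
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
RANK = {"error": 0, "high": 1, "warn": 2, "info": 3}  # this example's own scale


def review_radius_template(t):
    """Return (severity, field, message) findings, most severe first."""
    found = []

    # Shared secret: format is ASCII or hex; a hex secret must be whole octets.
    fmt = str(t.get("shared_secret_format", "")).lower()
    secret = t.get("shared_secret", "")
    if fmt not in ("ascii", "hex"):
        found.append(("error", "shared_secret_format", "must be ASCII or hex"))
    elif not secret:
        found.append(("error", "shared_secret", "shared secret is empty"))
    elif fmt == "hex" and (len(secret) % 2 or set(secret) - set(string.hexdigits)):
        found.append(("error", "shared_secret", "not a whole number of hex octets"))

    timeout = t.get("retransmit_timeout")
    if not isinstance(timeout, int) or not 2 <= timeout <= 30:
        found.append(("error", "retransmit_timeout", "valid range is 2 to 30 seconds"))

    # The IP security fields exist only when IPsec is enabled on the template.
    if not t.get("ipsec_enabled"):
        found.append(("info", "ipsec_enabled", "IPsec is off; IPsec fields skipped"))
        return sorted(found, key=lambda f: RANK[f[0]])

    auth = t.get("ipsec_auth")
    if auth not in IPSEC_AUTH:
        found.append(("error", "ipsec_auth", "not one of the offered options"))
    elif auth == "None":
        found.append(("high", "ipsec_auth", "no message authentication"))
    elif auth == "HMAC-MD5":
        found.append(("warn", "ipsec_auth", "HMAC-SHA1 is the stronger option offered"))

    enc = t.get("ipsec_encryption")
    if enc not in IPSEC_ENC:
        found.append(("error", "ipsec_encryption", "not one of the offered options"))
    elif enc == "None":
        found.append(("high", "ipsec_encryption", "traffic is not encrypted"))
    elif enc == "DES":
        found.append(("high", "ipsec_encryption", "56-bit key; use AES 128 CBC"))
    elif enc == "Triple DES":
        found.append(("warn", "ipsec_encryption", "AES 128 CBC is preferred"))

    mode = t.get("ike_phase1")
    if mode not in IKE_MODES:
        found.append(("error", "ike_phase1", "must be main or aggressive"))
    elif mode == "aggressive":
        found.append(("warn", "ike_phase1", "gateway identities are sent in the clear"))

    group = t.get("dh_group")
    if group not in DH_GROUP_BITS:
        found.append(("error", "dh_group", "must be group 1, 2 or 5"))
    elif DH_GROUP_BITS[group] < max(DH_GROUP_BITS.values()):
        found.append(("warn", "dh_group",
                      "%d-bit group; group 5 is the largest offered" % DH_GROUP_BITS[group]))

    lifetime = t.get("lifetime")
    if not isinstance(lifetime, int) or lifetime <= 0:
        found.append(("error", "lifetime", "must be a positive number of seconds"))

    return sorted(found, key=lambda f: RANK[f[0]])


def harden(t):
    """Copy of t using the strongest IP security options this page lists."""
    fixed = dict(t)
    fixed.update(ipsec_enabled=True, ipsec_auth="HMAC-SHA1",
                 ipsec_encryption="AES 128 CBC", ike_phase1="main",
                 dh_group=max(DH_GROUP_BITS, key=DH_GROUP_BITS.get))
    return fixed


# Constructed sample template: every value here is made up for the example.
WEAK_TEMPLATE = {
    "shared_secret_format": "hex", "shared_secret": "0a1b2c3d",
    "retransmit_timeout": 45, "ipsec_enabled": True,
    "ipsec_auth": "HMAC-MD5", "ipsec_encryption": "DES",
    "ike_phase1": "aggressive", "dh_group": 1, "lifetime": 1800,
}

if __name__ == "__main__":
    for label, tmpl in (("as entered", WEAK_TEMPLATE), ("hardened", harden(WEAK_TEMPLATE))):
        print(label)
        for severity, field, message in review_radius_template(tmpl):
            print("  %-5s %-20s %s" % (severity, field, message))
```

The hardened copy still reports the out-of-range retransmit timeout, because `harden` changes only the IP security fields.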

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

RADIUS Authentication Templates

Controller > Security > AAA > RADIUS Auth Servers

Creating RADIUS Accounting Templates

To add and configure a RADIUS Accounting template or modify an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Acct Servers.

Step 2 Use the Shared Secret Format drop-down list to choose either ASCII or hexadecimal.

Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

Step 3 Enter the RADIUS shared secret used by your specified server.

Step 4 Re-enter the shared secret.

Step 5 Click if you want to establish administrative privileges for the server.

Step 6 Click if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Step 7 Specify the time in seconds after which the RADIUS authentication request times out and a retransmission by the controller occurs. You can specify a value between 2 and 30 seconds.

Step 8 Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating RADIUS Fallback Templates

To add and configure a RADIUS Fallback template or modify an existing template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Fallback.

Step 2 From the RADIUS Fallback Mode drop-down list, choose one of the following:

Off—Disables fallback.

Passive—You must enter a time interval.

Active—You must enter a username and time interval.

Step 3 Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

LDAP Server Templates

This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a backend database, similar to a RADIUS or local user database. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user.

These credentials are then used to authenticate the user. For example, local EAP might use an LDAP server as its backend database to retrieve user credentials.

Related Topics

Creating LDAP Server Templates

Creating LDAP Server Templates

To add an LDAP server template or make modifications to an existing LDAP server template, follow these steps:


Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > LDAP Servers.

Step 2 Enter the port number of the controller to which the access point is connected.

Step 3 From the Bind Type drop-down list, choose one of the following:

Authenticated—Enter a bind username and password.

Anonymous.

Step 4 In the Server User Base DN text box, enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.

Step 5 In the Server User Attribute text box, enter the attribute that contains the username in the LDAP server.

Step 6 In the Server User Type text box, enter the ObjectType attribute that identifies the user.

Step 7 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.

Step 8 Check the Admin Status check box if you want the LDAP server to have administrative privileges.

Step 9 Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

LDAP Server Templates

TACACS+ Server Templates

This page allows you to add a TACACS+ server or make modifications to an existing TACACS+ server template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.

Related Topics

Creating TACACS+ Server Templates

Creating TACACS+ Server Templates

To configure a TACACS+ Server template, follow these steps:

Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > TACACS+ Servers.

Step 2 Select one or more server types by selecting their respective check boxes. The following server types are available:

authentication—Server for user authentication/authorization.

authorization—Server for user authorization only.

accounting—Server for RADIUS user accounting.

Step 3 Enter the IP address of the server.

Step 4 Enter the port number of the server. The default is 49.

Step 5 From the drop-down list, choose either ASCII or hex.

Regardless of which format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. Set the key format again in the template in the event a discovered template is applied to another device.

Step 6 Enter the TACACS+ shared secret used by your specified server in the Shared Secret text box.

Step 7 Reenter the shared secret in the Confirm Shared Secret text box.

Step 8 Select the Admin Status check box if you want the TACACS+ server to have administrative privileges.

Step 9 In the Retransmit Timeout text box, enter the time, in seconds, after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.

Step 10 Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

TACACS+ Server Templates

Controller > Security > AAA > TACACS+ Servers

Local EAP General Templates

This page allows you to specify a timeout value for local EAP. You can then add or make changes to an existing local EAP general template.

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.

Related Topics

Creating Local EAP General Templates

Creating Local EAP General Templates

To add a Local EAP template or make modifications to an existing template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > General - Local EAP.

The Local EAP General page appears.

Step 2  In the Local Auth Active Timeout text box, enter the time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds.

The following values should be adjusted if you are using EAP-FAST, manual password entry, one-time password, or 7920/7921 phones:

• Local EAP Identity Request Timeout=1

• Local EAP Identity Request Maximum Retries=20

• Local EAP Dynamic WEP Key Index=0

• Local EAP Request Timeout=20

• Local EAP Request Maximum Retries=2

You must increase the 802.1x timeout values on the controller (default=2 seconds) for the client to obtain the PAC using automatic provisioning. The recommended and default timeout on the Cisco ACS server is 20 seconds.

Roaming fails if these values are not set the same across multiple controllers.

Step 3  Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Local EAP General Templates

Controller > Security > Local EAP > General - Local EAP

Local EAP Profile Templates

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, thereby removing dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.

The LDAP backend database supports only these local EAP methods:

EAP-TLS.

EAP-FAST with certificates.

LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.

Related Topic

Creating Local EAP Profile Templates

Creating Local EAP Profile Templates

To add a Local EAP Profile template or make modifications to an existing template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > Local EAP Profiles.

Step 2  Choose one of the following authentication types:

• LEAP—This authentication type leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.

• EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.

• TLS—This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.

• PEAP—This authentication type is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data.

Step 3  Choose the certificate for authentication from the Certificate Issuer drop-down list to determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate.

Step 4  Check the Check Against CA Certificates check box if you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller.

Step 5  Check the Verify Certificate CN Identity check box if you want the incoming certificate to be validated against the common name of the CA certificate.

Step 6  Check the Check Against Date Validity check box if you want the controller to verify that the incoming device certificate is still valid and has not expired.

Step 7  Check the Local Certificate Required check box if a local certificate is required.

Step 8  Check the Client Certificate Required check box if a client certificate is required.

Step 9  Click Save.

Step 10  To enable local EAP, follow these steps:

a. Choose WLAN > WLAN Configuration from the left sidebar menu.

b. Click the profile name of the desired WLAN.

c. Choose the Security > AAA Servers tab to access the AAA Servers page.

d. Select the Local EAP Authentication check box to enable local EAP for this WLAN.

Step 11  Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Local EAP Profile Templates

Controller > Security > Local EAP > Local EAP Profiles

EAP-FAST Templates

This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point.

Related Topics

Creating an EAP-FAST Template

Creating an EAP-FAST Template

To add an EAP-FAST template or make modifications to an existing template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > EAP-FAST Parameters.

Step 2  In the Time to Live for the PAC text box, enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.

Step 3  In the Authority ID text box, enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.

Step 4  In the Authority Info text box, enter the authority identifier of the local EAP-FAST server in text format.

Step 5  In the Server Key and Confirm Server Key text boxes, enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.

Step 6  If you want to enable anonymous provisioning, select the Anonymous Provision check box.

This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned.

Step 7  Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

EAP-FAST Templates

Creating Network User Priority Templates

You can specify the order that LDAP and local databases use to retrieve user credential information. This page allows you to add or make modifications to an existing network user credential retrieval priority template.

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > Network Users Priority.

Step 2  Use the left and right arrow keys to include or exclude network user credentials in the right page.

Step 3  Use the up and down keys to determine the order credentials are tried.

Step 4  Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Local Network Users Templates

With this template, you can store the credentials (username and password) of all the local network users. These credentials are then used to authenticate the users. For example, local EAP might use the local user database as its back end database to retrieve user credentials. This page allows you to add or make modifications to an existing local network user template. You must create a local net user and define a password when logging in as a web authentication client.

Related Topics

Creating Local Network Users Templates

Creating Local Network Users Templates

To configure a Local Network Users template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > Local Net Users.

Step 2  Click Import CSV to import from a file, then click Browse to navigate to the file. Then continue to Step 6. If you disable the import, continue to Step 3.

Only CSV file formats are supported.

Prime Infrastructure reads data from the second row onwards. The first row in the file is treated as the header and the data is not read by Prime Infrastructure. The header can either be blank or filled.

Step 3  Enter the following details:

• Username

• Password

• Profile

• Description

The Profile column if left blank (or filled in with any profile) means a client on any profile can use this account.

Step 4  Use the drop-down list to choose the SSID which this local user is applied to or choose the any SSID option.

Step 5  Enter a user-defined description of this interface.

Step 6  Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Local Network Users Templates

Guest User Templates

The purpose of a guest user account is to provide a user account for a limited amount of time. A Lobby Ambassador is able to configure a specific time frame for the guest user account to be active. After the specified time period, the guest user account automatically expires. Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Guest Users to access the Guest Users template page.

Related Topics

Creating Guest User Templates

Creating Guest User Templates

To add a guest user template or make modifications to an existing template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Guest Users.

Step 2  Enter a guest username in the User Name text box. The maximum size is 24 characters.

Step 3  Enter a password for this username in the Password text box.

Step 4  From the Advanced tab, choose the guest user to connect to from the Profile drop-down list.

Step 5  Choose a user role for the guest user from the drop-down list. User roles are predefined by the administrator and are associated with the access of the guest.

User Role is used to manage the amount of bandwidth allocated to specific users within the network.

Step 6  Choose one of the following radio buttons to specify the lifetime of the guest account:

• Limited—The period of time that the guest user account is active using the hours and minutes drop-down lists. The default value for Limited is one day (8 hours).

• Unlimited Lifetime—No expiration date for the guest account.

Step 7  Choose the area (indoor, outdoor), controller list, or config group to which the guest user traffic is limited from the Apply to drop-down list.

If you choose the controller list option, a list of controller IP addresses appears.

Step 8  Modify the default guest user description on the General tab if necessary. This is not mandatory.

Step 9  Modify the Disclaimer text on the General tab, if necessary. If you want the supplied text to be the default, select the Make this Disclaimer default check box. This is not mandatory.

Step 10  Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Guest User Templates

User Login Policies Templates

You can set the maximum number of concurrent logins that each single user can have.

Related Topics

Creating User Login Policies Templates

Creating User Login Policies Templates

To add a user login template or make modifications to an existing template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > User Login Policies.

Step 2  Enter the maximum number of concurrent logins each single user can have.

Step 3  Click Save as New Template.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

User Login Policies Templates

Creating a MAC Filter Template

To add a MAC filter template or make modifications to an existing template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > MAC Filtering or choose Security > MAC Filtering.

Step 2  Click Import CSV to import a file containing access point MAC addresses.

Step 3  Enter the desired file path or click Browse to import the file.

The import file must be a CSV file with MAC address, profile name, interface, and description (such as 00:11:22:33:44:55, Profile1, management, test filter). If you disable the Import from File check box, continue to Step 4.

The client MAC address appears.

Step 4  Choose the profile name to which this MAC filter is applied or choose the Any Profile option.

Step 5  Use the drop-down list to choose from the available interface names.

Step 6  Enter a user-defined description of this interface.

Step 7  Click Save as New Template.

You cannot use MAC address in the broadcast range.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Access Point or MSE Authorization Templates

These templates are devised for Cisco 11xx/12xx series access points converted from Cisco IOS to lightweight access points or for 1030 access points connecting in bridge mode. See the Cisco Mobility Services Engine Configuration Guide for further information.

Related Topics

Creating an Access Point or MSE Authorization Templates

Creating an Access Point or MSE Authorization Templates

To add an MSE authorization template or make modifications to an existing template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > AP or MSE Authorization.

Step 2  Click Import CSV to import a file containing access point MAC addresses.

You can only import a CSV file. The file format parallels the fields in the GUI and therefore includes access point base radio MAC, Type, Certificate Type (MIC or SSC), and key hash (such as 00:00:00:00:00:00, AP, SSC, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx). No other file formats are supported.

Step 3  Enter the desired file path or click Browse to import the file.

Step 4  Click Save As New Template.

You cannot use MAC address in the broadcast range.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Access Point or MSE Authorization Templates

Creating a Manually Disabled Client Template

This page allows you to add a manually disabled client template or make modifications to an existing disabled client template.

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > Manually Disable Clients.

Step 2  Enter the MAC address of the client you want to disable.

Step 3  Enter a description of the client you are setting to disabled.

Step 4  Click Save as New Template.

You cannot use a MAC address in the broadcast range.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating Client Exclusion Policies Templates

To add a client exclusion policies template or modify an existing client exclusion policies template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Client Exclusion Policies.

Step 2  Complete the following fields:

• Template Name—Enter a name for the client exclusion policy.

• Excessive 802.11 Association Failures—Enable to exclude clients with excessive 802.11 association failures.

• Excessive 802.11 Authentication Failures—Enable to exclude clients with excessive 802.11 authentication failures.

• Excessive 802.1X Authentication Failures—Enable to exclude clients with excessive 802.1X authentication failures.

• Excessive 802.11 Web Authentication Failures—Enable to exclude clients with excessive 802.11 web authentication failures.

• IP Theft or Reuse—Enable to exclude clients exhibiting IP theft or reuse symptoms.

Step 3  Click Save as New Template.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Access Point Authentication and MFP Templates

Management Frame Protection (MFP) provides for the authentication of 802.11 management frames by the wireless network infrastructure. Management frames can be protected to detect adversaries who are invoking denial of service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting the network performance by attacking the QoS and radio measurement frames.

When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy. An access point must be a member of a WDS to transmit MFP frames.

When MFP detection is enabled, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system.
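
The detection rule described above, modelled as an added example (not Cisco code). The frame fields, the key table and the use of a truncated HMAC-SHA256 in place of the real MIC algorithm are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

MIC_LEN = 16  # assumption: truncated HMAC-SHA256 stands in for the real MIC


@dataclass(frozen=True)
class MgmtFrame:
    """Constructed, simplified management frame."""
    bssid: str
    subtype: str
    body: bytes
    mic: Optional[bytes] = None  # the MIC IE; None on an unprotected frame


def compute_mic(key: bytes, frame: MgmtFrame) -> bytes:
    """MIC over the frame content (everything except the MIC IE itself)."""
    msg = b"|".join([frame.bssid.encode(), frame.subtype.encode(), frame.body])
    return hmac.new(key, msg, hashlib.sha256).digest()[:MIC_LEN]


def protect(key: bytes, frame: MgmtFrame) -> MgmtFrame:
    """Transmit side: add the MIC IE to the frame."""
    return replace(frame, mic=compute_mic(key, frame))


def validate(frame: MgmtFrame, mfp_keys: dict) -> Optional[str]:
    """Detection side.

    mfp_keys maps each BSSID that is configured to transmit MFP frames to
    its key (hypothetical structure). Returns the discrepancy to report,
    or None when there is nothing to report.
    """
    key = mfp_keys.get(frame.bssid)
    if key is None:
        return None  # originator does not transmit MFP frames: no MIC expected
    if frame.mic is None:
        return "missing MIC IE"
    if not hmac.compare_digest(frame.mic, compute_mic(key, frame)):
        return "invalid MIC IE"
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"
    keys = {"00:11:22:33:44:55": key}
    good = protect(key, MgmtFrame("00:11:22:33:44:55", "beacon", b"ssid=corp"))
    samples = {
        "protected frame": good,
        "same BSSID, no MIC IE": MgmtFrame("00:11:22:33:44:55", "beacon", b"ssid=corp"),
        "content altered after MIC": replace(good, body=b"ssid=other"),
        "BSSID without MFP": MgmtFrame("66:77:88:99:aa:bb", "beacon", b"ssid=lab"),
    }
    for label, frame in samples.items():
        print(label, "->", validate(frame, keys) or "ok")
```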

Related Topics

Creating Access Point Authentication and MFP Templates

Creating Access Point Authentication and MFP Templates

To add or make modifications for the access point authentication and management frame protection (MFP) template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > AP Authentication and MFP.

Step 2  From the Protection Type drop-down list, choose one of the following authentication policies:

• None—No access point authentication policy.

• AP Authentication—Apply authentication policy.

• MFP—Apply management frame protection.

Alarm trigger threshold appears only when AP authentication is selected as a protection type. Set the number of hits from an alien access point to ignore before raising an alarm.

The valid range is from 1 to 255. The default value is 255.

Step 3  Click Save as New Template.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Access Point Authentication and MFP Templates

Web Authentication Templates

With web authentication, guests are automatically redirected to a web authentication page when they launch their browsers. Guests gain access to the WLAN through this web portal. Wireless LAN administrators using this authentication mechanism should have the option of providing unencrypted or encrypted guest access. Guest users can then log into the wireless network using a valid username and password, which is encrypted with SSL. Web authentication accounts might be created locally or managed by a RADIUS server. The Cisco Wireless LAN controllers can be configured to support a web authentication client. You can use this template to replace the Web authentication page provided on the controller.

Related Topics

Creating a Web Authentication Template

Creating a Web Authentication Template

To add or make modifications to an existing web authentication template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > Web Auth Configuration.

Step 2  Choose one of the following web authentication types from the drop-down list:

• default internal—You can still alter the page title, message, and redirect URL, as well as whether the logo appears. Continue to Step 5.

• customized web authentication—Click Save and apply this template to the controller. You are prompted to download the web authentication bundle.

Before you can choose customized web authentication, you must first download the bundle by going to Config > Controller and choose Download Customized Web Authentication from the Select a command drop-down list, and click Go.

• external—You need to enter the URL you want to redirect to after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user is directed to the company home page.

Step 3  Select the Logo Display check box if you want your company logo displayed.

Step 4  Enter the title you want displayed on the Web Authentication page.

Step 5  Enter the message you want displayed on the Web Authentication page.

Step 6  Provide the URL where the user is redirected after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user would be directed to the company home page.

Step 7  Click Save as New Template.

Related Topics

Web Authentication Templates

Customized Web Authentication Pages

Customized Web Authentication Pages

You can download a customized Web Authentication page to the controller. With a customized web page, you can establish a username and password for user web access.

When downloading customized web authentication, you must follow these strict guidelines:

Provide a username.

Provide a password.

Retain a redirect URL as a hidden input item after extracting from the original URL.

Extract the action URL and set aside from the original URL.

Include scripts to decode the return status code.

Related Topics

Downloading Customized Web Authentication Pages

Downloading Customized Web Authentication Pages

Before downloading, follow these steps:

Step 1  Download the sample login.html bundle file from the server. The following figure displays the login.html file.

The login page is presented to web users the first time they access the WLAN if web authentication is turned on.

Figure 20-1 Login.html

Step 2  Edit the login.html file and save it as a .tar or .zip file.

You can change the text of the Submit button to read Accept terms and conditions and Submit.

Step 3  Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the download. Keep these guidelines in mind when setting up a TFTP server:

• If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable. However, if you want to put the TFTP server on a different network while the management port is down, add a static route if the subnet where the service port resides has a gateway (config route add IP address of TFTP server).

• If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.

• A third-party TFTP server cannot run on the same computer as Prime Infrastructure because the built-in TFTP server of Prime Infrastructure and third-party TFTP server use the same communication port.

Step 4  Download the .tar or .zip file to the controller(s).

The controller allows you to download up to 1 MB of a .tar file containing the pages and image files required for the Web authentication display. The 1 MB limit includes the total size of uncompressed files in the bundle.

You can now continue with the download.

Step 5  Copy the file to the default directory on your TFTP server.

Step 6  Choose Configuration > Network > Network Devices > Wireless Controller.

Step 7  Click on a Device Name. If you select more than one device, the customized Web authentication page is downloaded to multiple controllers.

Step 8  From the left sidebar menu, choose System > Commands.

Step 9  From the Upload/Download Commands drop-down list, choose Download Customized Web Auth, and click Go.

Step 10  The IP address of the controller to receive the bundle and the current status are displayed.

Step 11  Choose local machine from the File is Located On field. If you know the filename and path relative to the root directory of the server, you can also select TFTP server.

For a local machine download, either .zip or .tar file options exists, but Prime Infrastructure does the conversion of .zip to .tar automatically. If you chose a TFTP server download, only .tar files would be specified.

Step 12  Enter the maximum number of times the controller should attempt to download the file in the Maximum Retries field.

Step 13  Enter the maximum amount of time in seconds before the controller times out while attempting to download the file in the Timeout field.

Step 14  The files are uploaded to the c:\tftp directory. Specify the local filename in that directory or click Browse to navigate to it.

Step 15  Click OK.

If the transfer times out, you can simply choose the TFTP server option in the File Is Located On field, and the server filename is populated for you. The local machine option initiates a two-step operation. First, the local file is copied from the workstation of the administrator to the built-in TFTP server of Prime Infrastructure. Then the controller retrieves that file. For later operations, the file is already in the TFTP directory of Prime Infrastructure server, and the download web page now automatically populates the filename.

Step 16  Click the Click here to download a sample tar file link to get an option to open or save the login.tar file.

Step 17  After completing the download, you are directed to the new page and able to authenticate.
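
A pre-download check for the bundle built in the procedure above, as an added example that is not part of the Cisco guide. It sums the uncompressed size of every file in a .tar or .zip bundle, because the 1 MB limit applies to the uncompressed total and a small .zip can still be over it. Reading "1 MB" as 1,048,576 bytes and requiring a file named login.html are assumptions.

```python
import io
import tarfile
import zipfile

MAX_BUNDLE_BYTES = 1024 * 1024  # assumption: the guide's "1 MB" read as 1 MiB
REQUIRED_PAGE = "login.html"    # assumption: the bundle must carry this page


def bundle_members(data):
    """Return {name: uncompressed size} for regular files in a .tar or .zip."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return {m.name: m.size for m in tf.getmembers() if m.isfile()}
    except tarfile.ReadError:
        pass  # not a plain tar; try zip next
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {i.filename: i.file_size
                    for i in zf.infolist() if not i.is_dir()}
    except zipfile.BadZipFile:
        raise ValueError("bundle is neither a .tar nor a .zip file")


def check_bundle(data):
    """Return (total uncompressed bytes, list of problems found)."""
    members = bundle_members(data)
    total = sum(members.values())
    problems = []
    if total > MAX_BUNDLE_BYTES:
        problems.append("uncompressed size %d exceeds %d bytes"
                        % (total, MAX_BUNDLE_BYTES))
    if not any(n.rsplit("/", 1)[-1] == REQUIRED_PAGE for n in members):
        problems.append("login.html missing")
    return total, problems


def make_tar(files):
    """Build a constructed .tar bundle in memory from {name: bytes}."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return out.getvalue()


def make_zip(files):
    """Build a constructed, deflate-compressed .zip bundle in memory."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return out.getvalue()


if __name__ == "__main__":
    page = b"<html><body>constructed login page</body></html>"
    small = make_tar({"login.html": page, "logo.jpg": b"\xff" * 4000})
    # 2 MiB of zeros compresses to a few KB, so the .zip itself looks small.
    packed = make_zip({"login.html": page, "banner.bmp": b"\x00" * (2 << 20)})
    for label, blob in (("small tar", small), ("packed zip", packed)):
        total, problems = check_bundle(blob)
        print(label, len(blob), "bytes on disk,", total, "uncompressed:",
              problems or "ok")
```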

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating a Web Authentication Template

Creating External Web Auth Server Templates

To create or modify an External Web Auth Server template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > External Web Auth Server or choose Security > External Web Auth Server.

Step 2  Enter the server address of the external web auth server.

Step 3  Click Save as New Template.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating a Security Password Policy Template

To add or make modifications to an existing password policy template, follow these steps:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Security > Password Policy.

Step 2  You can enable or disable the following settings:

• Password must contain characters from at least 3 different classes such as uppercase letters, lowercase letters, digits, and special characters.

• No character can be repeated more than 3 times consecutively.

• Password cannot be the default words like cisco or admin.

Password cannot be “cisco”, “ocsic”, “admin”, “nimda” or any variant obtained by changing the capitalization of letters, or by substituting “1”, “|” or “!” for “i”, or substituting “0” for “o”, or substituting “$” for “s”.

• Password cannot contain username or reverse of username.

Step 3  Click Save.
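
The four settings above, written out as an added example (not the controller's own implementation) that can be used to pre-screen candidate passwords. The flag names are hypothetical, and comparing the username case-insensitively is an assumption the guide does not state.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """One flag per setting the template can enable or disable
    (hypothetical names, not the controller's)."""
    require_three_classes: bool = True
    limit_consecutive_repeats: bool = True
    reject_default_words: bool = True
    reject_username: bool = True


DEFAULT_WORDS = {"cisco", "ocsic", "admin", "nimda"}
# Substitutions listed in the guide, mapped back to the letter they stand for.
UNSUBSTITUTE = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})


def character_classes(password):
    """Count how many of upper, lower, digit and special appear."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))


def is_default_word_variant(password):
    """True if undoing capitalization and the listed substitutions yields
    exactly one of the default words."""
    return password.lower().translate(UNSUBSTITUTE) in DEFAULT_WORDS


def violations(password, username, policy=PasswordPolicy()):
    """Return the names of the enabled settings that the password breaks."""
    found = []
    if policy.require_three_classes and character_classes(password) < 3:
        found.append("classes")
    # (.)\1{3} matches four identical characters in a row, which is
    # "repeated more than 3 times consecutively".
    if policy.limit_consecutive_repeats and re.search(r"(.)\1{3}", password, re.S):
        found.append("repeats")
    if policy.reject_default_words and is_default_word_variant(password):
        found.append("default-word")
    if policy.reject_username and username:
        pw, user = password.lower(), username.lower()  # assumption: ignore case
        if user in pw or user[::-1] in pw:
            found.append("username")
    return found


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("C1$c0", "Passs1word", "Passss1word", "Xy7-ecila-Q", "lowercaseonly"):
        print(repr(pw), violations(pw, "alice") or "ok")
```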

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating Security - Access Control Templates

This section contains the following topics:

Creating an Access Control List Template

Creating a FlexConnect Access Control List Template

Creating an ACL IP Groups Template

Creating an ACL Protocol Groups Template

Creating an Access Control List Template

An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs can be applied to data traffic to and from wireless clients or to all traffic destined for the controller Central Processing Unit (CPU) and can now support reusable grouped IP addresses and reusable protocols. After ACLs are configured in the template, they can be applied to the management interface, the AP-manager interface, or any of the dynamic interfaces for client data traffic; to the Network Processing Unit (NPU) interface for traffic to the controller CPU; or to a WAN.

You can create or modify an ACL template by protocol, direction, and the source or destination of the traffic.

You can now create new mappings from the defined IP address groups and protocol groups. You can also automatically generate rules from the rule mappings you created. These rules are generated with contiguous sequence. That is, if rules 1 through 4 are already defined and you add up to 29 rules.

Existing ACL templates are duplicated into a new ACL template. This duplication clones all the ACL rules and mappings defined in the source ACL template.

This release of Prime Infrastructure provides support to IPv6 ACLs.

Related Topics

Adding or Modifying an ACL Template

Creating an ACL IP Groups Template

Creating an ACL Protocol Groups Template

Adding or Modifying an ACL Template

To add or modify an existing ACL template, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > Access Control Lists.

Step 2: Complete the following fields:

Access Control List Name—User-defined name of the template.

ACL Type—Choose either IPv4 or IPv6. IPv6 ACL is supported from controller Release 7.2.x.

Step 3: Choose IP Groups from the left sidebar menu to create reusable grouped IP addresses and protocols.

Step 4: Choose Add IP Group from the Select a command drop-down list and click Go to define a new IP address group.

One IP address group can have a maximum of 128 IP address and netmask combinations. To view or modify an existing IP address group, click the URL of the IP address group. The IP address group page opens. For the IP address of any, an any group is predefined.

Step 5: Edit the following current IP group fields if required in the ACL IP Groups details page:

IP Group Name

IP Address

Netmask OR CIDR Notation

Enter the Netmask or CIDR Notation and then click Add. The list of IP addresses or Netmasks appears in the List of IP Address/Netmasks text box.

CIDR, or Classless InterDomain Routing, is a protocol which allows the assignment of Class C IP addresses in multiple contiguous blocks. CIDR notation allows you to add a large number of clients that exist in a subnet range by configuring a single client object.

Netmask allows you to set the subnet mask in dotted-decimal notation rather than the CIDR notation for the IP address property.

BroadCast/Network

List of IP Addresses/Netmasks

Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete any IP address or Netmask.

Step 6: Choose Access Control > Protocol Groups from the left sidebar menu to define an additional protocol that is not a standard predefined one.

The protocol groups with their source and destination port and DSCP are displayed.

Step 7: Choose Add Protocol Group from the Select a command drop-down list, and click Go to create a new protocol group. To view or modify an existing protocol group, click the URL of the group.

The Protocol Groups page appears.

Step 8: Enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the parameters of a rule, the action for this rule is exercised.

Step 9: Choose one of the following protocols from the drop-down list:

Any—All protocols

TCP—Transmission Control Protocol

UDP—User Datagram Protocol

ICMP—Internet Control Message Protocol

ESP—IP Encapsulating Security Payload

AH—Authentication Header

GRE—Generic Routing Encapsulation

IP—Internet Protocol

Eth Over IP—Ethernet over Internet Protocol

Other Port OSPF—Open Shortest Path First

Other—Any other IANA protocol (http://www.iana.org/)

Some protocol choices (such as TCP or UDP) cause additional Source Port and Dest Port GUI elements to appear.

Source Port—Specify the source of the packets to which this ACL applies. The choices are Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.

Dest Port—Specify the destination of the packets to which this ACL applies. The choices are Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.

Step 10: Choose any or specific from the DSCP (Differentiated Services Code Point) drop-down list. If you choose specific, enter the DSCP (range of 0 to 255).

DSCP is a packet header code that can be used to define the quality of service across the Internet.

Step 11: Click Save.

Step 12: Choose the ACL template to which you want to map the new groups to define a new mapping. All ACL mappings appear on the top of the page, and all ACL rules appear on the bottom.

Step 13: Choose Add Rule Mappings from the Select a command drop-down list. The Add Rule Mapping page appears.

Step 14: Configure the following fields:

Source IP Group—Predefined groups for IPv4 and IPv6.

Destination IP Group—Predefined groups for IPv4 and IPv6.

Protocol Group—Protocol group to use for the ACL.

Direction—Any, Inbound (from client) or Outbound (to client).

Action—Deny or Permit. The default filter is to deny all access unless a rule explicitly permits it.

Step 15: Click Add. The new mappings populate the bottom table.

Step 16: Click Save.

Step 17: Choose the mappings for which you want to generate rules, and click Generate. This automatically creates the rules.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates
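
The mapping-to-rule workflow above, modelled offline as an added example (this is not Prime Infrastructure or controller code). It expands each rule mapping into one rule per source/destination entry pair, numbers the rules contiguously after any existing ones, and denies a packet that matches no rule. The cross-product expansion, first-match evaluation, and all group names and addresses are assumptions made for illustration.

```python
"""Offline model of ACL rule mappings (constructed example, not product code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

MAX_GROUP_ENTRIES = 128  # per-group limit stated in the guide


def make_ip_group(entries):
    """Parse 'address/prefix' or 'address/netmask' strings into networks."""
    if len(entries) > MAX_GROUP_ENTRIES:
        raise ValueError("an IP group holds at most 128 address/netmask entries")
    return [ip_network(entry, strict=False) for entry in entries]


@dataclass(frozen=True)
class ProtocolGroup:
    protocol: str                       # "Any", "TCP", "UDP", "ICMP", ...
    dst_ports: Optional[range] = None   # None models the "Any" port choice


@dataclass(frozen=True)
class Mapping:
    src_group: str
    dst_group: str
    proto_group: str
    direction: str   # "Any", "Inbound" (from client) or "Outbound" (to client)
    action: str      # "Permit" or "Deny"


@dataclass(frozen=True)
class Rule:
    seq: int
    src: object      # IPv4Network or IPv6Network
    dst: object
    proto: ProtocolGroup
    direction: str
    action: str


def generate_rules(mappings, ip_groups, proto_groups, existing=0):
    """Expand mappings into rules numbered contiguously after `existing` rules."""
    rules, seq = [], existing
    for m in mappings:
        for src, dst in product(ip_groups[m.src_group], ip_groups[m.dst_group]):
            if src.version != dst.version:
                continue  # an ACL template is either IPv4 or IPv6
            seq += 1
            rules.append(Rule(seq, src, dst, proto_groups[m.proto_group],
                              m.direction, m.action))
    return rules


def evaluate(rules, src, dst, protocol, dst_port=None, direction="Inbound"):
    """Return (action, seq) of the first matching rule, else the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=lambda rule: rule.seq):
        if s not in r.src or d not in r.dst:
            continue
        if r.direction not in ("Any", direction):
            continue
        if r.proto.protocol not in ("Any", protocol):
            continue
        if r.proto.dst_ports is not None and dst_port not in r.proto.dst_ports:
            continue
        return r.action, r.seq
    return "Deny", None  # nothing matched: access is denied unless permitted


# Constructed sample data: keep clients from pinging the management interface.
IP_GROUPS = {
    "any": make_ip_group(["0.0.0.0/0"]),
    "wireless-clients": make_ip_group(["10.20.0.0/255.255.0.0", "10.30.0.0/16"]),
    "mgmt": make_ip_group(["192.0.2.10/32"]),
}
PROTO_GROUPS = {
    "icmp": ProtocolGroup("ICMP"),
    "https": ProtocolGroup("TCP", range(443, 444)),
    "any": ProtocolGroup("Any"),
}
MAPPINGS = [
    Mapping("wireless-clients", "mgmt", "icmp", "Inbound", "Deny"),
    Mapping("wireless-clients", "mgmt", "https", "Inbound", "Permit"),
    Mapping("wireless-clients", "any", "any", "Any", "Permit"),
]

if __name__ == "__main__":
    generated = generate_rules(MAPPINGS, IP_GROUPS, PROTO_GROUPS, existing=4)
    for rule in generated:
        print(rule.seq, rule.action, rule.src, "->", rule.dst, rule.proto.protocol)
    print(evaluate(generated, "10.30.1.5", "192.0.2.10", "ICMP"))
    print(evaluate(generated, "172.16.0.1", "192.0.2.10", "TCP", 443))
```

Running the same packets through the model before and after reordering mappings shows which broad permit rules shadow later, narrower deny rules.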

Creating a FlexConnect Access Control List Template

You can create or modify a FlexConnect ACL template for configuring the type of traffic that is allowed by protocol, and the source or destination of the traffic. The FlexConnect ACLs do not support IPv6 addresses.

Creating and Applying a FlexConnect Access Control List

To configure and apply an Access Control List template to a Controller, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > FlexConnect ACLs.

Step 2: Enter a name for the new FlexConnect ACL.

Step 3: Click Save as New Template.

A FlexConnect ACL template is created. You can now create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All FlexConnect ACL mappings appear on the top of the page, and all FlexConnect ACL rules appear in the bottom.

Step 4: Click Add Rule Mappings, then configure the following fields in the FlexConnect ACL IP Protocol Map page:

Source IP Group—Predefined groups for IPv4 and IPv6.

Destination IP Group—Predefined groups for IPv4 and IPv6.

Protocol Group—Protocol group to use for the ACL.

Action—Deny or Permit. The default filter is to deny all access unless a rule explicitly permits it.

Step 5: Click Add. The new mappings populate the bottom table.

Step 6: Click Save.

Step 7: Choose the mappings for which you want to generate rules, and click Generate. This automatically creates the rules.

Step 8: From the Select a command drop-down list in the FlexConnect ACL page, choose Apply Templates.

The Apply to Controllers page appears.

Step 9: Select the Save Config to Flash after apply check box to save the configuration to Flash after applying the FlexConnect ACL to the controller.

Step 10: Select Reboot Controller after apply to reboot the controller once the FlexConnect ACL is applied.

This check box is available only when you select the Save Config to Flash after apply check box.

Step 11: Select one or more controllers and click OK to apply the FlexConnect ACL template.

The FlexConnect ACL that you created appears in Configure > Controller Template Launch Pad > IP Address > Security > Access Control > FlexConnect ACLs.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Deleting a FlexConnect Access Control List

To delete a FlexConnect ACL, follow these steps:

Step 1: Choose Configuration > Network > Network Devices > Controllers.

Step 2: Click a controller Device Name.

Step 3: From the left sidebar menu, choose Security > FlexConnect ACLs.

Step 4: From the FlexConnect ACLs page, select one or more FlexConnect ACLs to delete.

Step 5: From the Select a command drop-down list, choose Delete FlexConnect ACLs.

Step 6: Click Go.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating an ACL IP Groups Template

To create reusable grouped IP addresses, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > IP Groups.

Step 2: Configure the following fields:

Name

IP Address—For IP Group, enter an IPv4 address format. For IPv6 groups, enter an IPv6 address format.

Netmask OR CIDR Notation—Enter the Netmask or CIDR Notation and then click Add.

The list of IP addresses or Netmasks appears in the List of IP Addresses/Netmasks text box.

These fields are not applicable for IPv6 groups.

BroadCast/Network

These fields are not applicable for IPv6 groups.

Prefix Length—Prefix for IPv6 addresses, ranging from 0 to 128.

List of IP Addresses/Netmasks—Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete an IP address or Netmask.

Step 3: Click Save as New Template.

You can create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All ACL mappings appear in the top of the page, and all ACL rules appear in the bottom.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating Controller Configuration Groups

Creating an ACL Protocol Groups Template

Creating an ACL Protocol Groups Template

To define an additional protocol that is not a standard predefined one, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > Protocol Groups.

Step 2: Configure the following fields:

Name—The rule name is provided for the existing rules, or you can now enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the fields of a rule, the action for this rule is exercised.

Protocol—Choose a protocol from the drop-down list:

Any—All protocols

TCP—Transmission Control Protocol

UDP—User Datagram Protocol

ICMP—Internet Control Message Protocol

ESP—IP Encapsulating Security Payload

AH—Authentication Header

GRE—Generic Routing Encapsulation

IP—Internet Protocol

Eth Over IP—Ethernet over Internet Protocol

Other Port OSPF—Open Shortest Path First

Other—Any other IANA protocol (http://www.iana.org/)

Source Port—Can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.

Dest Port—Destination port. If TCP or UDP is selected, can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.

DSCP (Differentiated Services Code Point)—Choose Any or Specific from the drop-down list. If Specific is selected, enter the DSCP (range of 0 through 255).

DSCP is a packet header code that can be used to define the quality of service across the Internet.

Step 3: Click Save as New Template.

Related Topics

Creating Controller Configuration Groups

Creating an ACL IP Groups Template

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating Security - CPU Access Control List Templates

CPU ACL configuration with IPv6 is not supported in this release because all IP addresses of controllers on interfaces use IPv4 except the virtual interface. The existing ACLs are used to set traffic controls between the Central Processing Unit (CPU) and Network Processing Unit (NPU).

Creating a CPU Access Control List (ACL) Template

To add or modify an existing CPU ACL template, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > CPU Access Control List.

Step 2: Select the check box to enable CPU ACL. When CPU ACL is enabled and applied on the controller, Prime Infrastructure displays the details of the CPU ACL against that controller.

Step 3: From the ACL Name drop-down list, choose a name from the list of defined names.

Step 4: From the CPU ACL Mode drop-down list, choose which data traffic direction this CPU ACL list controls. The choices are the wired side of the data traffic, the wireless side of the data traffic, or both wired and wireless.

Step 5: Click Save as New Template.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating Security - Rogue Templates

Rogue templates enable you to configure the rogue policy (for access points and clients) applied to the controller. It also determines whether or not the Rogue Location Discovery Protocol (RLDP) is connected to the enterprise wired network. With RLDP, the controller instructs a managed access point to associate with the rogue access point and sends a special packet to the controller. If the controller receives the packet, the rogue access point is connected to the enterprise network. This method works for rogue access points that do not have encryption enabled.

There can be many rogues with very weak RSSI values that do not provide any valuable information in the rogue analysis. Therefore, you can use this option to filter the rogues by specifying the minimum RSSI value at which the APs should detect rogues.

Rogue access point rules allow you to define rules to automatically classify rogue access points. Prime Infrastructure applies the rogue access point classification rules to the controllers. These rules can limit the appearance of a rogue on maps based on RSSI level (weaker rogue access points are ignored) and time limit (a rogue access point is not flagged unless it is seen for the indicated period of time). Rogue access point rules also help reduce false alarms.

The new enhancements to the role classification rule are applicable for Cisco WLC 7.4 and later. These enhancements are not applicable to Catalyst 3850, Catalyst 3650, Catalyst 4500 switches, and Cisco 5760 WLAN Controllers (WLC).

To view current classification rule templates, rule type, and the number of controllers to which they are applied, choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rules.

Rogue classes include the following types:

Malicious Rogue—A detected access point that matches the user-defined malicious rules or has been manually moved from the Friendly AP category.

Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined friendly rules.

Unclassified Rogue—A detected access point that does not match the malicious or friendly rules.

Related Topics

Creating a Rogue Policies Template

Creating a Rogue AP Rules Template

Creating a Rogue AP Rule Groups Template

Creating a Rogue Policies Template

To add or modify a rogue policy (for access points and clients) template applied to the controller, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Rogue Policies.

Step 2: Choose one of the following from the drop-down list:

Disable—Disables RLDP on all access points.

All APs—Enables RLDP on all access points.

Monitor Mode APs—Enables RLDP only on access points in monitor mode.

Step 3: Set the expiration timeout (in seconds) for rogue access point entries.

Step 4: Enter the time interval in seconds at which the APs should send the rogue detection report to the controller in the Rogue Detection Report Interval text box.

The valid range is 10 seconds to 300 seconds, and the default value is 10 seconds. This feature is applicable to APs that are in monitor mode only.

Step 5: Enter the minimum RSSI value that a rogue should have for the APs to detect and for the rogue entry to be created in the controller in the Rogue Detection Minimum RSSI text box.

The valid range is -70 dBm to -128 dBm, and the default value is -128 dBm. This feature is applicable to all the AP modes.

Step 6: Enter the time interval at which a rogue has to be consistently scanned for by the AP after the first time the rogue is scanned in the Rogue Detection Transient Interval text box.

By entering the transient interval, you can control the time interval at which the AP should scan for rogues. The APs can filter the rogues based on their transient interval values. The valid range is between 120 seconds to 1800 seconds, and the default value is 0. This feature is applicable to APs that are in monitor mode only.

Step 7: Select the Validate rogue clients against AAA check box to enable the AAA validation of rogue clients.

Step 8: Select the Detect and report Adhoc networks check box to enable detection and reporting of rogue clients participating in ad hoc networking.

Step 9: Click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Rogue AP Rules

To configure rogue rules on Prime Infrastructure, follow these steps:

1. Create a Rogue AP rule—See Creating a Rogue AP Rules Template.

2. Create a Rogue AP Rule Group that contains all the rules you want to apply—See Creating a Rogue AP Rule Groups Template.

3. Deploy the Rogue AP Rule Group to the controllers—See Deploying a Rogue AP Rule Groups Template.

Creating a Rogue AP Rules Template

To add or create a new classification rule template for rogue access points, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rules.

Step 2: Configure the following fields:

Template Name.

Rule Type—Choose Malicious, Friendly, or Custom from the drop-down list.

Notify—Choose Global, Local, None, or All from the drop-down list.

Global—Trap information is sent only to Prime Infrastructure.

Local—Trap information is sent only to controller.

None—Trap information is not sent.

All—Trap information is sent to Prime Infrastructure and controller.

State—Use the drop-down list to choose from Contain, Alert, or Delete.

Match Type—Choose Match All Conditions or Match Any Condition from the drop-down list.

Severity Score (for Custom rule type only)—Specify the severity score. The Custom Rogue AP severity is based on the Severity Score value you specify:

Critical—80 to 100

Major—60 to 79

Minor—1 to 59

Classification Name (for Custom rule type only).

Step 3: In the Rogue Classification Rule group box of the page, configure the following fields.

Open Authentication—Select the check box to enable open authentication.

Match Managed AP SSID—Select the check box to enable the matching of a Managed AP SSID.

Managed SSIDs are the SSIDs configured for the WLAN and known to the system.

Match User Configured SSID—Select the check box to enable the matching of User Configured SSIDs.

User Configured SSIDs are the SSIDs that are manually added. Enter the User Configured SSIDs (one per line) in the Match User Configured SSID text box.

Match Wildcard Configured SSID—Select the check box to enable the matching of Wildcard Configured SSIDs. You can use wildcards (*).

Minimum RSSI—Select the check box to enable the Minimum RSSI threshold limit.

Enter the minimum RSSI threshold level (dBm) in the text box. The detected access point is classified with the Rule Type you specified if it is detected above the indicated RSSI threshold.

Time Duration—Select the check box to enable the Time Duration limit.

Enter the time duration limit (in seconds) in the text box. If it is viewed for a longer period of time than the specified time limit, the detected access point is classified with the Rule Type you specified.

Minimum Number Rogue Clients—Select the check box to enable the Minimum Number Rogue Clients limit. Enter the minimum number of rogue clients allowed. If the number of clients associated to the detected access point is greater than or equal to the specified value, the detected access point is classified with the Rule Type you specified.

Step 4: Click Save as New Template.

Related Topics

Creating a Rogue AP Rule Groups Template

Deleting Controller Templates

Applying Controller Templates

Creating a Rogue AP Rule Groups Template

A rogue access point rule group template allows you to combine more than one rogue access point rule and apply them to controllers. To view current rogue access point rule group templates or create a new rule group, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rule Groups.

Step 2: Enter a template name.

Step 3: To add a Rogue AP rule, click to highlight the rule in the left column. Click Add to move the rule to the right column.

Rogue access point rules can be added from the Rogue Access Point Rules section.

Step 4: To remove a rogue access point rule, click to highlight the rule in the right column. Click Remove to move the rule to the left column.

Step 5: Use the Move Up/Move Down buttons to specify the order in which the rules apply. Highlight the desired rule and click Move Up or Move Down to move it higher or lower in the current list.

Step 6: Click Save to confirm the rogue access point rule list.

Step 7: Click Deploy to apply the rule group to the controller. See Deploying a Rogue AP Rule Groups Template.

Related Topics

Creating a Rogue AP Rules Template

Deploying a Rogue AP Rule Groups Template

Viewing Deployed Rogue AP Rules
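
An offline model of how the rule fields and rule-group ordering described above combine, as an added example (this is not controller or Prime Infrastructure code). Each rule's enabled conditions are joined by Match All or Match Any, rules are tried in group order, and an access point that matches none stays Unclassified. First-match-wins ordering, reading Open Authentication as "the rogue uses no encryption", and the sample SSIDs, rule names, and readings are assumptions.

```python
"""Offline model of rogue AP classification rules (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Detection:
    ssid: str
    rssi_dbm: int
    seen_seconds: int
    client_count: int
    open_auth: bool


@dataclass
class Rule:
    name: str
    rule_type: str                        # "Malicious", "Friendly" or "Custom"
    match_all: bool = True                # Match All Conditions / Match Any Condition
    open_auth: bool = False
    managed_ssid: bool = False
    user_ssids: List[str] = field(default_factory=list)
    wildcard_ssids: List[str] = field(default_factory=list)
    min_rssi_dbm: Optional[int] = None
    min_seconds: Optional[int] = None
    min_clients: Optional[int] = None
    severity_score: Optional[int] = None  # Custom rule type only


def severity(score):
    """Map a Custom rule's Severity Score to the bands listed in the guide."""
    if not 1 <= score <= 100:
        raise ValueError("severity score must be between 1 and 100")
    return "Critical" if score >= 80 else "Major" if score >= 60 else "Minor"


def wildcard_match(pattern, ssid):
    """Match an SSID against a pattern in which only '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, ssid, flags=re.DOTALL) is not None


def enabled_conditions(rule, det, managed_ssids):
    """Yield one boolean per condition that is switched on in the rule."""
    if rule.open_auth:
        yield det.open_auth
    if rule.managed_ssid:
        yield det.ssid in managed_ssids
    if rule.user_ssids:
        yield det.ssid in rule.user_ssids
    if rule.wildcard_ssids:
        yield any(wildcard_match(p, det.ssid) for p in rule.wildcard_ssids)
    if rule.min_rssi_dbm is not None:
        yield det.rssi_dbm > rule.min_rssi_dbm       # detected above the threshold
    if rule.min_seconds is not None:
        yield det.seen_seconds > rule.min_seconds    # seen longer than the limit
    if rule.min_clients is not None:
        yield det.client_count >= rule.min_clients   # at least this many clients


def classify(rule_group, det, managed_ssids):
    """Return (class, rule name, severity) from the first matching rule."""
    for rule in rule_group:
        results = list(enabled_conditions(rule, det, managed_ssids))
        if not results:
            continue  # assumption: a rule with nothing enabled never matches
        if all(results) if rule.match_all else any(results):
            sev = severity(rule.severity_score) if rule.rule_type == "Custom" else None
            return rule.rule_type, rule.name, sev
    return "Unclassified", None, None


# Constructed sample data, listed in the order the rule group applies the rules.
MANAGED_SSIDS = {"corp-wifi"}
RULE_GROUP = [
    Rule("spoofed-managed-ssid", "Malicious", managed_ssid=True,
         min_rssi_dbm=-70, min_seconds=300),
    Rule("lab-gear", "Friendly", wildcard_ssids=["lab-*"]),
    Rule("busy-or-open", "Custom", match_all=False, open_auth=True,
         min_clients=3, severity_score=65),
]

if __name__ == "__main__":
    for det in (Detection("corp-wifi", -55, 900, 2, False),
                Detection("corp-wifi", -85, 900, 0, False),
                Detection("lab-printer", -60, 100, 0, True),
                Detection("FreeWiFi", -75, 60, 4, False)):
        print(det.ssid, det.rssi_dbm, classify(RULE_GROUP, det, MANAGED_SSIDS))
```

The second sample detection shows the cost of an RSSI threshold: an access point advertising a managed SSID at -85 dBm falls through every rule and stays Unclassified.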

Deploying a Rogue AP Rule Groups Template

After you create and save a rogue AP Rule Group template, you can deploy it to a controller.

Step 1: Navigate to the Rogue AP Rule Group that you previously created. By default, it is saved in Configuration > Templates > Features & Technologies > My Templates > Features & Technologies > Controller > Security > Wireless Protection Policies.

Step 2: Click Deploy to apply the rule group to the controller.

Step 3: Select the controller(s) to which you want to apply the AP Rule Group, then click OK.

Prime Infrastructure creates a job for deploying the rules to the controllers you specified.

Step 4: Choose Administration > Dashboards > Job Dashboard > User Jobs > Config Deploy - Deploy View to view the status of the job.

Related Topics

Creating a Rogue AP Rules Template

Creating a Rogue AP Rule Groups Template

Viewing Deployed Rogue AP Rules

Viewing Deployed Rogue AP Rules

You can view and edit the Rogue AP Rules that you previously deployed.

Step 1: Choose Monitor > Network > Network Devices > Wireless Controllers.

Step 2: Click on a Device Name, then select Security > Wireless Protection Policies > Rogue AP Rules.

Step 3: Click on a Rogue AP Rule name to edit the rule.

Step 4: To view Rogue AP alarms, click the Alarm Summary at the top right of the page, then select Rogue AP.

You can also choose Dashboard > Wireless > Security to view Rogue AP information.

Related Topics

Monitoring Alarms

Where to Find Alarms

Friendly Access Point Templates

This template allows you to import friendly internal access points. Importing these friendly access points prevents non-lightweight access points from being falsely identified as rogues. Friendly Internal access points were previously referred to as Known APs. The Friendly AP page identifies the MAC address of an access point, status, any comments, and whether or not the alarm is suppressed for this access point.

Creating a Friendly Access Point Template

To view or edit the current list of friendly access points, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Friendly AP.

Step 2: To import an access point, click Import CSV. Then enter the file path or click Browse to navigate to the CSV file containing the MAC addresses.

Use a line break to separate MAC addresses. For example, enter the MAC addresses as follows:

00:00:11:22:33:44

00:00:11:22:33:45

00:00:11:22:33:46

Step 3: To manually add an access point, enter the MAC address for the access point.

Step 4: Choose Internal access point from the Status drop-down list.

Step 5: Enter a comment regarding this access point, if necessary.

Step 6: Select the Suppress Alarms check box to suppress all alarms for this access point.

Step 7: Click Save as New Template.

To modify an existing friendly access point, choose Configuration > Network > Network Devices > Controller, and click the controller Device Name, then select Security > Rogue > Friendly Internal, and click the MAC address of an access point. Make the necessary changes to the access point, and click Save.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Ignored Rogue AP Templates

The Ignored Rogue AP Template page allows you to create or modify a template for importing ignored access points. Access points in the Ignored AP list are not identified as rogues. You create an Ignored Rogue AP Template with a specific MAC address, or a set of MAC addresses in a CSV file. The Ignored Rogue AP Template is not immediately applied to the controller. The next time the controller detects the rogue MAC address and informs Prime Infrastructure about it, Prime Infrastructure deletes the Rogue AP/Adhoc alarm from its database and this MAC address is added to the controller’s Rogue AP Ignore-List.

Creating Ignored Rogue AP Templates

To add or edit the Ignored Rogue access points, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Ignored Rogue AP.

Step 2: To import an ignored rogue access point, click Import CSV. Then enter the file path or click Browse to navigate to the CSV file containing the MAC addresses.

Use a line break to separate MAC addresses. For example, enter the MAC addresses as follows:

00:00:11:22:33:44

00:00:11:22:33:45

00:00:11:22:33:46

Step 3: To manually add an ignored rogue access point, unselect the Import from File check box.

Step 4: Enter the MAC address and comment for the rogue access point.

Step 5: Click Save as a New Template.

If you remove the MAC address from the Ignored AP list, the MAC address is removed from the Rogue AP Ignore-List on the controller.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating 802.11 Templates

You can create the following 802.11 templates:

Creating Load Balancing Templates.

Creating Band Selection Templates.

Creating Media Parameters Controller Templates (802.11a/n).

Related Topics

Creating Load Balancing Templates

Creating Band Selection Templates

Creating Media Stream for Controller Templates (802.11)

Creating Load Balancing Templates

To configure load balancing templates, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Load Balancing.

Step 2: Enter a value between 1 and 20 for the client window size.

The window size becomes part of the following algorithm that determines whether an access point is too heavily loaded to accept more client associations:

load-balancing window + client associations on AP with lightest load = load-balancing threshold

In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold.

Step 3: Enter a value between 0 and 10 for the max denial count. The denial count sets the maximum number of association denials during load balancing.

Step 4: Click Save as New Template.

Related Topics

Creating 802.11 Templates

Creating Band Selection Templates

Creating Media Stream for Controller Templates (802.11)

Creating Band Selection Templates

To configure band selection templates, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Band Select.

Step 2: Enter a value between 1 and 10 for the probe cycle count.

The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.

Step 3: Enter a value between 1 and 1000 milliseconds for the scan cycle period threshold.

This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.

Step 4: Enter a value between 10 and 200 seconds for the age out suppression field.

Age-out suppression sets the expiration time for pruning previously known 802.11b/g clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Step 5: Enter a value between 10 and 300 seconds for the age out dual band field.

The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Step 6: Enter a value between –20 and –90 dBm for the acceptable client RSSI field.

This field sets the minimum RSSI for a client to respond to a probe. The default value is –80 dBm.

Step 7: Click Save.

Related Topics

Creating 802.11 Templates

Creating Load Balancing Templates

Creating Preferred Call Templates

Creating Media Stream for Controller Templates (802.11)

Creating Preferred Call Templates

To add or modify preferred call templates, follow these steps:

Step 1: Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Preferred Call.

Step 2: Configure the following Preferred Call parameters:

Template Name—Enter a template name which is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.

Number Id—Enter a value to identify the preferred number. You can have a maximum of six preferred call numbers. The valid range is from 1 to 6. The default value is 1.

Preferred Number—Enter the preferred call number.

Step 3: Click Save as New Template.

Related Topics

Creating 802.11 Templates

Creating Load Balancing Templates

Creating Band Selection Templates

Creating Media Stream for Controller Templates (802.11)

Creating Media Stream for Controller Templates (802.11)

To configure the media stream for a controller template for an 802.11 Radio, follow these steps:

Step 1

Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Media Stream.

Step 2

Enter a name for the template.

Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.

Step 3

In the Media Stream Configuration group box, specify the following fields:

Media Stream Name

Multicast Destination Start IP—Start IP address of the media stream to be multicast.

Multicast Destination End IP—End IP address of the media stream to be multicast.

IPv4 or IPv6 multicast addresses are supported from controller Release 7.2.x.

Maximum Expected Bandwidth—Maximum bandwidth that a media stream can use.

Step 4

In the Resource Reservation Control (RRC) Parameters group box, specify the following fields:

Average Packet Size—Average packet size that a media stream can use.

RRC Periodical Update—Resource Reservation Control calculations that are updated periodically; if disabled, RRC calculations are done only once when a client joins a media stream.

RRC Priority—Priority of RRC with the highest at 1 and the lowest at 8.

Traffic Profile Violation—Appears if the stream is dropped or put in the best effort queue if the stream violates the QoS video profile.

Policy—Appears if the media stream is admitted or denied.

Step 5

Click Save.

Once saved, the template is displayed in the Template List page. In the Template List page, you can apply this template to controllers.
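Because one saved template can be applied to many controllers, it helps to check the media stream values before saving. The following is an added example, not part of Cisco's guide or of Prime Infrastructure: it validates the Multicast Destination Start/End pair and the RRC Priority described above. The dictionary keys, the sample streams and the overlap check between streams are assumptions of this example.

```python
import ipaddress

RRC_PRIORITIES = range(1, 9)  # the page gives 1 as the highest priority, 8 as the lowest

# Constructed sample entries (assumed field names, not a Prime Infrastructure export format).
SAMPLE_STREAMS = [
    {"name": "lobby-video", "start": "239.1.1.1", "end": "239.1.1.10", "rrc_priority": 4},
    {"name": "training", "start": "239.1.1.8", "end": "239.1.1.20", "rrc_priority": 1},
    {"name": "typo-unicast", "start": "10.1.1.1", "end": "239.1.1.30", "rrc_priority": 9},
    {"name": "v6-stream", "start": "ff05::10", "end": "ff05::1f", "rrc_priority": 8},
    {"name": "mixed", "start": "239.2.0.1", "end": "ff05::20", "rrc_priority": 2},
]


def parse_range(start_ip, end_ip):
    """Validate a Multicast Destination Start/End pair; raise ValueError on a defect."""
    start = ipaddress.ip_address(start_ip)  # ValueError if not an IP literal
    end = ipaddress.ip_address(end_ip)
    # Check the family first: ordering an IPv4 against an IPv6 address raises TypeError.
    if start.version != end.version:
        raise ValueError("start and end mix IPv4 and IPv6")
    for label, addr in (("start", start), ("end", end)):
        if not addr.is_multicast:
            raise ValueError(f"{label} address {addr} is not multicast")
    if start > end:
        raise ValueError(f"start {start} is above end {end}")
    return start, end


def check_media_stream(stream):
    """Return the list of problems in one media stream entry (empty list means clean)."""
    problems = []
    if not stream.get("name", "").strip():
        problems.append("Media Stream Name is empty")
    try:
        parse_range(stream["start"], stream["end"])
    except ValueError as exc:
        problems.append(str(exc))
    if stream.get("rrc_priority") not in RRC_PRIORITIES:
        problems.append("RRC Priority must be between 1 and 8")
    return problems


def find_overlaps(streams):
    """Return name pairs whose valid multicast ranges overlap (assumed worth a review)."""
    valid = []
    for stream in streams:
        try:
            valid.append((stream["name"], *parse_range(stream["start"], stream["end"])))
        except ValueError:
            continue  # malformed ranges are reported by check_media_stream instead
    overlaps = []
    for i, (name_a, start_a, end_a) in enumerate(valid):
        for name_b, start_b, end_b in valid[i + 1:]:
            same_family = start_a.version == start_b.version
            if same_family and start_a <= end_b and start_b <= end_a:
                overlaps.append((name_a, name_b))
    return overlaps


def lint_template(streams):
    """Collect per-stream problems and cross-stream overlaps for a whole template."""
    problems = {}
    for stream in streams:
        found = check_media_stream(stream)
        if found:
            problems[stream["name"]] = found
    return {"problems": problems, "overlaps": find_overlaps(streams)}


if __name__ == "__main__":
    report = lint_template(SAMPLE_STREAMS)
    for name, found in report["problems"].items():
        print(f"{name}: {'; '.join(found)}")
    for pair in report["overlaps"]:
        print(f"overlapping ranges: {pair[0]} and {pair[1]}")
```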

Related Topics

Creating 802.11 Templates

Creating Load Balancing Templates

Creating Band Selection Templates

Creating Preferred Call Templates

Creating RF Profiles Templates (802.11)

Creating RF Profiles Templates (802.11)

To configure an RF Profile for a controller template for an 802.11 Radio, follow these steps:

Step 1

Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > RF Profiles.

Step 2

Configure the following information:

• General

Template Name—User-defined name for the template.

Radio Type—The radio type of the access point. This is a drop-down list from which you can choose an RF profile for APs with 802.11a or 802.11b radios.

• TPC (Transmit Power Control)

Profile Name—User-defined name for the current profile.

Description—Description of the template.

Minimum Power Level Assignment (-10 to 30 dBm)—Indicates the minimum power assigned. Range: -10 to 30 dBm. Default: -10 dBm.

Maximum Power Level Assignment (-10 to 30 dBm)—Indicates the maximum power assigned. Range: -10 to 30 dBm. Default: 30 dBm.

Power Threshold v1 (-80 to -50 dBm)—Indicates the transmitted power threshold.

Power Threshold v2 (-80 to -50 dBm)—Indicates the transmitted power threshold.

• Data Rates—Use the Data Rates drop-down lists to specify the rates at which data can be transmitted between the access point and the client. The following data rates are available:

802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps.

802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps.

For each data rate, choose one of these options:

Mandatory—Clients must support this data rate to associate to an access point on the controller.

Supported—Any associated clients that support this data rate might communicate with the access point using that rate. However, the clients are not required to be able to use this rate to associate.

Disabled—The clients specify the data rates used for communication.

• Band Select—The Band Select feature enables you to balance client distribution among both serving radios when APs are serving hundreds of clients in dense auditorium or stadium sites.

Band Select discovers the client capabilities to verify whether the client can associate on both the 2.4 GHz and 5 GHz spectrum. Enabling band select on a WLAN forces the AP to do probe suppression on 2.4 GHz, which ultimately moves dual-band clients to the 5 GHz spectrum. In the Band Select group box, specify the following:

Probe Response

Cycle Count (1 to 10 Cycles)

Cycle Threshold (1 to 1000 msecs)

Suppression Expire (10 to 200 secs)

Dual Band Expire (10 to 300 secs)

Client RSSI (-90 to -20 dBm)

• High Density Configurations

Maximum Clients—Specify the maximum number of clients.

• Multicast Configurations

Multicast Data Rate—From the Multicast Data Rate drop-down list, choose the data rate. The value “auto” indicates that the AP automatically adjusts the data rate with the client.

• Coverage Hole Detection

Data RSSI (-90 to -60 dBm)—Enter the minimum receive signal strength indication (RSSI) value for data packets received by the access point. The value that you enter is used to identify coverage holes (or areas of poor coverage) within your network. If the access point receives a packet in the data queue with an RSSI value below the value that you enter here, a potential coverage hole has been detected. The valid range is –90 to –60 dBm, and the default value is –80 dBm. The access point takes data RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

Voice RSSI (-90 to -60 dBm)—Enter the minimum receive signal strength indication (RSSI) value for voice packets received by the access point. The value that you enter is used to identify coverage holes within your network. If the access point receives a packet in the voice queue with an RSSI value below the value that you enter here, a potential coverage hole has been detected. The valid range is –90 to –60 dBm, and the default value is –75 dBm. The access point takes voice RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.

Coverage Exception (1 to 75 Clients)—Enter the minimum number of clients on an access point with an RSSI value at or below the data or voice RSSI threshold. The valid range is 1 to 75, and the default value is 3.

Coverage Level (0 to 100%)—In the Coverage Exception Level per AP text box, enter the percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point. The valid range is 0 to 100%, and the default value is 25%.

• Load Balancing

Window (0 to 20 Clients)—Enter a value between 1 and 20. The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations.

Denial (1 to 10)—Enter a value between 0 and 10. The denial count sets the maximum number of association denials during load balancing.

Step 3

Click Save.

Related Topics

Creating 802.11 Templates

Creating Load Balancing Templates

Creating Band Selection Templates

Creating Preferred Call Templates

SIP Snooping

Keep the following guidelines in mind when using SIP Snooping:

SIPs are available only on the Cisco 5500 Series Controllers and on the 1240, 1130, and 11n access points.

SIP CAC should only be used for phones that support status code 17 and do not support TSPEC-based admission control.

SIP CAC will be supported only if SIP snooping is enabled.

Creating SIP Snooping

To configure SIP Snooping for a controller, follow these steps:

Step 1

Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > SIP Snooping.

Step 2

Configure the following fields:

Port Start

Port End

If a single port is to be used, configure both the start and end port fields with the same number.

Step 3

Click Save as New Template.

Related Topics

Creating 802.11 Templates

Creating Load Balancing Templates

Creating Band Selection Templates

Creating Preferred Call Templates

Creating RF Profiles Templates (802.11)

Creating 802.11a/n Radio Templates

You can create or modify an 802.11a/n radio template for a wireless controller and/or apply specific settings to controller(s).

Related Topics

Creating 802.11a/n Parameters Templates

Creating 802.11a/n Media Parameters Controller Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Creating 802.11a/n Roaming Parameters Template

Creating an 802.11h Template

Creating 802.11a/n High Throughput Template

Creating 802.11a/n CleanAir Controller Templates

Creating 802.11a/n RRM Templates

Creating 802.11a/n Parameters Templates

To add or modify radio templates, follow these steps:

Step 1

Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Parameters.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2

Select the check box if you want to enable 802.11a/n network status.

Step 3

In the Beacon Period field, enter the amount of time between beacons in kilo-microseconds. The valid range is from 20 to 1000 milliseconds.

Step 4

In the DTIM Period field, enter the number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count text box is 0. This value is transmitted in the DTIM period field of beacon frames. Shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.

Step 5

In the Fragmentation Threshold field, determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

Step 6

Enter the percentage for 802.11e Maximum Bandwidth.

Step 7

The client and controller negotiate data rates between them. It can range from 6 Mbps to 54 Mbps.

If the data rate is set to Mandatory, the client must support it to use the network.

If a data rate is set as Supported by the controller, any associated client that also supports that same rate might communicate with the access point using that rate.

Each data rate can also be set to Disabled to match client settings.

Step 8

From the Channel List drop-down list in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels, country channels, or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.

Step 9

Configure the CCX Location Measurement parameters:

Select the Mode check box to enable the broadcast radio measurement request. When enabled, this enhances the location accuracy of clients.

When the Mode check box is enabled, you can enter the time in seconds between requests in the Interval field.

Step 10

Click Save as New Template.

Related Topics

Creating 802.11a/n Media Parameters Controller Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Creating 802.11a/n Roaming Parameters Template

Creating an 802.11h Template

Creating 802.11a/n High Throughput Template

Creating 802.11a/n CleanAir Controller Templates

Creating 802.11a/n RRM Templates

Creating 802.11a/n Media Parameters Controller Templates

This page enables you to create or modify a template for configuring 802.11a/n voice fields such as call admission control and traffic stream metrics.

To add a new template with 802.11a/n voice fields information (such as Call Admission Control and traffic stream metrics) for a controller, follow these steps:

Step 1

Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Media Parameters.

Step 2

Specify an appropriate name for the template.

Step 3

On the Voice tab, configure the following fields:

Select the Admission Control (ACM) check box to enable admission control.

For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.

If Admission Control (ACM) is enabled, choose either load-based or static from the CAC method drop-down list.

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. For controller versions 6.0.188.0 and earlier, the valid range is 40 to 85. For controller versions 6.0.188.1 and later, the valid range is 5 to 85, and the default is 75.

In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25, and the default is 6.

Select the Expedited Bandwidth check box to enable expedited bandwidth as an extension of CAC for emergency calls.

You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.

Select the SIP CAC check box to enable SIP CAC.

Choose the appropriate option from the SIP Codec drop-down list. The available options are G.711, G.729, and User Defined.

In the SIP Call Bandwidth field, specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.

In the SIP Sample Interval field, specify the sample interval in milliseconds that the Codec must operate in.

Select the Metric Collection check box to enable metric collection.

Step 4

On the Video tab, configure the following fields:

Select the Admission Control (ACM) check box to enable admission control.

Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11a/n interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.

In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25.

From the SIP Codec drop-down list, choose one of the following options to set the CAC method.

Select the SIP CAC check box to enable Static CAC support. SIP CAC will be supported only if SIP snooping is enabled.

Select the Unicast Video Redirect check box to redirect all non-media stream packets in the video queue to the best effort queue. If disabled, all packets with video marking are kept in the video queue.

Specify the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.

Select the Multicast Direct Enable check box to set the Media Direct for any WLAN with Media Direct enabled on a WLAN on this radio.

In the Maximum Number of Streams per Radio field, specify the maximum number of streams per radio to be allowed.

In the Maximum Number of Streams per Client field, specify the maximum number of streams per client to be allowed.

Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If disabled and maximum video bandwidth has been used, then any new client request is rejected.

In the Maximum Retry Percentage field, specify the maximum retry percentage value.

Step 5

On the General tab, specify the following field:

In the Maximum Media Bandwidth field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Step 6

Click Save as New Template.
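The Voice tab rules above depend on each other and on the controller version, which is easy to get wrong when one template is applied to controllers running different releases. The following pre-apply check is an added example, not part of Cisco's guide or of Prime Infrastructure; the dictionary keys (including `sip_snooping_enabled`) and the sample settings are assumed names and constructed values.

```python
SIP_CODECS = ("G.711", "G.729", "User Defined")  # options listed on the page


def parse_version(text):
    """Turn '6.0.188.1' into (6, 0, 188, 1) so releases compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def max_bandwidth_range(controller_version):
    """Valid Maximum Bandwidth Allowed range for the Voice tab, per the page.

    6.0.188.0 and earlier: 40 to 85. 6.0.188.1 and later: 5 to 85.
    Plain string comparison would misorder releases such as '6.0.99.4'.
    """
    if parse_version(controller_version) <= (6, 0, 188, 0):
        return (40, 85)
    return (5, 85)


def lint_voice_tab(cfg, controller_version):
    """Return findings for one Voice tab configuration (empty list means clean)."""
    findings = []
    if not cfg.get("acm"):
        # Both bandwidth options are only available when CAC is enabled.
        for field in ("max_bandwidth", "reserved_roaming"):
            if field in cfg:
                findings.append(f"{field} is set but Admission Control (ACM) is off")
    else:
        if cfg.get("cac_method") not in ("load-based", "static"):
            findings.append("CAC method must be load-based or static")
        low, high = max_bandwidth_range(controller_version)
        bandwidth = cfg.get("max_bandwidth", 75)  # page default is 75
        if not low <= bandwidth <= high:
            findings.append(
                f"max_bandwidth {bandwidth} outside {low} to {high} "
                f"for controller {controller_version}"
            )
        roaming = cfg.get("reserved_roaming", 6)  # page default is 6
        if not 0 <= roaming <= 25:
            findings.append(f"reserved_roaming {roaming} outside 0 to 25")
    if cfg.get("sip_cac"):
        if not cfg.get("sip_snooping_enabled"):
            findings.append("SIP CAC is on but SIP snooping is not enabled")
        if cfg.get("sip_codec") not in SIP_CODECS:
            findings.append("SIP Codec must be G.711, G.729, or User Defined")
    if "sip_call_bandwidth" in cfg and cfg.get("sip_codec") != "User Defined":
        findings.append("sip_call_bandwidth requires the User Defined codec")
    return findings


# Constructed sample settings for two controllers receiving the same template.
SAMPLE_VOICE = {
    "acm": True, "cac_method": "load-based", "max_bandwidth": 30,
    "reserved_roaming": 6, "sip_cac": True, "sip_codec": "G.711",
    "sip_snooping_enabled": True,
}

if __name__ == "__main__":
    for version in ("6.0.99.4", "7.6.130.0"):
        print(version, lint_voice_tab(SAMPLE_VOICE, version) or "OK")
```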

Related Topics

Creating 802.11a/n EDCA Parameters Through a Controller Template

Creating 802.11a/n Parameters Templates

Creating 802.11a/n Roaming Parameters Template

Creating an 802.11h Template

Creating 802.11a/n High Throughput Template

Creating 802.11a/n CleanAir Controller Templates

Creating 802.11a/n RRM Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality of service (QoS) traffic.

You must shut down the radio interface before configuring EDCA parameters.

To add or configure 802.11a/n EDCA parameters through a controller template, follow these steps:

Step 1

Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > EDCA Parameters.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2

Choose one of the following options from the EDCA Profile drop-down list:

WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.

Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.

Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.

Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network. Video services must be deployed with admission control (ACM). Video services without ACM are not supported.

Step 3

Select the Low Latency MAC check box to enable this feature. Enable low latency MAC only if all clients on the network are WMM compliant.

Related Topics

Creating 802.11a/n Roaming Parameters Template

Creating 802.11a/n Parameters Templates

Creating 802.11a/n Media Parameters Controller Templates

Creating an 802.11h Template

Creating 802.11a/n High Throughput Template

Creating 802.11a/n CleanAir Controller Templates

Creating 802.11a/n RRM Templates

Creating 802.11a/n Roaming Parameters Template

To add or modify an existing roaming parameter template, follow these steps:

Step 1

Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Roaming Parameters.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2

Use the Mode drop-down list to choose one of the configurable modes.

Default values—When this option is chosen, the roaming parameters are unavailable with the default values displayed in the text boxes.

Custom values—When this option is chosen, the roaming parameters can be edited in the text boxes. To edit the parameters, continue to Step 6.

Step 3

In the Minimum RSSI field, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point. If the average received signal power of the client dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.

Step 4

In the Roaming Hysteresis field, enter a value to indicate how strong the signal strength of a neighboring access point must be for the client to roam to it. This field is intended to reduce the amount of ping between access points if the client is physically located on or near the border between two access points.

Step 5

In the Adaptive Scan Threshold field, enter the RSSI value from the associated access point of the client, below which the client must be able to roam to a neighboring access point within the specified transition time. This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.

Step 6

In the Transition Time field, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the associated access point of the client is below the scan threshold.

The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.

Step 7

Click Save as New Template.

Related Topics

Creating an 802.11h Template

Creating 802.11a/n Parameters Templates

Creating 802.11a/n Media Parameters Controller Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Creating 802.11a/n High Throughput Template

Creating 802.11a/n CleanAir Controller Templates

Creating 802.11a/n RRM Templates

Creating an 802.11h Template

802.11h informs client devices about channel changes and can limit the transmit power of the client device. You can create or modify a template for configuring 802.11h parameters (such as power constraint and channel controller announcement) and apply these settings to multiple controllers.

To add or modify an 802.11h template, follow these steps:

Step 1

Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > 802.11h.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2

Select the Power Constraint check box if you want the access point to stop transmission on the current channel.

Step 3

Select the Channel Announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.

Step 4

Click Save as New Template.

Related Topics

Creating 802.11a/n High Throughput Template

Creating 802.11a/n Parameters Templates

Creating 802.11a/n Media Parameters Controller Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Creating 802.11a/n Roaming Parameters Template

Creating 802.11a/n CleanAir Controller Templates

Creating 802.11a/n RRM Templates

Creating 802.11a/n High Throughput Template

To add or modify an 802.11a/n high throughput template, follow these steps:

Step 1

Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > High Throughput (802.11n or ac).

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 2

Select the 802.11n Network Status check box to enable high throughput.

Step 3

The 802.11ac Network Status check box can be enabled and is supported from WLC version 7.5 onwards.

Step 4

In the MCS (Data Rate) Settings column, choose which level of data rate you want supported.

Modulation coding schemes (MCS) are similar to 802.11a data rates. By default, 20 MHz and a short guard interval are used. When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.

Step 5

Click Save as New Template.

Related Topics

Creating 802.11a/n CleanAir Controller Templates

Creating 802.11a/n Parameters Templates

Creating 802.11a/n Media Parameters Controller Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Creating 802.11a/n Roaming Parameters Template

Creating an 802.11h Template

Creating 802.11a/n RRM Templates

Creating 802.11a/n CleanAir Controller Templates

You can configure the template to enable or disable CleanAir, reporting and alarms in 802.11a/n radio for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.

To add a new template with 802.11a/n CleanAir information for a controller, follow these steps:

Step 1

Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > CleanAir.

Step 2

Configure the following fields:

Select the CleanAir check box to enable CleanAir functionality on the 802.11 b/g/n network, or unselect to prevent the controller from detecting spectrum interference. If CleanAir is enabled, the Reporting Configuration and Alarm Configuration group boxes appear.

Reporting Configuration—Use the fields in this group box to configure the interferer devices you want to include for your reports.

Select the Report Interferers check box to enable the CleanAir system to report and detect sources of interference.

Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences Selected for Reporting box and any that do not need to be detected appear in the Interferences Ignored for Reporting box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are ignored.

Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points. Persistent interferers are present at a location and interfere with the WLAN operations even if they are not detectable at all times.

Alarm Configuration—This group box enables you to configure triggering of air quality alarms.

Select the Air Quality Alarm check box to enable the triggering of air quality alarms.

If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold field to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered.

Select the Air Quality Unclassified category Alarm check box to enable the alarms to be generated for the unclassified interference category. CleanAir can detect and monitor unclassified interferences. Unclassified interferences are interferences that are detected but do not correspond to any of the known interference types.

The Unclassified category alarm is generated when the unclassified severity goes above the configured threshold value for unclassified severity or when the air quality index goes below the configured threshold value for Air Quality Index.

If you selected the Air Quality Unclassified category Alarm check box, enter a value between 1 and 99 (inclusive) in the Air Quality Unclassified Severity Threshold text box to specify the threshold at which you want the unclassified category alarm to be triggered. The default is 20.

Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types.

Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms box. Use the > and < buttons to move interference sources between these two boxes. By default, all interferer sources for security alarms are ignored.

Step 3

Click Save as New Template.

Related Topics

Creating 802.11a/n RRM Templates

Creating 802.11a/n Parameters Templates

Creating 802.11a/n Media Parameters Controller Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Creating 802.11a/n Roaming Parameters Template

Creating an 802.11h Template

Creating 802.11a/n High Throughput Template

Creating 802.11a/n RRM Templates

You can create or modify the parameters such as threshold, interval, DCA, TPC for 802.11a/n Radio Resource Management (RRM) templates.

Related Topics

Creating 802.11a/n RRM Threshold Template

Creating 802.11a/n RRM Interval Template

Creating 802.11a/n RRM Dynamic Channel Allocation Template

Creating 802.11a/n RRM Transmit Power Control Template

Creating 802.11a/n RRM Threshold Template

You must disable the 802.11a/n network before applying the RRM threshold fields.

To add or make modifications to an 802.11a/n RRM threshold template, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > dot11a-RRM > Thresholds.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Coverage Hole Algorithm—Enter the values for the following parameters.

In the Min Failed Clients field, enter the minimum number of failed clients currently associated with the controller.

In the Coverage Level field, enter the target range of coverage threshold.

In the Data RSSI field, enter the value in the specified range. This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) for data required for the client to associate to an access point.

In the Voice RSSI field, enter the value in the specified range. This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) required for voice for the client to associate to an access point.

Local Thresholds—Enter the values for the following parameters.

In the Max Clients field, enter the maximum number of failed clients that are currently associated with the controller.

In the RF Utilization field, enter the percentage of threshold for 802.11a/n.

Threshold for Traps—Enter the values for the following parameters.

In the Interference Threshold Percentage field, enter the percentage of interference threshold.

In the Noise Threshold field, enter a noise threshold between -127 and 0 dBm. When the controller is outside of this threshold, it sends an alarm to Prime Infrastructure.

In the Coverage Exception Level per AP field, enter the percentage value of coverage exception level. When the coverage drops by this percentage from the configured coverage for the minimum number of clients, a coverage hole is generated.

Click Save as New Template.

Related Topics

Creating 802.11a/n RRM Interval Template

Creating 802.11a/n RRM Dynamic Channel Allocation Template

Creating 802.11a/n RRM Transmit Power Control Template

Creating 802.11a/n RRM Interval Template

To add or make modifications to an 802.11a/n RRM interval template, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > dot11a-RRM > Intervals.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

In the Neighbor Packet Frequency field, enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.

In the Channel Scan Duration field, enter the interval at which you want the channel scanned for each access point. The default is 300 seconds.

Click Save as New Template.

Related Topics

Creating 802.11a/n RRM Dynamic Channel Allocation Template

Creating 802.11a/n RRM Threshold Template

Creating 802.11a/n RRM Transmit Power Control Template

Creating 802.11a/n RRM Dynamic Channel Allocation Template

The RRM Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.

RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates.

Choosing a larger bandwidth reduces the number of non-overlapping channels, which could potentially reduce the overall network throughput for certain deployments.

To configure an 802.11a/n RRM DCA template, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > dot11a-RRM > DCA.

Hover the mouse on DCA and select Show All Templates. The 802.11a/n RRM DCA Template page appears. To modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

If you want to add a new template, hover the mouse on DCA and select New or click DCA. The 802.11a/n DCA template page appears.

Dynamic Channel Assignment Algorithm—Configure the following fields:

From the Assignment Mode drop-down list, choose one of three modes:

Automatic—The transmit power is periodically updated for all access points that permit this operation.

On Demand—Transmit power is updated when you click Assign Now.

Disabled—No dynamic transmit power assignments occur, and values are set to their global default.

Select the Avoid Foreign AP Interference check box to enable RRM to consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels. Unselect this check box to have RRM ignore this interference.

In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco WLAN Solution.

Select the Avoid Cisco AP Load check box to enable this bandwidth-sensing field to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Unselect this check box to have RRM ignore this value.

In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, RRM can assign better reuse patterns to those access points that carry more traffic load.

Select the Avoid non 802.11 Noise check box to enable this noise-monitoring field to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Unselect this check box to have RRM ignore this interference.

In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco WLAN Solution.

Select the Avoid Persistent Non-WiFi Interference check box to enable this field to have access points avoid persistent interference from non-WiFi sources.

The Signal Strength Contribution check box is always enabled (not configurable). This constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel reuse. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.

Event Driven RRM—Enable or disable event-driven RRM using the following fields. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.

Select the Event Driven RRM check box to enable it.

If Event Driven RRM is enabled, the Sensitivity Threshold field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance.

Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.

Select the Rogue Contribution check box to enable contribution from rogue access points.

If Rogue Contribution is enabled, the Rogue Duty-Cycle field displays the interval at which the rogue access points are interfered. The range is from 1 to 99.

Click Save as New Template.

Related Topics

Creating 802.11a/n RRM Transmit Power Control Template

Creating 802.11a/n RRM Threshold Template

Creating 802.11a/n RRM Interval Template

Creating 802.11a/n RRM Transmit Power Control Template

The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of the access points according to how the access points are seen by their third strongest neighbor.

The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points.

This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.

To configure an 802.11a/n RRM TPC template, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > dot11a-RRM > TPC.

Hover the mouse on TPC and select Show All Templates. The 802.11a/n RRM TPC Template page appears. To modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

If you want to add a new template, hover the mouse on TPC and select New or click TPC. The 802.11a/n TPC template page appears.

Configure the following fields:

Choose the TPCv1 or TPCv2 radio button in the TPC Version field. The TPCv2 option is applicable only for those controllers running on Release 7.2.x or later.

From the Dynamic Assignment drop-down list, choose one of three modes:

Automatic—The transmit power is periodically updated for all access points that permit this operation.

On Demand—Transmit power is updated when you click Assign Now.

Disabled—No dynamic transmit power assignments occur, and values are set to their global default.

In the Maximum Power Assignment field, enter the value that indicates the maximum power assigned.

Range: -10 to 30 dB

Default: 30 dB

In the Minimum Power Assignment field, enter the value that indicates the minimum power assigned.

Range: -10 to 30 dB

Default: 30 dB

Determine whether you want to select the Dynamic Tx Power Control check box.

In the Transmitted Power Threshold field, enter a value between -50 and -80.

Click Save as New Template.

Related Topics

Creating 802.11a/n RRM Templates

Creating 802.11a/n Parameters Templates

Creating 802.11a/n Media Parameters Controller Templates

Creating 802.11a/n EDCA Parameters Through a Controller Template

Creating 802.11a/n Roaming Parameters Template

Creating an 802.11h Template

Creating 802.11a/n High Throughput Template

Creating 802.11a/n CleanAir Controller Templates

Creating 802.11b/g/n Radio Templates

You can create or modify an 802.11b/g/n radio template for a wireless controller and/or apply specific settings to controller(s).

Related Topics

Creating 802.11b/g/n Parameters Templates

Creating 802.11b/g/n Media Parameters Controller Templates

Creating 802.11b/g/n EDCA Parameters Controller Templates

Creating 802.11b/g/n Roaming Parameters Controller Templates

Creating 802.11b/g/n High Throughput Controller Templates

Creating 802.11 b/g/n CleanAir Controller Templates

Creating 802.11b/g/n RRM Templates

Creating 802.11b/g/n Parameters Templates

You can create or modify a template for configuring 802.11b/g/n parameters (such as power and channel status, data rates, channel list, and CCX location measurement) and/or applying these settings to controller(s).

To add a new template with 802.11b/g/n parameters information for a controller, follow these steps:

Step 1

Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > Parameters.

Configure the following General parameters:

Select the 802.11b/g Network Status check box to enable 802.11b/g network status on the controller.

In the Beacon Period field, enter the rate at which the SSID is broadcast by the access point (the amount of time between beacons). The valid range is from 100 to 600 milliseconds.

In the DTIM Period field, enter the number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count field is 0. This value is transmitted in the DTIM period field of beacon frames.

DTIM period is not applicable in controller Release 5.0.0.0 and later.

When client devices receive a beacon that contains a DTIM, they normally “wake up” to check for pending packets. Longer intervals between DTIMs let clients sleep longer and preserve power.

Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.

In the Fragmentation Threshold field, enter the value that determines the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference. The default value is 2346.

Configure the Data Rate parameters that are negotiated between the client and the controller. For each rate, a drop-down list selection of Mandatory, Supported and Disabled is available.

If the data rate is set to Mandatory, the client must support it to use the network.

In the 802.11e Max Bandwidth field, enter the percentage value for 802.11e max bandwidth. The default value is 100.

Select the Short Preamble check box to enable short preamble.

If a data rate is set as Supported by the controller, any associated client that also supports that same rate might communicate with the access point using that rate. However, a client is not required to be able to use all the rates marked Supported (6, 9, 12, 18, 24, 36, 48, 54 Mbps) to associate.

Each data rate can also be set to Disabled to match Client settings.

Configure the Noise/Interference/Rogue Monitoring Channels parameters.

From the Channel List drop-down list, choose between All Channels, Country Channels, or DCA Channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation among a set of managed devices connected to the controller.

Configure the CCX Location Measurement parameters:

Select the Mode check box to enable the broadcast radio measurement request. When enabled, this enhances the location accuracy of clients.

When the Mode check box is enabled, you can enter the time in seconds between requests in the Interval field.

Click Save as New Template.

Related Topics

Creating 802.11b/g/n Media Parameters Controller Templates

Creating 802.11b/g/n EDCA Parameters Controller Templates

Creating 802.11b/g/n Roaming Parameters Controller Templates

Creating 802.11b/g/n High Throughput Controller Templates

Creating 802.11 b/g/n CleanAir Controller Templates

Creating 802.11b/g/n RRM Templates

Creating 802.11b/g/n Media Parameters Controller Templates

You can create or modify a template for configuring 802.11b/g/n voice parameters such as Call Admission Control and traffic stream metrics.

To add a new template with 802.11b/g/n voice parameters information (such as Call Admission Control and traffic stream metrics) for a controller, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > Media Parameters.

On the Voice tab, configure the following parameters:

Select the Admission Control (ACM) check box to enable admission control.

For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.

If Admission Control (ACM) is enabled, choose either load-based or static from the CAC method drop-down list.

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. For controller versions 6.0.188.0 and earlier, the valid range is 40 to 85. For controller versions 6.0.188.1 and later, the valid range is 5 to 85, and the default is 75.

In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25, and the default is 6.

Select the Expedited Bandwidth check box to enable expedited bandwidth as an extension of CAC for emergency calls.

You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.

Select the SIP CAC check box to enable SIP CAC. SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.

Choose the appropriate option from the SIP Codec drop-down list. The available options are G.711, G.729, and User Defined.

In the SIP Call Bandwidth field, specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.

In the SIP Sample Interval field, specify the sample interval in milliseconds that the Codec must operate in.

Select the Metric Collection check box to enable metric collection.

On the Video tab, configure the following parameters:

Select the Admission Control (ACM) check box to enable admission control.

Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.

In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25.

From the SIP Codec drop-down list, choose one of the following options to set the CAC method.

Select the SIP CAC check box to enable Static CAC support. SIP CAC will be supported only if SIP snooping is enabled.

Select the Unicast Video Redirect check box to redirect all non-media stream packets in the video queue to the best effort queue. If disabled, all packets with video marking are kept in the video queue.

Specify the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.

Select the Multicast Direct Enable check box to set the Media Direct for any WLAN with Media Direct enabled on a WLAN on this radio.

In the Maximum Number of Streams per Radio field, specify the maximum number of streams per radio to be allowed.

In the Maximum Number of Streams per Client field, specify the maximum number of streams per client to be allowed.

Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If disabled and maximum video bandwidth has been used, then any new client request is rejected.

In the Maximum Retry Percentage field, specify the maximum retry percentage value.

On the General tab, specify the following field:

In the Maximum Media Bandwidth field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Click Save as New Template.

Related Topics

Creating 802.11b/g/n EDCA Parameters Controller Templates

Creating 802.11b/g/n Parameters Templates

Creating 802.11b/g/n Roaming Parameters Controller Templates

Creating 802.11b/g/n High Throughput Controller Templates

Creating 802.11 b/g/n CleanAir Controller Templates

Creating 802.11b/g/n RRM Templates

Creating 802.11b/g/n EDCA Parameters Controller Templates

You can create or modify a template for configuring 802.11b/g/n EDCA parameters. EDCA parameters designate pre-configured profiles at the MAC layer for voice and video.

You must shut down the radio interface before configuring EDCA Parameters.

To add a new template with 802.11b/g/n EDCA parameters information for a controller, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > EDCA Parameters.

Choose one of the following options from the EDCA Profile drop-down list:

WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.

Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.

Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.

Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network. Video services must be deployed with admission control (ACM). Video services without ACM are not supported.

Select the Low Latency MAC check box to enable this feature. Enable low latency MAC only if all clients on the network are WMM compliant.

Click Save as New Template.

Related Topics

Creating 802.11b/g/n Roaming Parameters Controller Templates

Creating 802.11b/g/n Parameters Templates

Creating 802.11b/g/n Media Parameters Controller Templates

Creating 802.11b/g/n High Throughput Controller Templates

Creating 802.11 b/g/n CleanAir Controller Templates

Creating 802.11b/g/n RRM Templates

Creating 802.11b/g/n Roaming Parameters Controller Templates

You can create or modify a template for configuring roaming parameters for 802.11b/g/n radios.

To add a new template with 802.11b/g/n Roaming parameters information for a controller, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > Roaming Parameters.

Configure the following parameters:

From the Mode drop-down list, choose one of the configurable modes:

Default Values—The roaming parameters are unavailable and the default values are displayed.

Custom Values—The following roaming parameters can be edited.

In the Minimum RSSI field, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point.

If the client average received signal power dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.

Range: -80 to -90 dBm

Default: -85 dBm

In the Roaming Hysteresis field, enter a value to indicate how strong the signal strength of a neighboring access point must be in order for the client to roam to it. This field is intended to reduce the amount of “ping ponging” between access points if the client is physically located on or near the border between two access points.

Range: 2 to 4 dB

Default: 2 dB

In the Adaptive Scan Threshold field, enter the RSSI value, from a client associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time.

This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.

Range: -70 to -77 dB

Default: -72 dB

In the Transition Time field, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client associated access point is below the scan threshold.

Range: 1 to 10 seconds

Default: 5 seconds

The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.

Click Save as New Template.

Related Topics

Creating 802.11b/g/n High Throughput Controller Templates

Creating 802.11b/g/n Parameters Templates

Creating 802.11b/g/n Media Parameters Controller Templates

Creating 802.11b/g/n EDCA Parameters Controller Templates

Creating 802.11 b/g/n CleanAir Controller Templates

Creating 802.11b/g/n RRM Templates

Creating 802.11b/g/n High Throughput Controller Templates

You can create or modify a template for configuring high-throughput parameters such as MCS (data rate) settings and indexes and for applying these 802.11n settings to multiple controllers.

To add a new template with High Throughput (802.11n) information for a controller, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > High Throughput(802.11n) Parameters.

Configure the following fields:

Select the 802.11n Network Status check box to enable high throughput.

In the HT MCS (Data Rate) SS VHT MCS Index, choose which level of data rate you want supported. MCS settings are modulation coding schemes, which are similar to 802.11a data rates.

By default, 20 MHz and short guard interval are used.

When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.

Click Save as New Template.

Related Topics

Creating 802.11 b/g/n CleanAir Controller Templates

Creating 802.11b/g/n RRM Templates

Creating 802.11b/g/n Parameters Templates

Creating 802.11b/g/n Media Parameters Controller Templates

Creating 802.11b/g/n EDCA Parameters Controller Templates

Creating 802.11b/g/n Roaming Parameters Controller Templates

Creating 802.11 b/g/n CleanAir Controller Templates

You can create or modify a template for configuring CleanAir parameters for the 802.11 b/g/n radio to enable or disable CleanAir, reporting and alarms for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.

To add a new template with 802.11b/g/n CleanAir information for a controller, follow these steps:

Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > CleanAir Parameters.

Configure the following fields:

Select the CleanAir check box to enable CleanAir functionality on the 802.11 b/g/n network, or unselect to prevent the controller from detecting spectrum interference. The default value is selected.

If CleanAir is enabled, the Reporting Configuration and Alarm Configuration group boxes appear.

Reporting Configuration—Use the parameters in this group box to configure the interferer devices you want to include for your reports.

Select the Report Interferers check box to enable the CleanAir system to report and detect sources of interference, or unselect it to prevent the controller from reporting interferers.

Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferers Selected for Reporting box and any that do not need to be detected appear in the Interferers Ignored for Reporting box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are ignored.

Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points. Persistent interferers are present at a location and interfere with the WLAN operations even if they are not detectable at all times.

Alarm Configuration—This group box enables you to configure triggering of air quality alarms.

Select the Air Quality Alarm check box to enable the triggering of air quality alarms, or unselect the box to disable this feature.

If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 1.

Select the Air Quality Unclassified category Alarm check box to enable the alarms to be generated for unclassified interference category. CleanAir can detect and monitor unclassified interferences. Unclassified interference are interference that are detected but do not correspond to any of the known interference types.

The Unclassified category alarm is generated when the unclassified severity goes above the configured threshold value for unclassified severity or when the air quality index goes below the configured threshold value for Air Quality Index.

If you selected the Air Quality Unclassified category Alarm check box, enter a value between

1 and 99 (inclusive) in the Air Quality Unclassified Severity Threshold text box to specify the threshold at which you want the unclassified category alarm to be triggered. The default is 20.

Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselected it to disable this feature. The default value is unselected.

Make sure that any sources of interference that need to trigger interferer alarms appear in the

Interferers Selected for Security Alarms box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms box. Use the > and < buttons to move interference sources between these two boxes. By default, all interferer sources for security alarms are ignored.

Click Save as New Template.

Related Topics

Creating 802.11b/g/n RRM Templates

Creating 802.11b/g/n Parameters Templates

Creating 802.11b/g/n Media Parameters Controller Templates

Creating 802.11b/g/n EDCA Parameters Controller Templates

Creating 802.11b/g/n Roaming Parameters Controller Templates

Creating 802.11b/g/n High Throughput Controller Templates

Creating 802.11b/g/n RRM Templates

You can create or modify parameters such as threshold, interval, DCA, and TPC for 802.11b/g/n Radio Resource Management (RRM) templates.

Related Topics

Creating 802.11b/g/n RRM Thresholds Controller Templates

Creating 802.11b/g/n RRM Intervals Controller Templates

Creating 802.11b/g/n RRM Dynamic Channel Allocation Template

Creating 802.11b/g/n RRM Transmit Power Control Template

Creating 802.11b/g/n RRM Thresholds Controller Templates

You can create or modify a template for setting various RRM thresholds such as load, interference, noise, and coverage.

To add a new template with 802.11b/g/n RRM thresholds information for a controller, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > dot11b-RRM > Thresholds.

Step 2 Configure the following Coverage Hole Algorithm parameters:

In the Min. Failed Clients field, enter the minimum number of failed clients currently associated with the controller.

In the Coverage Level field, enter the target range of coverage threshold (dB).

When the Coverage Level field is adjusted, the value in the Signal Strength (dBm) field automatically reflects this change. The Signal Strength field provides information regarding what the signal strength is when adjusting the coverage level.

In the Data RSSI field, enter the Data RSSI value (-60 to -90 dBm). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) for data required for the client to associate to an access point.

In the Voice RSSI field, enter the Voice RSSI value (-60 to -90 dBm). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) required for voice for the client to associate to an access point.

Step 3 Configure the following Load Thresholds parameters:

In the Max Clients field, enter the maximum number of clients able to be associated with the controller.

In the RF Utilization field, enter the percentage of threshold for this radio type.

Step 4 Configure the following Threshold for Traps parameters:

In the Interference Threshold field, enter an interference threshold between 0 and 100 percent.

In the Noise Threshold field, enter a noise threshold between -127 and 0 dBm. When outside of this threshold, the controller sends an alarm to Prime Infrastructure.

In the Coverage Exception Level per AP field, enter the coverage exception level percentage.

When the coverage drops by this percentage from the configured coverage for the minimum number of clients, a coverage hole is generated.

Step 5 Click Save as New Template.

Related Topics

Creating 802.11b/g/n RRM Intervals Controller Templates

Creating 802.11b/g/n RRM Dynamic Channel Allocation Template

Creating 802.11b/g/n RRM Transmit Power Control Template

Creating 802.11b/g/n RRM Intervals Controller Templates

You can create or modify a template for configuring RRM intervals for 802.11b/g/n radios.

To add a new template with 802.11b/g/n RRM intervals information for a controller, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > dot11b-RRM > Intervals.

Step 2 Configure the following parameters:

In the Neighbor Packet Frequency field, enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.

In the Channel Scan Duration field, enter the interval at which you want coverage measurements taken for each access point. The default is 300 seconds.

Step 3 Click Save as New Template.

Related Topics

Creating 802.11b/g/n RRM Dynamic Channel Allocation Template

Creating 802.11b/g/n RRM Thresholds Controller Templates

Creating 802.11b/g/n RRM Transmit Power Control Template

Creating 802.11b/g/n RRM Dynamic Channel Allocation Template

The RRM Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.

RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates.

Choosing a larger bandwidth reduces the non-overlapping channels, which could potentially reduce the overall network throughput for certain deployments.

To configure an 802.11b/g/n RRM DCA template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > dot11b-RRM > DCA.

Step 2 Configure the following parameters in Dynamic Channel Assignment Algorithm:

From the Assignment Mode drop-down list, choose one of three modes:

Automatic—The transmit power is periodically updated for all access points that permit this operation.

On Demand—Transmit power is updated when you click Assign Now.

Disabled—No dynamic transmit power assignments occur, and values are set to their global default.

Select the Avoid Foreign AP Interference check box to enable this field to have RRM consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels. This foreign 802.11 interference. Unselect this check box to have RRM ignore this interference.

In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco WLAN Solution.

Select the Avoid Cisco AP Load check box to enable this bandwidth-sensing field to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Unselect this check box to have RRM ignore this value.

In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, RRM can assign better re-use patterns to those access points that carry more traffic load.

Select the Avoid non 802.11 Noise check box to enable this noise-monitoring field to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Unselect this check box to have RRM ignore this interference.

In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco WLAN Solution.

Select the Avoid Persistent Non-WiFi Interference check box to enable this field to have access points avoid persistent interferences from non-wifi sources.

The Signal Strength Contribution check box is always enabled (not configurable). constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel re-use. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.

Event-driven RRM—Enable or disable event-driven RRM using the following parameters. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.

Select the Event Driven RRM check box to enable it.

If Event Driven RRM is enabled, the Sensitivity Threshold field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance.

Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.

Select the Rogue Contribution check box to enable contribution from rogue access points.

If Rogue Contribution is enabled, the Rogue Duty-Cycle field displays the interval at which the rogue access points are interfered. The range is from 1 to 99.

Step 3 Click Save as New Template.

Related Topics

Creating 802.11b/g/n RRM Transmit Power Control Template

Creating 802.11b/g/n RRM Thresholds Controller Templates

Creating 802.11b/g/n RRM Intervals Controller Templates

Creating 802.11b/g/n RRM Transmit Power Control Template

The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of an access point according to how the access points are seen by their third strongest neighbor.

The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points.

This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.

To configure an 802.11b/g/n RRM TPC template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > dot11b-RRM > TPC.

Step 2 Configure the following parameters:

Choose the TPCv1 or TPCv2 radio button in the TPC Version field. The TPCv2 option is applicable only for those controllers running on Release 7.2.x or later.

From the Dynamic Assignment drop-down list, choose one of three modes:

Automatic—The transmit power is periodically updated for all access points that permit this operation.

On Demand—Transmit power is updated when you click Assign Now.

Disabled—No dynamic transmit power assignments occur, and values are set to their global default.

In the Maximum Power Assignment field, enter the value that indicates the maximum power assigned.

Range: -10 to 30 dB

Default: 30 dB

In the Minimum Power Assignment field, enter the value that indicates the minimum power assigned.

Range: -10 to 30 dB

Default: 30 dB

Determine if you want to enable the Dynamic Tx Power Control check box.

In the Transmitted Power Threshold field, enter a value between -50 and -80.

Step 3 Click Save as New Template.

Related Topics

Creating 802.11b/g/n RRM Templates

Creating 802.11b/g/n Parameters Templates

Creating 802.11b/g/n Media Parameters Controller Templates

Creating 802.11b/g/n EDCA Parameters Controller Templates

Creating 802.11b/g/n Roaming Parameters Controller Templates

Creating 802.11b/g/n High Throughput Controller Templates

Creating 802.11 b/g/n CleanAir Controller Templates

Creating Mesh Settings Templates

You can configure an access point to establish a connection with the controller.

To add or modify a mesh template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > Mesh > Mesh Settings.

Step 2 Hover the mouse on Mesh Settings and select Show All Templates. The Mesh Configuration Template page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the rootAP to MeshAP range, the client access on backhaul link, and security mode. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3 The Root AP to Mesh AP Range field has a default value of 12,000 feet. Enter the optimum distance (in feet) that should exist between the root access point and the mesh access point. This global field applies to all access points when they join the controller and all existing access points in the network.

Step 4 When the Client Access on Backhaul Link check box is enabled, mesh access points can associate with 802.11a/n wireless clients over the 802.11a/n backhaul. This client association is in addition to the existing communication on the 802.11a/n backhaul between the root and mesh access points.

This feature applies only to access points with two radios.

Step 5 Select the Mesh DCA Channels check box to enable backhaul channel deselection on the Controller using the DCA channel list configured in the Controller. Any change to the channels in the Controller DCA list is pushed to the associated access points. This feature applies only to the 1524SB mesh access points.

Step 6 Select the Background Scanning check box to enable Cisco Aironet 1510 Access Points to actively and continuously monitor neighboring channels for more optimal paths and parents.

Step 7 Enabling the Global Public Safety check box indicates that 4.9 GHz can be used on the backhaul link by selecting a channel on the 802.11a backhaul radio. 4.9 GHz is considered to be a public safety band and is limited to some service providers. This setting applies at the controller level.

Step 8 From the Security Mode drop-down list, choose EAP (Extensible Authentication Protocol) or PSK (Pre-Shared Key).

Step 9 Click Save as New Template.

Creating Management Templates

You can create or modify the templates for the following management parameters of the controllers.

Trap Receivers

Trap Control

Telnet and SSH

Multiple Syslog servers

Local Management Users

Authentication Priority

Related Topics

Creating Trap Receiver Templates

Creating Trap Control Templates

Creating Telnet SSH Templates

Creating Local Management User Templates

Creating User Authentication Priority Templates

Creating Trap Receiver Templates

If you have monitoring devices on your network that receive SNMP traps, you might want to add a trap receiver template.

To add or modify a trap receiver template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > Management > Trap Receiver.

Step 2 Hover the mouse on Trap Receiver and select Show All Templates. The Management > Trap Receiver page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the IP address and admin status. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

The Trap Receiver Template name should not contain any spaces.

Step 3 Enter the IP address of the server in the IP Address text box.

Step 4 Select the Admin Status check box to enable the administrator status if you want SNMP traps to be sent to the receiver.

Step 5 Click Save as New Template.

Related Topics

Creating Trap Control Templates

Creating Telnet SSH Templates

Creating Local Management User Templates

Creating User Authentication Priority Templates

Creating Trap Control Templates

To add or modify a trap control template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > Management > Trap Control.

Step 2 Hover the mouse on Trap Control and select Show All Templates. The Management > Trap Control page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the link port up or down and rogue AP. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3 If you want to add a new template, hover the mouse on Trap Control and select New or click Trap Control. The Trap Control template page appears.

Step 4 Select the appropriate check box to enable any of the following Miscellaneous Traps:

SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated. When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.

Link (Port) Up/Down—Link changes states from up or down.

Multiple Users—Two users log in with the same login ID.

Spanning Tree—Spanning Tree traps. See the STP specification for descriptions of individual parameters.

Rogue AP—Whenever a rogue access point is detected or when a rogue access point was detected earlier and no longer exists, this trap is sent with its MAC address.

Controller Config Save as New Template—Notification sent when the configuration is modified.

RFID Limit Reached Threshold—The maximum permissible value for RFID limit.

Step 5 Select the appropriate check box to enable any of the following Client-related Traps:

802.11 Association—A trap is sent when a client is associated to a WLAN. This trap does not guarantee that the client is authenticated.

802.11 Disassociation—The disassociate notification is sent when the client sends a disassociation frame.

802.11 Deauthentication—The deauthenticate notification is sent when the client sends a deauthentication frame.

802.11 Failed Authentication—The authenticate failure notification is sent when the client sends an authentication frame with a status code other than successful.

802.11 Failed Association—The associate failure notification is sent when the client sends an association frame with a status code other than successful.

Excluded—The associate failure notification is sent when a client is excluded.

802.11 Authenticated—The authenticate notification is sent when the client sends an authentication frame with a status code 'successful'.

MaxClients Limit Reached Threshold—The maximum permissible number of clients allowed.

Step 6 Select the appropriate check box to enable any of the following Cisco AP Traps:

AP Register—Notification sent when an access point associates or disassociates with the controller.

AP Interface Up/Down—Notification sent when access point interface (802.11a/n or 802.11b/g/n) status goes up or down.

Step 7 Select the appropriate check box to enable any of the following Auto RF Profile Traps:

Load Profile—Notification sent when Load Profile state changes between PASS and FAIL.

Noise Profile—Notification sent when Noise Profile state changes between PASS and FAIL.

Interference Profile—Notification sent when Interference Profile state changes between PASS and FAIL.

Coverage Profile—Notification sent when Coverage Profile state changes between PASS and FAIL.

Step 8 Select the appropriate check box to enable any of the following Auto RF Update Traps:

Channel Update—Notification sent when the dynamic channel algorithm of an access point is updated.

Tx Power Update—Notification sent when the dynamic transmit power algorithm of an access point is updated.

Step 9 Select the appropriate check box to enable any of the following AAA Traps:

User Auth Failure—This trap is to inform you that a client RADIUS authentication failure has occurred.

RADIUS Server No Response—This trap is to indicate that no RADIUS server(s) are responding to authentication requests sent by the RADIUS client.

Step 10 Select the appropriate check box to enable the following 802.11 Security Traps:

WEP Decrypt Error—Notification sent when the controller detects a WEP decrypting error.

Signature Attack—Notification sent when a signature attack is detected in the wireless controller that uses RADIUS Authentication.

Step 11 Click Save as New Template.

Related Topics

Creating Telnet SSH Templates

Creating Trap Receiver Templates

Creating Local Management User Templates

Creating User Authentication Priority Templates

Creating Telnet SSH Templates

To add or modify a Telnet SSH configuration template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > Management > Telnet SSH.

Step 2 Hover the mouse on Telnet SSH and select Show All Templates. The Management > Telnet SSH page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the session timeout, maximum sessions, and whether Telnet or SSH sessions are allowed. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3 If you want to add a new template, hover the mouse on Telnet SSH and select New or click Telnet SSH. The Telnet SSH template page appears.

Step 4 In the Session Timeout field, enter the number of minutes a Telnet session is allowed to remain inactive before being logged off. A zero means there is no timeout. The valid range is 0 to 160, and the default is 5.

Step 5 In the Maximum Sessions field, enter the number of simultaneous Telnet sessions allowed. The valid range is 0 to 5, and the default is 5. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port.

Step 6 Use the Allow New Telnet Session drop-down list to determine if you want new Telnet sessions allowed on the DS port. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port. The default is no.

Step 7 Use the Allow New SSH Session drop-down list to determine if you want Secure Shell Telnet sessions allowed. The default is yes.

Step 8 Click Save as New Template.
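The values chosen in this procedure can be reviewed before the template is applied to controllers. The following is an added example, not Cisco code or a Prime Infrastructure API: it audits a template held as a Python dict against the ranges and defaults stated in the steps above and flags a disabled inactivity timeout and Telnet exposure. The dict layout, key names, and sample templates are assumptions made for illustration.

```python
# Added example: audit a Telnet SSH template before it is applied.
# The dict layout and key names are assumptions for illustration; Prime
# Infrastructure does not export templates in this form.

# Ranges and defaults as documented in the Telnet SSH template procedure.
FIELDS = {
    "session_timeout": {"range": (0, 160), "default": 5},   # minutes, 0 = no timeout
    "maximum_sessions": {"range": (0, 5), "default": 5},
    "allow_new_telnet": {"choices": ("yes", "no"), "default": "no"},
    "allow_new_ssh": {"choices": ("yes", "no"), "default": "yes"},
}


def normalize(template):
    """Validate raw values; return (clean_values, error_findings)."""
    clean, errors = {}, []
    for name in sorted(set(template) - set(FIELDS)):
        errors.append(("error", name, "unknown field"))
    for name, spec in FIELDS.items():
        value = template.get(name, spec["default"])  # unset fields keep the default
        if "range" in spec:
            low, high = spec["range"]
            # bool is a subclass of int in Python, so reject it explicitly.
            valid = (isinstance(value, int) and not isinstance(value, bool)
                     and low <= value <= high)
            if not valid:
                errors.append(("error", name,
                               f"{value!r} is not an integer in {low}..{high}"))
                continue
        else:
            value = str(value).strip().lower()
            if value not in spec["choices"]:
                errors.append(("error", name,
                               f"{value!r} is not one of {spec['choices']}"))
                continue
        clean[name] = value
    return clean, errors


def audit_telnet_ssh_template(template):
    """Return sorted (severity, field, message) findings; [] means none."""
    clean, findings = normalize(template)
    if clean.get("session_timeout") == 0:
        findings.append(("warn", "session_timeout",
                         "0 means idle sessions are never logged off"))
    # This setting covers the DS (network) port only; per the procedure, new
    # Telnet sessions are always allowed on the service port.
    if clean.get("allow_new_telnet") == "yes":
        findings.append(("warn", "allow_new_telnet",
                         "Telnet sends credentials and commands unencrypted "
                         "on the DS port"))
        if clean.get("allow_new_ssh") == "no":
            findings.append(("warn", "allow_new_ssh",
                             "SSH is disallowed, leaving Telnet as the only "
                             "remote CLI protocol"))
    return sorted(findings)


# Constructed sample templates (not taken from a real deployment).
SAMPLES = {
    "documented-defaults": {},
    "legacy-lab": {"session_timeout": 0, "allow_new_telnet": "Yes",
                   "allow_new_ssh": "no"},
    "typo": {"session_timeout": 600, "maximum_sessions": "5"},
}

if __name__ == "__main__":
    for name, template in SAMPLES.items():
        findings = audit_telnet_ssh_template(template)
        print(name, "->", "no findings" if not findings else "")
        for severity, field, message in findings:
            print(f"  [{severity}] {field}: {message}")
```
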

Related Topics

Creating Trap Receiver Templates

Creating Trap Control Templates

Creating Local Management User Templates

Creating User Authentication Priority Templates

Creating Multiple Syslog Templates

You can enter up to three syslog server templates. To add or modify a multiple syslog configuration template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > Management > Multiple Syslog.

Step 2 Hover the mouse on Multiple Syslog and select Show All Templates. The Management > Multiple Syslog page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the syslog server address. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3 If you want to add a new template, hover the mouse on Multiple Syslog and select New or click Multiple Syslog. The Multiple Syslog template page appears.

Step 4 In the Syslog Server IP Address field, enter the appropriate syslog server IP address.

Step 5 Click Save as New Template.

Related Topics

Creating Local Management User Templates

Creating Trap Receiver Templates

Creating Trap Control Templates

Creating Telnet SSH Templates

Creating User Authentication Priority Templates

Creating Local Management User Templates

To add or modify a local management user template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > Management > Local Management Users.

Step 2 Hover the mouse on Local Management Users and select Show All Templates. The Management > Local Management Users page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the username and access level. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3 If you want to add a new template, hover the mouse on Local Management Users and select New or click Local Management Users. The Local Management Users template page appears.

Step 4 In the User Name text box, enter the template username.

Step 5 In the Password text box, enter a password for this local management user template.

Step 6 In the Confirm Password text box, reenter the password.

Step 7 From the Access Level drop-down list, choose either Read Only or Read Write.

Step 8 Select the Update Telnet Credentials check box to update the user credentials in Prime Infrastructure for Telnet/SSH access.

If the template is applied successfully and the Update Telnet Credentials option is enabled, the applied management user credentials are used in Prime Infrastructure for Telnet/SSH credentials to that applied controller.

Step 9 Click Save as New Template.

Related Topics

Creating User Authentication Priority Templates

Creating Trap Receiver Templates

Creating Trap Control Templates

Creating Telnet SSH Templates

Creating User Authentication Priority Templates

Management user authentication priority templates control the order in which authentication servers are used to authenticate the management users of a controller.

To add a user authentication priority template or make modifications to an existing template, follow these steps:

Step 1 Choose Configuration > Features & Technologies > Controller > Management > Authentication Priority.

Step 2 Hover the mouse on Authentication Priority and select Show All Templates. The Management > Authentication Priority page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the authentication priority list. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3 If you want to add a new template, hover the mouse on Authentication Priority and select New or click Authentication Priority. The Local Management Users template page appears.

Step 4 Select either the First or Second radio button to prioritize the authentication of the local server.

Step 5 Select either the RADIUS or TACACS+ radio button to try if local authentication fails.

Step 6 Click Save as New Template.

Related Topics

Creating Trap Receiver Templates

Creating Trap Control Templates

Creating Telnet SSH Templates

Creating Local Management User Templates

Creating CLI Templates

You can create templates containing a set of CLI commands and apply them to one or more controllers from Prime Infrastructure. These templates are meant for provisioning features in multiple controllers for which there is no SNMP support or custom Prime Infrastructure user interface. The template contents are simply a command array of strings. There is no support for substitution variables, conditionals, and the like.

The CLI sessions to the device are established based on user preferences. The default protocol is SSH.

To add or modify a CLI template, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > CLI > General -CLI.

Step 2  Hover the mouse on General -CLI and select Show All Templates. The General-CLI page appears. To modify an existing template, click the template name. The number of controllers that the template is applied to populates automatically.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3  If you want to add a new template, hover the mouse on General -CLI and select New or click General -CLI. The Command-Line Interface General template page appears.

Step 4  In the Commands box, enter the series of CLI commands.

Step 5  Select the Refresh Config after Apply check box to perform a refresh config on the controller after the CLI template is applied successfully.

Step 6  Select the Save as New Template Config to Flash after apply check box to save the config to flash after the CLI template is applied successfully.

Step 7  When the Save as New Template Config to Flash after apply check box is enabled, the Reboot Controller after apply check box can be selected to perform a reboot on the controller after the CLI template is applied successfully.

Step 8  Select the Ignore errors on Apply Template to Controllers check box to ignore the errors when the template is applied to the controllers.

Step 9  Click Save as New Template.

When the template is applied to the selected controllers, a status screen appears. If an error occurred while you applied the template, an error message is displayed. You can click the icon in the Session Output column to get the entire session output.

If the Controller Telnet credentials check fails or the Controller CLI template fails with invalid username and password even though the correct username and password are configured on the controller, check whether the controller has exceeded the number of CLI connections it can accept. If the connections have exceeded the maximum limit, then either increase the maximum allowed CLI sessions or terminate any pre-existing CLI sessions on the controller, and then retry the operation.

Creating Location Configuration Templates

To add or modify a location setting template, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > Location > Location Configuration.

Step 2  Hover the mouse on Location Configuration and select Show All Templates. The Location Configuration page appears. To modify an existing template, click the template name. The number of controllers that the template is applied to populates automatically.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3  If you want to add a new template, hover the mouse on Location Configuration and select New or click Location Configuration. The General tab of the Location Configuration template page appears.

Step 4  Select the RFID Tag Data Collection check box to enable tag collection. Before the mobility services engine can collect asset tag data from controllers, you must enable the detection of active RFID tags using the CLI command config rfid status enable on the controllers.

Step 5  Configure the following Location Path Loss Configuration parameters:

Select the Calibrating Client check box to enable calibration for the client. Controllers send regular S36 or S60 requests (depending on the client capability) by way of the access point to calibrating clients. Packets are transmitted on all channels. All access points irrespective of channel (and without a channel change) gather RSSI data from the client at each location. These additional transmissions and channel changes might degrade contemporaneous voice or video traffic.

Select the Normal Client check box to have a non-calibrating client. No S36 requests are transmitted to the client.

Note  S36 and S60 are client drivers compatible with specific Cisco-compatible Extensions. S36 is compatible with CCXv2 or later. S60 is compatible with CCXv4 or later. For details, see the following URL: http://www.cisco.com/en/US/products/ps9806/products_qanda_item09186a0080af9513.shtml

Step 6  Measurement Notification Interval—In the Tags, Clients and Rogue APs/Clients field, specify how many seconds should elapse before notification of the found element (tags, clients, and rogue APs/clients).

Step 7  Configure the following RSSI Expiry Timeout parameters:

In the For Clients field, enter the number of seconds after which RSSI measurements for clients should be discarded.

In the For Calibrating Clients field, enter the number of seconds after which RSSI measurements for calibrating clients should be discarded.

In the For Tags field, enter the number of seconds after which RSSI measurements for tags should be discarded.

In the For Rogue APs field, enter the number of seconds after which RSSI measurements for rogue access points should be discarded.

Step 8  Click the Advanced tab.

Step 9  In the RFID Tag Data Timeout field, enter a value in seconds to set the RFID tag data timeout setting.

Step 10  Location Path Loss Configuration—Select the Calibrating Client Multiband check box to send S36 and S60 packets (where applicable) on all channels. Calibrating clients must be enabled in the General group box.

Step 11  Configure the Hyperlocation Config parameters:

Select the Hyperlocation check box to enable Hyperlocation on all APs associated to that controller that have the Hyperlocation module.

Adjust the value in the Packet Detection RSSI Minimum field to filter out weak RSSI readings from location calculation.

In the Scan Count Threshold for Idle Client Detection field, enter the maximum permissible count of the idle clients detected while scanning.

In the NTP Server IP Address field, enter the valid NTP server IP address. This IP address is used by all APs for time synchronization.

Step 12  Click Save as New Template.

Creating LyncSDN Templates

LyncSDN configuration is not supported on Cisco 2500 Series and Virtual Controllers.

You can create these LyncSDN templates:

LyncSDN Global Config feature templates

LyncSDN Policy feature templates

LyncSDN Profile feature templates

Related Topics

Creating LyncSDN Global Configuration Template

Creating LyncSDN Policy Template

Creating LyncSDN Profile Template

Creating LyncSDN Global Configuration Template

To create parameters to apply to devices using the LyncSDN Global Config feature, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > LyncSDN > LyncSDN Global Config.

Step 2  In the Template Basic area, enter a name, description, and tag for your template in the appropriate text boxes.

Step 3  In the Validation Criteria area, choose a Device Type from the drop-down list and enter the OS Version.

Step 4  In the Template Detail area, configure the following information:

Select the LyncServer check box to enable or disable the LYNC application on the PI.

Enter the port number.

You can configure support for HTTP/HTTPS communication on PI for the LYNC server. PI supports only HTTP. For HTTPS, you need to provide a certificate and have it approved at the Lync server, which takes place once the Lync service is ready from Prime Infrastructure.

Step 5  When you are finished, click Save as Template.

Related Topics

Creating LyncSDN Policy Template

Creating LyncSDN Profile Template

Creating LyncSDN Policy Template

To create parameters to apply to devices using the LyncSDN Policy feature, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > LyncSDN > LyncSDN Policy.

Step 2  In the Template Basic area, enter a name, description, and tag for your template in the appropriate text boxes.

Step 3  In the Validation Criteria area, choose a Device Type from the drop-down list and enter the OS Version.

Step 4  In the Template Detail area, configure the following information:

Choose the policy for audio Lync calls on the WLAN from the Audio drop-down list. The possible policy types are Silver, Gold, Platinum, or Bronze.

Choose the policy for video Lync calls on the WLAN from the Video drop-down list. The possible policy types are Silver, Gold, Platinum, or Bronze.

Choose the policy for desktop-share Lync calls on the WLAN from the Application-Sharing drop-down list. The possible policy types are Silver, Gold, Platinum, or Bronze.

Choose the policy for file transfer Lync calls on the WLAN from the File-Transfer drop-down list. The possible policy types are Silver, Gold, Platinum, or Bronze.

Step 5  When you are finished, click Save as Template.

Related Topics

Creating LyncSDN Global Configuration Template

Creating LyncSDN Profile Template

Creating LyncSDN Profile Template

To create parameters to apply to devices using the LyncSDN Profile feature, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > LyncSDN > LyncSDN Policy.

Step 2  In the Template Basic area, enter a name, description, and tag for your template in the appropriate text boxes.

Step 3  In the Validation Criteria area, choose a Device Type from the drop-down list and enter the OS Version.

Step 4  In the Template Detail area, click the Wlan Profile check box and select a policy from the LyncSDN Policy drop-down list.

Step 5  When you are finished, click Save as Template.

Related Topics

Creating LyncSDN Global Configuration Template

Creating LyncSDN Policy Template

Creating IPv6 Templates

You can create or modify IPv6 templates with parameters such as Neighbor Binding Timers and Router Advertisements (RA).

Related Topics

Creating Neighbor Binding Timers Templates

Creating RA Throttle Policy Templates

Creating RA Guard Templates

Creating Neighbor Binding Timers Templates

You can create or modify a template for configuring IPv6 Router Neighbor Binding Timers such as Down Lifetime, Reachable Lifetime, Stale Lifetime, and corresponding intervals.

To create a Neighbor Binding Timers template, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > IPv6 > Neighbor Binding Timers.

Step 2  Specify the value in the Down Lifetime Interval text box, which indicates the maximum time, in seconds, an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86,400 seconds, and the default value is 0.

Step 3  Specify the value in the Reachable Lifetime Interval text box, which indicates the maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery protocol [NDP] inspection). After that, the entry is moved to stale. The range is 0 to 86,400 seconds, and the default value is 0.

Step 4  Specify the value in the Stale Lifetime Interval text box, which indicates the maximum time, in seconds, a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86,400 seconds, and the default value is 0.

Step 5  Click Save as New Template.
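The entry lifecycle described above for the Down, Reachable, and Stale Lifetime Interval fields, modeled as an added example (it is not code from Cisco or Prime Infrastructure). The class, state, and method names are assumptions for illustration, and because the guide does not say how the default value of 0 is interpreted, the model accepts only explicit lifetimes of 1 to 86,400 seconds.

```python
"""Model of a neighbor binding table driven by the three lifetimes in the
Neighbor Binding Timers template. Added illustration: class, state and method
names are assumptions, not controller internals."""
from dataclasses import dataclass
from enum import Enum

MAX_LIFETIME = 86_400  # upper bound of each interval, per the guide


class State(Enum):
    REACHABLE = "reachable"
    STALE = "stale"
    DOWN = "down"


@dataclass
class Binding:
    interface: str
    state: State
    since: int  # second at which the entry entered its current state


class BindingTable:
    def __init__(self, down_lifetime, reachable_lifetime, stale_lifetime):
        self.lifetime = {State.DOWN: down_lifetime,
                         State.REACHABLE: reachable_lifetime,
                         State.STALE: stale_lifetime}
        for state, seconds in self.lifetime.items():
            # 0 is the documented default, but the guide does not define its
            # effect, so this model accepts explicit values of 1..86400 only.
            if not 1 <= seconds <= MAX_LIFETIME:
                raise ValueError(f"{state.value} lifetime must be 1..{MAX_LIFETIME}")
        self.entries = {}

    def learn(self, address, interface, now):
        """Proof of reachability: create the entry or reset it to REACHABLE."""
        self.entries[address] = Binding(interface, State.REACHABLE, now)

    def interface_down(self, interface, now):
        """Entries learned from an interface that went down start the down timer."""
        for binding in self.entries.values():
            if binding.interface == interface and binding.state is not State.DOWN:
                binding.state, binding.since = State.DOWN, now

    def age(self, now):
        """Apply all timers up to `now` and return the addresses deleted."""
        deleted = []
        for address, binding in list(self.entries.items()):
            if binding.state is State.REACHABLE:
                expiry = binding.since + self.lifetime[State.REACHABLE]
                if now >= expiry:
                    # No proof of reachability in time: move to STALE, dated
                    # from the expiry so a late call still ages correctly.
                    binding.state, binding.since = State.STALE, expiry
            if binding.state in (State.STALE, State.DOWN):
                if now >= binding.since + self.lifetime[binding.state]:
                    del self.entries[address]
                    deleted.append(address)
        return deleted

    def snapshot(self):
        """Return {address: state name} for the entries still in the table."""
        return {address: b.state.value for address, b in self.entries.items()}


if __name__ == "__main__":
    # Constructed timeline: down 120 s, reachable 300 s, stale 600 s.
    table = BindingTable(down_lifetime=120, reachable_lifetime=300, stale_lifetime=600)
    table.learn("2001:db8::10", "wlan-a", now=0)
    table.learn("2001:db8::20", "wlan-b", now=0)
    for now in (299, 300, 899, 900):
        print(now, "deleted:", table.age(now), "table:", table.snapshot())
```

With these constructed values, an entry that receives no further proof of reachability leaves the table 900 seconds after it was learned (300 reachable plus 600 stale), while an entry on an interface that goes down is removed 120 seconds after the interface event.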

Related Topics

Creating RA Throttle Policy Templates

Creating RA Guard Templates

Creating RA Throttle Policy Templates

The RA Throttle Policy allows you to limit the amount of multicast Router Advertisements (RA) circulating on the wireless network. You can create or modify a template for configuring IPv6 Router Advertisement parameters such as RA Throttle Policy, Throttle Period, and other options.

To create an RA Throttle Policy template, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > IPv6 > RA Throttle Policy.

Step 2  If you want to add a new template, hover the mouse on RA Throttle Policy and select New or click RA Throttle Policy. To modify an existing template, click the template name. The IPv6 > RA Throttle Policy page appears.

Step 3  If you want to enable the RA Throttle Policy, select the Enable check box and configure the following parameters:

In the Throttle Period field, enter the duration of the throttle period in seconds. The range is 10 to 86,400 seconds.

In the Max Through field, enter the number of RAs that can pass through over a period in seconds. If the No Limit check box is not enabled, the maximum pass-through number can be specified.

From the Interval Option drop-down list, choose an option (Ignore, Passthrough, Throttle) that indicates the behavior in case of an RA with an interval option.

Specify the value in the Allow At-least field that indicates the minimum number of RAs not throttled per router.

Specify the value in the Allow At-most field that indicates the maximum number of RAs not throttled per router. If the No Limit check box is not enabled, the maximum number of RAs not throttled per router can be specified.

Step 4  Click Save as New Template.

Related Topics

Creating RA Guard Templates

Creating Neighbor Binding Timers Templates

Creating RA Guard Templates

RA Guard is a Unified Wireless solution used to drop RA from wireless clients. It is configured globally, and by default it is enabled. You can create or modify a template for configuring IPv6 Router Advertisement parameters.

To create an RA Guard template, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > IPv6 > RA Guard.

Step 2  If you want to add a new template, hover the mouse on RA Guard and select New or click RA Guard. To modify an existing template, click the template name. The RA Guard template page appears.

Step 3  If you want to enable the RA Guard on AP, select the Enable check box.

Step 4  Click Save as New Template.
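The filtering decision that RA Guard is described as making (dropping Router Advertisements that arrive from wireless clients), sketched as an added example that is not Cisco's implementation. The function names, the ingress labels, and the sample packets are assumptions constructed for illustration; the ICMPv6 type 134 and the extension header layout come from the IPv6 and Neighbor Discovery specifications.

```python
"""Sketch of the decision RA Guard makes: drop ICMPv6 Router Advertisements
received from wireless clients. Added illustration: function names and the
ingress labels are assumptions, not the controller's implementation."""
import ipaddress
import struct
from typing import Optional

ICMPV6 = 58                      # IPv6 Next Header value for ICMPv6
ROUTER_SOLICITATION = 133        # ICMPv6 type (RFC 4861)
ROUTER_ADVERTISEMENT = 134       # ICMPv6 type (RFC 4861)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60


def icmpv6_type(packet: bytes) -> Optional[int]:
    """Return the ICMPv6 type carried by an IPv6 packet, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None              # too short, or not IPv6
    next_header, offset = packet[6], 40
    # Walk the extension header chain; the ICMPv6 header is not always
    # the first thing after the fixed 40-byte IPv6 header.
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if len(packet) < offset + 8:
            return None
        if next_header == FRAGMENT:
            fragment_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if fragment_offset != 0:
                return None      # only the first fragment carries the ICMPv6 header
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + length
    if next_header != ICMPV6 or len(packet) <= offset:
        return None
    return packet[offset]


def ra_guard_verdict(packet: bytes, ingress: str) -> str:
    """Return 'drop' for a Router Advertisement from a wireless client."""
    # This model acts only on packets it can positively identify as an RA.
    if ingress == "wireless-client" and icmpv6_type(packet) == ROUTER_ADVERTISEMENT:
        return "drop"
    return "forward"


def build_packet(icmp_type: int, ext_headers: bytes = b"",
                 first_next_header: int = ICMPV6) -> bytes:
    """Constructed sample: IPv6 header, optional extension headers, ICMPv6."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(12)  # checksum left at 0
    payload = ext_headers + icmp
    header = struct.pack("!IHBB", 0x60000000, len(payload), first_next_header, 255)
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed            # all-nodes multicast
    return header + src + dst + payload


# Constructed samples (not captured traffic).
PLAIN_RA = build_packet(ROUTER_ADVERTISEMENT)
ROUTER_SOLICIT = build_packet(ROUTER_SOLICITATION)
# The same RA behind an 8-byte Hop-by-Hop header holding one PadN option.
RA_AFTER_HOP_BY_HOP = build_packet(ROUTER_ADVERTISEMENT,
                                   bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]),
                                   HOP_BY_HOP)

if __name__ == "__main__":
    for name, pkt, ingress in (("RA from client", PLAIN_RA, "wireless-client"),
                               ("RA from uplink", PLAIN_RA, "wired-uplink"),
                               ("RS from client", ROUTER_SOLICIT, "wireless-client"),
                               ("RA after ext header", RA_AFTER_HOP_BY_HOP, "wireless-client")):
        print(f"{name}: {ra_guard_verdict(pkt, ingress)}")
```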

Creating Proxy Mobile IPv6 Templates

Proxy Mobile IPv6 is a network-based mobility management protocol that supports a mobile node by acting as the proxy for the mobile node in any IP mobility-related signaling. The mobility entities in the network track the movements of the mobile node and initiate the mobility signaling and set up the required routing state.

The main functional entities are the Local Mobility Anchor (LMA) and Mobile Access Gateway (MAG). The LMA maintains the reachability state of the mobile node and is the topological anchor point for the IP address of the mobile node. The MAG performs the mobility management on behalf of a mobile node. The MAG resides on the access link where the mobile node is anchored. The controller implements the MAG functionality.

Related Topics

Creating PMIP Global Configurations

Creating LMA Configurations

Creating PMIP Profile

Creating PMIP Global Configurations

Step 1  Choose Configuration > Features & Technologies > Controller > PMIP > Global Config.

Step 2  If you want to add a new template, hover the mouse on Global Config and select New or click Global Config. To modify an existing template, click the template name.

Step 3  Enter a template name in the text box.

Step 4  Configure the following fields:

In the Domain Name text box, enter the domain name.

In the Maximum Bindings Allowed field, enter the maximum number of binding updates that the controller can send to the MAG. The valid range is 0 to 7000.

In the Binding Lifetime field, enter the lifetime of the binding entries in the controller. The valid range is 10 to 65535 seconds. The default value is 65535. The binding lifetime should be a multiple of 4 seconds.

In the Binding Refresh Time field, enter the refresh time of the binding entries in the controller. The valid range is 4 to 65535 seconds. The default value is 300 seconds. The binding refresh time should be a multiple of 4 seconds.

In the Binding Initial Retry Timeout field, specify the initial timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is 100 to 65535 seconds. The default value is 1000 seconds.

In the Binding Maximum Retry Timeout field, enter the maximum timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is 100 to 65535 seconds. The default value is 32000 seconds.

In the Replay Protection Timestamp field, specify the maximum amount of time difference between the timestamp in the received proxy binding acknowledgment and the current time of the day. The valid range is 1 to 255 milliseconds. The default value is 7 milliseconds.

In the Minimum BRI Retransmit Timeout field, specify the minimum amount of time that the controller waits before retransmitting the BRI message. The valid range is 500 to 65535 seconds.

In the Maximum BRI Retransmit Timeout field, specify the maximum amount of time that the controller waits before retransmitting the Binding Revocation Indication (BRI) message. The valid range is 500 to 65535 seconds. The default value is 2000 seconds.

In the BRI Retries field, specify the number of BRI retries.

In the MAG APN text box, specify the name of the Access Point Node of MAG.

Step 5  Click Save as New Template.

Related Topics

Creating LMA Configurations

Creating PMIP Profile

Creating LMA Configurations

Step 1  Choose Configuration > Features & Technologies > Controller > PMIP > LMA Config.

Step 2  If you want to add a new template, hover the mouse on LMA Config and select New or click LMA Config. To modify an existing template, click the template name.

Step 3  Configure the following fields:

In the LMA Name text box, enter the name of the LMA connected to the controller.

In the LMA IP Address field, enter the IP address of the LMA connected to the controller.

Step 4  Click Save as New Template.

Related Topics

Creating PMIP Profile

Creating PMIP Global Configurations

Creating PMIP Profile

Step 1  Choose Configuration > Features & Technologies > Controller > PMIP > PMIP Profile.

Step 2  If you want to add a new template, hover the mouse on PMIP Profile and select New or click PMIP Profile. To modify an existing template, click the template name.

Step 3  In the PMIP Profile text box, enter the profile name.

Step 4  Click Add and then configure the following fields:

In the Network Access Identifier text box, enter the name of the Network Access Identifier (NAI) associated with the profile.

In the LMA field, enter the name of the LMA to which the profile is associated.

In the Access Point Node text box, enter the name of the access point node connected to the controller.

Step 5  Click Save as New Template.

Related Topics

Creating PMIP Global Configurations

Creating LMA Configurations

Creating mDNS Templates

Multicast DNS (mDNS) service discovery provides a way to announce and discover services on the local network. mDNS performs DNS queries over IP multicast. mDNS supports zero configuration IP networking.

The following are the guidelines and limitations for mDNS templates:

You cannot delete an mDNS service when it is mapped to one or more profiles.

The length of the profile name and the services name can be a maximum of 31 characters.

The length of the service string can be a maximum of 255 characters.

You cannot delete the default profile (default-mdns-profile).

You cannot delete profiles when they are mapped to interfaces, interface-groups, or WLANs.

You cannot remove mDNS services from a profile when they are mapped to interface, interface-groups or WLANs. You can add new services.

Whenever you create and apply any mDNS template, it overwrites the existing configuration on the controller.

You cannot enable mDNS snooping for WLAN when FlexConnect local switching is ON.

You cannot attach mDNS profiles to interfaces when “AP Management” is enabled.

You can create an mDNS template so that the controller can learn about the mDNS services and advertise these services to all clients.

There are two tabs—Services and Profiles.

Services Tab—This tab enables you to configure the global mDNS parameters and update the Master Services database.

Profiles Tab—This tab enables you to view the mDNS profiles configured on the controller and create new mDNS profiles. After creating a new profile, you must map the profile to an interface group, an interface, or a WLAN. Clients receive service advertisements only for the services associated with the profile. The controller gives the highest priority to the profiles associated to interface groups, followed by the interface profiles, and then the WLAN profiles. Each client is mapped to a profile based on the order of priority. By default, the controller has an mDNS profile, default-mdns-profile. You cannot delete this default profile.

Step 1  Choose Configuration > Features & Technologies > Controller > mDNS > mDNS.

Step 2  If you want to add a new template, hover the mouse on mDNS and select New or click mDNS. To modify an existing template, click the template name.

Step 3  On the Services tab, configure the following parameters:

Select the mDNS Global Snooping check box to enable snooping of mDNS packets. The controller does not support IPv6 mDNS packets even when you enable mDNS snooping.

In the Query Interval(10-120) field, specify the mDNS query interval in minutes. The WLC uses this interval to send periodic mDNS query messages to services that do not send service advertisements automatically after they are started. The default value is 15 minutes.

Master Services—Click Add Row and then configure the following fields. To add a new service, enter or choose the service name, enter the service string, and then choose the service status.

From the Master Service Name drop-down list, choose the supported services that can be queried. The following services are available:

AirTunes

AirPrint

AppleTV

HP Photosmart Printer1

HP Photosmart Printer2

Apple File Sharing Protocol (AFP)

Scanner

Printer

FTP

iTunes Music Sharing

iTunes Home Sharing

iTunes Wireless Device Syncing

Apple Remote Desktop

Apple CD/DVD Sharing

Time Capsule Backup

In the Service String text box, specify the unique string associated to an mDNS service. For example, _airplay._tcp.local. is the service string associated to AppleTV.

From the Query Status drop-down list, choose Enabled or Disabled to specify an mDNS query for a service. The WLC sends periodic mDNS query messages at the configured Query Interval only for services whose query status is enabled; services whose query status is disabled (for example, AppleTV) should advertise automatically.

Step 4  On the Profiles tab, configure the following parameters:

Profiles—Click Add Profile and then configure the following fields:

In the Profile Name text box, enter the name of the mDNS profile. You can create a maximum of 16 profiles.

Select the services (using the check boxes) that you want to map to the mDNS profile.

Click OK.

Step 5  Click Save as New Template.

Creating AVC Profiles Templates

Application Visibility and Control (AVC) uses the Network Based Application Recognition (NBAR) deep packet inspection technology to classify applications based on the protocol they use. Using AVC, the controller can detect more than 1400 Layer 4 to Layer 7 protocols. AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.

AVC is supported only on the following controllers:

Cisco 2500 and 5500 Series Controllers.

WiSM 2 Controllers

Cisco Flex 7500 and Cisco 8500 Series Controllers.

To configure the AVC profile template, follow these steps:

Step 1  Choose Configuration > Features & Technologies > Controller > Application Visibility And Control > AVC Profiles.

Step 2  If you want to add a new template, hover the mouse on AVC Profiles and select New or click AVC Profiles. To modify an existing template, click the template name.

Step 3  In the AVC Profile Name text box, enter the AVC Profile Name.

Note  You can configure only one AVC profile per WLAN and each AVC profile can have up to 32 rules. Each rule states a Mark or Drop action for an application. This allows you to configure up to 32 application actions per WLAN. You can configure up to 16 AVC profiles on a controller and associate an AVC profile with multiple WLANs.

Step 4  Under the AVC Rule List, click Add Row to create AVC rules.

In the Application Name field, enter the name of the application.

In the Application Group Name field, enter the name of the application group to which the application belongs.

From the Action drop-down list, choose one of the following:

Drop—Drops the upstream and downstream packets corresponding to the chosen application.

Mark—Marks the upstream and downstream packets corresponding to the chosen application with the DSCP value that you specify in the Differentiated Services Code Point (DSCP) drop-down list. The DSCP value helps you provide differentiated services based on the QoS levels.

Rate Limit—If you select Rate Limit as an action, you can specify Average Rate Limit per client and Burst data rate limit. The number of rate limit applications is limited to 3.

The default action is to permit all applications.

If you select Mark as an action, then choose QoS levels from the DSCP drop-down list. DSCP is a packet header code that is used to define quality of service across the Internet. The DSCP values are mapped to the following QoS levels:

Platinum (Voice)—Assures a high QoS for Voice over Wireless.

Gold (Video)—Supports the high-quality video applications.

Silver (Best Effort)—Supports the normal bandwidth for clients.

Bronze (Background)—Provides lowest bandwidth for guest services.

Custom—Specify the DSCP value. The range is from 0 to 63.

In the DSCP Value field, enter the value. You can enter a value only when Custom is chosen from the DSCP drop-down list.

If you select Rate Limit as an action, you can specify the value in Avg. Rate Limit (in Kbps), which is the average bandwidth limit of that application.

If you select Rate Limit as an action, you can specify Burst Rate Limit (in Kbps), which is the peak limit of that application.

Step 5  Click Save as New Template.

Related Topics

Adding Controller Templates

Deleting Controller Templates

Applying Controller Templates

Creating NetFlow Templates

NetFlow is a protocol that provides valuable information about network users and applications, peak usage times, and traffic routing. This protocol collects IP traffic information from network devices to monitor traffic. The NetFlow architecture consists of the following components:

Collector—An entity that collects all the IP traffic information from various network elements.

Exporter—A network entity that exports the template with the IP traffic information. The controller acts as an exporter.

Related Topics

Creating NetFlow Monitor Template

Creating NetFlow Exporter Template

Creating NetFlow Monitor Template

To create NetFlow Monitor template:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Netflow > Monitor.

Step 2  Hover your mouse cursor over the tool tip next to the template type and click New to create.

Step 3  Complete the required fields, then click Save as New Template.

Related Topics

Creating NetFlow Templates

Creating NetFlow Exporter Template

You can configure only one NetFlow Exporter per controller. To create NetFlow exporter template:

Step 1  Choose Configuration > Templates > Features & Technologies > Controller > Netflow > Monitor.

Step 2  Hover your mouse cursor over the tool tip next to the temp