
Guide

Cisco Prime Infrastructure 3.0


Deployment Guide

2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 63
Contents
Scope
Introduction
Overview
Design Overview
Prerequisites
Cisco Prime Infrastructure Deployment Models
Cisco Prime Infrastructure Form Factors
Server Sizing Matrix
Installing Cisco Prime Infrastructure
Option 1: Installing Cisco Prime Infrastructure on a Physical Appliance
Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance
Accessing Cisco Prime Infrastructure GUI
Client Requirements
Logging In to Cisco Prime Infrastructure for the First Time
Licensing
Upgrading Cisco Prime Infrastructure
Migrating Data from Previous Versions
Device Packs and Software Updates
Application Setup
System Setup
Users and User Group Management
Connection to Cisco.com
Proxy Settings
Cisco.com Settings
Single Sign On (SSO)
RADIUS/TACACS+ Integration
Email Server Settings
Credential Profile
Discovering Your Network
Preparing the Network for Discovery
Discovery Settings
Scheduling Discovery
Quick Discovery
Importing Devices Manually
Data Center Discovery
Validate Discovery
Fixing Credential Errors
Grouping
Device Grouping
Port Grouping
Topology and Maps
Viewing Network Topology
Wireless Planning Tool
Wireless Site Map
Create Sites
Import/Edit Maps from WCS/NCS to Cisco Prime Infrastructure
Configuration Management
Managing Configuration Archives
Comparing Configuration
Image Management
Setting Up Image Management
Importing Software Images
Image Distribution
Configuration Templates
Choosing a Configuration Template
Defining Shared Policy Objects
Wireless Controller Configuration
RRM/Clean Air
Build RF Profiles
Apply RF Profiles to AP Groups
Automated Deployment
Compliance
Prerequisites
Creating Compliance Policy
Creating Policy Profiles
Run Compliance Audit
View Violation Summary
PSIRT and EoX Reports
Clients and Users
Client Troubleshooting
ISE Integration
MSE Integration
Monitoring
Monitoring Policies
Viewing Alarms and Events
Configuring Alarm Severity
Customizing Traps and Syslogs
Defining Custom Trap Events
Defining Custom Syslog Events
Forwarding Alarms as Traps to Notification/Trap Receivers
AVC and QoS Configuration
Monitoring Application and Services
Prerequisites
AVC Supported Platforms
Readiness Assessment
AVC Configuration
Different Approaches to Enable AVC
Enabling AVC on Wireless Controllers
Associate Endpoints to Sites
Managing Netflow Data Sources
Viewing AVC Metrics
Classify Unknown Traffic by Defining Custom Application
Updating Application Definitions (NBAR2 Protocol Pack)
Multi-NAM Capabilities within Cisco Prime Infrastructure
Netflow Dashlets
Lync Monitoring
Setting Up Microsoft Lync Monitoring
Monitoring Microsoft Lync
PfR Monitoring
Site-to-Site PfR Topology
Comparing WAN Interfaces
Dashboards
Dashboard Customization
Customizing the Dashlet Content
Remediation Tools
Wireless Remediation
Wired Remediation
Trigger Packet Capture from Cisco Prime Infrastructure
Manual Packet Capture from Cisco Prime Infrastructure
Automating Packet Capture Using Cisco Prime Infrastructure
Decoding Packet Capture Using Cisco Prime Infrastructure
Reports
REST API
High Availability
Prerequisites
Licensing
High-Availability Setup
HA Modes
Failover
Failback
Manual/Automatic Options
Automatic Failover
Manual Failover
Configuring Cisco Prime Infrastructure Backup
Advanced System Settings
Data Retention
Server Tuning
Disabling Insecure Services
Disabling Root Access
Using SNMPv3 Instead of SNMPv2
Authenticating with External AAA
Importing Client Certificates into Web Browsers
Enabling NTP Update Authentication
Enabling Certificate-Based OCSP Authentication
Setting Up Local Password Policies
Disabling Individual TCP/UDP Ports
Checking Server Security Status
Miscellaneous
Accessing Cisco Prime Infrastructure Through CLI
How to Enable CLI Root User in Cisco Prime Infrastructure Server
Start/Stop Cisco Prime Infrastructure Services
Verifying IOPS for Cisco Prime Infrastructure Virtual Machine
References
Cisco Prime Infrastructure 3.0 Links
Cisco Product Pages
Ordering and Licensing

Scope
This guide covers the installation, setup, and basic operation of Cisco Prime Infrastructure. For more information,
see the Design Overview section in this guide.

Introduction
Network administrators have a demanding, tedious job overseeing all the devices on a network. To complicate
matters, network devices are sometimes added to or removed from the network. As an organization grows, so
does the number of devices to be managed. The needs of the network management administrators include:

● Configuration backup and archive: Administrators need to make backup copies of device configurations
  and store them in a protected location. Performing this task manually is extremely time-consuming and
  tedious. An automated means of collecting and archiving device configuration files is a valuable aid to
  network administrators.
● Configuration deployment: A change in the network, or in the services it supports, requires changes to
  device configurations. This means manually connecting to and configuring all the affected devices, and it
  can take many hours to make similar, if not identical, changes to device configurations. A means of automating
  the deployment of such configuration changes, including support for device-specific values, can greatly
  improve both the speed and the accuracy of updating the network.
● Software image management: A centralized way of viewing the operating system versions running on all
  the network devices is very helpful, but administrators also need to get the necessary software images
  from a trusted source and then propagate those images to many network devices.
● Monitoring, troubleshooting, and reporting: Running a network requires knowing about the state of the
  network and the state of individual devices. It also requires notification of events on the network,
  troubleshooting tools, and an ability to generate reports about many aspects of the network.

Cisco Prime Infrastructure is the one management solution for converged-access, enterprise-class networks. It
provides a single-pane-of-glass solution for managing wired and wireless networks, with end-to-end visibility
from the branch to the campus and all the way to the data center.

This deployment guide helps you choose the right deployment model and describes the steps to deploy Cisco Prime
Infrastructure to manage wired and wireless networks using some of the essential network management
features.

Overview
Cisco Prime Infrastructure is a sophisticated network management tool that can help support the end-to-end
management of the network technologies and services that are critical to the operation of your organization; it
aligns the network management functionality with the way that network administrators do their jobs. Cisco Prime
Infrastructure provides an intuitive, web-based graphical user interface (GUI) that can be accessed from anywhere
within the network and gives you a full view of network use and performance.

Cisco Prime Infrastructure provides comprehensive lifecycle management, assurance visibility and troubleshooting
capabilities across the network - from the user in the branch office, across the WAN, and to the data center. In
essence, it is one management and one assurance for one network.

Cisco Prime Infrastructure lets you manage your network more efficiently and effectively so you can achieve the
highest levels of wired and wireless network performance, service assurance, and application-centric end-user
experience.

Figure 1 depicts the campus network architecture documented in the Campus Wired LAN Technology Design
Guide and Campus Wireless LAN Technology Design Guide. With such a network and the services that it can
support, Cisco Prime Infrastructure can play a critical role in day-to-day network operations.

Figure 1. Campus Wired and Wireless LAN Architecture

Design Overview
Prerequisites
Cisco Prime Infrastructure software runs on either a dedicated Cisco Prime Infrastructure appliance or on a
VMware ESXi version 5.1 or 5.5 server. The Cisco Prime Infrastructure software image does not support the
installation of any other packages or applications on this dedicated platform. You cannot install Cisco Prime
Infrastructure on a standalone operating system such as Red Hat Linux, because Cisco Prime Infrastructure is
available as a physical or virtual appliance that comes preinstalled with a secure and hardened version of Red Hat
Linux as its operating system and bundled with Oracle 11.2.0.

Cisco Prime Infrastructure Deployment Models
● Standalone: Cisco Prime Infrastructure can be deployed as a standalone physical or virtual appliance to
  manage the wired and wireless network infrastructure.
● High Availability (Recommended): The Cisco Prime Infrastructure High Availability (HA) implementation
  allows one primary Cisco Prime Infrastructure server to fail over to one secondary (backup) Cisco Prime
  Infrastructure server. The secondary server sizing should be larger than or equal to that of the primary
  server in order to take over Cisco Prime Infrastructure operation in the event that the primary Cisco Prime
  Infrastructure system fails. For example, if the primary Cisco Prime Infrastructure server is the Standard
  OVA, then the secondary Cisco Prime Infrastructure server must be the Standard or Pro OVA.
  In Cisco Prime Infrastructure, the only HA configuration supported is 1:1 (Active, Standby), that is, 1 primary
  system and 1 secondary system.
● Distributed Deployment: Large or global organizations often distribute network management by domain,
  region, or country. For reasons of geography, scalability, resilience, or visibility, Cisco customers may
  deploy more than one instance of Cisco Prime Infrastructure to manage their network. If you're one of those
  customers, you also need to manage all those instances together as one.
  Cisco Prime Infrastructure Operations Center enables centralized management of multiple Cisco Prime
  Infrastructure instances. Operations Center streamlines how your administrators access and interact with
  multiple instances of Cisco Prime Infrastructure. You no longer need to generate reports one by one and
  manually consolidate results. Nor do you have to check for alarms at each dashboard. These tasks take
  time and may result in human errors. With Cisco Prime Infrastructure Operations Center, you get easier
  access to information about the health of your entire network managed by multiple instances.

Cisco Prime Infrastructure Form Factors


Cisco Prime Infrastructure comes in two main forms:

● Virtual: The Cisco Prime Infrastructure virtual appliance is packaged as an Open Virtualization Archive
  (OVA) file, which must be installed on a user-supplied, qualified VMware ESXi server. This form allows you
  to run on the server hardware of your choice. You can also install the virtual appliance in any of the four
  configurations, each optimized for a different size of enterprise network. For hardware requirements and
  capacities for each of the virtual appliance's size options, see Virtual Appliance Options.
● Physical: The physical appliance is packaged as a rack-mountable server, with Cisco Prime Infrastructure
  preinstalled and configured for you. For physical appliance hardware specifications and capacities, see
  Physical Appliance Options.

Server Sizing Matrix


Table 1 helps you pick the right OVA size for the Cisco Prime Infrastructure virtual appliance.

Note: Compliance is supported on the Professional virtual appliance (OVA) and the Gen 2 physical appliance
based on Cisco UCS only.

Table 1. Server Sizing Matrix

| Device Type | Express | Express-Plus | Standard | Professional | Hardware Appliance (Gen2) |
|---|---|---|---|---|---|
| Network Devices | | | | | |
| Max Unified APs | 300 | 2500 | 5,000 | 10,000 | 20,000 |
| Max Wired Devices | 300 | 1000 | 6,000 | 10,000 | 13,000 |
| Max Autonomous APs | 300 | 500 | 1500 | 2500 | 3,000 |
| Max NAMs | 5 | 5 | 500 | 800 | 1,000 |
| Max Controllers | 5 | 25 | 500 | 800 | 1000 |
| Maximum number of devices (combination of wired and wireless devices) | 500 | 3000 | 10000 | 14000 | 24000 |
| Clients | | | | | |
| Max Wireless (Roaming) Clients | 4,000 | 30,000 | 75,000 | 150000 | 200,000 |
| Max Changing (Transient) Clients | 1,000 | 5,000 | 25,000 | 30000 | 40,000 |
| Max Wired Clients | 6,000 | 50,000 | 50,000 | 50,000 | 50,000 |
| Mobility Services Engine (MSEs) | 1 | 1 | 6 | 10 | 12 |
| Monitoring | | | | | |
| Max Interfaces | 12,000 | 50,000 | 250,000 | 250,000 | 350,000 |
| Max NetFlow Rate (flows/sec) | 3,000 | 3,000 | 16,000 | 40,000 | 80,000 |
| Max Events (events/sec) | 100 | 100 | 300 | 500 | 1,000 |
| Max Trap Rate | 20 | 20 | 60 | 100 | 300 |
| Max Syslog Rate | 70 | 70 | 210 | 350 | 600 |
| Max NAM Data Polling Enabled | 5 | 5 | 20 | 30 | 40 |
| Max Polling Interfaces (Polling of trunk ports) | 2400 | 8000 | 48000 | 10000 | 10000 |
| Max hourly Host Records | 144,000 | 720,000 | 2,100,000 | 6,000,000 | 12,000,000 |
| System | | | | | |
| Max Number of Sites per Campus | 200 | 500 | 2,500 | 2,500 | 2,500 |
| Max Virtual Domains | 100 | 500 | 750 | 750 | 750 |
| Max Groups (Total): User-Defined + Out of the Box + Device Groups + Port Groups | 50 | 100 | 150 | 150 | 150 |
| Max Concurrent GUI Clients | 5 | 10 | 25 | 50 | 50 |
| Max Concurrent API Clients | 2 | 2 | 5 | 5 | 5 |

Refer to the Cisco Prime Infrastructure 3.0 Quick Start Guide for the latest sizing information.

Table 2 lists the hardware requirements for the virtual appliance based on wired/wireless scale.

Table 2. Hardware Requirements for Virtual Appliance

Virtual Appliance Size | Virtual CPU | Memory (DRAM) | HDD Size | Throughput (Disk I/O)** | Max Concurrent Clients/Users | API Clients
Express | 4 | 12 GB | 300 GB | 200 MB/s | 5 | 2
Express-Plus | 8 | 16 GB | 600 GB | 200 MB/s | 10 | 2
Standard | 16 | 16 GB | 900 GB | 200 MB/s | 25 | 5
Professional | 16 | 24 GB | 1.2 TB | 320 MB/s | 50 | 5

Note: You can configure any combination of sockets and cores, the product of which must equal the number of
virtual CPUs required. For example, if 16 virtual CPUs are required, you can configure 4 sockets with 4 cores, or 2
sockets with 8 cores, etc.

Installing Cisco Prime Infrastructure


Option 1: Installing Cisco Prime Infrastructure on a Physical Appliance
Cisco Prime Infrastructure 3.0 comes preinstalled on a next-generation Cisco UCS appliance. If for some
reason the physical appliance arrives without any software, the application can be installed from the .iso image
(burned to DVD). Once the server boots, the procedure is similar to the one described for the virtual appliance.
Use the .iso image instead of the .ova image when installing on a Cisco Prime Infrastructure physical appliance.
For more details, see the Cisco Prime Infrastructure Hardware Appliance Installation Guide.

Cisco Prime Infrastructure Physical Appliance comes with the specifications shown in Table 3.

Table 3. Cisco Prime Appliance Specifications

Physical Appliance | Physical CPU | Memory (DRAM) | HDD Size | Throughput (Disk I/O) | Max Concurrent Clients/Users | API Clients
Cisco Prime Appliance | 10 Cores (20 Threads) | 64 GB | 3600 GB (8x900 GB RAID10) | 320 MB/s | 50 | 5

Option 2: Installing the Cisco Prime Infrastructure Virtual Appliance


Cisco Prime Infrastructure is delivered as a virtual appliance or OVA file. OVA files allow you to easily deploy a
prepackaged virtual machine (VM) - an application along with a database and an operating system. Follow
the links below for detailed instructions on installing the Cisco Prime Infrastructure virtual appliance:

- Before You Begin
- Deploying the OVA from the VMware vSphere Client
- Installing the Server

Accessing Cisco Prime Infrastructure GUI


Client Requirements
Table 4 shows all the supported browsers that can be used to access Cisco Prime Infrastructure. See the Cisco
Prime Infrastructure 3.0 Quick Start Guide for the latest client requirements.

Table 4. Client Requirements

Supported Browser | Browser Version | Additional Note
Internet Explorer | 10, or 11 | No plug-ins are required
Mozilla Firefox | Firefox 35 or later | Latest Firefox version may be used, but it may not be tested depending on when it was released.
Mozilla Firefox ESR | ESR 31, 38 |
Google Chrome | Chrome 40 or later | Latest Chrome version may be used, but it may not be tested depending on when it was released.

Display resolution: Cisco Prime Infrastructure supports 1366 x 768 or higher, but we recommend that you set the
screen resolution to 1600 x 900.

Cisco Prime Infrastructure user interface is based on HTML 5 and removes any dependency on Adobe Flash.

TIP: It is strongly recommended to use a client with at least 4 GB of memory. Adding more memory will
enhance the end-user experience.

Logging In to Cisco Prime Infrastructure for the First Time


Once the Cisco Prime Infrastructure server has been installed and configured, it can be accessed from a web
browser. The server URL is https://server_hostname or https://<ip-address>. For the first login, use the
following credentials:

Username: root

Password: <the root password is the one that was entered during the install script>

After the server has been configured, it is advisable to log in as a non-root user and to reserve the root user
for system-level configuration as and when needed. More information can be found in the Cisco Prime
Infrastructure 3.0 Quick Start Guide, under Logging into the Cisco Prime Infrastructure User Interface.

Licensing
You can access the lifecycle and assurance features of the newly installed Cisco Prime Infrastructure using the
built-in evaluation license that is available by default. The default evaluation license is valid for 60 days for 100
devices. You need to purchase the licenses to continue using Cisco Prime Infrastructure before the evaluation
license expires.

License files can be added to Cisco Prime Infrastructure by navigating to Administration > Licenses and
Software Updates > Licenses in the GUI.

Figure 2. Adding License Files

Table 5 lists the different licenses available for Cisco Prime Infrastructure.

Table 5. License Types in Cisco Prime Infrastructure

License Type | License Purpose
Base | Required for every Cisco Prime Infrastructure installation and is a prerequisite for all other license types.
Management (Lifecycle, Assurance, APIC-EM/PnP) | Regulates the total number of devices, NetFlow devices under Cisco Prime Infrastructure management.
High Availability | High Availability Right To Use (RTU) License.
Collector | Regulates the total number of NetFlow data flows per second that Cisco Prime Infrastructure can process.
Data Center | Regulates the number of blade servers being managed by Cisco UCS device(s) in Cisco Prime Infrastructure. The license count matches the number of blades or rack units associated with any Cisco UCS device.
Data Center Hypervisor | Regulates the total number of host(s) managed by Cisco Prime Infrastructure management. This license manages Discovery Sources (vCenter) in Cisco Prime Infrastructure.
Operations Center base License | Operations Center base License is required in case of distributed deployment of Cisco Prime Infrastructure and when the customer wants to deploy Operations center to centrally manage the Cisco Prime Infrastructure Instances.
Operations Center Server License | Required to manage the Cisco Prime Infrastructure instances in Operations Center.

Note: Licenses are supplied in either evaluation or permanent form. For more information on Cisco Prime
Infrastructure licensing, you can also refer to the Cisco Prime Infrastructure 3.0 Ordering and Licensing Guide.

Upgrading Cisco Prime Infrastructure


Cisco Prime Infrastructure can be upgraded to version 3.0 from the following versions:

- Cisco Prime Infrastructure 2.2.3
- Cisco Prime Infrastructure 2.2.2
- Data Center Technology Package 1.0.0 for Cisco Prime Infrastructure 2.2.1
- Wireless Technology Package 1.0.0 for Cisco Prime Infrastructure 2.2.1
- Cisco Prime Infrastructure 2.2.1
- Cisco Prime Infrastructure 2.2

If your product/version is not in this list, you must first upgrade to version 2.2.x at a minimum before you
can upgrade to 3.0. For an in-line upgrade, follow the steps listed in the Cisco Prime Infrastructure 3.0 Quick
Start Guide.

Note: You cannot upgrade to Cisco Prime Infrastructure 3.0 if you have installed version 2.2.x in FIPS mode.

Migrating Data from Previous Versions


Data migration is supported only from Cisco Prime Infrastructure 2.2.x versions. Follow the data migration steps
listed in the Cisco Prime Infrastructure 3.0 Quick Start Guide.

Device Packs and Software Updates
Cisco Prime Infrastructure periodically provides critical fixes, device support, and add-on updates that you can
download and install by choosing Administration > Licenses and Software Updates > Software Update.
Depending on your connectivity and preference, you can install software updates by:

- Downloading updates directly from Cisco.com to the Cisco Prime Infrastructure server. To use this method,
  the Cisco Prime Infrastructure server must be able to connect externally to Cisco.com. For details, see
  Installing Software Updates from Cisco.com.
- Downloading software update files to a client or server with external connectivity, then uploading them to
  and installing them on the Cisco Prime Infrastructure server. For details, see Uploading and Installing
  Downloaded Software Updates.

Figure 3. Device Packs and Software Updates

Application Setup
System Setup
Users and User Group Management
It is not advisable to use the root user to log in for normal purposes. Role-based access control can be enforced by
creating new users and assigning them to the relevant user groups and virtual domains.

Manage User Groups


User groups are synonymous with roles. All the roles except the user-defined roles are preconfigured. User-defined
groups can be modified by navigating to Administration > Users > Users, Roles & AAA > User Groups > User
Defined #. By clicking the task list, you can perform the following activities:

- Modify other groups and roles.
- Add users.
- See audit trail.
- Export the TACACS+/RADIUS command sets.

User-defined roles can be modified by clicking the User Defined link in Figure 4. Once clicked, all the collapsed
user access controls are expanded as shown in the figure. You can select the whole category, for example,
Network Configuration, or a few of the options within that category to customize the role. Once the group/role is
created, multiple users can then be assigned to that group.

Figure 4. User Group Administration

Manage Users
You can add new users by navigating to Administration > Users > Users, Roles & AAA > Users > Add Users
and selecting Add Users from the drop-down on the right side. Once you are in the add user workflow, enter
the username, password, and local authorization for this user as shown in Figure 5. Map the user to the
appropriate role and assign virtual domains. It does not matter whether you create users or groups first.

Figure 5. User Groups Creation

Virtual Domain
Virtual domains allow you to control who has access to specific sites and devices. After you add devices to Cisco
Prime Infrastructure, you can configure virtual domains. Virtual domains are logical groupings of devices and are
used to control the administration of the group. By creating virtual domains, an administrator allows users to view
information relevant to them specifically and restricts their access to other areas. Virtual domain filters allow users
to configure devices, view alarms, and generate reports for their assigned part of the network only.

Virtual domains are organized hierarchically. Subsets of an existing virtual domain contain the network elements
that are contained in the parent virtual domain. The ROOT-DOMAIN domain includes all virtual domains.

A virtual domain can be added by navigating to Administration > Users > Virtual Domain.

A virtual domain can also be assigned to the users when you define their roles by selecting the virtual domain on
the left side and moving it to the right side as shown in Figure 6.

Figure 6. Virtual Domain

Connection to Cisco.com
A Cisco.com connection is required for some of the advanced features such as Smart Interactions (TAC service
requests and support forums), importing software images, Software Update, and many others. The Cisco Prime
Infrastructure server must therefore be able to connect to cisco.com to pull the data for these features. There
are two parts to making this work:

- Proxy settings
- Cisco.com user settings

Proxy Settings
If Cisco Prime Infrastructure requires a proxy to connect to the internet, you can enter the proxy information by
navigating to Administration > Settings > System Settings > Proxy. You can enable proxy settings and enter all
the proxy information there. Authentication proxies are also supported in Cisco Prime Infrastructure.

Cisco.com Settings
You can enter your cisco.com credentials at the following places:

- Administration > Settings > System Settings > Inventory > Account Credential
- Administration > Settings > System Settings > General > Support Request

Single Sign On (SSO)
Cisco Prime Infrastructure supports Single Sign-On (SSO). You can configure more than one SSO server for Cisco
Prime Infrastructure. Authentication will fall back to the second SSO server, and so on.

To add SSO servers, navigate to Administration > Users > Users, Roles & AAA > SSO Servers. Select Add
SSO servers. SSO Servers settings can be configured by navigating to Administration > Users > Users, Roles
& AAA > SSO Server Settings.

Figure 7. SSO Server Settings

RADIUS/TACACS+ Integration
Cisco Prime Infrastructure supports local authentication as well as TACACS+ and RADIUS AAA. To add a
TACACS+ or RADIUS server, navigate to Administration > Users > Users, Roles & AAA. For Cisco Prime
Infrastructure to communicate with the TACACS+ server, the shared secret you enter on this page must match the
shared secret configured on the TACACS+ server.

Figure 8. Adding TACACS+ Server

Email Server Settings
Administrators must configure email parameters to enable Cisco Prime Infrastructure to email reports, alarm
notifications, and so on. You must configure the primary SMTP server before you can set the email parameters.

Choose Administration > Settings > System Settings > Mail and Notification > Mail Server Configuration.

Credential Profile
A credential profile is a set of device credentials. The credentials provided in a credential profile can include
SNMP, Telnet, SSH and HTTP/HTTPS credentials.

Choose Inventory > Device Management > Credential Profiles to add, edit, delete or copy credential profiles.
You can apply a credential profile during device discovery, when manually adding a device, or during bulk import of
devices.

Figure 9. Creating Credential Profile

Discovering Your Network


Cisco Prime Infrastructure discovers the network automatically using mechanisms such as ping, SNMP
(v1, v2c, and v3), Cisco Discovery Protocol, Link Layer Discovery Protocol (LLDP), and Open Shortest Path First
(OSPF). This section focuses on how best to configure the discovery settings once and automate discovery
going forward.

You can add devices to Cisco Prime Infrastructure in one of the following ways:

- Use an automated process:
  - Discovery Settings
  - Quick Discovery
- Import devices from a CSV file.
- Add devices manually by entering IP address and device credential information.

Preparing the Network for Discovery
Devices must be configured with Cisco Discovery Protocol/LLDP, SNMP (V2, V3), or Telnet/SSH. Advanced
protocols OSPF and BGP can also be used.

For successfully managing a device using Cisco Prime Infrastructure, it is crucial that all the essential protocols be
defined in the device credential for a given device. The following matrix shows what protocols are needed for
various wired and wireless device types.

Device Family SNMP RW Telnet/SSH HTTP


Wireless controllers
Wireless controllers (Cisco IOS XE Software)
Access points
Routers/switches
Medianet-capable routers and switches
Network Analysis Module

Third-party devices

These credentials are sufficient to discover wired as well as wireless networks.

Discovery Settings
This method is recommended if you want to specify settings and rerun discovery in the future using the same
settings. Discovery settings give you complete control over the discovery process.

You can specify various protocols, list of seed devices to be used, subnet range, credential profile/credential, and
management IP address that needs to be used to discover the network. For various discovery settings supported
by Cisco Prime Infrastructure, see the Cisco Prime Infrastructure User Guide.

You can create multiple discovery settings. These specify which protocols are to be used by Cisco Prime
Infrastructure while discovering the network. Discovery can be easily accessed from the Getting Started page
when you log in for the first time or by navigating to Inventory > Device Management > Discovery.

Select Discovery Settings to create a profile and reuse it for discovering devices in the future. Click New
in the discovery settings modal pop-up. The Discovery Settings window opens, where you can configure all the
discovery settings. The window is divided into four sections: Protocol Settings, Filters,
Credential Settings, and Preferred Management IP.

You need to select at least one item from Protocol Settings, SNMP and Telnet/SSH from Credential Settings,
and Preferred Management IP. You can add your subnets manually or use the Import CSV File button to import
all your subnets from a simple CSV file.

After creating discovery settings, you can discover the wired and wireless network. Select the saved discovery
settings and click the Run Now button as shown in the figure. A discovery job is created, and its status can be
monitored on the same page in real time.

Figure 10. Discovery Profile Settings

Scheduling Discovery
In addition to running discovery in real time, you can schedule discovery to run when you want it. Select the
required discovery settings and click Schedule. A modal pop-up opens where you can specify the schedule.
Scheduling is extremely flexible in Cisco Prime Infrastructure. You can run discovery at intervals ranging from
every x minutes to every y years.

Figure 11. Discovery Job Schedule

Quick Discovery
Quick Discovery ping sweeps the network quickly based on the seed IP address you provide and also uses SNMP
polling to get details on the devices.

Importing Devices Manually


If the device list and its credentials are maintained in an Excel sheet, you can import the device list into
Cisco Prime Infrastructure. Navigate to Inventory > Device Management > Network Devices and select
Bulk Import. The Bulk Import pop-up is displayed as shown in Figure 12.

Figure 12. Bulk Import

TIP: Export the device template using the first "here" link. Use the exported CSV file to populate the device
information. This will make sure your import goes through successfully.

Data Center Discovery


Cisco Prime Infrastructure extends coverage to the data center and to the compute infrastructure management
supporting inventory, fault, configuration and performance for Cisco UCS B-series blade and C-series rack servers.
Integration with VMware vCenter supports monitoring and visualization of virtualized servers and VMware
hypervisors operating on Cisco UCS underlay hosts.

VMware vCenter details (Protocol: HTTP/HTTPS; Server: host name/IP address of vCenter; Port: 443 for
HTTPS or 80 for HTTP; User Name/Password: vCenter credential) are needed to discover the complete inventory
of compute resources such as data center, cluster, hosts and VMs (Inventory > Device Management > Compute
Devices > Discovery Sources - Add Device). You need to add a Data Center Hypervisor license to collect the
inventory of the VMware vCenter server.

Figure 13. Adding VMware vCenter Details

Compute devices provide a consolidated view of all the devices that provide compute capability within a Data
Center. You can manage Cisco UCS devices in the same way other network devices are managed.

You can create user defined Hosts and VMs Sub-groups similar to device groups.

Figure 14. Compute Device Details

Validate Discovery
To validate and view the complete list of devices discovered by Cisco Prime Infrastructure, navigate to
Inventory > Device Management > Network Devices. The left pane allows you to filter the devices based on the
device types or user-defined groups that you create.

Figure 15. Discovered Device Inventory

Fixing Credential Errors


At times, you will encounter a few devices that do not have the SNMP strings or the CLI access that you thought
they would have. You can either correct the information on the devices or, if you have another set of
credentials for a different subnet, add it by creating a new credential profile and rerunning the discovery. If
you have only a handful of changes, you can select the particular devices and then click Edit to modify the
credentials.

Figure 16. Edit Device Discovery Credential

Figure 17. Device Inventory Status and Credential Verification

Cisco Prime Infrastructure allows the user to export devices with credentials directly from the GUI. Navigate to
Inventory > Device Management > Network Devices to find the Export Device option, as shown in Figure 18.

Figure 18. Export Device Discovery Credential Information

You can export the device credentials, change them using a spreadsheet application, and import them back.

TIP: If you need to change the credentials for devices in bulk, this method can be used to do that.

Grouping
Device Grouping
Cisco Prime Infrastructure provides the following types of grouping:

- Device type groups: By default, Cisco Prime Infrastructure creates rule-based device groups and assigns
  devices to the appropriate Device Type folder. You cannot edit these device groups. The device type
  groups are not used for network topology maps.
- Location groups: Create location-based groups. Location groups allow you to group devices by location.
  You can create a hierarchy of location groups (such as theater, country, region, campus, building, and floor)
  by adding devices manually or dynamically.

Figure 19. Adding Devices to the Location Group Dynamically

- User-defined groups: Allow you to create your own device groups. These groups can be static or dynamic.

Figure 20. Device Groups in Cisco Prime Infrastructure

Port Grouping
Port grouping helps the user to simplify monitoring and configuration tasks. Cisco Prime Infrastructure allows you
to create groups in addition to the default preconfigured port groups. Port group creation can be accessed from
Inventory > Group Management > Port Groups. If a custom port group needs to be created, you can hover over
User Defined and click the (i) icon to access a pop-up menu for adding a new group.

Figure 21. Creating Port Groups

The WAN Interfaces port group is a special preconfigured port group. The interfaces in this group are your WAN
interfaces that need to be actively monitored. To add WAN interfaces to this group, select all the groups
and filter the WAN interfaces based on interface type, IP address, interface description, or any other
attributes that are used to denote a WAN interface. It is highly recommended to populate this group with your
WAN interfaces to get the most out of this application.

Topology and Maps
Viewing Network Topology
Cisco Prime Infrastructure topology maps are based on location groups. Cisco Prime Infrastructure provides a
visual map of your network's physical topology, including the network devices and the links that connect them.
You must enable Cisco Discovery Protocol on the devices to visualize the links.

Figure 22. Network Topology Maps

Wireless Planning Tool


Cisco Prime Infrastructure provides a built-in planning tool that network administrators can use to determine
what is required to deploy a wireless network. As part of the planning process, various criteria are
entered into the planning tool. Complete these steps:

1. Specify the AP prefix and AP placement method (automatic versus manual).
2. Choose the AP type and specify the antenna for both the 2.4 GHz and 5 GHz bands.
3. Choose the protocol (band) and minimum desired throughput per band that is required for this plan.
4. Enable planning mode for advanced options for data, voice, and location. Data and voice provide safety
   margins for design help. Safety margins help design for certain RSSI thresholds, which are detailed in the
   online help. Monitor mode factors in APs that could be deployed to augment location accuracy. Location
   typically requires a denser deployment than data, and the location check box helps plan for the advertised
   location accuracy.
5. Both the Demand and Override options allow for planning for any special cases where there is a high density
   of client presence such as conference rooms or lecture halls.

The generated proposal contains the following:

- Floor plan details
- Disclaimer/scope/assumptions
- Proposed AP placement
- Coverage and data rate heat map
- Coverage analysis

Wireless Site Map
Cisco Prime Infrastructure site maps represent the geographical locations and physical structures where your
organization maintains network assets. Site maps display the physical locations of network devices including
wireless access points and client devices such as laptops, tablets and mobile phones. They also help visualize
wireless network coverage, including heatmaps, which display signal strength and quality, the locations of RF
interferers, chokepoints, and so on.

Site maps provide a summary view of all your managed systems on campuses, buildings, outdoor areas, and
floors. Cisco Prime Infrastructure allows the user to add maps and view their managed systems on realistic
campus, building, and floor maps.

The features of Cisco Prime Infrastructure site maps are:

- Supports .PNG, .JPG, .JPEG, or .GIF formats.
- Automatically converts images like DXF or DWG CAD files, Qualcomm MET files to your choice of PNG,
  JPG, JPEG, or GIF file formats.
- Automatically resizes the maps to fit the workspace.
- Supports importing Google Earth Maps.

It is recommended not to have more than 100 APs per floor area. If you have monitor mode access points on the
floor plan, coverage heatmap excludes monitor mode access points.

Figure 23. Wireless Site Maps: Floor Settings

Create Sites
There are two ways of creating sites. You can manually create sites by navigating to Inventory > Device
Management > Network Devices > Device Groups and selecting Create Sites.

Figure 24. Site Creation by User Manually

If your access points follow a very consistent naming convention, you can automatically create a site tree map
based on the hostname. Figure 25 shows how the hyphens in a device hostname can be used as
delimiters to create a site map tree automatically.

Figure 25. Automatic Hierarchy Creation

To create automatic site hierarchies, go to Maps > Wireless Maps > Automatic Hierarchy Creation. Enter the AP
hostname and a suitable regular expression (or generate one as mentioned in the tip below). Click Test to see
how the site is created from the hostname. Use the pull-down to map each part to the appropriate campus,
building, floor, device, and so on.

TIP: After entering a sample hostname for an AP, you can click Create basic regex based on delimiter to
automatically generate the regular expression.
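
The hostname-to-site mapping described above, sketched in Python as an added example; it is not Cisco's code and not necessarily the regular expression Prime Infrastructure generates. It assumes a hypothetical campus-building-floor-device naming convention and a constructed hostname list, and it reports the hostnames that do not fit the convention.

```python
import re

# Hypothetical AP naming convention assumed for this example:
#   <campus>-<building>-<floor>-<device>, for instance SJC-B14-F2-AP01
LEVELS = ("campus", "building", "floor", "device")


def basic_delimiter_regex(sample_hostname, delimiter="-"):
    """Derive a basic regex from one sample hostname: one capture group per
    delimited field, anchored so that partial matches are rejected."""
    fields = sample_hostname.split(delimiter)
    if len(fields) < 2 or any(field == "" for field in fields):
        raise ValueError("sample hostname has no usable delimited fields")
    group = "([^{0}]+)".format(re.escape(delimiter))
    return "^" + re.escape(delimiter).join([group] * len(fields)) + "$"


def build_site_tree(hostnames, pattern, levels=LEVELS):
    """Place each hostname in a campus > building > floor tree.

    `levels` names the capture groups in the order they appear in the
    hostname, which plays the role of the per-field pull-down mapping.
    Returns (tree, unmatched); unmatched hostnames need manual placement
    or a corrected hostname."""
    compiled = re.compile(pattern)
    if compiled.groups != len(levels) or set(levels) != set(LEVELS):
        raise ValueError("regex groups and level mapping do not line up")
    tree, unmatched = {}, []
    for name in hostnames:
        match = compiled.match(name.strip())
        if match is None:
            unmatched.append(name)
            continue
        parts = dict(zip(levels, match.groups()))
        floor = (tree.setdefault(parts["campus"], {})
                     .setdefault(parts["building"], {})
                     .setdefault(parts["floor"], []))
        if parts["device"] not in floor:
            floor.append(parts["device"])
    return tree, unmatched


# Constructed sample inventory (not from the original guide).
SAMPLE_APS = [
    "SJC-B14-F2-AP01",
    "SJC-B14-F2-AP02",
    "SJC-B15-F1-AP01",
    "RTP-B3-F4-AP07",
    "SJC-B14-AP09",      # floor field missing
    "RTP-B3-F4-AP-08",   # extra delimiter inside the device name
    "lobby_ap_3",        # different delimiter
]

if __name__ == "__main__":
    regex = basic_delimiter_regex("SJC-B14-F2-AP01")
    tree, unmatched = build_site_tree(SAMPLE_APS, regex)
    print("regex:", regex)
    for campus, buildings in sorted(tree.items()):
        for building, floors in sorted(buildings.items()):
            for floor, devices in sorted(floors.items()):
                print(campus, ">", building, ">", floor, ":", ", ".join(devices))
    print("not placed:", unmatched)
```

Hostnames that end up in the unmatched list are the ones to rename or place by hand before relying on the generated hierarchy.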

Import/Edit Maps from WCS/NCS to Cisco Prime Infrastructure
If you have already created sites for the wireless network in a previous version of WCS or NCS, you can export
from those applications and import the information into Cisco Prime Infrastructure as well. You can go to Maps >
Wireless Maps > Site Maps > Choose File.

Figure 26. Importing Wireless Site Maps

Configuration Management
Managing Configuration Archives
Cisco Prime Infrastructure archives and maintains multiple versions of running and startup configurations.
Configuration Archive settings control how Cisco Prime Infrastructure should manage the archives. Configuration
archive settings can be configured by navigating to Administration > Settings > System Settings > Inventory >
Configuration Archive.

The Basic tab allows users to define protocol order, SNMP timeout, the number of days and the versions to retain,
thread pool count, and other such variables. The Advanced tab allows users to define a command exclude list
for each of the device family types.

Figure 27. Configuration Archive Settings

Comparing Configuration
You can use Cisco Prime Infrastructure to view and compare device configurations. To compare configurations,
navigate to Inventory > Device Management > Network Devices and select the device. Select the Configuration
Archive tab. Select the version of the configuration to compare and select the compare options. The
color-coded configuration differences are displayed instantly, as shown in Figure 28.

Figure 28. Configuration Archive

Image Management
Upgrading the software image of devices to the latest version can be error-prone and time-consuming if a manual
process is followed. Cisco Prime Infrastructure simplifies the deployment of software images to one or many
devices at the same time by letting you plan, schedule, download, and monitor software image update jobs. Cisco
Prime Infrastructure provides software image details, lists recommended software images, and deletes software
images.

Setting Up Image Management


Cisco Prime Infrastructure provides a number of settings that can be accessed from Administration > Settings
> System Settings > Inventory > Image Management. These include team shared cisco.com username/password,
job failure handling options, image and configuration protocol options, and so on. It is recommended to configure
these settings initially so that your preferences are applied when distributing images to managed devices.

Figure 29. Image Management

Importing Software Images
Cisco Prime Infrastructure allows you to import images to the software image library from devices, the local file
system, and by other means.

Figure 30. Import Images

Image Distribution
Images can easily be added to the local repository by choosing Inventory > Device Management > Software
Images > Import. Follow the wizard to import images. Images can be deployed to devices by navigating to
Inventory > Device Management > Software Image. Select the image from the list (once it has been added to the
repository) and click Distribute Images. Once the devices to be upgraded or downgraded are selected, a prerun
status is shown, which helps avoid job failures in the first place. Click Upgrade Analysis to generate a report on this.

Figure 31. Image Repository

Figure 32. Distributing Selected Image to Device

Configuration Templates
Configuration templates follow a design, approve, and deploy workflow. When you have a site, office, or branch that
uses a similar set of devices and configurations, you can use configuration templates to build a generic
configuration that you can apply to one or more devices.

Choosing a Configuration Template


Cisco Prime Infrastructure provides the following types of templates:

- Features and technologies templates - These out-of-the-box templates are specific to a feature or a
  technology and are based on CVD or Cisco best practice recommendations. Features and Technologies templates
  are based on device configurations that focus on specific features or technologies in a device
  configuration. These templates can configure various wired and wireless features on the devices. You can
  customize these templates by duplicating them, editing the copies, and saving them as your own custom
  templates.

Figure 33. Configuration Templates Features and Technologies

- CLI templates - CLI templates use Cisco IOS Software CLI commands. Cisco Prime Infrastructure supports
  system-defined CLI templates and custom CLI templates.
  - System templates - CLI - These are CLI-based, customizable out-of-the-box templates. You can modify a
    system template and save it as a new template, but you cannot delete a system template. On this page, you
    can import or export any template. You cannot import a template under the system-defined folder.
    To view the list of CLI templates, choose Configuration > Templates > Features and Technologies > CLI
    Templates > System Templates - CLI.
  - CLI - This is primarily meant for creating custom configuration templates. A CLI template uses a set of
    reusable device configuration commands, with the ability to parameterize selected elements of the
    configuration and to add control logic statements. The template is used to generate a device-deployable
    configuration by replacing the parameterized elements (variables) with actual values and evaluating the
    control logic statements. CLI templates are based on the Apache Velocity Template Language. CLI templates
    do not have an option to undeploy.

Figure 34. CLI Templates

- Composite templates - You can create a composite template if you have a collection of existing feature or
  CLI templates that you want to apply collectively to devices. You specify the order in which the templates
  contained in the composite template are applied to devices. If you have multiple similar devices replicated
  across a branch, you can create and deploy a "master" composite template to all the devices in the branch.
  This master composite template can also be used later when you create new branches.
  To create a composite template, choose Configuration > Templates > Features and Technologies >
  Composite Templates > System Templates Composite.

Figure 35. Composite Template

Defining Shared Policy Objects


Policy objects enable you to define logical collections of elements. They are reusable, named components that can
be used by other objects and policies. They also eliminate the need to define a component each time that you
define a policy.

Interface roles configuration allows you to group a set of interfaces according to a set of rules and apply the AVC
configuration for that group of interfaces. Navigate to Configuration -> Templates -> Shared Policy Objects.
Select Interface Role. Create the new interface roles.

Figure 36. Shared Policy Objects

Wireless Controller Configuration


You can use the system templates to configure the wireless controllers. Another way to achieve this along with
other benefits is by means of controller configuration groups. Configuration groups are an easy way to group
controllers logically. This feature provides a way to manage controllers with similar configurations. You can first
create templates to configure different features and apply them to a particular configuration group. Templates can
also be extracted from existing controllers to provision new controllers. Configuration groups can also be used to
schedule the provisioning of configuration sets. Controller reboots can also be scheduled or cascaded
depending on operational requirements. Mobility groups, Dynamic Channel Assignment (DCA), and controller
configuration auditing can also be managed using configuration groups.

Figure 37. WLAN Configuration

Configuration groups are used for grouping sites together for easier management (mobility groups, DCA, and
regulatory domain settings) and for scheduling remote configuration changes. Configuration groups can be
accessed from Configuration > Templates > Controller Configuration Groups.

RRM/Clean Air
RF profiles and groups are supported in Cisco Prime Infrastructure for both RF profile creation templates and AP
group templates. Creating the RF profiles through templates in Cisco Prime Infrastructure gives the administrator
a simple way to create and apply templates consistently to groups of controllers.

Build RF Profiles
Cisco Prime Infrastructure provides two ways for building or managing an RF profile. To access profiles for an
individual controller, navigate to Configuration > Network > Network Devices, select a controller, click the
Configuration tab, and choose 802.11 > RF Profiles.

Figure 38. RF Profiles

Figure 39 displays all the RF profiles currently present on the chosen controller and allows you to make changes to
profiles or AP group assignments.

Figure 39. RF Profile Template

When you create a new profile, Cisco Prime Infrastructure prompts you to choose an existing template. The first
time you access this, you are directed to the Template Creation dialog for an 802.11 controller template.

Figure 40. Features and Technologies RF Profile Template

You can also choose Configuration > Templates > Features & Technologies > Controller > 802.11 > RF
Profiles (see Figure 41) to navigate to the controller template launch pad directly.

In both cases, a new RF profile is created in Cisco Prime Infrastructure through the use of a template. This is a
recommended method, since it allows the administrator to use the workflow of Cisco Prime Infrastructure and apply
templates and configurations to all or select groups of controllers and reduce configuration errors and mismatches.

Apply RF Profiles to AP Groups


New RF profiles can be applied to a controller through the AP groups to which they are assigned. Choose
Configuration > Templates > Features & Technologies > Controller > WLANs and choose AP Groups as
shown in Figure 41.

Figure 41. Select an AP Group and RF Profile

In Cisco Prime Infrastructure, you can choose the Venue Group tab to add venue information as well.
(See Figure 42.)

Figure 42. Venue Group

When you save the template, a warning message may appear. Changing the interface that the assigned WLAN
uses disrupts the VLAN mappings for FlexConnect APs applied in this group. Make sure that the interface is the
same before you proceed. Choose Deploy.

Choose the controllers to which the template needs to be applied as shown in Figure 43.

Figure 43. Choose Controllers

Only access points attached to controllers where the AP group was deployed successfully with the RF
profiles applied are available to select from (click Apply to Access Points).

Note: Until this point, no real changes were made to the RF infrastructure, but this changes when APs that
contain new RF profiles are moved into the group. When an AP is moved into or out of an AP group, the AP
reboots to reflect the new configuration.

Choose the APs you want to add to the AP group and click OK. A warning message appears. Cisco Prime
Infrastructure displays the status of the change.

Automated Deployment
Cisco Prime Infrastructure helps automate the deployment of new devices on the network by obtaining and
applying the necessary software image and configuration on a new network device. Using features such as Cisco
Network Services (CNS) call-home, APIC-EM (Application Policy Infrastructure Controller) call-home and Cisco
IOS Software auto-install (which uses DHCP and TFTP), Cisco Prime Infrastructure reduces the time a new device
takes to join the network and become functional.

The Plug and Play feature of Cisco Prime Infrastructure allows you to create templates to define features and
configurations that you can reuse and apply to new devices. You can streamline new device deployment by
creating bootstrap templates, which define the necessary initial configuration, to communicate with Cisco Prime
Infrastructure. You can specify (and predeploy) software images and configurations that will be added to the
devices in the future. See the Cisco Prime Infrastructure User Guide for detailed steps using automated
deployment.

Compliance
Cisco Prime Infrastructure allows you to define device configuration baselines and audit policies, which help to
identify and fix any device configuration deviations from the baseline. You can schedule a compliance audit job
against multiple devices and get an audit report that indicates if any configurations deviate from the specified
baseline.

Prerequisites
Compliance Baseline Audit is available when Cisco Prime Infrastructure is deployed using either of the following
options:

- Professional OVA Virtual appliance
- Cisco Unified Computing System (Cisco UCS) Gen 2 physical appliances

By default, the Compliance Service feature is disabled. To enable compliance auditing, choose Administration >
Settings > System Settings > General > Server, then enable Compliance Service (see Figure 44).

Figure 44. Enabling Compliance Service in Cisco Prime Infrastructure 3.0

The Cisco Prime Infrastructure server must be restarted for the changes to take effect. No additional licenses are
required to use the compliance baseline audit feature.

Creating Compliance Policy


A compliance policy is a set of conditional rules against which your network device configurations are validated.
You can use the predefined policies or create your own policies.

To create a new compliance policy, navigate to Configuration > Compliance > Policies. Click the Add (+)
button to create a compliance policy, and enter a name for the policy.

Upon policy creation, you can define one or more conditional rules for each compliance policy. Refer to the Cisco
Prime Infrastructure User Guide for more details on the rule inputs and parameterization of user inputs.

Figure 45. Compliance Policies

Creating Policy Profiles


Once compliance policies have been defined, group one or more policies under a Compliance Profile. Profiles are
sets of one or more policies, intended as a unit of comparison against the network device configurations.

Follow the steps below to create a policy profile.

- Browse to Configuration > Compliance > Profiles and add a new profile.
- Once the profile is created, use the Compliance Policy selector to select the desired policies, from the
  system-defined or user-defined policies, to be grouped.
- Multiple policies can be selected and grouped.
- For each compliance policy, you have the option to use one or more of the rules defined.

Figure 46. Compliance Policy Profile

Run Compliance Audit


Once a policy profile is created by grouping the compliance policies, compliance baseline auditing can be
performed. Follow the steps below to run the compliance audit job.

- Choose Configuration > Compliance > Profiles, select a profile, and click the Run compliance Audit icon
  (lightning bolt icon).
- Select the devices to be audited and the corresponding configuration to be checked (use the latest archived
  configuration or use the current configuration).
- Specify the desired job scheduling and recurrence (standard Cisco Prime Infrastructure job framework
  selection options are available).

The Compliance Job Dashboard lists the compliance audit jobs as well as violation fix jobs. To view the details of a
job result, click Last Run Result. Results may be exported in PDF and CSV formats.

You can view details of Violations by Device and select the specific fixes to be included in a Fix Job, along
with an option to preview the Fix CLI.

Figure 47. View Compliance Audit Job

View Violation Summary


Violations raised during the compliance audit can be viewed under Compliance > Jobs > Violation Summary.
The violation summary can also be exported in PDF and CSV formats.

Figure 48. Violation Summary
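
The policy, profile, audit, violation and fix-preview flow described in this section can be modelled offline as follows. This is an added illustration, not Cisco's implementation or rule syntax: the rule fields, policy names, device names and both sample configurations are hypothetical and constructed for the example.

```python
import re
from collections import namedtuple

# Rule: pattern is a regex tested against each line in scope; must_match=True
# means a matching line is required, False means it is forbidden; fix is the CLI
# offered in the fix preview; block (optional regex) scopes the rule to sub-mode
# blocks such as "line vty ..." instead of the global configuration.
Rule = namedtuple("Rule", "title pattern must_match fix block", defaults=(None,))
Policy = namedtuple("Policy", "name rules")
Violation = namedtuple("Violation", "device policy rule scope fix_cli")

def parse_blocks(config):
    """Split an IOS-style config into (top-level line, [indented child lines])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blank lines and "!" separators
        if raw[0].isspace():
            if blocks:                    # child line of the last top-level line
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.rstrip(), []))
    return blocks

def audit_device(device, config, profile):
    """Evaluate every rule of every policy in the profile against one config."""
    blocks = parse_blocks(config)
    violations = []
    for policy in profile:
        for rule in policy.rules:
            if rule.block is None:
                scopes = [("global", [head for head, _ in blocks], ())]
            else:
                scopes = [(head, kids, (head,)) for head, kids in blocks
                          if re.search(rule.block, head)]
            for scope, lines, prefix in scopes:
                found = any(re.search(rule.pattern, line) for line in lines)
                if found != rule.must_match:
                    indent = " " if prefix else ""
                    fix = prefix + tuple(indent + cmd for cmd in rule.fix)
                    violations.append(
                        Violation(device, policy.name, rule.title, scope, fix))
    return violations

def run_audit(archive, profile):
    """Audit each archived configuration; returns {device: [Violation, ...]}."""
    return {dev: audit_device(dev, cfg, profile) for dev, cfg in archive.items()}

# Hypothetical policies grouped into one profile.
PROFILE = (
    Policy("Management access", (
        Rule("SSH version 2 enabled", r"^ip ssh version 2$", True, ("ip ssh version 2",)),
        Rule("HTTP server disabled", r"^ip http server$", False, ("no ip http server",)),
        Rule("No Telnet on VTY lines", r"^transport input .*\b(telnet|all)\b", False,
             ("transport input ssh",), block=r"^line vty "),
    )),
    Policy("Credential hygiene", (
        Rule("Password encryption service on", r"^service password-encryption$", True,
             ("service password-encryption",)),
    )),
)

# Constructed sample configurations standing in for the latest archived versions.
ARCHIVE = {
    "branch-rtr-1": """\
hostname branch-rtr-1
service password-encryption
ip http server
ip ssh version 2
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
""",
    "branch-sw-1": """\
hostname branch-sw-1
no ip http server
!
line vty 0 4
 transport input ssh
""",
}

if __name__ == "__main__":
    for device, found in run_audit(ARCHIVE, PROFILE).items():
        print(f"{device}: {len(found)} violation(s)")
        for v in found:
            print(f"  [{v.policy}] {v.rule} ({v.scope})")
            for line in v.fix_cli:
                print(f"    fix> {line}")
```

Block-scoped rules report the exact sub-mode that violates the baseline, so the fix preview for `branch-rtr-1` touches only `line vty 0 4` and leaves the compliant `line vty 5 15` alone.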

PSIRT and EoX Reports


Cisco Prime Infrastructure helps to determine if any managed devices in the network have any security
vulnerabilities as identified by the Cisco Product Security Incident Response Team (PSIRT). The report also
includes documentation about the specific vulnerability that describes the impact of the vulnerability and any
potential steps that need to be applied.

Cisco Prime Infrastructure also gives you an option to run a report to determine if any Cisco device hardware or
software in the network has reached its end of life (EOX). This can help determine the product upgrade and
substitution options.

Browse to Reports > Reports > PSIRT and EOX.

Figure 49. PSIRT Reports

Figure 50. EoX Reports

Clients and Users


All clients (wired and wireless) available in the network and discovered by Cisco Prime Infrastructure are displayed
in the Clients and Users page (Monitor -> Monitoring Tools -> Clients and Users).

Figure 51. Clients and Users

Wired clients display AP name as N/A. Switch port information is provided in interfaces column, as shown in
Figure 51.

Client Troubleshooting
Cisco Prime Infrastructure also provides monitoring and troubleshooting for wired and wireless clients. SNMP is
used to discover clients and collect client data. Cisco Identity Service Engine (ISE) is polled periodically to collect
client statistics and other attributes to populate related dashboard components and reports. In order to launch the
client-troubleshooting tool, select the client, and click Troubleshoot.

Figure 52. Client Troubleshooting Tool

Log messages can be retrieved from the controller using the Log Analysis tool, as shown in Figure 53.

Figure 53. Debug Client Issues

The Event history tool and the Test analysis tool (CCX5 clients) can also be used for wireless client
troubleshooting. Cisco Prime Infrastructure can also be used for troubleshooting wired clients.

Cisco Prime Infrastructure manages the wired and the wireless clients in the network. You can get enhanced
information using the Cisco Identity Services Engine (ISE) or Cisco Secure Access Control (ACS) View servers or
Cisco Mobility Services Engine (MSE). Hence, Cisco Prime Infrastructure provides complete visibility of users
and managed clients.

ISE Integration
When Cisco ISE is used as a RADIUS server to authenticate clients, Cisco Prime Infrastructure collects additional
information about these clients from Cisco ISE and makes all client-relevant information visible in a single
console.

You can get enhanced information about managed clients using the Cisco ISE.

If Cisco Prime Infrastructure is integrated with an ISE server (to access endpoint information), you can:

- Check the endpoint type.
- Identify possible problems with the end user's authentication and authorization for network access.
- View the bandwidth utilization for wired clients.

Note: Cisco Prime Infrastructure displays ISE Profiling attributes only for authenticated endpoints.

A maximum of two ISEs can be added to Cisco Prime Infrastructure. If you add two ISEs, one should be primary
and the other should be standby. When you are adding a standalone node, you can add only one standalone node
and cannot add a second node.

To add an Identity Services Engine, browse to Administration -> Servers -> ISE Servers.

From the Select a command drop-down list, choose Add ISE Server, then click Go. Complete the required fields,
then click Save.

Figure 54. Identity Services Engine

Note: The credentials should be superuser credentials local to ISE. Otherwise, ISE integration does not work.

MSE Integration
Cisco Prime Infrastructure, when integrated with Cisco Mobility Service Engine, can provide a single unified view by
extracting location and posture information of managed clients. WIPS profiles can also be deployed.

You can add an MSE by navigating to Services -> Mobility Services -> Mobility Services Engines. Select Add
Mobility Services Engine from the command drop-down list, and click Go.

In this dialog box, you can add licensing files, tracking parameters, and assign maps to the MSE. If you launch the
wizard with an existing MSE for configuration, then the Add MSE option appears as Edit MSE Details.

Figure 55. Mobility Service Engine

For detailed information on MSE, see the Cisco Prime Infrastructure User guide.

Monitoring
Monitoring Policies
Cisco Prime Infrastructure uses monitoring policies to monitor devices against the thresholds you specify. When
the thresholds that you specify are reached, Cisco Prime Infrastructure issues an alarm.

By default, Cisco Prime Infrastructure polls:

- Device health metrics on supported routers, switches and hubs. Storage devices and Cisco UCS series
  devices are not monitored by the default health policy.
- Port group health metrics.
- Interface health metrics on WAN interface groups, AVC, and Cisco UCS.

Note: Cisco Prime Infrastructure uses monitoring policies only for wired devices.

Choose Monitor -> Monitoring Tools -> Monitoring Policies -> Auto monitoring. Cisco Prime Infrastructure
polls SNMP objects to gather monitoring information for the device and interface parameters.

Figure 56. Auto Monitoring

You can add new monitoring policies to monitor network device metrics and alert you to changing conditions before
the issues impact device operation. Choose Monitor > Monitoring Tools > Monitoring Policies > My Policies.
Then click Add. Select the Policy Types, configure the parameters and thresholds, and click Save
and Activate to activate the policy on the selected devices.

Figure 57. Monitoring Policy

Cisco Prime Infrastructure displays the summary information in several different dashboards that contain graphs
and visual indicators. The Overview dashboards display dashlets for the network device summary graph, system
health, interface health metrics, Top N CPU and memory utilization, and so on.

Viewing Alarms and Events


Alarms and events provide a single page view of all alarms and events for wired and wireless infrastructure. Alarms
can be viewed by navigating to Monitor > Monitoring Tools > Alarms and Events.

Almost all of the tables in Cisco Prime Infrastructure have a quick filter widget. This allows you to quickly filter
through the table, especially when there are many rows involved. This is very useful with alarms and events or
clients and users. Figure 58 shows the different quick filtering options available to you.

Figure 58. Quick Filter

The Advanced Filter, as the name implies, allows you to filter on the content with complex rules. These filters can
be saved for one-click use, the next time they are needed.

Figure 59. Advanced Filter

Configuring Alarm Severity
Choose Administration -> Settings -> System Settings to change the default severity level of an alarm. Under the
Alarms and Events section, select Alarm Severity and Auto Clear. Select the Event type and click Severity
Configuration. From the Configure Severity Level drop-down list, choose a severity level.

Figure 60. Severity Configuration Page

Customizing Traps and Syslogs


Defining Custom Trap Events
Cisco Prime Infrastructure recognizes additional traps and helps to customize and create events and alarms for
these traps. You can specify a trap notification name, specify the event severity, and message to use when the
specified trap is received. Cisco Prime Infrastructure creates an event with the settings you specify. Choose
Monitor -> Monitoring Tools -> Alarms & Events.

Figure 61. Adding Custom Trap Event

In the Events tab, click Custom Trap Events. Click Add in the Custom Trap Events window, select a MIB and
Notification Name, specify the default severity level, and then click OK.

Cisco Prime Infrastructure creates a new event type and alarm condition for the specified trap.

Defining Custom Syslog Events


You can enable Cisco Prime Infrastructure to create events for particular syslogs. You can specify a syslog
message identifier, and specify the event severity and message to use when the specified syslog is received. Cisco
Prime Infrastructure creates an event with the settings you specify.

Choose Monitor -> Monitoring Tools -> Alarms & Events. In the Syslog tab, click Custom Syslog Events.
Click Add and complete all the required fields, and click OK.

Figure 62. Adding Custom Syslog Event

Forwarding Alarms as Traps to Notification/Trap Receivers


You can configure notification receivers, which support northbound access and guest access. Alerts and events
are sent as SNMPv2 and SNMPv3 notifications to the configured notification receivers. You can add and remove
notification receivers from Administration > Settings > System Settings > Alarms and Events > Notification
Receivers.

Figure 63. Notification Receivers

AVC and QoS Configuration
Monitoring Application and Services
Network administrators need to gain visibility into applications running on the network and their performance, and
to see the different types of traffic and their performance in greater detail. They should be able to quickly isolate
and troubleshoot application performance issues. They can define policies to control and tune the performance of
the different applications. Service assurance dashboards in Cisco Prime Infrastructure help to provide a granular
and detailed view of assurance features.

Cisco Application Visibility and Control (AVC) is a solution that offers application awareness in the network.
AVC incorporates application recognition and performance monitoring capabilities. When coupled with network
management tools, AVC provides a powerful and pervasive integrated solution for discovering and controlling
applications within the network.

Prerequisites
- Make sure that the devices on which you have to enable AVC are fully managed (in Device Work Center).
- Make sure that the site/location-based groups are created and the endpoints (devices) that need to be
  monitored are associated with the corresponding sites.
- An interface role (Shared Policy Objects) should be created for the wired devices before using the AVC
  template.

AVC Supported Platforms


Platforms       Minimum Software version required
ASR 1000        15.3(1)S1 and later
ISR G2          15.2(4)M2 and later
ISR 4451-X      15.3(2)S
CSR 1000        15.3(2)S
WLC             7.4

Readiness Assessment
Readiness assessment allows you to analyze the routers in your network and determine whether these devices are
capable of running AVC.

Choose Services -> Application Visibility and Control -> Readiness Assessment.

Figure 64. Readiness Assessment

The table view provides all the relevant information for the devices and also suggests whether these devices are
AVC capable or not. It provides recommendations for AVC capable devices to make them AVC configurable.

AVC Configuration
Different Approaches to Enable AVC
There are three different approaches to enable AVC on routers.

- Use the one-click option to enable it on a single interface or multiple interfaces of a router, if this is your
  first time with AVC.
- Use the template option to enable AVC on multiple devices based on the interface role.
- Enable AVC on multiple interfaces and multiple devices, for which you can use the location- and device-based
  filters. This method also allows you to configure QoS if needed. See the AVC Solution Guide for
  more details.

Enabling AVC on Wireless Controllers


Feature design templates in Cisco Prime Infrastructure can be used to enable AVC on the controllers. First create
an exporter configuration template, then create a monitor template that maps the exporter template, and then
deploy the monitor template on the controllers. See the AVC Solution Guide for more details.

Associate Endpoints to Sites


Now that you have created all the sites where your network equipment is staged, it is time to map those sites to
their respective subnets, data sources, and VLANs. This allows Cisco Prime Infrastructure to see the traffic flow,
especially when it comes to application performance. To create an endpoint, navigate to Services >
Application Visibility & Control > Endpoint Association. Figure 65 shows how various sites are mapped to
their subnets. In addition to the subnet mask, you can also specify the default data source desired for that site.

Figure 65. Endpoint Association

Managing Netflow Data Sources


Cisco Prime Infrastructure can collect NetFlow from data sources directly. In the case of the Cisco Prime Network
Analysis Module (NAM), Cisco Prime Infrastructure collects all the information from the NAM natively.

To view all the data sources exporting NetFlow to Cisco Prime Infrastructure, navigate to Service -> Application
Visibility & Control -> Data Sources. The Device Data Sources lists all the devices that are actively sending
NetFlow data to Cisco Prime Infrastructure. The NAM Data Collector lists all the NAMs that have been discovered
or added to the inventory. You can select a NAM and enable/disable data collection from them.

Figure 66. Data Sources

Viewing AVC Metrics


Cisco Prime Infrastructure shows performance-related metrics for applications in the following dashboards:

- Dashboard -> Overview -> Service Assurance
- Services -> Application Visibility and Control -> Service Health
- Dashboard -> Performance (all of the dashboards)

Classify Unknown Traffic by Defining Custom Application


Cisco Prime Infrastructure helps to define custom applications that you can deploy on the device and let Cisco
Prime Infrastructure monitor these applications. Choose Services -> Application Visibility & Control ->
Applications and Services and click Create.

Figure 67. Application and Services

Provide an application name and the selector ID. Select the Business Critical check box if you would like this
custom application to be marked as such.

Updating Application Definitions (NBAR2 Protocol Pack)


NBAR2 Protocol packs can be uploaded to Cisco Prime Infrastructure to recognize any new applications. Choose
Services -> Application Visibility & Control -> NBAR2 Protocol Pack Management. Using the Import option,
you can update the protocol pack.

Multi-NAM Capabilities within Cisco Prime Infrastructure


Cisco Prime Infrastructure can serve as a central manager of managers (MoM) if multiple NAMs are deployed in
the network. Some of the functionality that Cisco Prime Infrastructure can help with includes:

- Centralized monitoring of NAM health.
- Deploying configurations to multiple NAMs using the CLI configuration templates.
- Upgrading NAMs using software image management capabilities.
- Using one-click packet capture from multiple NAMs based on a capture policy.
- Proactively capturing packets using threshold breaches.

All of these allow you to use Cisco Prime Infrastructure to effectively manage the NAMs, thus making it a very good
and stable data source for application visibility.

Netflow Dashlets
The following table lists the dashlets which help in monitoring the Netflow data in Cisco Prime Infrastructure.

Grouping of Dashlets             Dashlet Names
Site Specific Dashlets           Application Usage Summary
                                 Top N Application Groups
                                 Top N Applications
                                 Top N Applications with Most Alarms
                                 Top N Clients (In and Out)
                                 Top N VLANs
Application Specific Dashlets    Application Configuration
                                 Top N Applications
                                 Top Application Traffic over Time
                                 DSCP Classification
                                 IP Traffic Classification
                                 Client Conversations
                                 Top N Clients (In and Out)
                                 Client Traffic
                                 Number of Clients over Time

Lync Monitoring
Cisco Prime Infrastructure can monitor the Microsoft Lync traffic in your network. It processes and filters Microsoft
Lync quality update messages and aggregates Microsoft Lync calls. You can view volume trends over time and get
a summary of call types, including filtering based on time and location groups. You can also view individual calls
and troubleshoot individual call streams.

Setting Up Microsoft Lync Monitoring
Cisco Prime Infrastructure must be registered as a receiver of Microsoft Lync data in order to monitor and provide a
centralized view of how Microsoft Lync is deployed in your network.

On your Microsoft Lync SDN server, edit the LyncDialogListener.exe.config file to add the following lines. The
LyncDialogListener.exe.config file is located in the Lync SDN API installation directory at the following default
location: C:\Program Files\Microsoft Lync Server\Microsoft Lync SDN API.

<add key="submituri" value="https://PI_server_name/webacs/lyncData"/>

Where https://PI_server_name is the name of your Cisco Prime Infrastructure server as specified in the Trusted Root
Certification Authorities certificate.

<add key="clientcertificateid" value="value"/>

Where value is the certificate value of your Cisco Prime Infrastructure server as specified in the Trusted Root
Certification Authorities certificate.

Alternatively, if you use the Microsoft SDN interface to enter your Cisco Prime Infrastructure server details, you must
accept the SSL certificate in order to enable XML communication over secure HTTP. After you register Cisco
Prime Infrastructure as a receiver of Microsoft Lync data, all Microsoft Lync details are sent to Cisco Prime
Infrastructure.

Monitoring Microsoft Lync


To monitor Microsoft Lync data, browse to Services -> Application Visibility & Control -> Lync Monitoring.
Colored bars represent the different call types and the respective call volume over the specified time period. The
Lync Conversations table lists the aggregated conversations for the call type you select from the bar chart. Click
the arrow next to a Caller to expand and view the details of that conversation, from the Caller to the Callee.

Cisco Prime Infrastructure displays the call metrics for the selected conversation.

Figure 68. Lync Monitoring

PfR Monitoring
Performance Routing (PfR) monitors network performance and selects the best path for each application based on
advanced criteria such as reachability, delay, jitter and packet loss. PfR can evenly distribute traffic to maintain
equivalent link utilization levels using an advanced load balancing technique.

PfR Version 3 (PfRv3) is an intelligent path control component of the IWAN initiative and provides a business-class
WAN over internet transports. PfR allows customers to protect critical applications from fluctuating WAN
performance while intelligently load balancing traffic over all WAN paths.

Cisco IOS Software PfR makes real-time routing adjustments based on application criteria such as response time,
packet loss, jitter, path availability, interface load, and circuit cost minimization.

Browse to Services -> Application Visibility & Control -> PfR Monitoring. The PfR landing page includes the Site to
Site PfR Events table, a filter panel, the Metrics panel (Metrics Crossing Thresholds versus Service Provider(s)),
and a time slider.

Figure 69. PfR Monitoring

The Metrics panel displays the metrics gathered using the TCA, as charts. Each service provider is represented by
a unique color in the chart. The charts available in the Metrics panel are:

Unreachability over time
Maximum Delay over time
Maximum Jitter over time
Maximum Packet loss% over time

The Site to Site PfR events table displays site to site PfR events including Threshold Crossing Alert (TCA), Route
change (RC) and Immitigable event (IME). By default, the PfR events that occurred over the last 72 hours are
displayed.

Site-to-Site PfR Topology
The site to site topology consists of nodes representing border router, master controller, and service provider. The
egress and ingress orange links represent the WAN link connectivity between border routers and service provider,
and blue links connect the border router and master controller.

Click a node to view the device metrics pop-up window from where you can navigate to the corresponding device
context page. Click a link to view the link metrics pop-up window from where you can navigate to the link context
page. Click Launch Interface Dashboard in the Link Metrics pop-up window to view the Interface dashlets in the
Performance dashboard.

Figure 70. Site-to-Site PfR Topology

Comparing WAN Interfaces


The Compare WAN Interfaces page shows the WAN link usage and performance of the selected WAN interfaces.
It compares the Egress Bandwidth (B/W) usage, the number of TCAs, RCs and IMEs that occurred, and the number of
applications routed for the selected WAN interfaces.

Figure 71. Comparing WAN Interfaces

Dashboards
The Cisco Prime Infrastructure user interface is based on HTML5, which makes the application tablet friendly. Flash
has been removed from the product.

Dashboard Customization
Easy visualization and customization of data views is possible in Cisco Prime Infrastructure. There are two different
ways of customizing the dashboards:

Adding your own dashboard in addition to the existing dashboards.
Adding/moving dashlets (also known as portlets) from one dashboard to another.

Navigate to any of the existing dashboards under the Dashboards menu. Use the Settings in the top right corner of
the dashboard to add a new dashboard. A new dashboard will be created under the current dashboard tree. The new
tab appears immediately.

Figure 72. Add Dashboard

The next step is to populate the new dashboard that you created with dashlets. There are about 50 preconfigured
dashlets that you can use for various dashboards.

Figure 73. Add Dashlet

A new dashlet can be added to the dashboard where you want it to appear. Use Add Dashlet(s) under Settings to
view the list. Once you see the list of dashlets, you can add the appropriate dashlet to the dashboard.

Customizing the Dashlet Content

Figure 74. Dashlet Customization

We can customize the dashboard and also the content within the dashlets. You can select the pencil icon in the
title bar of any dashlet to customize the dashlet content. This will expose all the configurations that can be tweaked
for a given dashlet. You can use the various options available to select and configure as needed. Each dashlet has
its own configuration parameters. Once you are done, click Save and Close to view the data.

Remediation Tools
Wireless Remediation
The following tools available within Cisco Prime Infrastructure may be used in order to remediate wireless issues:

Cisco CleanAir
Client Troubleshooting
AP Troubleshooting
Audit Tool
Security Dashboard
Switch port Tracing (SPT)
Contextual device 360-degree views for easy access to assorted tools:
    Ping
    Traceroute
    Cisco Discovery Protocol Neighbors
    WLAN and SSID information
    Active AP and client count

Apart from these key tools, you can find more tools by navigating to Monitor > Wireless Technologies or
Monitor > Tools.

Wired Remediation
The following tools within Cisco Prime Infrastructure can be used to remediate wired issues:

Wired Client Troubleshooting
Ad Hoc and Automated Packet Capture
Device Work Center
Contextual device 360-degree views for easy access to assorted tools:
    Ping
    TraceRoute
    Cisco Discovery Protocol Neighbors
    Config Diffs
    Inventory Details
    Network Audits
    Support Forums

Figure 75. Device 360 Views

Trigger Packet Capture from Cisco Prime Infrastructure


Cisco Prime Infrastructure provides a very flexible solution for capturing packets throughout your network. You can
either manually trigger a packet capture or automatically specify the capture based on some advanced parameters,
so that it will be triggered once a threshold level is breached. In both of these solutions, packets can be captured
locally on the NAM or they can be stitched from multiple NAMs and stored in Cisco Prime Infrastructure. Packet
captures can also be triggered on the ASR 1Ks.

Manual Packet Capture from Cisco Prime Infrastructure


To do an ad hoc packet capture, navigate to Monitor > Tools > Packet Capture > Capture Sessions. To create a new
profile, click Create and fill in all the criteria for capturing particular traffic. If you need to capture a
particular type of traffic all the time, it may be a good idea to proactively create those profiles and test them
before automating them, as described in the next section.

Figure 76. Packet Capture Session

Automating Packet Capture Using Cisco Prime Infrastructure


There are times when you want to capture packets based on a trigger. There is no way to anticipate the time of the
trigger. For example, if you are trying to meet the SLA for AvgRespTime for an application, you may want to start
the packet capture if the response time exceeds the predefined time. You can easily achieve this by combining
threshold and packet capture in Cisco Prime Infrastructure. Navigate to Monitor > Monitoring Tools > Monitoring
Policies > Add > Traffic Analysis. By clicking a threshold template, you can create a new instance from it. To
change any of the thresholds, select that row and edit the threshold as shown in Figure 77. You can see that
we have chosen to alert and start capturing SharePoint traffic if the AvgRespTime exceeds the default value.

Figure 77. Automate Packet Capture

Decoding Packet Capture Using Cisco Prime Infrastructure


Once the packets are captured, there are two options to decode them. The easiest way is to select the packet
capture session and click Decode from the Packet Capture homepage (Monitor > Tools > Packet Capture). The
capture decode is shown in a pop-up window, which makes it extremely easy to evaluate each and every packet.

You could also click Export and the .pcap file will be downloaded directly to the client PC. This is useful if you
need to perform advanced troubleshooting on the capture decode. There is a dimmed Merge button between the
Decode button and the Export button, which can be used to merge the .pcap files if more than one file is selected.

TIP: If the capture file is not very large (that is, not on the order of GB), it makes sense to decode it in Cisco Prime
Infrastructure instead of jumping over to the NAM. Otherwise, you should use NAM instead of Cisco Prime
Infrastructure for decoding very large capture files.

Figure 78. Packet Capture

Reports
A wide variety of preconfigured reports can be used for up-to-date information on the network, including detailed
inventory, configuration, compliance, audit, capacity, end of sale, security vulnerabilities, and many more.
Reports can be scheduled or run immediately, emailed, or saved as PDFs for future viewing purposes. Composite
reports help to group multiple reports. Navigate to Reports > Report Launchpad to generate various reports.

Figure 79. Report Launch Pad

REST API
Cisco Prime Infrastructure R/W REST APIs can be used to integrate with any in-house OSS systems. For details,
see the REST API documents in the Cisco Prime Infrastructure 3.0 API Reference Guide.

High Availability
The Cisco Prime Infrastructure High Availability (HA) implementation allows one primary Cisco Prime Infrastructure
server to failover to one secondary (backup) Cisco Prime Infrastructure server. A second server is required that
has sufficient resources (CPU, hard drive, network connection) in order to take over Cisco Prime Infrastructure
operation in the event that the primary Cisco Prime Infrastructure system fails. In Cisco Prime Infrastructure, the
only HA configuration supported is 1:1 (1 primary system, 1 secondary system).

Prerequisites
The size of the secondary server must be larger than or equal to that of the primary server; for example, if the
primary Cisco Prime Infrastructure server is the Express Plus OVA, then the secondary Cisco Prime Infrastructure
server must be the Express Plus or larger.

The primary and secondary servers cannot be a mix of a physical and a virtual appliance. For example, if the
primary Cisco Prime Infrastructure server is a virtual appliance, the secondary server can't be a physical appliance.
The secondary server should be a virtual appliance with the same or a larger OVA.

Customers must be running the same version of Cisco Prime Infrastructure and should be at the same patch level
on both the primary and secondary Cisco Prime Infrastructure servers.

The Cisco Prime Infrastructure HA feature is transparent to the wireless controller, that is, there is no software
version requirement for the Cisco Wireless LAN Controller (WLC), access points (APs), and the Cisco Mobility
Services Engine (MSE).

Licensing
An RTU (right-to-use) license is required to deploy Cisco Prime Infrastructure in HA implementation. Only one
Cisco Prime Infrastructure server license needs to be purchased. There is no need to purchase a license for the
secondary Cisco Prime Infrastructure server. The secondary server will use the license from the primary when a
failover occurs. The same Cisco Prime Infrastructure license file resides on both the primary and secondary Cisco
Prime Infrastructure servers. The license file is only active on one system at any given point in time.

High-Availability Setup
Cisco Prime Infrastructure HA can also be deployed with geographic separation of the primary and secondary
servers. This type of deployment is also known as disaster recovery or geographic redundancy.

HA Modes
There are two HA modes: failover and failback. After initial deployment of Cisco Prime Infrastructure HA, the
entire configuration of the primary Cisco Prime Infrastructure server is replicated to the host of the secondary Cisco
Prime Infrastructure server. During normal operation (that is, when the primary Cisco Prime Infrastructure server is
operational), the database and application data files from the primary server are replicated to the secondary Cisco
Prime Infrastructure server. Replication frequency is 11 seconds (for realtime files) and 500 seconds (for batch
files).

Failover
Failover is the process of activating (automatically or manually) the secondary server in response to a detected
failure on the primary server. Health Monitor (HM) detects failure conditions using the heartbeat messages that the
two servers exchange. If the primary server is not responsive to three consecutive heartbeat messages from the
secondary, it is considered to have failed. During the health check, HM also checks the application process status
and database health; if there is no proper response to these checks, these are also treated as having failed.

Failback
When the issues on the server that hosts the primary Cisco Prime Infrastructure server have been resolved, failback
can be manually initiated. Once this is done, the screen is displayed on the secondary Cisco Prime Infrastructure
server. When you initiate failback, the Cisco Prime Infrastructure database on the secondary Cisco Prime
Infrastructure server and any other files that have changed since the secondary Cisco Prime Infrastructure server
took over Cisco Prime Infrastructure operation are synchronized between the secondary and the primary Cisco
Prime Infrastructure servers.

Figure 80. Health Monitor Details in Fallback

Manual/Automatic Options
Automatic Failover
Automatic failover is a much simpler process. The configuration steps are the same except that automatic failover
is selected. Once automatic failover is configured, the network administrator does not need to interact with the
secondary HM for the failover operation to take place. Only during failback is human intervention required.

Manual Failover
This is the recommended mode of Failover in Cisco Prime Infrastructure High Availability deployment. When the
secondary Cisco Prime Infrastructure server is configured with manual failover mode, the network administrator is
notified through an email that the primary Cisco Prime Infrastructure server has experienced a down condition. The
Health Monitor (HM) on the secondary Cisco Prime Infrastructure server detects the failure condition of the primary
Cisco Prime Infrastructure server. Because manual failover has been configured, the network administrator needs
to manually trigger the secondary Cisco Prime Infrastructure server to take over Cisco Prime Infrastructure
functionality from the primary Cisco Prime Infrastructure server. This is done by logging in to the secondary HM.
Even though the secondary Cisco Prime Infrastructure server is not running, you can connect to the secondary HM
using the following syntax: https://<Secondary_PI_IP_Address>:8082/.

The secondary HM displays messages in regard to events that are seen. Because manual failover has been
configured, the secondary HM waits for the network administrator to invoke the failover process. Once manual
failover has been chosen, the message is displayed as "The Secondary Cisco Prime Infrastructure Server
Starts." Once the failover process has been completed, which means that the Cisco Prime Infrastructure database
replication process is completed and the secondary Cisco Prime Infrastructure JVM process has started, then the
secondary Cisco Prime Infrastructure server is the active Cisco Prime Infrastructure server.

Health Monitor on the secondary Cisco Prime Infrastructure server provides status information on both the primary
and secondary Cisco Prime Infrastructure servers. Failback can be initiated through the secondary HM once the
primary Cisco Prime Infrastructure server has recovered from the failure condition. The failback process is always
initiated manually so as to avoid a flapping condition that can sometimes occur when there is a network
connectivity problem. More details on how to deploy Cisco Prime Infrastructure 3.0 HA can be found in the Cisco
Prime Infrastructure Administration Guide.

Configuring Cisco Prime Infrastructure Backup


It is strongly advisable to configure the backup plan in a more proactive manner. Backup can be configured by
navigating to Administration > Settings > Background Tasks > Prime Infrastructure Server Backup.

You can either use the default repository defaultRepo, or create an external backup repository. Enter credentials
for the remote repository and other relevant information and click Submit to create this new remote backup
repository.

Advanced System Settings


Data Retention
This feature allows you to specify how long the data is to be stored in Cisco Prime Infrastructure. By default you
can store the performance data as short, medium, and long-term data for 7, 31, and 378 days, respectively. You
can modify these numbers based on the available hard drive space. Navigate to Administration -> Settings ->
System Settings. Select Data Retention under General Tab to configure the data retention.

Server Tuning
The following sections explain how to enhance server security by eliminating or controlling individual points of
security exposure.

Disabling Insecure Services


You must disable non-secure services if you are not using them. For example, TFTP and FTP are not secure protocols.
These services are typically used to transfer firmware or software images to and from network devices and Cisco
Prime Infrastructure. They are also used for transferring system backups to external storage. We recommend using
secure protocols (such as SFTP or SCP) for such services.

Disabling Root Access


Administrative users can enable root shell access to the underlying operating system for troubleshooting
purposes. This access is intended for Cisco Support teams to debug product-related operational issues. We
recommend that you keep this access disabled, and enable it only when required. To disable root access, run the
command root_disable from the command line.

Using SNMPv3 Instead of SNMPv2


SNMPv3 is a higher security protocol than SNMPv2. You can enhance the security of communications between
your network devices and the Cisco Prime Infrastructure server by configuring the managed devices so that
management takes place using SNMPv3 instead of SNMPv2.

You can choose to enable SNMPv3 when adding new devices, importing devices in bulk, or as part of device
discovery.

Authenticating with External AAA
User accounts and passwords are managed more securely when they are managed centrally, by a dedicated,
remote authentication server running on a secure authentication protocol such as RADIUS or TACACS+. You can
configure Cisco Prime Infrastructure to authenticate users using external AAA servers.

Importing Client Certificates into Web Browsers


You must import client certificates into your browsers to authenticate while accessing Cisco Prime Infrastructure
servers with certificate authentication. Although the process is similar across browsers, the actual details vary with
each browser.

Enabling NTP Update Authentication


Network Time Protocol (NTP) version 4 (which authenticates server date and time updates) is an efficient setting to
harden server security. Note that you can configure a maximum of three NTP servers with Cisco Prime
Infrastructure.

Enabling Certificate-Based OCSP Authentication


You can further enhance the security of Cisco Prime Infrastructure's interaction with its web clients by setting up
certificate-based client authentication using the Online Certificate Status Protocol (OCSP).

With this form of authentication, Cisco Prime Infrastructure validates the web client's certificate and its revocation
status before permitting you to access the login page. Checking the revocation status makes sure that the issuing
Certificate Authority (CA) has not already revoked the certificate.

Setting Up Local Password Policies


If you are authenticating users locally, using Cisco Prime Infrastructure's own internal authentication, you can
enhance your system's security by enforcing rules for strong password selection.

Disabling Individual TCP/UDP Ports


Table 6 lists the TCP and UDP ports Cisco Prime Infrastructure uses, the names of the services communicating
over these ports, and the product's purpose in using them. The Safe column indicates whether you can disable a
port and service without affecting Cisco Prime Infrastructure's functionality.

Table 6. Cisco Prime Infrastructure TCP/UDP Ports

Port       Service Name    Purpose                                                               Safe?
21/tcp     FTP             File transfer between devices and server                              Y
22/tcp     SSHD            Used by SCP, SFTP, and SSH connections to and from the system         N
69/udp     TFTP            File transfer between devices and the server                          Y
162/udp    SNMP-TRAP       To receive SNMP Traps                                                 N
443/tcp    HTTPS           Primary Web Interface to the product                                  N
514/udp    SYSLOG          To receive Syslog messages                                            N
1522/tcp   Oracle          Oracle/JDBC Database connections: These include both internal server  N
                           connections and connections with the High Availability peer server.
8082/tcp   HTTPS           Health Monitoring                                                     N
8087/tcp   HTTPS           Software updates on HA Secondary Systems                              N
9991/udp   NETFLOW         To receive Netflow streams (enabled if Assurance license installed)   N
61617/tcp  JMS (over SSL)  For interaction with remote Plug&Play Gateway server                  Y

Checking Server Security Status


Cisco Prime Infrastructure administrators can connect to the server via CLI and use the show security-status
command to display the server's currently open TCP/UDP ports, the status of other services the system is using,
and other security-related configuration information.
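
The following is an added example, not part of Cisco's guide or product: a Python check that compares a host's
network-reachable listeners with Table 6 and flags services that are safe to disable, unlisted, or absent. It assumes
the socket list is supplied in Linux `ss -tuln` layout (the output format of show security-status is not reproduced
here); the sample listing and the ha_secondary and assurance_license flags are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Table 6 of this guide: (port, protocol) -> (service name, safe to disable?)
TABLE_6 = {
    (21, "tcp"): ("FTP", True),
    (22, "tcp"): ("SSHD", False),
    (69, "udp"): ("TFTP", True),
    (162, "udp"): ("SNMP-TRAP", False),
    (443, "tcp"): ("HTTPS", False),
    (514, "udp"): ("SYSLOG", False),
    (1522, "tcp"): ("Oracle", False),
    (8082, "tcp"): ("HTTPS", False),
    (8087, "tcp"): ("HTTPS", False),
    (9991, "udp"): ("NETFLOW", False),
    (61617, "tcp"): ("JMS (over SSL)", True),
}

# Constructed sample in `ss -tuln` layout; not captured from a real server.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:162        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:1522       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8082       0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
"""


class Listener(NamedTuple):
    proto: str
    host: str
    port: int
    loopback: bool


def parse_ss(text):
    """Return the set of TCP/UDP listeners found in `ss -tuln` style text."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header, blank line or another socket family
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        host = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # "*" wildcard: reachable from the network
        listeners.add(Listener(fields[0], host, int(port), loopback))
    return listeners


def audit(ss_text, ha_secondary=False, assurance_license=False):
    """Compare network-reachable listeners with Table 6; return findings."""
    exposed = {(l.port, l.proto) for l in parse_ss(ss_text) if not l.loopback}
    # Assumption drawn from the Purpose column: these two ports are expected
    # only in the deployments named there.
    conditional = {(8087, "tcp"): ha_secondary, (9991, "udp"): assurance_license}
    findings = []
    for key in sorted(exposed):
        label = f"{key[0]}/{key[1]}"
        if key not in TABLE_6:
            findings.append((label, "UNEXPECTED", "not in Table 6; identify the owning service"))
        elif TABLE_6[key][1]:
            findings.append((label, "DISABLE_IF_UNUSED", f"{TABLE_6[key][0]} is marked safe to disable"))
    for key, (service, safe) in sorted(TABLE_6.items()):
        if safe or key in exposed or not conditional.get(key, True):
            continue
        findings.append((f"{key[0]}/{key[1]}", "MISSING", f"{service} is marked not safe to disable but is not listening"))
    return findings


if __name__ == "__main__":
    for port, status, detail in audit(SAMPLE_SS):
        print(f"{port:<10} {status:<18} {detail}")
```

Listeners bound only to a loopback address are ignored because they are not reachable from the network.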

Miscellaneous
Accessing Cisco Prime Infrastructure Through CLI
In normal circumstances, you may not need to access the CLI, but if there is a need to access some service
requirements, the Cisco Prime Infrastructure server may be accessed through Secure Shell Protocol Version 2
(SSH2) by the admin user. The admin user is provided with a Cisco IOS Software-like shell, which is the preferred
shell for carrying out most operational tasks. The password for this admin user is configured during the initial
installation and configuration, as mentioned in the Option 2: Installing the Cisco Prime Infrastructure Virtual
Appliance section. Please note that the root password that is prompted in the install script is only for web access
and not access to the CLI.

How to Enable CLI Root User in Cisco Prime Infrastructure Server


The root user is not enabled by default, but you can enable the root user for the first time using the root_enable
command at the admin console. Once the root user is enabled, log out of the admin shell and log in using the root
user and the previously defined password for root.

Start/Stop Cisco Prime Infrastructure Services


In normal circumstances, you don't stop or start PI services. The services will start automatically once installation is
complete, and no manual startup of services is required. If there is a need to restart the services for some reason,
the following commands may be executed by the admin user from the command-line interface (CLI):

<piserver>/admin# ncs stop - Stops the Cisco Prime Infrastructure server

<piserver>/admin# ncs status - Shows the Cisco Prime Infrastructure server status

<piserver>/admin# ncs start - Starts the Cisco Prime Infrastructure server

Verifying IOPS for Cisco Prime Infrastructure Virtual Machine


Until Cisco Prime Infrastructure 1.x, there was no easy way to verify data store input/output operations per second
(IOPS) for the virtual infrastructure. With the addition of the following new command, users can now verify the raw
performance before proceeding any further.
<piserver>/admin# ncs run test iops
Testing disk write speed...
8388608+0 records in
8388608+0 records out
8589934592 bytes (8.6 GB) copied, 38.3538 seconds, 224 MB/s

Note: If you run this command when the Cisco Prime Infrastructure server is running, the results will be really
skewed. This test needs to be run after shutting down the Cisco Prime Infrastructure server using the ncs stop
command from the admin shell.

After shutting down ncs, here are the new results:


Pi30/admin# ncs run test iops
Testing disk write speed...
8388608+0 records in
8388608+0 records out
8589934592 bytes (8.6 GB) copied, 27.0878 seconds, 317 MB/s

The recommended value is the result from the command after shutting down ncs (ncs stop). Note that the
recommended value for the IOPS is 200 MBps.

References
Cisco Prime Infrastructure 3.0 Links
Cisco Prime Infrastructure 3.0 Quick Start Guide
Cisco Prime Infrastructure 3.0 Administrator Guide
Cisco Prime Infrastructure 3.0 User Guide
Cisco Prime Infrastructure 3.0 Release Notes
Cisco Prime Infrastructure 3.0 Data Sheet
Cisco Prime Infrastructure 3.0 Supported Devices
Ports used by Cisco Prime Infrastructure
Cisco Prime Infrastructure Alarms and Events
Cisco Prime Infrastructure 3.0 API Reference Guide
Password Recovery for Cisco Prime Infrastructure
AVC Solution Guide

Cisco Product Pages


Cisco Prime Infrastructure
Cisco Identity Security Engine (ISE)
Cisco Prime Network Analysis Module (NAM)
Cisco Application Visibility and Control
Product Downloads

Ordering and Licensing


Cisco Prime Infrastructure 3.0 Ordering and Licensing Guide
Cisco Ordering Tools
Product Evaluation

Printed in USA C07-736611-00 02/16
