Configuring the Cisco APIC-EM Settings PDF
Preview Configuring the Cisco APIC-EM Settings
Configuring the Cisco APIC-EM Settings • LoggingintotheCiscoAPIC-EM, page 1 • QuickTouroftheAPIC-EMGraphicalUserInterface(GUI), page 2 • ConfiguringthePrimeInfrastructureSettings, page 3 • DiscoveryCredentials, page 4 • Security, page 15 • ServiceLogs, page 22 • ConfiguringtheAuthenticationTimeout, page 31 • ConfiguringPasswordPolicies, page 32 • UpdatingtheCiscoAPIC-EMSoftware, page 34 • BackingUpandRestoringtheCiscoAPIC-EM, page 37 • TelemetryCollection, page 43 Logging into the Cisco APIC-EM YouaccesstheCiscoAPIC-EMGUIbyenteringtheIPaddressthatyouconfiguredforthenetworkadapter usingtheconfigurationwizard.ThisIPaddressconnectstotheexternalnetwork.EntertheIPaddressinyour GoogleChromebrowserinthefollowingformat: https://IPaddress Step 1 InyourGoogleChromebrowser,entertheIPaddressoftheCiscoAPIC-EM. Step 2 Onthelaunchpage,entertheadministratorusernameandpassword. TheHomepageoftheAPIC-EMcontrollerappears. What to Do Next ProceedtotakeaquicktouroftheCiscoAPIC-EMGraphicalUserInterface(GUI). Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 1 Configuring the Cisco APIC-EM Settings Quick Tour of the APIC-EM Graphical User Interface (GUI) Quick Tour of the APIC-EM Graphical User Interface (GUI) ForaquickintroductiontotheCiscoAPIC-EMGUI,logintotheCiscoAPIC-EMcontrollerasanadministrator andfollowtheprocedurebelow. Step 1 ClicktheQuickStartGuidelinkthatappearsontheCiscoAPIC-EMHomepage. TheQuickStartGuideopensinaseparatewindow. Figure 1: Quick Start Guide Step 2 TakeafewmomentstoreviewthecontentsoftheQuickStartGuide,whichprovidesashortintroductiontothemain componentsoftheCiscoAPIC-EMgraphicaluserinterfaceandbrieflydescribeshowtoconfiguresomeoftheCisco APIC-EMsettings. What to Do Next IfyouareusingtheIWANapplicationwithCiscoPrimeInfrastructureforyournetwork,thenproceedto configureyourPrimecredentials.IfyouarenotusingtheIWANapplicationwithCiscoPrimeInfrastructure, thenproceedtoconfigurethediscoverycredentialsforyournetwork. Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 2 Configuring the Cisco APIC-EM Settings Configuring the Prime Infrastructure Settings Configuring the Prime Infrastructure Settings YoucanenterandsaveyourCiscoPrimeInfrastructure(PI)settingstotheCiscoAPIC-EMusingthecontroller's UI.ThesePIsettingsareusedbytheIWANapplicationtoestablishanauthenticatedconnectionbetweenthe controllerandPIserver,afterarequestinitiatedbythecontroller.TheIWANapplicationusestheauthenticated connectiontoperformitscentralizednetworkmanagementandenforcementdutieswithPIdata. YoucanconfigurethePIsettingsusingthePrimeInfrastructrueSettingswindowintheCiscoAPIC-EM GUI. Figure 2: Prime Infrastructure Settings Window Before You Begin YoumusthavesuccessfullydeployedtheCiscoAPIC-EManditmustbeoperational. YoumusthaveadministratorpermissionstoconfigureandsaveyourPrimeInfrastructuresettingsasdescribed inthisprocedure.ForinformationabouttheuserpermissionsrequiredtoperformtasksusingtheCisco APIC-EM,seethechapter,ManagingUsersandRolesintheCiscoApplicationPolicyInfrastructureController EnterpriseModuleConfigurationGuide. Step 1 IntheHomewindow,clickeitheradminortheSettingsicon(gear)atthetoprightcornerofthescreen. Step 2 ClicktheSettingslinkfromthedrop-downmenu. Step 3 IntheSettingsnavigationpane,clickPrimeInfrastructureSettingstoviewthePrimeInfrastructureSettingswindow. Step 4 EntereithertheIPaddressofthePIserverortheDNSdomainnameofthePIserver. Step 5 EnterthePICredentialsusername. Step 6 EnterthePICredentialspassword. Step 7 ClicktheSavebuttontosavethePIcredentialstotheCiscoAPIC-EMdatabase. Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 3 Configuring the Cisco APIC-EM Settings Discovery Credentials What to Do Next Proceedtoconfigurethediscoverycredentialsforyournetwork. Discovery Credentials TheCiscoAPIC-EMsupportsthefollowingtypesofdiscoverycredentials: •CLICredentials(GlobalandException) •SNMPv2(ReadandWriteCommunity) •SNMPv3(Mode,AuthenticationType,PrivacyType) Forasuccessfuldevicediscoverynotethefollowing: •CLIcredentials(globaland/orexception)andSNMP(v2cand/orv3)areconfiguredusingthecontroller's GUI.TheCLIglobalcredentialsandSNMPcredentials(v2corv3)areconfiguredintheDiscovery Credentials windowsasdescribedinthischapter,andareusedinadditiontoanyCLIexception credentialsthatareconfiguredintheDiscoverywindow. Note ForinformationabouttheproceduretoconfigureCLIexceptioncredentialsinthe Discoverywindow,seetheCiscoApplicationPolicyInfrastructureControllerEnterprise ModuleConfigurationGuide. •BoththeCLIandSNMPcredentialsarerequiredforasuccessfuldevicediscovery. YoushouldenteratleastonesetofSNMPcredentials,eitherSNMPv2corSNMPv3fordevicediscovery. IfyouaregoingtoconfigureSNMPv2settings,thenSNMPReadOnly(RO)communitystringvalues shouldbeenteredtoassureasuccessfuldiscoveryandpopulatedinventory.However,ifanSNMPRO communitystringisnotprovided,asabesteffort,discoverywillrunwiththedefaultSNMPRO communitystring"public." Note TheCLIcredentialsareusedforcapturingdeviceconfigurationsforthecontroller's inventory. •YoucanentervaluesforbothSNMPversions(SNMPv2candSNMPv3)foradiscovery. •ThecontrollersupportsmultipleSNMPcredentialconfigurations,butifyouconfiguremorethan5 credentialsets(globaland/orexception,SNMPv2cand/orSNMPv3credentials),youwillreceivean errormessage. CLI Credentials—Global CLIcredentials(global)aredefinedaspreexistingdevicecredentialsthatarecommontothedevicesina network.Devicecredentialsarecredentialsthatwerepreviouslyconfiguredonthedevicesinyournetwork, permitsuccessfullogintothedevices,andarecurrentlyassociatedwiththedevices.CLIglobalcredentials Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 4 Configuring the Cisco APIC-EM Settings CLI Credentials—Exception areusedbytheCiscoAPIC-EMtoauthenticateandaccessthedevicesinanetworkthatsharethisdevice credentialwhenperformingnetworkdiscoveries. YouconfiguretheCLIglobalcredentialsinthe CLICredentialswindow.Youaccessthiswindow,by clickingeitheradminortheSettingsicon(gear)onthemenubarattheupperrightofthescreen.Youthen clicktheSettingslinkfromthedrop-downmenuandthenclickCLICredentialsontheSettingNavigation pane. Note Multiplecredentialscanbeconfiguredinthe CLICredentialswindow. Related Topics ConfiguringCLICredentials—Global, onpage7 CLI Credentials—Exception CLIcredentials(exception)aredefinedaspreexistingdevicecredentialsforaspecificnetworkdeviceorset ofdevicesthatdonotsharetheCLIglobalcredentials.TheCLIexceptioncredentialsprovidethefollowing features: •Thesecredentialscanbeprovidedwhencreatinganewnetworkdiscovery,butonlyasinglesetofthe CLIexceptioncredentialsisallowedpernetworkdiscovery. •ThesecredentialstakeprecedenceoveranyconfiguredCLIglobalcredentials. •IftheCLIexceptioncredentialscauseanauthenticationfailure,thendiscoveryisattemptedasecond timewiththeconfiguredCLIglobalcredentials.IfdiscoveryfailswiththeCLIglobalcredentialsthen thedevicediscoverystatuswillresultinanauthenticationfailure. •IftheCLIexceptioncredentialsarenotprovidedaspartofnetworkdiscovery,thentheCLIglobal credentialsareusedtoauthenticatedevices. Note YouconfiguretheCLIexceptioncredentialsintheDiscoverywindow.Youaccessthiswindowbyclicking DiscoveryontheNavigationpane. Discovery Credentials Example Thefollowingdiscoverycredentialsexampledescribeshowauserwouldconfigureandrunaseriesof discoveriestoauthenticateandaccessallofthedevicesinanetworkbytheCiscoAPIC-EM. Assumeanetworkof20devicesthatformaCDPneighborship.Inthisnetwork,15devicesshareaCLIglobal credential(Credential-0)andthe5remainingdeviceseachhavetheirownuniqueorCLIexceptioncredentials (Credential1-5). ToproperlyauthenticateandaccessthedevicesinthisnetworkbytheCiscoAPIC-EM,youperformthe followingtasks: 1 ConfiguretheCLIglobalcredentialsasCredential-0forthecontroller. Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 5 Configuring the Cisco APIC-EM Settings Discovery Credentials Caveats YouconfiguretheCLIglobalcredentialsinthe CLICredentialswindow.Youaccessthiswindow,by clickingeitheradminortheSettingsicon(gear)onthemenubarattheupperrightofthescreen.You thenclicktheSettingslinkfromthedrop-downmenuandthenclickCLICredentialsontheSetting Navigationpane. 2 ConfigureSNMP(v2corv3)credentials.YouaccesstheseGUIwindowsbyclickingtheSettingsbutton atthetoprightandthenclickingSNMPv2corSNMPv3ontheSettingNavigationpane. 3 RunaCDPdiscoveryusingoneofthe15deviceIPaddresses(15devicesthatsharetheCLIglobal credentials). YourunaCDPdiscoveryintheDiscoverywindow.Youaccessthiswindow,byclickingDiscoveryon theNavigationpane. 4 Run5separateRangediscoveriesforeachoftheremaining5devicesusingtheappropriateCLIexception credentials(forexample,Credential-1,Credential-2-5,etc.). YouconfiguretheCLIexceptioncredentialsintheDiscoverywindow.Youaccessthiswindow,by clickingDiscoveryontheNavigationpane. 5 ReviewtheDeviceInventorytableintheDeviceInventorywindowtocheckthediscoveryresults. Discovery Credentials Caveats ThefollowingarecaveatsfortheCiscoAPIC-EMdiscoverycredentials: •IfadevicecredentialchangesinanetworkdeviceordevicesafterCiscoAPIC-EMdiscoveryiscompleted forthatdeviceordevices,anysubsequentpollingcyclesforthatdeviceordeviceswillfail.Tocorrect thissituation,anadministratorhasfollowingoptions: ◦UpdatetheCLIglobalcredentialswiththenewdevicecredential.Thedeviceswouldthenbe authenticatedinasubsequentpollingcycle. ◦StartanewdiscoverywiththechangedCLIexceptioncredentialsthatmatchesthenewdevice credential. •Iftheongoingdiscoveryfailsduetoadeviceauthenticationfailure(forexample,theprovideddiscovery credentialisnotvalidforthedevicesdiscoveredbycurrentdiscovery),thentheadministratorhas followingoptions: ◦Stopordeletethecurrentdiscovery.Createoneormorenewnetworkdiscoveryjobs(eitheraCDP orRangediscoverytype)withaCLIexceptioncredentialthatmatchesthedevicecredential. ◦ModifyoneoftheCLIglobalcredentialstothenewdevicecredential(ifpossible),sothesame discoverycandiscoverthedeviceinasubsequentpollingcycle. •DeletingaCLIglobalcredentialdoesnotaffectalreadydiscovereddevices.Thesealreadydiscovered deviceswillnotreportanauthenticationfailure. •TheCiscoAPIC-EMprovidesaRESTAPIwhichallowstheretrievalofthelistofmanagednetwork devicesintheCiscoAPIC-EMinventory,includingtheadministrativecredentials(SNMPcommunity strings,CLIusernameandpassword,CLIenablepassword)incleartext.ThepurposeofthisAPIisto allowanexternalapplicationtosynchronizeitsownmanageddeviceinventorywiththedevicesthat havebeendiscoveredbytheCiscoAPIC-EM.Forexample,forCiscoIWANscenarios,Prime InfrastructuremakesuseofthisAPIinordertopopulateitsinventorywiththeIWANdevicescontained Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 6 Configuring the Cisco APIC-EM Settings Configuring CLI Credentials—Global intheCiscoAPIC-EMinventoryinordertoprovidemonitoringoftheIWANsolution.Anyuseraccount withaROLE_ADMINhasaccesstothisAPI. Configuring CLI Credentials—Global CLIcredentialsaredefinedaspreexistingdevicecredentialsthatarecommontomostofthedevicesina network.CLIcredentialsareusedbytheCiscoAPIC-EMtoauthenticateandaccessthedevicesinanetwork thatsharethisCLIcredentialwhenperformingdevicesdiscoveries. YouconfiguretheCLIglobalcredentialsintheCLICredentialswindow. Note YoucanconfigureuptofiveCLIcredentials. Figure 3: CLI Credentials Window Before You Begin YoumusthavesuccessfullydeployedtheCiscoAPIC-EManditmustbeoperational. YoumusthaveadministratorpermissionstoconfiguretheCLIglobalcredentialsasdescribedinthisprocedure. ForinformationabouttheuserpermissionsrequiredtoperformtasksusingtheCiscoAPIC-EM,seethe chapter,ManagingUsersandRolesintheCiscoApplicationPolicyInfrastructureControllerEnterprise ModuleConfigurationGuide. Step 1 IntheHomewindow,clickeitheradminortheSettingsicon(gear)atthetoprightcornerofthescreen. Step 2 ClicktheSettingslinkfromthedrop-downmenu. Step 3 IntheSettingsnavigationpane,clickCLICredentialstoviewtheCLICredentialswindow. Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 7 Configuring the Cisco APIC-EM Settings Configuring SNMP IntheCLICredentialswindow,entertheappropriateCLIglobalcredentialsforthedeviceswithinyournetworkor networks. Step 4 EntertheCLICredentialsusernameintheUsernamefield. Step 5 EntertheCLICredentialspasswordinthePasswordfield. Step 6 ReentertheCLICredentialspasswordintheConfirmPasswordfieldtoconfirmthevaluethatyoujustentered. Step 7 Ifyournetworkdeviceshavebeenconfiguredwithanenablepassword,thenentertheCLICredentialsfortheenable passwordintheEnablePasswordfield. Note BoththeCLIcredentialspasswordandenablepasswordaresavedinthedevice'sconfigurationinencrypted form.Youcannotviewtheseoriginalpasswordsafteryouenterthem. Step 8 IfyouenteredanenablepasswordintheEnablePasswordfield,reenteritintheConfirmEnablePasswordfieldto confirmthevaluethatyoujustentered. Step 9 Inthe CLICredentialswindow,clickAddtosavethecredentialstotheCiscoAPIC-EMdatabase. What to Do Next ProceedtoconfigureSNMPvaluesforyournetworkdevicediscovery. Forasuccessfuldevicediscovery(withallthedeviceinformationtobecollected),CLIcredentials(global and/orexception)andSNMP(v2cand/orv3)shouldbeconfiguredusingthecontroller.TheCLIglobal credentialsandSNMP(v2corv3)areconfiguredintheDiscoveryCredentials windowsasdescribedinthis chapter,andareusedinadditiontoanyCLIexceptioncredentialsthatareconfiguredintheDiscoverywindow. Related Topics CLICredentials—Global, onpage4 Configuring SNMP YouconfigureSNMPfordevicediscoveryusingthefollowingDiscoveryCredentialswindowsintheCisco APIC-EMGUI: •SNMPv2c •SNMPv3 •SNMPProperties Configuring SNMPv2c YouconfigureSNMPv2cfordevicediscoveryintheSNMPv2cwindowintheCiscoAPIC-EMGUI.The SNMPvaluesthatyouconfigureforSNMPv2cforthecontrollermustmatchtheSNMPv2cvaluesthathave beenconfiguredforyournetworkdevices. Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 8 Configuring the Cisco APIC-EM Settings Configuring SNMP Note Youcanconfigureuptofivereadcommunitystringsandfivewritecommunitystrings. Figure 4: Configuring SNMPv2c SNMPisanapplication-layerprotocolthatprovidesamessageformatforcommunicationbetweenSNMP managersandagents.SNMPprovidesastandardizedframeworkandacommonlanguageusedforthe monitoringandmanagementofdevicesinanetwork.ThedifferentversionsofSNMPareSNMPv1,SNMPv2, SNMPv2c,andSNMPv3. SNMPv2cisthecommunitystring-basedadministrativeframeworkforSNMPv2.Communitystringisatype ofpassword,whichistransmittedincleartext.SNMPv2cdoesnotprovideauthenticationorencryption (noAuthNoPrivlevelofsecurity). Note InadditiontoconfiguringSNMPv2cfordevicediscoveryinthecontroller,a"besteffort"CiscoAPIC-EM discoveryisinplace,meaningthatdeviceshavingSNMPwithRead-Only(RO)communitystringsetto "public"willbediscoveredallthetimeirrespectiveoftheconfiguredSNMPRead/Writecommunity string. Before You Begin YoumusthavesuccessfullydeployedtheCiscoAPIC-EManditmustbeoperational. Youmusthaveyournetwork'sSNMPinformationavailableforthisconfigurationprocedure. Youmusthaveadministratorpermissionstoconfigurethediscoverycredentials(SNMPv2c)asdescribedin thisprocedure.ForinformationabouttheuserpermissionsrequiredtoperformtasksusingtheCiscoAPIC-EM, Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 9 Configuring the Cisco APIC-EM Settings Configuring SNMP seethechapter,ManagingUsersandRolesintheCiscoApplicationPolicyInfrastructureControllerEnterprise ModuleConfigurationGuide. Step 1 IntheHomewindow,clickeitheradminortheSettingsicon(gear)atthetoprightcornerofthescreen. Step 2 ClicktheSettingslinkfromthedrop-downmenu. Step 3 IntheSettingsnavigationpane,clickSNMPv2ctoviewtheSNMPv2cwindow. Step 4 IntheSNMPv2cwindow,clickReadCommunity. EnteryourReadCommunityvalues: •Name/Description—DescriptionoftheRead-Only(RO)communitystringvalueand/orthedeviceordevicesthat areconfiguredwithit. •ReadCommunity—Read-Onlycommunitystringvalueconfiguredondevicesthatyouneedthecontrollerto connecttoandaccess.Thiscommunitystringvaluemustmatchthecommunitystringvaluepre-configuredonthe devicesthatthecontrollerwillconnecttoandaccess. •ConfirmReadCommunity—ReentertheRead-Onlycommunitystringtoconfirmthevaluethatyoujustentered. Note IfyouareconfiguringSNMPv2cforyourdiscovery,thenconfiguringReadCommunityvaluesismandatory. Step 5 ClickSavetosaveyourReadCommunityvalues. TheReadCommunityvalueswillappearinthetablebelow. Step 6 (Optional)IntheSNMPv2cwindow,clickWriteCommunity. EnteryourWriteCommunityvalues: •Name/Description—DescriptionoftheWritecommunitystringvalueand/orthedeviceordevicesthatareconfigured withit. •WriteCommunity—Writecommunitystringvalueconfiguredondevicesthatyouneedthecontrollertoconnect toandaccess.Thiscommunitystringvaluemustmatchthecommunitystringvaluepre-configuredonthedevices thatthecontrollerwillconnecttoandaccess. •ConfirmWriteCommunity—ReentertheWritecommunitystringtoconfirmthevaluethatyoujustentered. Step 7 (Optional)ClickSavetosaveyourWriteCommunityvalues. TheWriteCommunityvalueswillappearinthetablebelow. What to Do Next IfrequiredforyourSNMPconfiguration,proceedtoconfigureeitherSNMPv3orSNMPPropertiesusing theGUI. IfyouarefinishedwithyourSNMPconfiguration,thenproceedtoimportanX.509certificateandprivate keyintothecontroller,ifnecessaryforyournetworkconfiguration. Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide, Release 1.0.x 10
Description:The list of books you might like
