Cisco IP Manager Administration

As MPLS VPN Solution provisions, the product uses Cisco IP Manager to access the routers, first to get a configuration file, and then to download the new changes. MPLS VPN Solution's provisioning is all done through CIPM (including configuration file collection), but MPLS VPN Solution can also be instructed to access the devices directly for other reasons. For example, in a PoP (point of presence) with little new provisioning activity, it is possible for MPLS VPN Solution to obtain configuration files directly on a collection schedule; this is useful for auditing, but is unnecessary in sites with high activity because the activity of provisioning retrieves fresh configuration files on a regular basis. MPLS VPN Solution also collects large amounts of performance data directly from the routers, not via CIPM.

The Cisco IP Manager software meets business requirements for scalable, reliable Layer 3, IOS-based element management in very large networks by:

• Enabling rapid, high-quality service deployment through automated infrastructure provisioning

• Integrating with an existing or new OSS via flow-through interfaces, including the Cisco Provisioning Center, order processing and management, subscriber management and billing, and workforce automation

• Supporting new end-to-end network services

• Allowing partitioning of domain control and permissions to conform to business requirements

• Template-driven configuration file generation and command editing

• Configuration file access control

• Network configuration file upload and download, with verification

• Network element status verification (such as ping and show)

• Activity log

The template-building interface provides a mechanism for defining variables in a template file and their values in a companion data file. Configuration files can then be generated en masse, similar to a word processing application's mail-merge operation.

Variables can also pass through a CORBA IDL interface for other network management systems or operating systems.

The software can manage multiple discrete customer networks that use the same unregistered IP address ranges. The flow-through interface enables communication with static or dynamic IP address pool management tools. System administration allows user-based authentication. Network managers can organize elements into domains and subdomains and assign permissions to each, based on user group. Service provider operators must enter a password to obtain access to permitted domains.

The Cisco IP Manager software also partitions and controls data access.

• Service provider customers or their connected systems can be granted limited rights to view only those network elements which pertain to their part of the network. This is highly useful for networks that use the same infrastructure to provide services to multiple customers.

• Selected users can create, read, update, or delete selected data. Network managers can limit visibility in subdomains so that, for instance, a user can view or amend a router configuration, but cannot view or amend IP addresses within it.

• The Administration Server (ADMServer). Provides authorization services and authentication services; controls access to the system and its data for the other servers; manages domains; and manages user information.

• The Configuration Template Manager (CTMServer). Manages templates and template data.

• Event Server. Used by the individual elements of the system to keep track of events occurring throughout the rest of the system.

• GUI application. Provides a user interface for working with the Cisco IP Manager servers

• LOGServer. Maintains records of system activity

• Name Server (NS). Contains Orbix registry of servers and their locations.

• Network Element Manager server (NEMServer). Manages communications between CIPM and network elements. The NEM server calls upon the TG Server or the SG Server as appropriate.

• Oracle database---The data repository.

• The SNMP Gateway Server (SGServer). Uses the SNMP protocol to communicate with the network elements.

• Telnet Gateway Server (TGServer). Uses the Telnet protocol to communicate with the network elements.

• Version Control Manager Server (VCMServer). Archives network element and template configurations, and maintains a history of configuration changes.

Tips MPLS VPN Solution requires that you install all of these components, as well as the GUI package, on the same Cisco IP Manager host. The installation process is described in Chapter 3, "Installing and Starting Cisco IP Manager 2.0" in the Cisco VPN Solutions Center: MPLS Solution Installation Guide.

If the CIPM username or password are changed on the CIPM workstation, you must change the settings for the CIPM username or password to correspond in MPLS VPN Solution software.

The CIPM username and password are stored in the MPLS VPN Solution Repository. If the MPLS VPN Solution software cannot find the username and password in the Repository, it uses the defaults.

The username and password can consist of any combination of alphanumeric characters (upper- or lowercase), plus the underscore character, hyphen, and period. These fields cannot contain leading, trailing, or embedded spaces. The maximum length for these fields is 64 characters.

To change the username or password in MPLS VPN Solution software to match the CIPM workstation values, follow these steps:

Step 2 Go to the bin/solaris directory.

Step 3 From the vpnadm user terminal window, enter the following command:

setCIPMUserPassword

You are prompted for the CIPM username.

Step 4 Enter the CIPM username.

If you do not wish to change the username, enter the current username.

After you enter the username, you are prompted for the CIPM password.

Step 5 Enter the CIPM password; then re-enter the password as prompted to confirm it.

Step 6 Exit from the vpnadm user.

To implement the new username or password, you must stop the Watchdog, then restart it.

Step 7 Open the terminal window where the Watchdog is running.

Step 8 Stop the Watchdog with the stopwd -y command; then restart the Watchdog.

For details on starting the Watchdog, refer to "Starting the Watchdog and the VPN Console" in Chapter 4 of the Cisco VPN Solutions Center: MPLS Solution Installation Guide.

The domain name assignment is part of the Oracle configuration. If Cisco IP Manager is reinstalled, it should use the same naming convention previously configured during the initial installation.

If you are reinstalling Cisco IP Manager and you retain the existing Oracle installation, the domain name convention used in the previous Cisco IP Manager installation must be entered again for the new installation.

• When the MPLS VPN Solution workstation looks for the Cisco IP Manager workstation.

If the Cisco IP Manager workstation is directly resolvable, specifying the domain name is not necessary.

The domain name is required in this instance only if a fully domain-qualified hostname is needed to resolve the IP address of the Cisco IP Manager workstation.

Specifying the domain name in this context is necessary only if a fully domain-qualified hostname is needed to resolve the IP address of the target (router).

• Telnet-VTY access

• TACACS access

• Console access

Note Terminal Access Control Access Control System Plus (TACACS+) is supported in Cisco's family of routers and access servers, providing complete network access security (NAS) for dial-in connections. This protocol is a completely new version of the TACACS protocol referenced by RFC 1492.

To coordinate the router's login username and password with MPLS VPN Solution and Cisco IP Manager, follow these steps:

Step 2 In Cisco IP Manager, create a new user and password identical to that of the target router.

Cisco IP Manager's default user ID is admin. For instructions on creating a new user, refer to "Adding Users" in Chapter 7, "System Administration and Log Management," of the Cisco IP Manager (Lite) Users Guide, Version 2.0.

Step 3 Give the new user root access.

Step 4 In the Cisco IP Manager Device Properties dialog box, choose the VTY tab.

Step 5 Select CIPM Auth in the Login Security panel.

This creates a "pass-through" user name and password.

For more information about the Device Properties dialog box, refer to "Creating Elements" in Chapter 5, "Managing Network Elements," of the Cisco IP Manager (Lite) User's Guide, Version 2.0.

If you wish to change that setting after CIPM is installed and use the Trivial File Transfer Protocol (TFTP) instead, you must complete these tasks:

• On the Cisco IP Manager workstation, set up a TFTP server.

• On the MPLS VPN Solution workstation, edit the csm.properties file to change the CIPM transfer mode to TFTP.

If you use a remote TFTP server, the /tftpboot directory must be mounted on the NEMServer host.

#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

Step 2 Remove the comment character (#) from the beginning of the line. Save your changes and exit the text editor.

If you are not able to do this, you must set up a symbolic link to your TFTP directory. (The user who launches the servers must have write permission to this directory.) If for some reason your network requires you to use something like myTftp, create a symbolic link by entering the following on the command line:

ln -s /myTftp /tftpboot

Step 4 To verify that your workstation is TFTP-enabled, enter the following on the UNIX command line:

ps -ef | grep -v grep | grep inetd

The output displays the process identification number for the inetd configuration:

root 106 1 0 Sep 21 ? 0:00 /usr/sbin/inetd -s

The first column shows the user ID of the user who owns the process (inetd is owned by root). The process ID is the number in the second column. In the example, the process ID is 106.

Step 5 Issue a kill command with a -1 (the number one) or -HUP argument to force the inetd process to read the newly edited inetd.conf file:

kill -1 106

Step 6 Verify that TFTP is enabled by entering the following:

netstat -a | grep tftp

The Cisco IP Manager workstation is enabled as a TFTP server if you see the following:

*.tftp Idle

If there is no output from the netstat command, TFTP is not enabled. Check the /etc/inetd.conf file for errors and repeat the previous instructions. For more information about TFTP or the kill command, see the UNIX man pages for tftp, tftpd, and kill.

mkdir /tftpboot

Step 2 Modify the permissions for this directory to give all users read, write, and execute permissions, by entering the following command:

chmod 777 /tftpboot

Step 3 If you intend to specify a subdirectory of /tftpboot for your Cisco IP Manager TFTP communications from within the GUI (Domain Properties dialog box), you should create that at this time as well, and set its permissions to the same value.

The Cisco IP Manager workstation is now enabled to act as a TFTP server.

Step 2 Go to the /opt/vpnadm/vpn/etc directory.

Step 3 Open the csm.properties file with a text editor.

Step 4 Find the following section in the csm.properties file:

# Transfer Mode on Create: when creating new elements in CIPM, this mode
# will be set for uploading and downloading router configuration.
# Once an element is created, the current transfer mode is set via the
# CIPM GUI will be used for these operations.
# Values: "tftp" or "telnet"
 
DIPMServer.CIPMTransferModeOnCreate = telnet

Step 5 Change the telnet value to tftp, then save your changes and exit the file.