Cisco Network Visibility Application on APIC-EM User Guide, Release 1.6.0.x
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The process of finding network devices and hosts is known as discovery. The Discovery function scans the devices and hosts
in your network and populates the Cisco APIC-EM database with the information that it retrieves. To discover devices and hosts, you need to provide the controller with information
about the devices so that the Discovery function can reach as many of the devices in your network as possible and gather as
much information as it can.
The Discovery function uses the following protocols and methods to retrieve device information, such as hosts IP addresses,
MAC addresses, and network attachment points:
Cisco Discovery Protocol (CDP)
Community-based Simple Network Management Protocol Version 2 (SNMPv2c)
Simple Network Management Protocol version 3 (SNMPv3)
Link Layer Discovery Protocol (LLDP)
IP Device Tracking (IPDT) (For Discovery to collect host information, you must manually enable IPDT on devices. After IPDT
is enabled, Discovery collects host information on a best-effort basis, because in addition to IPDT, Discovery relies on ARP
entries for host information.)
LLDP Media Endpoint Discovery (LLDP-MED)
(IP phones and some servers are discovered using LLDP-MED).
The
Cisco APIC-EM
supports two different types of discovery credentials: global and job specific
(or discovery request-specific). Both types of discovery credentials can
consist of CLI or SNMP credentials that are configured using the controller's
GUI.
Global credentials can
be configured in either the
Discovery window or the
Discovery
Credentials windows (as described in this chapter). Job specific
credentials are only configured in the
Discovery window.
Note
For information
about the procedure to configure global and/or job specific credentials in the
Discovery window, see the
Cisco
Application Policy Infrastructure Controller Enterprise Module Configuration
Guide.
Both CLI and SNMP credentials are required for a successful discovery. The SNMP credentials (either global or job specific)
are used for device discovery. The CLI credentials (either global or job specific) are used for capturing or applying device configurations for the controller's inventory.
You should enter at least one set of SNMP credentials, either SNMPv2c or SNMPv3, for your device discovery. If you are
going to configure SNMPv2 settings in your network, then SNMP Read Only (RO) community string values should be entered in
the controller to assure a successful discovery and populated inventory. However, if an SNMP RO community string and SNMP
Read Writer (RW) community string is not entered into the controller, as a best effort, discovery will run with the default SNMP RO community string "public." Additionally, if no SNMP RO community string is entered
but a SNMP RW community string is entered, then the SNMP RW community string will be used as SNMP RO community string.
Note
You can enter values for both SNMP versions (SNMPv2c and SNMPv3) for a single discovery. The controller supports multiple
SNMP credential configurations. Altogether, you can enter a maximum of 5 global device credentials (SNMP or CLI) using the
Discovery Credentials windows as described in this chapter, with an additional credentials set being created in the Discovery window. Therefore, for a single discovery scan request, you can configure a total of 6 credential sets of each type (CLI
or SNMP).
Global
Credentials
Global credentials are defined as
preexisting credentials that are common to the devices in a network. Global
credentials (CLI and SNMP) are configured on the devices using the GUI
(Discovery window or
Discovery Credentials window) and permit
successful login to the devices. Global credentials are used by the
Cisco APIC-EM
to authenticate and access the devices in a network that share this device
credential when performing network discoveries.
You can configure the global CLI credentials in the
CLI Credentials window. You access this window by
clicking either
admin or the
Settings icon (gear) on the menu bar at the upper
right of the screen. You then click the
Settings link from the drop-down menu and then
click
CLI Credentials on the Setting Navigation pane.
You can also configure global CLI credentials in the
Credentials field in the
Discovery window. For information about the
procedure to configure global CLI credentials in the
Discovery window, see the
Cisco Application Policy Infrastructure Controller Enterprise
Module Configuration Guide.
You configure the global SNMP credentials in the
SNMPv2c
or
SNMPv3
window . You access these windows by clicking either
admin or the
Settings icon (gear) on the menu bar at the upper
right of the screen. You then click the
Settings link from the drop-down menu and then
click one of the SNMP window links on the Setting Navigation pane. You can also
configure global SNMP credentials in the
Credentials field in the
Discovery window. For information about the
procedure to configure global SNMP credentials in the
Discovery window, see the
Cisco Application Policy Infrastructure Controller Enterprise
Module Configuration Guide.
Note
Multiple credentials can be configured in the
CLI Credentials window.
Job Specific
Credentials
Job specific
credentials (request-specific credentials) are defined as preexisting
device
credentials for a specific network device or set of devices that do not share
the global credentials.
You configure job
specific credentials in the
Discovery window prior to performing a discovery that
is exclusive for that set of network devices. You access this window by
clicking
Discovery on the Navigation pane.
Discovery
Credentials Example
Assume a network of
200 devices that form a CDP neighborship (neighboring devices discovered using
Cisco Discovery Protocol (CDP)). In this network, 190 devices share a global
credential (Credential-0) and the 10 remaining devices each have their own
unique or job specific credentials (Credential 1- 5)
To properly
authenticate and access the devices in this network by the
Cisco APIC-EM,
you perform the following tasks:
Configure the CLI
global credentials as Credential-0 for the controller.
You can configure
the global credentials in the
CLI
Credentials window. You access this window, by clicking either
admin or the
Settings icon (gear) on the menu bar at the upper
right of the screen. You then click the
Settings link from the drop-down menu and then click
CLI
Credentials on the Setting Navigation pane.
Configure the SNMP
(v2c or v3) global credentials.
You can configure
these global credentials in the two SNMP windows. You access these GUI windows
by clicking the
Settings button at the top right and then clicking
SNMPv2c or
SNMPv3 on the Setting Navigation pane.
Run a
CDP discovery using one of the 190 device IP
addresses (190 devices that share the global credentials) and selecting the
global credentials in the GUI. You run a
CDP discovery in the
Discovery window. You access this window, by clicking
Discovery on the Navigation pane.
Run 10 separate
Range discoveries for each of the remaining 10
devices using the appropriate job specific credentials and SNMP values (for
example, Credential-1, Credential-2-5, etc.).
You configure the
job specific credentials in the
Discovery window. You access this window, by clicking
Discovery on the Navigation pane.
Review the
Device
Inventory table in the
Device
Inventory window to check the discovery results
Discovery
Credentials Rules
Discovery credentials
(global and job specific) operate under the rules as described in the bullet
list and table below.
Job Specific Credential Rules
Job specific
credentials can be provided when creating a new network discovery, but only a
single set of job specific credentials is allowed per network discovery.
Job specific
credentials take precedence over any configured global credentials.
If the job
specific credentials are provided as part of a network discovery and cause an
authentication failure, then discovery is attempted a second time with the
configured global credentials (if explicitly selected in the
Discovery window of the controller's GUI). If
discovery fails with the global credentials then the device discovery status
will result in an authentication failure.
When using Cisco APIC-EM APIs for a network discovery and the job specific credentials (both CLI and SNMP) are not provided as part of the network discovery, then the global credentials (both CLI and SNMP provided by the user) are used
to authenticate devices.
Global Credential Rules
Table 1. Global Credential
Rules
Global
Credentials
Job Specific
Credentials
Result
Not configured
Not configured
If the network discovery is run from the controller's GUI, then
the default SNMP read community string (public) is used for the discovery scan.
A discovery failure will not occur in this case.
If the
network discovery is run using Cisco APIC-EM APIs, then a discovery failure
will occur since both CLI and SNMP credentials must be configured for a
successful device discovery using the Cisco APIC-EM APIs.
Not configured
Configured
The specified
job specific credentials will be used for discovery.
Configured
Not configured
All the
configured global credentials will be used.
Configured but
not selected
Configured
Only the job
specific credentials will be used.
Configured and
selected
Not configured
Only selected
global credential will be used.
Configured and
selected
Configured
Both specified
credentials (global and job specific) will be used for discovery.
Configured,
but wrong global credential IDs are mentioned in the discovery POST REST API.
Correct job
specific credentials configured
Discovery
fails.
Note
This
scenario is only possible by API not from the controller GUI.
Configured,
but wrong global credential IDs are mentioned in the discovery POST REST API.
Not configured
Discovery
fails.
Note
This
scenario is only possible by API not from the controller GUI.
Discovery
Credentials Caveats
The following are
caveats for the
Cisco APIC-EM
discovery credentials:
If a device
credential changes in a network device or devices after
Cisco APIC-EM
discovery is completed for that device or devices, any subsequent polling
cycles for that device or devices will fail. To correct this situation, an
administrator has following options:
Start a new
discovery scan with changed job specific credentials that matches the new
device credential.
Edit the
existing discovery by updating or modifying the global credentials, and then
rerun the discovery scan.
If the ongoing
discovery fails due to a device authentication failure (for example, the
provided discovery credential is not valid for the devices discovered by
current discovery), then the administrator has following options:
Stop or delete
the current discovery. Create one or more new network discovery jobs (either a
CDP or
Range discovery type) with a job specific credential
that matches the device credential.
Create a new
global credential and execute a new discovery selecting the correct global
credential.
Edit an
existing global credential and re-run the discovery.
Deleting a global
credential does not affect already discovered devices. These already discovered
devices will not report an authentication failure.
The
Cisco APIC-EM
provides a REST API which allows the retrieval of the list of managed network
devices in the
Cisco APIC-EM
inventory. The purpose of this API is to allow an external application to
synchronize its own managed device inventory with the devices that have been
discovered by the
Cisco APIC-EM.
For example, for Cisco IWAN scenarios, Prime Infrastructure makes use of this
API in order to populate its inventory with the IWAN devices contained in the
Cisco APIC-EM
inventory in order to provide monitoring of the IWAN solution.
Note
Only the username is provided in clear text. SNMP community strings
and passwords are not provided in cleartext for security reasons.
Configuring Global Discovery Credentials
Configuring CLI
Credentials
CLI credentials are
defined as preexisting
device
credentials that are common to most of the devices in a network. CLI
credentials are used by the
Cisco APIC-EM
to authenticate and access the devices in a network that share this CLI
credential when performing devices discoveries.
You
configure the CLI global credentials in the
CLI
Credentials window or the
Discovery window. This procedure describes how to
configure CLI global credentials in the
CLI
Credentials window.
Note
You can configure
up to five CLI credentials.
Figure 1. CLI
Credentials Window
Before you begin
You must have
successfully deployed the
Cisco APIC-EM
and it must be operational.
You must have administrator
(ROLE_ADMIN) permissions and either access to all resources (RBAC scope set to
ALL) or an RBAC scope that contains all of the resources that you want to
group. For example, to create a group containing a specific set of resources,
you must have access to those resources (custom RBAC scope set to all of the
resources that you want to group).
For information about user permissions and RBAC scopes required to perform tasks using the Cisco APIC-EM, see the chapter,
"Managing Users".
Procedure
Step 1
In the
Home window, click either
admin or the
Settings icon (gear) at the top right corner of the
screen.
Step 2
Click the
Settings link from the drop-down menu.
Step 3
In the
Settings navigation pane, click
CLI
Credentials to view the
CLI
Credentials window.
In the
CLI
Credentials window, enter the appropriate CLI global credentials for
the devices within your network or networks.
Step 4
Enter the CLI
Credentials username in the
Username field.
Step 5
Enter the CLI
Credentials password in the
Password field.
Step 6
Reenter the CLI
Credentials password in the
Confirm
Password field to confirm the value that you just entered.
Step 7
If your network
devices have been configured with an enable password, then enter the CLI
Credentials for the enable password in the
Enable
Password field.
Note
Both the CLI credentials password and enable password are saved in the controller in encrypted form. You cannot view these
original passwords after you enter them.
Step 8
If you entered
an enable password in the
Enable
Password field, reenter it in the
Confirm
Enable Password field to confirm the value that you just entered.
Step 9
In the
CLI
Credentials window, click
Add to save the credentials to the
Cisco APIC-EM
database.
What to do next
Proceed to configure
SNMP values for your network device discovery.
For a
successful device discovery (with all the device information to be collected),
CLI credentials (global and/or job specific) should be configured using the
controller. The global credentials for CLI and SNMP (v2c or v3) can be
configured in the
Discovery
Credentials
windows (as described in this chapter) or the
Discovery window, and are used in addition to any job
specific credentials (for CLI and SNMP) that are also configured in the
Discovery window.
Configuring
SNMP
You configure SNMP for device discovery using the following
Discovery
Credentials windows in the
Cisco APIC-EM
GUI:
SNMPv2c
SNMPv3
SNMP Properties
Note
You can also configure SNMP for device discovery in the
Discovery window of the controller's GUI. For
information about the procedures to configure SNMP for device discovery in the
Discovery window, see the
Cisco Application Policy Infrastructure Controller Enterprise
Module Configuration Guide.
Important
You can use SNMP and
the existing security features in SNMP v3 to secure communications between the
controller and the devices in your network. SNMP v3 provides both privacy
(encryption) and authentication capabilities for these communications. If
possible for your network, we recommend that you use SNMPv3 with both privacy
and authentication enabled.
Configuring
SNMPv2c
You
configure SNMPv2c for device discovery in the
SNMPv2c window in the
Cisco APIC-EM
GUI. The SNMP values that you configure for SNMPv2c for the controller
must match the SNMPv2c values that have been configured for your network
devices.
Note
You can
configure up to five read community strings and five write community strings.
Figure 2. Configuring
SNMPv2c
SNMP is an application-layer protocol that provides a message format
for communication between SNMP managers and agents. SNMP provides a
standardized framework and a common language used for the monitoring and
management of devices in a network. The different versions of SNMP are SNMPv1,
SNMPv2, SNMPv2c, and SNMPv3.
SNMPv2c is the
community string-based administrative framework for SNMPv2. Community string is
a type of password, which is transmitted in clear text. SNMPv2c does not
provide authentication or encryption (noAuthNoPriv level of security).
Note
In addition to
configuring SNMPv2c for device discovery in the controller, a "best effort"
Cisco APIC-EM
discovery is in place, meaning that devices having SNMP with Read-Only (RO)
community string set to "public" will be discovered all the time irrespective
of the configured SNMP Read/Write community string.
Before you begin
You must have
successfully deployed the
Cisco APIC-EM
and it must be operational.
You must have your
network's SNMP information available for this configuration procedure.
You must have administrator
(ROLE_ADMIN) permissions and either access to all resources (RBAC scope set to
ALL) or an RBAC scope that contains all of the resources that you want to
group. For example, to create a group containing a specific set of resources,
you must have access to those resources (custom RBAC scope set to all of the
resources that you want to group).
For information about user permissions and RBAC scopes required to perform tasks using the Cisco APIC-EM, see the chapter,
"Managing Users".
Procedure
Step 1
In the
Home window, click either
admin or the
Settings icon (gear) at the top right corner of the
screen.
Step 2
Click the
Settings link from the drop-down menu.
Step 3
In the
Settings navigation pane, click
SNMPv2c to view the
SNMPv2c window.
Step 4
In the
SNMPv2c window, click
Read
Community.
Enter your
Read
Community values:
Name/Description—Description of the Read-Only (RO)
community string value and/or the device or devices that are configured with
it.
Read
Community—Read-Only community string value configured on devices
that you need the controller to connect to and access. This community string
value must match the community string value pre-configured on the devices that
the controller will connect to and access.
Confirm Read
Community—Reenter the Read-Only community string to confirm the
value that you just entered.
Note
If you are
configuring SNMPv2c for your discovery, then configuring
Read Community values is mandatory.
Step 5
Click
Save to save your
Read
Community values.
The
Read
Community values will appear in the table below.
Step 6
(Optional) In
the
SNMPv2c window, click
Write
Community.
Enter your
Write
Community
values:
Name/Description—Description of the Write community
string value and/or the device or devices that are configured with it.
Write
Community—Write community string value configured on devices that
you need the controller to connect to and access. This community string value
must match the community string value pre-configured on the devices that the
controller will connect to and access.
Confirm Write
Community—Reenter the Write community string to confirm the value
that you just entered.
Step 7
(Optional) Click
Save to save your
Write
Community values.
The
Write Community values will appear in the table
below.
What to do next
If required for your
SNMP configuration, proceed to configure either
SNMPv3 or
SNMP
Properties using the GUI.
Configuring
SNMPv3
You configure
SNMPv3 for device discovery in the
SNMPv3 window in the
Cisco APIC-EM
GUI. The SNMP values that you configure for SNMPv3 for the controller must
match the SNMPv3 values that have been configured for your network devices. You
can configure up to five SNMPv3 settings.
Figure 3. Configuring
SNMPv3
SNMP is an application-layer protocol that provides a message format
for communication between SNMP managers and agents. SNMP provides a
standardized framework and a common language used for the monitoring and
management of devices in a network. The different versions of SNMP are SNMPv1,
SNMPv2, SNMPv2c, and SNMPv3.
SNMPv3 provides secure access to devices by a combination of
authenticating and encrypting frames over the network. The following are
supported SNMPv3 security models:
Message
integrity—Ensures that a packet has not been tampered with in-transit.
Authentication—Determines the message is from a valid source
Encryption—Scrambles the packet contents to prevent it from being seen by
unauthorized sources
SNMPv3 provides
for both security models and security levels. A security model is an
authentication strategy that is set up for a user and the role in which the
user resides. A security level is the permitted level of security within a
security model. A combination of a security model and a security level
determines which security mechanism is employed when handling an SNMP packet.
The security
level determines if an SNMP message needs to be protected from disclosure and
if the message needs to be authenticated. The various security levels that
exist within a security model are as follows:
noAuthNoPriv—Security level that does not provide authentication or encryption
AuthNoPriv—Security level that provides authentication but does not provide
encryption
AuthPriv—Security level that provides both authentication and encryption
The following
table identifies what the combinations of security models and levels mean:
Table 2. SNMP Security
Models and Levels
Model
Level
Authentication
Encryption
What
Happens
v2c
noAuthNoPriv
Community
String
No
Uses a
community string match for authentication.
v3
noAuthNoPriv
User Name
No
Uses a
username match for authentication.
v3
AuthNoPriv
Either:
HMAC-MD5
HMAC-SHA
No
Provides
authentication based on the Hash-Based Message Authentication Code (HMAC)
Message Digest 5 (MD5) algorithm or the HMAC Secure Hash algorithm (SHA)
v3
AuthPriv
Either:
HMAC-MD5
HMAC-SHA
Either:
CBC-DES
CBC-AES-128
Provides
authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
Provides Data Encryption Standard (DES) 56-bit encryption in
addition to authentication based on the Cipher Block Chaining (CBC) DES
(DES-56) standard or CBC-mode AES for encryption.
Before you begin
You must have
successfully deployed the
Cisco APIC-EM
and it must be operational.
You must have your
network's SNMP information available for this configuration procedure.
You must have administrator
(ROLE_ADMIN) permissions and either access to all resources (RBAC scope set to
ALL) or an RBAC scope that contains all of the resources that you want to
group. For example, to create a group containing a specific set of resources,
you must have access to those resources (custom RBAC scope set to all of the
resources that you want to group).
For information about user permissions and RBAC scopes required to perform tasks using the Cisco APIC-EM, see the chapter,
"Managing Users".
Note
With SNMPv3, passwords (or passphrases) must be at least 8 characters in length (minimum). Additionally, for several
Cisco Wireless LAN controllers, passwords (or passphrases) must be at least 12 characters in length (minimum). Failure to
ensure these required minimum character lengths for the passwords will result in devices not being discovered, monitored,
and/or managed by the controller.
Procedure
Step 1
In the
Home window, click either
admin or the
Settings icon (gear) at the top right corner of the
screen.
Step 2
Click the
Settings link from the drop-down menu.
Step 3
In the
Settings navigation pane, click
SNMPv3 to view the
SNMPv3 window.
If you use
SNMPv3 in your network to monitor and manage devices, then configure the SNMPv3
values for discovery for your network.
Step 4
In the
SNMPv3 window, enter a
Username value and choose a
Mode from the drop down menu.
The following
Mode options are available:
AuthPriv
AuthNoPriv
NoAuthNoPriv
Note
Subsequent
SNMPv3 configuration options might or might not be
available depending upon your selection for this step.
Step 5
If you selected
AuthPriv or
AuthNoPriv as a
Mode option, then choose an
Authentication type from the drop down menu and
enter an authentication password.
The following
Authentication options are available:
SHA—Authentication based on the Hash-Based Message
Authentication Code (HMAC), Secure Hash algorithm (SHA) algorithm
MD5—Authentication based on the Hash-Based Message
Authentication Code (HMAC), Message Digest 5 (MD5) algorithm
Step 6
If you selected
AuthPriv as a
Mode option, then choose a
Privacy type from the drop down menu and enter a
SNMPv3 privacy password.
The SNMPv3
privacy password is used to generate the secret key used for encryption of
messages exchanged with devices that support DES or AES128 encryption.
The following
Privacy type options are available:
DES—Data
Encryption Standard (DES) 56-bit encryption in addition to authentication based
on the Cipher Block Chaining (CBC) DES (DES-56) standard.
AES128—Cipher
Block Chaining (CBC) mode AES for encryption.
Step 7
Click
Save to save your SNMPv3 configuration values.
The
SNMPv3 configured values will appear in the table
below.
What to do next
If required for your
SNMP configuration, proceed to configure either
SNMPv2c or
SNMP
Properties using the GUI.
Configuring SNMP
Properties
You configure SNMP
properties for device discovery in the
SNMP
Properties window in the
Cisco APIC-EM
GUI.
Figure 4. Configuring
SNMP Properties
Before you begin
You must have
successfully deployed the
Cisco APIC-EM
and it must be operational.
You must have your
network's SNMP information available for this configuration procedure.
You must have administrator
(ROLE_ADMIN) permissions and either access to all resources (RBAC scope set to
ALL) or an RBAC scope that contains all of the resources that you want to
group. For example, to create a group containing a specific set of resources,
you must have access to those resources (custom RBAC scope set to all of the
resources that you want to group).
For information about user permissions and RBAC scopes required to perform tasks using the Cisco APIC-EM, see the chapter,
"Managing Users".
Procedure
Step 1
In the
Home window, click either
admin or the
Settings icon (gear) at the top right corner of the
screen.
Step 2
Click the
Settings link from the drop-down menu.
Step 3
In the
Settings navigation pane, click
SNMP
Properties to view the
SNMP
Properties window.
Configure the
SNMP property settings for discovery in your network.
Step 4
In the
SNMP
Properties window, enter a value in the
Retries field.
The value
entered in this field is the number of attempts the controller attempts to use
SNMP to communicate with your network devices.
Step 5
In the
SNMP
Properties window, enter a value in the
Timeout field.
The value
entered in this field is the length of time in seconds the controller attempts
to use SNMP to communicate with your network devices.
Step 6
Click
Apply to save your SNMP configuration values.
You can also
click Revert to
Defaults to revert to the SNMP property default values. The
following are the SNMP property default values:
Retries—3
Timeout—5
What to do next
If required for your
SNMP configuration, proceed to configure either
SNMPv2c or
SNMPv3 using the GUI.
Enabling Device
Controllability
You can enable device controllability in the Device Controllability window of the Cisco APIC-EM GUI. When you enable device controllability, the controller performs two actions during a discovery:
The
controller automatically configures (applies) the SNMP credentials that you
entered using the controller's GUI on any network devices without SNMP
credentials (SNMPv2c and/or SNMPv3).
The controller automatically enables IP device tracking (IPDT) on any network devices where it is supported.
Note
If you want to discover hosts through a trunk interface, you must manually enable IPDT on the trunk interface.
IPDT is enabled only on devices that are identified as Access role in Device Inventory window during the initial inventory collection. The device does not need to be in a Managed state to have IPDT enabled. The IPDT configuration is applied to devices as long as Device Inventory has the device's software
version, role, and so on.
Note
The device controllability functionality depends upon whether the CLI credentials provided by the user permits the controller
to log into the device in enable mode (privilege level 15 for Cisco IOS devices).
Figure 5. Enabling Device Controllability
Before you begin
You must have successfully deployed the Cisco APIC-EM and it must be operational.
You must have administrator
(ROLE_ADMIN) permissions and either access to all resources (RBAC scope set to
ALL) or an RBAC scope that contains all of the resources that you want to
group. For example, to create a group containing a specific set of resources,
you must have access to those resources (custom RBAC scope set to all of the
resources that you want to group).
For information about user permissions and RBAC scopes required to perform tasks using the Cisco APIC-EM, see the chapter,
"Managing Users".
Procedure
Step 1
In the
Home window, click either
admin or the
Settings icon (gear) at the top right corner of the
screen.
Step 2
Click the
Settings link from the drop-down menu.
Step 3
In the
Settings navigation pane, click
Device
Controllability to view the
Device
Controllability window.
Step 4
(Optional) Click
Yes for
SNMP
Autoconfig to automatically to enable this feature.
Clicking
Yes for
SNMP
Autoconfig automatically applies the SNMP credentials you
configured using the controller's GUI to any devices in your network without an
SNMP configuration.
Step 5
(Optional)
Click
Yes for
IPDT
Autoconfig to enable this feature.
Clicking
Yes for
IPDT
Autoconfig automatically enables IP device tracking (IPDT) on any
devices in your network where it is supported but not enabled.
Step 6
Click
Save to save your configuration.
What to do next
If you have not
already done so, configure SNMP in either the
Discovery window or the appropriate
CLI
Credentials window for SNMP in
Settings.
Configuring the
Polling Interval
You can configure the polling interval for inventory data collection
for devices managed by
Cisco APIC-EM.
This polling interval configuration will be used for all managed devices,
unless the polling interval of a device is updated specifically in the
Inventory page.
You configure the
polling interval in the
Polling
Interval Settings window of the
Cisco APIC-EM
GUI.
Note
The polling interval value that you configure is a global value
used for performing periodic inventory data collection, it is not used for
discovering the device.
Figure 6. Polling
Interval Window
Before you begin
You must have
successfully deployed the
Cisco APIC-EM
and it must be operational.
You must have administrator
(ROLE_ADMIN) permissions and either access to all resources (RBAC scope set to
ALL) or an RBAC scope that contains all of the resources that you want to
group. For example, to create a group containing a specific set of resources,
you must have access to those resources (custom RBAC scope set to all of the
resources that you want to group).
For information about user permissions and RBAC scopes required to perform tasks using the Cisco APIC-EM, see the chapter,
"Managing Users".
Procedure
Step 1
In the
Home window, click either
admin or the
Settings icon (gear) at the top right corner of the
screen.
Step 2
Click the
Settings link from the drop-down menu.
Step 3
In the
Settings navigation pane, click
Polling
Interval to view the
Polling
Interval window.
Step 4
Enter a polling
interval value in minutes in the
Polling
Interval field.
The default
polling interval is 25 minutes for device discovery by the controller.
Step 5
Click
Save to save your polling interval configuration.
Performing Discovery
Performing Discovery Using CDP
You can discover devices and hosts using CDP.
Figure 7. Discovery Using CDP
Figure 8. Discovery Using CDP
Before you begin
You must have administrator
(ROLE_ADMIN) permissions and access to all devices (RBAC Scope set to ALL) to
perform this procedure.
CDP must be enabled on the devices in order for them to be discovered.
Note
CDP is required for the hostname column to be populated.
In the Discovery Name field, enter a unique name for the discovery job.
Step 4
In the IP Ranges area, configure the following settings:
In the Type field, choose CDP.
In the IP Address field, enter a seed IP address for the Cisco APIC-EM to use to start the discovery scan.
(Optional) In the Subnet Filter field, enter the IP address or subnet and click + the plus sign..
You can enter the address as an individual IP address (x.x.x.x) or as a classless inter-domain routing (CIDR) address (x.x.x.x/y) where x.x.x.x refers to the IP address and y refers to the subnet mask. The subnet mask can be a value from 0 to 32.
Repeat this step to exclude multiple subnets from the discovery job.
(Optional) In the CDP Level field, enter the number of hops from the seed device that you want to scan.
Valid values are from 1 to 16. The default value is 16. For example, CDP level 3 means that CDP will scan up to three hops
from the seed device.
Step 5
Open the Credentials area and configure the credentials that you want to use for the discovery job.
You can configure credentials to be used for the current discovery job, or you can check the Save as global settings checkbox to save the credentials for future discovery jobs.
Make sure that any global credentials that you want to use are checked. If you do not want to use a credential, remove it
by clicking the check mark.
To add additional credentials, click + Add Credentials, complete the fields in the following tables for the credentials that you want to use, and click Add.
With the SNMP Autoconfig option enabled under Settings > Device Controllability, Cisco APIC-EM configures devices that do not have SNMP credentials with the SNMP credentials set in Global Settings or in the specific
discovery job, whichever one takes priority.
Discovery requires the correct SNMP Read Only (RO) community string. If an SNMP RO community string is not provided, as a
best effort, discovery uses the default SNMP RO community string, "public."
Note
CLI credentials are not required to discover hosts; hosts are discovered through the devices that they are connected to.
Table 3. CLI Credentials
Field
Description
Username
Username that is used to log into the command line interface (CLI) of the devices in your network.
Password
Confirm Password
Password that is used to log into the CLI of the devices in your network.
For security reasons, you must enter the password again as confirmation.
Passwords are encrypted for security reasons and are not displayed in the configuration.
Enable Password
Confirm Enable Password
Password used to move to a higher privilege level in the CLI.
For security reasons, you must enter the enable password again as confirmation.
Passwords are encrypted for security reasons and are not displayed in the configuration.
Table 4. SNMP v2c Credentials
Field
Description
Read
SNMP read-only (RO) community string configuration, which comprises the following fields:
Name/Description—Name or description of the SNMP v2c settings that you are adding.
Read Community and Confirm Read Community—Read-only community string password used only to view SNMP information on the device.
Note
Passwords are encrypted for security reasons and are not displayed in the configuration.
Note
To enable discovery on the network devices, configure the network device's IP host address as the client address.
Write
SNMP read-write (RW) community string configuration, which comprises the following fields:
Name/Description—Name or description of the SNMP v2c settings that you are adding.
Write Community and Confirm Write Community—Read/Write community string password used to view and make changes to SNMP information on the device.
Note
Passwords are encrypted for security reasons and are not displayed in the configuration.
Note
To enable discovery on the network devices, configure the network device's host IP address as the client IP address.
Table 5. SNMP v3 Credentials
Field
Description
Username
Username associated with the SNMPv3 settings.
Mode
Specifies the security level that an SNMP message requires and whether the message needs to be authenticated. Choose one of
the following modes:
noAuthNoPriv—Security level that does not provide authentication or encryption
AuthNoPriv—Security level that provides authentication but does not provide encryption
AuthPriv—Security level that provides both authentication and encryption
Auth Password
SNMPv3 password used for gaining access to information from devices that use SNMPv3.
Note
Passwords are encrypted for security reasons and are not displayed in the configuration.
Auth Type
Specifies the authentication type to be used.
SHA—Authentication based on the Hash-Based Message Authentication Code (HMAC), Secure Hash algorithm (SHA) algorithm
MD5—Authentication based on the Hash-Based Message Authentication Code (HMAC), Message Digest 5 (MD5) algorithm
None—No authentication
Privacy Password
SNMPv3 privacy password is used to generate the secret key used for encryption of messages exchanged with devices that support
DES or AES128 encryption.
Note
Passwords are encrypted for security reasons and are not displayed in the configuration.
Privacy Type
Specifies the privacy type:
DES—Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES
(DES-56) standard.
AES128—Cipher Block Chaining (CBC) mode AES for encryption.
None—No privacy
Table 6. SNMP Properties
Field
Description
Retries
Number of attempts to connect to the device. Valid values are from 0 to 4 attempts.
Timeout (in Seconds)
Number of seconds the controller waits when trying to establish a connection with a device before timing out. Valid values
are from 5 to 120 seconds in intervals of 5 seconds.
Step 6
(Optional) To configure the protocols to be used to connect with devices, open the Advanced area and do the following:
Click the protocols that you want to use. A green checkmark indicates that the protocol is selected.
Valid protocols are SSH (default) and Telnet.
Drag and drop the protocols in the order that you want them to be used.
Step 7
Click
Start
Discovery.
The
Discoveries window displays the results of your scan.
The
Discovery Details pane shows the status (active or
inactive) and the discovery configuration. The
Discovery Devices pane displays the host names, IP
addresses, and status of the discovered devices for the selected discovery.
Performing Discovery Using an IP Address Range
You can discover devices using an IP address range.
Figure 9. Discovery Using IP Address Range
Before you begin
You must have administrator
(ROLE_ADMIN) permissions and access to all devices (RBAC Scope set to ALL) to
perform this procedure.
In the Discovery Name field, enter a unique name for the discovery job.
Step 4
If the Discovery Details pane does not appear, click Add New.
Step 5
In the Discovery Name field, enter a unique name for this discovery.
Step 6
In the
IP
Ranges area, do the following:
From the
Discovery Type field, choose
Range for the discovery scan type.
In the IP Address field, enter the beginning and ending IP addresses (IP range) for the devices being discovered and click + (the plus sign).
You can enter a single IP address range or multiple IP addresses for the discovery scan.
Repeat Step b to enter additional IP address
ranges.
Step 7
Open the Credentials area and configure the credentials that you want to use for the discovery job.
You can configure credentials to be used for the current discovery job, or you can check the Save as global settings checkbox to save the credentials for future discovery jobs.
Make sure that any global credentials that you want to use are checked. If you do not want to use a credential, remove it
by clicking the check mark.
To add additional credentials, click + Add Credentials, complete the fields in the following tables for the credentials that you want to use, and click Save.
With the SNMP Autoconfig option enabled under Settings > Device Controllability, Cisco APIC-EM configures devices that do not have SNMP credentials with the SNMP credentials set in Global Settings or in the specific
discovery job, whichever one takes priority.
Discovery requires the correct SNMP Read Only (RO) community string. If an SNMP RO community string is not provided, as a
best effort, discovery uses the default SNMP RO community string, "public."
Note
CLI credentials are not required to discover hosts; hosts are discovered through the devices that they are connected to.
Table 7. CLI Credentials
Field
Description
Username
Username that is used to log into the command line interface (CLI) of the devices in your network.
Password
Confirm Password
Password that is used to log into the CLI of the devices in your network.
For security reasons, you must enter the password again as confirmation.
Passwords are encrypted for security reasons and are not displayed in the configuration.
Enable Password
Confirm Enable Password
Password used to move to a higher privilege level in the CLI.
For security reasons, you must enter the enable password again as confirmation.
Passwords are encrypted for security reasons and are not displayed in the configuration.
Table 8. SNMP v2c Credentials
Field
Description
Read
SNMP read-only (RO) community string configuration, which comprises the following fields:
Name/Description—Name or description of the SNMP v2c settings that you are adding.
Read Community and Confirm Read Community—Read-only community string used only to view SNMP information on the device.
Note
Passwords are encrypted for security reasons and are not displayed in the configuration.
Note
To enable discovery on the network devices, configure the network device's IP host address as the client address.
Write
SNMP read-write (RW) community string configuration, which comprises the following fields:
Name/Description—Name or description of the SNMP v2c settings that you are adding.
Write Community and Confirm Write Community—Read/Write community string used to view and make changes to SNMP information on the device.
Note
Passwords are encrypted for security reasons and are not displayed in the configuration.
Note
To enable discovery on the network devices, configure the network device's IP host address as the client address.
Table 9. SNMP v3 Credentials
Field
Description
Username
Username associated with the SNMPv3 settings.
Mode
Specifies the security level that an SNMP message requires and whether the message needs to be authenticated. Choose one of
the following modes:
noAuthNoPriv—Security level that does not provide authentication or encryption
AuthNoPriv—Security level that provides authentication but does not provide encryption
AuthPriv—Security level that provides both authentication and encryption
Auth Password
SNMPv3 password used for gaining access to information from devices that use SNMPv3.
Auth Type
Specifies the authentication type to be used.
SHA—Authentication based on the Hash-Based Message Authentication Code (HMAC), Secure Hash algorithm (SHA) algorithm
MD5—Authentication based on the Hash-Based Message Authentication Code (HMAC), Message Digest 5 (MD5) algorithm
None—No authentication
Privacy Password
SNMPv3 privacy password is used to generate the secret key used for encryption of messages exchanged with devices that support
DES or AES128 encryption.
Privacy Type
Specifies the privacy type:
DES—Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES
(DES-56) standard.
AES128—Cipher Block Chaining (CBC) mode AES for encryption.
None—No privacy
Table 10. SNMP Properties
Field
Description
Retries
Number of attempts to connect to the device. Valid values are from 0 to 4 attempts.
Timeout (in Seconds)
Number of seconds the controller waits when trying to establish a connection with a device before timing out. Valid values
are from 5 to 120 seconds in intervals of 5 seconds.
Step 8
Click Start Discovery.
The Discoveries window displays the results of your scan.
The Discovery Details pane shows the status (active or inactive) and the discovery configuration. The Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices for the selected discovery.
Step 9
(Optional) To configure the protocols to be used to connect with devices, open the Advanced area and do the following:
Click the protocols that you want to use. A green checkmark indicates that the protocol is selected.
Valid protocols are SSH (default) and Telnet.
Drag and drop the protocols in the order that you want them to be used.
Copying a Discovery Job
You can copy a discovery job and retain all of the information defined for the job, except the SNMP and CLI credentials. The
SNMP and CLI credentials are included in the copy only if you used global credentials (saved in Settings) for the original job. If you defined specific (one-time only) SNMP and CLI credentials for the original job, the credentials
are not copied.
Before you begin
You have created at least one discovery scan.
Procedure
Step 1
From the Navigation pane, click Discovery.
Step 2
From the Discoveries pane, select the discovery job.
Step 3
From the Discovery Details pane, click Copy.
The discovery job is copied, and the new job is named Copy of Discovery_Job.
Step 4
(Optional) Change the name of the discovery job.
Step 5
Define or update the SNMP and CLI credentials and any other parameters for the discovery job.
Stopping and Starting a Discovery Job
You can stop a discovery job that is in progress, and restart it.
Before you begin
You must have administrator
(ROLE_ADMIN) permissions and access to all devices (RBAC Scope set to ALL) to
perform this procedure.
Procedure
Step 1
From the
Navigation pane, click
Discovery.
Step 2
To stop an active discovery job, do the following:
From the Discoveries pane, select the discovery job.
From the
Discovery Details pane, click
Stop.
Click OK to confirm that you want to stop the discovery job.
Step 3
To restart an inactive discovery, do the following:
From the Discoveries pane, select the discovery job.
From the
Discovery Details pane, click
Start.
Deleting a Discovery Job
You can delete a discovery job whether it is active or inactive.
Before you begin
You must have administrator
(ROLE_ADMIN) permissions and access to all devices (RBAC Scope set to ALL) to
perform this procedure.
Procedure
Step 1
From the
Navigation pane, click
Discovery.
Step 2
From the Discoveries pane, select the discovery job that you want to delete.
Step 3
From the
Discovery Details pane, click
Delete.
Step 4
Click
OK to confirm that you want to delete the
discovery.
Understanding the
Discovery Results
The Discovery Results pane provides information about the selected scan.
To access the Discovery Results pane, do the following:
From the Navigation pane, click Discovery.
From the Discoveries pane, select the discovery job that you want to display.
The Discovery Results pane appears. See the following figures and table for information.
From this area, you can delete, clone, edit, or start a discovery job.
Discovery Details area
Open this area to display detailed information about the parameters that were used to perform the discovery, including the
CDP level (if used), protocol order, retry count, timeout value, IP address (seed) or range of IP addresses used, and IP address
filter list.
Credentials area
Open this area to display the credentials used in the discovery job and identifies them as either global or job-specific.
Last Runs area
Open this area to display a table showing information about each iteration of the discovery job, including the job number,
its status, an option to view the devices discovered, and the duration of the job. Clicking the View link in the Devices column opens the Devices pane.
Devices pane
(Shown when you open the Last Runs area and click the View link in the Devices column.)
The devices pane displays the results of the device discovery in two forms:
List—For each device, provides the following information:
IP address—IP addresses of the devices that Cisco APIC-EM discovered or attempted to discover.
Device name—Name of the device, if available.
Status—Status of the discovery for the device. Possible states are success, unreachable, failure, not tried, or unavailable.
Internet Control Message Protocol (ICMP)—Status of the ICMP for the device.
SNMP—Status of theCisco APIC-EM's use of the SNMP settings to gather SNMP information from the device.
CLI—Status of theCisco APIC-EM's use of the CLI username and passwords to gather information from the device.
Chart—Displays a circle graph showing the proportional representation of successful versus failed discovered devices.