CISCO Prime Network Registrar 11.1 User Guide
- June 16, 2024
- Cisco
CISCO Prime Network Registrar 11.1
Product Information
Specifications
- Product Name: Cisco Prime Network Registrar 11.1
- Publication Date: 2022-07-13
- Manufacturer: Cisco Systems, Inc.
- Headquarters: San Jose, CA, USA
- Website: http://www.cisco.com
- Contact: Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883
Introduction
Cisco Prime Network Registrar is a software solution designed for network administrators to manage and control IP addresses and phone numbers in a network environment. It provides configuration and performance guidelines, as well as support for various deployment scenarios.
Target Users
This product is intended for network administrators and IT professionals
responsible for managing IP address allocation and phone number assignments in
their network infrastructure.
Deployment Scenarios
The Cisco Prime Network Registrar can be deployed in various network
environments, including:
- Small-to-Medium-Size LANs
- Large Enterprise Networks
- Service Provider Networks
Configuration and Performance Guidelines
The following guidelines are provided for configuring and optimizing the
performance of Cisco Prime Network Registrar:
- General Configuration Guidelines
- Special Configuration Cases
- General Performance Guidelines
- Interoperability with Earlier Releases
Related Topics
For more information on configuration, performance, and deployment scenarios, refer to the relevant chapters in the administration guide.
Product Usage Instructions
Chapter 1: Getting Started
This chapter provides an introduction to Cisco Prime Network Registrar and
is intended for new users who are getting started with the product.
Chapter 2: Introduction to Cisco Prime Network Registrar
This chapter provides an overview of the features and capabilities of Cisco
Prime Network Registrar. It explains the target users, deployment scenarios,
and provides configuration and performance guidelines.
Cisco Prime Network Registrar 11.1 Administration Guide
First Published: 2022-07-13
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
© 2022 Cisco Systems, Inc. All rights reserved.
CONTENTS

PART I: Getting Started

CHAPTER 1: Introduction to Cisco Prime Network Registrar
· Target Users · Regional and Local Clusters · Deployment Scenarios ·
Small-to-Medium-Size LANs · Large Enterprise and Service Provider Networks ·
Configuration and Performance Guidelines · Related Topics · General
Configuration Guidelines · Special Configuration Cases · General Performance
Guidelines · Interoperability with Earlier Releases

CHAPTER 2: Cisco Prime Network Registrar User Interfaces
· Management Components · Introduction to the Web-Based User Interfaces ·
Supported Web Browsers · Access Security · Logging in to the Web UI · Multiple
Users · Changing Passwords · Navigating the Web UI · Waiting for Page
Resolution Before Proceeding · Committing Changes in the Web UI · Role and
Attribute Visibility Settings · Displaying and Modifying Attributes · Grouping
and Sorting Attributes · Modifying Attributes · Displaying Attribute Help ·
Left Navigation Pane · Help Pages · Logging Out · Local Cluster Web UI ·
Related Topics · Local Basic Main Menu Page · Local Advanced Main Menu Page ·
Setting Local User Preferences · Configuring Clusters in the Local Web UI ·
Regional Cluster Web UI · Related Topics · Command Line Interface · REST API ·
Global Search in Prime Network Registrar

CHAPTER 3: Server Status Dashboard
· Opening the Dashboard · Display Types · General Status Indicators · Graphic
Indicators for Levels of Alert · Magnifying and Converting Charts · Legends ·
Tables · Line Charts · Area Charts · Other Chart Types · Getting Help for the
Dashboard Elements · Customizing the Display · Refreshing Displays · Setting
the Polling Interval · Displaying Charts as Tables · Exporting to CSV Format ·
Selecting Dashboard Elements to Include · Configuring Server Chart Types ·
Host Metrics · System Metrics · JVM Memory Utilization

PART II: Local and Regional Administration

CHAPTER 4: Managing Administrators
· Administrators, Groups, Roles, and Tenants · How Administrators Relate to
Groups, Roles, and Tenants · Administrator Types · Roles, Subroles, and
Constraints · Groups · External Authentication Servers · Configuring a RADIUS
External Authentication Server · Configuring an AD External Authentication
Server · Managing Tenants · Adding a Tenant · Editing a Tenant · Managing
Tenant Data · Assigning a Local Cluster to a Single Tenant · Pushing and
Pulling Tenant Data · Assigning Tenants When Using External Authentication ·
Using cnr_exim With Tenant Data · Managing Administrators · Adding
Administrators · Editing Administrators · Deleting Administrators ·
Suspending/Reinstating Administrators · CLI Commands · Managing Passwords ·
Managing Groups · Adding Groups · Editing Groups · Deleting Groups · CLI
Commands · Managing Roles · Adding Roles · Editing Roles · Deleting Roles ·
CLI Commands · Granular Administration · Local Advanced and Regional Advanced
Web UI · Related Topics · Scope-Level Constraints · Prefix-Level Constraints ·
Link-Level Constraints · Centrally Managing Administrators · Pushing and
Pulling Administrators · Pushing Administrators to Local Clusters · Pushing
Administrators Automatically to Local Clusters · Pulling Administrators from
the Replica Database · Pushing and Pulling External Authentication Servers ·
Pushing and Pulling Groups · Pushing Groups to Local Clusters · Pulling Groups
from the Replica Database · Pushing and Pulling Roles · Pushing Roles to Local
Clusters · Pulling Roles from the Replica Database · Pushing and Pulling
Tenants · Pushing Tenants to Local Clusters · Pulling Tenants from the Replica
Database · Session Management · User Sessions · Active User Sessions · Logs
for Session Events

CHAPTER 5: Managing Owners and Regions
· Managing Owners · Local Advanced and Regional Advanced Web UI · CLI Commands
· Managing Regions · Local Advanced and Regional Advanced Web UI · CLI
Commands · Centrally Managing Owners and Regions · Pushing and Pulling Owners
or Regions · Pushing Owners or Regions to Local Clusters · Pulling Owners and
Regions from the Replica Database

CHAPTER 6: Managing the Central Configuration
· Central Configuration Tasks · Default Ports for Cisco Prime Network
Registrar Services · Firewall Considerations · DNS Performance and Firewall
Connection Tracking · Configuring Caching DNS to Use Umbrella · Licensing ·
Use Cisco Smart Licensing · Setting Up Smart Licensing in Cisco Prime Network
Registrar · Viewing Smart License Usage · Renewing License Authorization and
ID Certificate · Re-registering Cisco Prime Network Registrar with the CSSM
(or Satellite) · Deregistering Cisco Prime Network Registrar · Disabling Smart
Licensing · Using Smart License Reservation · Smart Product Registration and
License Authorization Statuses · Use Traditional Licensing · Adding
Traditional License · License History · License Utilization · Registering a
Local Cluster that is Behind a NAT · Configuring Server Clusters · Adding
Local Clusters · Editing Local Clusters · Connecting to Local Clusters ·
Synchronizing with Local Clusters · Replicating Local Cluster Data · Viewing
Replica Data · Purging Replica Data · Deactivating, Reactivating, and
Recovering Data for Clusters · Viewing Cluster Report · Central Configuration
Management Server · Managing CCM Server · Editing CCM Server Properties ·
Trivial File Transfer · Viewing and Editing the TFTP Server · Managing the
TFTP Server Network Interfaces · Simple Network Management · Setting Up the
SNMP Server · How Notification Works · Handling SNMP Notification Events ·
Handling Deactivated Scopes or Prefixes · Editing Trap Configuration ·
Deleting Trap Configuration · Server Up/Down Traps · Handling SNMP Queries ·
Integrating Cisco Prime Network Registrar SNMP into System SNMP · Polling
Process · Polling Utilization and Lease History Data · Adjusting the Polling
Intervals · Enabling Lease History Collection · Managing DHCP Scope Templates
· Pushing Scope Templates to Local Clusters · Pulling Scope Templates from
Replica Data · Managing DHCP Policies · Pushing Policies to Local Clusters ·
Pulling Policies from Replica Data · Managing DHCP Client-Classes · Pushing
Client-Classes to Local Clusters · Pulling Client-Classes from Replica Data ·
Managing Virtual Private Networks · Pushing VPNs to Local Clusters · Pulling
VPNs from Replica Data · Managing DHCP Failover Pairs · Regional Web UI · CLI
Commands · Managing Lease Reservations · DHCPv4 Reservations · DHCPv6
Reservations · Monitoring Resource Limit Alarms · Configuring Resource Limit
Alarm Thresholds · Setting Resource Limit Alarms Polling Interval · Viewing
Resource Limit Alarms · Certificate Management · Adding SSL/TLS Certificates ·
Pulling and Pushing SSL/TLS Certificates · Pushing SSL/TLS Certificates to
Local Clusters · Pulling SSL/TLS Certificates from the Replica Database · CLI
Commands · Cisco Prime Network Registrar Use of Certificates · Web UI ·
Configuration Management Server · Authoritative DNS Server · Caching DNS
Server · Certificate Expiration Notification · Local Cluster Management
Tutorial · Related Topics · Administrator Responsibilities and Tasks · Create
the Administrators · Create the Address Infrastructure · Create the Zone
Infrastructure · Create the Forward Zones · Create the Reverse Zones · Create
the Initial Hosts · Create a Host Administrator Role with Constraints · Create
a Group to Assign to the Host Administrator · Test the Host Address Range ·
Regional Cluster Management Tutorial · Administrator Responsibilities and
Tasks · Create the Regional Cluster Administrator · Create the Central
Configuration Administrator · Create the Local Clusters · Add a Router and
Modify an Interface · Add Zone Management to the Configuration Administrator ·
Create a Zone for the Local Cluster · Pull Zone Data and Create a Zone
Distribution · Create a Subnet and Pull Address Space · Push a DHCP Policy ·
Create a Scope Template · Create and Synchronize the Failover Pair

CHAPTER 7: Managing Routers and Router Interfaces
· Adding Routers · Local Advanced and Regional Advanced Web UI · CLI Commands
· Editing Routers · Local Advanced and Regional Advanced Web UI · CLI Commands
· Viewing and Editing the Router Interfaces · Local Advanced and Regional
Advanced Web UI · CLI Commands · Changeable Router Interface Attributes ·
Bundling Interfaces · Pushing and Reclaiming Subnets for Routers

CHAPTER 8: Maintaining Servers and Databases
· Managing Servers · Local and Regional Web UI · CLI Commands · Scheduling
Recurring Tasks · Local Web UI · CLI Commands · Logs · Log Files · Logging
Server Events · Logging Format and Settings · Searching the Logs · View Change
Log · Dynamic Update on Server Log Settings · Running Data Consistency Rules ·
Local and Regional Web UI · CLI Tool · Monitoring and Reporting Server Status
· Server States · Displaying Health · Server Health Status · Displaying
Statistics · DNS Statistics · CDNS Statistics · DHCP Statistics · TFTP
Statistics · Displaying IP Address Usage · Displaying Related Servers ·
Monitoring Remote Servers Using Persistent Events · DNS Zone Distribution
Servers · DHCP Failover Servers · Displaying Leases · Modifying the cnr.conf
File · Syslog Support · Troubleshooting DHCP and DNS Servers · Immediate
Troubleshooting Actions · Troubleshooting Server Failures · Troubleshooting
Tools · Using the TAC Tool · Using the statscollector Utility ·
Troubleshooting and Optimizing the TFTP Server · Tracing TFTP Server Activity
· Optimizing TFTP Message Logging · Enabling TFTP File Caching

CHAPTER 9: Backup and Recovery
· Backing Up Databases · Recommendation · Syntax and Location · Backup
Strategy · Manual Backup (Using cnr_shadow_backup utility) · Setting Automatic
Backup Time · Performing Manual Backups · Using Third-Party Backup Programs
with cnr_shadow_backup · Backing Up CNRDB Data · Backing Up All CNRDBs Using
tar or Similar Tools · Database Recovery Strategy · Recovering CNRDB Data from
Backups · Recovering All CNRDBs Using tar or Similar Tools · Recovering Single
CNRDB from tar or Similar Tools · Recovering from Regional Cluster Database
Issues · Handling Lease History Database Issues · Handling Subnet Utilization
Database Issues · Handling Replica Utilization Database Issues · Rebuilding
the Regional Cluster · Virus Scanning While Running Cisco Prime Network
Registrar · Troubleshooting Databases · Using the cnr_exim Data Import and
Export Tool · Using the cnrdb_recover Utility · Using the cnrdb_verify Utility
· Using the cnrdb_checkpoint Utility · Using the cnrdb_util Utility ·
Restoring DHCP Data from a Failover Server

CHAPTER 10: Managing Reports
· ARIN Reports and Allocation Reports · Managing ARIN Reports · Managing Point
of Contact and Organization Reports · Creating a Point of Contact Report ·
Registering a Point of Contact · Editing a Point of Contact Report · Creating
an Organization Report · Registering an Organization · Editing an Organization
Report · Managing IPv4 Address Space Utilization Reports · Regional Advanced
Web UI · Managing Shared WHOIS Project Allocation and Assignment Reports

PART III: Cisco Prime Network Registrar on Docker and Kubernetes

CHAPTER 11: Cisco Prime Network Registrar on Docker Container
· How to Run Cisco Prime Network Registrar as Docker Container

CHAPTER 12: Cisco Prime Network Registrar on Kubernetes
· How to Deploy Cisco Prime Network Registrar Instances on Kubernetes

APPENDIX A: Server Statistics
· DNS Statistics · CDNS Statistics · DHCP Statistics

Glossary
PART I
Getting Started
· Introduction to Cisco Prime Network Registrar
· Cisco Prime Network Registrar User Interfaces
· Server Status Dashboard
CHAPTER 1
Introduction to Cisco Prime Network Registrar
Cisco Prime Network Registrar is a full-featured, scalable Domain Name System
(DNS), Dynamic Host Configuration Protocol (DHCP), and Trivial File Transfer
Protocol (TFTP) implementation for medium to large IP networks. It provides
the key benefits of stabilizing the IP infrastructure and automating
networking services, such as configuring clients and provisioning cable
modems. This provides a foundation for policy-based networking. Service
provider and enterprise users can better manage their networks to integrate
with other network infrastructure software and business applications.
· Target Users
· Regional and Local Clusters
· Deployment Scenarios
· Configuration and Performance Guidelines
· Interoperability with Earlier Releases
Target Users
Cisco Prime Network Registrar is designed for these users:
· Internet service providers (ISPs)–Helps ISPs drive down the cost of
operating networks that provide leased line, dialup, and DSL (Point-to-Point
Protocol over Ethernet and DHCP) access to customers.
· Multiple service operators (MSOs)–Helps MSOs provide subscribers with
internet access using cable or wireless technologies. MSOs can benefit from
services and tools providing reliable and manageable DHCP and DNS services
that meet the Data Over Cable Service Interface Specification (DOCSIS). Cisco
Prime Network Registrar provides policy-based, robust, and scalable DNS and
DHCP services that form the basis for a complete cable modem provisioning
system.
· Enterprises–Helps meet the needs of single- and multisite enterprises
(small-to-large businesses) to administer and control network functions. Cisco
Prime Network Registrar automates the tasks of assigning IP addresses and
configuring the Transmission Control Protocol/Internet Protocol (TCP/IP)
software for individual network devices. Forward-looking enterprise users can
benefit from class-of-service and other features that help integrate with new
or existing network management applications, such as user registration.
Regional and Local Clusters
The regional cluster acts as an aggregate management system for up to a
hundred local clusters. Address and server administrators interact at the
regional and local clusters through the regional and local web-based user
interface (web UI), and local cluster administrators can continue to use the
command line interface (CLI) at the local cluster. The regional cluster
consists of a Central Configuration Management (CCM) server, Tomcat web
server, servlet engine, and server agent (see Management Components). License
management is done at the regional cluster, so the local server must be
registered with a regional server to obtain the necessary services. See the
“Overview” chapter in Cisco Prime Network Registrar 11.1 Installation Guide
for more details.
Figure 1: Cisco Prime Network Registrar User Interfaces and Server Clusters
A typical deployment is one regional cluster at a customer network operation
center (NOC), the central point of network operations for an organization.
Each division of the organization includes a local address management server
cluster responsible for managing a part of the network. The System
Configuration Protocol (SCP) communicates the configuration changes between
the servers.
Deployment Scenarios
The Cisco Prime Network Registrar regional cluster web UI provides a single
point to manage any number of local clusters hosting DNS, CDNS, DHCP, or TFTP
servers. The regional and local clusters also provide administrator management
so that you can assign administrative roles to users logged in to the
application. This section describes two basic administrative scenarios and the
hardware and software deployments for two different types of installations–a
small-to-medium local area network (LAN), and a large-enterprise or service-
provider network with three geographic locations.
Small-to-Medium-Size LANs
In this scenario, low-end Linux servers are acceptable. The image below shows
a configuration that would be adequate for this network.
Note: A regional server is a MUST in deployments for small and medium-sized LANs.
Figure 2: Small-to-Medium LAN Configuration
Large Enterprise and Service Provider Networks
In a large enterprise or service provider network serving over 500,000 DHCP
clients, use mid-range Linux servers. Put DNS and DHCP servers on different
systems. The image below shows the hardware that would be adequate for this
network.
When supporting geographically dispersed clients, locate DHCP servers at
remote locations to avoid disrupting local services if wide-area connections
fail. Install the Cisco Prime Network Registrar regional cluster to centrally
manage the distributed clusters.
Figure 3: Large Enterprise or Service Provider Network Configuration
Configuration and Performance Guidelines
Cisco Prime Network Registrar is an integrated DHCP, DNS, and TFTP server
cluster capable of running on a Linux workstation or server. Because of the
wide range of network topologies for which you can deploy Cisco Prime Network
Registrar, you should first consider the following guidelines. These
guidelines are very general and cover most cases. Specific or challenging
implementations could require additional hardware or servers.
Related Topics
· General Configuration Guidelines
· Special Configuration Cases
· General Performance Guidelines
General Configuration Guidelines
The following suggestions apply to most Cisco Prime Network Registrar
deployments:
· Configure a separate DHCP server to run in remote segments of the wide area
network (WAN).
Ensure that the DHCP client can consistently send a packet to the server in
under a second. The DHCP protocol dictates that the client receive a response
to a DHCPDISCOVER or DHCPREQUEST packet within four seconds of transmission.
Many clients (notably early releases of the Microsoft DHCP stack) actually
implement a two-second timeout.
· In large deployments, separate the secondary DHCP server from the primary
DNS server used for dynamic DNS updates.
Because lease requests and dynamic DNS updates are persisted to disk, server
performance is impacted when using a common disk system. So that the DNS
server is not adversely affected, run it on a different cluster than the DHCP
server.
· Include a time server in your configuration to deal with time differences
between the local and regional clusters so that aggregated data at the
regional server appears in a consistent way. See Polling Utilization and
Lease History Data.
· Set DHCP lease times in policies to four to ten days.
To prevent leases from expiring when the DHCP client is turned off (overnight
or over long weekends), set the DHCP lease time longer than the longest period
of expected downtime, such as seven days. See the “Managing Leases” section in
Cisco Prime Network Registrar 11.1 DHCP User Guide.
· Locate backup DNS servers on separate network segments.
DNS servers are redundant by nature. However, to minimize client impact during
a network failure, ensure that primary and secondary DNS servers are on
separate network segments.
· If there are high dynamic DNS update rates in the network, configure
separate DNS servers for forward and reverse zones.
· Use NOTIFY/IXFR.
Secondary DNS servers can receive their data from the primary DNS server in
two ways: through a full zone transfer (AXFR) or an incremental zone transfer
(NOTIFY/IXFR, as described in RFCs 1995 and 1996). Use NOTIFY/IXFR in
environments where the name space is relatively dynamic. This reduces the
number of records transferred from the primary to the secondary server. See
the “Enabling Incremental Zone Transfers (IXFR)” section in Cisco Prime
Network Registrar 11.1 Authoritative and Caching DNS User Guide.
Special Configuration Cases
The following suggestions apply to some special configurations:
· When using dynamic DNS updates for large deployments or very dynamic
networks, divide primary and secondary DNS and DHCP servers across multiple
clusters.
Dynamic DNS updates generate an additional load on all Cisco Prime Network
Registrar servers as new DHCP lease requests trigger dynamic DNS updates to
primary servers that update secondary servers through zone transfers.
· During network reconfiguration, set DHCP lease renewal times to a small
value.
Do this several days before making changes in network infrastructure (such as
to gateway router and DNS server addresses). A renewal time of eight hours
ensures that all DHCP clients receive a changed DHCP option parameter within
one working day. See the “Managing Leases” section in Cisco Prime Network
Registrar 11.1 DHCP User Guide.
General Performance Guidelines
For Cisco Prime Network Registrar, the general guideline is to invest in the
highest performance disk I/O subsystem available, then memory, and finally the
processors. DHCP and Authoritative DNS (especially if using DNS updates) will
be most impacted by disk latency, then memory and network performance, and
finally CPU (these applications are not CPU intensive).
· The best way to reduce latency and improve performance is to provide
high-performance disks (SSDs are recommended over traditional hard disks).
High-performance disk controllers are also recommended. This is especially
important for DHCP and Authoritative DNS servers that handle Dynamic Updates.
· Providing lots of memory is also important as it reduces disk read
requirements if the file system cache can be used. The recommendation here is
to assure that a system has sufficient free memory that is twice the size of
the Cisco Prime Network Registrar databases. It is difficult to give exact
requirements here as it depends on many variables.
· Network performance is also an important consideration and 1 GB or better
Ethernet controllers are recommended.
· As most Cisco Prime Network Registrar uses are not CPU intensive, the CPU
performance tends to be least important.
Interoperability with Earlier Releases
The following table shows the interoperability of Cisco Prime Network
Registrar features on the regional CCM server with versions of the local
cluster.
Table 1: CCM Regional Feature Interoperability with Server Versions

Feature                                       Local Cluster Version
                                              9.0   9.1   10.0  10.1  11.0  11.1
Push and pull:
  Address space                               x     x     x     x     x     x
  IPv6 address space                          x     x     x     x     x     x
  Scope templates, policies, client-classes   x     x     x     x     x     x
  IPv6 prefix and link templates              x     x     x     x     x     x
  Zone data and templates                     x     x     x     x     x     x
  Groups, owners, regions                     x     x     x     x     x     x
  Resource records (RRs)                      x     x     x     x     x     x
  Local cluster restoration                   x     x     x     x     x     x
  Host administration                         x     x     x     x     x     x
  Extended host administration                x     x     x     x     x     x
  Administrators and roles                    x     x     x     x     x     x
  Zone Views                                  x     x     x     x     x     x
Administrator:
  Single sign-on                              x     x     x     x     x     x
  Password change                             x     x     x     x     x     x
IP history reporting:
  Lease history                               x     x     x     x     x     x
  Detailed lease history                      x     x     x     x     x     x
Utilization reporting:
  DHCP utilization history (v4 History)       x     x     x     x     x     x
  DHCP utilization history (v6 History)       x in five of the six columns
  Subnet and scope utilization                x     x     x     x     x     x
  IPv6 prefix utilization                     x     x     x     x     x     x
CHAPTER 2
Cisco Prime Network Registrar User Interfaces
Cisco Prime Network Registrar provides a regional and a local web UI and a
regional and local CLI to manage the CDNS, DNS, DHCP, TFTP, and CCM servers:
· Web UI for the regional cluster to access local cluster servers–See Regional
Cluster Web UI.
· Web UI for the local cluster–See Local Cluster Web UI.
· CLI for the local clusters–Open the CLIContent.html file in the installation
/docs directory (see Command Line Interface).
· REST API–See REST API.
· CCM servers that provide the infrastructure to support these interfaces–See
Central Configuration Management Server.
This chapter describes the Cisco Prime Network Registrar user interfaces and
the services that the CCM servers provide. Read this chapter before starting
to configure the Cisco Prime Network Registrar servers so that you become
familiar with each user interface capability.
· Management Components
· Introduction to the Web-Based User Interfaces
· Local Cluster Web UI
· Regional Cluster Web UI
· Command Line Interface
· REST API
· Global Search in Prime Network Registrar
Management Components
Cisco Prime Network Registrar contains two management components:
· Regional component, consisting of:
  · Web UI
  · CLI
  · CCM Server
  · Simple Network Management Protocol (SNMP) server
· Local component, consisting of:
  · Web UI
  · CLI
  · CCM server
  · Authoritative Domain Name System (DNS) server
  · Caching / Recursive Domain Name System (CDNS) server
  · Dynamic Host Configuration Protocol (DHCP) server
  · Trivial File Transfer Protocol (TFTP) server
  · SNMP server
  · Management of local address space, zones, scopes, DHCPv6 prefixes and
    links, and users
Note: Cisco Prime Network Registrar includes a Hybrid DNS feature that allows
you to run both the Caching DNS and Authoritative DNS servers on the same
operating system without two separate virtual or physical machines. However,
Cisco recommends hybrid mode for smaller-sized deployments only. For larger
deployments, Cisco recommends separating Caching and Authoritative DNS on
separate physical machines or VMs.
License management is done from the regional cluster when Cisco Prime Network
Registrar is installed. You must install the regional server first and load
all licenses in the regional server. When you install the local cluster, it
registers with regional to obtain its license.
The regional CCM server provides central management of local clusters, with an
aggregated view of DHCP address space and DNS zones. It provides management of
the distributed address space, zones, scopes, DHCPv6 prefixes and links, and
users.
The local CCM server provides management of the local address space, zones,
scopes, DHCPv6 prefixes and links, and users.
The remainder of this chapter describes the TFTP and SNMP protocols. The CCM
server, web UI, and CLI are described in Cisco Prime Network Registrar User
Interfaces, on page 9. The DNS, CDNS, and DHCP servers are described in their
respective sections.
Introduction to the Web-Based User Interfaces
The web UI provides granular access to configuration data through user roles
and constraints. The UI provides quick access to common functions. The web UI
granularity is described in the following sections.
Supported Web Browsers
The web UI has been tested on Microsoft Edge 89, Mozilla Firefox 86, and
Google Chrome 89. Internet Explorer is not supported.
Access Security
At Cisco Prime Network Registrar installation, you can choose to configure
HTTPS to support secure client access to the web UI. You must specify the
HTTPS port number and provide the keystore at that time. With HTTPS security
in effect, the web UI Login page indicates that the “Page is SSL[1] Secure.”
Note: Do not use a dollar sign ($) symbol as part of a keystore password.
Logging in to the Web UI
You can log in to the Cisco Prime Network Registrar local or regional cluster
web UI by HTTPS secure login. After installing Cisco Prime Network Registrar,
open one of the supported web browsers and specify the login location URL in
the browser address. Login is convenient and provides some memory features to
increase the login speed. You can log in using a secure login as follows: Open
the web browser and go to the website. For example, if default ports were used
during the installation, the URLs would be https://hostname:8443 for the local
cluster web UI, and https://hostname:8453 for the regional cluster web UI.
Note: Open the regional web UI first and add the licenses for the required
services.
If you are logging in for the first time, this opens the Add Superuser
Administrator page. Enter the superuser administrator name and password, and
then click the Add button. Smart Licensing is enabled by default in Cisco
Prime Network Registrar. Click the Configure Smart Licensing link in the alert
window to open the Smart Software Licensing page and set up Smart Licensing.
For details, see Use Cisco Smart Licensing, on page 84. If you want to use
traditional licensing, you must disable Smart Licensing first (see Disabling
Smart Licensing, on page 89). Then, enter the license information as follows:
Click Use Traditional Licensing, then click Browse in the New Product
Installation page, and add the valid license. If the license key is
acceptable, the Cisco Prime Network Registrar login page is displayed.
Note: You can add the licenses only in the regional server. The local cluster
must be registered with the regional server at the time of installation to run
the desired licensed services.
In the local server, confirm the regional server IP address and port number
and also the services you want to run at the time of your first login. Click
Register to confirm registration. If the regional server is configured with
the required licenses, the login page is displayed. Enter the superuser
username and password that were created during the first login to log in to the
web UI. The password is case-sensitive (see Managing Passwords, on page 55).
[1] This product includes software developed by the OpenSSL Project for use in
the OpenSSL Toolkit (http://www.openssl.org/).
Note: There is no default username or password for login.
Depending on how your browser is set up, you might be able to abbreviate the
account name or choose it from a drop-down list while setting the username. To
log in, click Log In. The Configuration Summary page is displayed by default
and shows a summary of the configuration details on the cluster. The
Configuration Summary page on the regional cluster displays the configured
failover-pairs and zone distributions, which can in turn display the underlying
cluster or HA pairs. You can use graphical utilities such as the Show
Visualization icon or the Show Table View icon in the chart to view the
network data in chart or table format.
Multiple Users
The Cisco Prime Network Registrar user interfaces support multiple, concurrent
users. If two users try to access the same object record or data, a Modified
object error will occur for the second user. If you receive this error while
editing user data, do the following:
· In the web UI–Cancel the edits and refresh the list. Changes made by the
first user will be reflected in the list. Redo the edits, if necessary.
· In the CLI–Use the session cache refresh command to clear the current edits
before viewing the changes and making further edits. Then make your changes if
you feel that they are still necessary after the other user’s changes.
Changing Passwords
Whenever you edit a password on a web UI page, it is displayed as a string of
eight dots. The actual password value is never sent to the web browser. So, if
you change the password, the field is automatically cleared. You must enter
the new password value completely, exactly as you want it to be.
Note: The password should not be more than 255 characters long.
For details on changing administrator passwords at the local and regional
cluster, see Managing Passwords, on page 55.
Navigating the Web UI
The web UI provides a hierarchy of pages based on the functionality you desire
and the thread you are following as part of your administration tasks. The
page hierarchy prevents you from getting lost easily.
Caution: Do not use the Back button of the browser. Always use the navigation
menu, or the Cancel button on the page to return to a previous page. Using the
browser Back button can cause erratic behavior or can cause failures.
A single sign-on feature is available to connect between the regional and
local clusters. The regional cluster web UI pages include the Connect button
in the List/Add Remote clusters page, which you can click to connect to the
local cluster associated with the icon. If you have single sign-on privileges
to the local cluster, the connection takes you to the related local server
management page (or a related page for related server configurations). If you
do not have these privileges, the connection takes you to the login page for
the local cluster. To return to the regional cluster, local cluster pages have
the Return button on the main toolbar.
Note: To protect against vulnerabilities, strict SameSite support for cookies
has been added to the web UI in Cisco Prime Network Registrar 11.1. The
attribute to control this is in the context.xml file in the tomcat/conf
folder. If single sign-on support is required, in the tomcat/conf/context.xml
file, delete the line
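
To audit which SameSite policy an installation is actually running after such an edit, the following added example (not code from the Cisco guide) parses a context.xml and compares the declared policy with whether single sign-on is required. It assumes the control is Tomcat's standard CookieProcessor element with its sameSiteCookies attribute; the function names are hypothetical and the sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Values Tomcat documents for the sameSiteCookies attribute of CookieProcessor.
VALID = {"unset", "none", "lax", "strict"}

# Constructed sample context.xml contents (not copied from a real installation).
STRICT = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <CookieProcessor sameSiteCookies="strict" />
</Context>"""

LINE_DELETED = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

COMMENTED_OUT = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <!-- <CookieProcessor sameSiteCookies="strict" /> -->
</Context>"""

MIXED_CASE_LAX = """<Context>
  <CookieProcessor sameSiteCookies="Lax" />
</Context>"""


def samesite_policy(context_xml):
    """Return the sameSiteCookies value declared in a context.xml string.

    'unset' means no SameSite attribute is added to cookies, which is the
    result when the CookieProcessor line is deleted or commented out.
    """
    root = ET.fromstring(context_xml)  # the parser drops XML comments
    processors = list(root.iter("CookieProcessor"))
    if not processors:
        return "unset"
    if len(processors) > 1:
        return "ambiguous"  # more than one declaration: needs a human look
    # Normalised to lower case for comparison.
    value = processors[0].get("sameSiteCookies", "unset").strip().lower()
    return value if value in VALID else "invalid"


def audit(context_xml, sso_required):
    """Compare the declared policy with what the deployment is meant to run."""
    policy = samesite_policy(context_xml)
    if policy in ("invalid", "ambiguous"):
        return "error: sameSiteCookies is " + policy
    if sso_required:
        # The guide says the strict line is deleted when SSO is required.
        if policy == "strict":
            return "review: strict SameSite still set although SSO is required"
        return "ok"
    # Without SSO there is no documented reason to run weaker than strict.
    if policy == "strict":
        return "ok"
    return "finding: SameSite is " + policy + ", expected strict"


if __name__ == "__main__":
    samples = {
        "strict": STRICT,
        "line deleted": LINE_DELETED,
        "commented out": COMMENTED_OUT,
        "mixed-case lax": MIXED_CASE_LAX,
    }
    for name, xml_text in samples.items():
        for sso in (False, True):
            print("%-15s sso_required=%-5s -> %s" % (name, sso, audit(xml_text, sso)))
```

Run it against the content of tomcat/conf/context.xml on clusters where single sign-on is not in use; any result other than "ok" means the strict setting has been weakened or removed.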
The Search bar in the navigation menu provides an easy way to search for
menus. The Pin icon in the top right corner of the navigation menu helps to
pin/unpin the menu. Cisco Prime Network Registrar provides a facility to save
the frequently used pages/menus as favorites, which helps in accessing them
easily. To configure the page/menu as favorite, after navigating to the
desired menu, click the Favorite icon (the star icon next to the navigation
path), provide the appropriate name, and then click OK. The pages/menus which
are configured as favorites appear under the Favorites section of the global
navigation. You can delete the menus from the favorites list by clicking the
Delete icon next to them. The Configuration Summary page is listed under the
Favorites section by default.
Note: Click the double arrow icon in any page to view the hidden
options/functionalities.
Note: Navigation menu items can vary depending on whether you have the role
privileges for IPv4 or IPv6. For example, the Design menu can be DHCPv4 and
DHCPv6 if you have the ipv6-management subrole of the addrblock-admin role
assigned.
Waiting for Page Resolution Before Proceeding
Operations performed in the web UI, such as resynchronizing or replicating
data from server clusters, are synchronous in that they do not return control
to the browser until the operation is completed. These operations display
confirmation messages in blue text. Also, the browsers display a wait cursor
while the operation is in progress.
Tip: Wait for each operation in the web UI to finish before you begin a new
operation. If the browser becomes impaired, close the browser, reopen it, then
log in again. Some operations, like zone distributions, can take a significant
amount of time, so you may have to wait until the operation completes.
Committing Changes in the Web UI
You do not actually commit the page entries you make until you click Save on
the page. You can delete items using the Delete icon. To prevent unwanted
deletions, a Confirm Delete dialog box appears in many cases so that you have
a chance to confirm or cancel the deletion.
Role and Attribute Visibility Settings
Click the Settings drop-down list on the toolbar at the top of the main page
to modify user preferences, session settings, user permissions, or debug
settings.
· To view the user groups and roles for the administrator, select the User
Preferences option. Superuser is a special kind of administrator. (For details
on how to set up these administrator roles, see Create the Administrators, on
page 136.)
· Select Session Settings to open the Session Settings dialog, select the mode
from the Session Web UI Mode drop-down list, and click Modify Session
Settings. You can also click the drop-down arrow of the Mode icon to view
the list of modes. Select the required mode from the list:
  · Basic–Basic user mode (the preset choice).
  · Advanced–Advanced user mode that exposes the normal attributes.
  · Expert–Expert user mode that exposes a set of attributes that are relevant
  for fine-tuning or troubleshooting the configuration. In most cases, you
  would accept the default values for these expert attributes and not change
  them without guidance from the Cisco Technical Assistance Center (TAC). Each
  Expert mode attribute is marked with a Warning icon on the configuration
  pages. Each page is clearly marked as being in Expert mode.
Displaying and Modifying Attributes
Many of the web UI pages, such as those for servers, zones, and scopes,
include attribute settings that correspond to those you can set using the CLI.
(The CLI name equivalents appear under the attribute name.) The attributes are
categorized into groups by their function, with the more prominent attributes
listed first and the ones less often configured nearer the bottom of the page.
Grouping and Sorting Attributes
On many Advanced mode web UI pages, you can toggle between showing attributes
in groups and in alphabetical order. These pages generally open by default in
group view so that you can see the attributes in their respective categories.
However, in the case of large numbers of attributes, you might want to see the
attributes alphabetized. Click Show A-Z View to change the page to show the
attributes alphabetically. Click Show Group View to change the page to show
the attributes in groups. You can also expand or collapse the attribute groups
in group view by clicking Expand All or Collapse All. In Expert mode, the
Expert mode attributes are alphabetized separately further down the page under
the Visibility=3 heading and are all marked with the Warning icon.
Modifying Attributes
You can modify attribute values and unset those for optional attributes. In
many cases, these attributes have preset values, which are listed under the
Default column on the page. The explicit value overrides the default
one, but the default one is always the fallback. If there is no default value,
unsetting the explicit value removes all values for that attribute.
Displaying Attribute Help
For contextual help for an attribute, click the name of the attribute to open
a separate popup window.
Left Navigation Pane
The web UI also provides a navigation pane on the left of the main pages. This
navigation pane provides access to objects that are added as part of the
various categories. The objects are listed in a tabular format and you can
click the object to edit its properties in the main page.
Each object displayed under a category in the pane has a Quick View icon
associated with it. The Quick View icon expands to open a dialog box that
displays the main details about the object, and provides links (if any) to
perform the main actions associated with the object.
By default, the list of objects is displayed in a single column format.
However, you can add additional columns in the left pane. To add additional
columns for objects, click the gear icon above the objects table in the
left pane, select the desired column names, and then click Close. You can save
the column format by clicking the Save Column Format button.
There are Quick Filter and Advanced Filter options available to filter the
objects as needed. To do a quick search for the objects, you can use the Quick
Filter option. Click the Filter icon or select Quick Filter from the Show
drop-down list located above the objects table and then enter the search
string in the search bar. The objects are listed as per your search criteria.
You can also use Advanced Filter to filter the objects. Select Advanced Filter
from the Show drop-down list, set the appropriate filter and condition in the
Advanced Filter dialog box, and then click OK. Once you click OK, the object
list on the left pane is filtered as per the filter specified. To save the
filter, click Save As in the Advanced Filter dialog box, enter the appropriate
name in the Save Filter dialog box, and then click Save. The saved filter name
appears in the Show drop-down list and you can use this filter on that
particular object list at any time. You can also set this filter as the
default filter by clicking the Set Default Filter button.
The user defined filters can be edited or removed. To do this, select Manage
User Defined Filters from the Show drop-down list, select the required user
defined filter from the filter list in the Manage User Defined Filters dialog
box, and then click Edit or Remove as required.
Help Pages
The web UI provides a separate window that displays help text for each page.
The Help pages provide:
· A context-sensitive help topic depending on which application page you have
open.
· A clickable and hierarchical Contents and Index, and a Favorites setting, as
tabs on a left-hand pane that you can show or hide.
· A Search facility that returns a list of topics containing the search
string, ordered by frequency of appearance of the search string.
· Forward and backward navigation through the history of Help pages opened.
· A Print function
· A Glossary
Logging Out
Log out of the web UI by clicking the Log Out link. You can find Log Out under
the gear icon at the top right corner of the application page.
Local Cluster Web UI
The local cluster web UI provides concurrent access to Cisco Prime Network
Registrar user and protocol server administration and configuration. It
provides granular administration across servers with permissions you can set
on a per element or feature basis. The local cluster web UI is available in
three user modes:
· Basic Mode–Provides a more simplified configuration for the more frequently
configured objects, such as DHCP scopes and DNS zones (see Local Basic Main
Menu Page, on page 16).
· Advanced Mode–Provides the more advanced configuration method familiar to
past users of the Cisco Prime Network Registrar web UI, with some enhancements
(see Local Advanced Main Menu Page, on page 17).
· Expert Mode (marked with an icon)–For details on Expert mode, see Role and
Attribute Visibility Settings, on page 14.
Change to Basic, Advanced, or Expert mode by clicking the drop-down arrow of
the Mode icon on the toolbar at the top right of the page (see Setting
Local User Preferences, on page 18).
Note: If you change the IP address of your local cluster machine, see the Note
in Configuring Clusters in the Local Web UI, on page 20.
Related Topics
Introduction to the Web-Based User Interfaces, on page 10
Regional Cluster Web UI, on page 20
Local Basic Main Menu Page
The Basic tab activated on the toolbar at the top right corner of the page
implies that you are in Basic user mode. Otherwise, click the drop-down arrow
of the Mode icon to view the list of modes and select Basic. You can see
the submenu items under the navigation menu by clicking the global navigation
icon on the top left corner of the page. To choose a submenu under a
navigation menu, place the cursor over the navigation menu item. For example,
place the cursor on Operate to choose Manage Servers. Also, you can select
any submenu under the required navigation menu and then navigate to the
required submenu page from the left pane. For example, place the cursor on
Operate and choose Schedule Tasks. You can see the List/Add Scheduled Tasks
page along with a left pane that has links to Manage Servers, Manage Clusters,
Schedule Tasks, and View Change Log. Click the Manage Servers link to view the
Manage Servers page. The Local Basic main menu page provides functions with
which you can:
· Open the dashboard to monitor system health–Open the Operate menu and click
Dashboard. See the “Server Status Dashboard” chapter.
· Set up a basic configuration by using the Setup interview pages–Click the
Setup icon at the top and select the different tabs in the Setup page. See
Cisco Prime Network Registrar 11.1 Quick Start Guide for more details.
· Administer users, tenants, encryption keys–Place the cursor on the
Administration menu (for user access options) or Design menu (for Security >
Keys option). See Managing Administrators, on page 39.
· Manage the Cisco Prime Network Registrar protocol servers–Place the cursor
on the Operate menu and select Manage Servers or Schedule Tasks option. See
Maintaining Servers and Databases, on page 155.
· Manage clusters–Place the cursor on the Operate menu and choose Manage
Clusters option. See Configuring Server Clusters, on page 97.
· Configure DHCP–Place the cursor on Design menu and select the options under
DHCP Settings, DHCPv4, or DHCPv6. See the “Managing DHCP Server” chapter in
Cisco Prime Network Registrar 11.1 DHCP User Guide.
· Configure DNS–Place the cursor on the Design menu and select the options
under Cache DNS and Auth DNS. Place the cursor on the Deploy menu and select
the options under DNS and DNS Updates. See the “Managing Zones” section in
Cisco Prime Network Registrar 11.1 Authoritative and Caching DNS User Guide.
· Manage hosts in zones–From the Design menu, choose Hosts under the Auth DNS
submenu. See the “Managing Hosts” section in Cisco Prime Network Registrar
11.1 Authoritative and Caching DNS User Guide.
· Go to Advanced mode–Click Advanced in the top right corner of the page. See
Local Advanced Main Menu Page, on page 17.
Local Advanced Main Menu Page
To switch to Advanced user mode from the Basic user Main Menu page, click the
drop-down arrow of the Mode icon at the top right of the window to view
the list of modes and select Advanced. Doing so opens another Main Menu page,
except that it shows the Advanced user mode functions. To switch back to Basic
mode at any time, click next to the Mode icon at the top right of the window
and select Basic.
The local Advanced mode Main Menu page includes advanced Cisco Prime Network
Registrar functions that are in addition to the ones in Basic mode:
· Open the dashboard to monitor system health–Open the Operate menu and click
Dashboard. See the “Server Status Dashboard” chapter.
· Administer users, tenants, groups, roles, regions, access control lists
(ACLs), and view change logs–Place the cursor on the Administration menu (for
user access options), Design menu (for ACLs), or Operate menu (for change
logs). See Managing Administrators, on page 39.
· Manage the Cisco Prime Network Registrar protocol servers–Place the cursor
on the Operate menu and select Manage Servers or Schedule Tasks option. See
Maintaining Servers and Databases, on page 155.
· Manage clusters–Place the cursor on the Operate menu and choose Manage
Clusters. See Configuring Server Clusters, on page 97.
· Configure Routers–Place the cursor on the Deploy menu and select the options
under Router Configuration. See Managing Routers and Router Interfaces, on
page 151.
· Configure DHCPv4–Place the cursor on the Design menu and select any option
under DHCPv4. See the “Managing DHCP Server” chapter in Cisco Prime Network
Registrar 11.1 DHCP User Guide.
· Configure DHCPv6–Place the cursor on the Design menu and select any option
under DHCPv6. See the “DHCPv6 Addresses” section in Cisco Prime Network
Registrar 11.1 DHCP User Guide.
· Configure DNS–Place the cursor on the Design menu and select the options
under Cache DNS and Auth DNS. Place the cursor on the Deploy menu and select
the options under DNS and DNS Updates. See the “Managing Zones” section in
Cisco Prime Network Registrar 11.1 Authoritative and Caching DNS User Guide.
· Manage hosts in zones–From the Design menu, choose Hosts under the Auth DNS
submenu. See the “Managing Hosts” section in Cisco Prime Network Registrar
11.1 Authoritative and Caching DNS User Guide.
· Manage IPv4 address space–Place the cursor on the Design menu and select any
option under DHCPv4. See the “Managing Address Space” section in Cisco Prime
Network Registrar 11.1 DHCP User Guide.
· Configure IPv6 address space–Place the cursor on the Design menu and select
any option under DHCPv6. See the “DHCPv6 Addresses” section in Cisco Prime
Network Registrar 11.1 DHCP User Guide.
· Go to Basic mode–Click the drop-down arrow of the Mode icon at the top
right corner of the page and choose Basic. See Local Basic Main Menu Page, on
page 16.
The Advanced user mode page provides additional functions:
· View the user role and group data for the logged-in user–See Role and
Attribute Visibility Settings, on page 14.
· Set your preferred session settings–See Role and Attribute Visibility
Settings, on page 14.
· Set server debugging–You can set debug flags for the protocol servers. Set
these values only under diagnostic conditions when communicating with the
Cisco Technical Assistance Center (TAC).
· Change your login administrator password–See Managing Passwords, on page 55.
Setting Local User Preferences
You can maintain a short list of web UI settings through subsequent user
sessions. The only difference between the Basic and Advanced or Expert mode
user preference pages is that Advanced and Expert modes have additional
columns listing the data types and defaults.
You can edit the user preferences by going to User Preferences under the
Settings drop-down list. The user preference attributes to set are:
· Username–Username string, with a preset value of admin. You cannot modify
this field.
· Web UI list page size–Adjust the page size by the number of displayed lines
in a list; the preset value is 10 lines.
· Web UI mode–User mode at startup: Basic, Advanced, or Expert (see Role and
Attribute Visibility Settings, on page 14). If unset, the mode defaults to the
one set in the CCM server configuration (see Managing Servers, on page 155).
· Web UI tree page size–Adjust the page size when displaying a tree view in
the web UI.
· Web UI log page size–Adjust the page size on log pages.
· Web UI report page size–Adjust the page size to use when displaying report
pages in the web UI.
· Views–Specify the DNS view setting at session startup in the web UI or CLI.
· VPN–Specify the VPN setting at session startup in the web UI or CLI.
· Alarm poll interval–Adjust the alarm poll interval; that is, how often
Network Registrar polls the alarm data from the server.
· Homepage–Set a page from the favorites list as the homepage for the
application. By default, the Configuration Summary page is set as the homepage.
You can set a page of your choice as the homepage for the application. To do
this, add the desired page to the Favorites list (see Navigating the Web UI, on
page 12), select the page name from the Homepage drop-down list, and then click
Modify User Preferences. You can click the Home icon on the top left corner of
the web UI to go to the homepage.
· Date format–Set the date-time format for date-time values in the web UI. A
format can be selected from the default list or entered in text form as
<date-pattern>
  · Month as “M”, “MM”, “MMM”, “MMMM”
  · Day as “d”, “dd”
  · Hour as “h”, “hh”, “H”, “HH”
  · Minute as “mm”
  · Second as “s”, “ss”
  · Delimiters as “:”, “-”, “/”
· Chart X-Axis Timestamp Pattern–Specify the pattern to be used for displaying
the timestamp on the x-axis while displaying charts.
· Tree node display–Specify the initial display option for tree nodes. If this
setting is set to Expanded and the number of nested child nodes is greater
than 500, it may take a few minutes to display the tree.
You can unset the page size and web UI mode values by checking the check box
in the Unset? column, next to the attribute. After making the user preference
settings, click Modify User Preferences.
Configuring Clusters in the Local Web UI
You can define other local Cisco Prime Network Registrar clusters in the local
web UI. The local cluster on the current machine is called the localhost
cluster. To set up other clusters, choose Manage Clusters from the Operate
menu to open the List/Add Clusters page. Note that the localhost cluster has
the IP address and SCP port of the local machine. Click the Add Cluster icon
in the left pane to open the Add Cluster page. At a minimum, you must enter
the name and address (IPv4 and/or IPv6) of the remote local cluster. You
should also enter the admin name and password, along with possibly the SCP
port (if not 1234) of the remote cluster. Click Add Cluster. To edit a
cluster, click the cluster name in the Clusters pane on the left to open the
Edit Cluster page. If you want to use secure access mode, select use-ssl as
disabled, optional, or required (optional is the preset value; you need the
security library installed if you choose required). Make the changes and then
click Save.
Note: If you change the IP address of your local cluster machine, you must
modify the localhost cluster to change the address in the ipaddr field. Avoid
setting the value to the loopback address (127.0.0.1); if you do, you must
also set the actual IP addresses of main and backup servers for DHCP failover
and High-Availability (HA) DNS configurations.
Regional Cluster Web UI
The regional cluster web UI provides concurrent access to regional and central
administration tasks. It provides granular administration across servers with
permissions you can set on a per element or feature basis. After you log in to
the application, the Home page appears. Regional cluster administration is
described in Managing the Central Configuration, on page 79.
Related Topics
Introduction to the Web-Based User Interfaces, on page 10
Local Cluster Web UI, on page 16
Command Line Interface
Using the Cisco Prime Network Registrar CLI (the nrcmd program), you can
control your local cluster server operations. You can set all configurable
options, as well as start and stop the servers.
Note: The CLI provides concurrent access, by at most 14 simultaneous users and
processes per cluster.
Tip: See the CLIContents.html file in the /docs subdirectory of your
installation directory for details.
The nrcmd program for the CLI is located in the install-path/usrbin directory.
On a local cluster, once you are in the appropriate directory, use the
following command at the prompt:
nrcmd [-C cluster[:port]] [-N user] [-P password] [-h] [-r] [-v] [-b < script | command]
nrcmd -C clustername:port -N username -P password [-L | -R]
· -C–Cluster name, preset value localhost. Specify the port number with the
cluster name while invoking nrcmd to connect to another cluster. See the
preceding example. The port number is optional if the cluster uses the default
SCP port–1234 for local and 1244 for regional. Ensure that you include the
port number if the port used is not the default one.
· -N–Username. You have to enter the username that you created when you first
logged in to the web UI.
· -P–User password. You have to enter the password that you created for the
username.
· -L–Access the local cluster CLI.
· -R–Access the regional cluster CLI.
· -b < script–Process script file of nrcmd commands.
· -h–Print this help text.
· -r–Log in as a read-only user.
· -R–Connect to regional.
· -v (or -vv)–Report the program version and exit.
· -V–Specify the session visibility.
Note: Cluster defaults to localhost if not specified.
Tip: For additional command options, see the CLIGuide.html file in /docs.
Note: If you change the IP address of your local cluster machine, you must
modify the localhost cluster to change the address in the ipaddress attribute.
Do not set the value to 127.0.0.1.
You can also send the output to a file using:
nrcmd> session log filename
For example: To send the leases on the DHCP server to a file (leases.txt), use
the following commands:
nrcmd> session log leases.txt
nrcmd> lease list
Note: To close a previously opened file, use session log (no filename). This
stops writing the output to any file.
To disconnect from the cluster, use exit:
nrcmd> exit
Tip: The CLI operates on a coordinated basis with multiple user logins. If you
receive a cluster lock message, determine who has the lock and discuss the
issue with that person. (See Multiple Users, on page 12.)
REST API
The Cisco Prime Network Registrar REST API provides access to a set of
resources that can be managed by an HTTP client. It is supported on the
regional server and on local DHCP, DNS, and Caching DNS servers, provided web
services have been enabled. To know about the REST methods and endpoints to
use to get information about the most commonly used objects in Cisco Prime
Network Registrar, see Cisco Prime Network Registrar 11.1 REST APIs Quick
Start Guide. For complete details on the REST APIs that are supported by Cisco
Prime Network Registrar, see Cisco Prime Network Registrar 11.1 REST APIs
Reference Guide. Starting with 11.1, Cisco Prime Network Registrar supports
Swagger based documentation for the REST API which covers most of the
scenarios. However, it does not cover all the REST API requests, especially
the special cases with actions.
Global Search in Prime Network Registrar
The Local and Regional web UI in Prime Network Registrar also provides a
global search functionality for the IP addresses or DNS names available in the
local clusters. The search interface element is available at the top right
corner of the main page.
Note To view the search interface element and run the search for IP addresses and DNS names, Cisco Prime Network Registrar must be licensed with DHCP or DNS, and the DHCP or DNS services must be enabled for the local cluster (in the List/Add Remote Clusters page in Regional web UI).
The following table shows the typical search results under different
scenarios.
Table 2: Typical Search Results
You search for… | With active licenses and services | Search Results for…
An IPv4 address | Only DHCP | The closest matching scope, scope lease or scope reservation
An IPv4 address or a DNS FQDN | Only DNS | The related Zone or Resource Record
An IPv6 address | Only DHCP | The closest matching prefix, prefix lease or prefix reservation
An IPv6 address or a DNS FQDN | Only DNS | The related Zone or Resource Record
An IPv4 address, an IPv6 address or a DNS FQDN | Both DHCP and DNS | All of the above, based on the type of address
Chapter 3: Server Status Dashboard
The Cisco Prime Network Registrar server status dashboard in the web user
interface (web UI) presents a graphical view of the system status, using
graphs, charts, and tables, to help in tracking and diagnosis. These dashboard
elements are designed to convey system information in an organized and
consolidated way, and include:
· Significant protocol server and other metrics
· Alarms and alerts
· Database inventories
· Server health trends
The dashboard is best used in a troubleshooting desk context, where the system
displaying the dashboard is dedicated for that purpose and might be distinct
from the systems running the protocol servers. The dashboard system should
point its browser to the system running the protocol servers. You should
interpret dashboard indicators in terms of deviations from your expected
normal usage pattern. If you notice unusual spikes or drops in activity, there
could be communication failures or power outages on the network that you need
to investigate.
· Opening the Dashboard
· Display Types
· Customizing the Display
· Selecting Dashboard Elements to Include
· Host Metrics
Opening the Dashboard
The Dashboard feature is also available on the regional cluster. It provides
the System Metrics chart by default and allows you to display the
server-specific (DHCP, DNS, and CDNS) charts for various clusters. This can be
configured in the Chart Selections page. To open the dashboard in the web UI,
from the Operate menu, choose Dashboard.
Display Types
Provided you have DHCP and DNS privileges through administrator roles assigned
to you, the preset display of the dashboard consists of the following tables
(See the table below for an example):
· System Metrics–See System Metrics, on page 34.
· DHCP General Indicators–See the “DHCP General Indicators” section in Cisco
Prime Network Registrar 11.1 DHCP User Guide.
· DNS General Indicators–See the “DNS General Indicators” section in Cisco
Prime Network Registrar 11.1 Authoritative and Caching DNS User Guide.
Tip These are just the preset selections. See Selecting Dashboard Elements to
Include, on page 32 for other dashboard elements you can select. The dashboard
retains your selections from session to session.
Figure 4: Preset Dashboard Elements
Each dashboard element initially appears as a table or a specific panel chart,
depending on the element:
· Table–See Tables, on page 27.
· Line chart–See Line Charts, on page 28.
· Area chart–See Area Charts, on page 29.
General Status Indicators
Note the green indicator in the Server State description in the above image.
This indicates that the server sourcing the information is functioning
normally. A yellow indicator indicates that server operation is less than
optimum. A red indicator indicates that the server is down. These indicators
are the same as for the server health on the Manage Servers page in the
regular web UI.
Graphic Indicators for Levels of Alert
Graphed lines and stacked areas in the charts follow a standard color and
visual coding so that you can immediately determine key diagnostic indicators
at a glance. The charts use the following color and textural indicators:
· High alerts or warnings–Lines or areas in red, with a hatched texture.
· All other indicators–Lines or areas in various other colors distinguish the
data elements. The charts do not use green or yellow.
Magnifying and Converting Charts
You can magnify a chart in a separate window by clicking the Chart Link icon
at the bottom of the panel chart and then by clicking the Magnified Chart
option (see the image below). In magnified chart view, you can choose an
alternative chart type from the one that comes up initially (see Other Chart
Types, on page 30).
Figure 5: Magnifying Charts
Note Automatic refresh is turned off for magnified charts. To get the most
recent data, click the Refresh icon next to the word Dashboard at the top left
of the page.
To convert a chart to a table, see the Displaying Charts as Tables section.
You cannot convert tables to a graphic chart format.
Legends
Each chart includes a color-coded legend by default.
Tables
Dashboard elements rendered as tables have data displayed in rows and columns.
The following dashboard elements are preset to consist of (or include) tables:
· DHCP DNS Updates
· DHCP Address Current Utilization
· DHCP General Indicators
· DNS General Indicators
· Caching DNS General Indicators
Note If you view a table in Expert mode, additional data might appear.
Line Charts
Dashboard elements rendered as line charts can include one or more lines
plotted against the x and y axes. The three types of line charts are described
in the following table.
Table 3: Line Chart Types
Type of Line Chart | Description | Dashboard Elements Rendered
Raw data line chart | Lines plotted against raw data. | Java Virtual Machine (JVM) Memory Utilization (Expert mode only); DHCP Buffer Capacity; DHCP Failover Status (two charts); DNS Network Errors; DNS Related Servers Errors
Delta line chart | Lines plotted against the difference between two sequential raw data. | DNS Inbound Zone Transfers; DNS Outbound Zone Transfers
Rate line chart | Lines plotted against the difference between two sequential raw data divided by the sample time between them. | DHCP Server Request Activity (see the image below); DHCP Server Response Activity; DHCP Response Latency; DNS Query Responses; DNS Forwarding Errors
Tip To get the raw data for a chart that shows delta or rate data, enter Expert mode, go to the required chart, click the Chart Link icon at the bottom of the panel chart, and then click Data Table. The Raw Data table is below the Chart Data table.
Figure 6: Line Chart Example
Area Charts
Dashboard elements rendered as area charts have multiple related metrics
plotted as trend charts, but stacked one on top of the other, so that the
highest point represents a cumulative value. The values are independently
shaded in contrasting colors. (See the image below for an example of the DHCP
Server Request Activity chart shown in Figure 6: Line Chart Example, on page
29 rendered as an area chart.)
Figure 7: Area Chart Example
They are stacked in the order listed in the legend, the left-most legend item
at the bottom of the stack and the right-most legend item at the top of the
stack. The dashboard elements that are pre-set to area chart are:
· DHCP Buffer Capacity
· DHCP Failover Status
· DHCP Response Latency
· DHCP Server Leases Per Second
· DHCP Server Request Activity
· DHCP Server Response Activity
· DNS Inbound Zone Transfers
· DNS Network Errors
· DNS Outbound Zone Transfers
· DNS Queries Per Second
· DNS Related Server Errors
Other Chart Types
The other chart types available for you to choose are:
· Line–One of the line charts described in Line Charts, on page 28.
· Area–Charts described in the Area Charts, on page 29.
· Column–Displays vertical bars going across the chart horizontally, with the
values axis being displayed on the left side of the chart.
· Scatter–A scatter plot is a type of plot or mathematical diagram using
Cartesian coordinates to display values for typically two variables for a set
of data.
Tip Each chart type shows the data in distinct ways and in different
interpretations. You can decide which type best suits your needs.
Getting Help for the Dashboard Elements
You can open a help window for each dashboard element by clicking the help
icon on the table/chart window.
Customizing the Display
To customize the dashboard display, you can:
· Refresh the data and set an automatic refresh interval.
· Expand a chart and render it in a different format.
· Convert a graphic chart to a table.
· Download data to comma-separated value (CSV) output.
· Display or hide chart legends.
· Configure server chart types.
· Reset to default display.
Each chart supports:
· Resizing
· Drag and drop to new cell position
· Minimizing
· Closing
Each chart has a help icon with a description of the chart and a detailed help
if you click the link (more…) at the bottom of the description.
Note The changes made to the dashboard/chart will persist only if you click
Save in the Dashboard window.
Refreshing Displays
Refresh each display so that it picks up the most recent polling by clicking
the Refresh icon.
Setting the Polling Interval
You can set how often to poll for data. Click the Dashboard Settings icon in
the upper-right corner of the dashboard display. There are four options to set
the polling interval of the cached data, which polls the protocol servers for
updates (See the image below).
Figure 8: Setting the Chart Polling Interval
You can set the cached data polling (hence, automatic refresh) interval to:
· Disabled–Does not poll, therefore does not automatically refresh the data.
· Slow–Refreshes the data every 30 seconds.
· Medium–Refreshes the data every 20 seconds.
· Fast (the preset value)–Refreshes the data every 10 seconds.
Displaying Charts as Tables
Use the Chart Link icon at the bottom of the panel chart to view the chart
link options (see the image below). You can choose to display a graphic chart
as a table by clicking the Data Table option.
Figure 9: Specifying Chart Conversion to Table Format
Exporting to CSV Format
You can dump the chart data to a comma-separated value (CSV) file (such as a
spreadsheet). In the Chart Link controls at the bottom of the panel charts
(see the above image), click the CSV Export option. A Save As window appears,
where you can specify the name and location of the CSV file.
Selecting Dashboard Elements to Include
You can decide how many dashboard elements you want to display on the page. At
times, you might want to focus on one server activity only, such as for the
DHCP server or the DNS server, and exclude all other metrics for the other
servers. In this way, the dashboard becomes less crowded, the elements are
larger and more readable. At other times, you might want an overview of all
server activities, with a resulting smaller element display. You can select
the dashboard elements to display from the main Dashboard page by clicking the
Dashboard Settings icon and then clicking Chart Selections in the Dashboard
Settings dialog. Clicking the link opens the Chart Selection page (see Figure
10: Selecting Dashboard Elements, on page 32).
Configuring Server Chart Types
You can set the default chart types on the main dashboard view. You can
customize the server charts in the dashboard to display only the specific
chart types as default. To set up default chart type, check the check box
corresponding to the Metrics chart that you want to display and choose a chart
type from the Type drop-down list. The default chart types are consistent and
shared across different user sessions (see the image below).
Note You can see either the CDNS or DNS Metrics in the Dashboard Settings >
Chart Selection page based on the service configured on the server.
Tip The order in which the dashboard elements appear in the Chart Selection
list does not necessarily determine the order in which the elements will
appear on the page. An algorithm that considers the available space determines
the order and size in a grid layout. The layout might be different each time
you submit the dashboard element selections. To change selections, check the
check box next to the dashboard element that you want to display.
Figure 10: Selecting Dashboard Elements
The above image displays the Charts Selection table in the regional web UI.
The Clusters column is available only in regional dashboard and it displays
the list of local clusters configured. You can add the local cluster by
clicking the Edit icon and then by selecting the local cluster name from the
Local Cluster List dialog box. To change selections, check the check box next
to the dashboard element that you want to display. Specific group controls are
available in the Change Chart Selection drop-down list, at the top of the page
(see the image above). To:
· Uncheck all check boxes, choose None.
· Revert to the preset selections, choose Default. The preset dashboard
elements for administrator roles supporting DHCP and DNS are:
  · Host Metrics: System Metrics
  · DHCP Metrics: General Indicators
  · DNS Metrics: General Indicators
· Select the DHCP metrics only, choose DHCP (see the “DHCP Metrics” section in
Cisco Prime Network Registrar 11.1 DHCP User Guide).
· Select the DNS metrics only, choose DNS (see the “Authoritative DNS Metrics”
section in Cisco Prime Network Registrar 11.1 Authoritative and Caching DNS
User Guide).
· Select the DNS metrics only, choose CDNS (see the “Caching DNS Metrics”
section in Cisco Prime Network Registrar 11.1 Authoritative and Caching DNS
User Guide).
· Select all the dashboard elements, choose All.
Click OK at the bottom of the page to save your choices, or Cancel to cancel
the changes. You can change the chart type by clicking the Chart Type icon at
the bottom of the panel chart and then by selecting the required chart type
(see the image below). The different types of chart available are: Line Chart,
Column Chart, Area Chart, and Scatter Chart.
Figure 11: Selecting the Chart Type
Host Metrics
Host metrics comprise two charts:
· System Metrics–See System Metrics, on page 34.
· JVM Memory Utilization (available in Expert mode only)–See JVM Memory
Utilization, on page 35.
System Metrics
The System Metrics dashboard element shows the free space on the disk volumes
where the Cisco Prime Network Registrar logs and database directories are
located, the date and time of the last server backup, and CPU and memory usage
for the various servers. System metrics are available if you choose Host
Metrics: System Metrics in the Chart Selection list.
The resulting table shows:
· Logs Volume–Current free space out of the total space on the disk drive
where the logs directory is located, with the equivalent percentage of free
space.
· Database Volume–Current free space out of the total space on the disk drive
where the data directory is located, with the equivalent percentage of free
space.
· Last Good Backup–Date and time when the last successful shadow database
backup occurred (or Not Done if it did not yet occur) since the server agent
was last started.
· CPU Utilization (in seconds), Memory Utilization (in kilobytes), VM
Utilization (in kilobytes), and Process ID (PID) for the:
· Cisco Prime Network Registrar server agent
· CCM server
· DNS server
· DHCP server
· Web server
· SNMP server
· DNS caching server
How to Interpret the Data
The System Metrics data shows how full your disk volumes are getting based on
the available free space for the Cisco Prime Network Registrar logs and data
volumes. It also shows if you had a last successful backup of the data files
and when that occurred. Finally, it shows how much of the available CPU and
memory the Cisco Prime Network Registrar servers are using. The difference in
the memory and VM utilization values is:
· Memory Utilization–Physical memory that a process uses, or roughly
equivalent to the Resident Set Size (RSS) value in UNIX ps command output: the
number of pages the process has in real memory minus administrative usage.
This value includes only the pages that count toward text, data, or stack
space, but not those demand-loaded in or swapped out.
· VM Utilization–Virtual memory that a process uses, or roughly equivalent to
the SZ value in UNIX ps command output: the in-memory pages plus the page
files and demand-zero pages, but not usually the memory-mapped files. This
value is useful in diagnosing how large a process is and if it continues to
grow.
Troubleshooting Based on the Results
If you notice the free disk space decreasing for the logs or data directory,
you might want to consider increasing the disk capacity or look at the
programs you are running concurrently with Cisco Prime Network Registrar.
JVM Memory Utilization
The Java Virtual Machine (JVM) Memory Utilization dashboard element is
available only when you are in Expert mode. It is rendered as a line trend
chart that traces the Unused Maximum, Free, and Used bytes of JVM memory. The
chart is available if you choose Host Metrics: JVM Memory Utilization in the
Chart Selection list when you are in Expert mode.
How to Interpret the Data
The JVM Memory Utilization data shows how much memory applies to running the
dashboard in your browser. If you see the Used byte data spiking, dashboard
elements might be using too much memory.
Troubleshooting Based on the Results
If you see spikes in Used memory data, check your browser settings or adjust
the polling interval to poll for data less frequently.
Part II: Local and Regional Administration
· Managing Administrators
· Managing Owners and Regions
· Managing the Central Configuration
· Managing Routers and Router Interfaces
· Maintaining Servers and Databases
· Backup and Recovery
· Managing Reports
Chapter 4: Managing Administrators
This chapter explains how to set up network administrators at the local and
regional clusters. The chapter also includes local and regional cluster
tutorials for many of the administration features.
· Administrators, Groups, Roles, and Tenants
· External Authentication Servers
· Managing Tenants
· Managing Administrators
· Managing Passwords
· Managing Groups
· Managing Roles
· Granular Administration
· Centrally Managing Administrators
· Session Management
Administrators, Groups, Roles, and Tenants
The types of functions that network administrators can perform in Cisco Prime
Network Registrar are based on the roles assigned to them. Local and regional
administrators can define these roles to provide granularity for the network
administration functions. Cisco Prime Network Registrar predefines a set of
base roles that segment the administrative functions. From these base roles
you can define further constrained roles that are limited to administering
particular addresses, zones, and other network objects. The mechanism to
associate administrators with their roles is to place the administrators in
groups that include these roles. The data and configuration that can be viewed
by an administrator can also be restricted by tenant. When an administrator is
assigned a tenant tag, access is further restricted to configuration objects
that are assigned to the tenant or made available for tenant use as read-only
core configuration objects.
How Administrators Relate to Groups, Roles, and Tenants
There are four administrator objects in Cisco Prime Network
Registrar–administrator, group, role, and tenant:
· Administrator–An account that logs in and that, through its association with
one or more administrator groups, can perform certain functions based on its
assigned role or roles. At the local cluster, these functions are
administering the local Central Configuration Management (CCM) server and
databases, hosts, zones, address space, and DHCP. At the regional cluster,
these functions administer the regional CCM server and databases, central
configuration, and regional address space. An administrator must be assigned
to at least one group to be effective. Adding administrators is described in
Managing Administrators, on page 53.
· Group–A grouping of roles. You must associate one or more groups with an
administrator, and a group must be assigned at least one role to be usable.
The predefined groups that Cisco Prime Network Registrar provides map each
role to a unique group. Adding groups is described in Managing Groups, on page
56.
· Role–Defines the network objects that an administrator can manage and the
functions that an administrator can perform. A set of predefined roles is
created at installation, and you can define additional constrained roles. Some
of the roles include subroles that provide further functional constraints.
Adding roles is described in Managing Roles, on page 57.
· Tenant–Identifies a tenant organization or group that is associated with a
set of administrators. When you create tenants, the data stored on both
regional and local clusters is segmented by tenant. A tenant cannot access the
data of another tenant. Adding tenants is described in Managing Tenants, on
page 48.
Administrator Types
There are two basic types of administrators: superusers and specialized
administrators:
· Superuser–Administrator with unrestricted access to the web UI, CLI, and all
features. This administrator type should be restricted to a few individuals.
The superuser privileges of an administrator override all its other roles.
Tip You have to create the superuser and password at installation, or when you
first log in to the web UI.
When a superuser is assigned a tenant tag, unrestricted access is only granted
for corresponding tenant data. Data of other tenants cannot be viewed, and
core objects are restricted to read-only access.
· Specialized–Administrator created by name to fulfill specialized functions,
for example, to administer a specific DNS forward or reverse zone, based on
the administrator assigned role (and subrole, if applicable). Specialized
administrators, like the superuser, require a password, but must also be
assigned at least one administrator group that defines the relevant roles. The
CLI provides the admin command. For an example of creating a local zone or
host administrator, see Create the Administrators, on page 136. A specialized
user that is assigned a tenant tag can only access corresponding tenant or
core data that also matches the relevant roles. Core data is further
restricted to read-only access.
Roles, Subroles, and Constraints
A license type is associated with each role-subrole combination. A
role-subrole is enabled only if that license is available in that cluster.
You can limit an administrator role by applying constraints. For example, you
can use the host-admin base role to create a host administrator, named
192.168.50-host-admin, who is constrained to the 192.168.50.0 subnet. The
administrator assigned a group that includes this role then logs in with this
constraint in effect. Adding roles and subroles is described in Managing
Roles, on page 57.
You can further limit the constraints on roles to read-only access. An
administrator can be allowed to read any of the data for that role, but not
modify it. However, if the constrained data is also associated with a
read-write role, the read-write privilege supersedes the read-only constraints.
Tip An example of adding role constraints is in Create a Host Administrator Role with Constraints, on page 140.
The interplay between DNS and host administrator role assignments is such that
you can combine an unconstrained dns-admin role with any host-admin role in a
group. For example, combining the dns-admin-readonly role and a host-admin
role in a group (and naming the group host-rw-dns-ro) provides full host
access and read-only access to zones and RRs. However, if you assign a
constrained dns-admin role along with a host-admin role to a group and then to
an administrator, the constrained dns-admin role takes precedence, and the
administrator privileges at login will preclude any host administration.
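The precedence rules described in this section can be checked against a planned group before it is assigned to an administrator. The following is an added example, not Cisco code or a Prime Network Registrar API: a simplified Python model in which each constraint is a single label, and the names dhcp-readonly, example-zone-dns-admin, and example.com are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Role:
    name: str                         # role name as listed in the group
    base: str                         # base role it derives from, e.g. "dns-admin"
    read_only: bool = False           # True for a read-only role
    constraint: Optional[str] = None  # None = unconstrained; else one zone or subnet


def has_constrained_dns(roles: List[Role]) -> bool:
    """True if the group contains a dns-admin role that carries a constraint."""
    return any(r.base == "dns-admin" and r.constraint is not None for r in roles)


def access_on(roles: List[Role], base: str, target: Optional[str] = None) -> str:
    """Access a group grants for `base` on `target` (None = data outside any constraint)."""
    # Rule from the text: a constrained dns-admin role takes precedence and
    # precludes any host administration.
    if base == "host-admin" and has_constrained_dns(roles):
        return "none"
    # Roles of this base that cover the target; unconstrained roles cover everything.
    covering = [r for r in roles
                if r.base == base and (r.constraint is None or r.constraint == target)]
    # Rule from the text: read-write supersedes read-only on the same data.
    if any(not r.read_only for r in covering):
        return "read-write"
    return "read-only" if covering else "none"


def audit_group(roles: List[Role]) -> List[str]:
    """List roles in a group that will not have the effect their definition suggests."""
    findings = []
    for r in roles:
        if r.base == "host-admin" and has_constrained_dns(roles):
            findings.append(f"{r.name}: precluded by a constrained dns-admin role")
        elif r.read_only and access_on(roles, r.base, r.constraint) == "read-write":
            findings.append(f"{r.name}: read-only superseded by a read-write role")
    return findings


# Constructed sample groups. host-rw-dns-ro and 192.168.50-host-admin are the
# examples named in the text; the other role and zone names are hypothetical.
GROUPS: Dict[str, List[Role]] = {
    "host-rw-dns-ro": [
        Role("dns-admin-readonly", "dns-admin", read_only=True),
        Role("host-admin", "host-admin"),
    ],
    "zone-and-host": [
        Role("example-zone-dns-admin", "dns-admin", constraint="example.com"),
        Role("192.168.50-host-admin", "host-admin", constraint="192.168.50.0"),
    ],
    "dhcp-mixed": [
        Role("dhcp-readonly", "dhcp-admin", read_only=True),
        Role("dhcp-admin", "dhcp-admin"),
    ],
    "dns-ro-plus-zone-rw": [
        Role("dns-admin-readonly", "dns-admin", read_only=True),
        Role("example-zone-dns-admin", "dns-admin", constraint="example.com"),
    ],
}


def audit_all(groups: Dict[str, List[Role]]) -> Dict[str, List[str]]:
    """Audit every group and return the findings keyed by group name."""
    return {name: audit_group(roles) for name, roles in groups.items()}


if __name__ == "__main__":
    for group_name, group_findings in audit_all(GROUPS).items():
        print(group_name, group_findings or "ok")
```

A group with no findings grants exactly what its roles state; a finding marks a role that is silently overridden and is worth reviewing before the group is assigned.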
Certain roles provide subroles with which you can further limit the role
functionality. For example, the local ccm-admin or regional-admin, with just
the owner-region subrole applied, can manage only owners and regions. By
default, all the possible subroles apply when you create a constrained role.
The predefined roles are described in Table 4: Local Cluster Administrator
Predefined and Base Roles, on page 41 (local), and Table 5: Regional Cluster
Administrator Predefined and Base Roles, on page 43 (regional).
Table 4: Local Cluster Administrator Predefined and Base Roles
Local Role | Subroles and Active Functionality
addrblock-admin | Core functionality: Manage address block, subnets, and reverse DNS zones (also requires dns-admin); and notify of scope activity.
 | · ric-management: Push to, and reclaim subnets from, DHCP failover pairs and routers.
 | · ipv6-management: Manage IPv6 prefixes, links, options, leases, and reservations.
 | · lease-history: Query, poll, and trim lease history data.
ccm-admin | Core functionality: Manage access control lists (ACLs), and encryption keys.
 | · authentication: Manage administrators.
 | · authorization: Manage roles and groups.
 | · owner-region: Manage owners and regions.
 | · database: View database change entries and trim the CCM change sets.
 | · security-management: Manage ACLs and DNSSEC configuration.
cdns-admin | Core functionality: Manage in-memory cache (flush cache and flush cache name).
 | · security-management: Manage ACLs and DNSSEC configuration.
 | · server-management: Manage DNSSEC configuration, as well as forwarders, exceptions, DNS64, and scheduled tasks, and stop, start, or reload the server.
cfg-admin | Core functionality: Manage clusters.
 | · ccm-management: Manage the CCM server configuration.
 | · dhcp-management: Manage the DHCP server configuration.
 | · dns-management: Manage the DNS server configuration.
 | · cdns-management: Manage Caching DNS server configuration.
 | · ric-management: Manage routers.
 | · snmp-management: Manage the SNMP server configuration.
 | · tftp-management: Manage the TFTP server configuration.
dhcp-admin | Core functionality: Manage DHCP scopes and templates, policies, clients, client-classes, options, leases, and reservations.
 | · lease-history: Query, poll, and trim lease history data.
 | · ipv6-management: Manage IPv6 prefixes, links, options, leases, and reservations.
 | · server-management: Manage the DHCP server configuration, failover pairs, LDAP servers, extensions, and statistics.
dns-admin | Core functionality: Manage DNS zones and templates, resource records, secondary servers, and hosts.
 | · security-management: Manage DNS update policies, ACLs, and encryption keys.
 | · server-management: Manage DNS server configurations and zone distributions, synchronize zones and HA server pairs, and push update maps.
 | · ipv6-management: Manage IPv6 zones and hosts.
 | · enum-management: Manage DNS ENUM domains and numbers.
host-admin | Core functionality: Manage DNS hosts. (Note that if an administrator is also assigned a constrained dns-admin role that overrides the host-admin definition, the administrator is not assigned the host-admin role.)
Table 5: Regional Cluster Administrator Predefined and Base Roles
Regional Role: Subroles and Active Functionality
central-cfg-admin
Core functionality: Manage clusters and view replica data.
· dhcp-management: Manage DHCP scope templates, policies, client-classes, failover pairs, virtual private networks (VPNs), and options; modify subnets; and replicate data.
· ric-management: Manage routers and router interfaces, and pull replica router data.
· ccm-management: Manage CCM Server configuration.
· snmp-management: Manage SNMP Server configuration.
· ipv6-management: Manage IPv6 prefixes, links, options, leases and reservations.
· cdns-management: Manage CDNS Server configuration.
central-dns-admin
Core functionality: Manage DNS zones and templates, hosts, resource records, and secondary servers; and create subzones and reverse zones.
· security-management: Manage DNS update policies, ACLs, and encryption keys.
· server-management: Synchronize DNS zones and HA server pairs, manage zone distributions, pull replica zone data, and push update maps.
· ipv6-management: Manage IPv6 zones and hosts.
· enum-management: Manage DNS ENUM domains and numbers.
central-host-admin
Core functionality: Manage DNS hosts. (Note that if an administrator is also assigned a constrained central-dns-admin role that overrides the central-host-admin definition, the administrator is not assigned the central-host-admin role.)
regional-admin
Core functionality: Manage licenses and encryption keys.
· authentication: Manage administrators.
· authorization: Manage roles and groups.
· owner-region: Manage owners and regions.
· database: View database change entries and trim the CCM change sets.
· security-management: Manage ACLs and DNSSEC configuration.
regional-addr-admin
Core functionality: Manage address blocks, subnets, and address ranges; generate allocation reports; and pull replica address space data.
· dhcp-management: Push and reclaim subnets; and add subnets to, and remove subnets from, DHCP failover pairs.
· lease-history: Query, poll, and trim lease history data.
· subnet-utilization: Query, poll, trim, and compact subnet and prefix utilization data.
· ipv6-management: Manage IPv6 prefixes, links, options, leases and reservations.
Groups
Administrator groups are the mechanism used to assign roles to administrators.
Hence, a group must consist of one or more administrator roles to be usable.
When you first install Cisco Prime Network Registrar, a predefined group is
created to correspond to each predefined role.
Roles with the same base role are combined. A group with an unconstrained
dhcp-admin role and a constrained dns-admin role does not change the
privileges assigned to the dns-admin role. For example, if one of the roles is
assigned unconstrained read-write privileges, the group is assigned
unconstrained read-write privileges, even though other roles might be assigned
read-only privileges. Therefore, to limit the read-write privileges of a user
while allowing read-only access to all data, create a group that includes the
unconstrained read-only role along with a constrained read-write role. (See
Roles, Subroles, and Constraints, on page 41 for the implementation of
host-admin and dns-admin roles combined in a group.)
External Authentication Servers
Cisco Prime Network Registrar includes a RADIUS client component and an Active
Directory (AD) client component, which are integrated with the authentication
and authorization modules of the CCM server. To enable external
authentication, you must configure a list of external RADIUS servers or an AD
server at the local and regional clusters, and ensure all authorized users are
appropriately configured on the respective servers.
When external authentication is enabled, the CCM server handles attempts to
log in via the web UI, SDK, or CLI by issuing a RADIUS request to a RADIUS
server or an LDAP request to an AD server that is selected from the configured
list. If the corresponding server validates the login request, access is
granted, and the CCM server creates an authorized session with the group
assignments specified by the RADIUS or the AD server.
Note Any administrators defined in the CCM server’s database are ignored when external authentication is enabled. Attempting to log in with these usernames and passwords will fail. To disable external authentication, you must remove or disable all the configured external servers or change the auth-type attribute value to Local.
Tip If all logins fail because the external authentication servers are
inaccessible or misconfigured, use an alternative method to log in and resolve
the issues. See Managing Administrators, on page 53 for more details.
Configuring a RADIUS External Authentication Server
Once your RADIUS server is up and running and you have created a user, a
RADIUS user needs some specific groups and vendor specific attributes (VSA) to
log in to Cisco Prime Network Registrar. Using the Cisco vendor
id (9), create the Cisco Prime Network Registrar groups attribute for each
administrator, using the format cnr:groups=group1, group2, group3. For
example, to assign an administrator to the built-in groups dhcp-admin-group
and dns-admin-group, enter:
cnr:groups=dhcp-admin-group,dns-admin-group
To assign superuser access privileges, the reserved group name superusers is
used. To provide superuser privileges to an administrator, enter:
cnr:groups=superusers
The superuser privileges override all other groups. The VSA name used for
Cisco Prime Network Registrar is cisco-avpair.
Below is an example configuration of a FreeRADIUS server for Cisco Prime Network Registrar.
For the user (this contains default info from the server):
# ciscoprime / Cleartext-Password: CPNR username/password
# cisco-avpair: CPNR group for CNR. This is the VSA.
# Framed-IP-Address: CPNR IP
ciscoprime Cleartext-Password := "Cisco123"
    Service-Type = Framed-User,
    cisco-avpair += "cnr:groups=superusers",
    Framed-Protocol = PPP,
    Framed-IP-Address = 192.168.1.2,
    Framed-Filter-Id = "std.ppp",
    Framed-MTU = 1500
For the client:
client CNR-HOST {
    # IP of CPNR server
    ipaddr = 192.168.1.2
    # Password for CPNR Radius
    secret = P@$$W0rd!
}
Once you save and reload your RADIUS server (assuming all configuration is
correct), you can log in to Cisco Prime Network Registrar using the user
created in RADIUS, and it will allow authentication.
Note You cannot add, delete, or modify external user names and their passwords
or groups using Cisco Prime Network Registrar. You must use the RADIUS server
to perform this configuration.
Adding a RADIUS External Configuration Server
To add an external configuration server, do the following:
Local Advanced and Regional Advanced Web UI
Step 1 From the Administration menu, choose Radius under the External Authentication submenu. The List/Add Radius Server page is displayed.
Step 2 Click the Add Radius icon in the Radius pane. In the Add External Authentication Server dialog box, enter the name and the IPv4 and/or IPv6 address of the server you want to configure as the external authentication server; you can also set the key attribute, which will be used for communicating with this server. Then click Add External Authentication Server. The CCM server uses the key to set the key-secret attribute, which is the secret key shared by the client and the server.
Step 3 To enable the external authentication server, check the enabled check box of the ext-auth attribute in the Edit Radius Server page, and then click Save.
Step 4 Change the auth-type attribute to RADIUS in the Manage Servers page, click Save, and then restart Cisco Prime Network Registrar.
Note At this point, if you are not able to log in to Cisco Prime Network Registrar because local authentication is disabled, you need to create a backdoor account: under /var/nwreg2/{local | regional}/conf/priv, create a file named “local.superusers” with a username and password.
CLI Commands
To create an external authentication server, use auth-server name create <address | ip6address> [attribute=value …] (see the auth-server command in the CLIGuide.html file in the /docs directory for syntax and attribute descriptions).
Deleting a RADIUS External Authentication Server
To delete a RADIUS external authentication server, select the server in the
Radius pane, click the Delete Radius icon, and then confirm the deletion. You
can also cancel the deletion by clicking the Close button.
Configuring an AD External Authentication Server
Cisco Prime Network Registrar administrators must be assigned to one or more
administrator groups to perform management functions. When using an AD server
for external authentication, these are set as a vendor specific attribute for
each user. Using the Cisco vendor id (9), create the Cisco Prime Network
Registrar groups attribute for each administrator, using the format
cnr:groups=group1, group2, group3.
For example, to assign an administrator to the built-in groups
dhcp-admin-group and dns-admin-group, enter:
cnr:groups=dhcp-admin-group,dns-admin-group
To assign superuser access privileges, the reserved group name superusers is
used. To provide superuser privileges to an administrator, enter:
cnr:groups=superusers
The superuser privileges override all other groups.
A group needs to be created to access Cisco Prime Network Registrar, and users
need to be added to that group. Select a user attribute and provide the group
information in the format cnr:group1,group2,..
To configure an Active Directory (AD) external authentication server:
Step 1 In AD server, create a new group, for example CPNR, with the group scope Domain Local.
Step 2 Select a user and click Add to a group.
Step 3 In Enter the Object Names window, select CPNR and click OK.
Step 4 In AD Server Object windows, select CPNR for the ad-group-name attribute and info for the ad-user-attr-map attribute.
Note
You cannot add, delete, or modify external user names and their passwords or groups using Cisco Prime
Network Registrar. You must use the AD server to perform this configuration.
Configuring Kerberos Realm and KDC
For Cisco Prime Network Registrar to communicate with the AD server, the
Kerberos realm and KDC servers are required. Configure the changes in the
krb5.conf (/etc/krb5.conf) file as shown below:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 1d
default_realm = ECNR.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
[realms]
ECNR.COM = {
kdc =
admin_server =
}
[domain_realm]
.ecnr.com = ECNR.COM
ecnr.com = ECNR.COM
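The krb5.conf above pins both ticket enctype lists to rc4-hmac, which RFC 8429 deprecates for Kerberos. The following check is an added example, not Cisco's code: it reports deprecated enctypes set in [libdefaults]. Whether the AD client in Cisco Prime Network Registrar accepts AES enctypes is not stated on this page, so the check only reports; the AES comparison input is constructed.

```python
import re

# Enctype names accepted by MIT krb5 that the IETF has deprecated for Kerberos:
# single DES and RC4-HMAC-EXP (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {
    "des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1",
    "des3", "des3-cbc-raw", "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
    "rc4-hmac-exp", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# The [libdefaults] section as this page shows it.
PAGE_KRB5 = """\
[libdefaults]
ticket_lifetime = 1d
default_realm = ECNR.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
"""

# Constructed comparison input (not from the page): AES-only enctype list.
CONSTRUCTED_AES = """\
[libdefaults]
default_realm = ECNR.COM
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""


def weak_enctypes(conf_text):
    """Return [(key, enctype)] for deprecated enctypes enabled in [libdefaults]."""
    section, hits = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ENCTYPE_KEYS:
            continue
        for name in re.split(r"[\s,]+", value):
            # A leading "-" removes an enctype from the list, so it is not a hit.
            if not name or name.startswith("-"):
                continue
            if name.lstrip("+").lower() in WEAK_ENCTYPES:
                hits.append((key, name))
    return hits


if __name__ == "__main__":
    for key, name in weak_enctypes(PAGE_KRB5):
        print(f"[libdefaults] {key} enables deprecated enctype {name}")
```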
Adding an AD External Configuration Server
To add an external configuration server, do the following:
Local Advanced and Regional Advanced Web UI
Step 1 From the Administration menu, choose Active Directory under the External Authentication submenu. The List/Add Active Directory Server page is displayed.
Step 2 Click the Add Active Directory Server icon in the Active Directory pane, enter the name, hostname of the server, and domain you want to configure as the external authentication server. You can set the base domain, LDAP user attribute map, and AD group name which will be used for communicating with this server in the Add Active Directory Server dialog box. Click Add Active Directory Server.
Step 3 Change the auth-type attribute to Active Directory in the Manage Servers page, click Save, and then restart Cisco Prime Network Registrar.
CLI Commands
To create an external authentication server, use auth-server name create <address | ip6address> [attribute=value …].
Deleting an AD External Authentication Server
To delete an AD external authentication server, select the server in the
Active Directory pane, click the Delete Active Directory Server icon, and then
confirm the deletion. You can also cancel the deletion by clicking the Close
button.
Managing Tenants
The multi-tenant architecture of Cisco Prime Network Registrar provides the
ability to segment the data stored on both regional and local clusters by
tenant. When tenants are defined, data is partitioned by tenant in the
embedded databases of each cluster. This provides data security and privacy
for each tenant, while allowing cloud or managed service providers the
flexibility to consolidate many smaller customer configurations on a set of
infrastructure servers, or distribute a larger customer configuration across
several dedicated servers.
Any given local cluster may be associated with one or more tenants, but within
a local cluster, the address pools and domain names assigned to a given tenant
must not overlap.
For larger customers, clusters may be explicitly assigned to a tenant. In this
case, all data on the local cluster will be associated with the tenant, and
may include customized server settings. Alternatively, infrastructure servers
may service many tenants. With this model, the tenants can maintain their own
address space and domain names, but share common server settings that would be
administered by the service provider. Their use of public or private network
addresses needs to be managed by the service provider, to ensure that the
tenants are assigned non-overlapping addresses.
The following are the key points you should know while configuring tenants:
· Tenant administrators are linked to their data by a tenant object that defines their tenant tag and identifier.
· Tenant objects should be consistent and unique across all clusters.
· You should not reuse tags or identifiers for different tenants.
· You can configure multiple tenants on a single cluster.
· A tenant administrator cannot create, modify, or remove tenant objects.
· A tenant administrator cannot view or modify the data of another tenant.
· Objects that are not assigned to a tenant are defined as core data, and are visible to all tenants in read-only mode.
Adding a Tenant
To add a tenant, do the following:
Local and Regional Web UI
Step 1 From the Administration menu, choose Tenants under the User Access submenu. This opens the List/Add Tenants page.
Step 2 Click the Add Tenants icon in the Tenants pane, enter the tenant tag and tenant ID and click Add Tenant. The Name and Description attributes are optional.
Note You cannot create more than one tenant with the same tenant ID or tenant tag.
Step 3 Click Save. The Settings drop-down list on the toolbar at the top of the page will display the tenant under the Tenant submenu. You can use this drop-down list to select a tenant when you have to do tenant specific configurations.
CLI Commands
To add a tenant, use tenant tag create tenant-id [attribute=value] (see the tenant command in the CLIGuide.html file in the /docs directory for syntax and attribute descriptions).
Editing a Tenant
To edit a tenant, do the following:
Local and Regional Web UI
Step 1 On the List/Add Tenants page, click the name of the desired tenant in the Tenants pane and the Edit Tenant page appears with the details of the selected tenant.
Step 2 You can modify the tenant tag, name, or description of the tenant on the Edit Tenant page and click Save. The tenant ID cannot be modified.
Deleting a Tenant
Warning Deleting the tenant will also delete all data for the tenant.
To delete a tenant, select the name of the desired tenant in the Tenants pane,
click the Delete icon in the Tenants pane, and then confirm the deletion. You
can also cancel the deletion by clicking the Close button.
Note A user constrained to a specific tenant cannot delete tenants.
Managing Tenant Data
You can create two types of data for tenants:
· Tenant data, which is assigned to a specified tenant and cannot be viewed by other tenants
· Core data, which is visible to all tenants in read-only mode
Local and Regional Web UI
To create tenant data objects in the web UI, do the following:
Step 1 To set the data for a desired tenant, click the Settings drop-down list on the toolbar at the top of the page and select the desired tenant under the Tenant submenu.
Step 2 Create the object.
When creating tenant data, most object names are only required to be unique for the specified tenant. For example, tenants abc and xyz may both use their own scope test that is private to their configuration.
Note
Administrators (Admin), zones (CCMZone, CCMReverseZone, and CCMSecondaryZone), keys (Key), and
clients (ClientEntry) must be unique across all tenants.
Administrator names must be unique to perform initial login authentication and establish whether the user is a tenant. Zone and key classes must be unique because these require a DNS domain name that is expected to be unique across the internet. Client names must correspond to a unique client identifier that the DHCP server can use to match its incoming requests.
Local and Regional Web UI
To create core data objects in the web UI, do the following:
Step 1 Ensure that you select [all] from the Settings drop-down list on the toolbar at the top of the page and select the desired tenant under the Tenant submenu.
Step 2 Create the object, leaving the object tenant assignment set to none. By default none is selected in the Tenant drop-down list. Leave it as it is, so that the object is not constrained to any specific tenant.
Core data can be used to provide common configuration elements such as
policies or client classes that you choose to offer to tenants. Tenants can
view and reference these objects in their configuration, but cannot change or
delete them. Because core data is visible to all tenants, object names must
be unique across all tenants.
CLI Commands
Use session set tenant=tag to set the selected tenant. Use session unset tenant to clear the tenant selection, if set (see the session command in the CLIGuide.html file in the /docs directory for syntax and attribute descriptions).
Note Once created, you cannot change the tenant or core designation for the object. You must delete and recreate the object to change its tenant assignment.
Tip You can use the cnr_exim tool to move a set of tenant data from one tenant to another.
Assigning a Local Cluster to a Single Tenant
When assigned to a single tenant, core data on the local cluster is not
restricted to read-only access. This means tenants may be given the ability to
stop and start servers, modify defaults, and install custom extensions. After
the cluster is assigned to a specific tenant, other tenants cannot log in to
the cluster.
Note If synchronization with the local cluster fails, the cluster will not be assigned to the tenant. Resolve any connectivity issues and use the resynchronization icon to set the local cluster tenant.
Regional Web UI
To assign a local cluster to a single tenant, do the following:
Step 1 Add the tenant in the List/Add Tenant page if you want to assign the cluster to a new tenant (see Adding a Tenant, on page 48).
Step 2 From the Operate menu, choose Manage Clusters under the Servers submenu. The List/Add Clusters page is displayed.
Step 3 Choose the tenant you added in Step 1 from the Settings drop-down list on the toolbar at the top of the page and select the desired tenant under the Tenant submenu.
Step 4 Click the Add Manage Clusters icon in the Manage Clusters pane. The Add Cluster dialog box appears.
Step 5 Click Add Cluster to add the cluster. For information on adding the cluster, see Create the Local Clusters, on page 144.
Note
Once a cluster is assigned to a particular tenant, it cannot be changed or unset.
Pushing and Pulling Tenant Data
In the regional web UI, list pages include push options that let you
distribute objects to a list of local clusters, and pull options that let you
merge local cluster objects from the Replica data into the central
configuration. These operations can be performed on both tenant and core data,
but only one set of data can be pushed or pulled in a single operation.
Use the Settings drop-down list on the toolbar at the top of the page and
select the desired tenant under the Tenant submenu to specify the set of data
to be pushed or pulled.
CLI Commands
Note To maintain a consistent view of tenant data, all related clusters should
be configured with the same list of tenants. See Pushing and Pulling Tenants,
on page 70 for steps that help you manage tenant lists.
When connected to a regional cluster, you can use the following pull, push,
and reclaim commands. For push and reclaim, a list of clusters or “all” may be
specified.
· tenant < tag | all > pull < ensure | replace | exact > cluster-name [-report-only | -report]
· tenant < tag | all > push < ensure | replace | exact > cluster-list [-report-only | -report]
· tenant tag reclaim cluster-list [-report-only | -report]
Assigning Tenants When Using External Authentication
When external RADIUS authentication is configured, the groups that are
assigned in the RADIUS server configuration establish the access privileges of
the user. The implicit group name ccm-tenant-tag or ccm-tenant-id must be
added to the tenant user's list of groups to designate the tenant status.
Other assigned groups must be core groups or groups assigned to the same
tenant. Invalid groups will be ignored when building user credentials at
login. For example, to assign superuser access for the tenant abc, specify the
groups attribute as:
cnr:groups=superusers,ccm-tenant-abc
See External Authentication Servers, on page 44.
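A pre-deployment check for the cnr:groups values described here and under Configuring a RADIUS External Authentication Server, added for illustration and not Cisco's code: it parses a FreeRADIUS users entry, extracts the cisco-avpair group list, and flags superuser grants, unknown or conflicting ccm-tenant- markers, and groups owned by another tenant. The GROUP_TENANT catalogue, the TENANTS table and the sample entries are constructed assumptions, and the logic models the rules stated on this page rather than the CCM server's implementation.

```python
import re

# Constructed catalogue of CPNR groups: name -> owning tenant tag (None = core group).
GROUP_TENANT = {
    "dhcp-admin-group": None,
    "dns-admin-group": None,
    "abc-dns-group": "abc",
    "xyz-dhcp-group": "xyz",
}
# Constructed tenant table: tag -> id, so ccm-tenant-<tag> and ccm-tenant-<id> both resolve.
TENANTS = {"abc": "1", "xyz": "2"}
MARKER = "ccm-tenant-"
AVPAIR_RE = re.compile(r'cisco-avpair\s*(?:\+=|:=|=)\s*"cnr:groups=([^"]*)"', re.IGNORECASE)

# Constructed FreeRADIUS "users" entries (passwords are placeholders).
SAMPLE_USERS = '''\
# constructed sample entries
alice   Cleartext-Password := "example-only"
        cisco-avpair += "cnr:groups=dhcp-admin-group, dns-admin-group"
bob     Cleartext-Password := "example-only"
        cisco-avpair += "cnr:groups=superusers,ccm-tenant-abc"
carol   Cleartext-Password := "example-only"
        cisco-avpair += "cnr:groups=abc-dns-group,xyz-dhcp-group,ccm-tenant-abc"
dave    Cleartext-Password := "example-only"
        cisco-avpair += "cnr:groups=superusers"
'''


def parse_users(text):
    """Return {username: [groups]} from FreeRADIUS 'users' file text."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():          # an unindented line starts a new entry
            current = raw.split()[0]
            users.setdefault(current, [])
        if current is None:
            continue
        for match in AVPAIR_RE.finditer(raw):
            users[current] += [g.strip() for g in match.group(1).split(",") if g.strip()]
    return users


def lint_groups(groups):
    """Return (tenant_tag, effective_groups, findings) for one cnr:groups list."""
    findings, resolved = [], set()
    markers = [g for g in groups if g.lower().startswith(MARKER)]
    for marker in markers:
        key = marker[len(MARKER):]
        tag = key if key in TENANTS else next((t for t, i in TENANTS.items() if i == key), None)
        if tag is None:
            findings.append(f"unknown tenant marker {marker}")
        else:
            resolved.add(tag)
    tenant = None
    if len(resolved) > 1:
        findings.append("conflicting tenant markers: " + ", ".join(sorted(resolved)))
    elif resolved:
        tenant = next(iter(resolved))
    effective = []
    for group in groups:
        if group in markers:
            continue
        if group == "superusers":
            findings.append("grants superusers " + (f"for tenant {tenant}" if tenant else "with no tenant marker"))
            effective.append(group)
        elif group not in GROUP_TENANT:
            findings.append(f"group {group} is not in the catalogue; the page says invalid groups are ignored at login")
        elif GROUP_TENANT[group] not in (None, tenant):
            findings.append(f"group {group} belongs to tenant {GROUP_TENANT[group]}, not {tenant}; "
                            "the page says invalid groups are ignored at login")
        else:
            effective.append(group)
    return tenant, effective, findings


def audit(text):
    """Lint every user entry in a 'users' file."""
    return {user: lint_groups(groups) for user, groups in parse_users(text).items()}


if __name__ == "__main__":
    for user, (tenant, effective, findings) in audit(SAMPLE_USERS).items():
        print(f"{user}: tenant={tenant} groups={','.join(effective)}")
        for finding in findings:
            print("   !", finding)
```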
Using cnr_exim With Tenant Data
The cnr_exim tool lets you export tenant data, and optionally re-assign the
data to a different tenant on import (See the Using the cnr_exim Data Import
and Export Tool, on page 200). You can use these features to:
· Create a standard set of objects for each tenant
· Move tenant data to a new tenant
Note A user constrained to a specific tenant can only export or import data for that tenant.
Creating a Standard Set of Tenant Objects
You can use a standard set of tenant objects to provide common objects such as scope and zone templates, policies, and client classes. You can use these instead of core data objects to give tenants the option to customize their settings. To create a standard set of tenant objects, do the following:
Step 1 Create a template tenant user to use as a placeholder, with tag=template and id=9999, and create the set of objects to be reused for each tenant.
Step 2 Use the cnr_exim tool to export the template configuration:
cnr_exim -f template -x -e template.bin
Step 3 Use the cnr_exim tool to import the template configuration for the tenant abc:
cnr_exim -f template -g abc -i template.bin
Note
The template tenant user does not need to be present on the cluster to import the data, which lets you reuse
the template.bin export file on other clusters. Once you have created the export file, you can also delete the
placeholder tenant on the original cluster to remove all associated template data, if desired.
Moving Tenant Data
The ID of a tenant can only be changed by deleting and re-creating the tenant. To retain the data of the tenant when this is required, do the following (assuming the tenant tag for the tenant is xyz):
Step 1 Use the cnr_exim tool to export the configuration for the tenant xyz:
cnr_exim -f xyz -x -e xyz.bin
Step 2 Delete the tenant xyz.
Step 3 Recreate the tenant with the corrected tenant id.
Step 4 Use the cnr_exim tool to re-import the configuration:
cnr_exim -f xyz -g xyz -i xyz.bin
Managing Administrators
When you first log in, Cisco Prime Network Registrar will have one
administrator–the superuser account. This superuser can exercise all the
functions of the web UI and usually adds the other key administrators.
However, ccm-admin and regional-admin administrators can also add, edit, and
delete administrators. Creating an administrator requires:
· Adding its name.
· Adding a password.
· Specifying if the administrator should have superuser privileges (usually assigned on an extremely limited basis).
· If not creating a superuser, specifying the group or groups to which the administrator should belong. These groups should have the appropriate role (and possibly subrole) assignments, thereby setting the proper constraints.
If you accidentally delete all the roles by which you can log in to Cisco
Prime Network Registrar (those having superuser, ccm-admin, or regional-admin
privileges), you can recover by creating an admin name/password pair in the
/var/nwreg2/{local | regional}/conf/priv/local.superusers file. You must
create this file and include a line in it with the format admin password. Use
this admin name and password for the next login session. All users in the
local.superusers file must be prefixed with “local$”. This helps to identify
when the local.superusers file is used, as all users are prefixed by local$.
Users that start with local$ will be validated against the local.superusers
file entries. They will neither be checked against users in the local CCM user
database nor using external authentication.
Note
· As admin names are case blind, the local$ and internal$ prefixes are case blind as well.
· When using nrcmd -N admin with a local$ or internal$ user, one must escape the $ (so, use local\$ or internal\$). The alternative is to let nrcmd prompt one for the user, as then no escaping is needed.
Important
Using the local.superusers file causes reduced security. Therefore, use this
file only in emergencies such as when temporarily losing all login access.
After you log in, create a superuser account in the usual way, then delete the
local.superusers file or its contents. You must create a new administrator
account for each individual, to track administrative changes.
If you want to keep this file in place, make sure it is protected against
general read access (read access to it is only needed by ccmsrv).
If external authentication is enabled and login fails because the external authentication servers are inaccessible or misconfigured, you can log in using any administrators defined in the CCM server’s database. In this case, the username should be prefixed with “internal$” (during login) to specify that internal CCM server’s database should be used for authentication and authorization of administrator.
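The local.superusers guidance above (emergency use only, no general read access, entries prefixed with local$, delete after recovery) can be checked routinely. This audit script is an added example, not part of the product: the two default paths come from this page, while treating any group or other permission bit as too open and expecting exactly two whitespace-separated fields per line are assumptions of the sketch.

```python
import os
import stat
import sys

# Paths named on this page; a cluster normally has only one of them.
DEFAULT_PATHS = (
    "/var/nwreg2/local/conf/priv/local.superusers",
    "/var/nwreg2/regional/conf/priv/local.superusers",
)
PREFIX = "local$"


def audit_superusers_file(path):
    """Return findings for one local.superusers file; [] means nothing to fix."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []  # absent is the steady state the page recommends
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # Assumption: any group/other bit is too open, because the page says read
    # access is only needed by ccmsrv.
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group/other access")
    entries = 0
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                fields = line.split()
                if not fields:
                    continue
                entries += 1
                # Report the user name only; never echo the password field.
                if len(fields) != 2:
                    findings.append(
                        f"line {lineno}: expected 'admin password', got {len(fields)} field(s)")
                if not fields[0].lower().startswith(PREFIX):
                    findings.append(
                        f"line {lineno}: user {fields[0]!r} lacks the {PREFIX} prefix")
    except PermissionError:
        findings.append("file exists but this account cannot read its entries")
        return findings
    if entries:
        noun = "entry" if entries == 1 else "entries"
        findings.append(f"{entries} break-glass {noun} present; remove after recovery")
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:] or DEFAULT_PATHS
    problems = 0
    for path in paths:
        for finding in audit_superusers_file(path):
            problems += 1
            print(f"{path}: {finding}")
    sys.exit(1 if problems else 0)
```

A non-zero exit status makes the script usable from cron or a configuration-management check.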
Adding Administrators
To add an administrator, do the following:
Local and Regional Web UI
Step 1 From the Administration menu, choose Administrators under the User Access submenu. This opens the List/Add Administrators page (see Create the Administrators, on page 136 for an example).
Step 2 Click the Add Administrators icon in the Administrators pane, enter the name in the Name field, enter the password in the Password field, retype the password in the Confirm Password field in the Add Admin dialog box, and then click Add Admin.
Step 3 Choose one or more existing groups from the Groups Available list (or whether the administrator should be a superuser) and then click Save.
Editing Administrators
To edit an administrator, select the administrator in the Administrators pane,
modify the name, password, superuser status, or group membership on the Edit
Administrator page, and then click Save. The active group or groups should be
in the Selected list.
You can select the Unlimited Sessions? checkbox to indicate that the
administrator is permitted an unlimited number of concurrent token and user
sessions, when a session limit has been configured. For more information, see
Session Management, on page 71.
Note The web UI logs out whenever there is a change in user role for the
currently logged in admins.
Deleting Administrators
To delete an administrator, select the administrator in the Administrators
pane, click the Delete Administrators icon, and then confirm or cancel the
deletion.
Suspending/Reinstating Administrators
To suspend login access for an administrator, select the administrator in the
Administrators pane, and then click the Suspend button at the top of the Edit
Administrator page on the right pane.
Note When administrator login is enabled, only the Suspend action will be available. When suspended, only the Reinstate action will be available.
CLI Commands
Use admin name create [attribute=value] to create an administrator.
Use admin name delete to delete an administrator.
Use admin name suspend to suspend login access for administrators.
Use admin name reinstate to reinstate login access for administrators.
When connected to a regional cluster, you can use the following pull, push, and reclaim commands. For push and reclaim, a list of clusters or “all” may be specified. For push, unless -omitrelated is specified, associated roles and groups are also pushed (using replace mode).
· admin < name | all > pull < ensure | replace | exact > cluster-name [-report-only | -report]
· admin < name | all > push < ensure | replace | exact > cluster-list [-omitrelated] [-report-only | -report]
· admin name reclaim cluster-list [-report-only | -report]
Managing Passwords
Passwords are key to administrator access to the web UI and CLI. In the web
UI, you enter the password on the Login page. In the CLI, you enter the
password when you first invoke the nrcmd program. The local or regional CCM
administrator or superuser can change any administrator password.
You can prevent exposing a password on entry. In the web UI, logging in or
adding a password never exposes it on the page, except as asterisks. In the
CLI, you can prevent exposing the password by creating an administrator,
omitting the password, then using admin name enterPassword, where the prompt
displays the password as asterisks. You can do this instead of the usual admin
name set password command that exposes the password as plain text.
Administrators can change their own passwords on clusters. If you want the
password change propagated from the regional server to all local clusters, log
in to the regional cluster. First ensure that your session admin-edit-mode is
set to synchronous, and then update your password.
Note The password should not be more than 255 characters long.
Managing Groups
A superuser, ccm-admin, or regional-admin can create, edit, and delete
administrator groups. Creating an administrator group involves:
· Adding its name.
· Adding an optional description.
· Choosing associated roles.
Adding Groups
To add a group, do the following:
Local Advanced and Regional Web UI
Step 1 From the Administration menu, choose Groups under the User Access submenu. This opens the List/Add Administrator Groups page (see Create a Group to Assign to the Host Administrator, on page 141 for an example).
Step 2 Click the Add Groups icon in the Groups pane, enter a name and an optional description in the Add CCMAdminGroup dialog box, and then click Add CCMAdminGroup.
Step 3 Choose one or more existing roles from the Roles Available list and then click Save.
Editing Groups
To edit a group, click the name of the group that you want to edit in the Groups pane to open the Edit Administrator Group page. You can modify the name, description, or role membership in this page. You can view the active roles in the Selected list.
Deleting Groups
To delete a group, select the group in the Groups pane, click the Delete
Groups icon, and then confirm the deletion. You can also cancel the deletion
by clicking the Close button.
CLI Commands
Use group name create [attribute=value] to create a group.
Use group name delete to delete a group.
When connected to a regional cluster, you can use the following pull, push,
and reclaim commands. For push and reclaim, a list of clusters or “all” may be
specified. The push operation will also push the related roles (using replace
mode) and related owners and regions (using ensure mode) unless -omitrelated
is specified to prevent this.
· group < name | all > pull < ensure | replace > cluster-name [-report-only | -report]
· group < name | all > push < ensure | replace | exact > cluster-list [-omitrelated] [-report-only | -report]
· group name reclaim cluster-list [-report-only | -report]
Managing Roles
A superuser, ccm-admin, or regional-admin administrator can create, edit, and
delete administrator roles. Creating an administrator role involves:
· Adding its name.
· Choosing a base role.
· Possibly specifying if the role should be unconstrained, or read-only.
· Possibly adding constraints.
· Possibly assigning groups.
Adding Roles
To add a role, do the following:
Local Advanced and Regional Advanced Web UI
Step 1 From the Administration menu, choose Roles under the User Access submenu. This opens the List/Add Administrator Roles page.
Step 2 Click the Add Role icon in the Roles pane, enter a name, and choose a tenant and a base role in the Add Roles dialog box, and then click Add Role.
Step 3 On the List/Add Administrator Roles page, specify any role constraints, subrole restrictions, or group selections, then click Save.
Editing Roles
To edit a role, select the role in the Roles pane, then modify the name or any constraints, subrole restrictions, or group selections on the Edit Administrator Role page. The active subroles or groups should be in the Selected list. Click Save.
Deleting Roles
To delete a role, select the role in the Roles pane, click the Delete Role
icon, and then confirm the deletion.
Note You cannot delete the default roles.
CLI Commands
To add and edit administrator roles, use role name create base-role
[attribute=value] (see the role command in the CLIGuide.html file in the /docs
directory for syntax and attribute descriptions). The base roles have default
groups associated with them. To add other groups, set the groups attribute (a
comma-separated string value).
When connected to a regional cluster, you can use the following pull, push,
and reclaim commands. The push and reclaim commands allow a list of clusters
or “all”. The push operation will also push the related groups (using replace
mode) and related owners and regions (using ensure mode). The pull operation
will pull the
related owners and regions (using ensure mode). For either operation, specify
-omitrelated to prevent this and just push or pull the role.
· role < name | all > pull < ensure | replace | exact > cluster-name [-report-only | -report]
· role < name | all > push < ensure | replace | exact > cluster-list [-omitrelated] [-report-only | -report]
· role name reclaim cluster-list [-report-only | -report]
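The related-object behavior of push described in the CLI Commands passages for groups and roles above, as an added Python model that is not Cisco code or part of this guide. It assumes that ensure adds only missing objects, that replace overwrites objects with the same name, and that -report-only reports changes without applying them; the exact mode is not modelled, and the cluster data and field names (read_only, owners, regions, contact, dhcp-ops) are constructed.

```python
from copy import deepcopy

def apply(local, pushed, mode):
    """Merge pushed objects (name -> definition) into one local object class."""
    changes = []
    for name, obj in pushed.items():
        if name not in local:
            local[name] = deepcopy(obj)        # both modes add what is missing
            changes.append(("add", name))
        elif mode == "replace" and local[name] != obj:
            local[name] = deepcopy(obj)        # assumed: replace overwrites same-name objects
            changes.append(("overwrite", name))
    return changes

def push_group(regional, local, group, mode, omit_related=False, report_only=False):
    """Model of: group <name> push <ensure|replace> <cluster> [-omitrelated] [-report-only]"""
    target = deepcopy(local) if report_only else local   # assumed: dry run changes nothing
    g = regional["groups"][group]
    report = {"groups": apply(target["groups"], {group: g}, mode)}
    if omit_related:
        return report                          # -omitrelated: push the group only
    roles = {r: regional["roles"][r] for r in g["roles"]}
    report["roles"] = apply(target["roles"], roles, "replace")   # guide: roles use replace
    for kind in ("owners", "regions"):                           # guide: these use ensure
        objs = {n: regional[kind][n] for r in roles.values() for n in r[kind]}
        report[kind] = apply(target[kind], objs, "ensure")
    return report

def sample():
    """Constructed data; the field names are hypothetical, not the product schema."""
    regional = {
        "groups": {"dhcp-ops": {"roles": ["my-dhcp"]}},
        "roles": {"my-dhcp": {"base": "dhcp-admin", "read_only": False,
                              "owners": ["east"], "regions": []}},
        "owners": {"east": {"contact": "regional"}},
        "regions": {},
    }
    local = {
        "groups": {},
        # The local cluster had tightened this role to read-only.
        "roles": {"my-dhcp": {"base": "dhcp-admin", "read_only": True,
                              "owners": ["east"], "regions": []}},
        "owners": {"east": {"contact": "local"}},
        "regions": {},
    }
    return regional, local

if __name__ == "__main__":
    regional, local = sample()
    print(push_group(regional, local, "dhcp-ops", "ensure", report_only=True))
```

In the sample, the local role that had been tightened to read-only is overwritten even though the group itself is pushed in ensure mode, while the existing owner is left alone; the report-only run shows this before anything changes.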
Granular Administration
Granular administration prevents unauthorized users from accidentally making a
change on zones, address blocks, subnets, and router interfaces. It also
ensures that only authorized users view or modify specific scopes, prefixes,
and links. Granular administration constrains administrators to a specific set
of scopes, prefixes, and links. A constrained administrator can view or make
changes to authorized scope, prefix, and link objects only. The CCM server
uses owner and region constraints to authorize and filter IPv4 address space
objects, and DNS zone related objects (CCMZone, CCMReverseZone,
CCMSecondaryZone, CCMRRSet, and CCMHost). The zones are constrained by owners
and regions. Owner or region attributes on the CCMSubnet control access to
scopes. Also, owner or region attributes on the Prefix and Link objects
control access to prefixes and links.
Local Advanced and Regional Advanced Web UI
Step 1 From the Administration menu, choose Roles to open the List/Add Administrator Roles page.
Step 2 Click the Add Role icon in the Roles pane, enter a name for the custom role, for example, my-dhcp, choose a tenant, and choose dhcp-admin