BRKNMS-2701 -- How I Learned to Stop Worrying and Love Prime Infrastructure
Presenters:
- Lewis Hickman, Consulting Systems Engineer
- Jennifer Valentine, Systems Engineer
Quick survey in the room: 60-70% of attendees running PI 3.x; 10-20 PI 2.x; some still on LMS.
"There are 37 different 'Cisco Prime' products" -- Lewis
"Cisco Prime" isn't a product; "Cisco Prime Infrastructure" is. Cisco Prime is a family of products.
PI traces its lineage back to 1996: CWSI > Cisco Works LMS > Cisco Prime LMS > WCS > NCS > Prime Infrastructure.
"1232 SysObjIds supported in PI today" -- Lewis (aka, 1232 different devices supported by PI)
Two people (only!!) in the room running Network Analysis Module.
UCS Server Assurance module: enables mgmt of UCS servers; will integrate into vCenter and map VMs to physical hosts for you.
Operations Center: manager of managers for PI
Licensing in PI 3.x:
- One license for Lifecycle and Assurance now
- Different license files for different device types
- Different device types require a specific number of "tokens"
- When a license is installed in PI 3.x, it gets converted into the appropriate number of tokens
- As you add devices to PI, it draws down on the number of free tokens in the pool
- Hint: You don't have to install the matching license file for the type of device you want to manage (eg, you can install a Cat3k license to manage an AP)
- PI 2.x licenses can be installed in PI 3.x; only the functionality enabled by the 2.x license will be enabled (eg, only Life Cycle)
No more Flash (!!) in 3.x; HTML5 interface and tablet friendly, too.
Finding devices with discovery:
- Import CSV, CDP discovery or add single device at a time
- Can use different discovery methods for different places in the network
- Use a Credential Profile to store CLI and SNMP creds so they're reusable
- Device Groups: static (manual) or dynamic (by policy) assignment of devices to a group
Reports:
- "Hardware Detail Report" -- useful when you need a detailed inventory at Smartnet true-up time!
- PSIRT and EoX reports: security and end of sale/life reports
Config Archives:
- Administration > Settings > System Settings > Inventory > Configuration Archive
- Checkbox for archiving the configs as soon as the device is added
- Checkbox for archiving config on receiving config change events (syslog SYS-CONFIG messages); there is a hold off timer for this setting
- Archives can also be scheduled
- Archives are gathered when interesting things have changed; some commands are "not interesting" and will not trigger a new archive (full list in Config Archive settings, Advanced)
- View archives by drilling into the device from Device Inventory and Configuration Archive tab
- Supports side-by-side config diffing!
- Will identify when startup and running-configs are not in sync
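
The change detection described in this list, sketched as an added example (not PI's code and not from the session): two configs are compared after dropping "not interesting" lines, and the same routine answers whether startup and running are in sync. The ignore patterns and both sample configs are assumptions constructed for illustration; PI's real list is in the Configuration Archive advanced settings.

```python
import difflib
import re

# Assumed "not interesting" patterns for illustration only; PI's actual list
# is in the Configuration Archive advanced settings.
UNINTERESTING = [
    re.compile(r"^\s*$"),
    re.compile(r"^!"),                      # comments, change-timestamp banners
    re.compile(r"^ntp clock-period \d+$"),  # value the device rewrites itself
]

def normalize(config):
    """Drop uninteresting lines; keep order and indentation of the rest."""
    lines = (l.rstrip() for l in config.splitlines())
    return [l for l in lines if not any(p.search(l) for p in UNINTERESTING)]

def config_changes(old, new):
    """Return (op, line) pairs, op '-' for removed and '+' for added lines."""
    diff = difflib.ndiff(normalize(old), normalize(new))
    return [(d[0], d[2:]) for d in diff if d.startswith(("- ", "+ "))]

def in_sync(startup, running):
    """True when startup and running differ only in uninteresting lines."""
    return not config_changes(startup, running)

# Constructed sample configs (not taken from any real device).
STARTUP = """\
! Last configuration change at 09:12:01 UTC Mon Jan 4 2016
hostname edge-sw1
ntp clock-period 36029120
line vty 0 4
 transport input ssh
"""
RUNNING = """\
! Last configuration change at 14:40:37 UTC Tue Jan 5 2016
hostname edge-sw1
ntp clock-period 36029188
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    print("in sync:", in_sync(STARTUP, RUNNING))
    for op, line in config_changes(STARTUP, RUNNING):
        print(op, line)
```

Here the timestamp banner and the NTP clock-period differ but are filtered out, so the only reported change is the unsaved edit that adds telnet to the vty lines.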
Device configuration:
- Dozens of out of the box config templates
- Of course, create your own from scratch
- Or, modify an existing template and save it as a new template
- Templates have a built-in template language (Apache Velocity) for conditional logic; eg, if the user didn't specify a value for MTU, don't try to configure an MTU on the interface
- Templates can be confined to specific device types or specific operating systems
- Variables within the template can have their input validated to avoid users entering bogus data (and breaking the config)
- Templates can pull out data from the PI inventory about the device (eg, interface speed, device serial number)
- When templates are executed, user is displayed a form and asked to fill in the boxes; then they hit go to execute the config push.
Admin > Settings > System Settings > Inventory > Configuration > Deploy CLI Thread Pool Count:
- Default is 5
- Means PI will deploy to 5 devices at a time
- On beefy installations of PI, may want to raise this number
Config compliance:
- Supports IOS, XE, XE, NX-OS, AirOS (in PI 3.1+), and ASA
- Only supported on Pro OVA or Generation 2 appliance (PI-UCS... SKU)
- Support for Standard OVA coming PI 3.1 Maintenance Release 1
- Feature is disabled by default; needs to be enabled and services restarted to enable
- Define a baseline policy; run a report to validate compliance
- Many sample policies
- Policy has pretty complex logic rules
- The compliance policy can do auto remediation (_unsure how smart this is, but it's there_); can run remediation on a per device or per violation basis
- There is a 2-hour breakout on just compliance on www.ciscolive.com
- By default, the compliance check uses the archived configuration and not the on-box config; can be overridden at the time the job is launched
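
A baseline check of the kind described above, run over archived config text, as an added example (not PI's policy engine and not from the session). The rule format, the rule ids and the sample config are assumptions constructed for illustration.

```python
import re

def parse_blocks(config):
    """Map each top-level line to its indented child lines (IOS-style text)."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            parent = line
            blocks[parent] = []
        elif parent is not None:
            blocks[parent].append(line.strip())
    return blocks

# Constructed baseline: (rule id, block selector or None for global, kind, pattern)
POLICY = [
    ("PWD-ENC", None, "require", r"^service password-encryption$"),
    ("NO-HTTP", None, "forbid", r"^ip http server$"),
    ("VTY-SSH", r"^line vty ", "require", r"^transport input ssh$"),
    ("VTY-ACL", r"^line vty ", "require", r"^access-class \S+ in$"),
]

def check(config, policy=POLICY):
    """Return (rule id, scope) for each violation, in policy order."""
    blocks = parse_blocks(config)
    violations = []
    for rule_id, selector, kind, pattern in policy:
        if selector is None:
            scopes = {"global": list(blocks)}   # top-level lines only
        else:
            scopes = {p: k for p, k in blocks.items() if re.search(selector, p)}
        for scope, lines in scopes.items():
            hit = any(re.search(pattern, l) for l in lines)
            if hit != (kind == "require"):
                violations.append((rule_id, scope))
    return violations

# Constructed archived config (not from a real device).
ARCHIVED = """\
service password-encryption
ip http server
line vty 0 4
 access-class MGMT in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""
```

`check(ARCHIVED)` flags the HTTP server globally and both vty rules on `line vty 5 15` only. Because the input is the archive copy, the result is only as current as the last archive.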
Fault monitoring:
- Admin > Settings > System Settings > Alarms and Events > ...
- Customize this! -Jenn; make it suitable and tuned for your environment
- Alarms can be cleared, ack'd, annotated, and assigned to specific users
- "Events" are SNMP traps or syslog messages
- "Alarms" are a roll up of 1 or more events
Client tracking:
- Combines contextual data from WLC, ISE, and the wired network to track a device as it moves through the network
- Integration with CMX (MSE) can enable physical location tracking of wired devices
Application performance:
- With the Assurance license, PI can ingest NetFlow data
Topology maps:
- Network topology!
- Initial topology view is based on device groups; drill down to see individual devices
Software image management (SWIM):
- Can manually upload images to PI or have PI suck images down from the device
- Defect in PI 3.x prevents importing software images directly from cisco.com; will be fixed in future PI maintenance release
- Have PI archive all your deployed IOS images! -Lewis; don't depend on your specific image to always be available on cisco.com
- PI does efficient image downloads from your devices; won't download the same image over and over if it's on multiple devices
- Push images with scp, ftp, tftp, http