Cisco Prime Network 4.3 User Guide
Cisco Prime Network 4.3.2 User Guide

Chapter 14 Managing IP Address Pools

An IP pool is a sequential range of IP addresses within a certain network. You can have multiple pool configurations. Each pool can have a priority and can be assigned to a group.

IP addresses can be assigned dynamically from a single pool or from a group of pools. The Least Recently Used (LRU) method is used to assign IP addresses. In each pool, the addresses are placed in a queue. At the time of assigning, the address at the head of the queue is assigned, and when released it is placed at the end of the queue.

When a group of pools has the same priority, an algorithm is used to determine a probability for each pool based on the number of available addresses. A pool is selected based on the probability determined. This method allocates addresses evenly from the group of pools.

IP pools support both IPv4 and IPv6 addresses. With the IP Pool feature, Prime Network provides the flexibility of assigning IP addresses dynamically for services running on a network element. A service running on a network element can refer to an appropriate IP pool, and an IP address is assigned to the service from that pool.

These topics describe how to use the Vision client to view and manage IP pools. If you cannot perform an operation that is described in these topics, you may not have sufficient permissions; see Appendix B, “Permissions Required to Perform Tasks Using the Prime Network Clients”.

- Viewing the IP Pool Properties
- Modifying and Deleting IP Pools

Viewing the IP Pool Properties

To view the IP pool properties for a device:

Step 1 In the Vision client, right-click the required device, and choose Inventory.

Step 2 In the Inventory window, choose Logical Inventory > Context > IP Pools. A list of IP pools is displayed in the content pane. Table 14-1 describes the fields that are displayed in the content pane.

Table 14-1 IP Pool Properties

| Field Name | Description |
|---|---|
| Table Types | Displays the type of table, which is IP Pools. |
| IP Pools | |
| Name | Name of the IP pool. |
| IP Pool Entries | Indicates whether entries exist for this pool. |

Step 3 Right-click the IP pool name and choose Properties. The IP Pool Properties dialog box is displayed as shown in Figure 14-1.

Figure 14-1 IP Pool Properties

Table 14-2 describes the fields that are displayed in the IP Pool Properties dialog box.

Table 14-2 IP Pool Properties

| Field Name | Description |
|---|---|
| Name | Name of the IP pool. |
| IP Pool Entries | |
| Addresses In Use | Number of IP addresses assigned from the pool. |
| Start Address/Subnet Address | Could be one of the following: starting IP address in the pool, if the pool is configured with a range; subnet address, if the pool is configured with a subnet mask. |
| Free Addresses | Number of free addresses available in the pool. |
| End Address/Subnet Mask | Could be one of the following: ending IP address in the pool, if the pool is configured with a range; subnet mask, if the pool is configured with a subnet mask. |
| VRF | Virtual Routing and Forwarding (VRF) name, if the pool belongs to a VRF. |
| Reserved Addresses | Number of reserved addresses in the pool. |
| Group Name | Name of the group to which the pool belongs. |
| Pool Status | Status of the pool. |
| Pool Type | Type of the pool, which could be Public, Private, Static, Resource, or NAT. |
| Pool Priority | Priority of the pool, which is used when multiple pools are available. |

Modifying and Deleting IP Pools

The following commands can be launched from the inventory by right-clicking on an IP pool name and choosing Commands > Configuration. Your permissions determine whether you can run these commands (see Appendix B, “Permissions Required to Perform Tasks Using the Prime Network Clients”). To find out if a device supports these commands, see the Cisco Prime Network 4.3.2 Supported Cisco VNEs.

| Command | Navigation | Description |
|---|---|---|
| Delete IP Pool | Right-click on IP Pool name > Commands > Configuration | Use this command to delete an IP Pool. |
| Modify IP Pool | Right-click on IP Pool name > Commands > Configuration | Use this command to modify IP Pool details. |
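
The allocation behaviour described at the start of this chapter (an LRU queue per pool, and probability-based selection among pools of equal priority) can be modelled as follows. This is an added example, not Cisco code: the class and function names are hypothetical, the address ranges are constructed, and it assumes the probability is proportional to each pool's free-address count, which the guide does not specify.

```python
import ipaddress
import random
from collections import deque


class IPPool:
    """One pool: a sequential address range kept in an LRU queue."""

    def __init__(self, name, start, end):
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if first.version != last.version or int(first) > int(last):
            raise ValueError("start and end must be one ascending range")
        make = type(first)  # keeps IPv4 vs IPv6 when rebuilding from integers
        self.name = name
        # Head of the queue is the least recently used address.
        self.free = deque(make(n) for n in range(int(first), int(last) + 1))
        self.in_use = set()

    def allocate(self):
        addr = self.free.popleft()  # assign the head (IndexError if exhausted)
        self.in_use.add(addr)
        return addr

    def release(self, addr):
        self.in_use.remove(addr)    # KeyError if it was never assigned
        self.free.append(addr)      # a released address goes to the end


def pool_probabilities(pools):
    """Assumption: probability is proportional to each pool's free count."""
    total = sum(len(p.free) for p in pools)
    if total == 0:
        raise RuntimeError("every pool in the group is exhausted")
    return {p.name: len(p.free) / total for p in pools}


def allocate_from_group(pools, rng=random):
    """Select one pool from an equal-priority group, then allocate from it."""
    probs = pool_probabilities(pools)
    chosen = rng.choices(pools, weights=[probs[p.name] for p in pools], k=1)[0]
    return chosen.name, chosen.allocate()


if __name__ == "__main__":
    # Constructed sample ranges from the IPv4/IPv6 documentation prefixes.
    a = IPPool("pool-a", "192.0.2.1", "192.0.2.3")
    b = IPPool("pool-b", "2001:db8::1", "2001:db8::9")
    first = a.allocate()
    a.release(first)
    print("after release, next is", a.allocate())
    print(pool_probabilities([a, b]))
    print(allocate_from_group([a, b], random.Random(7)))
```

Because a released address rejoins the queue at the end, it is reassigned only after every other free address in that pool has been handed out, which delays address reuse between consecutive sessions.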

Cisco Prime Network 4.3.2 User Guide EDCS-1524415

Chapter 15 Monitoring AAA Configurations

AAA refers to Authentication, Authorization, and Accounting, which is a security architecture for distributed systems that determines the access given to users for specific services and the amount of resources they have used.

- Authentication—This method identifies users, including their login and password, challenge and response, messaging support, and encryption. Authentication is the way to identify a subscriber before providing access to the network and network services.
- Authorization—This method provides access control, including authorization for a subscriber or domain profile. AAA authorization sends a set of attributes to the service describing the services that the user can access. These attributes determine the user’s actual capabilities and restrictions.
- Accounting—This method collects and sends subscriber usage and access information used for billing, auditing, and reporting. For example, user identities, start and stop times, performed actions, number of packets, and number of bytes. Accounting enables an operator to analyze the services that the users access as well as the amount of network resources they consume. Accounting records comprise accounting Attribute Value Pairs (AVPs) and are stored on the accounting server. This accounting information can then be analyzed for network management, client billing, and/or auditing.

These topics describe how to use the Vision client to view and manage AAA configurations. If you cannot perform an operation that is described in these topics, you may not have sufficient permissions; see Permissions for Managing AAA, page B-20.

- Supported AAA Network Protocols
- Viewing AAA Configurations
- Configuring AAA Groups

Supported AAA Network Protocols

AAA supports the following protocols:

- Diameter—This is a networking protocol that provides centralized AAA management for devices to connect and use a network service, and an alternative to RADIUS. Diameter Applications can extend the base protocol by adding new commands and/or attributes.
- Remote Authentication Dial In User Service (RADIUS)—This is a networking protocol that provides centralized AAA management for devices to connect and use a network service. RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The Remote Access Server (RAS), the Virtual Private Network (VPN) server, the network switch with port-based authentication, and the Network Access Server (NAS), are all gateways that control access to the network, and all have a RADIUS client component that communicates with the RADIUS server.
- Terminal Access Controller Access Control System (TACACS) is an authentication program used on Unix and Linux based systems, along with certain network routers. TACACS allows a remote access server to communicate with an authentication server to determine whether or not a user has the proper rights to access a network or database. TACACS forwards username and password information to a centralized security server.
- TACACS+ is a networking protocol that provides centralized AAA management for devices to connect and use a network service. Derived from TACACS, TACACS+ provides for separate and modular AAA facilities and uses TCP as transport.

Viewing AAA Configurations

This topic contains the following sections:

- Viewing AAA Group Profile
- Viewing a Dynamic Authorization Profile
- Viewing a Dynamic Dictionary
- Viewing a Radius Global Configuration Details
- Viewing TACACS+ Global Configuration Details
- Viewing TACACS+ Servers Configuration Details
- Viewing AAA Group Configuration Details

For information on the devices that support AAA, refer to Cisco Prime Network 4.3.1 Supported VNEs.

Viewing AAA Group Profile

To view the AAA group profile:

Step 1 Right-click on the required device and choose the Inventory option.

Step 2 In the Inventory window, choose Logical Inventory > AAA. The AAA attribute details are displayed in the content pane. (The attributes that are displayed depend on the device type.) Table 15-1 describes the fields that are displayed in the content pane.

Table 15-1 AAA Attributes

| Field Name | Description |
|---|---|
| Type | Customization applied to the attribute. |
| Key | Unique format name applied to the attribute. |
| Value | Formatting applied to the attribute. |

Step 3 In the Inventory window, choose the AAA group node under the AAA node. In the content pane, you can view the AAA method in the Group Type field. The group types displayed are None, TACACS+, RADIUS, or DIAMETER for the existing device types.

Step 4 Under the AAA group node, select and expand the required group and choose the Radius Configuration option. The group details are displayed in the content pane. Table 15-2 describes the fields that are displayed in the Radius Configuration dialog box.

Table 15-2 Radius Configuration Details

| Field Name | Description |
|---|---|
| Load Balancing Method | The load balancing method. |
| Ignore Preferred Server | Indicates if a transaction associated with a single AAA session should attempt to use the same server or not. |
| Dead Time | The deadtime for the profile. |

Viewing a Dynamic Authorization Profile

To view the dynamic authorization profile:

Step 1 Right-click on the required device and choose the Inventory option.

Step 2 In the Inventory window, choose Logical Inventory > AAA > Dynamic Authorization. The authorization details are displayed in the content pane. You can click on the tabs to view more details. (The attributes that are displayed depend on the device type.) Table 15-3 describes the fields that are displayed in the Dynamic authorization content pane.

Table 15-3 Dynamic Authorization Details

| Field Name | Description |
|---|---|
| Protocol | The name of the protocol. |
| Server Listen Port | The port number that receives service requests. |
| Ignore Server Key | Indicates whether the server key must be ignored. Values are: true, false. |
| CoA Clients Tab | |
| IP Address | The IP address of the Change of Authorization (CoA) client. |
| VRF | The associated VRF to which the CoA client belongs. Click the hyperlink to view the relevant node under the VRF node. |

Viewing a Dynamic Dictionary

To view the dynamic dictionary:

Step 1 Right-click on the required device and choose the Inventory option.

Step 2 In the Inventory window, choose Logical Inventory > local > AAA > AAA Dynamic Dictionaries > Context. The dynamic dictionary VID details are displayed in the content pane. Table 15-4 describes the fields that are displayed in the Dynamic dictionary content pane.

Table 15-4 Dynamic Dictionary Details

| Field Name | Description |
|---|---|
| Dynamic Dictionary Name | The name of the configured diameter dynamic dictionary. |
| Base Static Dictionary | The static dictionary number and name from which the dynamic dictionary is derived. |
| AAA Dynamic Dictionary VID Entries | |
| Vid | The vendor ID. |

Viewing a Radius Global Configuration Details

To view the radius global configuration details:

Step 1 Right-click on the required device and choose the Inventory option.

Step 2 In the Inventory window, choose Logical Inventory > AAA > Radius Global Configuration. The authorization details are displayed in the content pane. (The attributes that are displayed depend on the device type.) Table 15-5 describes the fields that are displayed in the Radius global configuration content pane.

Table 15-5 Radius Global Configuration Details

| Field Name | Description |
|---|---|
| Load Balancing Method | The load balancing method using which the next host is selected. The server with the least transactions outstanding is generally picked as the next host. |
| Ignored Preferred Server | Indicates if a transaction associated with a single AAA session should attempt to use the same server or not. |
| Request Timeout | The request timeout value for the device. |
| Dead Time | The amount of time (in minutes) after which the dead RADIUS server will be treated as active. |
| Retransmit | Indicates whether retransmission of data is allowed. |
| Retransmit Count | The retransmission count. |
| Dead Criteria Time | The time interval after which the device is considered unavailable. |
| Dead Criteria Retransmit Count | The retransmission count after the dead criteria time. |
| Accounting Servers/Authentication Servers | |
| Server IP | The IP address of the server. |
| Server Port | The server port. |
| Preference | The preferred server. |
| Operational State | The current operational state of the interface. |
| Administrative Status | The administrative status of the interface. |
| Retain Administrative Status After Reboot | Indicates whether the administrative status must be retained after the system reboots. |
| Keepalive Representative Group | The keepalive representative group. |
| Request Timeout | The request timeout value for the device. |
| Retransmit Count | The retransmission count. |

Viewing TACACS+ Global Configuration Details

To view the TACACS+ global configuration details:

Step 1 Right-click on the required device and choose the Inventory option.

Step 2 In the Inventory window, choose Logical Inventory > AAA > TACACS+ Global Configuration. The configuration details are displayed in the content pane. (The attributes that are displayed depend on the device type.) Table 15-6 describes the fields that are displayed in the TACACS+ global configuration content pane.

Table 15-6 TACACS+ Global Configuration Details

| Field Name | Description |
|---|---|
| Source Interface | Specifies that the IP address of this specified interface is used for all outgoing TACACS+ packets. |
| VRF | The VRF for the specified source interface configuration. |
| Timeout | Specifies the time to wait for the TACACS+ server to reply in seconds. |
| IPv4 DSCP | Specifies the IPv4 Differentiated Services Code Point (DSCP) to be used in the outgoing IP headers. |
| IPv6 DSCP | Specifies the IPv6 Differentiated Services Code Point (DSCP) to be used in the outgoing IP headers. |
| Administration | Specifies if the handling of administrative messages by the TACACS+ daemon is enabled. |
| Allow Unknown Attribute | Specifies if unknown TACACS+ attributes are ignored instead of trying to parse them. |
| Packet Max Size | Specifies the maximum size of TACACS+ packets. |
| DNS Alias Lookup | Specifies if IP Domain Name System (DNS) alias lookup is enabled for TACACS+ servers. |
| Cache Expiry Time | Specifies the length of time, in hours, for a cache database profile entry to expire. |
| Cache Expiry Rule | Specifies how the expired cached database profile entries in this TACACS+ server group are to be used: Enforce—Indicates not to use expired entries. Failover—Indicates to use an expired entry if all other methods fail. |
| Cache Authentication Profile Name | The name of the cache authentication profile used in this TACACS+ server group. |
| Cache Authorization Profile Name | The name of the cache authentication profile used in this TACACS+ server group. |
| Directed Request | Specifies if only the username (and not the entire string) is sent to an AAA TACACS+ server. |
| Directed Request | Specifies that queries are restricted to directed request servers only. |
| Directed Request | Specifies @hostname is not truncated from the username. |
| Domain Stripping Right-to-Left | Specifies that the stripping configuration at the first delimiter found when parsing the full username from right to left will be applied. |
| Prefix Delimiter | Specifies that the prefix stripping is enabled and the specified character(s) are to be recognized as a prefix delimiter(s). |
| Suffix Delimiter | Specifies the character(s) that are to be recognized as a suffix delimiter. |
| Strip Suffix | Specifies the suffix to strip from the username. |
| VRF | Specifies the VRF that the domain stripping configuration is applicable to. |