2 lab
Partner VT Amsterdam
Agenda
UNDERSTANDING THE LAB ENVIRONMENT
CONNECTION TO THE LAB
https://pi-podx.prime.ciscofrance.com
Each student group owns a POD, which contains 1 Catalyst 3560v2, 2 Catalyst 3850, one ISR G2 892, one ISR G2 2911, one WLC 2504, one virtual NAM, 3 APs and 3 phones.
Each POD is divided into 2 parts: the East part and the West part.
The rest of the infrastructure is shared.
The table below gives the
Name          Model      Loopback0
SW-PODx-E     3850       10.14.20x.1
SW-PODx-W     3560V2     10.14.20x.2
RTR-PODx-E    ISR 2911   10.14.20x.3
RTR-PODx-W    ISR 892    10.14.20x.4
WLC-PODx-W    WLC 2504   172.195.x.1
vNAM-PODx     vNAM       192.168.40.2x
PI-PODx       -          192.168.40.5x
SSOx          -          192.168.40.15x
PI-P-PODx     -          192.168.193.5x
PI-S-PODx     -          192.168.193.15x
PI-V-PODx     -          192.168.193.11x
Username is pi-lab
Ask the proctor for the password.
If you don't have Cisco AnyConnect installed, you can install it from https://primelab-eu.cisco.com
(username: pi-lab; password: ask your lab proctor).
Select Add
Add another credential profile, called nam, with the following parameters (optionally, you can use the Copy )
Now create the discovery job: select Inventory > Device Management > Discovery
Select "New"
The discovery creates a job that you can see in the discovery job dashboard
This inventory replaces the device workcenter from 2.1 and earlier versions
Select Add Device, and add the device 192.168.193.100 with the default credential profile
Then select several devices. Note that you can now edit multiple devices at once (edit devices in bulk).
Click Cancel.
Select Neighbors. In 2.2, you can see both the local and the remote port (only the remote port in 2.1 and before).
Explore similar menus with your wireless LAN controller. What do you notice?
How many access points are registered?
Move the dashlet to the upper right corner and configure it to display All Locations > Unassigned, with a symmetric layout.
(Mouse over the right corner of the dashlet and select the icon to enter config mode)
A device group contains devices for different purposes (configuration, monitoring). A device can join a group statically, or dynamically based on a membership rule. In the dynamic case, if a new device matches the rule, it automatically joins the group. Some inventory attributes are provided for use in the membership rule (name, location, type, user-defined field). A single device can belong to more than one device group. Predefined device groups exist based on device model.
Location groups are conceptually identical to device groups: a location group is a device group based on location parameters, either SNMP location or switch location (civic address attributes). This is a new feature of PI 2.2 which to some extent replaces the use of sites. Membership of a location group is either static or dynamic.
The site maps are groups of access points on a map. Access points are positioned on a map, which allows wireless heatmaps to be created. Sites are organized as a 3-level hierarchy: campus/building/floors. Membership of an AP in a site is static (manually added/removed), but a feature called automatic hierarchy creation allows sites to be created and APs added to them based on their name.
Virtual domains allow grouping for administrative purposes (Role Based Access Control).
Provider
East
West
In the same way, create the location group West (syslocation contains West) and the site group Provider (syslocation contains provider). Both must be subgroups of PI-LAB.
You should have the following:
We will not spend time on virtual domains in this lab; just quickly create one called testVD and put a few devices in it. You will understand later.
Why ?
Change it to
You can use a filter to select YOUR router, 10.14.20x.3, and select GigabitEthernet 0/0 and 0/1.
Select the appropriate ports and move them to the group you created (add to group).
Select Configuration, expand App Visibility & Control, then select App Visibility
Then select Enable App Visibility > App Visibility & Performance (IPv4)
Go to Configuration Archive
If the device sends syslog messages to your PI, a configuration archive will occur.
Check whether you have a recent config (not the case below)
You can see the archive job running in the job dashboard (Administration > Jobs). After a while it must complete successfully.
Verify that you are receiving data through Flexible NetFlow: Administration > Data Source
Select
Select your data source (RTR-PODx-E) and look at the NetFlow template
Exercise 2: Shared Policy Objects and Model Based Template: design an AVC template
Shared Policy Object
PI 2.0 introduced the concept of reusable objects called Shared Policy Objects. In 2.0, only 2 shared policy objects existed: IPv4 Subnet and Interface Role. These objects were used to customize model-based templates like AVC and ZBFW (Zone Based Firewall).
Release 2.2 has new objects: IPv6 Networks, Security Rule Parameter Map, Security Service, Security Zone.
Select Configuration > Template > Shared Policy Objects > Shared > Interface Role
Add a new interface role called inside-interface, where the interface name is GigabitEthernet0/1
Select the Interface role you have created in the field Apply to Interface role
The template appears under My Templates > Features and Technologies > App Visibility and Control and can now be deployed.
Now you will configure the deployment process on your router RTR-PODx-E. Please don't deploy on the router of another POD!!!!
Select Deploy
Select your router RTR-PODx-E in the device selection (note: here you can select more than one device)
Click CLI preview. Verify that it will be deployed on the appropriate interface (GigabitEthernet0/1)
> AVC > Readiness Assessment
You can populate a repository of protocol packs on PI (import), then deploy them on the device. Deployment is a job which copies the appropriate protocol pack to flash, then activates it in the CLI.
On your system the repository is probably empty.
AVC profiles
AVC profiles are configuration templates that can be deployed on interfaces. There are 3 categories:
- QoS Classification Profiles: these profiles define how application traffic is identified (based on NBAR2) and marked. 3 default profiles are provided out of the box according to Cisco best practices: 5-class, 8-class and 12-class profiles. New profiles can be added.
- QoS Action Profiles: these define the action applied to egress traffic (queuing, priority queuing, bandwidth reservation, shaping). 3 default profiles are provided (5, 8, 12 classes) out of the box. They can be modified, and new profiles can be added as well.
- App Visibility Profile: defines the monitoring action (URL monitoring, traffic volume, Application Response Time, Voice/Video metrics).
Now you will create a new classification profile based on the 5-class profile, but you will add the traffic to/from your PI server to the class Transactional_data.
click
Change the type from NBAR to L3/L4 (you will classify using your PI IP address)
Select Apply IP/Port symmetrically
Enter YOUR PI IP address
Click OK
Now select the QoS class (Transactional-Data)
Interface configuration
This new feature in 2.2 allows you to enable AVC/QoS profiles on interfaces or interface groups.
Select the port group you created in the previous lab (User Defined > myportgroup)
then deploy
Please don't copy to startup!!
Telnet/SSH to your NAM, enable the HTTP server, and use admin/cisco for the admin user
Now you can finish the config with your web browser
From Administration > SNMP, add the SNMP communities public (read-only) and private (read-write)
Warning: good time synchronisation between your NAM and your client is NOT optional
The physical interface is then connected to a switch where a monitoring session (SPAN) is set up.
Monitor dashboards are composed of TOP N oriented dashlets (TOP N Application, TOP N DSCP, TOP N Encapsulation)
Select Monitor > Traffic Summary
Analyze Dashboards
Back in Traffic Summary, select an application (here netflow) in the TOP N Application dashlet
Here you can see the components of a transaction: network time, server time and data time.
As you can see below, in this case, if HTTP is slow, it's not a networking issue.
Real time
you will monitor every 5 sec
Packet Capture
You can also create capture sessions, use filters, and create triggered captures.
Application Recognition
With 6.1, the NAM software supports NBAR2. To enable the feature, select Setup > Classification > Application Settings
There are tons of other features in the NAM; don't hesitate to ask your lab proctor if you want more details.
Select the nam credential profile you created earlier, verify and add
Go to Administration > Settings > Datasource
You will see
Create
Failover operations send mail to a predefined mail destination. You should therefore configure an SMTP destination on the primary PI server: 192.168.193.5x.
Connect to this server first and log on as root/Public123
From Administration > System Settings, configure the SMTP destination. The server is 192.168.40.1
Use a user called pi-userx@cxd.ciscofrance.com (x is your pod number)
Quickly add a virtual domain on this server. It's not for HA; you will understand later.
Select admin > Virtual Domain
Secondary is 192.168.193.15x
Key is Public123
You can enable a virtual IP and use 192.168.193.11x
Choose Manual failover
After a while you will have this window; it can take some time to complete (10/15 min). You can go on to the next exercise; you will come back here later.
Check configuration
You can also connect to the Health Monitor of the secondary: use the secondary IP address and port 8082, and use the HA key (Public123).
See below: your secondary is syncing, which means it is in standby mode and the database and files are in sync.
Exercise 2: OpCenter
Enabling OpCenter Server
Go to Administration License
Single sign-on
Before adding a server, you must configure your cluster as the SSO server and your instances as SSO clients.
On the OpCenter, 192.168.40.15x, select
enable SSO
Keep SSO mode local (this means that the SSO server can also use an external AAA RADIUS or TACACS server)
On the first instance, 192.168.40.5x, add the SSO server (it will be the OpCenter)
You must add your 2 server instances: pi-podx and your HA server (use the HA virtual pi-v-podx)
Add the first one: pi-podx.prime.ciscofrance.com
Server is added
OpCenter Navigation
Back on the Monitor > Network Device page, click on the Prime server name
This drills down to the appropriate server (with SSO) in another window
Look at the virtual domains: you should see the ROOT-DOMAIN and the domain testVD
You can also test the generic search. You should have a user with your pod number, podx; search for this user in the generic search window
Exercise 3: Failover
You will stop the server pi-p-podx; this should trigger a manual failover.
Connect to the server through SSH, and halt it
until
Check on the operation center. You see that OpCenter automatically switched to the secondary.