seed device in CM 4.0.6

Unanswered Question
Jul 23rd, 2007

I'm going to reinstall my LMS 2.6 server and am now wondering which device is best as the seed device. We have Cisco WS-C4507R devices, which are for servers. We also have Cisco WS-C6509 devices, which route our network. We also collect our servers to Cisco WS-C3750G-24TS devices. Any idea which is best suited as a seed device, so that CM is best tuned for seed devices?


Thanks

Juha

Overall Rating: 4.8 (4 ratings)
Martin Ermel Mon, 07/23/2007 - 23:15

The 'best' device should be your core or distribution device/devices, i.e. the devices that have the most direct connections to other network devices (as CDP info derived through SNMP is the only discovery protocol used by LMS). In big environments you could also spread them across the network. Keep in mind that you could specify multiple seed devices, but they are only of interest for the VERY FIRST discovery! Afterwards LMS defines the starting points for its discovery itself, based on the devices in DCR. So I would say it is not necessary to brood much about the seed devices; you just need to have a minimum of one in the local LAN and in every 'satellite network' (branch offices connected over WAN links where usually no CDP is enabled).


I might add just one caveat to this good description:


You need to add a seed to each technology isolated part of your network if you want to discover it. Technology isolated could be defined as areas of your network which either by design or operation do not pass CDP such as firewalled, on the other side of an ATM link, or ACL restricted areas. It works much like Openview's Network Node Manager by playing "connect the dots".

u346874_2 Tue, 07/24/2007 - 03:59

OK. Thanks for the helpful answer. Now I have entered the seed, SNMP, and IP range settings in CM. Only one device appears in CM, and it is in an unreachable state (it's the seed device). No device in CS. When I configure CM (seed, SNMP, and IP range settings) and discovery ends, should those devices appear in CS so that I can manage credentials (or should I do some settings in CS before starting discovery)? I use SNMPv3. CDP is enabled in our network. Have I forgotten something? I installed the LMS bundle a few years ago and there was no problem with discovery then. I suppose I did all the settings now like a few years ago, but now discovery fails. Any idea?


thanks

juha

Martin Ermel Tue, 07/24/2007 - 04:39

I suppose there is a misconfiguration concerning SNMPv3 between what is configured on your device and what you have entered in LMS - Campus - SNMP settings. You should check whether LMS has SNMPv3 access to the device.

For a quick check, the best way would be to open the following from the LMS main page:

Device Troubleshooting - Device Center

Enter the device's IP -> Go

In the lower left corner you can launch 'SNMP Walk'; enter the credentials and 'system' as the OID.

If this fails, you should check both the SNMP config on the device and the credentials you entered in CM, and also any ACL or firewall between the management server and the device.

Basically what changed the last years is that they started to give each function its own process - that is much better for troubleshooting!

for an overview of discovery have a look at this thread:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1dddb1b3/16#selected_message


and be aware of snmpv3 context settings to get STP and UT info :

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddc37a0

u346874_2 Tue, 07/24/2007 - 21:33

Thanks. That was the main problem (misconfiguration concerning SNMPv3 between what is configured on your device and what you have entered in LMS - Campus - SNMP settings).

Now I can find devices. That context part is hard to understand. Do I need that context line on my device so that I can get UT and STP info? Now my SNMP config is like:


snmp-server group group1 v3 auth write v1default access xx


snmp-server user user1 group1 v3 auth sha password


What do I have to tell with that line that Joe mentioned under that link?


"snmp-server group v3group v3 auth context vlan-1"


Joe mentioned "you must add a line like the following for each VLAN context in addition to the group line above"


What does "context vlan-1" mean?


Thanks

Juha


Martin Ermel Thu, 07/26/2007 - 07:43

Yes you need the context line in the config of the device.


The necessity for SNMP context arises from the security model which SNMPv3 uses: access to certain parts of the MIB is controlled by user, group, type of access (read / write) and MIB view (defines which parts of the MIB are accessible); a combination of these things defines who can do what with which part of the MIB.


Using SNMPv1 or SNMPv2c, having the read community you can walk the MIB tree. To get information from the BRIDGE-MIB for non-default VLANs you must use community string indexing.

With SNMPv3 there are no community strings anymore, so how do you get VLAN-related info from the BRIDGE-MIB and, according to the security model, how do you define who has access?

This is the reason why SNMP context is needed: you define which group has access to a certain context.

To see available contexts, use 'show snmp context'; and then you can assign a context to a specific group as Joe mentioned:


snmp-server group group1 v3 auth context vlan-1


This is necessary for every VLAN context you want to give a specified group access to (in your case group1); if you do not do this, the group is not allowed to read the information stored 'behind' this context.

When using SNMPv3, keep in mind that the 2950 series have limitations on using SNMPv3, as Joe mentioned here:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddeea68
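
The per-context check described in the post above, as an added example that is not part of the original thread or of any Cisco code: a simplified Python model of the group-and-context lookup (exact context match only) plus a helper that lists the `snmp-server group` lines a group still lacks. The `show snmp context` output format, the extra VLAN contexts and the function names are constructed assumptions; the user and group names follow the thread.

```python
import re

# Constructed sample; one context name per line is an assumed output format.
SHOW_SNMP_CONTEXT = """\
vlan-1
vlan-10
vlan-20
"""

# Config in the style posted in the thread (values are the thread's placeholders).
CONFIG = """\
snmp-server group group1 v3 auth write v1default access xx
snmp-server group group1 v3 auth context vlan-1
snmp-server user user1 group1 v3 auth sha password
"""

USER_TO_GROUP = {"user1": "group1"}  # from the 'snmp-server user' line above


def parse_group_lines(config):
    """Return the set of (group, context) pairs granted by v3 auth group lines."""
    access = set()
    for line in config.splitlines():
        m = re.match(r"\s*snmp-server group (\S+) v3 auth\b(.*)", line)
        if not m:
            continue
        ctx = re.search(r"\bcontext (\S+)", m.group(2))
        # A group line without 'context' covers only the default (empty) context.
        access.add((m.group(1), ctx.group(1) if ctx else ""))
    return access


def is_access_allowed(access, user, context):
    """Allow only if the user's group has an entry for exactly this context."""
    group = USER_TO_GROUP.get(user)
    return group is not None and (group, context) in access


def missing_context_lines(config, contexts_output, group):
    """One 'snmp-server group' line per listed context the group cannot read yet."""
    access = parse_group_lines(config)
    contexts = [c.strip() for c in contexts_output.splitlines() if c.strip()]
    return [f"snmp-server group {group} v3 auth context {c}"
            for c in contexts if (group, c) not in access]


if __name__ == "__main__":
    acl = parse_group_lines(CONFIG)
    for ctx in ("", "vlan-1", "vlan-20"):
        print(repr(ctx), is_access_allowed(acl, "user1", ctx))
    print("\n".join(missing_context_lines(CONFIG, SHOW_SNMP_CONTEXT, "group1")))
```

Review the generated lines before applying them, so that the group is granted only the VLAN contexts the management server actually needs to read.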


u346874_2 Thu, 07/26/2007 - 23:46

Hi


That was very enlightening.


I looked around our switches with the command "sho snmp context" and only our router gives output to the console, which included all our VLAN context info (I suppose the other switches do not support that context option). Do I now have to add to the router the command


snmp-server group group1 v3 auth context vlan-x


for each VLAN that I want my group1 to have access to? (Can't I give a range of VLANs with one command?)


thanks

Juha
