Cisco OverDrive 4.0 User Guide
Reference to common tasks


This section provides how-to information for common tasks that you need to know how to do before you can effectively work with the vCOM Command Center.

Creating and editing domains

Working with sites

Creating administrators in domains

Managing collections of resources

Allowing ports and protocols for services

Creating and refining business policies

Adding groups and collections

Creating and editing domains

Creating a new domain

To create a new domain:

1. In your domain tree, choose one of these two options:

Click on the ROOT domain or another one if more appropriate, then click the New Domain icon in the toolbar.

Or, right-click the ROOT or other domain and choose New Domain in the resulting context menu.

Notice that the browse view opens a maintenance panel with a pre-filled name for this new domain, the domain path for it, a text field to enter the domain name, and three tabs: Comment, Subnets, and VLAN.

2. Enter the domain name, for example, Customer Clouds.

3. In the comment pane, enter text to be seen when someone mouses over this domain's name or icon in the tree view.

4. Click each appropriate tab and work through the settings and sub-tabs. For example:

If subnets apply, click the Subnets tab. See the "Configuring subnets" section on page 2-2.

If VLANs apply, click the VLANs tab. See the "Creating and configuring domain VLANs" section on page 2-34.

5. Click Submit.

Editing a domain

To edit an existing domain:

1. Highlight it in the domain tree.

2. Check that the selection view's Summary tab shows items contained within the domain that you have chosen.

For our domain Example, if you have entered VLANs as suggested below, this list should be:

3. Choose Edit in the context menu.

You will return to the domain window in the browse view, with the Comment tab open on the mouse-over comment you have entered or edited previously.

Working with sites

A site consists of a DSC and one or more DSC-managed devices; it has one or more resources affiliated with it, and it can be configured with VLANs.

A site is a logical location. It is possible to have several sites in one physical location or vice versa. The site is a point of control for OverDrive to manage a collection of devices.

An example of a site is a large distributed office complex with one point of ingress or egress at which policies are enforced. Another example of a site is a stack of network equipment in a data center built to provide virtual compute services. You may have several of these in one physical location.

Creating a new site

To create a new site:

1. Right-click a domain in the domain tree view and choose New Site.

2. Enter the site name, for example, Boston or Boston State Street Branch.

3. Click on each tab and follow these directions as appropriate:

a. Participating Resources—These are resources available in the domain. Since this site is, for our example, in the Example domain, once we have created resources, future new sites will have them available. See Specifying site resources below.


Note: Resources such as servers and subnets can only be assigned at one site at a time. Network IDs for LDAP users can be logged in at any of the sites in the domains in which they are visible.


b. Devices—Specify a name and password for the DSC controlling the device, and then specify the device itself, as described in Specifying site resources below.

c. Site Subnets—See the "Creating site subnets" section.

d. VLAN—See site-specific information in the "Creating and configuring domain VLANs" section on page 2-3.

Specifying site resources

Site resources include users, notebooks, desktops, servers, and so on.

To specify a site resource:

1. Right-click the site in the domain tree and choose New Local Resource.

2. Give the resource a name, choose an icon, and specify its IP address.


Note: The drop-down site list lets you reassign this resource to another site within the same domain.


3. Under the Business Policies tab, click the business policy that you want this resource to participate in (use Ctrl-click for more than one).

4. Click Add to move the policies to the joined panel.

5. Do the same under the Collections tab, as appropriate.

6. Click Submit.

The resource should appear in the Summary tab for the site.

Specifying the site DSC and its devices

When you bring up a device configuration window, it will tell you the site name, for example, Chicago.

On the Config tab for a new site:

1. Specify the DSC name.

You might want to use an abbreviated name that reminds you of the site name, so, for example, you might use LIN-BOS-StateSt-01 for a DSC on a site named Linwood Boston State Street Branch.

2. Specify and confirm a password.

3. On the Device tab, specify needed information for devices.


Note: For each device you want to add, choose the type from the Add drop-down list. Before adding switches, back up the switch configuration, and verify that all VLANs (managed and unmanaged) are known to OverDrive.


a. Specify configuration common to all devices:

Name—A device name, as described above

IP Address—Where they live on the net

CLI Credentials—Access method (telnet/ssh), username, passwords

SNMP Version—Most likely accept the default (3).

V3 Credentials—Username, authorization passphrase, and private passphrase; SNMP credentials

Comment—Tooltip text

b. For specific devices, provide the following information where applicable:

Access switches have an Admin tab with the above information, plus a VLAN tab that shows permitted and non-permitted VLANs. This allows you to exclude a VLAN from designated switches. They also have uplink ports and access switch ports. Uplink ports may require an IP address that will be predefined on the switches. The DSC recognizes the uplink ports and reports them to the server to be used for validating that new VLANs do not overlap with the uplinks at the site; it does not configure the base static configuration of the switch (uplinks and downlinks): it configures dot1x, VLANs and ACLs.

Aggregation switches may have several uplink and downlink trunk ports that permit traffic from the access layer to the distribution layer. You may specify certain managed ports on which OverDrive will dynamically create VLANs in addition to those it creates automatically on such devices. This restricts traffic so that only managed or specified VLANs are permitted on the trunks.

NAT devices need interface names for inside and outside.

Routers need the IPsec interface IP address and the tunnel interface name.

VM managers need property values that match those set in vCenter configuration: password, targetAddress, username, datacenter, targetFolder, templateFolder, vSwitch.

4. Click Submit.

Creating site subnets

Site subnets let you further constrain the address allocation within a domain by describing which addresses may be used at a site. The site subnet constrains the addresses that are available for resources at the site. The collection of site subnets is also used to aggregate routes and IPsec tunnel SAs.

Once you have created a site, you can create a subnet for it. A site subnet specifies the addresses in use at the site and must be within the range of the domain subnets. It may not overlap with discovered uplink subnets or with VLANs at the site.

To do so:

1. If you are not already looking at the site window with the various tabs, right-click the site and choose Edit.

2. Click Site Subnets.

3. Click New, then enter an IP address and netmask.

4. Click Accept.

The site's resources will be required to adhere to this subnet.
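
The rules above can be checked before a subnet is entered in the Site Subnets tab. The following is an added example, not part of OverDrive or of this guide; it reads "within the range of the domain subnets" as "contained in one domain subnet" (an assumption), and all addresses, resource names, and function names are constructed for illustration.

```python
import ipaddress

def check_site_subnet(candidate, domain_subnets, uplink_subnets, vlan_subnets):
    """Return a list of rule violations for a proposed site subnet (empty = OK)."""
    try:
        # strict=True rejects "10.20.4.5/24": host bits set usually means a typo.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"invalid subnet {candidate!r}: {exc}"]
    problems = []
    domains = [ipaddress.ip_network(d) for d in domain_subnets]
    # Rule 1 (assumed reading): the site subnet must sit inside one domain subnet.
    if not any(net.version == d.version and net.subnet_of(d) for d in domains):
        problems.append(f"{net} is not inside any domain subnet")
    # Rule 2: no overlap with discovered uplink subnets or with VLANs at the site.
    for label, others in (("uplink", uplink_subnets), ("VLAN", vlan_subnets)):
        for other in map(ipaddress.ip_network, others):
            if net.overlaps(other):
                problems.append(f"{net} overlaps {label} subnet {other}")
    return problems

def resources_outside(site_subnets, resources):
    """Names of resources whose IP address falls in none of the site subnets."""
    nets = [ipaddress.ip_network(s) for s in site_subnets]
    return sorted(name for name, ip in resources.items()
                  if not any(ipaddress.ip_address(ip) in n for n in nets))

# Constructed sample data for one site.
DOMAIN_SUBNETS = ["10.20.0.0/16"]
UPLINK_SUBNETS = ["10.20.255.0/30"]
VLAN_SUBNETS = ["10.20.8.0/24"]
RESOURCES = {"crm-server": "10.20.4.10", "laptop-7": "10.20.9.3"}

if __name__ == "__main__":
    for cand in ("10.20.4.0/24", "10.20.8.128/25", "10.20.255.0/24",
                 "192.168.1.0/24", "10.20.4.5/24"):
        issues = check_site_subnet(cand, DOMAIN_SUBNETS, UPLINK_SUBNETS, VLAN_SUBNETS)
        print(cand, "->", issues or "OK")
    print("outside site subnet:", resources_outside(["10.20.4.0/24"], RESOURCES))
```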

Creating administrators in domains

When you create an administrator for a domain, you can choose that domain or one contained within it for him or her to manage. He or she will see only the domain you specify.

To create an administrator:

1. Right-click any domain and choose New Administrator.

If you want to have all of your administrators in a particular location in the tree, create a new subdomain for them and call it Administrators.


Note: You can create an admin anywhere. The privileges you assign determine where he logs in. We suggest creating an admin outside of his domain, so he can't edit himself.


2. In the new administrator screen, under the Administrator tab:

a. Enter the username of the administrator you are specifying, plus a password and its confirmation.

b. Enter a comment to appear on mouse-overs, for example:

Read Only: Automated daily reports

Global view

Read Only: NOC view

Domain administrator

3. Under the Roles tab, expand the domain tree.

4. Right-click one of the domains and choose the type of admin to create.

5. Double-click the domain to open it, then verify that the admin has been added, as you can see by the key icon and type of admin that you added, for example:

6. Now you're done. Click Submit and the new administrator will show up in the domain's Summary tab.

Managing collections of resources

A collection is a set of resources grouped together with some common purpose or function. A collection provides an efficient way to manage a number of resources. For example, it lets you give a group of users joint access to a resource even though they are distributed across multiple sites. A very common use for collections is where you want to apply a hub and spoke topology to more than one resource at the hub.

Collections may include other collections as members.

To create a collection:

1. Right-click a domain and choose New Collection.

2. Enter the collection name and visit all three tabs: Resources, Business Policies, and Collections.

3. For each tab, highlight one or more available items and click Add to assign them to participating resources, to joined business policies, or to joined collections.

Once you have added them, you could highlight them and click Remove to return them to the available pool.

4. Enter something useful and appropriate in the comments field.

5. Click Submit.

Allowing ports and protocols for services

All network services use one or more ports and one or more protocols for communication. For the users on a given network to use a service, OverDrive must be configured to allow network traffic for it. (Some standard ports are predefined: http, telnet, ICMP, etc.)

Ports and protocols are an attribute of all business policies, which use them to permit certain traffic. See the "Creating a business policy for a CRM server" section on page 4-7 for an example.

To specify ports and protocols for a domain to use:

1. Right-click a domain and choose New Ports & Protocols.


Note: If you don't specify at least one, the policy will be infeasible because no traffic will be considered valid for the policy.


2. Specify the name.

3. Click Add if the Ports & Protocols pane is empty. Otherwise, you may also highlight one set and click Edit or Remove.

4. In the Protocol section, leave Predefined selected, and choose ANY, ICMP, TCP, or UDP.

5. For TCP and UDP, enter the ports to use.

6. Click Submit to accept the new set of protocol and ports.

7. Click Submit to make it available to network services.

Creating and refining business policies

Business policies connect resources on the network. Two or more resources (local resources, VLANs, network identities) can be added to a business policy, and the system will configure all the devices required to enable the connection between them.

To create a business policy:

1. Right-click a domain and choose New Business Policy.

2. Specify a name.

3. Visit each tab in turn: Resources, Ports & Protocols, and Schedules.

For resources, choose from those available and click Add. Then choose the network configuration: full mesh, hub and spoke, or peer to peer.

For ports and protocols, choose and click Add.

For schedules, you can set when activation starts and ends: not at all, immediately, or at a certain time.

4. Definitely use the comment field because it is especially helpful when describing policies and expected access.

5. Click Submit.

For an in-context look at how this works, and how to see the connections come up, see the "Creating a business policy for a CRM server" section on page 4-7.

Adding groups and collections

Earlier, we showed you how to let users onto the network: see the "Creating a user for a network policy" section on page 3-4.

Let's also assume that users Weber and Bouwer are in the same sales group in Philadelphia, and they need access to the CRM server, now in Boston. We have built a network access policy to associate their LDAP group with the sales VLAN (see the "Creating a network access policy" section on page 2-7), and we have associated both sales and remote sales LDAP groups. Now, we only want those members who are in Philadelphia to be able to access the server.

In effect, we want the Philadelphia: VLAN: Sales to be part of the CRM access business policy. To do this, we're going to edit the collection (group) in Sales:

1. Right-click Business Policy: CRM Access, in the domain tree, and choose Edit.

2. In the participating resources panel, double-click Collection: Sales Force Workstations.

This opens the edit window for the sales force workstation collection. See that the Resources tab opens.

3. In the available resources panel, highlight Philadelphia: VLAN: Sales, and click Add.

4. Click Submit.

You have defined an additional connection that specifies that the sales VLAN in Philadelphia needs access to the VM CRM server in Boston.

5. In the business status view, find the WAN node under Business Policy: CRM Access, and click it.

The sales VLAN now has access to the Boston primary data center, as specified by the CRM Access business policy.

As we have seen earlier, this connection will shortly turn all green.