We have Cisco Prime Infrastructure 3.4 installed in our organization. SNMPv3 and SSH are configured on the devices (switches and routers) and on PI. SNMP access and SSH access from PI to the devices are set up and everything works fine; all devices are displayed with the "Managed" label and a green checkbox in the inventory menu. The problem that drives me crazy is that when PI wants to grab the IOS image from the devices, it behaves differently depending on the device. In PI, Software Image Management is configured as below:
Transfer protocol: SCP
Connection protocol: SSH
A user with privilege 15 with name of "prime" is configured for SSH connection.
AAA and SNMP parameters are exactly the same on all devices
Here is the problem:
When PI connects to 2951 routers to grab the IOS image, the "prime" user logs in to the router and performs the command below:
copy flash://XXXX.bin scp://A.B.C.D (PI IP address)
When PI connects to N5K switches to grab the NX-OS image, the "prime" user logs in to the switch and performs this command:
scp -f bootflash://XXX.bin
When PI connects to 6500, 4500, 3750 or 2960 switches, or to a 1001 ASR router, to grab the IOS image, the "prime" user DOESN'T perform any command on the devices, but the IOS image is received successfully.
Why does PI show different behavior toward different devices?
SNMP CONFIGURATION ON DEVICES:
snmp-server view prime-view iso included
snmp-server group prime-grp v3 priv write prime-view
snmp-server user prime-usr prime-grp v3 auth md5 XXX priv aes-128 YYY
snmp-server host A.B.C.D version 3 priv prime-usr
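An added example, not from the original post: a small Python audit over constructed AAA command-accounting lines that classifies the two commands quoted above (an IOS `copy ... scp://`, where the device itself opens an outbound SSH/SCP connection, versus an NX-OS `scp -f`, which only answers on PI's existing inbound session) and flags the device-initiated transfers to the PI address. Device names, IPs, filenames and the log line format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of AAA command-accounting lines (not from the original post);
# device names, addresses and image filenames are placeholders.
SAMPLE_ACCOUNTING = """\
2024-05-01 10:01:02 rtr-2951-01 user=prime cmd=copy flash://c2951-universalk9-mz.SPA.bin scp://10.1.1.10
2024-05-01 10:01:40 n5k-core-01 user=prime cmd=scp -f bootflash://n5000-uk9.7.3.bin
2024-05-01 10:02:05 sw-3750-01 user=prime cmd=show version
2024-05-01 10:02:11 sw-6500-01 user=prime cmd=terminal length 0
2024-05-01 10:03:30 rtr-2951-02 user=admin cmd=copy running-config tftp://10.1.1.20
"""

# Assumed log layout: "<date> <time> <device> user=<name> cmd=<command>"
LINE_RE = re.compile(r"^\S+ \S+ (?P<device>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
COPY_SCP_RE = re.compile(r"^copy\s+\S+\s+scp://(?P<host>[^/\s]+)", re.IGNORECASE)
SCP_F_RE = re.compile(r"^scp\s+-f\s+", re.IGNORECASE)


def classify_command(cmd):
    """Return (method, target host) for an image transfer command, or None if unrelated."""
    m = COPY_SCP_RE.match(cmd)
    if m:
        # IOS 'copy ... scp://HOST' makes the device act as SCP client: it opens an
        # outbound SSH session to HOST, i.e. device-to-PI traffic must be permitted.
        return ("device-initiated-scp", m.group("host"))
    if SCP_F_RE.match(cmd):
        # 'scp -f FILE' is the server side of an SCP pull: the device just streams the
        # file back on the SSH session PI already opened; no outbound connection.
        return ("pull-over-existing-ssh", None)
    return None


def audit(log_text, pi_addr, pi_user="prime"):
    """Per device, list image transfers run by the PI account and flag outbound SCP to PI."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user").lower() != pi_user.lower():
            continue
        result = classify_command(m.group("cmd"))
        if result is None:
            continue  # e.g. 'show version': no transfer command was run on this device
        method, host = result
        findings[m.group("device")].append(
            {"method": method, "host": host,
             "device_opens_ssh_to_pi": method == "device-initiated-scp" and host == pi_addr}
        )
    return dict(findings)
```

Devices that retrieve the image without running any command (the 6500/4500/3750/2960 case above) produce no finding at all, which is exactly what distinguishes them in the output.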
- I can only assume that Prime takes into account the device family's capabilities and retrieves the IOS accordingly. Perhaps for more advanced devices the IOS is retrieved using SNMP (CISCO copy config MIB, as far as I can remember currently). So as long as it works, things are probably not worrisome.
The problem is that our security policy doesn't allow SSH from devices to PI. Therefore the command "copy flash://XXX.bin scp://" can't be applied successfully.
- Then your security policy is wrong; I mean, if you acquire PI to manage your CISCO devices, it needs to be incorporated into the security policy. Otherwise the investment makes no sense (if the security policy really is that strong). Usually the PI server will have a 'steady' IP address, and so will the switches. Hence the needed communication between PI and the switches should be incorporated into the security policies.