Configuring Virtual Domains
This chapter describes how to perform basic operations like uploading or downloading a file on a controller, scheduling administrative tasks through Cisco NCS, and creating user accounts and groups.
This chapter includes the following sections:
•Information About Virtual Domains
•Understanding Virtual Domain Hierarchy
•Virtual Domain RADIUS and TACACS+ Attributes
Information About Virtual Domains
An NCS virtual domain consists of a set of NCS devices and/or maps and restricts a user's view to information relevant to these managed objects.
Through a virtual domain, an administrator can ensure that users are only able to view the devices and maps for which they are responsible. In addition, because of the virtual domain filters, users are able to configure, view alarms, and generate reports for only their assigned part of the network.
Note The following elements can be partitioned in a virtual domain: maps, controllers, access points, templates, and config groups.
The following cannot be partitioned in a virtual domain (and are only available from the root partition): Google Earth Maps, Auto Provisioning, and Mobility Services.
The administrator specifies for each user a set of allowed virtual domains. Only one of these can be active for that user at login. The user can change the current virtual domain by selecting a different allowed virtual domain from the Virtual Domain drop-down list at the top of the page. All reports, alarms, and other functionality are now filtered by that virtual domain.
In NCS Release 1.0 and later, you are required to add a virtual domain in ACS when exporting the task list to ACS. This may be the default ROOT-DOMAIN virtual domain. If you do not add a virtual domain to ACS, you will not be allowed to log in. This applies whether you have a single domain or multiple domains.
Configuring a Virtual Domain
Use the Administration > Virtual Domain page to create, edit, or delete virtual domains. Each virtual domain may contain a subset of the elements included with its parent virtual domain. You can assign additional maps, controllers, and access points to the new virtual domain. See the "Managing a Virtual Domain" section for more information on managing virtual domains.
•New—Click to create a new virtual domain. See the "Creating a New Virtual Domain" section for more information.
•Delete—Click to delete the selected virtual domain from the hierarchy.
•Export—Click to configure custom attributes for the selected virtual domain. See the "Virtual Domain RADIUS and TACACS+ Attributes" section for more information.
Creating a New Virtual Domain
Note See the "Managing a Virtual Domain" section for more information.
To create a new virtual domain, follow these steps:
Step 1 Choose Administration > Virtual Domains.
Step 2 From the left Virtual Domain Hierarchy sidebar menu, select to highlight the virtual domain to which you want to add a sub (child) virtual domain.
Note The selected virtual domain becomes the parent virtual domain of the newly-created sub-virtual domain.
Step 3 Click New (see Figure 18-1).
Figure 18-1 Virtual Domains
Step 4 Enter the virtual domain name in the text box.
Step 5 Click Submit to create the virtual domain or Cancel to close the page with no changes.
Note Each virtual domain may contain a subset of the elements included with its parent virtual domain. When a user is assigned a virtual domain, that user may view the same maps, controllers, and access points that are assigned to its parent virtual domain.
Note To modify or update a current virtual domain name or description, choose Administration > Virtual Domains. From the left Virtual Domain Hierarchy sidebar menu, click the virtual domain you want to edit.
Understanding Virtual Domain Hierarchy
Virtual domains are organized hierarchically. Subsets of an existing virtual domain contain the network elements that are contained in the parent virtual domain.
Note The default or "ROOT-DOMAIN" domain includes all virtual domains.
Because network elements are managed hierarchically, some features and components such as report generation, searches, templates, config groups, and alarms are affected.
Note If you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to drill down from controller to access points. Because controllers are not in the virtual domain, you are not able to generate associated reports. If you create a partition with only a few controllers and then go to Configure > Access Points and click an individual link in the AP Name column, the complete list of NCS-assigned controllers is displayed for primary, secondary and tertiary controllers rather than the limited number specified in the partition.
Note If a controller's configuration is modified by multiple Virtual Domains, complications may arise. To avoid this, manage each controller from only one Virtual Domain at a time.
This section helps you to better understand the effects of partitioning and includes the following topics.
•Maps
Reports
Reports only include components assigned to the current virtual domain. For example, if you create a virtual domain with only access points and no controllers assigned, no controllers are displayed when you generate a controller inventory report.
If you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to drill down from controller to access points. Because controllers are not in the virtual domain, you are not able to generate associated reports.
Note Reports are only visible in the current virtual domain. The parent virtual domain cannot view the reports from its sub-virtual domain.
Client reports such as Client Count only include clients that belong to the current virtual domain.
Note If new clients are assigned to this partition by the administrator, the previous reports do not reflect these additions. Only new reports will reflect the new clients.
Search
Search results only include components that are assigned to the virtual domain in which the search is performed. Search results do not display floor areas when the campus is not assigned to the virtual domain.
Note The saved searches are only visible in the current virtual domain. The parent virtual domain cannot view these search results.
Note NCS does not partition network lists. If you search a controller by network list, all controllers will be returned.
Alarms
When a component is added to a virtual domain, no previous alarms for that component are visible to that virtual domain. Only newly-generated alarms are visible. For example, when a new controller is added to a virtual domain, any alarms generated for that controller prior to its addition do not appear in the current virtual domain.
Alarms are not deleted from a virtual domain when the associated controllers or access points are deleted from the same virtual domain.
Note Alarm Email Notifications—Only the ROOT-DOMAIN virtual domain can enable Location Notifications, Location Servers, and NCS email notifications.
Templates
When you create or discover a template in a virtual domain, it is only available in that virtual domain unless it is applied to a controller. If it is applied to a controller and that controller is assigned to a sub-virtual domain, the template stays with the controller in the new virtual domain.
Note If you create a sub virtual domain and then apply a template to both network elements in the virtual domain, NCS may incorrectly reflect the number of partitions to which the template was applied.
Config Groups
Config groups in a virtual domain can also be viewed by the parent virtual domain. A parent virtual domain can modify config groups for a sub (child) virtual domain. For example, the parent virtual domain can add or delete controllers from a sub virtual domain.
Maps
You can only view the maps that your administrator assigned to your current virtual domain.
•When a campus is assigned to a virtual domain, all buildings in that campus are automatically assigned to the same virtual domain.
•When a building is assigned to a virtual domain, it automatically includes all of the floors associated with that building.
•When a floor is assigned, it automatically includes all of the access points associated with that floor.
Note If only floors are assigned to a virtual domain, you lose some ability to choose map-based features. For example, some reports and searches require you to drill down from campus to building to floor. Because campus and buildings are not in the virtual domain, you are not able to generate these kinds of reports or searches.
Note Coverage areas shown in NCS are only applied to campus and buildings. In a floor-only virtual domain, NCS does not display coverage areas.
Note If a floor is directly assigned to a virtual domain, it cannot be deleted from the virtual domain which has the building to which the floor belongs.
Note Search results do not display floor areas when the campus is not assigned to the virtual domain.
Access Points
When a controller or map is assigned to a virtual domain, the access points associated with the controller or map are automatically assigned as well. Access points can also be assigned manually (separate from the controller or map) to a virtual domain.
Note If the controller is removed from the virtual domain, all of its associated access points are also removed. If an access point is manually assigned, it remains assigned even if its associated controller is removed from the current virtual domain.
Note If you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to drill down from controller to access points. Because controllers are not in the virtual domain, you are not able to generate associated reports.
Note If a manually-added access point is removed from a virtual domain but is still associated with a controller or map that is assigned to the same virtual domain, the access point remains visible in the virtual domain. Any alarms associated with this access point are not deleted with the deletion of the access point.
Note When maps are removed from a virtual domain, the access points on the maps can be removed from the virtual domain.
Note If you later move an access point to another partition, some events (such as generated alarms) may reside in the original partition location.
Note Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, NCS uses the detecting controller.
If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition may be changed at any time.
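The assignment rules in the Maps and Access Points sections determine which access points a virtual domain user can actually see, which is worth checking when a domain is meant to restrict visibility. The following Python model of those rules is an added example, not NCS code; the inventory data and the class and function names are constructed for illustration.

```python
# Added illustration: a simplified model of the access point visibility rules
# described above. Not NCS code; all names and inventory data are constructed.
from dataclasses import dataclass, field

# Constructed inventory: map hierarchy and controller associations.
CAMPUS_BUILDINGS = {"HQ": ["Bldg-A", "Bldg-B"]}
BUILDING_FLOORS = {"Bldg-A": ["A-1", "A-2"], "Bldg-B": ["B-1"]}
FLOOR_APS = {"A-1": ["ap-a1"], "A-2": ["ap-a2"], "B-1": ["ap-b1"]}
CONTROLLER_APS = {"wlc-1": ["ap-a1", "ap-a2"], "wlc-2": ["ap-b1", "ap-lab"]}


@dataclass
class VirtualDomain:
    name: str
    campuses: set = field(default_factory=set)
    buildings: set = field(default_factory=set)
    floors: set = field(default_factory=set)
    controllers: set = field(default_factory=set)
    manual_aps: set = field(default_factory=set)

    def effective_floors(self):
        """Floors reached directly or through an assigned campus or building."""
        buildings = set(self.buildings)
        for campus in self.campuses:
            buildings.update(CAMPUS_BUILDINGS.get(campus, []))
        floors = set(self.floors)
        for building in buildings:
            floors.update(BUILDING_FLOORS.get(building, []))
        return floors

    def effective_aps(self):
        """Map each visible access point to the reasons it is visible."""
        reasons = {}
        for floor in self.effective_floors():
            for ap in FLOOR_APS.get(floor, []):
                reasons.setdefault(ap, set()).add(f"map:{floor}")
        for wlc in self.controllers:
            for ap in CONTROLLER_APS.get(wlc, []):
                reasons.setdefault(ap, set()).add(f"controller:{wlc}")
        for ap in self.manual_aps:
            reasons.setdefault(ap, set()).add("manual")
        return reasons


def build_branch_domain():
    """Constructed domain: one building, one controller, one manual AP."""
    return VirtualDomain("branch", buildings={"Bldg-A"},
                         controllers={"wlc-2"}, manual_aps={"ap-lab"})


if __name__ == "__main__":
    vd = build_branch_domain()
    for ap, why in sorted(vd.effective_aps().items()):
        print(ap, sorted(why))
```

Removing `wlc-2` from the constructed domain drops `ap-b1` but leaves the manually assigned `ap-lab`, and removing only the manual assignment leaves `ap-lab` visible through the controller, matching the two notes above.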
Controllers
Because network elements are managed hierarchically, controllers may be affected by partitioning. If you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to drill down from controller to access points. Because controllers are not in the virtual domain, you are not able to generate associated reports.
If you create a partition with only a few controllers and then choose Configure > Access Points and click an individual link in the AP Name column, the complete list of NCS-assigned controllers is displayed for primary, secondary and tertiary controllers rather than the limited number specified in the partition.
Note If a controller configuration is modified by multiple Virtual Domains, complications may arise. To avoid this, manage each controller from only one Virtual Domain at a time.
Email Notification
Email notification can be configured per virtual domain. An email is sent only when alarms occur in that virtual domain.
Managing a Virtual Domain
Select a virtual domain from the Virtual Domain Hierarchy on the left side to view or edit its assigned maps, controllers, and access points. The Summary page is displayed with links to view the maps, controllers, and access points available to the virtual domain you are currently logged in to.
Note Because all maps, controllers, and access points are included in the partition tree, you should expect this page to take several seconds to load.
The Maps, Controllers, and Access Points tabs are used to add or remove components assigned to this virtual domain.
To assign a map, controller, or access point to this domain, follow these steps:
Step 1 Choose Administration > Virtual Domains.
Step 2 Choose Virtual Domain Hierarchy from the left sidebar menu.
Note Because all maps, controllers, and access points are included in the partition tree, you should expect it to take several minutes to load. This increases if you have a system with a significant number of controllers and access points.
Step 3 Click the applicable Maps, Controller, or Access Points tab.
Step 4 In the Available (Maps, Controllers, or Access Points) column, click to highlight the new component(s) you want to assign to the virtual domain.
Step 5 Click Add to move the component(s) to the Selected (Maps, Controllers, or Access Points) column (see Figure 18-2).
Figure 18-2 Virtual Domains Access Points Tab
Note To remove a component from the virtual domain, click to highlight the component in the Selected (Maps, Controllers, or Access Points) column and click < Remove. The component returns to the Available column.
Step 6 Click Submit to confirm the changes.
Note After assigning elements to a virtual domain and submitting the changes, NCS may take a long time to process depending on how many elements are added.
Virtual Domain RADIUS and TACACS+ Attributes
The Virtual Domain Custom Attributes page allows you to indicate the appropriate protocol-specific data for each virtual domain. The Export button on the Virtual Domain Hierarchy sidebar menu pre-formats the virtual domain RADIUS and TACACS+ attributes. You can copy and paste these attributes into the ACS server. This allows you to copy only the applicable virtual domains into the ACS server page and ensures that the users only have access to these virtual domains.
To apply the pre-formatted RADIUS and TACACS+ attributes to the ACS server, follow these steps:
Step 1 Choose Administration > Virtual Domains.
Step 2 From the left Virtual Domain Hierarchy sidebar menu, select to highlight the virtual domain for which you want to apply the RADIUS and TACACS+ attributes.
Step 3 Click Export.
Step 4 Highlight the text inside of the RADIUS or TACACS+ Custom Attributes (depending on which one you are currently configuring), go to your browser's menu, and choose Edit > Copy.
Step 5 Log in to ACS.
Step 6 Go to User or Group Setup.
Note If you want to specify virtual domains on a per-user basis, make sure you add all of the custom attribute information (for example, tasks, roles, virtual domains) into the User custom attribute page.
Step 7 For the applicable user or group, click Edit Settings.
Step 8 Use your browser Edit > Paste feature to place the RADIUS or TACACS+ custom attributes into the applicable field.
Step 9 Select the check boxes to enable these attributes.
Step 10 Click Submit + Restart.
Note For more information on adding RADIUS and TACACS+ attributes to the ACS server, see the "Adding NCS User Groups into ACS for TACACS+" section or the "Adding NCS User Groups into ACS for RADIUS" section.
Understanding Virtual Domains as a User
When you log in, you can access any of the virtual domains that the administrator assigned to you.
Only one virtual domain can be active at login. You can change the current virtual domain by using the Virtual Domain drop-down list at the top of the page. Only virtual domains that have been assigned to you are available in the drop-down list.
When you select a different virtual domain from the drop-down list, all reports, alarms, and other functionality are filtered by the conditions of the new virtual domain.
Viewing Assigned Virtual Domain Components
To view all components (including maps, controllers, and access points) assigned to the current virtual domain, choose Administration > Virtual Domains (see Figure 18-3). Click a link on the Summary tab to view the assigned components for your virtual domain.
Figure 18-3 Virtual Domains Summary Tab
Limited Menu Access
Non-ROOT-DOMAIN virtual domain users do not have access to the following NCS menus:
•Monitor > RRM
•Configure > Auto Provisioning
•Configure > ACS View Servers
•Mobility > Mobility Services
•Mobility > Synchronize Servers
•Administration > Background Tasks
•Administration > Settings
•Administration > User Preferences
•Tools > Voice Audit
•Tools > Config Audit