Coordinating Cisco Prime in a Large Environment

[deanwebb]

So we're using Cisco Prime to manage our routers and switches here at Major Megacorporation and it's not as easy-peasy as one would hope it would be.

I'll leave off of discussions of the technical ease of use or things like that... this is about coordinating changes to the basic templates and making sure they stay coordinated.

We just recently had an issue in which we *thought* that the global template for switches had been updated to allow NAC monitoring, but a recent push from Prime sent out an old, pre-NAC version of a part of the template to all the switches in one region, knocking all of them out of communication with the NAC system.

Good thing we're in monitor-only mode, but if we were in a hardcore 802.1X enforcement environment, that would have been a MAJOR disaster. If the whole template had been reverted, then we'd have lots of people getting online without issue, but if the dot1x parts of a config were left in place and then the info about the RADIUS server in the global config got borked, well... that would be a potential resume-generating event.

And then there are the switches not in Prime, but still connecting hosts, the switches that are in Prime that aren't getting updates from Prime, the ones that are in Prime, but the IOS doesn't support *all* the updates that Prime is pushing...

How do you coordinate different towers with Prime configs and all?

[icecream-guy]

in HP Network automation, I create groups of devices based on location/model/code version.
I can then push specific configs to specific groups base on needs and supported commands.

Haven't used Prime since the days of CiscoWorks, so I don't know if this is helpful or not.

[deanwebb]

This is more of making sure that the changes I get the LAN guys to make for my system that should be part of a global template, STAY part of a global template...