Cisco Prime Infrastructure – Comprehensive Study Notes

Introduction to Cisco Prime Infrastructure

  • Cisco Prime Infrastructure (CPI) is Cisco’s legacy wireless-lifecycle platform used to monitor, manage and troubleshoot wireless controllers (WLCs) and associated Unified Access Points (APs).
  • Typical use-case in the environment: visibility into reachability, client count, configuration state, alarms and performance Top-N statistics.
  • Current IP of the active CPI server is maintained on the Global Network Tools ⇒ 6.6 page of the internal Kargil Wiki.

Access & Authentication Model

  • Two broad privilege sets:
    • Read-only users → credentials are available from the Wiki to everyone in the same point team; see the landing login page.
    • Admin users → must check credentials out of the secure chat/vault (channel: rp-mg-ns-cisco-print-share).
  • Four local accounts configured (all stored only inside CPI, not in Active Directory):
    1. root – GUI full admin (used mainly for GUI login)
    2. admin – second GUI admin fallback
    3. cpadmin – CLI / SSH admin
    4. netadmin – alternate CLI / SSH admin
  • Password-rotation policy (GCC standard): change all four passwords every 90 days; ticket is opened under “Infra-Tools → Wireless” to document the change.

First Look After Login – Dashboards

  • Landing page presents multiple movable panels; default layout shows:
    • Top-N Utilisation (interfaces, clients, etc.)
    • ICMP reachability pie-chart
    • SNMP reachability pie-chart
    • Active Alarm Summary
  • Clicking any panel drills down to the underlying report.

Inventory Navigation

  • Path: Inventory ⇒ Network Devices.
  • Grid lists every managed device with columns for:
    • Manageability (Yes/No)
    • Reachability (Ping / SNMP)
    • Telemetry status
    • IP Address
    • Number of joined APs
    • Inventory-collection status & last-run timestamp
  • Filters on the left allow quick drill-down by device type, location, software, etc.
  • Dedicated shortcuts:
    • “Wireless Controllers” – shows only WLCs
    • “Unified APs” – shows all APs auto-discovered from the WLCs (no manual addition required).

Device Detail Page

  • Click a row to open the device-specific dashboard containing:
    • Model, software version, mobility group data
    • Interface list & status
    • Client count trends
    • Configuration-save history
    • Traps/alarms window
  • Trap workflow: if a device stays DOWN > 5 minutes, CPI fires an SNMP trap which flows to DMC ticketing automatically.

Adding Devices

  1. Press “+ Add Device”.
  2. Mandatory fields:
    • IP/FQDN of the device
    • License level ⇒ Full
    • Credential profile ⇒ Cisco-Profile (SNMP v3 + SSH)
    • Device Role (e.g. Master Controller, Switch, DC Switch, …)
    • Optional: assign to an existing site / location group.
  3. Best practice: click “Verify Credentials” before saving.
  4. Successful entries show all green ticks; failures list error cause (wrong password, ACL, etc.).

Bulk Import

  • Inventory ⇒ Network Devices ⇒ Bulk Import.
  • Download template CSV, fill columns (hostname, IP, SNMP v3 credentials, SSH creds, role, group).
  • Upload & press “Update”; CPI iterates through each row and on-boards the devices.
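
A pre-flight check for the filled-in bulk-import CSV, added here as an example and not part of the original notes or of Cisco's tooling. The column names and the role list are assumptions; align them with the header row of the template downloaded from CPI.

```python
import csv
import io
import ipaddress

# Assumed header names; align them with the template CSV downloaded from CPI.
REQUIRED = ["hostname", "ip", "snmpv3_user", "snmpv3_auth_pass",
            "snmpv3_priv_pass", "ssh_user", "ssh_pass", "role"]
# Roles named in these notes; extend with the roles your CPI instance offers.
KNOWN_ROLES = {"Master Controller", "Switch", "DC Switch"}


def preflight(csv_text):
    """Return [(line_number, problem)] without echoing any credential value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    absent = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if absent:
        return [(1, "missing columns: " + ", ".join(absent))]
    problems, seen = [], {}
    for line_no, raw in enumerate(reader, start=2):
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        empty = [c for c in REQUIRED if not row.get(c)]
        if empty:
            problems.append((line_no, "empty fields: " + ", ".join(empty)))
        ip = row.get("ip", "")
        if ip:
            try:
                ip = str(ipaddress.ip_address(ip))  # normalises the address
            except ValueError:
                problems.append((line_no, "ip is not a valid address"))
                ip = ""
        for kind, value in (("ip", ip), ("hostname", row.get("hostname", "").lower())):
            if not value:
                continue
            if (kind, value) in seen:
                problems.append((line_no, f"{kind} duplicates line {seen[(kind, value)]}"))
            else:
                seen[(kind, value)] = line_no
        role = row.get("role", "")
        if role and role not in KNOWN_ROLES:
            problems.append((line_no, f"unknown role {role!r}"))
    return problems


# Constructed sample rows (documentation addresses, placeholder secrets).
SAMPLE = """hostname,ip,snmpv3_user,snmpv3_auth_pass,snmpv3_priv_pass,ssh_user,ssh_pass,role,group
wlc-a,192.0.2.10,u1,AUTH_PLACEHOLDER,PRIV_PLACEHOLDER,ops,SSH_PLACEHOLDER,Master Controller,Site-1
wlc-b,192.0.2.300,u1,AUTH_PLACEHOLDER,PRIV_PLACEHOLDER,ops,SSH_PLACEHOLDER,Master Controller,Site-1
wlc-c,192.0.2.10,u1,AUTH_PLACEHOLDER,,ops,SSH_PLACEHOLDER,Router,Site-2
"""
```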

Other Inline Actions (toolbar icons)

  • Pencil ✏️ ⇒ Edit existing device parameters.
  • Sync 🔄 ⇒ Immediate manual synchronisation (useful between the scheduled 24-hour cycles).
  • Cancel Sync ⏹️ ⇒ Abort a running manual sync.
  • Cross ❌ ⇒ Delete device (status shows “Deletion in Progress” until completed).
  • Reboot ↻ ⇒ Remote reboot of a WLC directly from GUI.

Inventory Collection & Status Codes

  • Background job runs every 24 hours for all devices; Job name: Wireless Command Control Element.
  • Completion example: last run finished in 44 minutes starting at 18:15.
  • Possible states:
    • Completed
    • Add Initiated
    • Collection Failure
    • Partial Collection Failure
    • Deletion In Progress
    • In Service Maintenance
    • SNMP Connectivity Fail
    • Synchronising
    • Prompt Selector Engines

Auto-Discovery of Unified APs

  • After a WLC is added, CPI uses CAPWAP telemetry to enumerate all joined APs automatically – no manual work.
  • Example shown: AP L3122 displayed as joined to controller L3140.
  • Search bar top-right lets you jump to any AP/WLC by hostname or IP instantly.

Job Dashboard (Administration ⇒ Job Dashboard)

  • Categories:
    1. System Jobs (inventory collection, backups, mobility polling).
    2. User-defined jobs (reports, scripts, etc.).
  • Key recurring tasks:
    • Inventory Collection – daily (24 h)
    • Mobility Service Status – every 5 min
    • Server Backup – weekly: starts Saturday, must finish before Monday; large file stored on remote FTP.
  • Always verify that latest run has “Success”; investigate any “Failed” or “Suspended” state.
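
The checks above applied to a run history, as an added example that is not part of the original notes or of CPI itself; it also applies the 99% success target from the best-practices list. The record layout (job, start, end, status) is an assumption about how the Job Dashboard history has been exported or transcribed.

```python
from datetime import datetime, timedelta


def audit_jobs(runs, min_rate=0.99):
    """runs: dicts with job, start, end (ISO 8601 strings) and status."""
    findings, latest = [], {}
    for run in runs:
        start = datetime.fromisoformat(run["start"])
        end = datetime.fromisoformat(run["end"])
        # Track the most recent run of every job by start time.
        if run["job"] not in latest or start > latest[run["job"]][0]:
            latest[run["job"]] = (start, run["status"])
        if run["job"] == "Server Backup":
            # weekday(): Monday is 0, Saturday is 5
            if start.weekday() != 5:
                findings.append(f"Server Backup on {start:%Y-%m-%d} did not start on a Saturday")
            days_to_monday = (7 - start.weekday()) % 7 or 7
            deadline = (start + timedelta(days=days_to_monday)).replace(
                hour=0, minute=0, second=0, microsecond=0)
            if end >= deadline:
                findings.append(f"Server Backup started {start:%Y-%m-%d} ran past Monday 00:00")
    for job, (_, status) in sorted(latest.items()):
        if status != "Success":
            findings.append(f"{job}: latest run is {status}")
    rate = sum(r["status"] == "Success" for r in runs) / len(runs) if runs else 1.0
    if rate < min_rate:
        findings.append(f"success rate {rate:.1%} is below {min_rate:.0%}")
    return findings


# Constructed run history; 2024-06-08 is a Saturday.
SAMPLE_RUNS = [
    {"job": "Inventory Collection", "start": "2024-06-07T18:15:00",
     "end": "2024-06-07T18:59:00", "status": "Success"},
    {"job": "Inventory Collection", "start": "2024-06-08T18:15:00",
     "end": "2024-06-08T18:40:00", "status": "Failed"},
    {"job": "Mobility Service Status", "start": "2024-06-08T18:20:00",
     "end": "2024-06-08T18:21:00", "status": "Success"},
    {"job": "Server Backup", "start": "2024-06-08T01:00:00",
     "end": "2024-06-10T02:30:00", "status": "Success"},
]
```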

Credential Profiles

  • Inventory ⇒ Device Credential Profiles.
  • Two active profiles today:
    1. SNMP-v3-Wireless (3 user strings) – enables CPI/Catalyst-Center to pull stats.
    2. SSH-Wireless – login for command-level actions.
  • Update cycle = 90 days ⇒ edit profile, change passwords, click “Save & Verify”.

Reports & CMDB Feeds

  • Reports ⇒ Scheduled Reports allows creation of automated exports, e.g.
    • Inventory list for CMDB
    • Top-N utilisation report
    • Client count trends
  • Exports can be emailed or dropped on FTP/SFTP.

Heatmaps / Maps (Legacy Feature)

  • Historical Wi-Fi heat-maps existed in CPI but are no longer maintained; Cisco DNA Center (Catalyst Center) has superseded this feature.
  • Only default seed maps remain inside CPI; kept for reference but not updated.

System Settings & User Management

  • Administration ⇒ Users / AAA / Access Control.
  • Current configuration uses Local database only; no RADIUS / TACACS integration for CPI itself.
  • User list snapshot:
    • cpadmin – role: System Admin, login method: Local
    • root – role: Superuser, login method: Local
    • admin, netadmin similarly.
  • When a GCC password-change incident opens, the engineer logs in, edits each user, and documents the change ID in the ticket.

Backup & Disaster-Recovery

  • Weekly Server Backup job exports full CPI repository and database to FTP server.
  • Retention and rotation handled externally; ensure FTP reachability before Saturday.
  • In event of CPI failure, backup is imported onto standby or freshly built CPI node.

Common Troubleshooting Pointers

  • Credential verification fails during device add → confirm correct SNMP-v3 engine-ID and ACL on WLC.
  • “Partial Collection Failure” → usually MIB mismatch after WLC code upgrade.
  • “SNMP Connectivity Fail” but ping succeeds → check VRF routing or firewall between CPI and WLC UDP 161/162.
  • Deletion stuck in “Progress” → restart Inventory Collector service from CLI.

Security & Operational Best Practices

  • Rotate all local admin passwords every 90 days under GCC policy; store in secure vault only.
  • Keep weekly backups verified; random file-restore test once per quarter.
  • Disable unused legacy features (Maps, old reports) to reduce resource load.
  • Maintain minimal credential profiles – remove obsolete SNMP strings post-migration.
  • Continually monitor Job Dashboard; aim for ≥ 99% success rate.

Key Takeaways

  • CPI is end-of-life but still authoritative for legacy WLC visibility until full migration to Catalyst Center.
  • Daily workflow revolves around three menus: Dashboard, Inventory, Administration → Job Dashboard.
  • Understand add/sync/delete cycle and the importance of verifying credentials ahead of time.
  • Strong governance on passwords, backups and scheduled jobs is critical for compliance and business continuity.