-
null
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cisco Security Manager supports the management and configuration of security services and other platform-specific services on Cisco Catalyst switches and Cisco 7600 Series routers.
Appendix L, "Catalyst Platform User Interface Reference" describes the Security Manager pages and dialog boxes that are specific to Cisco Catalyst switches and Cisco 7600 Series routers. The following topics describe how to configure platform-specific services and policies on this platform:
•Discovering Policies on Cisco Catalyst Switches and Cisco 7600 Series Routers
–Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
–Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
–Creating or Editing VLAN Groups
–Creating or Editing EtherChannel VLAN Definitions
–Deleting EtherChannel VLAN Definitions
–Creating or Editing Data Port VLAN Definitions
–Deleting Data Port VLAN Definitions
•Viewing Configuration Summaries
You can discover the configurations of your Cisco Catalyst switches and Cisco 7600 Series Routers (as well as the configurations of the services modules and security contexts associated with them) and import the configurations as policies into Security Manager. This makes it possible to add existing devices and manage them with Security Manager without having to configure each device manually, policy by policy. For more information, see Adding Devices to the Device Inventory, page 5-7.
You can discover any command that Security Manager can configure. Discovery ignores unsupported commands, which means that they are left intact on the device even after subsequent deployments. Additionally, in cases where Security Manager can discover the command, but not all the subcommands and keywords related to that command, the unsupported elements are ignored and left intact on the device.
At any time, you can also rediscover the configurations of devices that you are already managing with Security Manager. Be aware, however, that we do not recommend rediscovery generally because performing rediscovery overwrites the policies that you have defined in Security Manager. For more information, see Discovering Policies on Devices Already in Security Manager, page 6-14.
Note We recommend that you perform deployment immediately after you discover policies, before you make any changes to policies or unassign policies from the device. (This recommendation also applies to any services module or security context hosted by the device.) Otherwise, the changes that you configure in Security Manager might not be deployed to the device. See Working with Deployment and the Configuration Archive, page 17-15.
Related Topics
•Understanding Policies, page 6-1
•Discovering Policies, page 6-11
•Chapter 15 "Managing Cisco Catalyst Switches and Cisco 7600 Series Routers"
•Chapter 12, "Managing IPS Services"
•Working with Deployment and the Configuration Archive, page 17-15
You use the Interfaces tab on the Interfaces/VLANs page to view and manage the following types of ports:
•Access ports—A switching port that is used to connect host machines or servers. An access port belongs to and carries the traffic of only one VLAN. Traffic is received and sent in native formats with no VLAN tagging.
•Trunk ports—A switching port operating at Layer 2 to carry the traffic of multiple VLANs. Traffic is tagged with a VLAN number to differentiate traffic from each VLAN. A trunk port is used to connect switches to switches or to connect switches to routers.
•Routed ports—A physical port that acts like a port on a router. A routed port is not associated with a particular VLAN, and it behaves like a regular router interface. You can configure a routed port with a Layer 3 routing protocol.
•Dynamic ports—A port that can change dynamically to a trunk port if the neighboring port is configured as a trunk port.
•Unsupported ports—Ports on the Catalyst device that are not supported by Security Manager.
To display the Interfaces tab, select a Catalyst device in Device view, select Interfaces/VLANs from the Policy selector, then click the Interfaces tab in the work area.
The following topics describe the actions you can perform when defining interfaces on Catalyst devices:
•Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
•Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
Related Topics
•Interfaces/VLANs Page—Interfaces Tab, page L-10
•Chapter 15 "Managing Cisco Catalyst Switches and Cisco 7600 Series Routers"
You can create access ports, routed ports, or trunk ports on Cisco Catalyst Switches and Cisco 7600 Series Routers, with these restrictions:
•Each interface must have a name.
•You can associate an access port with only one VLAN.
•You can associate a trunk port with one or more VLANs.
Related Topics
•Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
•Creating or Editing VLAN Groups
•Interfaces/VLANs Page—Interfaces Tab, page L-10
Step 1 (Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy selector, then click the Interfaces tab in the work area.
The Interfaces tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—Interfaces Tab, page L-10.
Step 2 Do one of the following:
•To define the attributes of a new interface, click Add Row.
•To edit the attributes of an interface, select it in the list, then click Edit Row.
Step 3 (Optional) Deselect the Enable Interface check box if you want this interface to be in shutdown mode.
Step 4 From the Type list, select Interface or Subinterface:
Step 5 (Interfaces only) Enter a name for the interface. You can click Select to open a dialog box that will help you generate a standard name based on interface type and details about the interface's location, such as card, slot, and subinterface. For more information on using the dialog box to generate an interface name, see Interface Auto Name Generator Dialog Box, page J-17.
Step 6 (Interfaces only) Select an option from the Mode list to specify the port configuration type. The fields in the dialog box vary according to your selection.
Step 7 (Subinterfaces only) Select the parent interface of the subinterface, then enter the ID number.
Step 8 Define or configure the settings for the type that you selected:
•Access Port—See Create and Edit Interface Dialog Boxes—Access Port Mode, page L-12 for a description of the fields.
•Routed Port—See Create and Edit Interface Dialog Boxes—Routed Port Mode, page L-15 for a description of the fields.
•Trunk Port—See Create and Edit Interface Dialog Boxes—Trunk Port Mode, page L-17 for a description of the fields.
•Dynamic Port—See Create and Edit Interface Dialog Boxes—Dynamic Mode, page L-21 for a description of the fields.
•Subinterface—See Create and Edit Interface Dialog Boxes—Subinterfaces, page L-25 for a description of the fields.
•Unsupported—See Create and Edit Interface Dialog Boxes—Unsupported Mode, page L-27 for a description of the fields.
Step 9 From the Speed list, select an option to define the speed of the interface.
Step 10 If you defined a specific speed for the interface, and therefore the Duplex list is enabled, select a duplexing option.
Step 11 In the MTU field, enter the maximum transmission unit value.
Step 12 Configure whether to use flow control on inbound (Receive) and outbound (Send) traffic.
Step 13 (Optional) Enter a description for the interface in the Description field.
Step 14 Click OK to save your definitions locally on the client and close the dialog box.
Although you can delete the definition of an interface at any time, use this option with great care. If the relevant device includes the interface definition in any policy definitions, deleting the interface causes these policy definitions to fail when they are deployed to the device.
Related Topics
•Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
•Interfaces/VLANs Page—Interfaces Tab, page L-10
Step 1 (Device view) Select a Cisco Catalyst switch or Cisco 7600 Series router from the Device selector.
Step 2 Select Interfaces/VLANs from the Policy selector to display the Interfaces/VLANs Page, page L-2.
Step 3 Click the Interfaces tab in the work area.
The Interfaces tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—Interfaces Tab, page L-10.
Step 4 Select an interface from the table, then click Delete Row. The interface is deleted.
A VLAN is a switched network that is segmented logically instead of on the basis of geography. For example, a VLAN might interconnect members of a geographically dispersed workgroup. VLANs offer a practical convenience for many organizations because they reduce the need to rearrange the physical placement of personnel, equipment, and network infrastructure. Properly configured VLANs are scalable, secure, and can simplify the tasks of network management.
A VLAN consists of hosts and network devices (such as bridges and routers), connected by a single bridging domain. Traffic between VLANs must be routed.
Security Manager helps you to create VLANs and define VLAN settings for the defined interfaces on Cisco Catalyst switches and Cisco 7600 Series routers, their supported services modules, and their security contexts.
The following topics describe the actions you can perform when defining VLANs on Catalyst devices:
Related Topics
•Interfaces/VLANs Page—VLANs Tab, page L-3
•Chapter 15 "Managing Cisco Catalyst Switches and Cisco 7600 Series Routers"
You can create a VLAN or reconfigure the attributes of a VLAN.
Related Topics
•Creating or Editing VLAN Groups
•Create and Edit VLAN Dialog Boxes, page L-4
Step 1 (Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy selector, then click the VLANs tab in the work area.
The VLANs tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—VLANs Tab, page L-3.
Step 2 Do one of the following:
•To define the attributes of a new VLAN, click Add Row.
•To edit the attributes of a VLAN, select it in the list, then click Edit Row.
See Create and Edit VLAN Dialog Boxes, page L-4, for a description of the fields in the dialog box.
Step 3 In the VLAN ID field, enter a unique ID number for the VLAN. The number that you enter must not be assigned to any other VLAN in the bridging group.
Step 4 (Optional) Enter a name for the VLAN.
Step 5 (Optional) If the VLAN is part of a VLAN group, select the group ID, or select Add Group to open the Create VLAN Group dialog box. For more information, see Creating or Editing VLAN Groups.
Step 6 From the Status list, specify the status of the VLAN (active or suspended).
Step 7 From the Type list, select either Layer 2 or Layer 3.
Step 8 (Optional) For a Layer 3 VLAN, define a switched virtual interface (SVI):
a. To make the SVI active, select the Enable Interface check box. An SVI enables routing between VLANs and provides IP host connectivity to the switch. If you do not select this check box, the SVI is created in shutdown mode.
b. Enter the IP address for the SVI.
c. Enter the SVI subnet mask by typing it, or select a netmask value from the Subnet Mask list.
d. Enter an optional description, if required.
Step 9 Do one or both of the following:
•To associate access ports with the VLAN, enter their names in the Access Ports text box or click Select to open an interface selector.
•To associate trunk ports with the VLAN, enter their names in the Trunk Ports text box or click Select to open an interface selector.
See Interface Selector Dialog Box—VLAN ACL Content, page L-38 for a description of the fields in the dialog box. For more information about defining ports, see Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers.
Step 10 Click OK to save your definitions locally on the client and close the dialog box.
You can delete a VLAN.
Related Topics
•Interfaces/VLANs Page—VLANs Tab, page L-3
Step 1 (Device view) Select a Cisco Catalyst switch or Cisco 7600 Series router from the Device selector.
Step 2 Select Interfaces/VLANs from the Policies selector to display the Interfaces/VLANs Page, page L-2.
Step 3 Click the VLANs tab in the work area.
The VLANs tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—VLANs Tab, page L-3.
Step 4 Select a VLAN from the table, then click Delete Row.
The VLAN is deleted.
A VLAN group defines a logical collection of VLANs. The VLAN Groups tab on the Interfaces/VLANs page displays:
•All VLAN groups that are defined on the selected device.
•The service module slots to which a VLAN group is bound.
•Which VLANs belong to each VLAN group.
VLAN groups can be used when assigning VLANs to an FWSM security context. A VLAN group can be assigned to multiple FWSMs, and each FWSM can have multiple VLAN groups assigned to it. To perform this assignment, see Add/Edit a Security Context for FWSM, page 14-87.
The following topics describe the actions you can perform when defining VLAN groups on Catalyst devices:
•Creating or Editing VLAN Groups
Related Topics
•Interfaces/VLANs Page—VLAN Groups Tab, page L-7
•Chapter 15 "Managing Cisco Catalyst Switches and Cisco 7600 Series Routers"
You can create VLAN groups. When you create a VLAN group, remember that:
•Each group must have an ID.
•You can associate a VLAN group with one or more FWSM modules.
•Each VLAN can be a member of only one VLAN group.
Related Topics
•Interfaces/VLANs Page—VLAN Groups Tab, page L-7
Step 1 (Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy selector, then click the VLAN Groups tab in the work area.
The VLAN Groups tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—VLAN Groups Tab, page L-7.
Step 2 Do one of the following:
•To define the attributes of a new VLAN group, click Add Row.
•To edit the attributes of a VLAN group, select it in the list, then click Edit Row.
See Create and Edit VLAN Group Dialog Boxes, page L-8, for a description of the fields in this dialog box.
Step 3 In the VLAN Group ID field, enter a unique ID number for the VLAN group. The number that you enter must not be assigned to any other VLAN group.
Step 4 To associate the VLAN group with specific service module slots, enter their slot numbers in the Service Module Slots text box, or click Select to open a selector.
Note Defining this association makes it possible to later assign this VLAN group to a security context on the FWSM. See Add/Edit a Security Context for FWSM, page 14-87.
Step 5 Enter the VLANs to add to the VLAN group, or click Select to open a selector.
Step 6 Click OK to save your definitions locally on the client and close the dialog box.
You can delete VLAN groups. Deleting a VLAN group has no affect on the VLANs in the group.
Related Topics
•Creating or Editing VLAN Groups
•Interfaces/VLANs Page—VLAN Groups Tab, page L-7
Step 1 (Device view) Select a Catalyst 6500 Series switch or Cisco 7600 Series router from the Device selector.
Step 2 Select Interfaces/VLANs from the Policy selector to display the Interfaces/VLANs Page, page L-2.
Step 3 Click the VLAN Groups tab in the work area.
The VLANs tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—VLAN Groups Tab, page L-7.
Step 4 Select a VLAN group from the table, then click Delete Row. The VLAN group is deleted.
Cisco IOS standard or extended ACLs are configured on router interfaces only, and are applied on routed packets only. In contrast, Cisco Catalyst switches and Cisco 7600 Series routers can use VLAN ACLs (VACLs) to control the access of all packets that are bridged within a VLAN or that are routed to or from a VLAN for VACL capture through a WAN interface. VACLs:
•Are processed in hardware.
•Use Cisco IOS ACLs.
•Ignore any Cisco IOS ACL fields that are not supported in hardware.
Note Security Manager does not support the creation or configuration of MAC ACLs (MACLs), which are named ACLs that are sometimes used with VACLs to filter IPX, DECnet, AppleTalk, VINES, or XNS traffic based on MAC addresses.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against the VACL.
If you apply a VACL to a VLAN and you apply an ACL to a routed interface in that same VLAN, any packet coming into the VLAN is first checked against the VACL. Then, if permitted, the packet is checked against the input ACL before it reaches the routed interface.
When a packet is routed from one VLAN to another, it is first checked against the output ACL that is applied to the routed interface. Then, if permitted, the packet is checked against any VACLs that are configured for the destination VLAN.
If a VACL is configured for a packet type, and a packet of that type does not match the VACL, the default action is deny.
VLAN Access Maps
Security Manager uses VLAN access maps to configure VACLs. Conceptually similar to a route map, a VLAN access map is a container in which you place one or more statements (conditions that match an action) and number them by their order of importance. A VLAN access map must also identify the VLANs to which it is applied, contain the map name, and identify at least one VACL sequence.
A VACL sequence must have a sequence number and at least one action, and must match at least one ACL.
Devices evaluate map statements in sequence and you can associate more than one VLAN access map with any device chassis.
To manage a VACL, select a Catalyst device in Device View, then select Platform > VLAN Access Lists. You use VLAN access maps to configure VACLs for IP traffic.
The following topics describe the actions you can perform when defining VACLs on Catalyst devices:
Related Topics
•VLAN Access Lists Page, page L-34
•Create and Edit VLAN ACL Dialog Boxes, page L-35
•Create and Edit VLAN ACL Content Dialog Boxes, page L-37
•Chapter 15 "Managing Cisco Catalyst Switches and Cisco 7600 Series Routers"
When you can create or edit a VACL, you must:
•Name the VACL.
•Define the VLANs to which the VACL applies.
•Define a sequence map containing at least one VACL sequence.
Related Topics
•Creating or Editing VLAN Groups
•Create and Edit VLAN ACL Dialog Boxes, page L-35
•VLAN Access Lists Page, page L-34
Step 1 Do one of the following:
•(Device view) Select a Catalyst device, then select Platform > VLAN Access Lists from the Policy selector.
•(Policy view) Select Catalyst Platform > VLAN Access Lists.
The VLAN Access Lists page is displayed. For a description of the fields on this page, see VLAN Access Lists Page, page L-34.
Step 2 Do one of the following:
•To define the attributes of a new VACL, click Add Row.
•To edit the attributes of a VACL, select it in the list, then click Edit Row.
A dialog box opens. See Create and Edit VLAN ACL Dialog Boxes, page L-35, for a description of the fields in the dialog box.
Step 3 Enter a name for the VACL in the VLAN ACL Name field.
Step 4 In the VLANs field, specify the VLANs to which the VACL should be applied, or click Select to open a VLAN selector.
Step 5 Define the sequence map:
a. Click Add Row or Edit Row beneath the Sequence Map table. A dialog box opens. See Create and Edit VLAN ACL Content Dialog Boxes, page L-37.
b. Enter a number to identify the sequence.
c. Specify the standard and extended ACLs to assign to the sequence, or click Select to display a selector (see Object Selectors, page F-205). For more information about ACL objects, see Creating Access Control List Objects, page 8-23.
d. Specify the action to perform on traffic that matches the ACLs defined in this sequence. (When you select Redirect as the action, you must specify the physical destination interfaces, or click Select to display a selector. See Specifying Interfaces During Policy Definition, page 8-35.)
e. Click OK to save your definitions locally on the client and close the dialog box. The sequence is displayed in the Sequence Map table.
f. Repeat the process to add sequences to the sequence map.
g. Use the up and down arrows to reorder the sequences, if required.
Note The order in which you place the sequences is significant. When a flow matches a permit ACL entry, the associated action is taken without checking the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
You can delete a VACL if it is not being used by any device, policy, or object.
Before You Begin
You must delete all references to the VACL before you can remove it from the database. To locate all references to the VACL, run an object usage report for it. See Generating Object Usage Reports, page 8-8.
Related Topics
•Interfaces/VLANs Page—VLANs Tab, page L-3
Step 1 Do one of the following:
•(Device view) Select a Catalyst device, then select Platform > VLAN Access Lists from the Policy selector.
•(Policy view) Select Catalyst Platform > VLAN Access Lists.
The VLAN Access Lists page is displayed. For a description of the fields on this page, see VLAN Access Lists Page, page L-34.
Step 2 Click in a row to select a VACL, then click Delete.
Step 3 Click OK to save your changes.
When you select a Catalyst device in Device view, then select Platform > IDSM Settings from the Policy selector, a list is displayed that:
•Displays the settings for data ports on Intrusion Detection System Service Modules (IDSMs).
•Helps you to organize IDSM data ports in channel groups.
The IDSM card detects and stops security threats on network connections. The card inspects the traffic that enters its two data ports and drops packets if a security threat is detected. The data port settings define:
•Which traffic is received by the data ports, as defined by the VLAN IDs.
•The sensing mode used by the data ports:
–Trunk (IPS)—The IDSM performs VLAN bridging between pairs of VLANs within the same data port, operating as an 802.1q trunk. The IDSM inspects the traffic it receives on each VLAN in a VLAN pair and can either forward the packets on the other VLAN in the pair or drop the packet if an intrusion attempt is detected.
–Capture (IDS)—The IDSM passively monitors network traffic that was copied to the data ports by the Catalyst switch using either VACL capture or SPAN. The data ports operate as 802.1q trunks that can be configured to trunk different VLANs. When operating in this passive mode, the IDSM cannot drop packets in response to a network intrusion attempt, but it can send TCP resets over the data ports in an attempt to block the intrusion.
For high-traffic networks, EtherChannel is used to perform load balancing among multiple data ports. These data ports might be located on different IDSM cards within the same Catalyst device.
EtherChannel is also used to redirect traffic in the event of port failure to the remaining ports within the channel group. This resiliency help preserve intrusion detection and prevention without user intervention and with minimum packet loss.
The following topics describe the actions you can perform when defining IDSM settings:
•Creating or Editing EtherChannel VLAN Definitions
•Deleting EtherChannel VLAN Definitions
•Creating or Editing Data Port VLAN Definitions
•Deleting Data Port VLAN Definitions
Related Topics
•Chapter 15 "Managing Cisco Catalyst Switches and Cisco 7600 Series Routers"
When defining an EtherChannel VLAN definition, you must:
•Define the slot-port combination containing the data ports to include in the channel group.
•Select the sensing mode used by the data ports.
•Define which VLANs are forwarded to the data ports.
The following restrictions apply:
•You can have a single definition only for each channel group.
•You can have a single definition only for each slot-data port combination. This means that you cannot create an EtherChannel VLAN definition if a data port definition already exists for this slot-data port.
Related Topics
•Deleting EtherChannel VLAN Definitions
•Creating or Editing Data Port VLAN Definitions
Step 1 Do one of the following:
•(Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.
•(Policy view) Select Catalyst Platform > IDSM Settings.
The IDSM Settings page is displayed. For a description of the fields on this page, see IDSM Settings Page, page L-30.
Step 2 Do one of the following:
•To create an IDSM EtherChannel VLAN definition, click Add Row beneath the EtherChannel VLANs table.
•To edit an IDSM EtherChannel VLAN definition, select it in the list, then click Edit Row beneath the table.
The IDSM EtherChannel VLAN dialog box is displayed. For a description of the fields in this dialog box, see Create and Edit IDSM EtherChannel VLANs Dialog Boxes, page L-31.
Step 3 To assign a channel group number to the Ethernet interface for the VLAN, or to change the channel group number, enter a number in the Channel Group text box.
Step 4 To associate the VLAN with the numbered chassis slot where you installed your IDSM services module and to associate one module data port with the VLAN, do one of the following:
•Enter the slot-port number in the Slot-Ports text box.
•Click Select to open the IDSM Slot-Port Selector dialog box.
Note Associating one module data port with the VLAN enables you to configure the port at the group level instead of configuring it manually.
Step 5 From the Mode list, select the running mode of the EtherChannel VLAN. If you select Capture, select the check box to configure the specified channel group as a capture destination.
Note If you do not select this check box, the capture port is created in shutdown mode.
Step 6 To include a VLAN in the specified channel group, do one of the following:
•Enter its numeric ID in the VLAN IDs text box.
•Click Select to open the VLAN Selector dialog box.
You can enter or select more than one VLAN ID.
Step 7 Click OK to save your definitions locally on the client and close the dialog box.
You can delete an EtherChannel VLAN definition on the IDSM.
Related Topics
•Creating or Editing EtherChannel VLAN Definitions
•Deleting Data Port VLAN Definitions
Step 1 Do one of the following:
•(Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.
•(Policy view) Select Catalyst Platform > IDSM Settings.
The IDSM Settings page is displayed. For a description of the fields on this page, see IDSM Settings Page, page L-30.
Step 2 Click a row in the table to select the VLAN definition to delete.
Step 3 Click Delete Row.
When defining a data port VLAN definition, you must:
•Define the slot-port combination where the data port is located.
•Select the sensing mode used by the data port.
•Define which VLANs are forwarded to the data port.
The following restrictions apply:
•You may have a single definition only for each data port.
•You cannot create a data port definition if the port is already defined as part of a channel group.
Related Topics
•Deleting Data Port VLAN Definitions
•Creating or Editing EtherChannel VLAN Definitions
Step 1 Do one of the following:
•(Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.
•(Device view) Select Catalyst Platform > IDSM Settings.
The IDSM Settings page is displayed. For a description of the fields on this page, see IDSM Settings Page, page L-30.
Step 2 Do one of the following:
•To create an IDSM data port VLAN definition, click Add Row beneath the Data Port VLANs table.
•To edit an IDSM data port VLAN definition, select it in the list, then click Edit Row beneath the table.
The IDSM Data Port VLAN dialog box is displayed. For a description of the fields in this dialog box, see Create and Edit IDSM Data Port VLANs Dialog Boxes, page L-32.
Step 3 To associate the VLAN with the numbered chassis slot where you installed your IDSM services module and to associate one module data port with the VLAN, do one of the following:
•Enter the slot-port number in the Slot-Ports text box.
•Click Select to open the IDSM Slot-Port Selector dialog box.
Note Associating one module data port with the VLAN enables you to configure the port at the group level instead of configuring it manually.
Step 4 From the Mode list, select the running mode of the data port VLAN. If you select Capture, select the check box to configure the specified data port as a capture destination.
Note If you do not select this check box, the capture port is created in shutdown mode.
Step 5 To assign a VLAN to the specified data port, do one of the following:
•Enter its numeric ID in the VLAN IDs text box.
•Click Select to open the VLAN Selector dialog box.
You can enter or select more than one VLAN ID.
Step 6 Click OK to save your definitions locally on the client and close the dialog box.
You can delete a data port VLAN definition on the IDSM.
Related Topics
•Creating or Editing Data Port VLAN Definitions
•Deleting EtherChannel VLAN Definitions
Step 1 Do one of the following:
•(Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.
•(Policy view) Select Catalyst Platform > IDSM Settings.
The IDSM Settings page is displayed. For a description of the fields on this page, see IDSM Settings Page, page L-30.
Step 2 Click a row in the table to select the VLAN definition to delete.
Step 3 Click Delete Row.
You can view a summary of the configurations saved to your Catalyst 6500 Series switches and Cisco 7600 Series routers.
Related Topics
•Chapter 15 "Managing Cisco Catalyst Switches and Cisco 7600 Series Routers"
•Interfaces/VLANs Page—Summary Tab, page L-29
•Interfaces/VLANs Page, page L-2
Step 1 (Device view) Select a Catalyst device, then select Interfaces/VLANs from the Policy selector.
Step 2 Click the Summary tab in the work area. The Summary tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—Summary Tab, page L-29.