-
null
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The main pages available in Cisco Security Manager for configuring and managing platform-specific policies on Cisco IOS routers are discussed in the following topics:
NAT policies:
Interface policies:
•Advanced Interface Settings Page
•IPS Module Interface Settings Page
Device Admin policies:
•Accounts and Credential s Policy Page
•Device Access policies:
•Secure Device Provisioning Policy Page
•Server Access policies:
Identity policies:
•Network Admission Control Policy Page
Logging policies:
•Syslog Logging Setup Policy Page
Quality of Service policies:
•Quality of Service Policy Page
Routing policies:
Tip Use the Policy Management page in the Security Manager Administration window to control which router platform policy pages are available in Security Manager. For more information, see Policy Management Page, page A-33.
You can configure NAT policies on a Cisco IOS router from the following tabs on the NAT policy page:
•NAT Page—Interface Specification Tab
Network Address Translation (NAT) converts private, internal LAN addresses into globally routable IP addresses. NAT enables a small number of public IP addresses to provide global connectivity for a large number of hosts.
For more information, see NAT on Cisco IOS Routers, page 13-4.
•(Device view) Select NAT from the Policy selector.
•(Policy view) Select NAT (Router) from the Policy Type selector. Right-click NAT (Router) to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the NAT Interface Specification tab to define the inside and outside interfaces on the router used for NAT. Inside interfaces typically connect to a LAN that the router serves. Outside interfaces typically connect to your organization's WAN or to the Internet. You must designate at least one inside interface and one outside interface for the router to perform NAT.
NAT uses the Inside and Outside designations when interpreting translation rules, translating the original, inside addresses to outside ones. After these interfaces are designated, they are used in all static and dynamic NAT translation rules.
In the NAT Inside Interfaces and NAT Outside Interfaces fields, type in the names of the interfaces or interface roles for the inside and outside interfaces. Separate multiple names or roles with commas (for example, Ethernet1/1, Ethernet1/2). You cannot enter the same name in both fields.
Click Select to select interface names or roles from a list of existing objects, or to create new interface role objects.
Go to the NAT Policy Page, then click the Interface Specification tab.
Use the NAT Static Rules tab to create, edit, and delete static address translation rules. For more information, see Defining Static NAT Rules, page 13-5.
Go to the NAT Policy Page, then click the Static Rules tab.
•NAT Page—Interface Specification Tab
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Original Address |
The original address (and optionally, the subnet mask) that is being translated. |
Translated Address |
The IP address to which the traffic is translated. |
Port Redirection |
(When the static rule is defined on a port) Information about the port that is being translated, including the local and global port numbers. |
Advanced |
The advanced options that are enabled. |
Add button |
Opens the NAT Static Rule Dialog Box. From here you can create a static translation rule. |
Edit button |
Opens the NAT Static Rule Dialog Box. From here you can edit the selected static translation rule. |
Delete button |
Deletes the selected static translation rules from the table. |
Use the NAT Static Rule dialog box to add or edit static address translation rules.
Go to the NAT Page—Static Rules Tab, then click the Add or Edit button beneath the table.
•Defining Static NAT Rules, page 13-5
•Disabling the Alias Option for Attached Subnets, page 13-9
•Disabling the Payload Option for Overlapping Networks, page 13-10
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Understanding Interface Role Objects, page 8-33
Use the NAT Dynamic Rules tab to create, edit, and delete dynamic address translation rules. A dynamic address translation rule dynamically maps hosts to addresses, using either the globally registered IP address of a specific interface or addresses included in an address pool that are globally unique in the destination network.
For more information, see Defining Dynamic NAT Rules, page 13-10.
Go to the NAT Policy Page, then click the Dynamic Rules tab.
•NAT Page—Interface Specification Tab
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Traffic Flow |
The ACL that defines the traffic that is being translated. |
Translated Address |
Indicates whether the translated address is based on an interface or on a defined address pool. |
Port Translation |
Indicates whether Port Address Translation (PAT) is being used by this dynamic NAT rule. |
Add button |
Opens the NAT Dynamic Rule Dialog Box. From here you can create a dynamic translation rule. |
Edit button |
Opens the NAT Dynamic Rule Dialog Box. From here you can edit the selected dynamic translation rule. |
Delete button |
Deletes the selected dynamic translation rules from the table. |
Use the NAT Dynamic Rule dialog box to add or edit dynamic address translation rules.
Go to the NAT Page—Dynamic Rules Tab, then click the Add or Edit button beneath the table.
•Defining Dynamic NAT Rules, page 13-10
•Creating Access Control List Objects, page 8-23
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Understanding Interface Role Objects, page 8-33
Use the NAT Timeouts tab to view or modify the default timeout values for PAT (overload) translations. These timeouts cause a dynamic translation to expire after a defined period of non-use. In addition, you can use this page to place a limit on the number of entries allowed in the dynamic NAT table and to modify the default timeout on all dynamic translations that are not PAT translations.
Note For more information about the Overload feature, see NAT Dynamic Rule Dialog Box.
Go to the NAT Policy Page, then click the Timeouts tab.
•Specifying NAT Timeouts, page 13-12
•NAT Page—Interface Specification Tab
Use the Router Interfaces page to view, create, edit, and delete interface definitions (physical and virtual) on a selected Cisco IOS router. The Router Interfaces page displays interfaces that were discovered by Security Manager as well as interfaces added manually after you added the device to the system.
Note Unlike other router policies, the Interfaces policy cannot be shared among multiple devices. The Advanced Settings policy, however, may be shared. See Local Policies vs. Shared Policies, page 6-3.
For more information, see Basic Interface Settings on Cisco IOS Routers, page 13-13.
Select a Cisco IOS router from the Device selector, then select Interfaces > Interfaces from the Policy selector.
•Available Interface Types, page 13-13
•Deleting a Cisco IOS Router Interface, page 13-17
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Interface Type |
The interface type. Subinterfaces are displayed indented beneath their parent interface. |
Interface Name |
The name of the interface. |
Enabled |
Indicates whether the interface is currently enabled (managed by Security Manager) or disabled (shutdown state). |
IP Address |
The IP address of interfaces defined with a static address. |
IP Address Type |
The type of IP address assigned to the interface—static, DHCP, PPPoE, or unnumbered. (IP address is defined by a selected interface role.) |
Interface Role |
The interface roles that are assigned to the selected interface. |
Add button |
Opens the Create Router Interface Dialog Box. From here you can create an interface on the selected router. |
Edit button |
Opens the Create Router Interface Dialog Box. From here you can edit the selected interface. |
Delete button |
Deletes the selected interfaces from the table. |
Use the Create Router Interface dialog box to create and edit physical and virtual interfaces on the selected Cisco IOS router.
Tip Interface configuration is specific to the type of device. Many of the options on this page might be greyed out for specific device or interface types because they do not apply or they are not configurable.
Go to the Router Interfaces Page, then click the Add or Edit button beneath the table.
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Deleting a Cisco IOS Router Interface, page 13-17
•Never Block Networks Dialog Box, page M-101
|
|
---|---|
Enabled |
Whether the interface is enabled (no shutdown). If you deselect this option, the interface is created in the configuration but it is shut down. |
Type |
Specifies whether you are defining an interface or subinterface. |
Name |
Applies only to interfaces. The name of the interface. Enter a name manually, or click Select to display a dialog box for generating a name automatically. See Interface Auto Name Generator Dialog Box. Logical interfaces require a number after the name: •The range for dialer interfaces is 0-799. •The range for loopback interfaces is 0-2147483647. •The range for BVI interfaces is 1-255. •The only allowed value for null interfaces is 0. |
Parent |
Applies only to subinterfaces. The parent interface of the subinterface. Choose the parent interface from this list. |
Subinterface ID |
Applies only to subinterfaces. The ID number of the subinterface. |
IP |
The method of IP address assignment for the interface: •Static IP—Defines a static IP address and subnet mask for the interface. Enter this information in the fields that appear below the option. Note You can define the mask using either dotted decimal (for example, 255.255.255.255) or CIDR notation (/32). See Contiguous and Discontiguous Network Masks, page 8-65. •DHCP—The interface obtains its IP address dynamically from a DHCP server. •PPPoE—The router automatically negotiates its own registered IP address from a central server (via PPP/IPCP). The following interface types support PPPoE: –Async –Serial –High-Speed Serial Interface (HSSI) –Dialer –BRI, PRI (ISDN) –Virtual template –Multilink •Unnumbered—The interface obtains its IP address from a different interface on the device. Choose an interface from the Interface list. This option can be used with point-to-point interfaces only. Note Layer 2 interfaces do not support IP addresses. Deployment fails if you define an IP address on a Layer 2 interface. |
Layer Type |
The OSI layer at which the interface is defined: •Unknown—The layer is unknown. •Layer 2—The data link layer, which contains the protocols that control the physical layer (Layer 1) and how data is framed before being transmitted on the medium. Layer 2 is used for bridging and switching. Layer 2 interfaces do not have IP addresses. •Layer 3—The network layer, which is primarily responsible for the routing of data in packets across logical internetwork paths. This routing is accomplished through the use of IP addresses. |
Negotiation |
Available on ASRs; applies to Fast Ethernet and Gigabit Ethernet interfaces only. Auto-negotiation detects the capabilities of remote devices and negotiates the best possible performance between the two devices. When Negotiation is enabled, the Duplex and Speed options are disabled. |
Duplex |
The interface transmission mode: •None—The transmission mode is returned to its device-specific default setting. •Full—The interface transmits and receives at the same time (full duplex). •Half—The interface can transmit or receive, but not at the same time (half duplex). This is the default. •Auto—The router automatically detects and sets the appropriate transmission mode, either full or half duplex. Not available on ASRs; use auto-negotiation instead. Note When using Auto mode, be sure that the port on the active network device to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode. Note You can configure a duplex value only if you set the Speed to a fixed speed, not Auto. Note This setting does not apply to serial, HSSI, ATM, PRI, DSL, tunnel, or loopback interfaces. |
Speed |
Applies only to Fast Ethernet and Gigabit Ethernet interfaces. The speed of the interface: •None—The setting is not configurable on the device. •10—10 megabits per second (10Base-T networks). •100—100 megabits per second (100Base-T networks). This is the default for Fast Ethernet interfaces. •1000—1000 megabits per second (Gigabit Ethernet networks). This is the default for Gigabit Ethernet interfaces. •Auto—The router automatically detects and sets appropriate interface speed. Not available on ASRs; use auto-negotiation. Note When using Auto mode, be sure that the port on the active network device to which you connect this interface is also set to automatically negotiate the transmission speed. Otherwise, select the appropriate fixed speed. |
MTU |
The maximum transmission unit, which refers to the maximum packet size, in bytes, that this interface can handle. Valid values for serial, Ethernet, and Fast Ethernet interfaces range from 64 to 17940 bytes. Valid values for Gigabit Ethernet interfaces range from 1500 to 9216 bytes. |
Encapsulation |
The type of encapsulation performed by the interface: •None—No encapsulation. •DOT1Q—VLAN encapsulation, as defined by the IEEE 802.1Q standard. Applies only to Ethernet subinterfaces. •Frame Relay—IETF Frame Relay encapsulation. Applies only to serial interfaces (not serial subinterfaces). Note IETF Frame Relay encapsulation provides interoperability between a Cisco IOS router and equipment from other vendors. To configure Cisco Frame Relay encapsulation, use CLI commands or FlexConfigs. |
VLAN ID |
Applies only to subinterfaces with encapsulation type DOT1Q. The VLAN ID associated with this subinterface. The VLAN ID specifies where 802.1Q tagged packets are sent and received on this subinterface; without a VLAN ID, the subinterface cannot send or receive traffic. Valid values range from 1 to 4094. Note All VLAN IDs must be unique among all subinterfaces configured on the same physical interface. |
Native VLAN |
Applies only when the encapsulation type is DOT1Q and you are configuring a physical interface that is meant to serve as an 802.1Q trunk interface. Trunking is a way to carry traffic from several VLANs over a point-to-point link between two devices. When selected, the Native VLAN is associated with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) The native VLAN is the VLAN to which all untagged VLAN packets are logically assigned by default. This includes the management traffic associated with the VLAN. If no VLAN ID is defined, the default is 1. For example, if the VLAN ID of this interface is 1, all incoming untagged packets and packets with VLAN ID 1 are received on the main interface and not on a subinterface. Packets sent from the main interface are transmitted without an 802.1Q tag. When deselected, the Native VLAN is not associated with this interface. Note The Native VLAN cannot be configured on a subinterface of the trunk interface. Be sure to configure the same Native VLAN value at both ends of the link; otherwise, traffic may be lost or sent to the wrong VLAN. |
DLCI |
Applies only to serial subinterfaces with Frame Relay encapsulation. Enter the data-link connection identifier to associate with the subinterface. Valid values range from 16 to 1007. Note Security Manager configures serial subinterfaces as point-to-point not multipoint. |
Description |
Additional information about the interface (up to 1024 characters). |
Roles |
The interface roles assigned to this interface. A message is displayed if no roles have yet been assigned. |
Use the Interface Auto Name Generator dialog box to have Security Manager generate a name for the interface based on the interface type and its location in the router or switch.
Go to the Create Router Interface Dialog Box, select Interface from the Type list, then click Select in the Name field.
•Basic Interface Settings on Cisco IOS Routers, page 13-13
|
|
---|---|
Type |
The type of interface. Your selection from this list forms the first part of the generated name, as displayed in the Result field. For more information, see Table 13-1 on page 13-13. |
Card |
The card related to the interface. Note When defining a BVI interface, enter the number of the corresponding bridge group. |
Slot |
The slot related to the interface. |
Port |
The port related to the interface. Note The information you enter in these fields forms the remainder of the generated name, as displayed in the Result field. |
Result |
The name generated by Security Manager from the information you entered for the interface type and location. The name displayed in this field is read-only. |
Use the Advanced Interface Settings page to configure advanced interface definitions (physical and virtual) on a router. Examples of advanced settings include Cisco Discovery Protocol (CDP) settings, ICMP message settings, and virtual fragment reassembly settings. You can configure settings for specific interfaces or for interface roles. The columns in the table summarize the advanced settings for an entry and are explained in Advanced Interface Settings Dialog Box.
To configure advanced settings:
•Click the Add button to add an interface or interface role to the table, and fill in the Advanced Interface Settings dialog box.
•Select an entry and click the Edit button to edit an existing entry.
•Select an entry and click the Delete button to delete it.
For more information, see Advanced Interface Settings on Cisco IOS Routers, page 13-18.
•(Device view) Select Interfaces > Settings > Advanced Settings from the Policy selector.
•(Policy view) Select Router Interfaces > Settings > Advanced Settings from the Policy Type selector. Right-click Advanced Settings to create a policy, or select an existing policy from the Shared Policy selector.
•Available Interface Types, page 13-13
•Deleting a Cisco IOS Router Interface, page 13-17
•Table Columns and Column Heading Features, page 2-18
Use the Advanced Interface Settings dialog box to define a variety of advanced settings on a selected interface as described in the table below.
Go to the Advanced Interface Settings Page, then click the Add or Edit button beneath the table.
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Advanced Interface Settings on Cisco IOS Routers, page 13-18
•Deleting a Cisco IOS Router Interface, page 13-17
•Available Interface Types, page 13-13
|
|
---|---|
Interface |
The interface on which the advanced settings are defined. Enter the name of an interface or interface role, or click Select to select it. If the you want is not listed, click the Create button to create it. Note The only advanced settings supported on Layer 2 interfaces are Max. Bandwidth, Load Interval, and CDP. |
Max Bandwidth |
The bandwidth value to communicate to higher-level protocols in kilobits per second (kbps). The value you define in this field is an informational parameter only; it does not affect the physical interface. |
Load Interval |
The length of time, in seconds, used to calculate the average load on the interface. Valid values range from 30 to 600 seconds, in multiples of 30 seconds. The default is 300 seconds (5 minutes). Load interval is not supported on subinterfaces. Modify the default to shorten the length of time over which load averages are computed. You can do this if you want load computations to be more reactive to short bursts of traffic. Load data is gathered every 5 seconds. This data is used to compute load statistics, including input/output rate in bits and packets per second, load, and reliability. Load data is computed using a weighted-average calculation in which recent load data has more weight in the computation than older load data. |
TCP Maximum Segment Size |
The maximum segment size (MSS) of TCP SYN packets that pass through this interface. Valid values range from 500 to 1460 bytes. If you do not specify a value, the MSS is determined by the originating host. This option helps prevent TCP sessions from being dropped as they pass through the router. Use this option when the ICMP messages that perform auto-negotiation of TCP frame size are blocked (for example, by a firewall). We highly recommend using this option on the tunnel interfaces of DMVPN networks. For more information, see TCP MSS Adjustment at this URL: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html Note Typically, the optimum MSS is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link. |
Helper Addresses |
The helper addresses that are used to forward User Datagram Protocol (UDP) broadcasts that are received on this interface. Enter one or more addresses or the names of the network/host objects, or click Select to select an object from a list or to create a new object. By default, routers do not forward broadcasts outside of their subnet. Helper addresses provide a solution by enabling the router to forward certain types of UDP broadcasts as a unicast to an address on the destination subnet. For more information, see Understanding Helper Addresses, page 13-19. |
Interface Throughput Delay |
The expected delay for the interface in tens of microseconds (for example, 3000 translates to 30,000 microseconds). You can enter a value between 1 and 16777215, and the default varies by the type of interface. Higher-level protocols might use delay information to make operating decisions. For example, IGRP can use delay information to differentiate between a satellite link and a land link. This setting is for informational purposes only and does not affect the actual delay on the interface. |
Cisco Discovery Protocol settings |
Settings related to the Cisco Discovery Protocol (CDP). CDP is a media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. It is primarily used to obtain protocol addresses of neighboring devices and to discover the platform of those devices. The options are: •Enable CDP—Whether to enable the Cisco Discovery Protocol (CDP) on this interface. You cannot enable CDP on ATM interfaces. •Log CDP Messages—On Ethernet interfaces, whether to log duplex mismatches for this interface. |
|
|
Enable Redirect Messages |
Whether to enable the sending of Internet Control Message Protocol (ICMP) redirect messages if the device is forced to resend a packet through the same interface on which it was received to another device on the same subnet. Redirect messages are sent when the device wants to instruct the originator of the packet to remove it from the route and substitute a different device that offers a more direct path to the destination. |
Enable Unreachable Messages |
Whether to enable the sending of ICMP unreachable messages. Unreachable messages are sent in two circumstances: •If the interface receives a nonbroadcast packet destined for itself that uses an unknown protocol, the interface sends an ICMP unreachable message to the source. •If the device receives a packet that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it sends an ICMP host unreachable message to the originator of the packet. Note This is the only advanced setting supported by the null0 interface. |
Enable Mask Reply Messages |
Whether to enable the sending of ICMP mask reply messages. Mask reply messages are sent in response to mask request messages, which are sent when a device needs to know the subnet mask for a particular subnetwork. |
|
|
Enable Maintenance Operation Protocol (MOP) |
Whether to enable MOP on the interface. You can use MOP for utility services such as uploading and downloading system software, remote testing, and problem diagnosis. |
Enable Virtual Fragment Reassembly (VFR) |
Whether to enable virtual fragmentation reassembly (VFR) on this interface. VFR is a feature that enables the Cisco IOS Firewall to create dynamic ACLs that can protect the network from various fragmentation attacks. For more information, see Virtual Fragmentation Reassembly at this URL: |
Enable Proxy ARP |
Whether to enable proxy Address Resolution Protocol (ARP) on the interface. Proxy ARP, defined in RFC 1027, is the technique in which one host, usually a router, answers ARP requests intended for another machine, thereby accepting responsibility for routing packets to the real destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway. |
Enable NBAR Protocol Discovery |
Whether to enable network-based application recognition (NBAR) on this interface to discover traffic and keep traffic statistics for all protocols known to NBAR. Protocol discovery provides a method to discover application protocols traversing an interface so that QoS policies can be developed and applied to them. For more information, go to: http://www.cisco.com/en/US/products/ps6616/products_qanda_item09186a00800a3ded.shtml |
Enable Directed Broadcasts ACL |
Whether to have directed broadcast packets "exploded" as a link-layer broadcast when this interface is directly connected to the destination subnet. When deselected, directed broadcast packets that are intended for the subnet to which this interface is directly connected are dropped rather than being broadcast. This is the default. An IP directed broadcast is an IP packet whose destination address is a valid broadcast address on a different subnet from the node on which it originated. In such cases, the packet is forwarded as if it was a unicast packet until it reaches its destination subnet. This option affects only the final transmission of the directed broadcast on its destination subnet; it does not affect the transit unicast routing of IP directed broadcasts. If you enable directed broadcasts, you can apply an ACL to determine which directed broadcasts are permitted to be broadcast on the destination subnet. All other directed broadcasts destined for the subnet to which this interface is directly connected are dropped. Enter the name of a standard or extended ACL object, or click Select to select an object from a list or to create a new object. |
|
|
Enable Unicast RFP |
Whether to enable unicast reverse path forwarding (RFP) on the interface. When you enable Unicast RPF on an interface, the router examines all packets that are received on that interface. The router checks to make sure that the source address appears in the FIB, and takes action based on your unicast RFP settings. Use unicast RFP to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks based on source IP address spoofing. For more information on unicast RFP, see the description of the ip verify unicast source reachable-via command in the Cisco IOS Interface and Hardware Component Command Reference. To enable unicast RFP, you must also globally enable Cisco Express Forwarding (CEF). For more information on CEF, see CEF Interface Settings on Cisco IOS Routers, page 13-22. |
Mode |
How strict to make unicast RFP: •Loose Mode—The default. Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet if the source is reachable through any interface on the router. Use loose mode on interfaces where asymmetric paths allow packets from valid source networks (networks contained in the FIB). For example, routers that are in the core of an ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. •Strict Mode—Examines incoming packets to determine whether the source address is in the FIB and permits the packet only if the source is reachable through the interface on which the packet was received. Use strict mode on interfaces where only one path allows packets from valid source networks (networks contained in the FIB). Also, use strict mode when a router has multiple paths to a given network as long as the valid networks are switched through the incoming interfaces. Packets for invalid networks are dropped. For example, routers at the edge of the network of an ISP are likely to have symmetrical reverse paths. Strict mode is also applicable in certain multihomed situations, provided that optional Border Gateway Protocol (BGP) attributes, such as weight and local preference, are used to achieve symmetric routing. |
Allow Use Of Default Route for RFP Verification |
Whether to permit Unicast RPF to successfully match on prefixes that are known through the default route when determining whether to pass packets. Normally, sources found in the FIB but only by way of the default route are dropped. |
Allow Self Ping |
Whether to allow the router to ping its own interfaces. By default, when you enable Unicast RPF, packets that are generated by the router and destined to the router are dropped, thereby making certain troubleshooting and management tasks difficult to accomplish. Caution Allowing self-ping opens a potential denial of service (DoS) hole. |
ACL (For Unicast RFP) |
If you enable unicast RFP, you can apply an ACL to refine how packets are handled when a reverse path is not found. If you specify an ACL, when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Enter the name of a standard or extended ACL object, or click Select to select an object from a list or to create a new object. |
Use the IPS Module Interface Settings page to define the settings on the Cisco Intrusion Prevention System Advanced Integration Module or Network Module. The module must be running IPS 6.0 or later. You can define the fail mode for the IPS interface, and the interfaces that the module should monitor. Configure this policy only if the router hosts an IPS module.
•(Device view) Select Interfaces > Settings > IPS Module from the Policy selector.
•(Policy view) Select Router Interfaces > Settings > IPS Module from the Policy Type selector. Create a new policy or select an existing policy from the Shared Policy selector.
•IPS Module Interface Settings on Cisco IOS Routers, page 13-21
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Interface Name |
The name of the IPS module interface. Enter the name or click Select to select the interface or interface role. If the object that you want is not listed, click the Create button to create it. |
Fail Over Mode |
How the module should handle traffic inspection during a module failure, either to fail open (passing all traffic without inspection) or fail closed (dropping all traffic). The default is fail open. |
IPS Module Service Module Monitoring Settings table |
The list of interfaces on the router that the IPS module should monitor. The table shows the name of the interface or interface role, whether monitoring is inline or promiscuous, and whether an ACL is used to filter traffic for inspection on the interface. Inline mode puts the IPS module directly into the traffic flow, allowing it to stop attacks by dropping malicious traffic before it reaches the intended target. In promiscuous mode, packets do not flow through the sensor; the sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. If the ACL is matched, the matched traffic is not inspected. •To add an interface to the table, click the Add button and fill in the IPS Monitoring Information Dialog Box. •To edit the settings for an interface, select it and click the Edit button. •To delete an interface, select it and click the Delete button. |
Use the IPS Monitoring Information dialog box to add or edit the properties of interfaces to be monitored by the IPS module.
Go to the IPS Module Interface Settings Page, then click the Add or Edit button beneath the IPS Module Service Module Monitoring Settings table.
•IPS Module Interface Settings on Cisco IOS Routers, page 13-21
•Basic Interface Settings on Cisco IOS Routers, page 13-13
Use the CEF Interface Settings page to define the settings for Cisco Express Forwarding. CEF is an advanced Layer 3 IP switching technology that optimizes network performance and scalability for all kinds of networks, from those that carry small amounts of traffic to those that carry large amounts of traffic in complex patterns, such as the Internet and networks characterized by intensive web-based applications or interactive sessions. CEF is enabled by default on most Cisco IOS routers.
•(Device view) Select Interfaces > Settings > CEF from the Policy selector.
•(Policy view) Select Router Interfaces > Settings > CEF from the Policy Type selector. Create a new policy or select an existing policy from the Shared Policy selector.
•CEF Interface Settings on Cisco IOS Routers, page 13-22
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Enable Cisco Express Forwarding |
Whether to enable CEF globally on the device. The option is greyed out if you cannot disable CEF on the device. You can configure other settings on the page only if you enable CEF globally. |
CEF Network Accounting |
These options are for configuring CEF accounting globally. If you collect accounting statistics, you can view them using the show ip cef command on the router. You can select the following options to enable different types of accounting: •Enable Accounting for Traffic Through Non-Recursive Prefixes—For network prefixes with directly connected next hops, non-recursive accounting enables express forwarding of the collection of packets through a prefix. •Enable Per-Prefix Accounting—Accounting statistics based on the packet's network prefix. •Enable Prefix Length Accounting—Accounting statistics based on the network prefix length. •Enable Load Balance Hash Accounting—When you use per-destination load balancing (the default), CEF uses a series of 16 hash buckets to distribute the available paths based on the source and destination addresses. Enabling load balance hash accounting provides per-hash-bucket counters. |
CEF Interface Settings table |
The interfaces on the router for which you are defining special CEF configurations. When you enable CEF globally, by default, all interfaces on the router enable CEF and use per-destination load balancing. Add interfaces to this table only if you want to configure different behavior for the interfaces. The table shows the name of the interface or interface role, whether CEF is enabled or disabled, and whether the interface is load balancing based on destination or on a per-packet basis. For a detailed explanation of the fields, see CEF Interface Settings Dialog Box. •To add an interface to the table, click the Add button. •To edit the settings for an interface, select it and click the Edit button. •To delete an interface, select it and click the Delete button. |
Use the CEF Interface Settings dialog box to add or edit the CEF properties of interfaces when you want to configure something different than the global default.
Go to the CEF Interface Settings Page, then click the Add or Edit button beneath the CEF Interface Settings table.
•CEF Interface Settings on Cisco IOS Routers, page 13-22
•Basic Interface Settings on Cisco IOS Routers, page 13-13
Use the Dialer page to define the relationship between physical Basic Rate Interface (BRI) and virtual dialer interfaces. You use these dialer interfaces when you configure the dial backup feature for site-to-site VPNs.
For more information, see Dialer Interfaces on Cisco IOS Routers, page 13-22.
•(Device view) Select Interfaces > Settings > Dialer from the Policy selector.
•(Policy view) Select Router Interfaces > Settings > Dialer from the Policy Type selector. Right-click Dialer to create a policy, or select an existing policy from the Shared Policy selector.
•Configuring Dial Backup, page 9-29
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
|
|
Interface |
The interface role that the dialer interface uses. |
Profile Name |
The name of the dialer profile. |
Dial Pool |
The dialing pool that this dialer profile uses. |
Dial Group |
The dialer group that this dialer profile uses. |
Interesting Traffic ACL |
The ACL that defines which traffic can use this dialer profile. |
Dial String |
The phone number that the dialer calls. |
Idle Timeout |
The defined interval after which an uncontested idle line is disconnected. |
Fast Idle |
The defined interval after which a contested idle line is disconnected. |
Add button |
Opens the Dialer Profile Dialog Box. From here you can define a dialer profile. |
Edit button |
Opens the Dialer Profile Dialog Box. From here you can edit the selected dialer profile. |
Delete button |
Deletes the selected dialer profiles from the table. |
|
|
Interface |
The name of the interface role that the physical interface uses. |
Pools |
The dial pools related to this physical interface. |
Switch Type |
The ISDN switch type that the physical interface uses. |
SPID1 |
The first service provider identifier (SPID) related to this interface. |
SPID2 |
The second SPID related to this interface. |
Add button |
Opens the Dialer Physical Interface Dialog Box. From here you can define a dialer physical interface. |
Edit button |
Opens the Dialer Physical Interface Dialog Box. From here you can edit the selected dialer physical interface. |
Delete button |
Deletes the selected dialer physical interfaces from the table. |
Use the Dialer Profile dialog box to add or edit dialer profiles.
Go to the Dialer Policy Page, then click the Add or Edit button beneath the
Dialer Profile table.
•Dialer Physical Interface Dialog Box
•Defining Dialer Profiles, page 13-23
•Dialer Interfaces on Cisco IOS Routers, page 13-22
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Creating Interface Role Objects, page 8-34
Use the Dialer Physical Interface dialog box to add or edit the properties that associate physical BRI interfaces with dialer interfaces.
Note Use FlexConfigs to define other types of physical dialer interfaces, such as ATM and Ethernet. For more information, see Understanding FlexConfig Policies and Policy Objects, page 18-1.
Go to the Dialer Policy Page, then click the Add or Edit button beneath the Dialer Physical Interfaces table.
•Defining BRI Interface Properties, page 13-24
•Dialer Interfaces on Cisco IOS Routers, page 13-22
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Understanding Interface Role Objects, page 8-33
|
|
---|---|
ISDN BRI |
The physical BRI interface associated with the dialer interface. Enter the name of an interface or interface role object, or click Select to select it. If the object that you want is not listed, click the Create button to create it. |
Pools |
Associates dialer pools with a physical interface. Enter the names of one or more pools (as defined in the Dialer Profile Dialog Box), or click Select to display a selector. Use commas to separate multiple entries. |
Switch Type |
The ISDN switch type. Options for North America are: •basic-5ess—Lucent (AT&T) basic rate 5ESS switch •basic-dms100—Northern Telecom DMS-100 basic rate switch •basic-ni—National ISDN switches Options for Australia, Europe, and the UK are: •basic-1tr6—German 1TR6 ISDN switch •basic-net3—NET3 ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system •vn3—French VN3 and VN4 ISDN BRI switches Option for Japan is: •ntt—Japanese NTT ISDN switches Option for Voice/PBX system is: •basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931 () |
SPID1 |
Applies only when you select Basic-DMS-100, Basic-NI, or Basic-5ess as the switch type. The service provider identifier (SPID) for the ISDN service to which the interface subscribes. Some service providers in North America assign SPIDs to ISDN devices when you first subscribe to an ISDN service. If you are using a service provider that requires SPIDs, your ISDN device cannot place or receive calls until it sends a valid assigned SPID to the service provider when accessing the switch to initialize the connection. Valid SPIDs can contain up to 20 characters, including spaces and special characters. Note We recommend that you do not enter a SPID for interfaces using the AT&T 5ESS switch type, even though they are supported. |
SPID2 |
Applies only when you select DMS-100 or NI as the switch type. The service provider identifier (SPID) for a second ISDN service to which the interface subscribes. Valid SPIDs can contain up to 20 alphanumeric characters (no spaces are permitted). |
Use the ADSL page to create, edit, and delete ADSL definitions on the ATM interfaces of the router. For more information, see Defining ADSL Settings, page 13-27.
•(Device view) Select Interfaces > Settings > DSL > ADSL from the Policy selector.
•(Policy view) Select Router Interfaces > Settings > DSL > ADSL from the Policy Type selector. Right-click ADSL to create a policy, or select an existing policy from the Shared Policy selector.
•ADSL on Cisco IOS Routers, page 13-25
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
ATM Interface |
The ATM interface on which ADSL settings are defined. |
Interface Card |
The type of device or ADSL interface card on which the ATM interface resides. |
Bandwidth Change |
Indicates whether the router makes dynamic adjustments to VC bandwidth as overall bandwidth changes. (This is relevant only when IMA groups are configured on the ATM interface.) |
DSL Operating Mode |
The DSL operating mode for this interface. |
Tone Low |
Indicates whether the interface is using the low tone set (carrier tones 29 through 48). |
Add button |
Opens the ADSL Settings Dialog Box. From here you can define the ADSL settings for a selected ATM interface. |
Edit button |
Opens the ADSL Settings Dialog Box. From here you can edit the selected ADSL definition. |
Delete button |
Deletes the selected ADSL definition from the table. |
Use the ADSL Settings dialog box to configure ADSL settings on a selected ATM interface.
Note When you configure ADSL settings, we highly recommend that you select the type of device or interface card on which the ATM interface is defined. ADSL settings are highly dependent on the hardware. Defining the hardware type in Security Manager enables proper validation of your configuration for a successful deployment to your devices.
Go to the ADSL Policy Page, then click the Add or Edit button beneath the table.
•Defining ADSL Settings, page 13-27
|
|
---|---|
ATM Interface |
The ATM interface on which ADSL settings are defined. Enter the name of an interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it. Note We recommend that you do not define an interface role that includes ATM interfaces from different interface cards. The different settings supported by each card type may cause deployment to fail. Note You can create only one ADSL definition per interface. |
Interface Card |
The device type or the type of interface card installed on the router: •[blank]—The interface card type is not defined. •WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL over POTS (ordinary telephone lines). •WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the router warns the DSLAM of imminent line drops when the router is about to lose power.) •WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides ADSL over POTS with Dying Gasp support. •HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that provides ADSL over POTS. •HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that provides ADSL over ISDN. •HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over POTS with an ISDN BRI port for backup. •HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over ISDN with an ISDN BRI port for backup. |
Interface Card (continued) |
•857 ADSL—Cisco 857 Integrated Service Router with an ADSL interface. •876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface. •877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface. •1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS. •1802 ADSLoISDN—Cisco 1802 Integrated Services Router that provides ADSL over ISDN. Note When discovering from a live device, the correct interface card type will already be displayed. If you did not perform discovery on a live device, or if Security Manager cannot detect the type of interface card installed on the device, this field displays "Unknown". |
Allow bandwidth change on ATM PVCs |
When selected, the router makes dynamic adjustments to VC bandwidth in response to changes in the overall bandwidth of the Inverse Multiplexing over ATM (IMA) group defined on the ATM interface. When deselected, PVC bandwidth must be adjusted manually (using the CLI) whenever an individual physical link in the IMA group goes up or down. |
DSL Operating Mode |
The operating mode configured for this ADSL line: •auto—Performs automatic negotiation with the DSLAM located at the central office (CO). This is the default. •ansi-dmt—The line trains in ANSI T1.413 Issue 2 mode. •itu-dmt—The line trains in G.992.1 mode. •splitterless—The line trains in G.992.2 (G.Lite) mode. •etsi—The line trains in ETSI (European Telecommunications Standards Institute) mode. •adsl2—The line trains in G.992.3 (adsl2)mode. •adsl2+—The line trains in G.992.5 (adsl2+) mode. Note See Table 13-3 on page 13-26 for a description of the operating modes that are supported by each card type. |
Use low tone set |
When selected, the interface card uses carrier tones 29 through 48. When deselected, the interface card uses carrier tones 33 through 56. Note Leave this option deselected when the interface card is operating in accordance with Deutsche Telekom specification U-R2. |
Use the SHDSL page to create, edit, and delete DSL controller definitions on the router. For more information, see Defining SHDSL Controllers, page 13-29.
•(Device view) Select Interfaces > Settings > DSL > SHDSL from the Policy selector.
•(Policy view) Select Router Interfaces > Settings > DSL > SHDSL from the Policy Type selector. Right-click SHDSL to create a policy, or select an existing policy from the Shared Policy selector.
•SHDSL on Cisco IOS Routers, page 13-28
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Name |
The name of the DSL controller. |
Description |
An optional description of the controller. |
Shutdown |
Indicates whether the DSL controller is in shutdown mode. |
Configure ATM Mode |
Indicates whether the DSL controller has been set into ATM mode. |
Line Termination |
The line termination set for the router (CPE or CO). |
DSL Mode |
The operating mode defined for the DSL controller. |
Line Mode |
The line mode defined for the DSL controller. |
Line Rate |
The line rate (in kbps) defined for the DSL controller. Note A value is displayed in this column only if the line mode is not set to Auto. |
SNR Margin Current |
The current signal-to-noise ratio on the controller. |
SNR Margin Snext |
The self near-end crosstalk (Snext) signal-to-noise ratio on the controller. |
Add button |
Opens the SHDSL Controller Dialog Box. From here you can define the settings for a DSL controller. |
Edit button |
Opens the SHDSL Controller Dialog Box. From here you can edit the selected DSL controller definition. |
Delete button |
Deletes the selected DSL controller definition from the table. |
Use the SHDSL Controller dialog box to configure SHDSL controllers.
Go to the SHDSL Policy Page, then click the Add or Edit button beneath the table.
•Defining SHDSL Controllers, page 13-29
•Discovering Policies on Devices Already in Security Manager, page 6-14
|
|
---|---|
Name |
The name of the controller. Enter a name manually, or click Select to display a dialog box for generating a name. See Controller Auto Name Generator Dialog Box. |
Description |
Additional information about the controller (up to 80 characters). |
Shutdown |
When selected, the DSL controller is in shutdown state. However, its definition is not deleted. When deselected, the DSL controller is enabled. This is the default. |
Configure ATM mode |
When selected, sets the controller into ATM mode and creates an ATM interface with the same ID as the controller. This is the default. You must enable ATM mode and then perform rediscovery to configure ATM or PVCs on the device. When deselected, ATM mode is disabled. No ATM interface is created on deployment. Note You cannot remove ATM mode from a controller after it has been saved in Security Manager. |
Line Termination |
The line termination that is set for the router: •CPE—Customer premises equipment. This is the default. •CO—Central office. |
DSL Mode |
The DSL operating mode, including regional operating parameters, used by the controller: •[blank]—The operating mode is not defined. (When deployed, the Annex A standard for North America is used.) •A—Supports Annex A of the G.991.2 standard for North America. •A-B—Supports Annex A or Annex B. Available only when the Line Term is set to CPE. The appropriate mode is selected when the line trains. •A-B-ANFP—Supports Annex A or Annex B-ANFP. Available only when the Line Term is set to CPE. The appropriate mode is selected when the line trains. •B—Supports Annex B of the G.991.2 standard for Europe. •B-ANFP—Supports Annex B-ANFP (Access Network Frequency Plan). Note The available DSL modes are dependent on the selected line termination. |
|
|
Line Mode |
The line mode used by the controller: •auto—The controller operates in the same mode as the other line termination (2-wire line 0, 2-wire line 1, or 4-wire enhanced). This is the default for CPE line termination. •2-wire—The controller operates in two-wire mode. This is the default for CO line termination. •4-wire—The controller operates in four-wire mode. Note You can select Auto only when you configure the controller as the CPE. |
Line |
Applies only when the Line Mode is defined as 2-wire. The pair of wires to use: •line-zero—RJ-11 pin 1 and pin 2. This is the default for CO line termination. •line-one—RJ-11 pin 3 and pin 4. |
Exchange Handshake |
Applies only when the Line Mode is defined as 4-wire. The type of handshake mode to use: •[blank]—The handshake mode is not specified. (When deployed, the enhanced option is used.) This is the default. •enhanced—Exchanges handshake status on both wire pairs. •standard—Exchanges handshake status on the master wire pair only. |
Line Rate |
Does not apply when the Line Mode is defined as Auto. The DSL line rate (in kbps) available for the SHDSL port: •auto—The controller selects the line rate. This is available only in 2-wire mode. •Supported line rates: –For 2-wire mode: 192, 256, 320, 384, 448, 512, 576, 640, 704, 768, 832, 896, 960, 1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, 1664, 1728, 1792, 1856, 1920, 1984, 2048, 2112, 2176, 2240, and 2304. –For 4-wire mode: 384, 512, 640, 768, 896, 1024, 1152, 1280, 1408, 1536, 1664, 1792, 1920, 2048, 2176, 2304, 2432, 2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712, 3840, 3968, 4096, 4224, 4352, 4480, and 4608. Note Third-party equipment may use a line rate that includes an additional SHDSL overhead of 8 kbps for 2-wire mode or 16 kbps for 4-wire mode. |
|
|
Current |
The current signal-to-noise (SNR) ratio on the controller, in decibels (dB). Valid values range from -10 to 10 dB. This option can create a more stable line by making the line train more than current noise margin plus SNR ratio threshold during training time. If any external noise is applied that is less than the set SNR margin, the line will be stable. Note Select disable to disable the current SNR. |
Snext |
The Self Near-End Crosstalk (SNEXT) signal-to-noise ratio on the controller, in decibels. Valid values range from -10 to 10 dB. This option can create a more stable line by making the line train more than SNEXT threshold during training time. If any external noise is applied that is less than the set SNEXT margin, the line will be stable. Note Select disable to disable the SNEXT SNR. |
Use the Controller Auto Name Generator dialog box to have Security Manager generate a name for the DSL controller based on its location in the router.
Go to the SHDSL Controller Dialog Box, then click Select in the Name field.
•Defining SHDSL Controllers, page 13-29
Use the PVC page to create, edit, and delete permanent virtual connections (PVCs) on the router. PVCs allow direct and permanent connections between sites to provide a service that is similar to a leased line. These PVCs can be used in ADSL, SHDSL, or pure ATM environments. For more information, see Defining ATM PVCs, page 13-35.
•(Device view) Select Interfaces > Settings > PVC from the Policy selector.
•(Policy view) Select Router Interfaces > Settings > PVC from the Policy Type selector. Right-click PVC to create a policy, or select an existing policy from the Shared Policy selector.
•PVCs on Cisco IOS Routers, page 13-30
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
ATM Interface |
The ATM interface on which the PVC is defined. |
Interface Card |
The type of device or WAN interface card on which the ATM interface resides. |
PVC ID |
The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the PVC. |
Settings |
Additional settings configured for the PVC, including encapsulation, the number of PPPoE sessions, and the VPN service name. |
QoS |
Quality-of-service settings defined for the PVC, such as traffic shaping. |
Protocol |
The IP protocol mappings (static maps or Inverse ARP) configured for the PVC. |
OAM |
The F5 Operation, Administration, and Maintenance (OAM) loopback, continuity check, and AIS/RDI definitions configured for the PVC. |
OAM-PVC |
The OAM management cells that are configured for the PVC. |
Add button |
Opens the PVC Dialog Box. From here you can define a PVC. |
Edit button |
Opens the PVC Dialog Box. From here you can edit the selected PVC. |
Delete button |
Deletes the selected PVC from the table. |
Use the PVC dialog box to configure ATM permanent virtual circuits (PVCs).
Go to the PVC Policy Page, then click the Add or Edit button beneath the table.
•Defining ATM PVCs, page 13-35
|
|
---|---|
ATM Interface |
The ATM interface on which the PVC is defined. Enter the name of an interface, subinterface, or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it. Note We strongly recommend not defining an interface role that includes ATM interfaces from different interface cards. The different settings supported by each card type may cause deployment to fail. |
Interface Card |
The type of WAN interface card installed on the router or the router type: •[blank]—The interface card type is not defined. •WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL over POTS (ordinary telephone lines). •WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the router warns the DSLAM of imminent line drops when the router is about to lose power.) •WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides ADSL over POTS with Dying Gasp support. •HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that provides ADSL over POTS. •HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that provides ADSL over ISDN. •HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over POTS with an ISDN BRI port for backup. •HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over ISDN with an ISDN BRI port for backup. •WIC-1-SHDSL-V2—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and enhanced 4-wire mode. •WIC-1-SHDSL-V3—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and 4-wire mode (standard & enhanced). •NM-1A-T3—A 1-port ATM network module with a T3 link. •NM-1A-OC3-POM—A 1-port ATM network module with an optical carrier level 3 (OC-3) link and three operating modes (multimode, single-mode intermediate reach (SMIR), and single-mode long-reach (SMLR)). |
Interface Card (continued) |
•NM-1A-E3—A 1-port ATM network module with an E3 link. •857 ADSL—Cisco 857 Integrated Service Router with an ADSL interface. •876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface. •877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface. •878 G.SHDSL—Cisco 878 Integrated Services Router with a G.SHDSL interface. •1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS. •1802 ADSLoISDN—Cisco 1802 Integrated Services Router that provides ADSL over ISDN. •1803 G.SHDSL—Cisco 1803 Integrated Services Router that provides 4-wire G.SHDSL. Note To ensure proper policy validation, we highly recommend that you define a value in this field. When you discover a live device, the correct interface card type will already be displayed. If you did not perform discovery on a live device, or if Security Manager cannot detect the type of interface card installed on the device, this field displays "Unknown". |
Settings tab |
Defines basic PVC settings, such as the VPI/VCI and encapsulation. See PVC Dialog Box—Settings Tab. |
QoS tab |
Defines ATM traffic shaping and other quality-of-service settings for the PVC. See PVC Dialog Box—QoS Tab. |
Protocol tab |
Defines the IP protocol mappings configured for the PVC (static maps or Inverse ARP). See PVC Dialog Box—Protocol Tab. |
Advanced button |
Defines F5 Operation, Administration, and Maintenance (OAM) settings for the PVC. See PVC Advanced Settings Dialog Box—OAM Tab. |
Use the Settings tab of the PVC dialog box to configure the basic settings of the PVC, including:
•ID settings.
•Encapsulation settings.
•Whether ILMI and Inverse ARP are enabled.
•The maximum number of PPPoE sessions.
•The static domain (VPN service) name to use for PPPoA.
Go to the PVC Dialog Box, then click the Settings tab.
•PVC Advanced Settings Dialog Box
•Defining ATM PVCs, page 13-35
|
|
---|---|
|
|
VPI |
The virtual path identifier of the PVC. In conjunction with the VCI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values for most platforms range from 0 to 255. For Cisco 2600 and 3600 Series routers using Inverse Multiplexing for ATM (IMA), valid values range from 0 to 15, 64 to 79, 128 to 143, and 192 to 207. Note VPI/VCI values must be unique for all the PVCs configured on a selected interface. VPI/VCI values are unique to a single link only and might change as cells traverse the ATM network. |
VCI |
The 16-bit virtual channel identifier of the PVC. In conjunction with the VPI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values vary by platform. Typically, values up to 31 are reserved for special traffic (such as ILMI) and should not be used. 3 and 4 are invalid. Note VPI/VCI values must be unique for all the PVCs configured on a selected interface. VPI/VCI values are unique to a single link only and might change as cells traverse the ATM network. |
Handle |
An optional name to identify the PVC. The maximum length is 15 characters. |
Management PVC (ILMI) |
Does not apply when configuring the PVC on a subinterface. When selected, designates this PVC as the management PVC for this ATM interface by enabling communication with the Interim Local Management Interface (ILMI). ILMI is a protocol defined by the ATM Forum for setting and capturing physical layer, ATM layer, virtual path, and virtual circuit parameters on ATM interfaces. See Understanding ILMI, page 13-33. When deselected, this PVC does not act as the management PVC. This is the default. Note The VPI/VCI for the management PVC is typically set to 0/16. |
|
|
Type |
Does not apply when the Management PVC (ILMI) check box is enabled. The ATM adaptation layer (AAL) and encapsulation type to use on the PVC: •[blank]—The encapsulation type is not defined. (When deployed, aal5snap is applied.) •aal2—For PVCs dedicated to AAL2 Voice over ATM. AAL2 is used for variable bit rate (VBR) traffic, which can be either realtime (VBR-RT) or non-realtime (VBR-NRT). •aal5autoppp—Enables the router to distinguish between incoming PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE) sessions and create virtual access for both PPP types based on demand. •aal5ciscoppp—For the proprietary Cisco version of PPP over ATM. •aal5mux—Enables you to dedicate the PVC to a single protocol, as defined in the Protocol field. •aal5nlpid—Enables ATM interfaces to work with High-Speed Serial Interfaces (HSSI) that are using an ATM data service unit (ADSU) and running ATM-Data Exchange Interface (DXI). •aal5snap—Supports Inverse ARP and incorporates the Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) that precedes the protocol datagram. This allows multiple protocols to traverse the same PVC. |
Virtual Template |
The virtual template used for PPP over ATM on this PVC. Enter the name of a virtual template interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it. When a user dials in, the virtual template is used to configure a virtual access interface. When the user is done, the virtual access interface goes down and the resources are freed for other dial-in users. Note If you modify the virtual template settings on an existing PVC, you must enter the shutdown command followed by the no shutdown command on the ATM subinterface to restart the interface. This causes the newly configured parameters to take effect. |
Protocol |
Applies only when aal5mux is the defined encapsulation type. The protocol carried by the MUX-encapsulated PVC: •frame-relay—Frame-Relay-ATM Network Interworking (FRF.5) on the Cisco MC3810. •fr-atm-srv—Frame-Relay-ATM Service Interworking (FRF.8) on the Cisco MC3810. •ip—IP protocol. •ppp—IETF-compliant PPP over ATM. You must specify a virtual template when using this protocol type. •voice—Voice over ATM. |
|
|
Enable ILMI |
When selected, enables ILMI management on this PVC. When deselected, ILMI management on this PVC is disabled. |
Inverse ARP |
When selected, the Inverse Address Resolution Protocol (Inverse ARP) is enabled on the PVC. When deselected, Inverse ARP is disabled. This is the default. Inverse ARP is used to learn the Layer 3 addresses at the remote ends of established connections. These addresses must be learned before the virtual circuit can be used. Note Use the Protocol tab to define static mappings of IP addresses instead of dynamically learning the addresses using Inverse ARP. See PVC Dialog Box—Protocol Tab. |
PPPoE Max Sessions |
The maximum number of PPP over Ethernet sessions that are permitted on the PVC. |
VPN Service Name |
The static domain name to use on this PVC. The maximum length is 128 characters. Use this option when you want PPP over ATM (PPPoA) sessions in the PVC to be forwarded according to the domain name supplied, without starting PPP. |
Use the QoS tab of the PVC dialog box to configure the ATM traffic shaping and other quality-of-service settings of the PVC, including:
•The limit on packets placed on transmission rings.
•The QoS service.
•Whether random detection is enabled.
These settings regulate the flow of traffic over the PVC by queuing traffic that exceeds the defined allowable bit rates.
Note QoS values are highly hardware dependent. Please refer to your router documentation for additional details about the settings that can be configured on your device.
Go to the PVC Dialog Box, then click the QoS tab.
•PVC Advanced Settings Dialog Box
•Defining ATM PVCs, page 13-35
•Quality of Service Policy Page
•Understanding Policing and Shaping Parameters, page 13-104
|
|
---|---|
Tx Ring Limit |
The maximum number of transmission packets that can be placed on a transmission ring on the WAN interface card (WIC) or interface. The range of valid values depends on the type of interface card selected in the Settings tab. See PVC Dialog Box—Settings Tab. |
|
|
Traffic Shaping |
The type of service to define on the PVC: •[null]—The bit rate is not defined. •ABR—Available Bit Rate. A best-effort service suitable for applications that do not require guarantees against cell loss or delays. •CBR—Constant Bit Rate service. Delay-sensitive data, such as voice or video, is sent at a fixed rate, providing a service similar to a leased line. •UBR—Unspecified Bit Rate service. A best-effort service suitable for applications that are tolerant to delay and do not require realtime responses. •UBR+—Unspecified Bit Rate service. Unlike UBR, UBR+ attempts to maintain a guaranteed minimum rate. •VBR-NRT—Variable Bit Rate - Non-Real Time service. A service suitable for non-realtime applications that are bursty in nature. VBR is more efficient than CBR and more reliable than UBR. •VBR-RT—Variable Bit Rate - Real Time service. A service suitable for realtime applications that are bursty in nature. For more information about each service class, see Understanding ATM Service Classes, page 13-32. |
ABR |
The following fields are displayed when ABR is selected as the Bit Rate: •PCR—The peak cell rate in kilobits per second (kbps). It specifies the maximum value of the ABR. •MCR—The minimum cell rate in kilobits per second (kbps). It specifies the minimum value of the ABR. The ABR varies between the MCR and the PCR. It is dynamically controlled using congestion control mechanisms. |
CBR |
The following field is displayed when CBR is selected as the Bit Rate: •Rate—The constant bit rate (also known as the average cell rate) for the PVC in kilobits per second (kbps). An ATM VC configured for CBR can send cells at this rate for as long as required. |
UBR |
The following field is displayed when UBR is selected as the Bit Rate: •PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded. |
UBR+ |
The following fields are displayed when UBR+ is selected as the Bit Rate: •PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded. •MCR—The minimum guaranteed cell rate for output in kilobits per second (kbps). Traffic is always allowed to be sent at this rate. Note UBR+ requires Cisco IOS Software Release 12.4(2)XA or later, or version 12.4(6)T or later. |
VBR-NRT |
The following fields are displayed when VBR-NRT is selected as the Bit Rate: •PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded. •SCR—The sustained cell rate for output in kilobits per second (kbps). This value, which must be lower than or equal to the PCR, represents the maximum rate at which cells can be transmitted without incurring data loss. •MBS—The maximum burst cell size for output. This value represents the number of cells that can be transmitted above the SCR but below the PCR without penalty. |
VBR-RT |
The following fields are displayed when VBR-RT is selected as the Bit Rate: •Peak Rate—The peak information rate for realtime traffic in kilobits per second (kbps). •Average Rate—The average information rate for realtime traffic in kilobits per second (kbps). This value must be lower than or equal to the peak rate. •Burst—The burst size for realtime traffic, in number of cells. Configure this value if the PVC carries bursty traffic. These values configure traffic shaping between realtime traffic (such as voice and video) and data traffic to ensure that the carrier does not discard realtime traffic, for example, voice calls. |
|
|
Random Detect |
When selected, enables Weighted Random Early Detection (WRED) or VIP-distributed WRED (DWRED) on the PVC. When deselected, WRED and DWRED are disabled. This is the default. WRED is a queue management method that selectively drops packets as the interface becomes congested. See Tail Drop vs. WRED, page 13-102. |
Use the Protocol tab of the PVC dialog box to add, edit, or delete the protocol mappings configured for the PVC. You may configured static mappings or Inverse ARP (broadcast or nonbroadcast) for each PVC, but not both.
Note IP is the only protocol supported by Security Manager for protocol mapping on ATM networks. You cannot define protocol mappings on the Management PVC (ILMI).
Go to the PVC Dialog Box, then click the Protocol tab.
•PVC Advanced Settings Dialog Box
•Defining ATM PVCs, page 13-35
|
|
---|---|
IP Protocol Mapping |
Displays the IP protocol mappings configured for the PVC. |
Add button |
Opens the Define Mapping Dialog Box. From here you can define an IP protocol mapping. |
Edit button |
Opens the Define Mapping Dialog Box. From here you can edit the selected mapping. |
Delete button |
Deletes the selected mapping from the table. |
Use the Define Mapping dialog box to configure the IP protocol mappings to use on the ATM PVC. Mappings are required by the PVC to discover which IP address is reachable at the other end of a connection. Mappings can either be learned dynamically using Inverse ARP (InARP) or defined statically. Static mappings are best suited for simple networks that contain only a few nodes.
Note Inverse ARP is only supported for the aal5snap encapsulation type. See PVC Dialog Box—Settings Tab.
Tip Use the CLI or FlexConfigs to configure mappings for protocols other than IP.
Go to the PVC Dialog Box—Protocol Tab, then click Add or Edit.
•Defining ATM PVCs, page 13-35
|
|
---|---|
IP Options |
The type of IP protocol mapping to use: •IP Address—Select this option when using static mapping. Enter the address or the name of a network/host object, or click Select to select it. If the object that you want is not listed, click the Create button to create it. •InARP—Inverse ARP. Select this option when using dynamic mapping. This allows the PVC to resolve its own network addresses without configuring a static map. Dynamic mappings age out and are refreshed periodically every 15 minutes by default. Note InARP can be used only when aal5snap is the defined encapsulation type for the PVC. See PVC Dialog Box—Settings Tab. |
Broadcast Options |
Indicates whether to use this map entry when sending IP broadcast packets (such as EIGRP updates): •Broadcast—The map entry is used for broadcast packets. •No Broadcast—The map entry is used only for unicast packets. •None—Broadcast options are disabled. |
Use the PVC Advanced Settings dialog box to configure F5 Operation, Administration, and Maintenance (OAM) functionality on an ATM PVC. OAM is used to detect connectivity failures at the ATM layer.
For more information, see Defining OAM Management on ATM PVCs, page 13-37.
Go to the PVC Dialog Box, then click Advanced.
|
|
---|---|
OAM tab |
Defines loopback, connectivity check, and AIS/RDI settings. See PVC Advanced Settings Dialog Box—OAM Tab. |
OAM-PVC tab |
Enables OAM loopbacks and connectivity checks on the PVC. See PVC Advanced Settings Dialog Box—OAM-PVC Tab. |
Use the OAM tab of the PVC Advanced Settings dialog box to define:
•The number of loopback cell responses that move the PVC to the down or up state.
•The number of alarm indication signal/remote defect indication (AIS/RDI) cells that move the PVC to the down or up state.
•The number and frequency of segment/end continuity check (CC) activation and deactivation requests that are sent on this PVC.
For more information, see Defining OAM Management on ATM PVCs, page 13-37.
Note The settings defined in this tab are dependent on the settings defined in the OAM-PVC tab. See PVC Advanced Settings Dialog Box—OAM-PVC Tab.
Go to the PVC Advanced Settings Dialog Box, then click the OAM tab.
Use the OAM-PVC tab of the PVC Advanced Settings dialog box to enable loopback cells and connectivity checks (CCs) on the PVC. These functions test the connectivity of the virtual connection.
For more information, see Defining OAM Management on ATM PVCs, page 13-37.
Note Use the OAM tab to define additional settings related to the settings on this tab. See PVC Advanced Settings Dialog Box—OAM Tab.
Go to the PVC Advanced Settings Dialog Box, then click the OAM-PVC tab.
Use the PPP/MLP page to create, edit, and delete PPP connections on the router. For more information, see Defining PPP Connections, page 13-40.
•(Device view) Select Interfaces > Settings > PPP/MLP from the Policy selector.
•(Policy view) Select Router Interfaces > Settings > PPP/MLP from the Policy Type selector. Right-click PPP/MLP to create a policy, or select an existing policy from the Shared Policies selector.
•PPP on Cisco IOS Routers, page 13-39
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Interface |
The interface that is configured for PPP/MLP. |
Authentication |
The types of authentication used on the PPP connection. |
Authorization |
The method list used for AAA authorization on the PPP connection. |
Multilink |
Indicates whether Multilink PPP (MLP) is enabled on this PPP connection. |
Endpoint |
The type of default endpoint discriminator to use when negotiating the use of MLP with the peer. |
Multiclass |
Indicates whether the Multiclass Multilink PPP (MCMP) feature is enabled on this PPP connection. |
Group |
The number of the multilink-group interface to which the physical link is restricted. |
Interleave |
Indicates whether the PPP multilink interleave feature is enabled on this PPP connection. |
Add button |
Opens the PPP Dialog Box. From here you can define the authentication and multilink settings for the PPP connection. |
Edit button |
Opens the PPP Dialog Box. From here you can edit the selected PPP connection. |
Delete button |
Deletes the selected PPP connection from the table. |
Use the PPP dialog box to configure PPP connections on the router. When you configure a PPP connection, you can define the type of authentication and authorization to perform and define multilink parameters.
Go to the PPP/MLP Policy Page, then click the Add or Edit button beneath the table.
•Defining PPP Connections, page 13-40
|
|
---|---|
Interface |
The interface on which PPP encapsulation is enabled. Enter the name of an interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it. The following interface types support PPP: •Async •Group-Async •Serial •High-Speed Serial Interface (HSSI) •Dialer •BRI, PRI (ISDN) •Virtual template •Multilink You cannot define PPP on: •Subinterfaces. •Serial interfaces with Frame Relay encapsulation. •Virtual template interfaces defined as Ethernet or tunnel types (serial is supported). Note You can define only one PPP connection per interface. Note Deployment might fail if you define PPP on a virtual template that is also used in an 802.1x policy. See 802.1x Policy Page. |
PPP tab |
Defines the type of authentication and authorization to perform on the PPP connection. See PPP Dialog Box—PPP Tab. |
MLP tab |
Defines how to split and recombine sequential datagrams across multiple logical data links using Multilink PPP (MLP). See PPP Dialog Box—MLP Tab. This tab is greyed out and cannot be opened for devices that do not support the configuration settings. |
Use the PPP tab of the PPP dialog box to define the types of authentication and authorization to perform on the PPP connection.
Go to the PPP Dialog Box, then click the PPP tab.
|
|
---|---|
|
|
PPP Encapsulation |
When selected, indicates that PPP encapsulation is enabled for the selected interface. This field is read-only. |
Protocol |
The authentication protocols to use: •CHAP—Challenge-Handshake Authentication Protocol. •PAP—Password Authentication Protocol. •MS-CHAP—Version 1 of the Microsoft version of CHAP (RFC 2433). •MS-CHAP-2—Version 2 of the Microsoft version of CHAP (RFC 2759). •EAP—Extensible Authentication Protocol. You may select one or more authentication protocols, as required. |
Options |
The authentication options to use: •Call In—When selected, authentication is performed on incoming calls. •Call Out—When selected, authentication is performed on outgoing calls. •Call Back—When selected, authentication is performed on callback. •One Time—When selected, one-time passwords are used for authentication. One-time passwords are considered highly secure since each one is used only once. When deselected, one-time passwords are not used. Note AAA authentication must be enabled in order to use one-time passwords. See AAA Policy Page. One-time passwords cannot be used with CHAP. •Optional—When selected, allows a mobile station in a Packet Data Serving Node (PDSN) configuration to receive Simple IP and Mobile IP services without using CHAP or PAP. When deselected, mobile stations must use CHAP or PAP to receive Simple IP and Mobile IP services. |
Authenticate Using |
AAA authentication settings for the PPP connection: •PPP Default List—Defines a default list of methods to be queried when authenticating a user for PPP. Enter the names of one or more AAA server group objects (up to four) in the Prioritized Method List field, or click Select to select it. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. •Prioritized Method List—Defines a sequential list of methods to be queried when authenticating a user for this PPP connection only. Note Leave this field blank to perform authentication using the local database on the router. |
|
|
Username |
The username to send in PAP authentication requests. The username is case sensitive. |
Password |
The password to send in PAP authentication requests. Enter the password again in the Confirm field. The password can contain 1 to 25 uppercase or lowercase alphanumeric characters. The password is case sensitive. The username and password are sent if the peer requests the router to authenticate itself using PAP. |
Encrypted Password |
When selected, this indicates that the password you entered is already encrypted. When deselected, this indicates that the password you entered is in clear text. |
|
|
Hostname |
By default, the router uses its hostname to identify itself to the peer. If required, you can enter a different hostname to use for all CHAP challenges and responses. For example, use this field to specify a common alias for all routers in a rotary group. |
Secret |
The secret used to compute the response value for any CHAP challenge from an unknown peer. Enter the secret again in the Confirm field. |
Encrypted Secret |
When selected, this indicates that the password you entered is already encrypted. When deselected, this indicates that the password you entered is in clear text. |
|
|
Authorize Using |
AAA authorization settings for the PPP connection: •AAA Policy Default List—Uses the default authorization method list that is defined in the device's AAA policy. See AAA Policy Page. •Prioritized Method List—Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select it. Use the up and down arrows to define the order in which selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note Leave this field blank to perform authorization using the local database on the router. |
Use the MLP tab of the PPP dialog box to define Multilink PPP (MLP) parameters for the selected PPP connection.
Go to the PPP Dialog Box, then click the MLP tab.
Use the AAA page to define the default authentication, authorization, and accounting methods to use on the router. You do this by configuring method lists, which define which methods to use and the sequence in which to use them.
Note You can use the method lists defined in this policy as default settings when you configure AAA on the router's console port and VTY lines. See Console Policy Page and VTY Policy Page.
•(Device view) Select Platform > Device Admin > AAA from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.
•AAA on Cisco IOS Routers, page 13-44
•Understanding AAA Server and Server Group Objects, page 8-15
•"Router Platform User Interface Reference"
|
|
---|---|
Authentication tab |
Defines the login authentication methods to use and the sequence in which to use them. See AAA Page—Authentication Tab. |
Authorization tab |
Defines the types of network, EXEC, and command authorization to perform and the methods to use for each type. See AAA Page—Authorization Tab. |
Accounting tab |
Defines types of connection, EXEC, and command accounting to perform and the methods to use for each type. See AAA Page—Accounting Tab. |
Use the Authentication tab of the AAA page to define the methods used to authenticate users who access the device. Authentication methods are defined in a method list, which define the security protocols to use, such as RADIUS and TACACS+.
Note You can use the method list defined in this policy on the console and VTY lines that are used to communicate with the device. See Console Policy Page and VTY Line Dialog Box—Authentication Tab.
Go to the AAA Policy Page, then click the Authentication tab.
•Defining AAA Services, page 13-46
•Understanding Method Lists, page 13-45
•AAA Server Group Dialog Box, page F-6
•Predefined AAA Authentication Server Groups, page 8-19
Use the Authorization tab of the AAA page to define the type of authorization services to enable on the device and the methods to use for each type. Security Manager supports the following types of authorization:
•Network—Authorizes various types of network connections, such as PPP.
•EXEC—Authorizes the launching of EXEC sessions.
•Command—Authorizes the use of all EXEC mode commands that are associated with specific privilege levels.
Note You can use the method lists defined in this policy on the console and VTY lines that are used to communicate with the device. See Console Policy Page and VTY Line Dialog Box—Authentication Tab.
Go to the AAA Policy Page, then click the Authorization tab.
•Defining AAA Services, page 13-46
•Supported Authorization Types, page 13-44
•Understanding Method Lists, page 13-45
•AAA Server Group Dialog Box, page F-6
|
|
---|---|
|
|
Enable Network Authorization |
When selected, enables the authorization of network connections, such as PPP, SLIP, or ARAP connections, using the methods defined in the method list. When deselected, network authorization is not performed. |
Prioritized Method List |
Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Supported methods include RADIUS, TACACS+, Local, and None. Note RADIUS uses the same server for authentication and authorization. Therefore, if you use define a RADIUS method list for authentication, you must define the same method list for authorization. Note If you select None as a method, it must appear as the last method in the list. |
|
|
Enable CLI/EXEC Operations Authorization |
When selected, this type of authorization determines whether the user is permitted to open an EXEC (CLI) session, using the methods defined in the method list. When deselected, EXEC authorization is not performed. |
Prioritized Method List |
Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. |
|
|
Privilege Level |
The privilege level to which the command authorization definition applies. |
Prioritized Method List |
The method list to use when authorizing users with this privilege level. |
Add button |
Opens the Command Authorization Dialog Box. From here you can configure a command authorization definition. |
Edit button |
Opens the Command Authorization Dialog Box. From here you can edit the command authorization definition. |
Delete button |
Deletes the selected command authorization definitions from the table. |
Use the Command Authorization dialog box to define which methods to use when authorizing the EXEC commands that are associated with a given privilege level. This enables you to authorize all commands associated with a specific privilege level, from 0 to 15.
From the AAA Page—Authorization Tab, click the Add button beneath the Command Authorization table.
•Defining AAA Services, page 13-46
•Supported Authorization Types, page 13-44
•Understanding Method Lists, page 13-45
Use the Accounting tab of the AAA page to define the type of accounting services to enable on the device and the methods to use for each type. Security Manager supports the following types of accounting:
•Connection—Records information about all outbound connections made from this device.
•EXEC—Records information about user EXEC sessions on the devices, including the username, date, start and stop times, and the IP address.
•Command—Records information about the EXEC commands executed on the device by users with specific privilege levels.
In addition, you use the Accounting page to determine when accounting records should be generated and whether they should be broadcast to more than one AAA server.
Note You can use the method lists defined in this policy on the console and VTY lines that are used to communicate with the device. See Console Policy Page and VTY Line Dialog Box—Authentication Tab.
Go to the AAA Policy Page, then click the Accounting tab.
•Defining AAA Services, page 13-46
•Supported Accounting Types, page 13-45
•Understanding Method Lists, page 13-45
•AAA Server Group Dialog Box, page F-6
|
|
---|---|
|
|
Enable Connection Accounting |
When selected, enables the recording of information about outbound connections (such as Telnet) made over this device, using the methods defined in the method list. When deselected, connection accounting is not performed. |
Generate Accounting Records for |
Defines when the device sends an accounting notice to the accounting server: •Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the "start" accounting record. •Stop Only—Generates an accounting record at the end of the user process only. •None—Disables this type of accounting. |
Prioritized Method List |
Defines a sequential list of methods to be queried when creating connection accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. Supported methods include RADIUS and TACACS+. |
Enable Broadcast to Multiple Servers |
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group. When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list. |
|
|
Enable CLI/EXEC Operations Accounting |
When selected, enables the recording of basic information about user EXEC sessions, using the methods defined in the method list. When deselected, EXEC accounting is not performed. |
Generate Accounting Records for |
See description Table M-98 on page M-100. |
Prioritized Method List |
Defines a sequential list of methods to be queried when creating connection accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. |
Enable Broadcast to Multiple Servers |
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group. |
|
|
Privilege Level |
The privilege level to which the command authorization definition applies. |
Generate Accounting Records for |
The points in the process where the device sends an accounting notice to the accounting server. |
Enable Broadcast |
Whether accounting records are broadcast to multiple servers simultaneously. |
Prioritized Method List |
The method list to use when authorizing users with this privilege level. |
Add button |
Opens the Command Accounting Dialog Box. From here you can configure a command accounting definition. |
Edit button |
Opens the Command Accounting Dialog Box. From here you can edit the command accounting definition. |
Delete button |
Deletes the selected command accounting definitions from the table. |
Use the Command Accounting dialog box to define which methods to use when recording information about the EXEC commands that are executed for a given privilege level. Each accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the name of the user who executed it.
From the AAA Page—Accounting Tab, click the Add button beneath the Command Accounting table.
•Defining AAA Services, page 13-46
•Supported Accounting Types, page 13-45
•Understanding Method Lists, page 13-45
Use the Accounts and Credentials page to define the enable password or enable secret password assigned to the router. In addition, you can define a list of usernames that can be used to access the router.
For more information, see Defining Accounts and Credential Policies, page 13-48.
•(Device view) Select Platform > Device Admin > Accounts and Credentials from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Accounts and Credentials from the Policy Type selector. Right-click Accounts and Credentials to create a policy, or select an existing policy from the Shared Policy selector.
•User Accounts and Device Credentials on Cisco IOS Routers, page 13-48
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Enable Secret Password |
The enable secret password for entering privileged EXEC mode on the router. This option offers better security than the Enable Password option. The enable secret password can contain between 1-25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored. Question marks are also allowed. Note You can discover an encrypted password, but any password you enter must be in clear text. If you modify an encrypted password, it is saved as clear text. Note After you set an enable secret password, you can switch to an enable password only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. |
Enable Password |
The enable password for entering privileged EXEC mode on the router. The enable password can contain between 1-25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored. Question marks are also allowed. Note You must enter the password in clear text. |
Enable Password Encryption Service |
When selected, encrypts all passwords on the device, including the enable password (which is otherwise saved in clear text). For example, use this option to encrypt username passwords, authentication key passwords, console and VTY line access passwords, and BGP neighbor passwords. This command is primarily used for keeping unauthorized individuals from viewing your passwords in your configuration file. When deselected, device passwords are stored unencrypted in the configuration file. Note This option does not provide a high level of network security. You should also take additional network security measures. |
|
|
Username |
The username that can be used to access the router. The username must be a single word up to 64 characters in length. Spaces and quotation marks are not allowed. |
Encryption |
Indicates whether password information for the user is encrypted using MD5 encryption. |
Privilege Level |
The privilege level assigned to the user. |
Add button |
Opens the User Account Dialog Box. From here you can define a user account. |
Edit button |
Opens the User Account Dialog Box. From here you can edit the selected user. |
Delete button |
Deletes the selected user accounts from the table. |
Employ the User Account dialog box to define a username and password combination that can be used by Security Manager to access the router. You can also define the privilege level of the user account, which determines whether you can configure all commands on this router or only a subset of them.
Note Remember—there may be additional user accounts defined on the router using other methods, such as the CLI.
Go to the Accounts and Credential s Policy Page, then click the Add or Edit button beneath the table.
•Defining Accounts and Credential Policies, page 13-48
•User Accounts and Device Credentials on Cisco IOS Routers, page 13-48
•Understanding FlexConfig Policies and Policy Objects, page 18-1
Use the Bridging page to define bridge groups that can perform integrated routing and bridging on the router. For more information, see Defining Bridge Groups, page 13-51.
•(Device view) Select Platform > Device Admin > Bridging from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Bridging from the Policy Type selector. Right-click Bridging to create a policy, or select an existing policy from the Shared Policy selector.
•Bridging on Cisco IOS Routers, page 13-50
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Group Number |
The number that identifies the bridge group. |
Group Interfaces |
The interfaces and interface roles that are included in the bridge group. |
Add button |
Opens the Bridge Group Dialog Box. From here you can define a bridge group. |
Edit button |
Opens the Bridge Group Dialog Box. From here you can edit the bridge group. |
Delete button |
Deletes the selected bridge groups from the table. |
Use the Bridge Group dialog box to define bridge groups on the router. Each bridge group can contain multiple Layer 3 interfaces of various types, including serial interfaces.
Note All bridge groups use the standard Spanning Tree Protocol (IEEE 802.1D). Use CLI commands or FlexConfigs to bridge other protocols, such as AppleTalk or IPX, and to use other spanning tree protocols, such as VLAN-Bridge.
Go to the Bridging Policy Page, then click the Add or Edit button beneath the table.
•Defining Bridge Groups, page 13-51
•Bridging on Cisco IOS Routers, page 13-50
•Understanding Interface Role Objects, page 8-33
Use the Clock page to configure the time zone in which the router is located and the settings for Daylight Saving Time (DST). For more information, see Time Zone Settings on Cisco IOS Routers, page 13-52.
Tip You can configure the local time on the router by defining an NTP policy or by configuring the clock set command using the CLI.
•(Device view) Select Platform > Device Admin > Clock from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the CPU page to configure settings related to router CPU utilization, including the thresholds for sending log messages, the size of the CPU history table, and whether to enable automatic CPU Hog profiling.
For more information, see Defining CPU Utilization Settings, page 13-54.
•(Device view) Select Platform > Device Access > CPU from the Policy selector.
•(Policy view) Select Router Platform > Device Access > CPU from the Policy Type selector. Right-click CPU to create a policy, or select an existing policy from the Shared Policy selector.
•Syslog Logging Setup Policy Page
•"Router Platform User Interface Reference"
Use the HTTP page to configure HTTP and HTTPS access on the router. You can configure HTTP policies on a Cisco IOS router from the following tabs on the HTTP policy page:
For more information, see HTTP and HTTPS on Cisco IOS Routers, page 13-54.
•(Device view) Select Platform > Device Admin > Device Access > HTTP from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Right-click HTTP to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the Setup tab of the HTTP page to enable HTTP and HTTP over Secure Socket Layer (HTTP over SSL or HTTPS) on the router. You can optionally limit access to these protocols to the addresses defined in an access control list.
Note As a general rule, Cisco IOS routers that have been discovered by Security Manager already have HTTPS enabled because Security Manager uses SSL as the default protocol for communicating with them. See Setting Up SSL on Cisco IOS Routers, page 4-4.
Go to the HTTP Policy Page, then click the Setup tab.
•HTTP and HTTPS on Cisco IOS Routers, page 13-54
Use the AAA tab of the HTTP page to define the authentication and authorization methods to perform on users who attempt to access the router using HTTP or HTTPS.
Go to the HTTP Policy Page, then click the AAA tab.
•HTTP and HTTPS on Cisco IOS Routers, page 13-54
|
|
---|---|
Authenticate Using |
The type of authentication to use: •AAA—Performs AAA login authentication. •Enable Password—Uses the enable password configured on the router. This is the default. •Local Database—Uses the local username database configured on the router. •TACACS—Uses the TACACS or XTACACS server configured on the router. Applies only to devices using an IOS software version prior to 12.3(8) or 12.3(8)T. |
|
|
Enable Device Login Authentication |
Applies only when AAA is selected as the authentication method. When selected, authentication is based on the methods defined in the Prioritized Method List field. When deselected, the default authentication list defined in the router's AAA policy is used. See AAA Page—Authentication Tab. |
Prioritized Method List |
Applies only when the Enable Device Login Authentication check box is selected. Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
|
|
Enable CLI/EXEC Operations Authorization |
Applies only when AAA is selected as the authentication method. When selected, EXEC authorization is based on the methods defined in the Prioritized Method List field. This type of authorization determines whether the user is permitted to open an EXEC (CLI) session. When deselected, the default EXEC authorization list defined in the router's AAA policy is used. See AAA Page—Authorization Tab. Note If you leave this option deselected, make sure that EXEC authorization is enabled in the router's AAA policy. Otherwise, you will be unable to connect to the device via HTTP or HTTPS (SSL). This applies to Security Manager as well as other applications, such as SDM and the device's web interface. |
Prioritized Method List |
Applies only when the Enable CLI/EXEC Operations Authorization check box is selected. Defines a sequential list of methods to be queried when authorizing a user to open an EXEC (CLI) session. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
|
|
Privilege Level |
The privilege level to which the command authorization definition applies. |
Prioritized Method List |
The method list to use when authorizing users with this privilege level. |
Add button |
Opens the Command Authorization Override Dialog Box. From here you can configure a command authorization definition. |
Edit button |
Opens the Command Authorization Override Dialog Box. From here you can edit the command authorization definition. |
Delete button |
Deletes the selected command authorization definitions from the table. |
Use the Command Authorization Override dialog box to define which methods to use when authorizing the EXEC commands that are associated with a given privilege. This enables you to authorize all commands associated with a specific privilege level, from 0 to 15.
From the HTTP Page—AAA Tab, click the Add button beneath the Command Authorization Override table.
Use the Console page to configure access to the router over the console port. You can configure console policies on a Cisco IOS router from the following tabs on the Console policy page:
•Console Page—Authentication Tab
•Console Page—Authorization Tab
For more information, see Line Access on Cisco IOS Routers, page 13-57.
•(Device view) Select Platform > Device Admin > Device Access > Line Access > Console from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Device Access > Line Access > Console from the Policy Type selector. Right-click Console to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the Setup tab of the Console page to define the basic parameters of the console port. This includes the password for accessing the port, the privilege level assigned to users, the protocols that are permitted, and the ACLs that limit access.
Go to the Console Policy Page, then click the Setup tab.
•Console Page—Authentication Tab
•Console Page—Authorization Tab
•VTY Line Dialog Box—Setup Tab
|
|
---|---|
Password |
The password for accessing the console port. The password is case sensitive and can contain up to 80 alphanumeric characters. The first character cannot be a number. Spaces are not allowed. Enter the password again in the Confirm field. |
Privilege Level |
The privilege level assigned to users connected to the console port. Valid values range from 0 to 15: •0—Grants access to these commands only: disable, enable, exit, help, and logout. •1—Enables nonprivileged access to the router (normal EXEC-mode use privileges). •15—Enables privileged access to the router (traditional enable privileges). Note Levels 2-14 are not normally used in a default configuration, but custom configurations can be created by moving commands that are normally at level 15 to a lower level and commands that are normally at level 1 to a higher level. You can configure the privilege levels of commands using the CLI or by defining a FlexConfig. Note If you do not define a value, level 1 is assigned by default. This value does not appear in the device configuration. |
Disable all the EXEC sessions to the router via this line |
When selected, disables EXEC sessions over this line. Select this option when you want to allow only an outgoing connection on the console. This option is useful for keeping the console port free from unsolicited incoming data that can tie up the line. When deselected, EXEC sessions are enabled on the console port. This is the default. Note Selecting this option blocks all access to the device via the console port. |
Exec Timeout |
The amount of time (in seconds) that the EXEC command interpreter waits to detect user input on the console port. If no input is detected, the line is disconnected. Valid values range from 0 to 2147483. The default is 600 (10 minutes). Setting the value to 0 disables the timeout. Note Although the timeout is defined in seconds, it appears in the CLI in the format [mm ss]. |
Output Protocols |
The protocols that you can use for outgoing connections on the console port: •All—All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120. •None—No protocols are permitted. This makes the port unusable by outgoing connections. •Protocol—Enables one or more of the following protocols: –SSH—Secure Shell protocol. –Telnet—Standard TCP/IP terminal emulation protocol. –rlogin—UNIX rlogin protocol. Note SSH and rlogin require that you configure AAA authentication. See Console Page—Authentication Tab. Note Not all IOS Software Versions support rlogin as an output protocol. |
Inbound Access List |
The name of the ACL object that restricts incoming connections on the console port. Enter the name of the ACL object, or click Select to select it. If the object that you want is not listed, click the Create button to create it. |
Permit VRF Interface Connections |
Applies only when an inbound ACL is defined on the console port. When selected, accepts incoming connections from interfaces that belong to a VRF. When deselected, rejects incoming connections from interfaces that belong to a VRF. |
Outbound Access List |
The name of the ACL object that restricts outgoing connections on the console port. Enter the name of an ACL object, or click Select to select it. If the object that you want is not listed, click the Create button to create it. |
Use the Authentication tab of the Console page to define the AAA authentication methods to perform on users who attempt to access the console port.
Go to the Console Policy Page, then click the Authentication tab.
•Console Page—Authorization Tab
•VTY Line Dialog Box—Authentication Tab
|
|
---|---|
Authenticate Using |
Authentication settings for the console port: •None—Authentication is not performed. This is the default. •Local Database—Uses the local username database for authentication. •AAA Policy Default List—Uses the default authentication method list that is defined in the device's AAA policy. See AAA Page—Authentication Tab. •Custom Method List—Uses the authentication methods specified in the Authentication Method List field. Note If you select local authentication, preview the full configuration before deployment to make sure that the aaa new-model command is not configured by another policy (for example, by configuring a method list in the AAA policy) or is already configured on the device itself. |
Prioritized Method List |
Applies only when Custom Method List is selected as the authentication method. Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
Use the Authorization tab of the Console page to define the EXEC and command authorization methods to perform on users who access the console port.
Note You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 13-46.
Go to the Console Policy Page, then click the Authorization tab.
•Console Page—Authentication Tab
•VTY Line Dialog Box—Authorization Tab
|
|
---|---|
|
|
Authorize EXEC Operations Using |
The authorization method that determines whether a user is allowed to run an EXEC session: •None—Authorization is not performed. This is the default. •AAA Policy Default List—Uses the default authorization method list that is defined in the device's AAA policy. See AAA Page—Authorization Tab. •Custom Method List—Uses the authorization methods specified in the EXEC Method List field. |
Prioritized Method List |
Applies only when Custom Method List is selected as the EXEC method. Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. Note RADIUS uses the same server for authentication and authorization. Therefore, if you use define a RADIUS method list for authentication, you must define the same method list for authorization. |
|
|
Privilege Level |
The privilege level to which the command authorization definition applies. |
Prioritized Method List |
The method list to use when authorizing users with this privilege level. |
Add button |
Opens the Command Authorization Dialog Box—Line Access. From here you can configure a command authorization definition. |
Edit button |
Opens the Command Authorization Dialog Box—Line Access. From here you can edit the command authorization definition. |
Delete button |
Deletes the selected command authorization definitions from the table. |
Use the Accounting tab of the Console page to define the EXEC, connection, and command accounting methods to perform on users who access the console port.
Note You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 13-46.
Go to the Console Policy Page, then click the Accounting tab.
•Console Page—Authentication Tab
•Console Page—Authorization Tab
•VTY Line Dialog Box—Accounting Tab
|
|
---|---|
|
|
Perform EXEC Accounting Using |
The accounting method to use for recording basic information about user EXEC sessions: •None—Accounting is not performed. This is the default. •AAA Policy Default List—Uses the default EXEC accounting method list that is defined in the device's AAA policy. See AAA Page—Accounting Tab. •Custom Method List—Uses the accounting methods specified in the EXEC Method List field. EXEC accounting records basic details about EXEC sessions, such as the username, date, start and stop times, and the access server IP address. |
Generate Accounting Records for |
Applies only when Custom Method List is selected as the EXEC method. Defines when the device sends an accounting notice to the accounting server: •Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the "start" accounting record. This is the default. •Stop Only—Generates an accounting record at the end of the user process only. •None—No accounting records are generated. |
Prioritized Method List |
Applies only when Custom Method List is selected as the EXEC method. Defines a sequential list of methods to be queried when creating accounting methods for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
Enable Broadcast to Multiple Servers |
Applies only when Method List is selected as the EXEC method. When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group. When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list. |
|
|
Perform Connection Accounting Using |
The accounting method to use for recording information about outbound connections made over the console line: •None—Accounting is not performed. This is the default. •AAA Policy Default List—Uses the default connection accounting method list that is defined in the device's AAA policy. See AAA Page—Accounting Tab. •Custom Method List—Uses the accounting methods specified in the Connection Method List field. Connection accounting records details about outgoing connections over the line, such as Telnet and rlogin connections. |
Generate Accounting Records for |
Applies only when Custom Method List is selected as the connection method. Defines when the device sends an accounting notice to the accounting server: •Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the "start" accounting record. This is the default. •Stop Only—Generates an accounting record at the end of the user process only. •None—No accounting records are generated. |
Prioritized Method List |
Applies only when Custom Method List is selected as the connection method. Defines a sequential list of methods to be queried when creating accounting methods for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
Enable Broadcast to Multiple Servers |
Applies only when Custom Method List is selected as the connection method. When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group. When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list. |
|
|
Privilege Level |
The privilege level to which the command authorization definition applies. |
Generate Accounting Records for |
The points in the process where the device sends an accounting notice to the accounting server. |
Enable Broadcast |
Whether accounting records are broadcast to multiple servers simultaneously. |
Prioritized Method List |
The method list to use when authorizing users with this privilege level. |
Add button |
Opens the Command Accounting Dialog Box—Line Access. From here you can configure a command accounting definition. |
Edit button |
Opens the Command Accounting Dialog Box—Line Access. From here you can edit the command accounting definition. |
Delete button |
Deletes the selected command accounting definitions from the table. |
Use the VTY page to configure up to 16 VTY lines for remote access to the router. In addition to configuring individual lines, you can configure a group of lines that share the same definition.
For more information, see Line Access on Cisco IOS Routers, page 13-57.
•(Device view) Select Platform > Device Admin > Device Access > Line Access > VTY from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Device Access > Line Access > VTY from the Policy Type selector. Right-click VTY to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Line |
The relative line number of the VTY line. This field may also contain multiple VTY lines configured as a contiguous group. |
|
|
Input Protocols |
The protocols that you can use for incoming connections on the VTY line. |
Output Protocols |
The protocols that you can use for outgoing connections on the VTY line. |
Privilege Level |
The privilege level assigned to users. |
Exec Timeout |
The amount of time the EXEC command interpreter waits until user input is detected. |
Inbound ACL |
The ACL used to limit inbound traffic. |
Outbound ACL |
The ACL used to limit outbound traffic. |
Authentication |
The type of AAA authentication used. |
Authorization |
The types of AAA authorization used. |
Accounting |
The types of AAA accounting used. |
|
|
Add button |
Opens the VTY Line Dialog Box. From here you can define a VTY line or line group. |
Edit button |
Opens the VTY Line Dialog Box. From here you can edit the VTY line or line group. |
Delete button |
Deletes the selected VTY lines from the table. If you delete a VTY line from an IOS device, any subsequent lines are also deleted. For example, if the device contains lines 0-9 and you delete line 5, lines 6-9 are deleted as well. Note If you delete any of the default VTY lines (0-4) on the device, the input protocol settings are retained and the other default settings are restored. This helps prevent you from cutting off remote access to the device. |
Use the VTY Line dialog box to configure one or more VTY lines (up to 16) that enable remote users to access the router. When you configure a VTY line, you can define the type of authentication and authorization to perform on users who access the lines.
Go to the VTY Policy Page, then click the Add or Edit button beneath the table.
•Line Access on Cisco IOS Routers, page 13-57
|
|
---|---|
Setup tab |
Defines the basic configuration of the VTY line or line group. See VTY Line Dialog Box—Setup Tab. |
Authentication tab |
Defines the type of AAA authentication to perform on users who access the VTY line. See VTY Line Dialog Box—Authentication Tab. |
Authorization tab |
Defines the types of AAA authorization to perform on users who access the VTY line. See VTY Line Dialog Box—Authorization Tab. |
Accounting tab |
Defines the types of AAA accounting to perform on users who access the VTY line. See VTY Line Dialog Box—Accounting Tab. |
Use the Setup tab of the VTY Line dialog box to define the basic parameters of the VTY line. This includes the password for accessing the line, the privilege level assigned to users, the protocols that are permitted on the line, and the ACLs that limit access.
Go to the VTY Line Dialog Box, then click the Setup tab.
•Defining VTY Line Setup Parameters, page 13-60
•VTY Line Dialog Box—Authentication Tab
•VTY Line Dialog Box—Authorization Tab
•VTY Line Dialog Box—Accounting Tab
|
|
---|---|
Starting VTY Line Number |
The relative line number of the VTY line. If you are configuring a group of VTY lines, enter the number of the first line in the group. Valid values range from 0 to 15. Note Although different routers support a different number of VTY lines (from four to several thousand), Security Manager supports a maximum of 16 lines per device. You cannot configure the same line number more than once. |
Ending VTY Line Number |
Applies only when configuring a group of lines. The relative line number of the last VTY line in the group. Note When you configure a group of lines, all the lines in the group must fall within one of two ranges, 0-4 or 6-15. |
Password |
The password for accessing this VTY line. The password is case sensitive and can contain up to 80 alphanumeric characters. The first character cannot be a number. Spaces are not allowed. Enter the password again in the Confirm field. |
Privilege Level |
The privilege level assigned to users on this VTY line. Valid values range from 0 to 15: •0—Grants access to these commands only: disable, enable, exit, help, and logout. •1—Enables nonprivileged access to the router (normal EXEC-mode use privileges). •15—Enables privileged access to the router (traditional enable privileges). Note Levels 2-14 are not normally used in a default configuration, but custom configurations can be created by moving commands that are normally at level 15 to a lower level and commands that are normally at level 1 to a higher level. You can configure the privilege levels of commands using the CLI or by defining a FlexConfig. Note If you do not define a value, level 1 is assigned by default. This value does not appear in the device configuration. |
Disable all the EXEC sessions to the router via this line |
When selected, EXEC sessions are disabled over this line. Select this option when you want to allow only an outgoing connection on this line. This option is useful for keeping a particular line free from unsolicited incoming data that can tie up the line. When deselected, EXEC sessions are enabled over this line. This is the default. |
Exec Timeout |
The amount of time (in seconds) that the EXEC command interpreter waits to detect user input on the line. If no input is detected, the line is disconnected. Valid values range from 0 to 2147483. The default is 600 (10 minutes). Setting the value to 0 disables the timeout. Note Although the timeout is defined in seconds, it appears in the CLI in the format [mm ss]. |
Input Protocols |
The protocols that you can use for incoming connections on this line: •All—All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120. •None—No protocols are permitted. This makes the port unusable by incoming SSH, Telnet, and rlogin connections. Note Setting the input protocols setting to None might prevent Security Manager from connecting to the device after deployment. The device can still be managed using SSL, if SSL is enabled in the HTTP policy. See HTTP Page—Setup Tab. •Protocol—Enables one or more of the following protocols: –SSH—Secure Shell protocol. –Telnet—Standard TCP/IP terminal emulation protocol. –rlogin—UNIX rlogin protocol. Note SSH and rlogin require that you configure AAA authentication. See VTY Line Dialog Box—Authentication Tab. Note Not all IOS Software Versions support rlogin as an input protocol. |
Output Protocols |
The protocols that you can use for outgoing connections on this line: •All—All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120. •None—No protocols are permitted. This makes the port unusable by outgoing connections. •Protocol—Enables one or more of the following protocols: –SSH—Secure Shell protocol. –Telnet—Standard TCP/IP terminal emulation protocol. –rlogin—UNIX rlogin protocol. Note SSH and rlogin require that you configure AAA authentication. See VTY Line Dialog Box—Authentication Tab. Note Not all IOS Software Versions support rlogin as an output protocol. |
Inbound Access List |
The name of the ACL object that restricts incoming connections on this line. Enter the name of the ACL object, or click Select to select it. If the object that you want is not listed, click the Create button to create it. |
Permit VRF Interface Connections |
Applies only when an inbound ACL is defined on this line. When selected, accepts incoming connections from interfaces that belong to a VRF. When deselected, rejects incoming connections from interfaces that belong to a VRF. |
Outbound Access List |
The name of the ACL object that restricts outgoing connections on this line. Enter the name of the ACL object, or click Select to select it. If the object that you want is not listed, click the Create button to create it. |
Use the Authentication tab of the VTY Line dialog box to define the authentication methods to perform on users who attempt to access the selected VTY line or group of lines.
Go to the VTY Line Dialog Box, then click the Authentication tab.
•Defining VTY Line AAA Settings, page 13-62
•VTY Line Dialog Box—Setup Tab
•VTY Line Dialog Box—Authorization Tab
•VTY Line Dialog Box—Accounting Tab
•Console Page—Authentication Tab
|
|
---|---|
Authenticate Using |
Authentication settings for the VTY line: •None—Authentication is not performed. This is the default. •Local Database—Uses the local username database for authentication. •AAA Policy Default List—Uses the default authentication method list that is defined in the device's AAA policy. See AAA Page—Authentication Tab. •Custom Method List—Uses the authentication methods specified in the Prioritized Method List field. Note If you select local authentication, preview the full configuration before deployment to make sure that the aaa new-model command is not configured by another policy (for example, by configuring a method list in the AAA policy) or is already configured on the device itself. |
Prioritized Method List |
Applies only when Custom Method List is selected as the authentication method. Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
Use the Authorization tab of the VTY Line dialog box to define the EXEC and command authorization methods to perform on users who access the selected VTY line or group of lines.
Note You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 13-46.
Go to the VTY Line Dialog Box, then click the Authorization tab.
•Defining VTY Line AAA Settings, page 13-62
•VTY Line Dialog Box—Setup Tab
•VTY Line Dialog Box—Authentication Tab
•VTY Line Dialog Box—Accounting Tab
•Console Page—Authentication Tab
|
|
---|---|
|
|
Authorize EXEC Operations Using |
The authorization method that determines whether a user is allowed to run an EXEC session: •None—Authorization is not performed. This is the default. •AAA Policy Default List—Uses the default authorization method list that is defined in the device's AAA policy. See AAA Page—Authorization Tab. •Custom Method List—Uses the authorization methods specified in the Prioritized Method List field. |
Prioritized Method List |
Applies only when Custom Method List is selected as the EXEC method. Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. Note RADIUS uses the same server for authentication and authorization. Therefore, if you use define a RADIUS method list for authentication, you must define the same method list for authorization. |
|
|
Privilege Level |
The privilege level to which the command authorization definition applies. |
Prioritized Method List |
The method list to use when authorizing users with this privilege level. |
Add button |
Opens the Command Authorization Dialog Box—Line Access. From here you can configure a command authorization definition. |
Edit button |
Opens the Command Authorization Dialog Box—Line Access. From here you can edit the command authorization definition. |
Delete button |
Deletes the selected command authorization definitions from the table. |
Use the Accounting tab of the VTY Line dialog box to define the EXEC, connection, and command accounting methods to perform on users who access the selected VTY line or group of lines.
Note You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 13-46.
Go to the VTY Line Dialog Box, then click the Accounting tab.
•Defining VTY Line AAA Settings, page 13-62
•VTY Line Dialog Box—Setup Tab
•VTY Line Dialog Box—Authentication Tab
|
|
---|---|
|
|
Perform EXEC Accounting Using |
The accounting method to use for recording basic information about user EXEC sessions: •None—Accounting is not performed. This is the default. •AAA Policy Default List—Uses the default EXEC accounting method list that is defined in the device's AAA policy. See AAA Page—Accounting Tab. •Custom Method List—Uses the accounting methods specified in the Prioritized Method List field. EXEC accounting records basic details about EXEC sessions, such as the username, date, start and stop times, and the access server IP address. |
Generate Accounting Records for |
Applies only when Custom Method List is selected as the EXEC method. Defines when the device sends an accounting notice to the accounting server: •Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the "start" accounting record. This is the default. •Stop Only—Generates an accounting record at the end of the user process only. •None—No accounting records are generated. |
Prioritized Method List |
Applies only when Custom Method List is selected as the EXEC method. Defines a sequential list of methods to be queried when creating accounting methods for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
Enable Broadcast to Multiple Servers |
Applies only when Method List is selected as the EXEC method. When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group. When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list. |
|
|
Perform Connection Accounting Using |
The accounting method to use for recording information about outbound connections made over the VTY line: •None—Accounting is not performed. This is the default. •AAA Policy Default List—Uses the default connection accounting method list that is defined in the device's AAA policy. See AAA Page—Accounting Tab. •Custom Method List—Uses the accounting methods specified in the Prioritized Method List field. Connection accounting records details about outgoing connections over the line, such as Telnet and rlogin connections. |
Generate Accounting Records for |
Applies only when Custom Method List is selected as the connection method. Defines when the device sends an accounting notice to the accounting server: •Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the "start" accounting record. This is the default. •Stop Only—Generates an accounting record at the end of the user process only. •None—No accounting records are generated. |
Prioritized Method List |
Applies only when Custom Method List is selected as the connection method. Defines a sequential list of methods to be queried when creating accounting methods for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
Enable Broadcast to Multiple Servers |
Applies only when Custom Method List is selected as the connection method. When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group. When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list. |
|
|
Privilege Level |
The privilege level to which the command authorization definition applies. |
Generate Accounting Records for |
The points in the process where the device sends an accounting notice to the accounting server. |
Enable Broadcast |
Whether accounting records are broadcast to multiple servers simultaneously. |
Prioritized Method List |
The method list to use when authorizing users with this privilege level. |
Add button |
Opens the Command Accounting Dialog Box—Line Access. From here you can configure a command accounting definition. |
Edit button |
Opens the Command Accounting Dialog Box—Line Access. From here you can edit the command accounting definition. |
Delete button |
Deletes the selected command accounting definitions from the table. |
Use the Command Authorization dialog box to define which methods to use when authorizing the EXEC commands that are associated with a given privilege. This enables you to authorize all commands associated with a specific privilege level, from 0 to 15.
From the Console Page—Authorization Tab or the VTY Line Dialog Box—Authorization Tab, click the Add button beneath the Command Authorization table.
|
|
---|---|
Privilege Level |
The privilege level for which you want to define a command authorization list. Valid values range from 0 to 15. Note If you do not define a value, level 1 is assigned by default. This value does not appear in the device configuration. |
AAA Policy Default List |
Select this option to apply the default authorization list defined in the device's AAA policy to the EXEC commands associated with this privilege level. See Command Accounting Dialog Box. |
Custom Method List |
Select this option to define an authorization method list for this privilege level. |
Prioritized Method List |
Applies only when the Custom Method List option is selected. Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it. The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Note If you select None as a method, it must appear as the last method in the list. |
Use the Command Accounting dialog box to define which methods to use when recording information about the EXEC commands that are executed for a given privilege. Each accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the name of the user who executed it.
From the Console Page—Accounting Tab or the VTY Line Dialog Box—Accounting Tab, click the Add button beneath the Command Accounting table.
Use the Secure Shell page to change the default SSH settings on the router and to define additional optional settings, if required.
For more information, see Optional SSH Settings on Cisco IOS Routers, page 13-64.
Note You must configure SSH on the device using CLI commands before adding the device to Security Manager. This is because Security Manager uses SSH (as well as SSL) to communicate with Cisco IOS routers. For more information, see Setting Up SSH, page 4-5.
•(Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Right-click Secure Shell to create a policy, or select an existing policy from the Shared Policy selector.
•Chapter 4, "Preparing Devices for Management"
•"Router Platform User Interface Reference"
|
|
---|---|
SSH Version |
The version of SSH to use when connecting to the router: •1 and 2—SSH version 1 and SSH version 2. This is the default. •1—SSH version 1 only. •2—SSH version 2 only. |
Timeout |
The amount of time the router should wait for the SSH client to respond during the negotiation phase before disconnecting. The default value (and the maximum) is 120 seconds. Note After negotiation finishes and the EXEC session begins, the timeout configured for the VTY line applies. See VTY Line Dialog Box—Setup Tab. |
Authentication Retries |
The number of times the router attempts to authenticate SSH clients. Valid values range from 0 to 5. The default is 3. |
Source Interface |
The source address for all SSH packets sent to the SSH client. If you do not define a value in this field, the address of the closest interface to the destination (that is, the output interface through which SSH packets are sent) is used. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can define an interface role object. |
RSA Key Pair |
The name of the RSA key pair to use for SSH connections. If you do not enter a value, the router uses the RSA key pair generated from its hostname and domain name. This is the default. |
Regenerate Key During Deployment |
When selected, regenerates the RSA key pair on the router during the next deployment. This option is useful if you are concerned that the secrecy of the keys might be compromised. When deselected, a new key pair is not generated. Note This check box is not deselected automatically after deployment. If you do not return to this policy to deselect the check box, the key is regenerated each time you deploy. Note This option requires interaction with the device during deployment. Therefore, you should use it only when deploying to live devices, not when deploying to a file. Note A key pair must already exist on the device before you select this option; otherwise, deployment will fail. (This will typically be the case, since IOS routers must have SSH enabled in order to be added to Security Manager.) |
Modulus Size |
Applies only when the Regenerate Key check box is selected. The size of the modulus used to generate a new key pair. A larger modulus is more secure but takes longer to generate. Valid values range from 360 to 2048 bits. The default is 1024 bits. |
Use the SNMP page to configure the parameters necessary to send traps from the router to a designated SNMP host. These traps are unsolicited messages that notify the SNMP host of important events occurring on the router.
For more information, see Defining SNMP Agent Properties, page 13-66.
•(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Right-click SNMP to create a policy, or select an existing policy from the Shared Policy selector.
•SNMP on Cisco IOS Routers, page 13-66
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
|
|
Community String |
The community string used for accessing the router's MIB. |
Type |
The community string type—read-only or read-write. |
ACL |
The standard ACL that defines the IP addresses permitted to access the router's MIB. |
Add button |
Opens the Permission Dialog Box. From here you can enter the community string and type required to generate traps. |
Edit button |
Opens the Permission Dialog Box. From here you can edit the selected permissions profile. |
Delete button |
Deletes the selected permissions profiles from the table. |
|
|
Host IP Address |
The IP address of the SNMP host receiving the traps generated by the router. |
SNMP Version |
The SNMP version being used by the router. |
UDP Port |
The UDP port that is being used by the SNMP host. |
Add button |
Opens the Trap Receiver Dialog Box. From here you can define the SNMP host that receives the traps generated by the router. |
Edit button |
Open the Trap Receiver Dialog Box. From here you can edit the selected SNMP host. |
Delete button |
Deletes the selected SNMP hosts from the table. |
|
|
SNMP Server Properties |
The name and contact information of the system administrator responsible for the SNMP server/agent (that is, the router). The person managing the SNMP host can use this information when tracking down the source of unusual events. The maximum length of each of these properties is 255 characters, including spaces. Note The values entered in these fields are text-only and do not affect the operation of the router. |
Configure Traps button |
Opens a dialog box for selecting which SNMP traps the router should generate. See SNMP Traps Dialog Box. |
Use the Permission dialog box to define the community string and string type required by the SNMP policy. The community string is an embedded password for accessing the Management Information Base (MIB) that stores operational data about the router.
Go to SNMP Policy Page, then click the Add or Edit button beneath the Permissions table.
•Defining SNMP Agent Properties, page 13-66
•SNMP on Cisco IOS Routers, page 13-66
|
|
---|---|
Community String |
The community string for accessing the router's MIB. String length ranges from 1 to 128 characters. |
Access Control Lists |
Applies only to routers running Cisco IOS Software Release 12.3(2)T and up (T-train) or any 12.4 version. The standard ACL containing the IP addresses that can access the router's MIB. Defining an ACL provides an additional layer of security by limiting the source addresses that can make use of the community string. Enter the name of an ACL object, or click Select to display an Object Selectors, page F-205. If the standard ACL you want is not listed, click the Create button in the selector to create it. |
Read-Write |
This community string type provides read-write access to all objects in the MIB (except community strings). |
Read-Only |
This community string type provides read-only access to all objects in the MIB (except community strings). This is the default. |
Use the Trap Receiver dialog box to define the SNMP hosts that receive traps generated by the router. This includes defining the version of SNMP to use.
Go to the SNMP Policy Page, then click the Add or Edit button beneath the
Trap Receiver table.
•Defining SNMP Agent Properties, page 13-66
•SNMP on Cisco IOS Routers, page 13-66
|
|
---|---|
Host IP Address |
The IP address of the SNMP host receiving the traps generated by the router. Enter an IP address or the name of a network/host object, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here you can define a network/host object. |
SNMP Version |
The version of SNMP to use—version 1, version 2c, or version 3. |
Community String |
Applies only when version 1 or version 2c is selected. The password required to access the SNMP host. Enter the string again in the Confirm field. Note We recommend that you use one of the strings defined in the Permissions table as the password to the SNMP host. You may, however, enter a different password. String length ranges from 1 to 128 characters. Your entry does not appear in the Permissions table and is read-only. |
User Name |
Applies only when version 3 is selected. The password required to access the SNMP host. Enter the string again in the Confirm field. Note We recommend that you use one of the strings defined in the Permissions table as the password to the SNMP host. You may, however, enter a different password. String length ranges from 1 to 128 characters. Your entry does not appear in the Permissions table and is read-only. |
SNMPv3 Security |
Applies only when version 3 is selected. The level of security to apply to SNMP traffic: •No MD5, No DES—No packet authentication. •MD5 (auth)—MD5 authentication, but no encryption. •DES (priv)—MD5 authentication and DES encryption. |
UDP Port |
The port number for the SNMP host. The default is 162. Valid values range from 0 to 65535. |
Use the SNMP Traps dialog box to select the events in the router that should generate SNMP traps. To lessen possible degradation of system performance, select only those traps that are needed for network monitoring purposes.
Tip You can configure SNMP traps not included in this dialog box by defining FlexConfigs. For more information, see Understanding FlexConfig Policies and Policy Objects, page 18-1.
Go to the SNMP Policy Page, then click Configure Traps.
•Enabling SNMP Traps, page 13-67
•SNMP on Cisco IOS Routers, page 13-66
|
|
---|---|
Standard SNMP Traps |
Enables or disables standard SNMP traps. Options are: •Cold start—Sends a trap when the router reinitializes in a way that could change the configuration of the SNMP agent (or any other trap-receiving entity). •Warm start—Sends a trap when the router reinitializes in a way that does not change the configuration of the SNMP agent (or any other trap-receiving entity). •Authentication—Sends a trap if an SNMP request from the SNMP host fails because of an invalid community string. |
IPsec Traps |
Enables or disables individual IPsec-related traps. Options are: •Cryptomap—Sends a trap when a crypto map entry is added to, or removed from, the device's crypto map set. Additionally, this option sends a trap when a crypto map set is attached to, or detached from, an active interface. •Too Many SAs—Sends a trap if an attempt is made to create a security association (SA) when there is insufficient memory on the device. •Tunnel—Sends a trap when an IPsec Phase 2 tunnel becomes active or inactive. For more information, see Understanding IPsec Tunnel Policies, page 9-48. |
ISAKMP Traps |
Enables or disables individual Internet Security Association and Key Exchange Protocol (ISAKMP) traps. Options are: •Policy—Sends a trap when an ISAKMP policy is created or deleted. •Tunnel—Sends a trap when a Phase 1 IKE tunnel becomes active or inactive. For more information, see Understanding IKE, page 9-45. |
Other Traps |
Enables or disables additional SNMP traps. Options are: •Syslog—Sends syslog messages to the SNMP host. •TTY—Sends Cisco-specific notifications when a Transmission Control Protocol (TCP) connection closes. •BGP—Sends notifications when Border Gateway Protocol (BGP) state changes occur. See BGP Routing on Cisco IOS Routers, page 13-118. •IP Multicast—(Applicable to multicast routers only) Sends a trap if the router fails to receive a defined number of heartbeat packets from heartbeat sources within a defined time interval. •CPU—Sends a trap when CPU usage rises and remains above an upper threshold or falls and remains below a lower threshold. Note To implement the IP multicast and CPU traps, you must define additional command-line interface (CLI) commands (ip multicast heartbeat and cpu threshold, respectively) using FlexConfigs or the CLI. For more information about the ip multicast heartbeat command, see Cisco IOS IP Command Reference, Volume 3 of 3: Multicast. For more information about the cpu threshold command, see CPU Thresholding Notification. Both of these documents are available on Cisco.com. •HSRP—Sends Hot Standby Routing Protocol (HSRP) notifications. Note Most Cisco 800 Series routers do not support the HSRP trap. |
Select All button |
Enables all the SNMP traps displayed in the dialog box. |
Deselect All button |
Disables all the SNMP traps displayed in the dialog box. |
Use the DNS policy page to define the local IP host table and the Domain Name System (DNS) servers that the router should use for translating hostnames to IP addresses. You can also prevent the router from performing DNS lookups by disabling the DNS feature.
•(Device view) Select Platform > Device Admin > DNS from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > DNS from the Policy Type selector. Right-click DNS to create a policy, or select an existing policy from the Shared Policy selector.
•DNS on Cisco IOS Routers, page 13-68
•"Router Platform User Interface Reference"
|
|
---|---|
Servers |
The DNS servers used by the router to perform DNS lookups. Enter one or more addresses or network/host objects, or click Select to display an Object Selectors, page F-205. You can define a maximum of six DNS servers. If the address you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. |
Hosts |
The local host table configured on the router. When a user types in a hostname, the router checks this table first before querying the DNS servers defined in the Servers field. Click Add to display the IP Host Dialog Box. From here you can define a hostname and the IP addresses to associate with that hostname. Note To edit an entry in the host table, select it, then click Edit. To remove an entry, select it, then click Delete. |
Domain Lookup |
When selected, the router performs lookups on the defined DNS servers. This is the default. When deselected, lookups on remote DNS servers are disabled. |
Use the IP Host dialog box to configure the host table on the router. This is the table of static, local mappings that the router uses to translate hostnames to IP addresses. If the router does not find the required entry in the host table, it queries the DNS servers that are defined on the DNS page.
Go to the DNS Policy Page, then click Add under Hosts.
•DNS on Cisco IOS Routers, page 13-68
|
|
---|---|
Host Name |
The hostname to include in the router's local host table. |
Addresses |
The addresses to associate with the hostname. Enter one or more addresses or network/host objects, or click Select to display an Object Selectors, page F-205. You can define a maximum of three addresses per hostname. If the address you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. |
Use the Hostname page to define the hostname and domain name assigned to the router. For more information, see Defining Hostname Policies, page 13-70.
•(Device view) Select Platform > Device Admin > Hostname from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Hostname from the Policy Type selector. Right-click Hostname to create a policy, or select an existing policy from the Shared Policy selector.
•Hostnames and Domain Names on Cisco IOS Routers, page 13-70
•"Router Platform User Interface Reference"
Use the Memory page to define settings related to router memory, including:
•The amount of time to retain the memory log.
•The thresholds for available processor and I/O memory.
•The amount of memory reserved for critical log messages.
•Whether to perform sanity checks on buffers and queues.
•Whether to enable the "memory-allocation lite" feature.
For more information, see Defining Router Memory Settings, page 13-71.
•(Device view) Select Platform > Device Admin > Memory from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Memory from the Policy Type selector. Right-click Memory to create a policy, or select an existing policy from the Shared Policy selector.
•Memory Settings on Cisco IOS Routers, page 13-70
•Syslog Logging Setup Policy Page
•"Router Platform User Interface Reference"
Secure Device Provisioning (SDP) policies (formerly known as Easy Secure Device Deployment or EzSDD) enable you to configure a Cisco IOS router as a registrar. This is the SDP component that retrieves bootstrap configurations for petitioners, which are remote-site devices that are enrolling in the network security infrastructure. These devices uses the bootstrap configuration for first-time configuration purposes. The registrar also verifies the identity of the introducer, which is the user who introduces the petitioner to the registrar.
For more information, see Defining Secure Device Provisioning Policies, page 13-73.
•(Device view) Select Platform > Device Admin > Secure Device Provisioning from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Secure Device Provisioning from the Policy Type selector. Create a new policy or select an existing one.
•Secure Device Provisioning on Cisco IOS Routers, page 13-71
•Secure Device Provisioning Workflow, page 13-73
•Understanding AAA Server and Server Group Objects, page 8-15
•Understanding FlexConfig Policies and Policy Objects, page 18-1
|
|
---|---|
Introducer Authentication (AAA) |
The AAA server group that authenticates the username and password supplied by the introducer. Enter the name of a AAA server group object, or click Select to select it from a list or to create a new object. Note To configure a separate AAA server group for authenticating administrative introducers, see Configuring a AAA Server Group for Administrative Introducers, page 13-75. |
Petitioner Authentication |
The CA server that authenticates the identity of the petitioner: •Local CA Server—Select this option when the router itself is already configured to act as the CA server. Enter the name of the local CA in the field provided. Note If you have not configured the router as the CA server, enter the command Crypto pki server [name] using the CLI or FlexConfigs. This command is mandatory when you deploy an SDP policy configured with a local CA server. •Remote CA Server—Select this option when using an external CA server. Enter the name of a a PKI enrollment object, or click Select to select it from a list or to create a new object. For more information about PKI enrollment objects, see PKI Enrollment Dialog Box, page F-142. |
Introduction Page |
The source of the introduction page to display to the introducer after authorization is performed: •Use default introduction page—Uses a default page provided with Security Manager. •Specify introduction page URL—Uses the introduction page specified in the URL field. Supported protocols include: FTP, HTTP, HTTPS, null, NVRAM, RCP, SCP, system, TFTP, Webflash, and XMODEM. |
Bootstrap Configuration |
The source of the bootstrap configuration to provide to the petitioner for first-time configuration: •Non-Security Manager URL—Used when the bootstrap configuration is located externally to Security Manager. Enter its location in the URL field. If required, enter a username and password to access the server containing the bootstrap configuration. •Security Manager URL—Used when Security Manager is providing the bootstrap configuration. Enter information in the following fields: –FlexConfig—The FlexConfig that contains the basic CLI structure required to create the bootstrap configuration. Enter the name of a FlexConfig object, or click Select to display a selector. After selecting the FlexConfig, you must enter a username and password to access the Security Manager server that contains the FlexConfig. –Device name formula—The formula required by Security Manager to determine the device name of the petitioner from the username that the introducer supplied. Typically a fixed relationship exists between the username and the device name, which enables a formula like this to be established. The default formula is $n, which uses the introducer name to determine the device name. The device name is required to determine the configuration file that the petitioner should receive. If required, enter a username and password to access the server containing the bootstrap configuration. The password can contain alphanumeric characters, but cannot consist of a single digit. |
Use the DHCP policy page to define a DHCP server policy on the selected router. This includes specifying the address pools used by the DHCP server when assigning addresses to requesting clients.
For more information, see Defining DHCP Policies, page 13-78.
•(Device view) Select Platform > Device Admin > Server Access > DHCP from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Server Access > DHCP from the Policy Type selector. Right-click DHCP to create a policy, or select an existing policy from the Shared Policy selector.
•DHCP on Cisco IOS Routers, page 13-76
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
|
|
Database URL |
The URL of the external DHCP database agent. |
Timeout |
The amount of time to wait (in seconds) for a response from the external DHCP database agent before aborting a database transfer. |
Write Delay |
The interval (in seconds) between DHCP assignment updates sent to the external DHCP database agent. |
Add button |
Opens the DHCP Database Dialog Box. From here you can define a DHCP database agent. |
Edit button |
Opens the DHCP Database Dialog Box. From here you can edit the selected DHCP database agent. |
Delete button |
Deletes the selected DHCP database agents. |
|
|
Excluded IPs or IP Ranges |
The IP addresses and/or address ranges to exclude from DHCP. These addresses are not assigned by the DHCP server to DHCP clients requesting addresses. Enter one or more network addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. |
|
|
Name |
The name of the IP pool. |
Network |
The IP address and subnet mask of the IP pool. |
Default Router |
The IP addresses of the default routers used by DHCP clients. |
DNS Server |
The IP addresses of the DNS servers used by DHCP clients. |
NetBIOS (WINS) Server |
The IP addresses of the Windows Internet Naming Service (WINS) servers used by Microsoft DHCP clients. |
Domain Name |
The domain name for DHCP clients. |
Import All |
Indicates whether the remote DHCP server imports certain DHCP options from a centralized DHCP server. |
Secured ARP |
Indicates whether secured ARP is enabled on this IP pool to help prevent IP spoofing by unauthorized users. |
Lease |
The duration of the lease for each IP address assigned by the DHCP server from this IP pool. |
Option 150 |
The IP address of the TFTP server required by IP phones for configuration, as defined using DHCP option 150. |
Option 66 |
The IP address of the TFTP server required by IP phones for configuration, as defined using DHCP option 66. |
Add button |
Opens the IP Pool Dialog Box. From here you can define a DHCP IP address pool. |
Edit button |
Opens the IP Pool Dialog Box. From here you can edit the selected IP pool. |
Delete button |
Deletes the selected IP pools. |
|
|
Policy |
The policy that DHCP relay agents implement when they receive messages already containing relay information: •Drop—The relay agent discards messages with existing relay information if option-82 information is also present. •Keep—The relay agent retains existing relay information. •Replace—The relay agent overwrites existing information with its own relay information. |
Option |
When selected, enables DHCP Option 82 data insertion in message requests forwarded from the DHCP client to the server. DHCP Option 82 provides the DHCP server with both the switch and port ID of the requesting client. This option makes it possible to locate where a user is physically connected to the network and prevent spoofing. See Understanding DHCP Option 82, page 13-77. When deselected, DHCP Option 82 is disabled. |
Check |
When selected, DHCP Option 82 reply packets received from the DHCP server are validated. Invalid messages are dropped; valid messages are stripped of the option-82 field before being forwarded to the DHCP client. When deselected, the option-82 field is removed from the packet without being checked first for validity. |
Use the DHCP Database dialog box to define external DHCP database agents that contain the automatic bindings. Each database URL that you define must be unique.
For more information, see Understanding DHCP Database Agents, page 13-76.
Go to the DHCP Policy Page, then click the Add or Edit button beneath the Databases table.
•Defining DHCP Policies, page 13-78
•DHCP on Cisco IOS Routers, page 13-76
Use the IP Pool dialog box to define one or more address pools, which the DHCP server uses to assign dynamic addresses to DHCP clients. You must define at least one address pool, unless you have defined an external DHCP database agent.
Go to the DHCP Policy Page, then click the Add or Edit button beneath the IP Pools table.
•Defining DHCP Address Pools, page 13-79
•Understanding DHCP Database Agents, page 13-76
•DHCP on Cisco IOS Routers, page 13-76
|
|
---|---|
Pool Name |
The name of the IP pool. |
Network |
The IP address and subnet mask of the IP pool. This subnet contains the range of available IP addresses that the DHCP server may assign to clients. Enter an address and mask or the name of a network/host object, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here you can define a network/host object. |
Default Router Addresses |
The IP addresses of the default routers for DHCP clients using this IP pool. After a DHCP client is booted, it begins sending packets to this router, which should be located on the same subnet as the client. Enter up to eight (8) network addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. |
DNS Server Addresses |
The IP addresses of the DNS servers that DHCP clients using this IP pool should query when they need to correlate hostnames to IP addresses. Enter up to eight (8) network addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. |
NetBIOS (WINS) Server Addresses |
The IP addresses of the Windows Internet Naming Service (WINS) servers used by Microsoft DHCP clients to correlate hostnames to IP addresses within a general grouping of networks. Enter up to eight (8) network addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. |
Domain Name |
The domain name for DHCP clients using this IP pool. This name places these clients in the general grouping of networks that make up the domain. |
Import All |
When selected, enables remote DHCP servers to import specific DHCP options (such as the DNS server) from a centralized server. Use this option to enable configuration information to be updated automatically. When deselected, all DHCP options are local to this specific server. |
Secured ARP |
When selected, enables the DHCP Authorized ARP feature, which limits the leasing of IP addresses to authorized mobile users. This feature helps prevent IP spoofing by unauthorized users. See Understanding Secured ARP, page 13-78. When deselected, the DHCP Authorized ARP feature is disabled. Note This feature also disables dynamic ARP learning on an interface. |
Lease Never Expires |
When selected, the DHCP server permanently assigns IP addresses to its clients. When deselected, addresses are leased for a predefined amount of time, as defined in the Time Length field. |
Time Length (DD:HH:MM) |
Applies only when the Lease Never Expires check box is deselected. The duration of the lease provided to each IP address assigned from this IP pool (using the format DD:HH:MM). After the lease expires, the assigned IP address is no longer valid and is returned to the pool. |
Option 66 (IP Addresses) |
The IP address of the TFTP server used to provide configuration files to IP phones. These configuration files define parameters required by IP phones to connect to Cisco CallManager. Enter up to eight (8) network addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. Note This option is functionally similar to option 150. Either or both options may be used. |
Option 150 (IP Addresses) |
The IP address of the TFTP server used to provide configuration files to IP phones. These configuration files define parameters required by IP phones to connect to Cisco CallManager. Enter up to eight (8) network addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. Note This option is functionally similar to option 66. Either or both options may be used. |
Use the NTP page to define one or more NTP servers that the router can use for time synchronization. This includes enabling authentication, if required, and defining a global source interface for all traffic sent to these servers.
For more information, see Defining NTP Servers, page 13-80.
•(Device view) Select Platform > Device Admin > Server Access > NTP from the Policy selector.
•(Policy view) Select Router Platform > Device Admin > Server Access > NTP from the Policy Type selector. Right-click NTP to create a policy, or select an existing policy from the Shared Policy selector.
•NTP on Cisco IOS Routers, page 13-80
•"Router Platform User Interface Reference"
•Understanding Interface Role Objects, page 8-33
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Source Interface |
The source address for all packets sent to an NTP server. This setting might be necessary when the NTP server cannot respond to the address from which the packet originated (for example, due to a firewall). The source interface must have an IP address. If you do not define a value in this field, the address of the outgoing interface is used. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can define an interface role object. Note The source interface defined in this field is a global setting that you can override for individual NTP servers. For more information, see NTP Server Dialog Box. |
Enable NTP Authentication |
When selected, enables authentication using MD5 when connecting to an NTP server. When deselected, authentication is disabled. |
|
|
IP Address |
The IP address of the NTP server. |
Source Interface |
The source address for all packets sent to this NTP server. This setting overrides the global setting defined at the top of the page. |
Preferred |
Indicates whether this NTP server is preferred over other NTP servers of similar accuracy. Note By default, preferred servers are listed first in the table. |
Key Number |
The ID number of the key used for authentication with this NTP server. |
Trusted |
Indicates whether the authentication key defined for this NTP server is a trusted key. |
Add button |
Opens the NTP Server Dialog Box. From here you can define an NTP server. |
Edit button |
Opens the NTP Server Dialog Box. From here you can edit the selected NTP server. |
Delete button |
Deletes the selected NTP server from the table. If the key defined on the server you delete is not defined on a different NTP server, the key is also deleted. |
Use the NTP Server dialog box to define the address of an NTP server that the router can use to perform time synchronization. In addition, you can use this dialog box to define a default source interface for NTP packets sent to this server and authentication parameters.
Go to the NTP Policy Page, then click the Add or Edit button beneath the table.
•Defining NTP Servers, page 13-80
•NTP on Cisco IOS Routers, page 13-80
•Understanding Interface Role Objects, page 8-33
|
|
---|---|
IP Address |
The IP address of the NTP server. Enter an address or the name of a network/host object, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here, you can define a network/host object. |
Source Interface |
The source address for all packets sent to this NTP server. This setting might be necessary when the NTP server cannot respond to the address from which the packet originated (for example, due to a firewall). The source interface must have an IP address. If you do not define a value in this field and there is no global setting, the address of the outgoing interface is used. Note This setting overrides the global setting you defined on the NTP Policy Page. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can define an interface role object. |
Preferred |
When selected, this NTP server is preferred over other NTP servers of similar accuracy. If this server is used for synchronization, the time offset used to correct the local clock is calculated from this server only. Note If a different NTP server is significantly more accurate than the preferred server (for example, stratum 2 versus stratum 3), the router synchronizes to the more accurate server. When deselected, this NTP server is not given preference over other NTP servers of similar accuracy. The time offset used to correct the local clock is calculated by taking the combined offset of all NTP servers. We recommend that you configure an NTP server as preferred only when multiple servers have the same stratum and you can rely on the accuracy of the preferred server. |
Authentication Key |
The MD5 key that is used to authenticate associations with the NTP server. •Key Number—The ID number of the authentication key. Enter the key number or select a previously defined number from the list. •Key Value—An arbitrary string of up to 32 characters that defines the authentication key. Enter the string again in the Confirm field. •Trusted—When selected, this key authenticates the identity of systems attempting to synchronize with this server. When deselected, this key is not used for authentication. If you select a key number from the list and then change the key value, you are warned that saving this change affects any other NTP servers using the same authentication key. Note To use authentication, you must enable it from the NTP Policy Page. |
Use the 802.1x policy page to create policies that limit VPN access to authorized users. Authenticated traffic is allowed to pass through a designated physical interface on the router. Unauthenticated traffic is allowed to pass through a virtual interface to the Internet but is not allowed to access the VPN.
For more information, see Defining 802.1x Policies, page 13-85.
Note 802.1x policies require DHCP address pools in order to assign IP addresses to clients. You define these pools by defining a DHCP policy on the same router. See DHCP Policy Page.
•(Device view) Select Platform > Identity > 802.1x from the Policy selector.
•(Policy view) Select Router Platform > Identity > 802.1x from the Policy Type selector. Right-click 802.1x to create a policy, or select an existing policy from the Shared Policy selector.
•802.1x on Cisco IOS Routers, page 13-82
•Understanding AAA Server and Server Group Objects, page 8-15
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Understanding Interface Role Objects, page 8-33
•"Router Platform User Interface Reference"
|
|
---|---|
AAA Server Group |
The RADIUS AAA server group that authenticates the credentials of users trying to access a VPN tunnel. Enter the name of a AAA server group object, or click Add to display an Object Selectors, page F-205. If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-6. From here you can define a AAA server group object. Note Each AAA server in the selected group must be configured to communicate with an interface that exists on the router; otherwise, validation fails. |
Virtual Template |
Mandatory for all routers except Integrated Services Routers (ISRs). The untrusted, virtual interface that provides Internet access to unauthenticated traffic. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can create an interface role object. Note You do not need to configure a virtual template for ISRs, because they automatically use VLANs to provide access. If you do define a virtual template, however, it is used instead of the VLAN. Note Deployment might fail if PPP is defined on the virtual template defined here. See PPP Dialog Box. |
Interface |
The trusted, physical interface that provides VPN access to authenticated traffic. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can create an interface role object. Note The pattern defined in the interface role must represent only one physical interface on the selected device. This interface should be the internal protected interface that you configured as part of the VPN topology. For more information, see Endpoints Page, page G-7. |
Number of retries |
The number of times the physical interface resends an Extensible Authentication Protocol (EAP) request/identity frame to a client if a response is not received before restarting authentication. Valid values range from 1 to 10. The default is 2. Note You should change the default only to adjust for unusual circumstances, such as unreliable links or specific problems with certain clients and authentication servers. |
Control type |
The control state of the interface, which determines whether the host is granted access to the network. Options are: •Force Authorize—Disables 802.1x authentication and causes the interface to move to the authorized state without requiring any authentication exchange. This means the interface transmits and receives normal traffic without 802.1x-based authentication of the host. This is the default. •Auto—Enables 802.1x authentication and causes the interface to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the interface. If a host is successfully authenticated, the interface state changes to authorized, which enables all frames from the host through the interface. |
Enable client reauthentication |
When selected, enables periodic reauthentication of client PCs on the 802.1x interface. Reauthentication is performed after the interval defined in the Client reauthentication period timeout field. The default period is 3600 seconds (1 hour). When deselected, periodic reauthentication is not performed. |
Client reauthentication period timeout |
Applies only when the Enable client reauthentication check box is selected. The number of seconds between client reauthentication attempts. Valid values range from 1 to 65535 seconds. The default is 3600 seconds (1 hour). |
Quiet period |
The amount of time the router remains in a quiet state after a failed authentication exchange with the client. Authentication exchanges might fail, for example, because the client provided an invalid password. Valid values range from 1 to 65535 seconds. The default is 120 seconds. Note Entering a value smaller than the default provides a faster response time to the user. |
Rate Limit period |
The interval after which the interface throttles the EAP-Start packets it receives from malfunctioning client PCs. Use this setting, called rate limiting, to prevent these clients from wasting router processing power. Valid values range from 1 to 65535 seconds. By default, rate limiting is disabled. Note To disable an existing rate limit, delete the value defined in this field and leave the field blank. |
AAA Server timeout |
The number of seconds the router waits before retransmitting packets to the AAA server. If the router sends an 802.1x packet to the AAA server and the server does not respond, the router sends another packet after this interval elapses. Valid values range from 1 to 65535 seconds. The default is 30 seconds. |
Supplicant period |
The number of seconds the router waits before retransmitting EAP-Request/Identity packets to the supplicant (client PC). If the router sends an EAP-Request/Identity packet to the client PC (supplicant) and the supplicant does not respond, the router sends the packet again after this interval elapses. Valid values range from 1 to 65535 seconds. The default is 30 seconds. |
Network Admission Control (NAC) policies enable Cisco IOS routers acting as network access devices (NADs) to enforce access privileges when an endpoint tries to connect to a network. Access decisions are made on the basis of information provided by the endpoint device, such as its current antivirus state, thus keeping insecure nodes from infecting the network.
You can configure NAC policies on a Cisco IOS router from the following tabs on the Network Admission Control policy page:
•Network Admission Control Page—Setup Tab
•Network Admission Control Page—Interfaces Tab
•Network Admission Control Page—Identities Tab
For more information, see Network Admission Control on Cisco IOS Routers, page 13-86.
•(Device view) Select Platform > Identity > Network Admission Control from the Policy selector.
•(Policy view) Select Router Platform > Identity > Network Admission Control from the Policy Type selector. Right-click Network Admission Control to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the Network Admission Control Setup tab to select the Cisco Secure Access Control Servers used for authentication during the NAC process, as well as to define the EAP over UDP settings for communications between the NAD and the client seeking access to the network.
Go to the Network Admission Control Policy Page, then click the Setup tab.
•Defining NAC Setup Parameters, page 13-89
•Network Admission Control Page—Interfaces Tab
•Network Admission Control Page—Identities Tab
•Understanding AAA Server and Server Group Objects, page 8-15
|
|
---|---|
AAA Server Group |
The AAA server group used for NAC authentication. You must select a server group consisting of Cisco Secure Access Control Server (ACS) devices running the RADIUS protocol. Enter the name of a AAA server group object, or click Select to display an Object Selectors, page F-205. If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-6. From here you can define a AAA server group object. Note Each AAA server in the selected group must be configured to communicate with an interface that exists on the router; otherwise, validation fails. |
Backup AAA Server Group 1 |
The backup AAA server group in case the AAA servers in the main group are down. |
Backup AAA Server Group 2 |
The secondary backup AAA server group in case the AAA servers in the main group and the first backup group are down. |
|
|
Allow IP Station ID |
When selected, enables an IP address to be included in the calling-station-id field of RADIUS requests sent to the ACS. When deselected, IP addresses are not included in the calling-station-id field of RADIUS requests sent to the ACS. |
Allow Clientless |
When selected, enables devices that do not have the Cisco Trust Agent (CTA) installed to be authenticated through the use of a username and password configured on the ACS. If you select this check box, enter the username and password (including confirmation) in the fields provided. When deselected, NAC prevents devices lacking the CTA from accessing the network, if their traffic matches the intercept ACL (see NAC Interface Configuration Dialog Box). Note This feature is not supported on routers running Cisco IOS Software Release 12.4(6)T or later. |
Max Retry |
The maximum number of retries that all NAC interfaces on this router should make when initiating an EAP over UDP session with a connecting device. Valid values range from 1 to 3. The default is 3. Note You can override this global value on a specific interface, if required. See Network Admission Control Page—Interfaces Tab. |
Rate Limit |
The number of EAP over UDP posture validations that the router can handle simultaneously. Additional devices cannot be validated until one or more devices drop off. Valid values range from 1 to 200. The default is 20. If you set this value to 0, rate limiting is turned off. |
Port |
The UDP port to use for EAP over UDP sessions. Valid values range from 1 to 65535. The default is 21862. Note For NAC to work, the default ACL on this router must permit UDP traffic over the port designated here for EAP over UDP traffic. For more information, see Working with Access Rules, page 11-17. |
Enable Logging |
When selected, EAP over UDP events on this router are logged to the device. When deselected, EAP over UDP logging is disabled. This is the default. |
Use the Network Admission Control Interfaces tab to select and configure the router interfaces on which to perform NAC. This includes configuring the Intercept ACL and selected EoU interface parameters. A NAC policy must include at least one interface definition in order to function.
Go to the Network Admission Control Policy Page, then click the Interfaces tab.
•Defining NAC Interface Parameters, page 13-90
•Network Admission Control Page—Setup Tab
•Network Admission Control Page—Identities Tab
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Interfaces |
The name of the interface on which NAC is being performed. |
Intercept ACL |
The name of the Intercept ACL, which determines the incoming traffic that triggers the interface to make a posture validation check. |
EoU Max Retries |
The maximum number of retries that this interface should perform when it initializes an EoU session with a connecting device. |
Revalidate |
Indicates whether the interface revalidates its EoU sessions to make sure they are still active. |
Add button |
Opens the NAC Interface Configuration Dialog Box. From here you can define a NAC interface. |
Edit button |
Opens the NAC Interface Configuration Dialog Box. From here you can edit the selected NAC interface. |
Delete button |
Deletes the selected NAC interfaces from the table. |
Use the NAC Interface Configuration dialog box to add or edit the router interfaces on which NAC is being performed.
Go to the Network Admission Control Page—Interfaces Tab, then click the Add or Edit button beneath the table.
•Defining NAC Interface Parameters, page 13-90
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Creating Interface Role Objects, page 8-34
•Creating Access Control List Objects, page 8-23
|
|
---|---|
Interface |
The interface that will perform NAC on connecting devices. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to create it. |
Intercept ACL |
The ACL that defines the traffic requiring posture validation. Enter the name of an ACL object, or click Add to display an Object Selectors, page F-205. If the ACL you want is not listed, click the Create button in the selector to create it. Note If an authentication proxy is configured on the same interface as NAC, the same Intercept ACL must be used in both policies. Otherwise, deployment may fail. For more information about authentication proxies, see Configuring Settings for AAA (IOS), page 11-44. |
EAP over UDP Max Retries |
The maximum number of times that the router should try to initiate an EoU session with a connecting device. Valid values range from 1 to 3. The default is 3. Note Subinterfaces support the default value only. |
Enable EoU Session Revalidation |
When selected, the router revalidates its EoU sessions as required. This is the default. When deselected, EoU session revalidation is not performed. Note Subinterfaces support the default value only. |
Use the Network Admission Control Identities tab to view, create, edit, and delete NAC identity profiles and identity actions. Identity profiles define a specific action to perform on traffic received from selected devices, as identified by their IP address, MAC address, or device type. In this way, devices with identity profiles are handled by NAC without having to undergo posture validation against an ACS.
Go to the Network Admission Control Policy Page, then click the Interfaces tab.
•Defining NAC Identity Parameters, page 13-91
•Network Admission Control Page—Setup Tab
•Network Admission Control Page—Interfaces Tab
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
|
|
Profile Definition |
The type of identity profile—device IP address, MAC address, or device type (IP phone). |
Action Name |
The name of the action (defined in the Identity Actions table) that is assigned to this NAC identity profile. |
Add button |
Opens the NAC Identity Profile Dialog Box. From here you can define an identity profile. |
Edit button |
Opens the NAC Identity Profile Dialog Box. From here you can edit a selected identity profile. |
Delete button |
Deletes the selected identity profiles from the table. |
|
|
Action Name |
The name of the identity action. |
ACL |
The ACL applied to profiles to which this identity action is assigned. |
Redirect URL |
The URL to which traffic from devices to which this identity action is assigned are redirected. |
Add button |
Opens the NAC Identity Action Dialog Box for defining a NAC identity action. |
Edit button |
Opens the NAC Identity Action Dialog Box for editing a selected NAC identity action. |
Delete button |
Deletes the selected identity actions from the table. |
Use the NAC Identity Profile dialog box to add or edit the NAC profiles assigned to devices that match a specific identity. Identity profiles define a NAC action to apply to all traffic coming from a specific device, based on its IP address, MAC address, or device type (for IP phones).
Go to the Network Admission Control Page—Identities Tab, then click the Add or Edit button beneath the Identity Profiles table.
•NAC Identity Action Dialog Box
•Defining NAC Identity Parameters, page 13-91
|
|
---|---|
Action Name |
The name of the action to assign to the profile. Enter the name of an action, or click Select to display a selector. For more information about creating actions, see NAC Identity Action Dialog Box. |
Profile Definition |
The device to which this profile is assigned: •IP Address—The IP address of the device to which this profile should be assigned. The same IP address cannot be used in more than one profile. •MAC Address—The MAC address of the device to which this profile should be assigned. •Cisco IP Phone—Used when defining a NAC identity profile for Cisco IP phones. |
Use the NAC Identity Action dialog box to add or edit the actions assigned to NAC identity profiles.
Go to the Network Admission Control Page—Identities Tab, then click the Add or Edit button beneath the Identity Actions table.
•NAC Identity Profile Dialog Box
•Defining NAC Identity Parameters, page 13-91
•Creating Access Control List Objects, page 8-23
|
|
---|---|
Name |
A descriptive name for the identity action. Use this name when you select an action to assign to a NAC identity profile. See NAC Identity Profile Dialog Box. |
Access Control Lists |
The ACL that defines how to handle traffic received from a device which is assigned a profile that includes this action. Enter the name of an ACL object, or click Add to display an Object Selectors, page F-205. If the ACL you want is not listed, click the Create button in the selector to create it. Note You cannot select the same ACL object that is being used for the intercept ACL. See NAC Interface Configuration Dialog Box. |
Redirect URL |
The address of the remediation server to which traffic from the device should be redirected. Redirect URLs are usually of the form http://URL or https://URL. |
Use the Syslog Logging Setup page to enable syslog logging and define basic logging parameters on the selected Cisco IOS router.
For more information, see Defining Syslog Logging Setup Parameters, page 13-93.
Note We strongly recommend that you define an NTP policy on all routers on which logging is enabled in order to create accurate timestamps for each log message. For more information, see NTP Policy Page.
Note If you unassign a logging setup policy, the default logging configuration is restored on the device upon deployment.
•(Device view) Select Platform > Logging > Syslog Logging Setup from the Policy selector.
•(Policy view) Select Router Platform > Logging > Syslog Logging Setup from the Policy Type selector. Right-click Syslog Logging Setup to create a policy, or select an existing policy from the Shared Policy selector.
•Logging on Cisco IOS Routers, page 13-92
•NTP on Cisco IOS Routers, page 13-80
•"Router Platform User Interface Reference"
•Understanding Interface Role Objects, page 8-33
|
|
---|---|
Enable Logging |
When selected, syslog logging is enabled on the device. When deselected, logging is disabled on the device. This is the default. |
Source Interface |
The source address for all outgoing log messages sent to a syslog server. This setting may be necessary when the syslog server cannot respond to the address from which the log message originated (for example, due to a firewall). If you do not define a value in this field, the address of the outgoing interface is used. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can define an interface role object. |
Trap |
Defines which log messages are forwarded to a syslog server: •Enable Trap—When selected, log messages are sent to the syslog server. This is the default. When deselected, log messages are not sent. •Trap Level—The lowest severity level of messages that are logged and sent to the syslog server. All messages of this severity and greater are logged. Severity levels are identified by a name and a number. For more information, see Table 13-5 on page 13-96. |
Logging Buffer |
Defines whether log messages are saved locally to a buffer on the device. •Enable Buffer—When selected, log messages are saved to a buffer on the device. This is the default. When deselected, a log buffer is not maintained on the device. •Buffer Size—The size of the buffer in bytes. Valid values range from 4096 to 4294967295 bytes (4 kilobytes to 4 gigabytes). The default size varies by platform. Make sure not to make the buffer so large that the router runs out of memory for other tasks; otherwise, deployment might fail. Note The maximum buffer size might be smaller on some devices. •Severity Level—The lowest severity level of messages that are saved in the buffer. All messages of this severity and greater are saved. On most Cisco IOS routers, the default severity level is 7 (debugging). Severity levels are identified by a name and a number. For more information, see Table 13-5 on page 13-96. •Use XML Format—When selected, log messages are saved to a buffer in XML format. (You can configure both the regular buffer and the XML buffer in the same policy.) When deselected, an XML buffer is not maintained on the device. •Buffer Size—The size of the XML buffer in bytes. Valid values range from 4096 to 4294967295 bytes (4 kilobytes to 4 gigabytes). Note The maximum buffer size might be smaller on some devices. |
Rate Limit |
Limits the rate of log messages sent to the syslog server. •Enable Rate Limit—When selected, the rate limit is enabled. When deselected, the rate limit is disabled. •Messages per Sec.—The maximum number of logging messages that can be sent per second. Valid values range from 1 to 10000. The default is 10 messages per second. •Exclude—The types of messages to exclude from the rate limit. This setting excludes the severity level you select as well as all messages with a lower severity level number (that is, more severe). The default is 3 (errors), which excludes all log messages with a severity level of 3, 2 (critical), 1 (alerts), or 0 (emergencies) from the rate limit. For more information about severity levels, see Table 13-5 on page 13-96. •All Messages—When selected, the rate limit applies to all messages except console messages. •Console Messages—When selected, the rate limit applies to console messages only. |
Origin ID |
The origin identifier that is added to the beginning of all syslog messages sent from this device to the remote syslog server. The origin identifier is useful in cases where you send output from multiple devices to a single syslog server. •ID Type—The type of origin identifier added to the beginning of each syslog message. Options are: –IP Address—The IP address of the source device. –Hostname—The hostname of the source device. –String—User-defined text. •Value—Applies only when you select String as the ID type. Enter the text of the user-defined string. Spaces are permitted, except for the first character. Note The origin identifier is not added to messages sent to local destinations, such as the buffer, the console, and the monitor. |
Use the Syslog Servers page to create, edit, and delete servers that collect log messages from the router.
For more information, see Defining Syslog Servers, page 13-95.
Note To enable logging to the syslog servers defined on this page, you must enable logging and define basic parameters on the Syslog Logging Setup Policy Page.
•(Device view) Select Platform > Logging > Syslog Servers from the Policy selector.
•(Policy view) Select Router Platform > Logging > Syslog Servers from the Policy Type selector. Right-click Syslog Servers to create a policy, or select an existing policy from the
Shared Policy selector.
•Logging on Cisco IOS Routers, page 13-92
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
IP Address |
The name of the syslog server, as represented by a network/host object, or its IP address. |
XML |
Indicates whether the syslog server receives log messages in XML format. |
Add button |
Opens the Syslog Server Dialog Box. From here you can define a syslog server. |
Edit button |
Opens the Syslog Server Dialog Box. From here you can edit the selected syslog server. |
Delete button |
Deletes the selected syslog server from the table. |
Use the Syslog Server dialog box to define the server that collects syslog messages from the router. You can also define whether the log messages it receives are in XML format or plain text.
Note To enable logging to the syslog servers defined on this page, you must enable logging and define basic parameters on the Syslog Logging Setup Policy Page.
Go to the Syslog Servers Policy Page, then click the Add or Edit button beneath the table.
•Defining Syslog Servers, page 13-95
•Logging on Cisco IOS Routers, page 13-92
•Understanding Network/Host Objects, page 8-65
|
|
---|---|
IP Address |
The IP address of the syslog server. Enter an IP address or the name of a network/host object, or click Select to display an Object Selectors, page F-205. If the network/host object you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here you can define a network/host object. |
Forward Messages in XML Format |
When selected, log messages are sent to the syslog server in XML format. When deselected, log messages are sent to the syslog server as plain text. |
Use the NetFlow page to enable NetFlow recording and define its parameters on the selected Cisco IOS router.
The NetFlow page consists of two tabbed panels: Setup and Interfaces. The Setup tab provides global configuration parameters for NetFlow collection on the router. The Interfaces tab lists router interfaces for which NetFlow data collection is configured, and allows enabling and disabling ingress and egress accounting on a per-interface basis.
Note We strongly recommend that you define an NTP policy on all routers on which logging is enabled in order to create accurate timestamps for each log message. For more information, see NTP Policy Page.
•(Device view) Select Platform > Logging > NetFlow from the Policy selector.
•(Policy view) Select Router Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click NetFlow to create a new policy.
•NetFlow on Cisco IOS Routers, page 13-96
•Defining NetFlow Parameters, page 13-97
•Adding and Editing NetFlow Interface Settings
•Logging on Cisco IOS Routers, page 13-92
•NTP on Cisco IOS Routers, page 13-80
|
|
---|---|
|
|
Primary Destination |
Choose IP Address or Hostname to enable NetFlow data collection on this router, and to enable related configuration fields, used to specify the primary NetFlow collector. •IP Address - Enter the IP address of the device hosting the primary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535) •Hostname - Enter the fully qualified domain name of the device hosting the primary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535) |
Redundant Destination |
Choose IP Address or Hostname to specify a secondary NetFlow collector. Transmission of NetFlow data to this collector takes place regardless of whether the Primary Destination is enabled or disabled. •IP Address - Enter the IP address of the device hosting the secondary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535) •Hostname - Enter the fully qualified domain name of the device hosting the secondary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535). |
Source Interface |
The router interface through which flow data will be transmitted to the collector destination(s). Enter an interface name, or click Select to display an Object Selectors, page F-205 dialog box where you can select from a list of available interfaces. |
Version |
Choose a NetFlow version number from this drop-down list to define the record format used for flow data. You can choose the blank entry to disable NetFlow data collection. •Primary Destination - Choose IP Address or Hostname from this list to enable NetFlow collection and to specify how the primary NetFlow collector will be defined. You can choose the blank entry to disable this option. –IP Address - Enter the IP address of the device hosting the primary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector. –Hostname - Enter the fully qualified domain name of the device hosting the primary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector. •Redundant Destination - Choose IP Address or Hostname from this list to specify how the back-up NetFlow collector will be defined. You can choose the blank entry to disable this option. –IP Address - Enter the IP address of the device hosting the secondary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector. –Hostname - Enter the fully qualified domain name of the device hosting the secondary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector. Note If you define a Primary and a Redundant Destination, flow data is transmitted to both. •Source Interface - Specify the router interface through which flow data will be transmitted to the collector destination(s). •Version - Define the record format to be used for flow data by choosing the appropriate NetFlow version number from this drop-down list. You can choose the blank entry to disable this option. –1 - The original record format. No additional parameters are required. –5 - The most widely adopted format; includes Border Gateway Protocol (BGP) autonomous system (AS) information and flow sequence numbers. If BGP is configured on your network, you can include either origin or peer AS information in the NetFlow records. Choose origin-as or peer-as from the AS Type drop-down list. You can choose the blank entry to disable this option. |
Version (cont.) |
Check Enable BGP Nexthop to include BGP next hop information in the flow caches. (Note that with version 5, this information is visible in the caches, but it is not exported.) Check Enable BGP Nexthop to include BGP next hop information in the flow records. Note AS information collection is resource intensive, especially for origin-as. If you are not interested in monitoring peering arrangements, disabling AS collection may improve performance. |
|
|
Interface |
The names of the interfaces on which NetFlow collection is configured. |
Enable Ingress |
"Enabled" indicates flow recording is enabled on this interface for incoming traffic; "Disabled" indicates incoming traffic is not recorded for this interface. |
Enable Egress |
"Enabled" indicates flow recording is enabled on this interface for outgoing traffic; "Disabled" indicates outgoing traffic is not recorded for this interface. |
Add Row |
Click this button to open the Add NetFlow Interface Settings dialog box. Adding a NetFlow interface is described in Adding and Editing NetFlow Interface Settings. |
Edit Row |
Click this button to open the Edit NetFlow Interface Settings dialog box for the selected interface. Editing NetFlow interfaces is described in Adding and Editing NetFlow Interface Settings. |
Delete Row |
Click this button to delete the selected interface. You will be asked to confirm the deletion. |
Use the Add NetFlow Interface Settings and Edit NetFlow Interface Settings dialog boxes to enable and disable NetFlow ingress and egress reporting for specific router interfaces.
Note Except for their titles, these two dialog boxes are identical. The following information applies to both.
Go to the NetFlow Policy Page, then click the Add Row or Edit Row button beneath the table.
•Defining NetFlow Parameters, page 13-97
•Logging on Cisco IOS Routers, page 13-92
|
|
---|---|
Interface |
The name of the interface. Enter an interface ID, or click Select to display an Object Selectors, page F-205 dialog box where you can select from a list of available interfaces. |
Enable Ingress Accounting |
When this option is selected, NetFlow records are collected for traffic arriving on this interface. Deselect this option to halt data collection on this interface for incoming traffic. |
Enable Egress Accounting |
When this option is selected, NetFlow records are collected for traffic departing from this interface. Deselect this option to halt data collection on this interface for outgoing traffic. |
Use the Quality of Service page to view, create, and edit QoS classes on specific interfaces of the selected device or on the control plane. QoS policies enable you to define techniques for managing the delay, delay variation (jitter), bandwidth, and packet loss parameters on a network. In addition, you can use the Quality of Service page to configure hierarchical shaping on an interface as an alternative to configuring shaping parameters for individual QoS classes.
For more information, see Quality of Service on Cisco IOS Routers, page 13-99.
•(Device view) Select Platform > Quality of Service from the Policy selector.
•(Policy view) Select Router Platform > Quality of Service from the Policy Type selector. Create a new policy or select an existing policy from the Shared Policy selector.
•Defining QoS Policies, page 13-108
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Apply To |
The router component on which to define the QoS policy: •Interfaces—Configures QoS classes on specific interfaces. •Control Plane—Configures QoS on the router control plane. See Understanding Control Plane Policing, page 13-107. Note If you configure QoS on both the interfaces and the control plane of the same device, only the control plane configuration is deployed. |
Interface Table |
If you are defining classes on interfaces, the upper table lists the interfaces on which you are defining QoS classes. The direction column indicates the direction of traffic through the interface to which the classes apply (Output or Input). The classes you can define vary based on the direction. The other fields indicate whether you defined shaping on the interface, and if shaping is defined, the type of hierarchical shaping (average or peak), the committed information rate (CIR), and the sustained and excess burst size. For detailed information about the attributes, see QoS Policy Dialog Box. •To add an interface to the table, click the Add button. •To edit the settings for an interface, select it and click the Edit button. •To delete an interface, select it and click the Delete button. |
QoS Classes Table |
The classes defined for the interface selected in the upper table, or for the control plane. Each row represents a separate class. The No. column indicates the order of the classes, and is very important: QoS is applied to packets on a first-match basis, based on class order. The Default Class column indicates whether this class is the default for all packets on the interface that do not match the criteria of the other defined classes. Make this the last class in the list. The remaining columns indicate the match criteria for the class, and the packet marking, queuing and congestion avoidance, policing, and shaping defined for the class, if any. For detailed information about the attributes, see QoS Class Dialog Box. •To add class to the table, click the Add button. •To edit the settings for a class, select it and click the Edit button. •To delete a class, select it and click the Delete button. •To change the order of a class, select it and click the Up and Down arrow buttons to reposition it. |
Use the QoS Policy dialog box to select an interface on which you want to define QoS parameters. In addition, you can use this dialog box to configure a single set of shaping parameters for all the traffic on the selected interface (known as hierarchical shaping). Using hierarchical shaping eliminates the need to configure shaping parameters for each QoS class defined on the interface.
Note This dialog box is not applicable when defining a QoS policy on the control plane. For more information, see Defining QoS on the Control Plane, page 13-110.
After you create your QoS interface definitions, you can define one or more QoS classes for each interface. For more information, see QoS Class Dialog Box.
Go to the Quality of Service Policy Page, then click the Add or Edit button beneath the upper table to define a QoS interface definition.
•Defining QoS Policies, page 13-108
•Quality of Service on Cisco IOS Routers, page 13-99
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Understanding Interface Role Objects, page 8-33
|
|
---|---|
Interface |
The interface on which QoS is defined. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can create an interface role object. |
Direction |
The direction of the traffic on which to configure QoS: •Output—Traffic that exits the interface. •Input—Traffic that enters the interface. |
|
|
Enable Shaping |
When selected, configures hierarchical traffic shaping on the selected interface. When deselected, hierarchical shaping is not used. Note Shaping can be performed only on output traffic. |
Type |
The type of shaping to perform: •Average—Limits the data rate for each interval to the sustained burst rate (also known as the Committed Burst rate or Bc), achieving an average rate no higher than the committed information rate (CIR). Additional packets are buffered until they can be sent. •Peak—Limits the data rate for each interval to the sustained burst rate plus the excess burst rate (Be). Additional packets are buffered until they can be sent. |
CIR |
The average data rate (also known as the committed information rate or CIR). You can define this amount by: •Percentage—Valid values range from 0 to 100% of the overall available bandwidth. •Bit/sec—Valid values range from 8000 to 1000000000 bits per second, and must be in multiples of 8000. Although data bursts during an interval may exceed this rate, the average data rate over any multiple integral of the interval will not exceed this rate. |
Sustained Burst |
The normal burst size. If you select average as the shaping type, data bursts during an interval are limited to this value. The range of valid values is determined by the CIR: •When the CIR is defined by percentage—Valid values range from 10 to 2000 milliseconds. •When the CIR is defined by an absolute value—Valid values range from 1000 to 154400000 bytes, in multiples of 128 bytes. Note We recommend that you leave this field blank when the CIR is defined by an absolute value. This allows the algorithms used by the device to determine the optimal sustained burst value. |
Excess Burst |
The excess burst size. If you select peak as the shaping type, data bursts during an interval can equal the sum of the sustained burst value plus this value. The average data rate over multiple intervals, however, will continue to conform to the CIR. The range of valid values is determined by the CIR: •When the CIR is defined by percentage—Valid values range from 10 to 2000 milliseconds. •When the CIR is defined by an absolute value—Valid values range from 1000 to 154400000 bytes, in multiples of 128 bytes. Note If you do not configure this field when the CIR is defined by an absolute value, the sustained burst value is used. |
Use the QoS Class dialog box to create or edit a QoS class on a selected interface or control plane of a Cisco IOS router. You can define up to 16 classes on a single interface and 256 classes for the device as a whole.
Note QoS is applied to packets on a first-match basis. The router examines the table of QoS classes starting from the top and applies the properties of the first class whose matching criteria matches the packet. Therefore, it is important that you define and order your classes carefully. The default class should be placed last to prevent traffic that matches a specific class from being treated as unmatched traffic.
Go to the Quality of Service Policy Page. Complete the options at the top of the page, then do one of the following:
•To create a QoS class, select an interface from the upper table, then click the Add button beneath the QoS Class table. When creating a QoS class for the control plane, just click the Add button beneath the table.
•To edit a QoS class:
–Select the interface whose class you want to edit from the upper table (Not required when selecting the control plane.).
–Select the relevant class defined for that interface in the QoS Classes table. (Not required when selecting the control plane.)
–Click the Edit button under the QoS Class table.
•Defining QoS Policies, page 13-108
•Defining QoS on Interfaces, page 13-108
•Defining QoS on the Control Plane, page 13-110
|
|
---|---|
Set as Default Class |
When selected, enables you to define the default class for all traffic that does not match the other QoS classes on this interface. When deselected, enables you to define a specific QoS class on this interface. Note When you define the default class, you do not configure any matching parameters; by definition the class consists of all traffic that does not match any of the other classes. Therefore, the Matching tab is disabled. |
Matching tab |
Defines the traffic that is included in this QoS class. See QoS Class Dialog Box—Matching Tab. |
Marking tab |
Marks the traffic in this class so that downstream devices can properly identify it. See QoS Class Dialog Box—Marking Tab. |
Queuing and Congestion Avoidance tab |
Defines how to queue the output traffic in this class. See QoS Class Dialog Box—Queuing and Congestion Avoidance Tab. |
Policing tab |
Limits the traffic flow for this class to a configured rate. See QoS Class Dialog Box—Policing Tab. |
Shaping tab |
Controls the flow of output traffic for this class so that it conforms with the requirements of downstream devices. See QoS Class Dialog Box—Shaping Tab. |
Note When you configure a QoS policy on the control plane, only the Matching tab and Policing tab are available.
Use the Matching tab of the QoS Class dialog box to define which traffic over the selected interface is considered to be part of this class.
Note When you define the default class, the Matching tab is disabled.
Go to the QoS Class Dialog Box, then click the Matching tab.
•Defining QoS Class Matching Parameters, page 13-111
•Defining QoS on Interfaces, page 13-108
•Defining QoS on the Control Plane, page 13-110
•Quality of Service Policy Page
•Creating Access Control List Objects, page 8-23
|
|
---|---|
Match Method |
The traffic matching option used for this class: •Any—Assigns traffic matching any of the defined class map criteria to this QoS class. •All—Assigns only traffic matching all of the defined class map criteria to this QoS class. |
Protocol |
One or more protocols included in this class map. Click Add to display a selector. Select one or more items from the Available Protocols list, then click >> to add them to the Selected Protocols list. The only protocol available for the control plane is ARP; ARP and CDP are not available for input classes configured on an interface. When you finish, click OK to return to the QoS Class dialog box. Your selections are displayed in the Protocol field. Note To remove a protocol from the QoS class, select it from the Protocol field, then click Delete. |
Precedence |
One or more IP Precedence (IPP) values included in this class map. Click Add to display a selector. Select one or more items from the Available Precedences list, then click >> to add them to the Selected Precedences list. Note For more information about IP precedence values, see Table 13-6 on page 13-101. When you finish, click OK to return to the QoS Class dialog box. Your selections are displayed in the Precedence field. Note To remove an IPP value from the QoS class, select it from the Precedence field, then click Delete. |
DSCP |
One or more Differentiated Services Code Point (DSCP) values included in this class map. Click Add to display a selector. Select one or more items (up to eight) from the Available DSCPs list, then click >> to add them to the Selected DSCPs list. When you finish, click OK to return to the QoS Class dialog box. Your selections are displayed in the DSCP field. Note To remove a DSCP value from the QoS class, select it from the DSCP field, then click Delete. |
ACL |
The ACLs that are used for defining which traffic requires QoS. Enter one or more ACL objects, or click Select to display an Object Selectors, page F-205. For more information, see Edit ACLs Dialog Box—QoS Classes. Use the up and down arrows to order the ACLs in the list. We recommend that you place frequently used ACLs at the top of the list to optimize the matching process. |
When configuring a QoS policy on a Cisco IOS router, use the Edit ACLs dialog box to specify which ACLs should be included in the matching criteria for the selected class. Traffic matching this criteria is included as part of the class.
Go to the QoS Class Dialog Box—Matching Tab, then click Edit in the ACL field.
•Defining QoS Class Matching Parameters, page 13-111
•Defining QoS on Interfaces, page 13-108
•Defining QoS on the Control Plane, page 13-110
•Quality of Service Policy Page
|
|
---|---|
Access Control Lists |
The ACLs to include as part of the matching criteria for the selected QoS class. Enter the names of the ACLs or click Select to use an Object Selectors, page F-205. For more information, see Creating Access Control List Objects, page 8-23. |
Select button |
Opens an Object Selectors, page F-205 for selecting ACLs. Using the selector eliminates the need to manually enter this information. If the ACL you want is not listed, click the Create button in the selector to create it. |
Use the Marking tab of the QoS Class dialog box to classify packets. Traffic policers and shapers use these classifications to ensure adherence to the contracted level of service. Downstream devices use this classification to identify the packets and apply the appropriate QoS functions to them.
Note The Marking tab is unavailable when you define a QoS policy on the control plane.
Go to the QoS Class Dialog Box, then click the Marking tab.
•Defining QoS Class Marking Parameters, page 13-113
•Defining QoS on Interfaces, page 13-108
•Defining QoS on the Control Plane, page 13-110
•Quality of Service Policy Page
Use the Queuing and Congestion Avoidance tab of the QoS Class dialog box to perform Class-Based Weighted Fair Queuing (CBWFQ) on the output traffic in the selected QoS class. Queuing prioritizes traffic and manages congestion on your network by determining the order in which packets are sent out over an interface. Queuing and congestion avoidance applies only to interface classes for output traffic.
The fields displayed in the Queuing tab depend on whether you are defining a specific QoS class or the default class (by selecting Set as Default Class), and also by the type of router and the Cisco IOS software version.
Go to the QoS Class Dialog Box, then click the Queuing and Congestion Avoidance tab.
•Defining QoS Class Queuing Parameters, page 13-114
•Defining QoS on Interfaces, page 13-108
•Defining QoS on the Control Plane, page 13-110
•Quality of Service Policy Page
|
|
---|---|
Enable Queuing and Congestion Avoidance |
Whether to configure queuing and congestion avoidance properties in the QoS class. |
Priority (Non-default classes only.) |
Configure low-latency queuing (LLQ) in this class to ensure that priority traffic, such as voice traffic, receives the defined bandwidth (see Low-Latency Queuing, page 13-103). Specify the amount of bandwidth allocated to high-priority traffic on this interface by: •Percentage—Valid values range from 0 to 100%. •Kbit/sec—Valid values range from 8-2000000 kilobits per second. Note You can define this option for one class only per interface. If you select this option, the Shaping tab is disabled. |
Fair Queue Number of Dynamic Queues (Default class only.) |
Configure class-based weighted fair queuing in this class. If the device is running an IOS software version lower than 12.4(20)T, you must specify the number of dynamic queues to reserve for this class. You should base your number on the available bandwidth of the interface. You can specify a number between 16 and 4096 that is a power to 2. For information on the default number of queues the device uses, see Default Class Queuing, page 13-104. Available bandwidth is evenly distributed among the queues unless you configure a queue limit. |
Bandwidth |
Configure the minimum bandwidth to guarantee to this class. You can define this amount by: •Percentage—Valid values range from 0 to 100% of the total available bandwidth. •Kbit/sec—Valid values range from 8-2000000 kilobits per second. |
Enable Fair Queue (Non-default class only.) |
When you configure bandwidth for a non-default class, whether to also enable class-based weighted fair queuing (CBWFQ). The device calculates the number of queues to configure based on the available bandwidth, and distributes the bandwidth evenly among the queues unless you configure a queue limit. This option is available only for Aggregation Services Routers (ASR) and for routers running 12.4(20)T and higher. |
Queue Limit |
The maximum number of packets that can be queued for the class. Any additional packets are dropped using tail drop until the congestion is gone. This is the default option for limiting queue size unless Weighted Random Early Detection (WRED) is configured. |
WRED Weight for Mean Queue Depth |
The exponential weight factor to use to calculate the average queue size. Use this option when defining WRED instead of tail drop (queue limit) for this class. When the queue size exceeds the value determined by this weight factor, WRED randomly discards packets until the transmitting protocol decreases its transmission rate to ease congestion. Exponent values range from 1 to 16. The default is 9. This option is best suited for protocols like TCP, which respond to dropped packets by decreasing the transmission rate. We recommend that you do not change the default unless you determine that your applications would benefit from the change. |
Use the Policing tab of the QoS Class dialog box to configure rate limits on the traffic in a selected QoS class. Excess traffic is either dropped or transmitted with a different (typically lower) priority.
Go to the QoS Class Dialog Box, then click the Policing tab.
•Defining QoS Class Policing Parameters, page 13-115
•Defining QoS on Interfaces, page 13-108
•Defining QoS on the Control Plane, page 13-110
•Quality of Service Policy Page
|
|
---|---|
Enable Policing |
When selected, enables you to configure Class-Based Policing to control the maximum rate of traffic for this class. Security Manager uses a two-token bucket algorithm, which includes a defined violate action that is performed when neither bucket can accommodate the incoming packet. When deselected, disables all policing options for the selected QoS class. |
CIR |
The average data rate (also known as the committed information rate or CIR). You can define this amount by: •Percentage—Valid values range from 0 to 100% of the overall available bandwidth. •Bit/sec—Valid values range from 8000 to 2000000000 bits per second. In the token bucket algorithm, this rate represents the token arrival rate for filling both token buckets. Traffic that falls under this rate always conforms. Note When you configure Understanding Control Plane Policing, page 13-107, you must define the CIR in bits per second. |
Conform Burst |
The normal burst size, which determines how large traffic bursts can be before some traffic exceeds the rate limit. In the token bucket algorithm, it represents the full size of the first (conform) token bucket. The range of valid values is determined by the CIR: •When the CIR is defined by percentage—Valid values range from 1 to 2000 milliseconds. •When the CIR is defined by an absolute value—Valid values range from 1000-512000000 bytes. |
Excess Burst |
The excess burst size, which determines how large traffic bursts can be before all traffic exceeds the rate limit. In the token bucket algorithm, it represents the full size of the second (exceed) token bucket. The range of valid values is determined by the CIR: •When the CIR is defined by percentage—Valid values range from 1 to 2000 milliseconds. •When the CIR is defined by an absolute value—Valid values range from 1000-512000000 bytes. |
Conform action |
The action to take on packets that conform to the rate limit: •transmit—Transmits the packet. •set-prec-transmit—Sets the IP precedence to a value you specify (0 to 7) and then sends the packet. Not available on the control plane. •set-dscp-transmit—Sets the DSCP to a value you specify (0 to 63) and then sends the packet. Not available on the control plane. •drop—Drops the packet. |
Exceed action |
The action to take on packets that exceed the rate limit, but can be handled using the second (exceed) token bucket. The actions available for selection depend on the defined conform action. For example, if you select one of the set options as the conform action, you cannot select transmit as the exceed action. If you select drop as the conform action, then you must also select drop as the exceed action. |
Violate action |
The action to take on packets that cannot be serviced by either the conform bucket or the exceed bucket. The actions available for selection depend on the defined exceed action. For example, if you select one of the set options as the exceed action, you cannot select transmit as the violate action. If you select drop as the exceed action, then you must also select drop as the violate action. |
Use the Shaping tab of the QoS Class dialog box to control the rate of output traffic for the selected QoS class. Shaping typically delays excess traffic by using a buffer, or queuing mechanism, to hold packets and shape the flow when the data rate of the source is higher than expected.
Note The Shaping tab is unavailable when you define a QoS policy on the control plane, use hierarchical shaping on the interface, define a QoS class for input traffic, or perform queuing on priority traffic.
Go to the QoS Class Dialog Box, then click the Shaping tab.
•Defining QoS Class Shaping Parameters, page 13-117
•Defining QoS on Interfaces, page 13-108
•Defining QoS on the Control Plane, page 13-110
•Quality of Service Policy Page
Border Gateway Protocol (BGP) is an exterior gateway protocol (EGP) that performs routing between multiple autonomous systems or domains and exchanges routing and reachability information with other BGP systems. BGP is used to exchange routing information on the Internet and is the protocol used between Internet service providers.
You can configure BGP routing policies from the following tabs on the BGP Routing page:
For more information, see BGP Routing on Cisco IOS Routers, page 13-118.
•(Device view) Select Platform > Routing > BGP from the Policy selector.
•(Policy view) Select Router Platform > Routing > BGP from the Policy Type selector. Right-click BGP to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the BGP Setup tab to define the number of the autonomous system (AS) in which the selected router is located. You must then define which networks are included in the AS and which networks are the internal and external neighbors of the router. Additionally, you can enable or disable options that govern the interaction between BGP and Interior Gateway Protocols (IGPs), such as OSPF and EIGRP. Use a third option to enable the logging of messages from BGP neighbors.
Go to the BGP Routing Policy Page, then click the Setup tab.
•Defining BGP Routes, page 13-118
•Specifying IP Addresses During Policy Definition, page 8-68
•Understanding Network/Host Objects, page 8-65
|
|
---|---|
AS Number |
The number of the autonomous system in which the router is located. Valid values range from 1 to 65535. This number enables a BGP routing process. |
Networks |
The networks associated with the BGP route. Enter one or more network addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here you can define a network/host object. Note To remove a network from the route, select it from the Network field, then click Delete. |
Neighbors |
The internal neighbors (those located in the same AS as the router) and external neighbors (located in different ASs) of the router. See Neighbors Dialog Box. |
Auto-Summary |
When selected, automatic summarization is enabled. When a subnet is redistributed from an IGP (such as RIP, OSPF or EIGRP) into BGP, this BGP version 3 feature injects only the network route into the BGP table. Automatic summarization reduces the size and complexity of the routing table that the router must maintain. When deselected, automatic summarization is disabled. This is the default. |
Synchronization |
When selected, synchronization is enabled. Use this feature to ensure that all routers in your network are consistent about the routes they advertise. Synchronization forces BGP to wait until the IGP propagates routing information across the AS. When deselected, synchronization is disabled. You can disable synchronization if this router does not pass traffic from a different AS to a third AS, or if all the routers in the AS are running BGP. Disabling this feature has the benefit of reducing the number of routes the IGP must carry, which improves convergence times. This is the default. |
Log-Neighbor |
When selected, enables the logging of messages that are generated when a BGP neighbors resets, connects to the network, or is disconnected. This is the default. When deselected, message logging is disabled. |
Use the Neighbors dialog box to define the internal and external neighbors of the selected router.
Go to the BGP Page—Setup Tab, then click the Add or Edit button in the Neighbors field.
•Defining BGP Routes, page 13-118
•Specifying IP Addresses During Policy Definition, page 8-68
•Understanding Network/Host Objects, page 8-65
|
|
---|---|
AS Number |
The number of the AS containing BGP neighbors. Internal neighbors have the same AS number as the network of the selected router. External neighbors have a different AS number. |
IP Address |
The IP addresses of the hosts that are neighbors of the router. BGP neighbors exchange routing information with each other whenever changes to the routing table are detected. When you define BGP neighbors, the IP addresses cannot belong to an interface on the selected router. In addition, you cannot define the same IP address in more than one AS. Enter one or more addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the host you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here you can define a network/host object. Note To remove a host from the list of BGP neighbors, select it from the Hosts field, then click Delete. |
Use the BGP Redistribution tab to view, create, edit, and delete redistribution settings when performing redistribution into a BGP autonomous system (AS).
Note You must define BGP setup parameters before you can access the BGP Redistribution tab. See BGP Page—Setup Tab.
Go to the BGP Routing Policy Page, then click the Redistribution tab.
•Redistributing Routes into BGP, page 13-120
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Protocol |
The protocol that is being redistributed. |
AS/Process ID |
The AS number or process ID of the route being redistributed. |
Metric |
The value that determines the priority of the redistributed route. |
Match |
When redistributing an OSPF process, indicates the types of OSPF routes that are being redistributed. |
Static Type |
When redistributing static routes, indicates the type of static route, IP or OSI. |
Add button |
Opens the BGP Redistribution Mapping Dialog Box. From here you can define BGP redistribution mappings. |
Edit button |
Opens the BGP Redistribution Mapping Dialog Box. From here you can edit the selected BGP redistribution mapping. |
Delete button |
Deletes the selected BGP redistribution mappings from the table. |
Use the BGP Redistribution Mapping dialog box to add or edit the properties of a BGP redistribution mapping.
Go to the BGP Page—Redistribution Tab, then click the Add or Edit button beneath the table.
•Redistributing Routes into BGP, page 13-120
Enhanced Interior Gateway Routing Protocol (EIGRP) is a scalable interior gateway protocol that provides extremely quick convergence times with minimal network traffic.
You can configure EIGRP routing policies from the following tabs on the EIGRP Routing page:
•EIGRP Page—Redistribution Tab
For more information, see EIGRP Routing on Cisco IOS Routers, page 13-121.
•(Device view) Select Platform > Routing > EIGRP from the Policy selector.
•(Policy view) Select Router Platform > Routing > EIGRP from the Policy Type selector. Right-click EIGRP to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the EIGRP Setup tab to view, create, edit, and delete EIGRP routes.
Go to the EIGRP Routing Policy Page, then click the Setup tab.
•Defining EIGRP Routes, page 13-121
•EIGRP Page—Redistribution Tab
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
AS Number |
The autonomous system number that identifies the autonomous system to other routers. |
Networks |
The names of the networks included in the route. |
Passive Interfaces |
The interfaces that neither send nor receive routing updates from their neighbors. |
Auto-Summary |
Indicates whether auto summarization is activated on the selected route. |
Add button |
Opens the EIGRP Setup Dialog Box. From here you can create an EIGRP route. |
Edit button |
Opens the EIGRP Setup Dialog Box. From here you can edit the selected EIGRP route. |
Delete button |
Deletes the selected EIGRP routes from the table. |
Use the EIGRP Setup dialog box to add or edit EIGRP routes.
Go to the EIGRP Page—Setup Tab, then click the Add or Edit button beneath the table.
•Defining EIGRP Routes, page 13-121
•Specifying IP Addresses During Policy Definition, page 8-68
•Understanding Network/Host Objects, page 8-65
Use the EIGRP Interfaces tab to create, edit, and delete interface properties for selected EIGRP autonomous systems. This includes modifying the default hello interval and disabling split horizon.
Note You can access the EIGRP Interfaces tab only after defining at least one EIGRP autonomous system in the Setup tab. See EIGRP Page—Setup Tab.
Go to the EIGRP Routing Policy Page, then click the Interfaces tab.
•Defining EIGRP Interface Properties, page 13-122
•EIGRP Page—Redistribution Tab
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
AS Number |
The EIGRP autonomous system number for which interface properties are defined. |
Interfaces |
The interfaces related to the selected EIGRP autonomous system that have specially defined values. |
Split Horizon |
Indicates whether the split horizon feature is enabled or disabled for the selected interface. |
Hello Interval |
The defined interval between hello packets sent to neighboring routers. |
Add button |
Opens the EIGRP Interface Dialog Box. From here you can create an EIGRP interface definition. |
Edit button |
Opens the EIGRP Interface Dialog Box. From here you can edit the selected EIGRP interface definition. |
Delete button |
Deletes the selected EIGRP interface definitions from the table. |
Use the EIGRP Interface dialog box to add or edit interface definitions for a selected EIGRP autonomous system.
Go to the EIGRP Page—Interfaces Tab, then click the Add or Edit button beneath the table.
•Defining EIGRP Interface Properties, page 13-122
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Understanding Interface Role Objects, page 8-33
|
|
---|---|
AS Number |
Selects the EIGRP autonomous system number whose interface properties you want to modify. For more information about EIGRP autonomous systems, see EIGRP Setup Dialog Box. |
Interface |
Specifies the EIGRP interface you wish to configure. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can create an interface role object. |
Hello Interval |
The default interval between hello packets sent by the router to its neighbors. Routers send hello packets to each other to dynamically learn of other routers on their directly attached networks. Valid values range from 1 to 65535 seconds. The default is 5 seconds. |
Split Horizon |
When selected, the split horizon feature is used to prevent routing loops. When deselected, split horizon is disabled. When split horizon is disabled, the router can advertise a route out of the same interface through which it learned the route. Disabling split horizon is often useful when dealing with nonbroadcast networks, such as Frame Relay and SMDS. Note Changing the split horizon setting on an interface resets all adjacencies with EIGRP neighbors that are reachable over that interface. |
Use the EIGRP Redistribution tab to create, edit, and delete EIGRP redistribution mappings.
Go to the EIGRP Routing Policy Page, then click the Redistribution tab.
•Redistributing Routes into EIGRP, page 13-124
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
EIGRP AS Number |
The area ID of the EIGRP route into which other routes are being redistributed. |
Protocol |
The protocol that is being redistributed. |
AS/Process ID |
The AS number or process ID of the route being redistributed. |
Bandwidth |
The minimum bandwidth of the path for the EIGRP route, as defined for the route metric. |
Delay |
The mean latency of the path, as defined for the route metric. |
Reliability |
A value representing the estimated reliability of the path, as defined for the route metric. |
Effective Bandwidth |
A value representing the effective load on the link, as defined for the route metric. |
MTU |
The minimum MTU of the path, as defined for the route metric. |
Match |
When redistributing an OSPF process, indicates the types of OSPF routes that are being redistributed. |
Add button |
Opens the EIGRP Redistribution Mapping Dialog Box. From here you can define EIGRP redistribution mappings. |
Edit button |
Opens the EIGRP Redistribution Mapping Dialog Box. From here you can edit the selected EIGRP redistribution mapping. |
Delete button |
Deletes the selected EIGRP redistribution mappings from the table. |
Use the EIGRP Redistribution Mapping dialog box to add or edit the properties of an EIGRP redistribution mapping.
Go to the EIGRP Page—Redistribution Tab, then click the Add or Edit button beneath the table.
Note You must create at least one EIGRP AS before you can access the EIGRP Redistribution dialog box. See EIGRP Page—Setup Tab.
•Redistributing Routes into EIGRP, page 13-124
|
|
---|---|
EIGRP AS Numbers |
The EIGRP AS into which other routes are being redistributed. You must select an ID number from the list of EIGRP autonomous systems defined in the EIGRP Page—Setup Tab. |
Protocol to Redistribute |
The routing protocol that is being redistributed: •Static—Redistributes static routes. You can define a single mapping for each route. •EIGRP—Redistributes an EIGRP autonomous system. Enter the AS number in the displayed field. You can define a single mapping for each AS. •BGP—Redistributes a BGP autonomous system. You can define a single BGP mapping on each device. If you configured a BGP AS in the BGP Setup tab, the AS number is displayed. Otherwise, a message is displayed indicating that no BGP AS was defined. See BGP Page—Redistribution Tab. |
Protocol to Redistribute (continued) |
•OSPF—Redistributes a different OSPF process. You can define a single mapping for each process. Select a process from the displayed list, then select one or more match criteria: –Internal—Routes that are internal to a specific AS. –External1—Routes that are external to the AS and imported into OSPF as a Type 1 external route. –External2—Routes that are external to the AS and imported into the selected process as a Type 2 external route. –NSAAExternal1—Not-So-Stubby Area (NSSA) routes that are external to the AS and imported into the selected process as Type 1 external routes. –NSAAExternal2—(NSSA) routes that are external to the AS and imported into the selected process as Type 2 external routes. •RIP—Redistributes RIP routes. •Connected—Redistributes routes that are established automatically by virtue of having enabled IP on an interface. These routes are redistributed as external to the AS. |
Metrics |
The default metric (cost) of the redistributed route. Metric parameters include: •Bandwidth—The minimum bandwidth of the path in kilobits per second. Valid values range from 1 to 4294967295. •Delay—The mean latency of the path in units of 10 microseconds. Valid values range from 0 to 4294967295. •Reliability—A value expressing the estimated reliability of the link. Valid values range from 0 to 255, where 255 represents 100% reliability. •Effective Bandwidth—A value expressing the effective load on the link. Valid values range from 1 to 255, where 255 represents 100% utilization. •MTU of Path—The maximum transmission unit of the path. Valid values range from 1 to 65535 bytes. |
Use the OSPF Interface page to view, create, edit, and delete interface-specific OSPF settings. For more information, see Defining OSPF Interface Settings, page 13-131.
•(Device view) Select Platform > Routing > OSPF Interface from the Policy selector.
•(Policy view) Select Router Platform > Routing > OSPF Interface from the Policy Type selector. Right-click OSPF Interface to create a policy, or select an existing policy from the
Shared Policy selector.
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Interfaces |
The name of an interface (as defined by an interface role) on which OSPF is enabled. |
Authentication |
The type of OSPF neighbor authentication enabled for the selected interface. |
Key ID |
The identification number of the authentication key used for MD5 authentication. |
Cost |
The cost of sending packets over the selected interface, if this value is different from the cost as normally calculated. |
Priority |
The priority of the selected interface. |
MTU Ignore |
Indicates whether Maximum Transmission Rate (MTU) detection is disabled on the selected interface. |
Database Filter |
Indicates whether link-state advertisement (LSA) flooding is disabled on the selected interface. |
Hello Interval |
The interval between hello packets (in seconds) sent over this interface. |
Transmit Delay |
The amount of time OSPF waits (in seconds) before flooding an LSA over the link. |
Retransmit Interval |
The interval between LSA retransmissions (in seconds) over the selected interface. |
Dead Interval |
The interval OSPF waits (in seconds) before declaring a neighboring router dead because of an absence of hello packets. |
Network Type |
The network type configured for the selected interface, if it differs from the default medium. |
Add button |
Opens the OSPF Interface Dialog Box. From here you can define the properties of an OSPF interface. |
Edit button |
Opens the OSPF Interface Dialog Box. From here you can edit the properties of the selected OSPF interface. |
Delete button |
Deletes the selected OSPF interface definitions from the table. |
Use the OSPF Interface dialog box to add or edit the properties of OSPF interfaces.
Go to the OSPF Interface Policy Page, then click the Add or Edit button beneath the table.
•Defining OSPF Interface Settings, page 13-131
•OSPF Routing on Cisco IOS Routers, page 13-125
•Basic Interface Settings on Cisco IOS Routers, page 13-13
•Understanding Interface Role Objects, page 8-33
|
|
---|---|
Interface |
The OSPF interface to configure. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can define an interface role object. |
Authentication |
Type—The authentication type used by the selected interface: •MD5—Uses the MD5 hash algorithm for authentication. This is the default. •Clear Text—Uses a clear text password for authentication. •None—Uses no authentication. Note The authentication type used on an interface must match the authentication type defined for the area. Note Use plain text authentication only when security is not an issue, for example, to ensure that misconfigured hosts do not participate in routing. •Key ID—Available only when MD5 is selected as the authentication type. The identification number of the authentication key. This number must be shared with all other devices sending updates to, and receiving updates from, the selected device. Valid values range from 1 to 255. •Key—The shared key used for authentication (MD5 or clear text). This key must be shared with all other devices sending updates to, and receiving updates from, the selected device. Enter this key again in the Confirm field. When using clear text, the key can include any continuous string of characters that can be entered from the keyboard (up to 8 bytes). When using MD5, the key can include alphanumeric characters only (up to 16 bytes). |
Cost |
The cost of sending packets over this interface. A value entered here overrides the default calculated cost (10 8 /bandwidth in bits per second). Valid values range from 1 to 65535. |
Priority |
The default priority of the interface. The priority is used to determine which routers become the designated router (DR) and backup designated router (BDR) for that segment. The higher the number, the higher the priority. The default priority is 1. Valid values range from 0 to 255. Note To exclude the interface from election as DR or BDR, assign a priority of 0. Configure router priority only for interfaces to multiaccess networks, not point-to-point networks. |
MTU Ignore |
When selected, ignores MTU mismatches between neighboring routers. When deselected, MTU mismatch detection is enabled. Note Typically, this option is not used, because it can cause routers to become stuck in exstart/exchange state, which prevents OSPF adjacency from being established. |
Database Filter |
When selected, blocks link-state advertisement (LSA) flooding to the selected interface. When deselected, LSA flooding is permitted. Note We recommend that you enable this option on fully-meshed networks. This option is not available for point-to-multipoint networks. |
Hello Interval |
The default interval (in seconds) between hello packets sent over the selected interface. These packets are used by neighboring routers to confirm the router sending the packets is still operating. Valid values range 1 to 65535 seconds. Note The hello interval must be the same for all routers and access servers in the network. |
Transmit Delay |
The amount of time OSPF waits (in seconds) before flooding an LSA over the link. The default is 1 second. Valid values range from 1 to 65535 seconds. Note When you configure slow links or on-demand links that queue traffic before sending it in bursts, we recommend that you take these link delays into account when defining this value. |
Retransmit Interval |
The interval between LSA retransmissions (in seconds) over the selected interface. The default is 5 seconds. Valid values range from 1 to 65535 seconds. Note We recommend that you increase this value for serial lines and virtual links. |
Dead Interval |
The interval (in seconds) after which an interface declares its neighbor dead if no hello packets are received. Valid values range from 1 to 655335 seconds. Note The value of the dead interval is typically the hello interval value multiplied by 4. The dead interval must be the same for all routers and access servers in the network. |
Configure Network Type |
When selected, enables you to select a network type that differs from the default medium used by the interface. When deselected, the network type is equivalent to the default medium used by the interface. For nonbroadcast multiaccess (NBMA) networks (such as ATM and Frame Relay), options are: •Broadcast—Treats the NBMA network as a broadcast network, which eliminates the need to configure neighbors. Use this option when there are virtual circuits from every router to every router (fully meshed network). •Point-to-Multipoint—Treats the nonbroadcast network as a series of point-to-point links. This option is easier to configure, less costly, and more reliable than NBMA or point-to-point networks. •Point-to-Multipoint Non-Broadcast—Statically maintains the known neighbors of the network. Selecting this option helps avoid the problem of losing neighbors that were learned dynamically through the reception of hello packets. Note Another option for NBMA networks is to configure neighbors manually using FlexConfigs. See Understanding FlexConfig Policies and Policy Objects, page 18-1. For broadcast networks (such as Ethernet, Token Ring, and FDDI), you can select: •Non-Broadcast—Treats the broadcast network as a nonbroadcast network. •Point-to-Point—Treats the broadcast network as a point-to-point network. You can use this option, for example, to configure a broadcast network (such as Ethernet) as a nonbroadcast multiaccess (NBMA) network if not all routers in the network support multicast addressing. |
OSPF is an interior gateway routing protocol that uses link states instead of distance vectors for path selection. OSPF propagates link-state advertisements (LSAs) instead of routing table updates, which enables OSPF networks to converge quickly.
You can configure OSPF process policies from the following tabs on the OSPF Process page:
•OSPF Process Page—Redistribution Tab
For more information, see OSPF Routing on Cisco IOS Routers, page 13-125.
Note For more information about OSPF interface policies, see OSPF Interface Policy Page.
•(Device view) Select Platform > Routing > OSPF Process from the Policy selector.
•(Policy view) Select Router Platform > Routing > OSPF Process from the Policy Type selector. Right-click OSPF Process to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the OSPF Process Setup tab to create, edit, and delete OSPF processes. This includes selecting those interfaces that will remain passive, which means that they will not send routing updates to their neighbors. You can create as many processes for each router as required.
Go to the OSPF Process Policy Page, then click the Setup tab.
•Defining OSPF Process Settings, page 13-126
•OSPF Process Page—Redistribution Tab
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Process ID |
The process ID that identifies the OSPF routing process to other routers. |
Passive Interfaces |
The interfaces that do not send out routing updates. |
Add button |
Opens the OSPF Setup Dialog Box. From here you can define an OSPF process. |
Edit button |
Opens the OSPF Setup Dialog Box. From here you can edit the selected OSPF process. |
Delete button |
Deletes the selected OSPF processes from the table. |
Use the OSPF Setup dialog box to add or edit an OSPF process.
Go to the OSPF Process Page—Setup Tab, then click the Add or Edit button beneath the table.
•Defining OSPF Process Settings, page 13-126
|
|
---|---|
Process ID |
The process ID number for the OSPF process. This number identifies the OSPF process to other routers. It does not need to match the process ID on other devices. Valid values are from 1 to 65535. |
Passive Interfaces |
The interfaces that do not send updates to their routing neighbors. Click Edit to display the Edit Interfaces Dialog Box—OSPF Passive Interfaces. From here you can define these interfaces. Note When you make an interface passive, OSPF suppresses the sending of hello packets to neighboring routers. The interface will continue to receive routing updates, however. |
When you configure an OSPF routing policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will not send updates to their routing neighbors. Separate multiple names or roles with commas. Click Select to select interface names or roles from a list of existing objects, or to create new interface role objects.
Go to the OSPF Setup Dialog Box, then click the Edit button in the Passive Interfaces field.
•Defining OSPF Process Settings, page 13-126
Use the OSPF Area tab to create, edit, and delete the areas and networks contained in each OSPF process. This includes selecting the type of authentication used by each area.
Go to the OSPF Process Policy Page, then click the Area tab.
•Defining OSPF Area Settings, page 13-127
•OSPF Process Page—Redistribution Tab
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Area ID |
The ID number of the area associated with the process. |
Process ID |
The process ID that identifies the OSPF routing process to other routers. |
Networks |
The networks included in the area. |
Authentication |
The authentication type used by the area—MD5, clear text, or none. |
Add button |
Open the OSPF Area Dialog Box. From here you can define an OSPF area. |
Edit button |
Opens the OSPF Area Dialog Box. From here you can edit the selected OSPF area. |
Delete button |
Deletes the selected OSPF areas from the table. |
Use the OSPF Area dialog box to add or edit the properties of an OSPF area. You should define at least one area for each OSPF process (see OSPF Setup Dialog Box), but deployment will not fail if you do not.
Go to the OSPF Process Page—Area Tab, then click the Add or Edit button beneath the table.
•Defining OSPF Area Settings, page 13-127
•Specifying IP Addresses During Policy Definition, page 8-68
•Understanding Network/Host Objects, page 8-65
|
|
---|---|
Process ID |
The process ID associated with the OSPF area. The list contains the OSPF processes defined in the OSPF Process Page—Setup Tab. |
Area ID |
The area ID number associated with the selected process. Valid values range from 0 to 4294967295. |
Networks |
The networks to add to the OSPF area. Enter one or more network addresses or network/host objects, or click Select to display an Object Selectors, page F-205. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here you can define a network/host object. |
Authentication |
The type of authentication used for the area: •MD5—(Recommended) Uses the MD5 hash algorithm for authentication. •Clear Text—Uses clear text for authentication. •None—No authentication is used. Note The authentication type must be the same for all routers and access servers in an area. |
Use the OSPF Process Redistribution tab to create, edit, and delete OSPF redistribution mappings. This includes defining the maximum number of routes that can be redistributed into OSPF from other protocols or other OSPF processes.
Go to the OSPF Process Policy Page, then click the Redistribution tab.
•Redistributing Routes into OSPF, page 13-128
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
|
|
OSPF Process ID |
The ID of the OSPF routing domain into which other routes are being redistributed. |
Protocol |
The protocol that is being redistributed. |
AS/Process ID |
The AS number or process ID of the route that is being redistributed. |
Match |
When redistributing an OSPF process, indicates the types of OSPF routes that are being redistributed. |
Metric |
The value that determines the priority of the redistributed route. |
Metric Type |
The external link type associated with the default route advertised into the OSPF routing domain. |
Subnets |
Indicates whether routes that are subnetted are also being redistributed. |
Add button |
Opens the OSPF Redistribution Mapping Dialog Box. From here you can define OSPF redistribution mappings. |
Edit button |
Opens the OSPF Redistribution Mapping Dialog Box. From here you can edit the selected OSPF redistribution mapping. |
Delete button |
Deletes the selected redistribution mappings from the table. |
|
|
OSPF Process ID |
The ID of the OSPF routing domain for which a maximum prefix values has been defined. |
Max Prefix |
The maximum number of prefixes (routes) that may be redistributed to the selected OSPF process. |
Threshold |
The percentage of the maximum prefix value that acts as a threshold for triggering a warning message. |
Action |
Indicates whether redistribution to this OSPF process will stop when the maximum is reached, or whether only a warning is displayed. |
Add button |
Opens the OSPF Max Prefix Mapping Dialog Box. From here you can define maximum prefix values for OSPF processes. |
Edit button |
Opens the OSPF Max Prefix Mapping Dialog Box. From here you can edit the maximum prefix value defined for the selected OSPF process. |
Delete button |
Deletes the selected max prefix mappings from the table. |
Use the OSPF Redistribution Mapping dialog box to add or edit the properties of an OSPF redistribution mapping.
Go to the OSPF Process Page—Redistribution Tab, then click the Add or Edit button beneath the Redistribution Mapping table.
Note You must create at least one OSPF process before you can access the OSPF Redistribution dialog box. See OSPF Process Page—Setup Tab.
•OSPF Max Prefix Mapping Dialog Box
•Redistributing Routes into OSPF, page 13-128
|
|
---|---|
Process ID |
The OSPF process into which other routes are being redistributed. You must select a process ID number from the list of OSPF processes defined in the OSPF Process Page—Setup Tab. |
Protocol to Redistribute |
The routing protocol that is being redistributed: •Static—Redistributes static routes. You can define a single mapping for each route. •EIGRP—Redistributes an EIGRP autonomous system. Enter the AS number in the displayed field. You can define a single mapping for each AS. •BGP—Redistributes a BGP autonomous system. You can define a single BGP mapping on each device. If you configured a BGP AS in the BGP Setup tab, the AS number is displayed. Otherwise, a message is displayed indicating that no BGP AS was defined. See BGP Page—Redistribution Tab. |
Protocol to Redistribute (continued) |
•OSPF—Redistributes a different OSPF process. You can define a single mapping for each process. Select a process from the displayed list, then select one or more match criteria: –Internal—Routes that are internal to a specific AS. –External1—Routes that are external to the AS and imported into OSPF as a Type 1 external route. –External2—Routes that are external to the AS and imported into the selected process as a Type 2 external route. –NSAAExternal1—Not-So-Stubby Area (NSSA) routes that are external to the AS and imported into the selected process as Type 1 external routes. –NSAAExternal2—(NSSA) routes that are external to the AS and imported into the selected process as Type 2 external routes. •RIP—Redistributes RIP routes. You can define a single mapping for each route. •Connected—Redistributes routes that are established automatically by virtue of having enabled IP on an interface. These routes are redistributed as external to the AS. |
Default Metric |
A value representing the cost of the redistributed route. |
Metric Type |
The external link type that is associated with the route being redistributed into the OSPF routing domain: •1—Type 1 external route. The metric is the sum of the external redistributed cost and the internal OSPF cost. •2—Type 2 external route. The metric is equal to the external redistributed cost, as defined in the Metric field. This is the default. |
Limit to Subnets |
When selected, only subnetted routes are redistributed. When deselected, subnetted routes are not redistributed. |
Use the OSPF Max Prefix Mapping dialog box to add or edit the maximum number of routes that can be redistributed into an OSPF process.
Go to the OSPF Process Page—Redistribution Tab, then click the Add or Edit button beneath the Prefix Mapping table.
•OSPF Redistribution Mapping Dialog Box
•Redistributing Routes into OSPF, page 13-128
|
|
---|---|
Process ID |
The OSPF process into which other routes are being redistributed. The list contains the OSPF processes defined in the OSPF Process Page—Setup Tab. |
Max Prefix |
The maximum number of prefixes (routes) that can be redistributed into the selected OSPF process. Limiting the number of redistributed routes helps prevent the router from being flooded by an excessive number of routes. |
Threshold |
The percentage of the maximum prefix value that acts as a threshold for triggering warning messages. The default is 75%. Note This warning is triggered whether or not the Warning-Only check box is selected. |
When maximum routes reached |
The action to take when the maximum number of redistributed routes is reached: •Enforce Maximum Route—Prevents additional routes from being redistributed when the defined maximum prefix value is reached. This is the default. •Warning Only—Issues a warning when the maximum number of routes is reached, but does not prevent additional routes from being redistributed. |
RIP is a distance-vector routing protocol that uses hop count as the metric for path selection. Security Manager supports RIP version 2 only, which includes support for neighbor authentication when routing updates are exchanged.
You can configure RIP routing policies from the following tabs on the RIP Routing page:
For more information, see RIP Routing on Cisco IOS Routers, page 13-136.
•(Device view) Select Platform > Routing > RIP from the Policy selector.
•(Policy view) Select Router Platform > Routing > RIP from the Policy Type selector. Right-click RIP to create a policy, or select an existing policy from the Shared Policy selector.
•"Router Platform User Interface Reference"
Use the RIP Setup tab to create, edit, and delete RIP routes.
Go to the RIP Routing Policy Page, then click the Setup tab.
•Defining RIP Setup Parameters, page 13-137
•Specifying IP Addresses During Policy Definition, page 8-68
•Understanding Network/Host Objects, page 8-65
Use the RIP Authentication tab to view, create, edit, and delete the neighbor authentication settings of RIP interfaces.
Go to the RIP Routing Policy Page, then click the Authentication tab.
•Defining RIP Interface Authentication Settings, page 13-138
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Interfaces |
The name of an interface (as defined by an interface role) on which RIP is enabled. |
Authentication |
The type of RIP neighbor authentication that is enabled for the selected interface role—clear text or MD5. |
Key ID |
The identification number of the authentication key used for MD5 authentication. |
Add button |
Opens the RIP Authentication Dialog Box. From here you can define authentication for an additional RIP interface. |
Edit button |
Opens the RIP Authentication Dialog Box. From here you can edit the authentication properties of the selected RIP interface. |
Delete button |
Deletes the selected authentication definitions from the table. |
Use the RIP Authentication dialog box to add or edit the neighbor authentication properties of RIP interfaces.
Go to the RIP Page—Authentication Tab, then click the Add or Edit button beneath the table.
•Defining RIP Interface Authentication Settings, page 13-138
|
|
---|---|
Interface |
The interface for which you want to define authentication properties. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here you can define an interface role object. Note You cannot specify two different authentication configurations for the same interface. |
Authentication |
The type of authentication to apply to the interface: •MD5—(Recommended) Uses the MD5 hash algorithm for authentication. •Clear Text—Uses clear text for authentication. Note Use plain text authentication only when security is not an issue, for example, to ensure that misconfigured hosts do not participate in routing. |
Key ID |
Available only when MD5 is selected as the authentication type. The identification number of the authentication key. This number must be shared with all other devices sending updates to, and receiving updates from, the selected device. Valid values range from 0 to 2147483647. |
Key |
The shared key used for authentication (MD5 or clear text). This key must be shared with all other devices sending updates to, and receiving updates from, the selected device. The key can contain up to 80 alphanumeric characters; the first character cannot be a number. Spaces are allowed. Enter the key again in the Confirm field. |
Use the RIP Redistribution tab to view, create, edit, and delete redistribution settings when performing redistribution into an RIP routing domain.
Note You must define RIP setup parameters before you can access the RIP Redistribution tab. See RIP Page—Setup Tab.
Go to the RIP Routing Policy Page, then click the Redistribution tab.
•Redistributing Routes into RIP, page 13-139
|
|
---|---|
Protocol |
The protocol that is being redistributed. |
AS/Process ID |
The autonomous system (AS) number or process ID of the route being redistributed. |
Metric |
The value that determines the priority of the redistributed route. |
Match |
When redistributing an OSPF process, indicates which types of OSPF routes are being redistributed. |
Add button |
Opens the RIP Redistribution Mapping Dialog Box. From here you can define a RIP redistribution mapping. |
Edit button |
Opens the RIP Redistribution Mapping Dialog Box. From here you can edit the selected RIP redistribution mapping. |
Delete button |
Deletes the selected redistribution mappings from the table. |
Use the RIP Redistribution Mapping dialog box to add or edit the properties of an RIP redistribution mapping.
Go to the RIP Page—Redistribution Tab, then click the Add or Edit button beneath the table.
•Redistributing Routes into RIP, page 13-139
|
|
---|---|
Protocol to Redistribute |
The routing protocol that is being redistributed: •Static—Redistributes static routes. You can define a single mapping for each route. •EIGRP—Redistributes an EIGRP autonomous system. Enter the AS number in the displayed field. You can define a single mapping for each AS. •BGP—Redistributes a BGP autonomous system. You can define a single BGP mapping on each device. If you configured a BGP AS in the BGP Setup tab, the AS number is displayed. Otherwise, a message is displayed indicating that no BGP AS was defined. See BGP Page—Redistribution Tab. |
Protocol to Redistribute (continued) |
•OSPF—Redistributes a different OSPF process. You can define a single mapping for each process. Select a process from the displayed list, then select one or more match criteria: –Internal—Routes that are internal to a specific AS. –External1—Routes that are external to the AS and imported into OSPF as a Type 1 external route. –External2—Routes that are external to the AS and imported into the selected process as a Type 2 external route. –NSAAExternal1—Not-So-Stubby Area (NSSA) routes that are external to the AS and imported into the selected process as Type 1 external routes. –NSAAExternal2—(NSSA) routes that are external to the AS and imported into the selected process as Type 2 external routes. •Connected—Redistributes routes that are established automatically by virtue of having enabled IP on an interface. These routes are redistributed as external to the AS. |
Default Metric |
Establishes a default value for the redistributed route. Valid values range from 0 to 16. |
Transparent Metric |
When selected, maintains the original metric of the route being redistributed. When deselected, the value specified in the Metric field is used. |
Use the Static Routing page to create, edit, and delete static routes. For more information, see Defining Static Routes, page 13-140.
•(Device view) Select Platform > Routing > Static Routing from the Policy selector.
•(Policy view) Select Router Platform > Routing > Static Routing from the Policy Type selector. Right-click Static Routing to create a policy, or select an existing policy from the Shared Policy selector.
•Static Routing on Cisco IOS Routers, page 13-140
•"Router Platform User Interface Reference"
•Table Columns and Column Heading Features, page 2-18
|
|
---|---|
Prefix |
The destination IP address of the static route. |
Prefix Mask |
The net mask of the selected IP address. |
Default Route |
Indicates whether the static route is the default route for unknown packets being forwarded by this router. |
Interface or IP Address |
The IP address or the interface name associated with the gateway router that is the next hop address for this router. |
Distance |
The number of hops from the gateway IP to the destination. The metric determines the priority of this route. The fewer the hops, the higher the priority assigned to the route, based on lower costs. When two routing entries specify the same network, the entry with the lower metric (that is, the higher priority) is selected. |
Permanent Route |
Indicates whether the static route is defined as a permanent route, which means that it will not be removed even if the interface is shut down or if the router is unable to communicate with the next router. |
Add button |
Opens the Static Routing Dialog Box. From here you can create a static route. |
Edit button |
Opens the Static Routing Dialog Box. From here you can edit the selected static route. |
Delete button |
Deletes the selected static routes from the table. |
Use the Static Routing dialog box to add or edit static routes.
Go to the Static Routing Policy Page, then click the Add or Edit button beneath the table.
•Defining Static Routes, page 13-140
•Static Routing on Cisco IOS Routers, page 13-140
|
|
---|---|
Destination Network |
Address information for the destination network defined by this static route. •Use as Default Route—When selected, makes this the default route on this router. A default route is used when the route from a source to a destination is unknown or when it is not feasible for the router to maintain many routes in its routing table. All unknown outbound packets are forwarded over the default route. When deselected, this static route is not the default route. •Prefix—The IP address of the destination network. Enter an IP address or the name of a network/host object, or click Select to display an Object Selectors, page F-205. The prefix must be a class A, B, or C network or host IP. A host IP can begin with 0 unless it contains a discontiguous mask. All subnet addresses are valid. If the network you want is not listed, click the Create button in the selector to display the Add or Edit Network/Host Dialog Box, page F-141. From here you can define a network/host object. |
Forwarding (Next Hop) |
The method of forwarding data to the destination network: •Forwarding Interface—The router interface that forwards packets to the remote network. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-205. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-56. From here, you can define an interface role object. •Forwarding IP—The IP address of the next hop router that receives and forwards packets to the remote network. Enter an IP address or the name of a network/host object, or click Select to display an Object Selectors, page F-205. |
Distance Metric |
The number of hops to the destination network (gateway IP). The default is 1 if no value is specified. The range is from 1 to 255. This metric (also known as administrative distance) is a measurement of route expense based on the number of hops to the network on which a specified host resides. This hop count includes all the networks a packet must traverse, including the destination network. Therefore, all directly connected networks have a metric of 1. Because the metric is based on expense, it is used to identify the priority of the static route. If two routing entries specify the same network, the route with the lower metric value (that is, the lower cost) is given a higher priority and is selected. Note Under certain circumstances, it is useful to assign a static route a lower priority (larger distance metric) than a dynamic route. This enables the static route to act as a backup, "floating," route when the dynamic route is unavailable. |
Permanent route |
When selected, prevents this static route entry from being deleted, even in cases where the interface is shut down or the router cannot communicate with the next router. When deselected, this static route can be deleted. |