- Discovering Policies on Cisco Catalyst Switches and Cisco 7600 Series Routers
- Viewing Catalyst Summary Information
- Viewing a Summary of Catalyst Interfaces, VLANs, and VLAN Groups
- Interfaces
- Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
- Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
- Interfaces/VLANs Page—Interfaces Tab
- Create and Edit Interface Dialog Boxes—Access Port Mode
- Create and Edit Interface Dialog Boxes—Routed Port Mode
- Create and Edit Interface Dialog Boxes—Trunk Port Mode
- Create and Edit Interface Dialog Boxes—Dynamic Mode
- Create and Edit Interface Dialog Boxes—Subinterfaces
- Create and Edit Interface Dialog Boxes—Unsupported Mode
Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
Note From version 4.17, Cisco Security Manager continues to support the existing Cisco Catalyst switch features and functionality, but it no longer provides bug fixes or enhancements for them.
Cisco Security Manager supports the management and configuration of security services and other platform-specific services on Cisco Catalyst switches and Cisco 7600 Series routers.
You can manage Catalyst switches and 7600 devices configured in VTP transparent or VTP client/server mode. For switches configured in client/server mode, Security Manager bypasses VLAN database management on the device; that is, it does not create, delete, or monitor VLANs in the switch's VLAN database.
Discovering Policies on Cisco Catalyst Switches and Cisco 7600 Series Routers
You can discover the configurations of your Cisco Catalyst switches and Cisco 7600 Series Routers (as well as the configurations of the services modules and security contexts associated with them) and import the configurations as policies into Security Manager. This makes it possible to add existing devices and manage them with Security Manager without having to configure each device manually, policy by policy. For more information, see Adding Devices to the Device Inventory.
You can discover any command that Security Manager can configure. Discovery ignores unsupported commands, which means that they are left intact on the device even after subsequent deployments. Additionally, in cases where Security Manager can discover the command, but not all the subcommands and keywords related to that command, the unsupported elements are ignored and left intact on the device.
At any time, you can also rediscover the configurations of devices that you are already managing with Security Manager. Be aware, however, that we do not recommend rediscovery generally because performing rediscovery overwrites the policies that you have defined in Security Manager. For more information, see Discovering Policies on Devices Already in Security Manager.
Note We recommend that you perform deployment immediately after you discover policies, before you make any changes to policies or unassign policies from the device. (This recommendation also applies to any services module or security context hosted by the device.) Otherwise, the changes that you configure in Security Manager might not be deployed to the device. See Working with Deployment and the Configuration Archive.
Viewing Catalyst Summary Information
Use the Catalyst Summary Info page to view high-level system information, including any service modules, ports, and VLANs that Security Manager has discovered.
To view Catalyst summary information, in Device view, right-click a Catalyst switch or Cisco 7600 Series router, then select Catalyst Summary Info, or select Tools > Catalyst Summary Info.
Note If Security Manager has not completed discovery for a particular Cisco Catalyst switch or Cisco 7600 Series router, the Catalyst Summary Info page for that device displays this message: “No information is available. This information is acquired during device discovery.”
Viewing a Summary of Catalyst Interfaces, VLANs, and VLAN Groups
Use the Summary tab of the Interfaces/VLAN policy to view attributes of all VLANs, VLAN groups, interfaces, and subinterfaces configured on supported Catalyst 6500 Series and 7600 Series chassis and their associated services modules.
To view summary interface information, in Device view, select Interfaces/VLANs from the Policy selector, then click the Summary tab.
Note The Summary tab is available only for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers.
- Interfaces/VLANs Page—VLANs Tab
- Interfaces/VLANs Page—VLAN Groups Tab
- Interfaces/VLANs Page—Interfaces Tab
- Viewing Catalyst Summary Information
- Filtering Tables
Interfaces
You use the Interfaces tab on the Interfaces/VLANs page to view and manage the following types of ports:
- Access ports—A switching port that is used to connect host machines or servers. An access port belongs to and carries the traffic of only one VLAN. Traffic is received and sent in native formats with no VLAN tagging.
- Trunk ports—A switching port operating at Layer 2 to carry the traffic of multiple VLANs. Traffic is tagged with a VLAN number to differentiate traffic from each VLAN. A trunk port is used to connect switches to switches or to connect switches to routers.
- Routed ports—A physical port that acts like a port on a router. A routed port is not associated with a particular VLAN, and it behaves like a regular router interface. You can configure a routed port with a Layer 3 routing protocol.
- Dynamic ports—A port that can change dynamically to a trunk port if the neighboring port is configured as a trunk port.
- Unsupported ports—Ports on the Catalyst device that are not supported by Security Manager.
To display the Interfaces tab, select a Catalyst device in Device view, select Interfaces/VLANs from the Policy selector, then click the Interfaces tab in the work area.
The following topics describe the actions you can perform when defining interfaces on Catalyst devices:
- Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
- Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
- Interfaces/VLANs Page—Interfaces Tab
- VLANs
- VLAN Groups
- VLAN ACLs (VACLs)
- Chapter 68, “Managing Cisco Catalyst Switches and Cisco 7600 Series Routers”
Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
You can create access ports, routed ports, or trunk ports on Cisco Catalyst Switches and Cisco 7600 Series Routers, with these restrictions:
- Each interface must have a name.
- You can associate an access port with only one VLAN.
- You can associate a trunk port with one or more VLANs.
- Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
- Creating or Editing VLANs
- Creating or Editing VLAN Groups
- Interfaces/VLANs Page—Interfaces Tab
- Interfaces
Step 1 (Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy selector, then click the Interfaces tab in the work area.
The Interfaces tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—Interfaces Tab.
Step 2 Do one of the following:
- To define the attributes of a new interface, click Add Row.
- To edit the attributes of an interface, select it in the list, then click Edit Row.
Step 3 (Optional) Deselect the Enable Interface check box if you want this interface to be in shutdown mode.
Step 4 From the Type list, select Interface or Subinterface.
Step 5 (Interfaces only) Enter a name for the interface. You can click Select to open a dialog box that will help you generate a standard name based on interface type and details about the interface’s location, such as card, slot, and subinterface. For more information on using the dialog box to generate an interface name, see Interface Auto Name Generator Dialog Box.
Step 6 (Interfaces only) Select an option from the Mode list to specify the port configuration type. The fields in the dialog box vary according to your selection.
Step 7 (Subinterfaces only) Select the parent interface of the subinterface, then enter the ID number.
Step 8 Define or configure the settings for the type that you selected:
- Access Port—See Create and Edit Interface Dialog Boxes—Access Port Mode for a description of the fields.
- Routed Port—See Create and Edit Interface Dialog Boxes—Routed Port Mode for a description of the fields.
- Trunk Port—See Create and Edit Interface Dialog Boxes—Trunk Port Mode for a description of the fields.
- Dynamic Port—See Create and Edit Interface Dialog Boxes—Dynamic Mode for a description of the fields.
- Subinterface—See Create and Edit Interface Dialog Boxes—Subinterfaces for a description of the fields.
- Unsupported—See Create and Edit Interface Dialog Boxes—Unsupported Mode for a description of the fields.
Step 9 From the Speed list, select an option to define the speed of the interface.
Step 10 If you defined a specific speed for the interface, and therefore the Duplex list is enabled, select a duplexing option.
Step 11 In the MTU field, enter the maximum transmission unit value.
Step 12 Configure whether to use flow control on inbound (Receive) and outbound (Send) traffic.
Step 13 (Optional) Enter a description for the interface in the Description field.
Step 14 Click OK to save your definitions locally on the client and close the dialog box.
Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
Although you can delete the definition of an interface at any time, use this option with great care. If the relevant device includes the interface definition in any policy definitions, deleting the interface causes these policy definitions to fail when they are deployed to the device.
Step 1 (Device view) Select a Cisco Catalyst switch or Cisco 7600 Series router from the Device selector.
Step 2 Select Interfaces/VLANs from the Policy selector.
Step 3 Click the Interfaces tab in the work area.
The Interfaces tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—Interfaces Tab.
Step 4 Select an interface from the table, then click Delete Row. The interface is deleted.
Interfaces/VLANs Page—Interfaces Tab
Use the Interfaces tab to view and configure interfaces and subinterfaces on supported Cisco Catalyst switches and Cisco 7600 Series routers and their associated services modules (blades).
(Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy selector, then click the Interfaces tab.
- Interfaces/VLANs Page—VLANs Tab
- Interfaces/VLANs Page—VLAN Groups Tab
- Viewing a Summary of Catalyst Interfaces, VLANs, and VLAN Groups
- Filtering Tables
| Element | Description |
|---|---|
| Interface | Interface type, chassis slot, and interface number. For example, FastEthernet 2/7 means Fast Ethernet, slot 2, interface 7. |
| VLAN ID | The VLAN ID associated with the described subinterface, displayed only for Ethernet interfaces and VLAN interfaces. |
| Enabled | Indicates whether the interface is enabled or disabled (shutdown state). |
| Interface Roles | The interface roles whose naming patterns match this interface. See Understanding Interface Role Objects. |
| Add Row button | Opens the Create Interface dialog box, where you can define a new interface. For more information, see the instructions for the relevant mode (Access Port, Routed Port, Trunk Port, Dynamic, Subinterfaces, or Unsupported) under Create and Edit Interface Dialog Boxes. |
| Edit Row button | Opens the Edit Interface dialog box, where you can edit the selected interface. For more information, see the instructions for the relevant mode (Access Port, Routed Port, Trunk Port, Dynamic, Subinterfaces, or Unsupported) under Create and Edit Interface Dialog Boxes. |
Create and Edit Interface Dialog Boxes—Access Port Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical and virtual interfaces that run in access port mode.
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Access Port from the Mode list.
- Create and Edit Interface Dialog Boxes—Routed Port Mode
- Create and Edit Interface Dialog Boxes—Trunk Port Mode
- Create and Edit Interface Dialog Boxes—Dynamic Mode
- Interface Auto Name Generator Dialog Box
- Understanding FlexConfig Policies and Policy Objects
- Understanding Interface Role Objects
| Element | Description |
|---|---|
| Enable Interface | When selected, enables the interface. When deselected, disables the interface using the shutdown command. |
| Type | Specifies whether the definitions apply to an interface or a subinterface. For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces. |
| Name | Displays the generated interface name, if the name has been set. Click Select to open the Interface Auto Name Generator Dialog Box. From here, you can enter or edit the details that Security Manager uses to generate an interface name. |
| Mode | The port configuration type for this interface. Select Access Port to display the configuration options that are relevant for access ports. |
| VLAN ID | Displays the interface-specific identity of the VLAN to use in access port mode, if you have selected a VLAN. Otherwise, click Select to open the VLAN Selector Dialog Box. The VLAN ID specifies where 802.1Q tagged packets are sent and received on the subinterface; without a VLAN ID, the subinterface cannot send or receive traffic. Valid values range from 1 to 4094. Some VLAN IDs might be reserved on connected devices, so see the device documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration. Note All VLAN IDs must be unique among all subinterfaces configured on the same physical interface. |
| Enable Port Security | When selected, enables you to restrict input to an interface by limiting the MAC addresses that are allowed to access the port. |
| Maximum secure MAC addresses | Applies only when Enable Port Security is selected. The maximum number of secure MAC addresses for the interface. Valid values range from 1 to 4097. Note Secure MAC addresses are configured dynamically using the MAC addresses of connected devices. |
| Security violation action | The action to take if a security violation occurs. A security violation occurs if a workstation whose MAC address is not in the address table attempts to access the interface after the maximum number of secure MAC addresses is configured. |
| Enable VACL Capture | When selected, enables VACL capture. If the capture bit is set, ports with the capture function enabled can receive forwarded packets. |
| VACL capture VLANs | Enables you to identify the VLANs where VACLs should receive forwarded VLAN packets. This option is available if you selected the Enable VACL Capture check box. Enter a comma-separated list of VLAN IDs or click Select to open the VLAN Selector Dialog Box. VACLs can capture VLAN packets only when they are initially routed or bridged into the VLAN. Only forwarded packets can be captured. |
| Duplex | The duplex setting of the interface. If the speed is set to Auto, the duplex setting must also be set to Auto. |
| MTU | The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type. |
| Description | A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns. Note For multiple context mode, the system description is independent of the context description. |
| Flow Control (Receive) | The flow control setting for incoming frames. Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full. |
| Interface Roles | Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. See Understanding Interface Role Objects. |
Create and Edit Interface Dialog Boxes—Routed Port Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical interfaces that run in routed port mode on Layer 3.
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Routed Port from the Mode list.
- Create and Edit Interface Dialog Boxes—Access Port Mode
- Create and Edit Interface Dialog Boxes—Trunk Port Mode
- Create and Edit Interface Dialog Boxes—Dynamic Mode
- Understanding Interface Role Objects
- Selecting Objects for Policies
- Understanding Networks/Hosts Objects
| Element | Description |
|---|---|
| Enable Interface | When selected, enables the interface. When deselected, disables the interface using the shutdown command. |
| Type | Specifies whether the definitions apply to an interface or a subinterface. For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces. |
| Name | Displays the generated interface name, if the name has been set. Click Select to open the Interface Auto Name Generator Dialog Box. From here, you can enter or edit the details that Security Manager uses to generate an interface name. |
| Mode | The port configuration type for this interface. Select Routed Port to display the configuration options that are relevant for routed ports. |
| IP Address | Enables you to enter an IP address, or you can click Select to open the Networks/Hosts Selector, where you can select an IP address. |
| Helper IP Address | Enables you to assign a helper IP address to the interface. A helper IP address converts broadcast DHCP requests to unicast requests that are directed exclusively to the DHCP server. |
| Netmask | Enables you to specify the subnet mask. You can enter a netmask value or you can select a netmask from the list. If you enter a netmask, you can express its value in dotted decimal format (for example, 255.255.255.0) or you can enter the number of bits (for example, 24). Note Do not use 255.255.255.254 or 255.255.255.255 for any interface that is connected to your network; these netmasks cause all traffic on an interface to stop. |
| Duplex | The duplex setting of the interface. If the speed is set to Auto, the duplex setting must also be set to Auto. |
| MTU | The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type. |
| Description | A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns. Note For multiple context mode, the system description is independent of the context description. |
| Flow Control (Receive) | The flow control setting for incoming frames. Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full. |
| Interface Roles | Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. See Understanding Interface Role Objects. |
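The Netmask field accepts either dotted-decimal or bit-count form, and the note above warns that 255.255.255.254 and 255.255.255.255 must never be used on a network-connected interface. The following script, added here as an example and not part of Security Manager or of the original page, normalizes a value the way a pre-deployment check could before the routed-port definition is pushed to the device. The function names (`normalize_netmask`, `validate_interface_netmask`, `check_routed_port`) and the sample addresses are assumptions constructed for this example; the subnet-address and broadcast-address checks go beyond what the page states.

```python
import ipaddress

# Netmasks the page's note warns against on any network-connected interface:
# they leave no usable host addresses, so traffic on the interface stops.
FORBIDDEN_NETMASKS = {"255.255.255.254", "255.255.255.255"}


def normalize_netmask(value: str) -> str:
    """Accept a netmask the way the dialog does, as dotted decimal
    ("255.255.255.0") or as a bit count ("24"), and return dotted decimal.
    Raise ValueError for anything that is not a contiguous IPv4 netmask."""
    value = value.strip()
    if value.isdigit():
        bits = int(value)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {value}")
        return str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)
    try:
        mask = int(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not a netmask: {value!r}") from exc
    # A netmask is a run of 1 bits followed by 0 bits, so its bitwise
    # inverse must be of the form 2**n - 1; a hostmask such as 0.0.0.255
    # or a gappy mask such as 255.255.255.15 fails this test.
    inverted = mask ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {value}")
    return str(ipaddress.IPv4Address(mask))


def validate_interface_netmask(value: str) -> str:
    """Normalize the mask and reject the two the dialog's note says never to use."""
    mask = normalize_netmask(value)
    if mask in FORBIDDEN_NETMASKS:
        raise ValueError(f"{mask} must not be used on a network-connected interface")
    return mask


def check_routed_port(ip: str, netmask: str) -> dict:
    """Validate a routed-port address/mask pair and report obvious mistakes."""
    mask = validate_interface_netmask(netmask)
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    problems = []
    if iface.ip == net.network_address:
        problems.append("address is the subnet's network address")
    if iface.ip == net.broadcast_address:
        problems.append("address is the subnet's broadcast address")
    return {"address": str(iface.ip), "netmask": mask,
            "prefixlen": net.prefixlen, "problems": problems}


if __name__ == "__main__":
    # Constructed sample input: values of the kind typed into the Netmask field.
    for ip, mask in [("10.1.2.3", "24"), ("10.1.2.3", "255.255.255.0"),
                     ("10.1.2.0", "24"), ("10.1.2.3", "255.255.255.255")]:
        try:
            print(ip, mask, "->", check_routed_port(ip, mask))
        except ValueError as err:
            print(ip, mask, "-> rejected:", err)
```

The contiguity test matters because `ipaddress.IPv4Network` silently accepts a hostmask such as 0.0.0.255 as the equivalent /24, which is not what an operator who mistyped the mask intended.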
Create and Edit Interface Dialog Boxes—Trunk Port Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical and virtual interfaces that run in trunk port mode.
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Trunk Port from the Mode list.
- Create and Edit Interface Dialog Boxes—Access Port Mode
- Create and Edit Interface Dialog Boxes—Routed Port Mode
- Create and Edit Interface Dialog Boxes—Dynamic Mode
- Understanding FlexConfig Policies and Policy Objects
- Understanding Interface Role Objects
| Element | Description |
|---|---|
| Enable Interface | When selected, enables the interface. When deselected, disables the interface using the shutdown command. |
| Type | Specifies whether the definitions apply to an interface or a subinterface. For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces. |
| Name | Displays the generated interface name, if the name has been set. Click Select to open the Interface Auto Name Generator Dialog Box. From here, you can enter or edit the details that Security Manager uses to generate an interface name. |
| Mode | The port configuration type for this interface. Select Trunk Port to display the configuration options that are relevant for trunk ports. |
| Native VLAN | Enables you to select the Native VLAN to associate with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) This option applies only if you are configuring a physical interface that is meant to serve as an 802.1Q trunk interface. You must first specify DOT1Q as the encapsulation type. The Native VLAN of a trunk interface is the VLAN to which all untagged VLAN packets are logically assigned. This includes the management traffic associated with the VLAN. When deselected, the Native VLAN is not associated with this interface. Note The Native VLAN cannot be configured on a subinterface of the trunk interface. Be sure to configure the same Native VLAN value at both ends of the link; otherwise, traffic may be lost or sent to the wrong VLAN. Click Select to open the VLAN Selector Dialog Box. From here, you can associate a native VLAN with the described interface. |
| Enable DTP Negotiation | When selected, enables Dynamic Trunking Protocol (DTP) negotiation. DTP manages trunk auto-negotiation (ISL and 802.1Q) between devices. |
| Allowed VLANs | Enables you to specify which VLANs are allowed on the trunk. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200). Valid IDs range from 1 to 4094. Or, click Select to open the VLAN Selector Dialog Box. From here, you can select the VLANs to include on the trunk. |
| Pruning VLANs | Enables you to specify which VLANs are eligible for pruning. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200). Or, click Select to open the VLAN Selector Dialog Box. From here, you can select the VLANs that are eligible for pruning. |
| Enable VACL Capture | When selected, enables VACL capture. If the capture bit is set, ports with the capture function enabled can receive forwarded packets. |
| VACL capture VLANs | Enables you to identify the VLANs where VACLs should receive forwarded VLAN packets. This option is available if you selected the Enable VACL Capture check box. Enter a comma-separated list of VLAN IDs, or click Select to open the VLAN Selector Dialog Box. VACLs can capture VLAN packets only when they are initially routed or bridged into the VLAN. Only forwarded packets can be captured. |
| Enable Port Security | Applies only to devices running IOS Software Version 12.2(18)SXE2 or later. When selected, enables you to restrict input to an interface by limiting the MAC addresses that are allowed to access the port. When deselected, disables port security. Note If you select this option, the Enable DTP Negotiation option is automatically deselected. |
| Maximum secure MAC addresses | Applies only when Enable Port Security is selected. The maximum number of secure MAC addresses for the interface. Valid values range from 1 to 4097. Note Secure MAC addresses are configured dynamically using the MAC addresses of connected devices. |
| Security violation action | The action to take if a security violation occurs. A security violation occurs if a workstation whose MAC address is not in the address table attempts to access the interface after the maximum number of secure MAC addresses is configured. |
| Duplex | The duplex setting of the interface. If the speed is set to Auto, the duplex setting must also be set to Auto. |
| MTU | The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type. |
| Description | A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns. Note For multiple context mode, the system description is independent of the context description. |
| Flow Control (Receive) | The flow control setting for incoming frames. Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full. |
| Interface Roles | Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. See Understanding Interface Role Objects. |
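The access-port, trunk-port and dynamic-mode dialog boxes above share a handful of constraints worth checking before deployment: VLAN IDs and VLAN lists ("12,17,22" or "2-200") must fall within 1 to 4094, the maximum number of secure MAC addresses must be between 1 and 4097 and only applies when port security is enabled, port security and DTP negotiation cannot both be on, both ends of a trunk must agree on the native VLAN, and VLAN IDs must be unique among the subinterfaces of one physical interface. The script below is an added example that is not part of Security Manager or of the original page; the `Port` dataclass, the function names and the GigabitEthernet sample definitions are assumptions constructed for this illustration. It covers the Access Port Mode, Trunk Port Mode and Dynamic Mode tables together.

```python
from dataclasses import dataclass
from typing import Optional

# Limits quoted in the dialog-box descriptions.
VLAN_MIN, VLAN_MAX = 1, 4094
SECURE_MAC_MIN, SECURE_MAC_MAX = 1, 4097
DEFAULT_NATIVE_VLAN = 1


def parse_vlan_list(text: str) -> set[int]:
    """Parse the VLAN syntax the dialog accepts: comma-separated IDs and
    hyphenated ranges, e.g. "12,17,22" or "2-200". Rejects IDs outside 1-4094."""
    vlans = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"descending range: {token}")
            ids = range(lo, hi + 1)
        else:
            ids = [int(token)]
        for vlan in ids:
            if not VLAN_MIN <= vlan <= VLAN_MAX:
                raise ValueError(f"VLAN {vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
            vlans.add(vlan)
    if not vlans:
        raise ValueError("no VLAN IDs given")
    return vlans


@dataclass
class Port:
    """Hypothetical model of one Create/Edit Interface dialog (assumed shape)."""
    name: str
    mode: str                          # "access", "trunk" or "dynamic"
    access_vlan: Optional[int] = None
    native_vlan: int = DEFAULT_NATIVE_VLAN
    allowed_vlans: str = ""            # dialog syntax; empty means unrestricted
    dtp_negotiation: bool = False
    port_security: bool = False
    max_secure_macs: Optional[int] = None


def check_port(port: Port) -> list[str]:
    """Return the constraint violations for a single port definition."""
    findings = []
    if port.mode == "access":
        if port.access_vlan is None or not VLAN_MIN <= port.access_vlan <= VLAN_MAX:
            findings.append("access port needs exactly one VLAN ID in 1-4094")
    elif port.mode in ("trunk", "dynamic"):
        if port.allowed_vlans:
            try:
                parse_vlan_list(port.allowed_vlans)
            except ValueError as err:
                findings.append(f"allowed VLAN list invalid: {err}")
        if not VLAN_MIN <= port.native_vlan <= VLAN_MAX:
            findings.append("native VLAN is outside 1-4094")
        if port.port_security and port.dtp_negotiation:
            findings.append("port security and DTP negotiation are mutually exclusive")
    else:
        findings.append(f"unknown mode {port.mode!r}")
    if port.port_security:
        if port.max_secure_macs is None or not SECURE_MAC_MIN <= port.max_secure_macs <= SECURE_MAC_MAX:
            findings.append("maximum secure MAC addresses must be in 1-4097")
    elif port.max_secure_macs is not None:
        findings.append("maximum secure MAC addresses applies only with port security")
    return findings


def check_link(a: Port, b: Port) -> list[str]:
    """Both ends of a trunk link must use the same native VLAN."""
    if a.native_vlan != b.native_vlan:
        return [f"native VLAN mismatch: {a.name}={a.native_vlan}, {b.name}={b.native_vlan}"]
    return []


def check_subinterfaces(vlan_by_subinterface: dict) -> list[str]:
    """VLAN IDs must be unique among the subinterfaces of one physical interface
    (subinterface names are 'parent.id', e.g. GigabitEthernet2/7.10)."""
    seen = {}
    for name, vlan in vlan_by_subinterface.items():
        parent = name.split(".", 1)[0]
        seen.setdefault((parent, vlan), []).append(name)
    return [f"{parent}: VLAN {vlan} reused by {', '.join(sorted(names))}"
            for (parent, vlan), names in seen.items() if len(names) > 1]


if __name__ == "__main__":
    # Constructed sample definitions, not taken from any real device.
    uplink = Port("GigabitEthernet1/1", "trunk", native_vlan=99,
                  allowed_vlans="10,20,30-40", dtp_negotiation=True,
                  port_security=True, max_secure_macs=5)
    print(uplink.name, check_port(uplink))
    print(check_link(uplink, Port("GigabitEthernet1/2", "trunk", native_vlan=1)))
    print(check_subinterfaces({"GigabitEthernet2/7.10": 10,
                               "GigabitEthernet2/7.20": 10,
                               "GigabitEthernet2/8.10": 10}))
```

The port-security/DTP check mirrors the dialog's own behaviour (selecting Enable Port Security clears Enable DTP Negotiation), so a definition that somehow carries both is a sign it was edited outside the dialog and should be reviewed before deployment.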
Create and Edit Interface Dialog Boxes—Dynamic Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical and virtual interfaces that run in dynamic mode. Dynamic ports can convert the link into a trunk link based on the settings of the neighboring port.
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Dynamic from the Mode list.
- Create and Edit Interface Dialog Boxes—Access Port Mode
- Create and Edit Interface Dialog Boxes—Routed Port Mode
- Create and Edit Interface Dialog Boxes—Trunk Port Mode
- Interface Auto Name Generator Dialog Box
- Understanding FlexConfig Policies and Policy Objects
- Understanding Interface Role Objects
| Element | Description |
|---|---|
| Enable Interface | When selected, enables the interface. When deselected, disables the interface using the shutdown command. |
| Type | Specifies whether the definitions apply to an interface or a subinterface. For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces. |
| Name | Displays the generated interface name, if the name has been set. Click Select to open the Interface Auto Name Generator Dialog Box. From here, you can enter or edit the details that Security Manager uses to generate an interface name. |
| Mode | The port configuration type for this interface. Select Dynamic to display the configuration options that are relevant for dynamic ports. |
| Access VLAN ID | The access VLAN ID to use when the port does not function as a trunking link. This can occur when the neighboring interface is not set to trunk, auto, or desirable mode. |
| Native VLAN | Enables you to select the Native VLAN to associate with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) This option applies only if you are configuring a physical interface that is meant to serve as an 802.1Q trunk interface. You must first specify DOT1Q as the encapsulation type. The Native VLAN of a trunk interface is the VLAN to which all untagged VLAN packets are logically assigned. This includes the management traffic associated with the VLAN. When deselected, the Native VLAN is not associated with this interface. Note The Native VLAN cannot be configured on a subinterface of the trunk interface. Be sure to configure the same Native VLAN value at both ends of the link; otherwise, traffic may be lost or sent to the wrong VLAN. Click Select to open the VLAN Selector Dialog Box. From here, you can associate a native VLAN with the described interface. |
| Allowed VLANs | Enables you to specify which VLANs are allowed on the trunk. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200). Valid IDs range from 1 to 4094. Alternatively, click Select to open the VLAN Selector Dialog Box. From here, you can select the VLANs to include on the trunk. |
| Pruning VLANs | Enables you to specify which VLANs are eligible for pruning. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200). Alternatively, click Select to open the VLAN Selector Dialog Box. From here, you can select the VLANs that are eligible for pruning. |
| Enable VACL Capture | When selected, enables VACL capture. If the capture bit is set, ports with the capture function enabled can receive forwarded packets. |
| VACL capture VLANs | Enables you to identify the VLANs where VACLs should receive forwarded VLAN packets. This option is available if you selected the Enable VACL Capture check box. Enter a comma-separated list of VLAN IDs or click Select to open the VLAN Selector Dialog Box. VACLs can capture VLAN packets only when they are initially routed or bridged into the VLAN. Only forwarded packets can be captured. |
| Duplex | The duplex setting of the interface. If the speed is set to Auto, the duplex setting must also be set to Auto. |
| MTU | The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type. |
| Description | A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns. Note For multiple context mode, the system description is independent of the context description. |
| Flow Control (Receive) | The flow control setting for incoming frames. Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full. |
| Interface Roles | Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. See Understanding Interface Role Objects. |
Create and Edit Interface Dialog Boxes—Subinterfaces
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of subinterfaces defined on Catalyst 6500/7600 devices.
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Subinterface from the Type list.
- Create and Edit Interface Dialog Boxes—Access Port Mode
- Create and Edit Interface Dialog Boxes—Routed Port Mode
- Create and Edit Interface Dialog Boxes—Trunk Port Mode
- Create and Edit Interface Dialog Boxes—Dynamic Mode
- Understanding Interface Role Objects
Create and Edit Interface Dialog Boxes—Unsupported Mode
If you discover an interface configured with a mode that is not supported by Security Manager (such as dot1q-tunnel or private-vlan), the interface is displayed in Unsupported mode. You can view the attributes of this interface, but you cannot make any changes to the configuration unless you first change the mode. All definition fields, other than Mode, are read-only.
Go to the Interfaces/VLANs Page—Interfaces Tab, select an interface whose mode is defined as Unsupported, then click Add or Edit to open the Create/Edit Interface dialog box.
- Create and Edit Interface Dialog Boxes—Access Port Mode
- Create and Edit Interface Dialog Boxes—Routed Port Mode
- Create and Edit Interface Dialog Boxes—Trunk Port Mode
- Create and Edit Interface Dialog Boxes—Dynamic Mode
| Element | Description |
|---|---|
| Enabled | When selected, indicates that the interface is enabled. When deselected, indicates that the interface has been disabled using the shutdown command. |
| Type | Specifies whether the definitions apply to an interface or a subinterface. |
| Mode | Displays Unsupported, which designates an interface whose mode is not supported by Security Manager. Select a different option to change the interface mode. Note If you change the interface mode, you can then modify the other settings in this dialog box. |
| Duplex | Displays the duplex setting of the interface. If the speed is set to Auto, the duplex setting must also be set to Auto. |
| MTU | Displays the maximum transmission unit, which is the largest packet size (in bytes) that the interface can handle. The range of valid values depends on the interface type. |
| Description | Displays a text description of the interface. For multiple context mode, the system description is independent of the context description. |
| Flow Control | Displays the flow control setting for incoming frames. Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full. |
| Roles | Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules that can apply to multiple interfaces. See Understanding Interface Role Objects. |
VLANs
A VLAN is a switched network that is segmented logically instead of on the basis of geography. For example, a VLAN might interconnect members of a geographically dispersed workgroup. VLANs offer a practical convenience for many organizations because they reduce the need to rearrange the physical placement of personnel, equipment, and network infrastructure. Properly configured VLANs are scalable, secure, and can simplify the tasks of network management.
A VLAN consists of hosts and network devices (such as bridges and routers), connected by a single bridging domain. Traffic between VLANs must be routed.
Security Manager helps you to create VLANs and define VLAN settings for the defined interfaces on Cisco Catalyst switches and Cisco 7600 Series routers, their supported services modules, and their security contexts.
The following topics describe the actions you can perform when defining VLANs on Catalyst devices:
- VLAN Groups
- VLAN ACLs (VACLs)
- Chapter 68, “Managing Cisco Catalyst Switches and Cisco 7600 Series Routers”
Creating or Editing VLANs
You can create a VLAN or reconfigure the attributes of a VLAN.
- Deleting VLANs
- Creating or Editing VLAN Groups
- Creating or Editing VACLs
- Create and Edit VLAN Dialog Boxes
- VLANs
Step 1 (Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy selector, then click the VLANs tab in the work area.
The VLANs tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—VLANs Tab.
Step 2 Do one of the following:
- To define the attributes of a new VLAN, click Add Row.
- To edit the attributes of a VLAN, select it in the list, then click Edit Row.
See Create and Edit VLAN Dialog Boxes, for a description of the fields in the dialog box.
Step 3 In the VLAN ID field, enter a unique ID number for the VLAN. The number that you enter must not be assigned to any other VLAN in the bridging group.
Step 4 (Optional) Enter a name for the VLAN.
Step 5 (Optional) If the VLAN is part of a VLAN group, select the group ID, or select Add Group to open the Create VLAN Group dialog box. For more information, see Creating or Editing VLAN Groups.
Step 6 From the Status list, specify the status of the VLAN (active or suspended).
Step 7 From the Type list, select either Layer 2 or Layer 3.
Step 8 (Optional) For a Layer 3 VLAN, define a switched virtual interface (SVI):
a. To make the SVI active, select the Enable Interface check box. An SVI enables routing between VLANs and provides IP host connectivity to the switch. If you do not select this check box, the SVI is created in shutdown mode.
b. Enter the IP address for the SVI.
c. Enter the SVI subnet mask by typing it, or select a netmask value from the Subnet Mask list.
d. Enter an optional description, if required.
Step 9 Do one or both of the following:
- To associate access ports with the VLAN, enter their names in the Access Ports text box or click Select to open an interface selector.
- To associate trunk ports with the VLAN, enter their names in the Trunk Ports text box or click Select to open an interface selector.
See Access Port Selector Dialog Box and Trunk Port Selector Dialog Box for a description of these selectors. For more information about defining ports, see Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers.
Step 10 Click OK to save your definitions locally on the client and close the dialog box.
Deleting VLANs
You can delete a VLAN. However, deleting a VLAN does not delete it from any policy that might reference it. Ensure that your other policies do not use the VLAN before you delete it. When you submit your changes to the database, Security Manager points out any undefined VLANs that are referenced by other policies.
Step 1 (Device view) Select a Cisco Catalyst switch or Cisco 7600 Series router from the Device selector.
Step 2 Select Interfaces/VLANs from the Policy selector.
Step 3 Click the VLANs tab in the work area.
The VLANs tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—VLANs Tab.
Step 4 Select a VLAN from the table, then click Delete Row.
Interfaces/VLANs Page—VLANs Tab
Use the VLANs tab to view and configure VLANs on supported Cisco Catalyst switches and Cisco 7600 Series routers.
- Interfaces/VLANs Page—VLAN Groups Tab
- Interfaces/VLANs Page—Interfaces Tab
- Viewing a Summary of Catalyst Interfaces, VLANs, and VLAN Groups
- Understanding FlexConfig Policies and Policy Objects
- Create and Edit VLAN Dialog Boxes
- Filtering Tables
Create and Edit VLAN Dialog Boxes
Use the Create VLAN dialog box (or the Edit VLAN dialog box) to configure or reconfigure VLAN settings and attributes.
Go to the Interfaces/VLANs Page—VLANs Tab, then click the Add or Edit button beneath the table.
- Understanding FlexConfig Policies and Policy Objects
- Create and Edit VLAN Group Dialog Boxes
- Interface Selector Dialog Box—VLAN ACL Content
| Element | Description |
|---|---|
| VLAN ID | Displays the VLAN ID if one is configured. Otherwise, enter the ID manually. The VLAN ID specifies where 802.1Q tagged packets are sent and received on an interface or subinterface; without a VLAN ID, the interface or subinterface cannot send or receive traffic. Each VLAN must have an ID. Valid values range from 1 to 4094. Note All VLAN IDs must be unique among all subinterfaces configured on the same physical interface. |
| Name | Enter a name for the VLAN, or view the VLAN name if you entered one previously. Each VLAN must have an ID, and can optionally have a name. The maximum length is 32 characters. |
| Group | The VLAN group to which the VLAN belongs. A VLAN can be associated with one group only. You can associate the VLAN with an existing group, or select Add Group to open the Create VLAN Group dialog box. |
| Type | Indicates whether the specified VLAN is configured for Layer 2 or Layer 3, and enables you to choose the kind of VLAN that you prefer. A Layer 3 VLAN requires an IP address and creates a VLAN interface. |
| Enable Interface, IP Address, Subnet Mask, Description | Apply only when defining a Layer 3 VLAN. These fields define the switched virtual interface (SVI) for the VLAN; see Creating or Editing VLANs. |
| Access Ports | Lists which access ports are associated with the specified VLAN, if any are associated, and enables you to add or remove access port associations for the specified VLAN. You can associate any number of access ports with a VLAN. Click Select to open the Access Port Selector Dialog Box. From here, you can associate access ports with the specified VLAN, or remove access port associations from the VLAN. |
| Trunk Ports | Lists which trunk ports are associated with the specified VLAN, if any are associated, and enables you to add or remove trunk port associations for the specified VLAN. A VLAN can belong to the allowed list of one or more trunk ports. You can include a VLAN in a trunk port group. Click Select to open the Trunk Port Selector Dialog Box. From here, you can associate trunk ports with the specified VLAN, or remove trunk port associations from the VLAN. |
Access Port Selector Dialog Box
Use the Access Port Selector dialog box to define which access ports are associated with a selected VLAN.
Open the Create and Edit VLAN Dialog Boxes, then click Select in the Access Ports field.
- Create and Edit Interface Dialog Boxes—Access Port Mode
- Trunk Port Selector Dialog Box
- Filtering Tables
Trunk Port Selector Dialog Box
Use the Trunk Port Selector dialog box to define which trunk ports are associated with a selected VLAN.
Open the Create and Edit VLAN Dialog Boxes, then click Select in the Trunk Ports field.
- Create and Edit Interface Dialog Boxes—Trunk Port Mode
- Access Port Selector Dialog Box
- Filtering Tables
VLAN Groups
A VLAN group defines a logical collection of VLANs. The VLAN Groups tab on the Interfaces/VLANs page displays:
- All VLAN groups that are defined on the selected device.
- The service module slots to which a VLAN group is bound.
- Which VLANs belong to each VLAN group.
VLAN groups can be used when assigning VLANs to an FWSM security context. A VLAN group can be assigned to multiple FWSMs, and each FWSM can have multiple VLAN groups assigned to it. To perform this assignment, see Add/Edit Security Context Dialog Box (FWSM).
The following topics describe the actions you can perform when defining VLAN groups on Catalyst devices:
- Interfaces
- VLANs
- VLAN ACLs (VACLs)
- Chapter 68, “Managing Cisco Catalyst Switches and Cisco 7600 Series Routers”
Creating or Editing VLAN Groups
You can create VLAN groups. When you create a VLAN group, remember that:
- Each group must have an ID.
- You can associate a VLAN group with one or more FWSM modules.
- Each VLAN can be a member of only one VLAN group.
- Deleting VLAN Groups
- Creating or Editing VLANs
- Creating or Editing VACLs
- Interfaces/VLANs Page—VLAN Groups Tab
- VLAN Groups
Step 1 (Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy selector, then click the VLAN Groups tab in the work area.
The VLAN Groups tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—VLAN Groups Tab.
Step 2 Do one of the following:
- To define the attributes of a new VLAN group, click Add Row.
- To edit the attributes of a VLAN group, select it in the list, then click Edit Row.
See Create and Edit VLAN Group Dialog Boxes, for a description of the fields in this dialog box.
Step 3 In the VLAN Group ID field, enter a unique ID number for the VLAN group. The number that you enter must not be assigned to any other VLAN group.
Step 4 To associate the VLAN group with specific service module slots, enter their slot numbers in the Service Module Slots text box, or click Select to open a selector.
Note Defining this association makes it possible to later assign this VLAN group to a security context on the FWSM. See Add/Edit Security Context Dialog Box (FWSM).
Step 5 Enter the VLANs to add to the VLAN group, or click Select to open a selector.
Step 6 Click OK to save your definitions locally on the client and close the dialog box.
Deleting VLAN Groups
You can delete VLAN groups. Deleting a VLAN group has no effect on the VLANs in the group.
Step 1 (Device view) Select a Catalyst 6500 Series switch or Cisco 7600 Series router from the Device selector.
Step 2 Select Interfaces/VLANs from the Policy selector.
Step 3 Click the VLAN Groups tab in the work area.
The VLAN Groups tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—VLAN Groups Tab.
Step 4 Select a VLAN group from the table, then click Delete Row. The VLAN group is deleted.
Interfaces/VLANs Page—VLAN Groups Tab
Use the VLAN Groups tab to view and configure VLAN groups on supported 6500 Series switches and 7600 Series routers.
Note The VLAN Groups tab is available only for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers.
- Interfaces/VLANs Page—VLANs Tab
- Interfaces/VLANs Page—Interfaces Tab
- Viewing a Summary of Catalyst Interfaces, VLANs, and VLAN Groups
- Create and Edit VLAN Group Dialog Boxes
- Filtering Tables
Create and Edit VLAN Group Dialog Boxes
Use the Create and Edit VLAN Group dialog box to configure or reconfigure the attributes of VLAN groups, which are logical groups of VLANs that you want to associate with one another when you define VLAN port policies.
- Go to the Interfaces/VLANs Page—VLAN Groups Tab, then click the Add or Edit button beneath the table.
- Go to the Interfaces/VLANs Page—VLANs Tab, click the Add or Edit button beneath the table, then select Add Group from the Group list.
| Element | Description |
|---|---|
| VLAN Group ID | The ID of the VLAN group. Valid values range from 1 to 65535. |
| Service Module Slots | The chassis slot number (in which the relevant services module is installed) that is associated with the interface through which a particular VLAN participates in the VLAN group. Enter the slot number or click Select to open the Service Module Slot Selector Dialog Box. Note After you associate the VLAN group with a service module, such as an FWSM, you can assign the VLAN group to the security contexts of the FWSM. See Add/Edit Security Context Dialog Box (FWSM). |
| VLANs | The comma-separated IDs of all VLANs that are part of the group. Each VLAN can be a member of only one group. Click Select to open the VLAN Selector Dialog Box. From here, you can select VLANs to include in the VLAN group. |
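The VLAN list syntax used throughout these dialog boxes (comma-separated IDs and hyphenated ranges such as 12,17,22 or 2-200, valid IDs 1 to 4094, as in the trunk port Allowed VLANs field) and the one-group-per-VLAN rule stated for VLAN groups are easy to check before a deployment. The following Python helper is an added example and is not part of Security Manager; it parses that list syntax, rejects out-of-range or reversed entries, enforces the group rules (group ID 1 to 65535, each VLAN in at most one group), and compares a trunk's allowed list with the VLANs it actually needs to carry. The function names and all VLAN numbers are assumptions made for the example.

```python
"""VLAN list parsing and VLAN group / trunk checks (added example, not Security Manager code)."""
from __future__ import annotations

import re

VLAN_MIN, VLAN_MAX = 1, 4094        # valid 802.1Q VLAN IDs
GROUP_MIN, GROUP_MAX = 1, 65535     # valid VLAN group IDs

_TOKEN = re.compile(r"(\d+)(?:-(\d+))?")   # "17" or "2-200"


def parse_vlan_list(text: str) -> set[int]:
    """Expand '12,17,22' or '2-200' (or a mix of both) into a set of VLAN IDs.

    Malformed tokens, out-of-range IDs and reversed ranges raise ValueError
    instead of silently producing a partial set, which matters when the result
    feeds a trunk's allowed-VLAN list.
    """
    vlans: set[int] = set()
    for token in text.replace(" ", "").split(","):
        if not token:
            continue
        m = _TOKEN.fullmatch(token)
        if m is None:
            raise ValueError(f"malformed VLAN token {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range {token!r} is reversed or outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans: set[int]) -> str:
    """Compress a set of VLAN IDs back into the '1-3,5,10-11' form the dialogs accept."""
    runs: list[list[int]] = []
    for v in sorted(vlans):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v           # extend the current run
        else:
            runs.append([v, v])       # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def build_vlan_groups(groups: dict[int, str]) -> dict[int, set[int]]:
    """Map group ID -> member VLANs, enforcing: group ID in range, and
    each VLAN is a member of only one group."""
    owner: dict[int, int] = {}
    result: dict[int, set[int]] = {}
    for gid, text in groups.items():
        if not GROUP_MIN <= gid <= GROUP_MAX:
            raise ValueError(f"VLAN group ID {gid} outside {GROUP_MIN}-{GROUP_MAX}")
        members = parse_vlan_list(text)
        for v in members:
            if v in owner:
                raise ValueError(f"VLAN {v} is already a member of group {owner[v]}")
            owner[v] = gid
        result[gid] = members
    return result


def trunk_allowed_delta(allowed: str, required: str) -> tuple[set[int], set[int]]:
    """Compare a trunk's Allowed VLANs list with the VLANs it must carry.

    Returns (missing, extra): VLANs required but not allowed (their traffic is
    black-holed on the trunk) and VLANs allowed but not required (an
    unnecessarily wide trunk; remove them from the allowed list).
    """
    allowed_set, required_set = parse_vlan_list(allowed), parse_vlan_list(required)
    return required_set - allowed_set, allowed_set - required_set


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    print(format_vlan_list(parse_vlan_list("12,17,22,2-5")))
    print(build_vlan_groups({10: "100-110", 20: "200,201"}))
    print(trunk_allowed_delta("1-99,200-300", "50,120,250"))
```

The parser is deliberately strict: an allowed-VLAN string that fails validation should stop the deployment rather than be partially applied, because a trunk that silently drops a required VLAN is a hard-to-diagnose outage, and a trunk that carries VLANs nobody asked for widens the attack surface between segments.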
Service Module Slot Selector Dialog Box
Use the Service Module Slot Selector dialog box to associate service module slots with a VLAN group.
Go to the Create and Edit VLAN Group Dialog Boxes, then click Select in the Service Module Slots field.
VLAN Selector Dialog Box
Use the VLAN Selector dialog box to associate VLANs with interfaces, VLAN groups, security contexts, and VACLs.
You can access this dialog box when you define interfaces, VLAN groups, IDSM settings, or VACLs by clicking the Select button in any field used for defining VLANs.
VLAN ACLs (VACLs)
Cisco IOS standard or extended ACLs are configured on router interfaces only, and are applied to routed packets only. In contrast, Cisco Catalyst switches and Cisco 7600 Series routers can use VLAN ACLs (VACLs) to control all packets that are bridged within a VLAN, or that are routed into or out of a VLAN or, for VACL capture, a WAN interface. VACLs:
- Are processed in hardware.
- Use Cisco IOS ACLs.
- Ignore any Cisco IOS ACL fields that are not supported in hardware.
Note Security Manager does not support the creation or configuration of MAC ACLs (MACLs), which are named ACLs that are sometimes used with VACLs to filter IPX, DECnet, AppleTalk, VINES, or XNS traffic based on MAC addresses.
When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against the VACL.
If you apply a VACL to a VLAN and you apply an ACL to a routed interface in that same VLAN, any packet coming into the VLAN is first checked against the VACL. Then, if permitted, the packet is checked against the input ACL before it reaches the routed interface.
When a packet is routed from one VLAN to another, it is first checked against the output ACL that is applied to the routed interface. Then, if permitted, the packet is checked against any VACLs that are configured for the destination VLAN.
If a VACL is configured for a packet type, and a packet of that type does not match the VACL, the default action is deny.
Security Manager uses VLAN access maps to configure VACLs. Conceptually similar to a route map, a VLAN access map is a container for one or more numbered statements (sequences), each pairing match conditions with an action; the device evaluates them in ascending sequence-number order. A VLAN access map must also identify the VLANs to which it is applied, have a map name, and contain at least one VACL sequence.
A VACL sequence must have a sequence number and at least one action, and must match at least one ACL.
Devices evaluate map statements in sequence and you can associate more than one VLAN access map with any device chassis.
To manage a VACL, select a Catalyst device in Device View, then select Platform > VLAN Access Lists. You use VLAN access maps to configure VACLs for IP traffic.
The following topics describe the actions you can perform when defining VACLs on Catalyst devices:
Creating or Editing VACLs
When you create or edit a VACL, you must:
- Name the VACL.
- Define the VLANs to which the VACL applies.
- Define a sequence map containing at least one VACL sequence.
- Deleting VACLs
- Creating or Editing VLANs
- Creating or Editing VLAN Groups
- Create and Edit VLAN ACL Dialog Boxes
- VLAN Access Lists Page
Step 1 Do one of the following:
- (Device view) Select a Catalyst device, then select Platform > VLAN Access Lists from the Policy selector.
- (Policy view) Select Catalyst Platform > VLAN Access Lists.
The VLAN Access Lists page is displayed. For a description of the fields on this page, see VLAN Access Lists Page.
Step 2 Do one of the following:
- To define the attributes of a new VACL, click Add Row.
- To edit the attributes of a VACL, select it in the list, then click Edit Row.
A dialog box opens. See Create and Edit VLAN ACL Dialog Boxes, for a description of the fields in the dialog box.
Step 3 Enter a name for the VACL in the VLAN ACL Name field.
Step 4 In the VLANs field, specify the VLANs to which the VACL should be applied, or click Select to open a VLAN selector.
Step 5 Define the sequence map:
a. Click Add Row or Edit Row beneath the Sequence Map table. A dialog box opens. See Create and Edit VLAN ACL Content Dialog Boxes.
b. Enter a number to identify the sequence.
c. Specify the standard and extended ACLs to assign to the sequence, or click Select to select the ACL object from a list or to create a new ACL object. For more information about ACL objects, see Creating Access Control List Objects.
d. Specify the action to perform on traffic that matches the ACLs defined in this sequence. (When you select Redirect as the action, you must specify the physical destination interfaces, or click Select to display a selector. See Specifying Interfaces During Policy Definition.)
e. Click OK to save your definitions locally on the client and close the dialog box. The sequence is displayed in the Sequence Map table.
f. Repeat the process to add sequences to the sequence map.
g. Use the up and down arrows to reorder the sequences, if required.
Note The order in which you place the sequences is significant. When a flow matches a permit ACL entry, the associated action is taken without checking the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
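The matching rules described above, in the VLAN ACLs (VACLs) overview and in the Note on sequence ordering, are where VACL mistakes usually happen: a sequence matches only when one of its ACLs returns a permit, a deny entry (or the implicit deny at the end of an ACL) is "no match" rather than "drop", later sequences are not checked once one matches, and a packet that matches nothing is dropped when an IP ACL is configured. The following Python simulation is an added example, not Security Manager or Cisco IOS code, that models these rules together with the ordering of VACL and interface ACL checks for a packet routed between VLANs. The ACL and access-map names (MGMT_SSH, SERVER_VLAN_MAP and so on), the sample packets, and the simplified packet fields (IPv4 source and destination, protocol, destination port) are assumptions made for the example.

```python
"""Simulation of Catalyst VLAN access-map (VACL) evaluation (added example, not IOS code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry, like `permit tcp 10.1.0.0/16 any eq 22`."""
    permit: bool
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "ip"     # "ip" matches every protocol
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("ip", p.proto)
                and (self.dport is None or self.dport == p.dport))


def acl_permits(acl: list[Ace], p: Packet) -> bool:
    """IOS ACL lookup: the first matching entry wins; implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.permit
    return False


@dataclass(frozen=True)
class Sequence:
    number: int
    action: str                        # "forward", "forward capture", "drop", "drop log", "redirect"
    match_acls: tuple[str, ...] = ()   # empty match clause: the sequence matches every packet


def evaluate_vacl(sequences: list[Sequence], acls: dict[str, list[Ace]], p: Packet) -> str:
    """Return the action the VLAN access map applies to packet p."""
    for seq in sorted(sequences, key=lambda s: s.number):
        # A sequence matches only on an ACL permit; a deny is "no match", so keep going.
        if not seq.match_acls or any(acl_permits(acls[name], p) for name in seq.match_acls):
            return seq.action            # first matching sequence wins; the rest are not checked
    # Nothing matched: default deny when at least one IP ACL is configured.
    return "drop" if any(s.match_acls for s in sequences) else "forward"


def route_between_vlans(p: Packet, src_map: list[Sequence], dst_map: list[Sequence],
                        in_acl: Optional[list[Ace]], out_acl: Optional[list[Ace]],
                        acls: dict[str, list[Ace]]) -> str:
    """Order of checks for a packet routed from one VLAN to another: source VLAN
    VACL, input ACL on the routed interface, output ACL, destination VLAN VACL."""
    action = evaluate_vacl(src_map, acls, p)
    if action.startswith("drop"):
        return "dropped by source VLAN VACL"
    if action == "redirect":
        return "redirected by source VLAN VACL"   # simplification: redirected packets are not routed here
    if in_acl is not None and not acl_permits(in_acl, p):
        return "dropped by input ACL on routed interface"
    if out_acl is not None and not acl_permits(out_acl, p):
        return "dropped by output ACL on routed interface"
    if evaluate_vacl(dst_map, acls, p).startswith("drop"):
        return "dropped by destination VLAN VACL"
    return "forwarded"


# Constructed sample policy and traffic, not taken from a real device.
ACLS: dict[str, list[Ace]] = {
    "MGMT_SSH":    [Ace(True, src="10.1.0.0/16", proto="tcp", dport=22)],
    "TELNET":      [Ace(True, proto="tcp", dport=23)],
    "DENY_TELNET": [Ace(False, proto="tcp", dport=23)],   # a deny entry never matches a VACL sequence
    "ANY_IP":      [Ace(True)],
}
SERVER_VLAN_MAP = [
    Sequence(10, "forward", ("MGMT_SSH",)),
    Sequence(20, "drop log", ("TELNET",)),
    Sequence(30, "forward"),                      # catch-all: no match clause
]
# Common mistake: blocking telnet with a deny entry. Sequence 10 never matches,
# so telnet falls through to sequence 20 and is forwarded.
BAD_MAP = [
    Sequence(10, "drop", ("DENY_TELNET",)),
    Sequence(20, "forward", ("ANY_IP",)),
]
USER_VLAN_MAP = [Sequence(10, "forward")]
IN_ACL = [Ace(True)]
OUT_ACL = [Ace(False, proto="icmp"), Ace(True)]   # routed interface blocks ICMP on egress

SSH_FROM_MGMT = Packet("10.1.5.9", "10.20.0.10", "tcp", 22)
TELNET = Packet("10.30.7.7", "10.20.0.10", "tcp", 23)
PING = Packet("10.30.7.7", "10.20.0.10", "icmp")

if __name__ == "__main__":
    for pkt in (SSH_FROM_MGMT, TELNET, PING):
        print(pkt, "->", route_between_vlans(pkt, USER_VLAN_MAP, SERVER_VLAN_MAP, IN_ACL, OUT_ACL, ACLS))
    print("telnet under BAD_MAP:", evaluate_vacl(BAD_MAP, ACLS, TELNET))
```

The practical lesson from BAD_MAP is that the ACL objects you attach to a VACL sequence should contain permit entries describing the traffic you want the action applied to; to drop a class of traffic, write a permit ACL that selects it and give the sequence the Drop (or Drop and Log) action, and end the map with a catch-all sequence only if you intend everything else to be forwarded. On the device these constructs correspond to the IOS vlan access-map and vlan filter commands.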
Deleting VACLs
You can delete a VACL if it is not being used by any device, policy, or object.
You must delete all references to the VACL before you can remove it from the database. To locate all references to the VACL, run an object usage report for it. See Generating Object Usage Reports.
Step 1 Do one of the following:
- (Device view) Select a Catalyst device, then select Platform > VLAN Access Lists from the Policy selector.
- (Policy view) Select Catalyst Platform > VLAN Access Lists.
The VLAN Access Lists page is displayed. For a description of the fields on this page, see VLAN Access Lists Page.
Step 2 Click in a row to select a VACL, then click Delete.
Step 3 Click OK to save your changes.
VLAN Access Lists Page
Use the VLAN Access Lists page to view and configure VLAN access lists for Cisco Catalyst switches and Cisco 7600 Series routers.
You can access this page from:
- (Device view) Select Platform > VLAN Access Lists from the Device Policy selector.
- (Policy view) Select Catalyst Platform > VLAN Access Lists from the Policy Types selector.
- Creating Access Control List Objects
- Create and Edit VLAN ACL Dialog Boxes
- Create and Edit VLAN ACL Content Dialog Boxes
- Filtering Tables
| Element | Description |
|---|---|
| Sequence No. | Specifies the map sequence number. VACL sequences are applied in order of sequence number, from lowest to highest. |
| Match ACLs | Displays the Match ACLs, if any are defined. A sequence matches a packet only when an ACL permit entry matches it; a deny entry does not match, and the packet is checked against the next ACL or the next sequence. |
| Action | Specifies whether the action is to drop, drop and log, forward, forward and capture, or redirect packets. Note The redirect action lets you specify up to five interfaces, which can be physical interfaces or EtherChannels. You cannot redirect packets to an EtherChannel member or a VLAN interface. |
| VLANs | The VLANs to which the VACL is applied. |
| Add button | Opens the Create VLAN ACL dialog box, where you can define a new VACL. |
| Edit button | Opens the Edit VLAN ACL dialog box, where you can edit the selected VACL. |
| Log Table Size | The maximum number of flows held in the VACL logging table. Valid sizes range from 0 to 2048 and the default is 500. Logged packets from new flows are dropped when the table is full. |
| Rate Limit | Displays the maximum rate at which packets are redirected for VACL logging. Valid rates range from 10 to 5000 packets per second and the default rate is 2000. Packets that exceed the limit are dropped. |
| Logging Threshold | Displays the logging threshold if one is set. By default, no threshold is set. When you configure VACL logging, denied IP packets generate log messages on a per-flow basis when the threshold for a flow is reached within any interval of less than 5 minutes. Only dropped IP packets can be logged. |
| Capture Interfaces | Identifies the interfaces that capture forwarded packets in which the capture bit is set. You can configure any interface as a capture interface. The capture action sets the capture bit for the forwarded packets so that ports with the capture function enabled can receive the packets. Only forwarded packets can be captured. Note The information shown here is read-only. To define capture interfaces, use the Create/Edit Interface dialog box. See Interfaces/VLANs Page—Interfaces Tab. |
Create and Edit VLAN ACL Dialog Boxes
Use the Create VLAN ACL dialog box (or the Edit VLAN ACL dialog box) to configure or reconfigure VACL attributes.
Go to the VLAN Access Lists Page, then click the Add or Edit button beneath the table.
| Element | Description |
|---|---|
| VLANs | Enables you to designate the VLANs to which the VACL should be applied. Enter the VLAN IDs, or click Select to open the VLAN Selector Dialog Box. |
| Sequence Map | The sequence maps included in the VLAN access map. A VLAN access map can consist of one or more map sequences, where each sequence pairs a match clause, which specifies an ACL object for traffic filtering, with an action clause, which specifies the action to take on packets that meet the criteria defined in the match ACLs. |
|
Create and Edit VLAN ACL Content Dialog Boxes
Use the Create VLAN ACL Content dialog box (or the Edit VLAN ACL Content dialog box) to configure or reconfigure VACL sequences.
Go to the Create and Edit VLAN ACL Dialog Boxes, then click the Add or Edit button beneath the Sequence Map table.
| Element | Description |
|---|---|
| Sequence No. | Specify the map sequence number for the VLAN access map. Valid values range from 1 to 65535. |
| Match ACLs | Specify which ACLs the sequence should include in its match clause. Enter the names of the standard and extended ACL objects to include in the sequence, or click Select to select them from a list or to create new ones. |
| Action | The action to perform on packets that meet the criteria defined in the match ACLs: Drop, Drop and Log, Forward, Forward and Capture, or Redirect. |
| Interfaces | Applies only when the specified action is Redirect. The destination interfaces for redirected packets. Enter the names of up to five physical interfaces, or click Select to open the Interface Selector Dialog Box—VLAN ACL Content. The redirect interfaces must be in the VLAN for which the VACL access map is configured. Note You cannot redirect packets to an EtherChannel member or a VLAN interface. You also cannot redirect packets to a subinterface. |
Interface Selector Dialog Box—VLAN ACL Content
Use the Interface Selector dialog box to define redirect interfaces when you create entries for a VACL sequence map.
Open the Create and Edit VLAN ACL Content Dialog Boxes, select Redirect as the action, then click Select in the Interfaces field.
IDSM Settings
When you select a Catalyst device in Device view, then select Platform > IDSM Settings from the Policy selector, a list is displayed that:
- Displays the settings for data ports on Intrusion Detection System Service Modules (IDSMs).
- Helps you to organize IDSM data ports in channel groups.
The IDSM card detects and stops security threats on network connections. The card inspects the traffic that enters its two data ports and drops packets if a security threat is detected. The data port settings define:
- Which traffic is received by the data ports, as defined by the VLAN IDs.
- The sensing mode used by the data ports:
– Trunk (IPS)—The IDSM performs VLAN bridging between pairs of VLANs within the same data port, operating as an 802.1q trunk. The IDSM inspects the traffic it receives on each VLAN in a VLAN pair and can either forward the packets on the other VLAN in the pair or drop the packet if an intrusion attempt is detected.
– Capture (IDS)—The IDSM passively monitors network traffic that was copied to the data ports by the Catalyst switch using either VACL capture or SPAN. The data ports operate as 802.1q trunks that can be configured to trunk different VLANs. When operating in this passive mode, the IDSM cannot drop packets in response to a network intrusion attempt, but it can send TCP resets over the data ports in an attempt to block the intrusion.
Note Security Manager supports a subset of IDSM settings on chassis running IOS 12.2(18)SXF4 or later. Trunk (IPS) and Capture (IDS) modes are supported; inline mode is not supported. Security Manager cannot manage IDSM data ports that are part of a spanning tree or access VLAN.
For high-traffic networks, EtherChannel is used to perform load balancing among multiple data ports. These data ports might be located on different IDSM cards within the same Catalyst device.
EtherChannel also redirects traffic to the remaining ports in the channel group if a port fails. This resiliency helps preserve intrusion detection and prevention without user intervention and with minimal packet loss.
The following topics describe the actions you can perform when defining IDSM settings:
- Creating or Editing EtherChannel VLAN Definitions
- Deleting EtherChannel VLAN Definitions
- Creating or Editing Data Port VLAN Definitions
- Deleting Data Port VLAN Definitions
- IDSM Settings Page
Creating or Editing EtherChannel VLAN Definitions
When defining an EtherChannel VLAN definition, you must:
- Define the slot-port combination containing the data ports to include in the channel group.
- Select the sensing mode used by the data ports.
- Define which VLANs are forwarded to the data ports.
The following restrictions apply:
- Only one definition is allowed for each channel group.
- Only one definition is allowed for each slot-data port combination. This means that you cannot create an EtherChannel VLAN definition if a data port definition already exists for that slot-data port.
Step 1 Do one of the following:
- (Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.
- (Policy view) Select Catalyst Platform > IDSM Settings.
The IDSM Settings page is displayed. For a description of the fields on this page, see IDSM Settings Page.
Step 2 Do one of the following:
- To create an IDSM EtherChannel VLAN definition, click Add Row beneath the EtherChannel VLANs table.
- To edit an IDSM EtherChannel VLAN definition, select it in the list, then click Edit Row beneath the table.
The IDSM EtherChannel VLAN dialog box is displayed. For a description of the fields in this dialog box, see Create and Edit IDSM EtherChannel VLANs Dialog Boxes.
Step 3 To assign a channel group number to the Ethernet interface for the VLAN, or to change the channel group number, enter a number in the Channel Group text box.
Step 4 To associate the VLAN with the numbered chassis slot where you installed your IDSM services module and to associate one module data port with the VLAN, do one of the following:
- Enter the slot-port number in the Slot-Ports text box.
- Click Select to open the IDSM Slot-Port Selector dialog box.
Note Associating one module data port with the VLAN enables you to configure the port at the group level instead of configuring it manually.
Step 5 From the Mode list, select the running mode of the EtherChannel VLAN. If you select Capture, select the check box to configure the specified channel group as a capture destination.
Note If you do not select this check box, the capture port is created in shutdown mode.
Step 6 To include VLANs in the specified channel group, enter their IDs in the VLANs text box, or click Select to open the VLAN Selector Dialog Box. You can enter or select more than one VLAN ID.
Step 7 Click OK to save your definitions locally on the client and close the dialog box.
Deleting EtherChannel VLAN Definitions
You can delete an EtherChannel VLAN definition on the IDSM.
Step 1 Do one of the following:
- (Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.
- (Policy view) Select Catalyst Platform > IDSM Settings.
The IDSM Settings page is displayed. For a description of the fields on this page, see IDSM Settings Page.
Step 2 Click a row in the table to select the VLAN definition to delete, then click Delete Row.
Creating or Editing Data Port VLAN Definitions
When defining a data port VLAN definition, you must:
- Define the slot-port combination where the data port is located.
- Select the sensing mode used by the data port.
- Define which VLANs are forwarded to the data port.
The following restrictions apply:
- Only one definition is allowed for each data port.
- You cannot create a data port definition if the port is already defined as part of a channel group.
Step 1 Do one of the following:
- (Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.
- (Policy view) Select Catalyst Platform > IDSM Settings.
The IDSM Settings page is displayed. For a description of the fields on this page, see IDSM Settings Page.
Step 2 Do one of the following:
- To create an IDSM data port VLAN definition, click Add Row beneath the Data Port VLANs table.
- To edit an IDSM data port VLAN definition, select it in the list, then click Edit Row beneath the table.
The IDSM Data Port VLAN dialog box is displayed. For a description of the fields in this dialog box, see Create and Edit IDSM Data Port VLANs Dialog Boxes.
Step 3 To associate the VLAN with the numbered chassis slot where you installed your IDSM services module and to associate one module data port with the VLAN, do one of the following:
- Enter the slot-port number in the Slot-Ports text box.
- Click Select to open the IDSM Slot-Port Selector dialog box.
Note Associating one module data port with the VLAN enables you to configure the port at the group level instead of configuring it manually.
Step 4 From the Mode list, select the running mode of the data port VLAN. If you select Capture, select the check box to configure the specified data port as a capture destination.
Note If you do not select this check box, the capture port is created in shutdown mode.
Step 5 To assign a VLAN to the specified data port, do one of the following:
You can enter or select more than one VLAN ID.
Step 6 Click OK to save your definitions locally on the client and close the dialog box.
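To make the restrictions and the capture-destination behaviour described above concrete, here is an added Python model (hypothetical helper code, not part of Security Manager or its API) that parses the x-y slot-port format, allows only one definition per data port, refuses a data port that already belongs to a channel group, and reports that a Capture port without the capture-destination check box is created in shutdown mode.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SLOT_PORT = re.compile(r"^(\d+)-(\d+)$")  # "2-1" means data port 1 in slot 2


def parse_slot_port(text: str) -> Tuple[int, int]:
    """Parse an 'x-y' slot-port string into (slot, port)."""
    m = SLOT_PORT.match(text.strip())
    if not m:
        raise ValueError(f"slot-port must look like '2-1', got {text!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class VlanDefinition:
    """One EtherChannel VLAN or data port VLAN definition (constructed model)."""
    slot_ports: List[str]                # one entry for a data port, several for a channel group
    mode: str                            # running mode from the Mode list, e.g. "Capture"
    vlans: Set[int] = field(default_factory=set)
    capture_destination: bool = False    # the check box that applies in Capture mode
    channel_group: Optional[int] = None  # None means a data port definition

    def ports(self) -> Set[Tuple[int, int]]:
        return {parse_slot_port(p) for p in self.slot_ports}

    def port_state(self) -> str:
        """Capture mode without the capture-destination box creates the port shut down."""
        if self.mode == "Capture" and not self.capture_destination:
            return "shutdown"
        return "up"


class IdsmSettings:
    """Both tables of the IDSM Settings page, enforcing the restrictions stated above."""

    def __init__(self) -> None:
        self.channel_groups: List[VlanDefinition] = []
        self.data_ports: Dict[Tuple[int, int], VlanDefinition] = {}

    def add_channel_group(self, d: VlanDefinition) -> None:
        self.channel_groups.append(d)

    def add_data_port(self, d: VlanDefinition) -> None:
        (key,) = d.ports()  # a data port definition names exactly one slot-port
        if key in self.data_ports:
            raise ValueError(f"data port {d.slot_ports[0]} already has a definition")
        if any(key in g.ports() for g in self.channel_groups):
            raise ValueError(f"data port {d.slot_ports[0]} is already part of a channel group")
        self.data_ports[key] = d
```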
Deleting Data Port VLAN Definitions
You can delete a data port VLAN definition on the IDSM.
Step 1 Do one of the following:
- (Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.
- (Policy view) Select Catalyst Platform > IDSM Settings.
The IDSM Settings page is displayed. For a description of the fields on this page, see IDSM Settings Page.
Step 2 Click a row in the table to select the VLAN definition to delete.
IDSM Settings Page
Use the IDSM Settings page to view and configure the VLAN settings for data ports and channel groups on Intrusion Detection System Service Modules (IDSM).
You can access this page from:
- (Device view) Select Platform > IDSM Settings from the Device Policy selector.
- (Policy view) Select Catalyst Platform > IDSM Settings from the Policy Types selector.
- Create and Edit IDSM EtherChannel VLANs Dialog Boxes
- Create and Edit IDSM Data Port VLANs Dialog Boxes
- Chapter 46, “Managing Firewall Devices”
- Filtering Tables
Create and Edit IDSM EtherChannel VLANs Dialog Boxes
Use the Create IDSM EtherChannel VLANs dialog box (or the Edit IDSM EtherChannel VLANs dialog box) to configure or reconfigure the attributes of an IDSM EtherChannel VLAN.
Go to the IDSM Settings Page, then click the Add or Edit button beneath the EtherChannel VLANs table.
- Create and Edit IDSM Data Port VLANs Dialog Boxes
- IDSM Slot-Port Selector Dialog Box
- Service Module Slot Selector Dialog Box
Element | Description
---|---
Channel Group | The EtherChannel group to which the Ethernet interface is assigned.
Slot-Ports | Associates the chassis slot number (in which the relevant services module is installed) with the data port in the format x-y, where x is the slot number and y is the port number. For example, 2-1 refers to data port 1 in slot 2. Click Select to open the IDSM Slot-Port Selector Dialog Box. From here, you can select the IDSM slot-port combinations to include in the EtherChannel group.
Capture Destination | Applies only when the running mode is Capture (IDS). When selected, configures the specified channel group as a capture destination. When deselected, the channel group does not act as a capture destination.
VLAN IDs | Identifies which VLANs the specified channel group should allow. Click Select to open the VLAN Selector Dialog Box. From here, you can select VLANs to include or exclude.
Create and Edit IDSM Data Port VLANs Dialog Boxes
Use the Create IDSM Data Port VLANs dialog box (or the Edit IDSM Data Port VLANs dialog box) to define which traffic is directed to an IDSM data port and which sensing mode is used on that traffic.
Go to the IDSM Settings Page, then click the Add or Edit button beneath the Data Port VLANs table.
- Create and Edit IDSM EtherChannel VLANs Dialog Boxes
- IDSM Slot-Port Selector Dialog Box
- Service Module Slot Selector Dialog Box
Element | Description
---|---
Slot-Ports | Associates the chassis slot number (in which the relevant services module is installed) with the data port in the format x-y, where x is the slot number and y is the port number. For example, 2-1 refers to data port 1 in slot 2. Click Select to open the IDSM Slot-Port Selector Dialog Box. From here, you can select the IDSM slot-port combinations to include in the data port VLAN definition.
Capture Destination | Applies only when the running mode is Capture (IDS). When selected, configures the specified data port as a capture destination. When deselected, the data port does not act as a capture destination.
VLAN IDs | Identifies which VLANs the specified data port should allow. Click Select to open the VLAN Selector Dialog Box. From here, you can select VLANs to include or exclude.
IDSM Slot-Port Selector Dialog Box
Use the IDSM Slot-Port Selector dialog box to associate slot-port objects with EtherChannel groups.
Go to the Create and Edit IDSM EtherChannel VLANs Dialog Boxes or the Create and Edit IDSM Data Port VLANs Dialog Boxes, then click Select in the Slot-Port field.