APPENDIX
K
Router Platform User Interface
Reference
The main pages available in Cisco Security Manager for configuring and
managing platform-specific policies on Cisco IOS routers are discussed in the
following topics:
NAT policies:
• NAT Policy Page, page K-3
Interface policies:
• Router Interfaces Page, page K-17
• Never Block Networks Dialog Box, page N-132
• AIM-IPS Interface Settings Page, page K-34
• Dialer Policy Page, page K-36
• ADSL Policy Page, page K-42
• SHDSL Policy Page, page K-47
• PVC Policy Page, page K-54
OL-16066-01
• PPP/MLP Policy Page, page K-76
Device Admin policies:
• AAA Policy Page, page K-87
• Accounts and Credential s Policy Page, page K-98
• Bridging Policy Page, page K-102
• Clock Policy Page, page K-104
User Guide for Cisco Security Manager 3.2
K-1
Appendix K Router Platform User Interface Reference
• CPU Policy Page, page K-107
• Device Access policies:
–
HTTP Policy Page, page K-110
–
Console Policy Page, page K-117
–
VTY Policy Page, page K-129
–
Secure Shell Policy Page, page K-147
–
SNMP Policy Page, page K-149
• DNS Policy Page, page K-158
• Hostname Policy Page, page K-160
• Memory Policy Page, page K-161
• Secure Device Provisioning Policy Page, page K-163
• Server Access policies:
–
DHCP Policy Page, page K-167
–
NTP Policy Page, page K-174
K-2
Identity policies:
• 802.1x Policy Page, page K-179
• Network Admission Control Policy Page, page K-183
Logging policies:
• Logging Setup Policy Page, page K-192
• Syslog Servers Policy Page, page K-197
Quality of Service policies:
• Quality of Service Policy Page, page K-199
Routing policies:
• BGP Routing Policy Page, page K-219
• EIGRP Routing Policy Page, page K-226
• OSPF Interface Policy Page, page K-236
• OSPF Process Policy Page, page K-243
• RIP Routing Policy Page, page K-255
• Static Routing Policy Page, page K-263
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Tip Use the Policy Management page in the Security Manager Administration
window to control which router platform policy pages are available in Security
Manager. For more information, see Policy Management Page, page A-40.
NAT Policy Page
You can configure NAT policies on a Cisco IOS router from the following tabs on
the NAT policy page:
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
Network Address Translation (NAT) converts private, internal LAN addresses
into globally routable IP addresses. NAT enables a small number of public IP
addresses to provide global connectivity for a large number of hosts.
For more information, see NAT on Cisco IOS Routers, page 15-5.
NAT Policy Page
Navigation Path
• (Device view) Select NAT from the Policy selector.
• (Policy view) Select NAT (Router) from the Policy Type selector.
Right-click NAT (Router) to create a policy, or select an existing policy from
the Shared Policy selector.
Related Topics
• Chapter K, “Router Platform User Interface Reference”
NAT Page—Interface Specification Tab
Use the NAT Interface Specification tab to define the inside and outside interfaces
on the router used for NAT. Inside interfaces are interfaces that connect to the
private networks served by the router. Outside interfaces are interfaces that
connect to the WAN or the Internet.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-3
Appendix K Router Platform User Interface Reference
NAT Policy Page
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Interface Specification tab.
Related Topics
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
Field Reference
Table K-1 NAT Interface Specification Tab
Element Description
NAT Inside Interfaces The interfaces that act as the inside interfaces for address translation. Click
Edit to display the Edit Interfaces Dialog Box—NAT Inside Interfaces,
page K-4. From here you can define these interfaces.
NAT Outside Interfaces The interfaces that act as the outside interfaces for address translation. Click
Edit to display the Edit Interfaces Dialog Box—NAT Outside Interfaces,
page K-5. From here you can define these interfaces.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Edit Interfaces Dialog Box—NAT Inside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit
Interfaces dialog box to specify which interfaces will act as the inside interfaces
for address translation. Inside interfaces typically connect to a LAN that the router
serves.
Navigation Path
Go to the NAT Page—Interface Specification Tab, page K-3, then click the Edit
button in the NAT Inside Interfaces field.
Related Topics
• Designating Inside and Outside Interfaces, page 15-6
• Edit Interfaces Dialog Box—NAT Outside Interfaces, page K-5
User Guide for Cisco Security Manager 3.2
K-4
OL-16066-01
Appendix K Router Platform User Interface Reference
NAT Policy Page
Field Reference
Table K-2 Edit Interfaces Dialog Box—NAT Inside Interfaces
Element Description
Interfaces The interfaces that act as the inside interfaces for address translation. You
can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy Definition,
page 9-135.
Select button Opens an Object Selectors, page F-593 for selecting interfaces and interface
roles. Using the selector eliminates the need to manually enter this
information.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can define an interface role object.
OK button Saves your changes and closes the dialog box. Your selections are displayed
in the NAT Inside Interfaces field of the NAT Interface Specification tab.
Edit Interfaces Dialog Box—NAT Outside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit
Interfaces dialog box to specify which interfaces will act as the outside interfaces
for address translation. Outside interfaces typically connect to your organization’s
WAN or to the Internet.
Navigation Path
Go to the NAT Page—Interface Specification Tab, page K-3, then click the Edit
button in the NAT Outside Interfaces field.
Related Topics
• Designating Inside and Outside Interfaces, page 15-6
• Edit Interfaces Dialog Box—NAT Inside Interfaces, page K-4
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-5
Appendix K Router Platform User Interface Reference
NAT Policy Page
Field Reference
Table K-3 Edit Interfaces Dialog Box—NAT Outside Interfaces
Element Description
Interfaces The interfaces that act as the outside interfaces for address translation. You
can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy Definition,
page 9-135.
Select button Opens an Object Selectors, page F-593 for selecting interfaces and interface
roles. Using the selector eliminates the need to manually enter this
information.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can define an interface role object.
OK button Saves your changes and closes the dialog box. Your selections are displayed
in the NAT Outside Interfaces field of the NAT Interface Specification tab.
NAT Page—Static Rules Tab
Use the NAT Static Rules tab to create, edit, and delete static address translation
rules. For more information, see Defining Static NAT Rules, page 15-8.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Static Rules tab.
Related Topics
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
User Guide for Cisco Security Manager 3.2
K-6
OL-16066-01
Appendix K Router Platform User Interface Reference
NAT Policy Page
Field Reference
Table K-4 NAT Static Rules Tab
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Original Address The original address (and optionally, the subnet mask) that is being
translated.
Translated Address The IP address to which the traffic is translated.
Port Redirection (When the static rule is defined on a port) Information about the port that is
being translated, including the local and global port numbers.
Advanced The advanced options that are enabled.
Add button Opens the NAT Static Rule Dialog Box, page K-7. From here you can create
a static translation rule.
Edit button Opens the NAT Static Rule Dialog Box, page K-7. From here you can edit
the selected static translation rule.
Delete button Deletes the selected static translation rules from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
NAT Static Rule Dialog Box
Use the NAT Static Rule dialog box to add or edit static address translation rules.
Navigation Path
Go to the NAT Page—Static Rules Tab, page K-6, then click the Add or Edit
button beneath the table.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-7
Appendix K Router Platform User Interface Reference
NAT Policy Page
Related Topics
• Defining Static NAT Rules, page 15-8
• Disabling the Alias Option for Attached Subnets, page 15-15
• Disabling the Payload Option for Overlapping Networks, page 15-15
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
Field Reference
Table K-5 NAT Static Rule Dialog Box
Element Description
Static Rule Type The type of local address requiring translation by this static rule:
• Static Host—A single host requiring static address translation.
• Static Network—A subnet requiring static address translation.
• Static Port—A single port requiring static address translation. If you
select this option, you must define port redirection parameters.
Original Address Enter an address or the name of a network/host object, or click Select to
display an Object Selectors, page F-593.
• When Static Network is selected as the Static Rule Type, this field
defines the network address and subnet mask. For example, if you want
to create n-to-n mappings between the private addresses in a subnet to
corresponding inside global addresses, enter the address of the subnet
you want translated, and then enter the network mask in the Mask field.
K-8
• When Static Port or Static Host is selected as the Static Rule Type, this
field defines the IP address only. For example, if you want to create a
one-to-one mapping for a single host, enter the IP address of the host to
translate. Do not enter a subnet mask in the Mask field.
If the network or host you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-477. From here
you can define a network/host object.
Note We recommend not entering a local address belonging to this router,
as it could cause Security Manager management traffic to be
translated. Translating this traffic will cause a loss of communication
between the router and Security Manager.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-5 NAT Static Rule Dialog Box (Continued)
Translated Address The type of address translation to perform:
• Specify IP—The IP address that acts as the translated address. Enter an
address or the name of a network/host object in the Translated
IP/Network field, or click Select to display an Object Selectors,
page F-593.
–
If you selected Static Port or Static Host as the static rule type (to
create a one-to-one mapping between a single inside local address
and a single inside global address), enter the global address in this
field. A subnet mask is not required.
–
If you selected Static Network as the static rule type (to map the
original, local addresses of a subnet to the corresponding global
addresses), enter the IP address that you want to use in the
translation in this field. The network mask is taken automatically
from the mask entered in the Original Address field.
If the network or host you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-477. From here
you can define a network/host object.
• Use Interface IP—The interface whose address should be used as the
translated address. (This is typically the interface from which translated
packets leave the router.) Enter the name of an interface or interface role
in the Interface field, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button or the Edit
button in the selector to display the Interface Role Dialog Box, page F-464.
From here you can create an interface role object.
Note The Interface option is not available when Static Network is the
selected static rule type. Only one static rule may be defined per
interface.
NAT Policy Page
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-9
Appendix K Router Platform User Interface Reference
NAT Policy Page
Table K-5 NAT Static Rule Dialog Box (Continued)
Port Redirection Applies only when Static Port is the selected static rule type.
Redirect Port—When selected, specifies port information for the inside
device in the translation. This enables you to use the same public IP address
for multiple devices as long as the port specified for each device is different.
Enter information in the following fields:
• Protocol—The protocol type: TCP or UDP.
• Local Port—The port number on the source network. Valid values range
from 1 to 65535.
• Global Port—The port number on the destination network that the router
is to use for this translation. Valid values range from 1 to 65535.
When deselected, port information is not included in the translation.
K-10
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
NAT Policy Page
Table K-5 NAT Static Rule Dialog Box (Continued)
Advanced Applies only when using the Translated IP option for address translation.
Defines advanced options:
• No Alias—When selected, prohibits an alias from being created for the
global address.
The alias option is used to answer Address Resolution Protocol (ARP)
requests for global addresses that are allocated by NAT. You can disable
this feature for static entries by selecting the No alias check box.
When deselected, global address aliases are permitted.
• No Payload—When selected, prohibits an embedded address or port in
the payload from being translated.
The payload option performs NAT between devices on overlapping
networks that share the same IP address. When an outside device sends
a DNS query to reach an inside device, the local address inside the
payload of the DNS reply is translated to a global address according to
the relevant NAT rule. You can disable this feature by selecting the No
payload check box.
When deselected, embedded addresses and ports in the payload may be
translated, as described above.
• Create Extended Translation Entry—When selected, creates an
extended translation entry (addresses and ports). This enables you to
associate multiple global addresses with a single local address. This is
the default.
When deselected, creates a simple translation entry that allows you to
associate a single global address with the local address.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-11
NAT Policy Page
NAT Page—Dynamic Rules Tab
Use the NAT Dynamic Rules tab to create, edit, and delete dynamic address
translation rules. A dynamic address translation rule dynamically maps hosts to
addresses, using either the globally registered IP address of a specific interface or
addresses included in an address pool that are globally unique in the destination
network.
For more information, see Defining Dynamic NAT Rules, page 15-16.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Dynamic Rules tab.
Related Topics
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Timeouts Tab, page K-15
Field Reference
Appendix K Router Platform User Interface Reference
Table K-6 NAT Dynamic Rules Tab
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Traffic Flow The ACL that defines the traffic that is being translated.
Translated Address Indicates whether the translated address is based on an interface or on a
defined address pool.
Port Translation Indicates whether Port Address Translation (PAT) is being used by this
dynamic NAT rule.
Add button Opens the NAT Dynamic Rule Dialog Box, page K-13. From here you can
create a dynamic translation rule.
Edit button Opens the NAT Dynamic Rule Dialog Box, page K-13. From here you can
edit the selected dynamic translation rule.
Delete button Deletes the selected dynamic translation rules from the table.
User Guide for Cisco Security Manager 3.2
K-12
OL-16066-01
Appendix K Router Platform User Interface Reference
NAT Policy Page
Table K-6 NAT Dynamic Rules Tab (Continued)
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
NAT Dynamic Rule Dialog Box
Use the NAT Dynamic Rule dialog box to add or edit dynamic address translation
rules.
Navigation Path
Go to the NAT Page—Dynamic Rules Tab, page K-12, then click the Add or Edit
button beneath the table.
OL-16066-01
Related Topics
• Defining Dynamic NAT Rules, page 15-16
• Understanding Access Control List Objects, page 9-30
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
User Guide for Cisco Security Manager 3.2
K-13
Appendix K Router Platform User Interface Reference
NAT Policy Page
Field Reference
Table K-7 NAT Dynamic Rule Dialog Box
Element Description
Traffic Flow Access List—The extended ACL that specifies the traffic requiring dynamic
translation. Enter the name of an ACL object, or click Select to display an
Object Selectors, page F-593.
If the ACL you want is not listed, click the Create button in the selector to
display the dialog box for defining an extended ACL object. For more
information, see Add and Edit Extended Access List Pages, page F-34.
Note Make sure that the ACL you select does not permit the translation of
Security Manager management traffic over any device address on
this router. Translating this traffic will cause a loss of
communication between the router and Security Manager.
Translated Address The method for performing dynamic address translation:
• Interface—The router interface used for address translation. PAT is used
to distinguish each host on the network. Enter the name of an interface
or interface role, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From
here you can create an interface role object.
Enable Port Translation
(Overload)
User Guide for Cisco Security Manager 3.2
K-14
• Address Pool—Translates addresses using a set of addresses defined in
an address pool. Enter one or more address ranges, including the prefix,
using the format min1-max1/prefix (in CIDR notation). You can add as
many address ranges to the address pool as required, but all ranges must
share the same prefix. Separate multiple entries with commas.
When selected, the router uses port addressing (PAT) if the pool of available
addresses runs out.
When deselected, PAT is not used.
Note PAT is selected by default when you use an interface on the router as
the translated address.
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-7 NAT Dynamic Rule Dialog Box (Continued)
NAT Policy Page
Do Not Translate VPN
Traffic (Site-to-Site
VPN only)
This setting applies only in situations where the NAT ACL overlaps the
crypto ACL used by the site-to-site VPN. Because the interface performs
NAT first, any traffic arriving from an address within this overlap would get
translated, causing the traffic to be sent unencrypted. Leaving this check box
selected prevents that from happening.
When selected, address translation is not performed on VPN traffic.
When deselected, the router performs address translation on VPN traffic in
cases of overlapping addresses between the NAT ACL and the crypto ACL.
Note We recommend that you leave this check box selected, even when
performing NAT into IPsec, as this setting does not interfere with the
translation that is performed to avoid a clash between two networks
sharing the same set of internal addresses.
Note This option does not apply to remote access VPNs.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
NAT Page—Timeouts Tab
OL-16066-01
Use the NAT Timeouts tab to view or modify the default timeout values for PAT
(overload) translations. These timeouts cause a dynamic translation to expire after
a defined period of non-use. In addition, you can use this page to place a limit on
the number of entries allowed in the dynamic NAT table and to modify the default
timeout on all dynamic translations that are not PAT translations.
Note For more information about the Overload feature, see NAT Dynamic Rule Dialog
Box, page K-13.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Timeouts tab.
User Guide for Cisco Security Manager 3.2
K-15
Appendix K Router Platform User Interface Reference
NAT Policy Page
Related Topics
• Specifying NAT Timeouts, page 15-19
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
Field Reference
Table K-8 NAT Timeouts Tab
Element Description
Max Entries The maximum number of entries allowed in the dynamic NAT table. Values
range from 1 to 2147483647.
By default, this field is left blank, which means that the number of entries in
the table is unlimited.
Timeout (sec.) The timeout value applied to all dynamic translations except PAT (overload)
translations.
The default is 86400 seconds (24 hours).
UDP Timeout (sec.) The timeout value applied to User Datagram Protocol (UDP) ports. The
default is 300 seconds (5 minutes).
Note This value applies only when the Overload feature is enabled.
DNS Timeout (sec.) The timeout value applied to Domain Naming System (DNS) server
connections. The default is 60 seconds.
Note This value applies only when the Overload feature is enabled.
TCP Timeout (sec.) The timeout value applied to Transmission Control Protocol (TCP) ports.
The default is 86400 seconds (24 hours).
Note This value applies only when the Overload feature is enabled.
FINRST Timeout (sec.) The timeout value applied when a Finish (FIN) packet or Reset (RST) packet
(both of which terminate connections) is found in the TCP stream. The
default is 60 seconds.
Note This value applies only when the Overload feature is enabled.
User Guide for Cisco Security Manager 3.2
K-16
OL-16066-01
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-8 NAT Timeouts Tab (Continued)
ICMP Timeout (sec.) The timeout value applied to Internet Control Message Protocol (ICMP)
flows. The default is 60 seconds.
Note This value applies only when the Overload feature is enabled.
PPTP Timeout (sec.) The timeout value applied to NAT Point-to-Point Tunneling Protocol (PPTP)
flows. The default is 86400 seconds (24 hours).
Note This value applies only when the Overload feature is enabled.
SYN Timeout (sec.) The timeout value applied to TCP flows after a synchronous transmission
(SYN) message (used for precise clocking) is encountered. The default is 60
seconds.
Note This value applies only when the Overload feature is enabled.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Router Interfaces Page
OL-16066-01
Use the Router Interfaces page to view, create, edit, and delete interface
definitions (physical and virtual) on a selected Cisco IOS router. The Router
Interfaces page displays interfaces that were discovered by Security Manager as
well as interfaces added manually after you added the device to the system.
For more information, see Basic Interface Settings on Cisco IOS Routers,
page 15-20.
Navigation Path
Select a Cisco IOS router from the Device selector, then select Interfaces >
Interfaces from the Policy selector.
Related Topics
• Available Interface Types, page 15-21
• Deleting a Cisco IOS Router Interface, page 15-27
User Guide for Cisco Security Manager 3.2
K-17
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Field Reference
Table K-9 Router Interfaces Page
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface Type The interface type. Subinterfaces are displayed indented beneath their parent
interface.
Interface Name The name of the interface.
Enabled Indicates whether the interface is currently enabled (managed by Security
Manager) or disabled (shutdown state).
IP Address The IP address of interfaces defined with a static address.
IP Address Type The type of IP address assigned to the interface—static, DHCP, PPPoE, or
unnumbered. (IP address is defined by a selected interface role.)
Interface Role The interface roles that are assigned to the selected interface.
Add button Opens the Create Router Interface Dialog Box, page K-18. From here you
can create an interface on the selected router.
Edit button Opens the Create Router Interface Dialog Box, page K-18. From here you
can edit the selected interface.
Delete button Deletes the selected interfaces from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
Create Router Interface Dialog Box
Use the Create Router Interface dialog box to create and edit physical and virtual
interfaces on the selected Cisco IOS router.
User Guide for Cisco Security Manager 3.2
K-18
OL-16066-01
Appendix K Router Platform User Interface Reference
Note Unlike other router policies, the Interfaces policy cannot be shared among
multiple devices. The Advanced Settings policy, however, may be shared. See
Local Policies vs. Shared Policies, page 7-4.
Navigation Path
Go to the Router Interfaces Page, page K-17, then click the Add or Edit button
beneath the table.
Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Deleting a Cisco IOS Router Interface, page 15-27
• Never Block Networks Dialog Box, page N-132
Field Reference
Table K-10 Create Router Interface Dialog Box
Router Interfaces Page
Element Description
Enabled When selected, the router interface is enabled.
When deselected, the router interface is in shutdown state. However, its
definition is not deleted.
Type Specifies whether you are defining an interface or subinterface.
Name Applies only to interfaces.
The name of the interface. Enter a name manually, or click Select to display
a dialog box for generating a name automatically. See Interface Auto Name
Generator Dialog Box, page K-24.
Note Logical interfaces require a number after the name:
—The valid range for dialer interfaces is 0-799.
—The valid range for loopback interfaces is 0-2147483647.
—The valid range for BVI interfaces is 1-255.
—The only valid value for null interfaces is 0.
Parent Applies only to subinterfaces.
The parent interface of the subinterface. Select the parent interface from the
displayed list.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-19
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-10 Create Router Interface Dialog Box (Continued)
Subinterface ID Applies only to subinterfaces.
The ID number of the subinterface.
IP The source of the IP address for the interface:
• Static IP—Defines a static IP address and subnet mask for the interface.
Enter this information in the fields that appear below the option.
Note You can define the mask using either dotted decimal (for example,
255.255.255.255) or CIDR notation (/32). See Contiguous and
Discontiguous Network Masks, page 9-146.
• DHCP—The interface obtains its IP address dynamically from a DHCP
server.
• PPPoE—The router automatically negotiates its own registered IP
address from a central server (via PPP/IPCP). The following interface
types support PPPoE:
–
Async
–
Serial
–
High-Speed Serial Interface (HSSI)
K-20
–
Dialer
–
BRI, PRI (ISDN)
–
Virtual template
–
Multilink
• Unnumbered—The interface obtains its IP address from a different
interface on the device. Choose an interface from the Interface list. This
option can be used with point-to-point interfaces only.
Note Layer 2 interfaces do not support IP addresses. Deployment fails if
you define an IP address on a Layer 2 interface.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-10 Create Router Interface Dialog Box (Continued)
Layer Type The OSI layer at which the interface is defined:
• Unknown—The layer is unknown.
• Layer 2—The data link layer, which contains the protocols that control
the physical layer (Layer 1) and how data is framed before being
transmitted on the medium. Layer 2 is used for bridging and switching.
Layer 2 interfaces do not have IP addresses.
• Layer 3—The network layer, which is primarily responsible for the
routing of data in packets across logical internetwork paths. This routing
is accomplished through the use of IP addresses.
Duplex The interface transmission mode:
• None—The transmission mode is returned to its device-specific default
setting.
• Full—The interface transmits and receives at the same time (full
duplex).
• Half—The interface can transmit or receive, but not at the same time
(half duplex). This is the default.
Router Interfaces Page
OL-16066-01
• Auto—The router automatically detects and sets the appropriate
transmission mode, either full or half duplex.
Note When using Auto mode, be sure that the port on the active network
device to which you connect this interface is also set to automatically
negotiate the transmission mode. Otherwise, select the appropriate
fixed mode.
Note You can configure a duplex value only if you set the Speed to a fixed
speed, not Auto.
Note This setting does not apply to serial, HSSI, ATM, PRI, DSL, tunnel,
or loopback interfaces.
User Guide for Cisco Security Manager 3.2
K-21
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-10 Create Router Interface Dialog Box (Continued)
Speed Applies only to Fast Ethernet and Gigabit Ethernet interfaces.
The speed of the interface:
• 10—10 megabits per second (10Base-T networks).
• 100—100 megabits per second (100Base-T networks). This is the
default for Fast Ethernet interfaces.
• 1000—1000 megabits per second (Gigabit Ethernet networks). This is
the default for Gigabit Ethernet interfaces.
• Auto—The router automatically detects and sets appropriate interface
speed.
Note When using Auto mode, be sure that the port on the active network
device to which you connect this interface is also set to automatically
negotiate the transmission speed. Otherwise, select the appropriate
fixed speed.
MTU The maximum transmission unit, which refers to the maximum packet size,
in bytes, that this interface can handle.
Valid values for serial, Ethernet, and Fast Ethernet interfaces range from 64
to 17940 bytes.
Valid values for Gigabit Ethernet interfaces range from 1500 to 9216 bytes.
Encapsulation The type of encapsulation performed by the interface:
• None—No encapsulation.
• DOT1Q—VLAN encapsulation, as defined by the IEEE 802.1Q
standard. Applies only to Ethernet subinterfaces.
• Frame Relay—IETF Frame Relay encapsulation. Applies only to serial
interfaces (not serial subinterfaces).
Note IETF Frame Relay encapsulation provides interoperability between
a Cisco IOS router and equipment from other vendors. To configure
Cisco Frame Relay encapsulation, use CLI commands or
FlexConfigs.
User Guide for Cisco Security Manager 3.2
K-22
OL-16066-01
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-10 Create Router Interface Dialog Box (Continued)
VLAN ID Applies only to subinterfaces with encapsulation type DOT1Q.
The VLAN ID associated with this subinterface. The VLAN ID specifies
where 802.1Q tagged packets are sent and received on this subinterface;
without a VLAN ID, the subinterface cannot send or receive traffic. Valid
values range from 1 to 4094.
Note All VLAN IDs must be unique among all subinterfaces configured
on the same physical interface.
Tip To configure DOT1Q encapsulation on an Ethernet interface without
associating the VLAN with a subinterface, enter the vlan-id dot1q
command using CLI commands or FlexConfigs. See Understanding
FlexConfig Objects, page 9-52. Configuring VLANs on the main
interface increases the number of VLANs that can be configured on
the router.
Native VLAN Applies only when the encapsulation type is DOT1Q and you are configuring
a physical interface that is meant to serve as an 802.1Q trunk interface.
Trunking is a way to carry traffic from several VLANs over a point-to-point
link between two devices.
When selected, the Native VLAN is associated with this interface, using the
ID specified in the VLAN ID field. (If no VLAN ID is specified for the
Native VLAN, the default is 1.) The native VLAN is the VLAN to which all
untagged VLAN packets are logically assigned by default. This includes the
management traffic associated with the VLAN. If no VLAN ID is defined,
the default is 1.
OL-16066-01
For example, if the VLAN ID of this interface is 1, all incoming untagged
packets and packets with VLAN ID 1 are received on the main interface and
not on a subinterface. Packets sent from the main interface are transmitted
without an 802.1Q tag.
When deselected, the Native VLAN is not associated with this interface.
Note The Native VLAN cannot be configured on a subinterface of the
trunk interface. Be sure to configure the same Native VLAN value at
both ends of the link; otherwise, traffic may be lost or sent to the
wrong VLAN.
User Guide for Cisco Security Manager 3.2
K-23
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-10 Create Router Interface Dialog Box (Continued)
DLCI Applies only to serial subinterfaces with Frame Relay encapsulation.
Enter the data-link connection identifier to associate with the subinterface.
Valid values range from 16 to 1007.
Note Security Manager configures serial subinterfaces as point-to-point
not multipoint.
Description Additional information about the interface (up to 1024 characters).
Roles The interface roles assigned to this interface. A message is displayed if no
roles have yet been assigned.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Interface Auto Name Generator Dialog Box
K-24
Use the Interface Auto Name Generator dialog box to have Security Manager
generate a name for the interface based on the interface type and its location in
the router.
Navigation Path
Go to the Create Router Interface Dialog Box, page K-18, select Interface from
the Type list, then click Select in the Name field.
Related Topics
• Generating an Interface Name, page 15-26
• Router Interfaces Page, page K-17
• Basic Interface Settings on Cisco IOS Routers, page 15-20
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Field Reference
Table K-11 Interface Auto Name Generator Dialog Box
Element Description
Type The type of interface. Your selection from this list forms the first part of the
generated name, as displayed in the Result field. For more information, see
Table 15-1 on page 15-21.
Card The card related to the interface.
Note When defining a BVI interface, enter the number of the
corresponding bridge group.
Slot The slot related to the interface.
Port The port related to the interface.
Note The information you enter in these fields forms the remainder of the
generated name, as displayed in the Result field.
Result The name generated by Security Manager from the information you entered
for the interface type and location. The name displayed in this field is
read-only.
Tip After closing this dialog box, you can edit the generated name in the
Create Router Interface dialog box, if required.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Advanced Interface Settings Page
Use the Advanced Interface Settings page to view, create, edit, and delete
advanced interface definitions (physical and virtual) on a selected Cisco IOS
router. Examples of advanced settings include Cisco Discovery Protocol (CDP)
settings, ICMP message settings, and virtual fragment reassembly settings.
For more information, see Advanced Interface Settings on Cisco IOS Routers,
page 15-28.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-25
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Navigation Path
• (Device view) Select Interfaces > Settings > Advanced Settings from the
Policy selector.
• (Policy view) Select Router Interfaces > Settings > Advanced Settings
from the Policy Type selector. Right-click Advanced Settings to create a
policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Router Interfaces Page, page K-17
• Available Interface Types, page 15-21
• Deleting a Cisco IOS Router Interface, page 15-27
Field Reference
Table K-12 Advanced Interface Settings Page
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface The interface or interface role for which advanced settings are defined.
Max Bandwidth The bandwidth value to communicate to higher-level protocols in kilobits
per second (kbps).
Load Interval The length of time used to calculate the average load for this interface.
CDP Indicates whether CDP and CDP logging are enabled on this interface.
Redirects Indicates whether ICMP redirect messages are enabled on this interface.
Unreachables Indicates whether ICMP unreachable messages are enabled on this interface.
Mask Reply Indicates whether ICMP mask reply messages are enabled on this interface.
Directed Broadcasts Indicates whether directed broadcasts that are intended for the subnet to
which this interface is attached are exploded as broadcasts on that subnet.
Add button Opens the Advanced Interface Settings Dialog Box, page K-27. From here
you can define advanced settings on the selected interface.
Edit button Opens the Advanced Interface Settings Dialog Box, page K-27. From here
you can edit the selected interface.
Delete button Deletes the selected advanced interface definitions from the table.
K-26
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Table K-12 Advanced Interface Settings Page (Continued)
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
Advanced Interface Settings Dialog Box
Use the Advanced Interface Settings dialog box to define a variety of advanced
settings on a selected interface, including:
• Cisco Discovery Protocol (CDP) settings.
• Internet Control Message Protocol (ICMP) settings.
• Virtual fragmentation reassembly (VFR) settings.
• Directed broadcast settings.
OL-16066-01
• Load interval for determining the average load.
• Enabling proxy ARP.
• Enabling NBAR protocol discovery.
Navigation Path
Go to the Never Block Networks Dialog Box, page N-132, then click the Add or
Edit button beneath the table.
Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Advanced Interface Settings on Cisco IOS Routers, page 15-28
• Deleting a Cisco IOS Router Interface, page 15-27
• Available Interface Types, page 15-21
User Guide for Cisco Security Manager 3.2
K-27
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Field Reference
Table K-13 Advanced Interface Settings Dialog Box
Element Description
Interface The interface on which the advanced settings are defined. Enter the name of
an interface or interface role, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
Note You can define only one set of advanced settings per interface.
Note The only advanced settings supported on Layer 2 interfaces are Max.
Bandwidth, Load Interval, and CDP.
Max Bandwidth The bandwidth value to communicate to higher-level protocols in kilobits
per second (kbps).
Note The value you define in this field is an informational parameter only;
it does not affect the physical interface.
Load Interval The length of time, in seconds, used to calculate the average load on the
interface. Valid values range from 30 to 600 seconds, in multiples of 30
seconds. The default is 300 seconds (5 minutes).
Modify the default to shorten the length of time over which load averages are
computed. You can do this if you want load computations to be more reactive
to short bursts of traffic.
K-28
Load data is gathered every 5 seconds. This data is used to compute load
statistics, including input/output rate in bits and packets per second, load,
and reliability. Load data is computed using a weighted-average calculation
in which recent load data has more weight in the computation than older load
data.
Tip You can use this option to increase or decrease the likelihood of
activating a backup interface; for example, a backup dial interface
may be triggered by a sudden spike in the load on an active interface.
Note Load interval is not supported on subinterfaces.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-13 Advanced Interface Settings Dialog Box (Continued)
Advanced Interface Settings Page
TCP Maximum
Segment Size
The maximum segment size (MSS) of TCP SYN packets that pass through
this interface. Valid values range from 500 to 1460 bytes. If you do not
specify a value, the MSS is determined by the originating host.
This option helps prevent TCP sessions from being dropped as they pass
through the router. Use this option when the ICMP messages that perform
auto-negotiation of TCP frame size are blocked (for example, by a firewall).
We highly recommend using this option on the tunnel interfaces of DMVPN
networks.
For more information, see TCP MSS Adjustment at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_featur
e_guide09186a00804247fc.html
Note Typically, the optimum MSS is 1452 bytes. This value plus the
20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE
header add up to a 1500-byte packet that matches the MTU size for
the Ethernet link.
Helper Addresses The helper addresses that are used to forward User Datagram Protocol
(UDP) broadcasts that are received on this interface. Enter one or more
addresses or network/host objects, or click Select to display an Object
Selectors, page F-593.
If the network you want is not listed, click the Create button in the selector
to display the Network/Host Dialog Box, page F-477. From here, you can
define a network/host object.
OL-16066-01
By default, routers do not forward broadcasts outside of their subnet. Helper
addresses provide a solution by enabling the router to forward certain types
of UDP broadcasts as a unicast to an address on the destination subnet.
For more information, see Understanding Helper Addresses, page 15-29.
User Guide for Cisco Security Manager 3.2
K-29
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Table K-13 Advanced Interface Settings Dialog Box (Continued)
Cisco Discovery Protocol settings
Enable CDP When selected, the Cisco Discovery Protocol (CDP) is enabled on this
interface. This the default.
When deselected, CDP is disabled on this interface.
CDP is a media- and protocol-independent device-discovery protocol that
runs on all Cisco-manufactured equipment including routers, access servers,
bridges, and switches. It is primarily used to obtain protocol addresses of
neighboring devices and discover the platform of those devices.
Note ATM interfaces do not support CDP.
Log CDP Messages Applies only to Ethernet interfaces.
When selected, duplex mismatches for this interface are displayed in a log.
This is the default.
When deselected, duplex mismatches for this interface are not logged.
NetFlow settings
Enable Ingress
Accounting
When selected, NetFlow accounting is enabled on traffic arriving on this
interface.
When deselected, NetFlow accounting on arriving traffic is disabled. This is
the default.
Enable Egress
Accounting
User Guide for Cisco Security Manager 3.2
K-30
Cisco IOS NetFlow provides the metering base for a key set of applications
including network traffic accounting, usage-based network billing, network
planning, as well as Denial Services monitoring capabilities, network
monitoring, outbound marketing, and data mining capabilities for both
service provider and enterprise customers.
Note You must use the CLI or FlexConfigs to enable Cisco Express
Forwarding (CEF) or distributed CEF (dCEF) before using this
option.
When selected, enables NetFlow accounting on traffic leaving this interface.
When deselected, disables NetFlow accounting on traffic leaving this
interface. This is the default.
Note You must use the CLI or FlexConfigs to enable Cisco Express
Forwarding (CEF) or distributed CEF (dCEF) before using this
option.
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-13 Advanced Interface Settings Dialog Box (Continued)
ICMP Messages settings
Enable Redirect
Messages
Enable Unreachable
Messages
When selected, enables the sending of Internet Control Message Protocol
(ICMP) redirect messages if the device is forced to resend a packet through
the same interface on which it was received to another device on the same
subnet. This is the default.
When deselected, disabled redirect messages.
Redirect messages are sent when the device wants to instruct the originator
of the packet to remove it from the route and substitute a different device that
offers a more direct path to the destination.
When selected, enables the sending of ICMP unreachable messages. This is
the default.
When deselected, disables unreachable messages.
Unreachable messages are sent in two circumstances:
• If the interface receives a nonbroadcast packet destined for itself that
uses an unknown protocol. In this case, it sends an ICMP unreachable
message to the source.
• If the device receives a packet that it cannot deliver to its ultimate
destination because it knows of no route to the destination address. In
this case, it sends an ICMP host unreachable message to the originator
of the packet.
Advanced Interface Settings Page
Enable Mask Reply
Messages
OL-16066-01
Note This is the only advanced setting supported by the null0 interface.
When selected, enables the sending of ICMP mask reply messages.
When deselected, disables mask reply messages. This is the default.
Mask reply messages are sent in response to mask request messages, which
are sent when a device needs to know the subnet mask for a particular
subnetwork.
User Guide for Cisco Security Manager 3.2
K-31
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Table K-13 Advanced Interface Settings Dialog Box (Continued)
Additional settings
Enable Virtual
Fragment Reassembly
(VFR)
Enable Proxy ARP When selected, enables proxy Address Resolution Protocol (ARP) on the
Enable NBAR Protocol
Discovery
When selected, virtual fragmentation reassembly (VFR) is enabled on this
interface.
When deselected, disables VFR. This is the default.
VFR is a feature that enables the Cisco IOS Firewall to create dynamic ACLs
that can protect the network from various fragmentation attacks. For more
information, see Virtual Fragmentation Reassembly at this URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_virt
_frag_reassm_ps6441_TSD_Products_Configuration_Guide_Chapter.html
interface. This is the default.
When deselected, disables proxy ARP.
Proxy ARP, defined in RFC 1027, is the technique in which one host, usually
a router, answers ARP requests intended for another machine, thereby
accepting responsibility for routing packets to the real destination. Proxy
ARP can help machines on a subnet reach remote subnets without
configuring routing or a default gateway.
When selected, enables network-based application recognition (NBAR) on
this interface to discover traffic and keep traffic statistics for all protocols
known to NBAR.
When deselected, disables NBAR. This is the default.
K-32
Protocol discovery provides a method to discover application protocols
traversing an interface so that QoS policies can be developed and applied to
them. For more information, go to:
http://www.cisco.com/en/US/products/ps6616/products_qanda_item09186a
00800a3ded.shtml
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-13 Advanced Interface Settings Dialog Box (Continued)
Advanced Interface Settings Page
Enable Directed
Broadcasts
When selected, directed broadcast packets are “exploded” as a link-layer
broadcast when this interface is directly connected to the destination subnet.
When deselected, directed broadcast packets that are intended for the subnet
to which this interface is directly connected are dropped rather than being
broadcast. This is the default.
An IP directed broadcast is an IP packet whose destination address is a valid
broadcast address on a different subnet from the node on which it originated.
In such cases, the packet is forwarded as if it was a unicast packet until it
reaches its destination subnet.
This option affects only the final transmission of the directed broadcast on
its destination subnet; it does not affect the transit unicast routing of IP
directed broadcasts.
Note Because directed broadcasts, and particularly ICMP directed
broadcasts, have been abused by malicious persons, we recommend
deselecting this option on interfaces where directed broadcasts are
not needed.
ACL Applies only when directed broadcasts are enabled.
The standard access list that determines which directed broadcasts are
permitted to be broadcast on the destination subnet. All other directed
broadcasts destined for the subnet to which this interface is directly
connected are dropped. Enter the name of an ACL object, or click Select to
display an Object Selectors, page F-593.
If the standard ACL you want is not listed, click the Create button in the
selector to display the Add and Edit Standard Access List Pages, page F-42.
From here you can create an ACL object.
Note To prevent misuse by malicious persons, we recommend using ACLs
to restrict the use of directed broadcasts.
Advanced Interface Settings buttons
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-33
Appendix K Router Platform User Interface Reference
AIM-IPS Interface Settings Page
AIM-IPS Interface Settings Page
Use the AIM-IPS Interface Settings page to define the settings on the Cisco
Intrusion Prevention System Advanced Integration Module. You can install
AIM-IPS in Cisco 1841, 2800 series, and 3800 series routers.
Note AIM-IPS must be running IPS 6.0 or later.
Caution Cisco IOS IPS and the Cisco IPS AIM cannot be used together. Cisco IOS IPS
must be disabled when the AIM IPS is installed.
Navigation Path
• (Device view) Select Interfaces > Settings > AIM-IPS from the Policy
selector.
• (Policy view) Select Router Interfaces > Settings > AIM-IPS from the
Policy Type selector. Right-click AIM-IPS to create a policy, or select an
existing policy from the Shared Policy selector.
Related Topics
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-14 AIM-IPS Interface Settings Page
Element Description
AIM-IPS Interface Settings table
Interface Name A name selected from among available interfaces.
Select button Opens the Interface Selector dialog box.
Fail Over Mode Fail open or fail closed. The default value is fail open.
AIM-IPS Service Module Monitoring Settings table
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
User Guide for Cisco Security Manager 3.2
K-34
OL-16066-01
Appendix K Router Platform User Interface Reference
AIM-IPS Interface Settings Page
Table K-14 AIM-IPS Interface Settings Page (Continued)
Interface Name The name of the interface role that the AIM-IPS uses.
Monitoring Mode Inline or Promiscuous: Inline mode puts the AIM-IPS directly into the traffic
flow, allowing it to stop attacks by dropping malicious traffic before it
reaches the intended target. In promiscuous mode, packets do not flow
through the sensor; the sensor analyzes a copy of the monitored traffic rather
than the actual forwarded packet.
Access List Optional. Used to configure a standard monitoring access list on the router
and apply that access list to filter traffic for inspection. A matched ACL
causes traffic not to be inspected for that ACL. More information on the
options for the access-list command is available in the Cisco IOS Command
Reference.
Add button Opens the IPS Monitoring Information Dialog Box, page K-35. From here
you can define an IPS monitoring interface.
Edit button Opens the IPS Monitoring Information Dialog Box, page K-35. From here
you can edit an IPS monitoring interface.
Delete button Deletes the selected IPS monitoring interfaces from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
IPS Monitoring Information Dialog Box
Use the IPS Monitoring Information dialog box to add or edit the properties of
AIM-IPS interfaces.
Navigation Path
Go to the AIM-IPS Interface Settings Page, page K-34, then click the Add or Edit
button beneath the AIM-IPS Service Module Monitoring Settings table.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-35
Appendix K Router Platform User Interface Reference
Dialer Policy Page
Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20
Field Reference
Table K-15 IPS Monitoring Information Dialog Box
Element Description
Interface Name A name selected from among available interfaces.
Select button Opens the Interface Selector dialog box.
Monitoring Mode Inline or Promiscuous: Inline mode puts the AIM-IPS directly into the traffic
flow, allowing it to stop attacks by dropping malicious traffic before it
reaches the intended target. In promiscuous mode, packets do not flow
through the sensor; the sensor analyzes a copy of the monitored traffic rather
than the actual forwarded packet.
Access List Optional. Used to configure a standard monitoring access list on the router
and apply that access list to filter traffic for inspection. A matched ACL
causes traffic not to be inspected for that ACL. More information on the
options for the access-list command is available in the Cisco IOS Command
Reference.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Dialer Policy Page
Use the Dialer page to define the relationship between physical Basic Rate
Interface (BRI) and virtual dialer interfaces. You use these dialer interfaces when
you configure the dial backup feature for site-to-site VPNs.
For more information, see Dialer Interfaces on Cisco IOS Routers, page 15-33.
Navigation Path
• (Device view) Select Interfaces > Settings > Dialer from the Policy selector.
User Guide for Cisco Security Manager 3.2
K-36
OL-16066-01
Appendix K Router Platform User Interface Reference
Dialer Policy Page
• (Policy view) Select Router Interfaces > Settings > Dialer from the Policy
Type selector. Right-click Dialer to create a policy, or select an existing
policy from the Shared Policy selector.
Related Topics
• Configuring Dial Backup, page 10-37
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-16 Dialer Page
Element Description
Dialer Profiles table
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface The interface role that the dialer interface uses.
Profile Name The name of the dialer profile.
Dial Pool The dialing pool that this dialer profile uses.
Dial Group The dialer group that this dialer profile uses.
Interesting Traffic ACL The ACL that defines which traffic can use this dialer profile.
Dial String The phone number that the dialer calls.
Idle Timeout The defined interval after which an uncontested idle line is disconnected.
Fast Idle The defined interval after which a contested idle line is disconnected.
Add button Opens the Dialer Profile Dialog Box, page K-38. From here you can define
a dialer profile.
Edit button Opens the Dialer Profile Dialog Box, page K-38. From here you can edit the
selected dialer profile.
Delete button Deletes the selected dialer profiles from the table.
Dialer Physical Interfaces (BRI) table
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface The name of the interface role that the physical interface uses.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-37
Appendix K Router Platform User Interface Reference
Dialer Policy Page
Table K-16 Dialer Page (Continued)
Pools The dial pools related to this physical interface.
Switch Type The ISDN switch type that the physical interface uses.
SPID1 The first service provider identifier (SPID) related to this interface.
SPID2 The second SPID related to this interface.
Add button Opens the Dialer Physical Interface Dialog Box, page K-40. From here you
can define a dialer physical interface.
Edit button Opens the Dialer Physical Interface Dialog Box, page K-40. From here you
can edit the selected dialer physical interface.
Delete button Deletes the selected dialer physical interfaces from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
Dialer Profile Dialog Box
Use the Dialer Profile dialog box to add or edit dialer profiles.
Navigation Path
Go to the Dialer Policy Page, page K-36, then click the Add or Edit button
beneath the Dialer Profile table.
Related Topics
• Dialer Physical Interface Dialog Box, page K-40
• Defining Dialer Profiles, page 15-34
• Dialer Interfaces on Cisco IOS Routers, page 15-33
User Guide for Cisco Security Manager 3.2
K-38
OL-16066-01
Appendix K Router Platform User Interface Reference
Dialer Policy Page
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
Field Reference
Table K-17 Dialer Profile Dialog Box
Element Description
Name A descriptive name for the dialer profile. This name enables you to assign
the correct dialer pool to the physical interface. You can also use the profile
name as a reference to the site to which this dialer interface serves as a
backup.
Interface The virtual dialer interface to associate with the dialer profile. Enter the
name of an interface or interface role, or click Select to display an Object
Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
Pool ID The dialer pool ID. Each pool can contain multiple physical interfaces and
can be associated with multiple dialer interfaces. Each dialer interface,
however, is associated with only one pool.
Group The group ID, which identifies the dialer group that this dialer interface uses.
Interesting Traffic ACL The extended, numbered ACL that defines which packets are permitted to
initiate calls using this dialer profile.
Enter the name of an extended, numbered ACL object, or click Select to
display an Object Selectors, page F-593. The valid ACL number range is 100
to 199.
If the extended ACL you want is not listed, click the Create button in the
selector to display the Extended Tab, page F-32. From here you can create
an ACL object.
Dialer String (Remote
The phone number of the destination that the dialer contacts.
Phone Number)
Idle Timeout The default amount of idle time before an uncontested line is disconnected.
The default is 120 seconds.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-39
Appendix K Router Platform User Interface Reference
Dialer Policy Page
Table K-17 Dialer Profile Dialog Box (Continued)
Fast Idle Timeout The default amount of idle time before a contested line is disconnected. The
default is 20 seconds.
Line contention occurs when a busy line is requested to send another packet
to a different destination.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Dialer Physical Interface Dialog Box
Use the Dialer Physical Interface dialog box to add or edit the properties that
associate physical BRI interfaces with dialer interfaces.
Note Use FlexConfigs to define other types of physical dialer interfaces, such as ATM
and Ethernet. For more information, see Understanding FlexConfig Objects,
page 9-52.
K-40
Navigation Path
Go to the Dialer Policy Page, page K-36, then click the Add or Edit button
beneath the Dialer Physical Interfaces table.
Related Topics
• Dialer Profile Dialog Box, page K-38
• Defining BRI Interface Properties, page 15-36
• Dialer Interfaces on Cisco IOS Routers, page 15-33
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Dialer Policy Page
Field Reference
Table K-18 Dialer Physical Interface Dialog Box
Element Description
ISDN BRI The physical BRI interface associated with the dialer interface. Enter the
name of an interface or interface role, or click Select to display an Object
Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
Pools Associates dialer pools with a physical interface. Enter the names of one or
more pools (as defined in the Dialer Profile Dialog Box, page K-38), or click
Select to display a selector. Use commas to separate multiple entries.
Switch Type The ISDN switch type.
Options for North America are:
• basic-5ess—Lucent (AT&T) basic rate 5ESS switch
• basic-dms100—Northern Telecom DMS-100 basic rate switch
OL-16066-01
• basic-ni—National ISDN switches
Options for Australia, Europe, and the UK are:
• basic-1tr6—German 1TR6 ISDN switch
• basic-net3—NET3 ISDN BRI for Norway NET3, Australia NET3, and
New Zealand NET3 switch types; ETSI-compliant switch types for
Euro-ISDN E-DSS1 signaling system
• vn3—French VN3 and VN4 ISDN BRI switches
Option for Japan is:
• ntt—Japanese NTT ISDN switches
Option for Voice/PBX system is:
• basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931 ()
User Guide for Cisco Security Manager 3.2
K-41
Appendix K Router Platform User Interface Reference
ADSL Policy Page
Table K-18 Dialer Physical Interface Dialog Box (Continued)
SPID1 Applies only when you select Basic-DMS-100, Basic-NI, or Basic-5ess as
the switch type.
The service provider identifier (SPID) for the ISDN service to which the
interface subscribes. Some service providers in North America assign SPIDs
to ISDN devices when you first subscribe to an ISDN service. If you are
using a service provider that requires SPIDs, your ISDN device cannot place
or receive calls until it sends a valid assigned SPID to the service provider
when accessing the switch to initialize the connection.
Valid SPIDs can contain up to 20 characters, including spaces and special
characters.
Note We recommend that you do not enter a SPID for interfaces using the
AT&T 5ESS switch type, even though they are supported.
SPID2 Applies only when you select DMS-100 or NI as the switch type.
The service provider identifier (SPID) for a second ISDN service to which
the interface subscribes. Valid SPIDs can contain up to 20 alphanumeric
characters (no spaces are permitted).
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
ADSL Policy Page
Use the ADSL page to create, edit, and delete ADSL definitions on the ATM
interfaces of the router. For more information, see Defining ADSL Settings,
page 15-40.
Navigation Path
• (Device view) Select Interfaces > Settings > DSL > ADSL from the Policy
selector.
• (Policy view) Select Router Interfaces > Settings > DSL > ADSL from the
Policy Type selector. Right-click ADSL to create a policy, or select an
existing policy from the Shared Policy selector.
User Guide for Cisco Security Manager 3.2
K-42
OL-16066-01
Appendix K Router Platform User Interface Reference
ADSL Policy Page
Related Topics
• PVC Policy Page, page K-54
• SHDSL Policy Page, page K-47
• ADSL on Cisco IOS Routers, page 15-38
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-19 ADSL Page
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
ATM Interface The ATM interface on which ADSL settings are defined.
Interface Card The type of device or ADSL interface card on which the ATM interface
resides.
Bandwidth Change Indicates whether the router makes dynamic adjustments to VC bandwidth
as overall bandwidth changes. (This is relevant only when IMA groups are
configured on the ATM interface.)
DSL Operating Mode The DSL operating mode for this interface.
Tone Low Indicates whether the interface is using the low tone set (carrier tones 29
through 48).
Add button Opens the ADSL Settings Dialog Box, page K-44. From here you can define
the ADSL settings for a selected ATM interface.
Edit button Opens the ADSL Settings Dialog Box, page K-44. From here you can edit
the selected ADSL definition.
Delete button Deletes the selected ADSL definition from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-43
ADSL Policy Page
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
ADSL Settings Dialog Box
Use the ADSL Settings dialog box to configure ADSL settings on a selected ATM
interface.
Note When you configure ADSL settings, we highly recommend that you select the
type of device or interface card on which the ATM interface is defined. ADSL
settings are highly dependent on the hardware. Defining the hardware type in
Security Manager enables proper validation of your configuration for a successful
deployment to your devices.
Navigation Path
Go to the ADSL Policy Page, page K-42, then click the Add or Edit button
beneath the table.
Appendix K Router Platform User Interface Reference
K-44
Related Topics
• Defining ADSL Settings, page 15-40
• PVC Policy Page, page K-54
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
ADSL Policy Page
Field Reference
Table K-20 ADSL Settings Dialog Box
Element Description
ATM Interface The ATM interface on which ADSL settings are defined. Enter the name of
an interface or interface role, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can define an interface role object.
Note We recommend that you do not define an interface role that includes
ATM interfaces from different interface cards. The different settings
supported by each card type may cause deployment to fail.
Note You can create only one ADSL definition per interface.
Interface Card The device type or the type of interface card installed on the router:
• [blank]—The interface card type is not defined.
• WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL
over POTS (ordinary telephone lines).
• WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides
ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the
router warns the DSLAM of imminent line drops when the router is
about to lose power.)
OL-16066-01
• WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides
ADSL over POTS with Dying Gasp support.
• HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that
provides ADSL over POTS.
• HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that
provides ADSL over ISDN.
• HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card
that provides ADSL over POTS with an ISDN BRI port for backup.
• HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card
that provides ADSL over ISDN with an ISDN BRI port for backup.
User Guide for Cisco Security Manager 3.2
K-45
ADSL Policy Page
Table K-20 ADSL Settings Dialog Box (Continued)
Appendix K Router Platform User Interface Reference
Interface Card
(continued)
Allow bandwidth
change on ATM PVCs
• 857 ADSL—Cisco 857 Integrated Service Router with an ADSL
interface.
• 876 ADSL—Cisco 876 Integrated Services Router with an ADSL
interface.
• 877 ADSL—Cisco 877 Integrated Services Router with an ADSL
interface.
• 1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that
provides ADSL over POTS.
• 1802 ADSLoISDN—Cisco 1802 Integrated Services Router that
provides ADSL over ISDN.
Note When discovering from a live device, the correct interface card type
will already be displayed. If you did not perform discovery on a live
device, or if Security Manager cannot detect the type of interface
card installed on the device, this field displays “Unknown”.
When selected, the router makes dynamic adjustments to VC bandwidth in
response to changes in the overall bandwidth of the Inverse Multiplexing
over ATM (IMA) group defined on the ATM interface.
When deselected, PVC bandwidth must be adjusted manually (using the
CLI) whenever an individual physical link in the IMA group goes up or
down.
K-46
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
SHDSL Policy Page
Table K-20 ADSL Settings Dialog Box (Continued)
DSL Operating Mode The operating mode configured for this ADSL line:
• auto—Performs automatic negotiation with the DSLAM located at the
central office (CO). This is the default.
• ansi-dmt—The line trains in ANSI T1.413 Issue 2 mode.
• itu-dmt—The line trains in G.992.1 mode.
• splitterless—The line trains in G.992.2 (G.Lite) mode.
• etsi—The line trains in ETSI (European Telecommunications Standards
Institute) mode.
• adsl2—The line trains in G.992.3 (adsl2)mode.
• adsl2+—The line trains in G.992.5 (adsl2+) mode.
Note See Table 15-3 on page 15-39 for a description of the operating
modes that are supported by each card type.
Use low tone set When selected, the interface card uses carrier tones 29 through 48.
When deselected, the interface card uses carrier tones 33 through 56.
Note Leave this option deselected when the interface card is operating in
accordance with Deutsche Telekom specification U-R2.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
SHDSL Policy Page
Use the SHDSL page to create, edit, and delete DSL controller definitions on the
router. For more information, see Defining SHDSL Controllers, page 15-44.
Navigation Path
• (Device view) Select Interfaces > Settings > DSL > SHDSL from the Policy
selector.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-47
Appendix K Router Platform User Interface Reference
SHDSL Policy Page
• (Policy view) Select Router Interfaces > Settings > DSL > SHDSL from the
Policy Type selector. Right-click SHDSL to create a policy, or select an
existing policy from the Shared Policy selector.
Related Topics
• PVC Policy Page, page K-54
• ADSL Policy Page, page K-42
• SHDSL on Cisco IOS Routers, page 15-43
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-21 SHDSL Page
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Name The name of the DSL controller.
Description An optional description of the controller.
Shutdown Indicates whether the DSL controller is in shutdown mode.
Configure ATM Mode Indicates whether the DSL controller has been set into ATM mode.
Line Termination The line termination set for the router (CPE or CO).
DSL Mode The operating mode defined for the DSL controller.
Line Mode The line mode defined for the DSL controller.
Line Rate The line rate (in kbps) defined for the DSL controller.
Note A value is displayed in this column only if the line mode is not set to
Auto.
SNR Margin Current The current signal-to-noise ratio on the controller.
SNR Margin Snext The self near-end crosstalk (Snext) signal-to-noise ratio on the controller.
Add button Opens the SHDSL Controller Dialog Box, page K-49. From here you can
define the settings for a DSL controller.
Edit button Opens the SHDSL Controller Dialog Box, page K-49. From here you can
edit the selected DSL controller definition.
User Guide for Cisco Security Manager 3.2
K-48
OL-16066-01
Appendix K Router Platform User Interface Reference
SHDSL Policy Page
Table K-21 SHDSL Page (Continued)
Delete button Deletes the selected DSL controller definition from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
SHDSL Controller Dialog Box
Use the SHDSL Controller dialog box to configure SHDSL controllers.
Navigation Path
Go to the SHDSL Policy Page, page K-47, then click the Add or Edit button
beneath the table.
Related Topics
• Defining SHDSL Controllers, page 15-44
• PVC Policy Page, page K-54
• Discovering Policies on Devices Already in Security Manager, page 7-10
Field Reference
Table K-22 SHDSL Dialog Box
Element Description
Name The name of the controller. Enter a name manually, or click Select to display
a dialog box for generating a name. See Controller Auto Name Generator
Dialog Box, page K-53.
Description Additional information about the controller (up to 80 characters).
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-49
Appendix K Router Platform User Interface Reference
SHDSL Policy Page
Table K-22 SHDSL Dialog Box (Continued)
Shutdown When selected, the DSL controller is in shutdown state. However, its
definition is not deleted.
When deselected, the DSL controller is enabled. This is the default.
Configure ATM mode When selected, sets the controller into ATM mode and creates an ATM
interface with the same ID as the controller. This is the default. You must
enable ATM mode and then perform rediscovery to configure ATM or PVCs
on the device.
When deselected, ATM mode is disabled. No ATM interface is created on
deployment.
Note You cannot remove ATM mode from a controller after it has been
saved in Security Manager.
Line Termination The line termination that is set for the router:
• CPE—Customer premises equipment. This is the default.
• CO—Central office.
DSL Mode The DSL operating mode, including regional operating parameters, used by
the controller:
• [blank]—The operating mode is not defined. (When deployed, the
Annex A standard for North America is used.)
Line Mode settings
User Guide for Cisco Security Manager 3.2
K-50
• A—Supports Annex A of the G.991.2 standard for North America.
• A-B—Supports Annex A or Annex B. Available only when the Line
Term is set to CPE. The appropriate mode is selected when the line
trains.
• A-B-ANFP—Supports Annex A or Annex B-ANFP. Available only
when the Line Term is set to CPE. The appropriate mode is selected
when the line trains.
• B—Supports Annex B of the G.991.2 standard for Europe.
• B-ANFP—Supports Annex B-ANFP (Access Network Frequency Plan).
Note The available DSL modes are dependent on the selected line
termination.
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-22 SHDSL Dialog Box (Continued)
Line Mode The line mode used by the controller:
• auto—The controller operates in the same mode as the other line
termination (2-wire line 0, 2-wire line 1, or 4-wire enhanced). This is the
default for CPE line termination.
• 2-wire—The controller operates in two-wire mode. This is the default
for CO line termination.
• 4-wire—The controller operates in four-wire mode.
Note You can select Auto only when you configure the controller as the
CPE.
Line Applies only when the Line Mode is defined as 2-wire.
The pair of wires to use:
• line-zero—RJ-11 pin 1 and pin 2. This is the default for CO line
termination.
• line-one—RJ-11 pin 3 and pin 4.
Exchange Handshake Applies only when the Line Mode is defined as 4-wire.
The type of handshake mode to use:
• [blank]—The handshake mode is not specified. (When deployed, the
enhanced option is used.) This is the default.
SHDSL Policy Page
OL-16066-01
• enhanced—Exchanges handshake status on both wire pairs.
• standard—Exchanges handshake status on the master wire pair only.
User Guide for Cisco Security Manager 3.2
K-51
Appendix K Router Platform User Interface Reference
SHDSL Policy Page
Table K-22 SHDSL Dialog Box (Continued)
Line Rate Does not apply when the Line Mode is defined as Auto.
The DSL line rate (in kbps) available for the SHDSL port:
• auto—The controller selects the line rate. This is available only in
2-wire mode.
• Supported line rates:
–
For 2-wire mode: 192, 256, 320, 384, 448, 512, 576, 640, 704, 768,
832, 896, 960, 1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472,
1536, 1600, 1664, 1728, 1792, 1856, 1920, 1984, 2048, 2112, 2176,
2240, and 2304.
–
For 4-wire mode: 384, 512, 640, 768, 896, 1024, 1152, 1280, 1408,
1536, 1664, 1792, 1920, 2048, 2176, 2304, 2432, 2560, 2688, 2816,
2944, 3072, 3200, 3328, 3456, 3584, 3712, 3840, 3968, 4096, 4224,
4352, 4480, and 4608.
Note Third-party equipment may use a line rate that includes an additional
SHDSL overhead of 8 kbps for 2-wire mode or 16 kbps for 4-wire
mode.
SNR Margin settings
Current The current signal-to-noise (SNR) ratio on the controller, in decibels (dB).
Valid values range from -10 to 10 dB.
This option can create a more stable line by making the line train more than
current noise margin plus SNR ratio threshold during training time. If any
external noise is applied that is less than the set SNR margin, the line will be
stable.
Note Select disable to disable the current SNR.
Snext The Self Near-End Crosstalk (SNEXT) signal-to-noise ratio on the
controller, in decibels. Valid values range from -10 to 10 dB.
This option can create a more stable line by making the line train more than
SNEXT threshold during training time. If any external noise is applied that
is less than the set SNEXT margin, the line will be stable.
Note Select disable to disable the SNEXT SNR.
SHDSL dialog box buttons
User Guide for Cisco Security Manager 3.2
K-52
OL-16066-01
Appendix K Router Platform User Interface Reference
SHDSL Policy Page
Table K-22 SHDSL Dialog Box (Continued)
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Controller Auto Name Generator Dialog Box
Use the Controller Auto Name Generator dialog box to have Security Manager
generate a name for the DSL controller based on its location in the router.
Navigation Path
Go to the SHDSL Controller Dialog Box, page K-49, then click Select in the
Name field.
Related Topics
• Defining SHDSL Controllers, page 15-44
• SHDSL Policy Page, page K-47
• PVC Policy Page, page K-54
Field Reference
Table K-23 Controller Auto Name Generator Dialog Box
Element Description
Type The type of interface. This field displays the value DSL and is read-only.
Card The card related to the controller.
Slot The slot related to the controller.
Port The port related to the controller.
Note The information you enter in these fields forms the remainder of the
generated name, as displayed in the Result field.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-53
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-23 Controller Auto Name Generator Dialog Box (Continued)
Result The name generated by Security Manager from the information you entered
for the controller location. The name displayed in this field is read-only.
Tip After closing this dialog box, you can edit the generated name in the
SHDSL dialog box, if required.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
PVC Policy Page
Use the PVC page to create, edit, and delete permanent virtual connections
(PVCs) on the router. PVCs allow direct and permanent connections between sites
to provide a service that is similar to a leased line. These PVCs can be used in
ADSL, SHDSL, or pure ATM environments. For more information, see Defining
ATM PVCs, page 15-52.
K-54
Navigation Path
• (Device view) Select Interfaces > Settings > PVC from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > PVC from the Policy
Type selector. Right-click PVC to create a policy, or select an existing policy
from the Shared Policy selector.
Related Topics
• ADSL Policy Page, page K-42
• SHDSL Policy Page, page K-47
• PVCs on Cisco IOS Routers, page 15-46
• Chapter K, “Router Platform User Interface Reference”
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Field Reference
Ta b le K -2 4 P VC Pa ge
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
ATM Interface The ATM interface on which the PVC is defined.
Interface Card The type of device or WAN interface card on which the ATM interface
resides.
PVC ID The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the
PVC.
Settings Additional settings configured for the PVC, including encapsulation, the
number of PPPoE sessions, and the VPN service name.
QoS Quality-of-service settings defined for the PVC, such as traffic shaping.
Protocol The IP protocol mappings (static maps or Inverse ARP) configured for the
PVC.
OAM The F5 Operation, Administration, and Maintenance (OAM) loopback,
continuity check, and AIS/RDI definitions configured for the PVC.
OAM-PVC The OAM management cells that are configured for the PVC.
Add button Opens the PVC Dialog Box, page K-56. From here you can define a PVC.
Edit button Opens the PVC Dialog Box, page K-56. From here you can edit the selected
PVC.
Delete button Deletes the selected PVC from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
OL-16066-01
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
User Guide for Cisco Security Manager 3.2
K-55
Appendix K Router Platform User Interface Reference
PVC Policy Page
PVC Dialog Box
Use the PVC dialog box to configure ATM permanent virtual circuits (PVCs).
Navigation Path
Go to the PVC Policy Page, page K-54, then click the Add or Edit button beneath
the table.
Related Topics
• Defining ATM PVCs, page 15-52
Field Reference
Ta b le K -2 5 P VC Di al og Bo x
Element Description
ATM Interface The ATM interface on which the PVC is defined. Enter the name of an
interface, subinterface, or interface role, or click Select to display an Object
Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can define an interface role object.
Note We strongly recommend not defining an interface role that includes
ATM interfaces from different interface cards. The different settings
supported by each card type may cause deployment to fail.
K-56
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-25 PVC Dialog Box (Continued)
Interface Card The type of WAN interface card installed on the router or the router type:
• [blank]—The interface card type is not defined.
• WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL
over POTS (ordinary telephone lines).
• WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides
ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the
router warns the DSLAM of imminent line drops when the router is
about to lose power.)
• WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides
ADSL over POTS with Dying Gasp support.
• HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that
provides ADSL over POTS.
• HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that
provides ADSL over ISDN.
• HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card
that provides ADSL over POTS with an ISDN BRI port for backup.
• HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card
that provides ADSL over ISDN with an ISDN BRI port for backup.
• WIC-1-SHDSL-V2—A 1-port multiline G.SHDSL WAN interface card
with support for 2-wire mode and enhanced 4-wire mode.
OL-16066-01
• WIC-1-SHDSL-V3—A 1-port multiline G.SHDSL WAN interface card
with support for 2-wire mode and 4-wire mode (standard & enhanced).
• NM-1A-T3—A 1-port ATM network module with a T3 link.
• NM-1A-OC3-POM—A 1-port ATM network module with an optical
carrier level 3 (OC-3) link and three operating modes (multimode,
single-mode intermediate reach (SMIR), and single-mode long-reach
(SMLR)).
User Guide for Cisco Security Manager 3.2
K-57
PVC Policy Page
Table K-25 PVC Dialog Box (Continued)
Appendix K Router Platform User Interface Reference
Interface Card
(continued)
• NM-1A-E3—A 1-port ATM network module with an E3 link.
• 857 ADSL—Cisco 857 Integrated Service Router with an ADSL
interface.
• 876 ADSL—Cisco 876 Integrated Services Router with an ADSL
interface.
• 877 ADSL—Cisco 877 Integrated Services Router with an ADSL
interface.
• 878 G.SHDSL—Cisco 878 Integrated Services Router with a G.SHDSL
interface.
• 1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that
provides ADSL over POTS.
• 1802 ADSLoISDN—Cisco 1802 Integrated Services Router that
provides ADSL over ISDN.
• 1803 G.SHDSL—Cisco 1803 Integrated Services Router that provides
4-wire G.SHDSL.
Note To ensure proper policy validation, we highly recommend that you
define a value in this field. When you discover a live device, the
correct interface card type will already be displayed. If you did not
perform discovery on a live device, or if Security Manager cannot
detect the type of interface card installed on the device, this field
displays “Unknown”.
Settings tab Defines basic PVC settings, such as the VPI/VCI and encapsulation. See
PVC Dialog Box—Settings Tab, page K-59.
QoS tab Defines ATM traffic shaping and other quality-of-service settings for the
PVC. See PVC Dialog Box—QoS Tab, page K-63.
Protocol tab Defines the IP protocol mappings configured for the PVC (static maps or
Inverse ARP). See PVC Dialog Box—Protocol Tab, page K-67.
Advanced button Defines F5 Operation, Administration, and Maintenance (OAM) settings for
the PVC. See PVC Advanced Settings Dialog Box—OAM Tab, page K-70.
K-58
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-25 PVC Dialog Box (Continued)
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
PVC Dialog Box—Settings Tab
Use the Settings tab of the PVC dialog box to configure the basic settings of the
PVC, including:
• ID settings.
• Encapsulation settings.
• Whether ILMI and Inverse ARP are enabled.
• The maximum number of PPPoE sessions.
• The static domain (VPN service) name to use for PPPoA.
OL-16066-01
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the Settings tab.
Related Topics
• PVC Dialog Box—QoS Tab, page K-63
• PVC Dialog Box—Protocol Tab, page K-67
• PVC Advanced Settings Dialog Box, page K-69
• Defining ATM PVCs, page 15-52
User Guide for Cisco Security Manager 3.2
K-59
Appendix K Router Platform User Interface Reference
PVC Policy Page
Field Reference
Table K-26 PVC Dialog Box—Settings Tab
Element Description
PVC ID settings
VPI The virtual path identifier of the PVC. In conjunction with the VCI,
identifies the next destination of a cell as it passes through a series of ATM
switches on the way to its destination. Valid values for most platforms range
from 0 to 255.
For Cisco 2600 and 3600 Series routers using Inverse Multiplexing for ATM
(IMA), valid values range from 0 to 15, 64 to 79, 128 to 143, and 192 to 207.
Note VPI/VCI values must be unique for all the PVCs configured on a
selected interface. VPI/VCI values are unique to a single link only
and might change as cells traverse the ATM network.
VCI The 16-bit virtual channel identifier of the PVC. In conjunction with the
VPI, identifies the next destination of a cell as it passes through a series of
ATM switches on the way to its destination. Valid values vary by platform.
Typically, values up to 31 are reserved for special traffic (such as ILMI) and
should not be used. 3 and 4 are invalid.
Note VPI/VCI values must be unique for all the PVCs configured on a
selected interface. VPI/VCI values are unique to a single link only
and might change as cells traverse the ATM network.
Handle An optional name to identify the PVC. The maximum length is 15
characters.
Management PVC
(ILMI)
Does not apply when configuring the PVC on a subinterface.
When selected, designates this PVC as the management PVC for this ATM
interface by enabling communication with the Interim Local Management
Interface (ILMI). ILMI is a protocol defined by the ATM Forum for setting
and capturing physical layer, ATM layer, virtual path, and virtual circuit
parameters on ATM interfaces. See Understanding ILMI, page 15-50.
When deselected, this PVC does not act as the management PVC. This is the
default.
Note The VPI/VCI for the management PVC is typically set to 0/16.
K-60
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-26 PVC Dialog Box—Settings Tab (Continued)
Encapsulation settings
Type Does not apply when the Management PVC (ILMI) check box is enabled.
The ATM adaptation layer (AAL) and encapsulation type to use on the PVC:
• [blank]—The encapsulation type is not defined. (When deployed,
aal5snap is applied.)
• aal2—For PVCs dedicated to AAL2 Voice over ATM. AAL2 is used for
variable bit rate (VBR) traffic, which can be either realtime (VBR-RT)
or non-realtime (VBR-NRT).
• aal5autoppp—Enables the router to distinguish between incoming PPP
over ATM (PPPoA) and PPP over Ethernet (PPPoE) sessions and create
virtual access for both PPP types based on demand.
• aal5ciscoppp—For the proprietary Cisco version of PPP over ATM.
• aal5mux—Enables you to dedicate the PVC to a single protocol, as
defined in the Protocol field.
• aal5nlpid—Enables ATM interfaces to work with High-Speed Serial
Interfaces (HSSI) that are using an ATM data service unit (ADSU) and
running ATM-Data Exchange Interface (DXI).
• aal5snap—Supports Inverse ARP and incorporates the Logical Link
Control/Subnetwork Access Protocol (LLC/SNAP) that precedes the
protocol datagram. This allows multiple protocols to traverse the same
PVC.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-61
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-26 PVC Dialog Box—Settings Tab (Continued)
Virtual Template The virtual template used for PPP over ATM on this PVC. Enter the name of
a virtual template interface or interface role, or click Select to display an
Object Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can define an interface role object.
When a user dials in, the virtual template is used to configure a virtual access
interface. When the user is done, the virtual access interface goes down and
the resources are freed for other dial-in users.
Note If you modify the virtual template settings on an existing PVC, you
must enter the shutdown command followed by the no shutdown
command on the ATM subinterface to restart the interface. This
causes the newly configured parameters to take effect.
Protocol Applies only when aal5mux is the defined encapsulation type.
The protocol carried by the MUX-encapsulated PVC:
• frame-relay—Frame-Relay-ATM Network Interworking (FRF.5) on the
Cisco MC3810.
• fr-atm-srv—Frame-Relay-ATM Service Interworking (FRF.8) on the
Cisco MC3810.
• ip—IP protocol.
• ppp—IETF-compliant PPP over ATM. You must specify a virtual
template when using this protocol type.
• voice—Voice over ATM.
Additional settings
Enable ILMI When selected, enables ILMI management on this PVC.
When deselected, ILMI management on this PVC is disabled.
User Guide for Cisco Security Manager 3.2
K-62
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-26 PVC Dialog Box—Settings Tab (Continued)
Inverse ARP When selected, the Inverse Address Resolution Protocol (Inverse ARP) is
enabled on the PVC.
When deselected, Inverse ARP is disabled. This is the default.
Inverse ARP is used to learn the Layer 3 addresses at the remote ends of
established connections. These addresses must be learned before the virtual
circuit can be used.
Note Use the Protocol tab to define static mappings of IP addresses instead
of dynamically learning the addresses using Inverse ARP. See PVC
Dialog Box—Protocol Tab, page K-67.
PPPoE Max Sessions The maximum number of PPP over Ethernet sessions that are permitted on
the PVC.
VPN Service Name The static domain name to use on this PVC. The maximum length is 128
characters.
Use this option when you want PPP over ATM (PPPoA) sessions in the PVC
to be forwarded according to the domain name supplied, without starting
PPP.
PVC Dialog Box—QoS Tab
Use the QoS tab of the PVC dialog box to configure the ATM traffic shaping and
other quality-of-service settings of the PVC, including:
• The limit on packets placed on transmission rings.
• The QoS service.
• Whether random detection is enabled.
These settings regulate the flow of traffic over the PVC by queuing traffic that
exceeds the defined allowable bit rates.
Note QoS values are highly hardware dependent. Please refer to your router
documentation for additional details about the settings that can be configured on
your device.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-63
Appendix K Router Platform User Interface Reference
PVC Policy Page
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the QoS tab.
Related Topics
• PVC Dialog Box—Settings Tab, page K-59
• PVC Dialog Box—Protocol Tab, page K-67
• PVC Advanced Settings Dialog Box, page K-69
• Defining ATM PVCs, page 15-52
• Quality of Service Policy Page, page K-199
• Understanding Policing and Shaping Parameters, page 15-159
Field Reference
Table K-27 PVC Dialog Box—QoS Tab
Element Description
Tx Ring Limit The maximum number of transmission packets that can be placed on a
transmission ring on the WAN interface card (WIC) or interface.
K-64
The range of valid values depends on the type of interface card selected in
the Settings tab. See PVC Dialog Box—Settings Tab, page K-59.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-27 PVC Dialog Box—QoS Tab (Continued)
Traffic Shaping settings
Traffic Shaping The type of service to define on the PVC:
• [null]—The bit rate is not defined.
• ABR—Available Bit Rate. A best-effort service suitable for applications
that do not require guarantees against cell loss or delays.
• CBR—Constant Bit Rate service. Delay-sensitive data, such as voice or
video, is sent at a fixed rate, providing a service similar to a leased line.
• UBR—Unspecified Bit Rate service. A best-effort service suitable for
applications that are tolerant to delay and do not require realtime
responses.
• UBR+—Unspecified Bit Rate service. Unlike UBR, UBR+ attempts to
maintain a guaranteed minimum rate.
• VBR-NRT—Variable Bit Rate - Non-Real Time service. A service
suitable for non-realtime applications that are bursty in nature. VBR is
more efficient than CBR and more reliable than UBR.
PVC Policy Page
• VBR-RT—Variable Bit Rate - Real Time service. A service suitable for
realtime applications that are bursty in nature.
For more information about each service class, see Understanding ATM
Service Classes, page 15-48.
ABR The following fields are displayed when ABR is selected as the Bit Rate:
• PCR—The peak cell rate in kilobits per second (kbps). It specifies the
maximum value of the ABR.
• MCR—The minimum cell rate in kilobits per second (kbps). It specifies
the minimum value of the ABR.
The ABR varies between the MCR and the PCR. It is dynamically controlled
using congestion control mechanisms.
CBR The following field is displayed when CBR is selected as the Bit Rate:
• Rate—The constant bit rate (also known as the average cell rate) for the
PVC in kilobits per second (kbps). An ATM VC configured for CBR can
send cells at this rate for as long as required.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-65
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-27 PVC Dialog Box—QoS Tab (Continued)
UBR The following field is displayed when UBR is selected as the Bit Rate:
• PCR—The peak cell rate for output in kilobits per second (kbps). Cells
in excess of the PCR may be discarded.
UBR+ The following fields are displayed when UBR+ is selected as the Bit Rate:
• PCR—The peak cell rate for output in kilobits per second (kbps). Cells
in excess of the PCR may be discarded.
• MCR—The minimum guaranteed cell rate for output in kilobits per
second (kbps). Traffic is always allowed to be sent at this rate.
Note UBR+ requires Cisco IOS Software Release 12.4(2)XA or later, or
version 12.4(6)T or later.
VBR-NRT The following fields are displayed when VBR-NRT is selected as the Bit
Rate:
• PCR—The peak cell rate for output in kilobits per second (kbps). Cells
in excess of the PCR may be discarded.
• SCR—The sustained cell rate for output in kilobits per second (kbps).
This value, which must be lower than or equal to the PCR, represents the
maximum rate at which cells can be transmitted without incurring data
loss.
• MBS—The maximum burst cell size for output. This value represents
the number of cells that can be transmitted above the SCR but below the
PCR without penalty.
VBR-RT The following fields are displayed when VBR-RT is selected as the Bit Rate:
• Peak Rate—The peak information rate for realtime traffic in kilobits per
second (kbps).
• Average Rate—The average information rate for realtime traffic in
kilobits per second (kbps). This value must be lower than or equal to the
peak rate.
• Burst—The burst size for realtime traffic, in number of cells. Configure
this value if the PVC carries bursty traffic.
These values configure traffic shaping between realtime traffic (such as
voice and video) and data traffic to ensure that the carrier does not discard
realtime traffic, for example, voice calls.
User Guide for Cisco Security Manager 3.2
K-66
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-27 PVC Dialog Box—QoS Tab (Continued)
IP QoS settings
Random Detect When selected, enables Weighted Random Early Detection (WRED) or
VIP-distributed WRED (DWRED) on the PVC.
When deselected, WRED and DWRED are disabled. This is the default.
WRED is a queue management method that selectively drops packets as the
interface becomes congested. See Tail Drop vs. WRED, page 15-156.
PVC Dialog Box—Protocol Tab
Use the Protocol tab of the PVC dialog box to add, edit, or delete the protocol
mappings configured for the PVC. You may configured static mappings or Inverse
ARP (broadcast or nonbroadcast) for each PVC, but not both.
Note IP is the only protocol supported by Security Manager for protocol mapping on
ATM networks.
OL-16066-01
Note You cannot define protocol mappings on the Management PVC (ILMI).
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the Protocol tab.
Related Topics
• PVC Dialog Box—Settings Tab, page K-59
• PVC Dialog Box—QoS Tab, page K-63
• PVC Advanced Settings Dialog Box, page K-69
• Defining ATM PVCs, page 15-52
User Guide for Cisco Security Manager 3.2
K-67
Appendix K Router Platform User Interface Reference
PVC Policy Page
Field Reference
Table K-28 PVC Dialog Box—Protocol Tab
Element Description
IP Protocol Mapping Displays the IP protocol mappings configured for the PVC.
Add button Opens the Define Mapping Dialog Box, page K-68. From here you can
define an IP protocol mapping.
Edit button Opens the Define Mapping Dialog Box, page K-68. From here you can edit
the selected mapping.
Delete button Deletes the selected mapping from the table.
Define Mapping Dialog Box
Use the Define Mapping dialog box to configure the IP protocol mappings to use
on the ATM PVC. Mappings are required by the PVC to discover which IP address
is reachable at the other end of a connection. Mappings can either be learned
dynamically using Inverse ARP (InARP) or defined statically. Static mappings are
best suited for simple networks that contain only a few nodes.
K-68
Note Inverse ARP is only supported for the aal5snap encapsulation type. See PVC
Dialog Box—Settings Tab, page K-59.
Tip Use the CLI or FlexConfigs to configure mappings for protocols other than IP.
Navigation Path
Go to the PVC Dialog Box—Protocol Tab, page K-67, then click Add or Edit.
Related Topics
• PVC Dialog Box, page K-56
• Defining ATM PVCs, page 15-52
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Field Reference
Table K-29 Define Mapping Dialog Box
Element Description
IP Options The type of IP protocol mapping to use:
• IP Address—Select this option when using static mapping. Enter the
address or network/host object, or click Select to display an Object
Selectors, page F-593.
If the network you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-477. From
here, you can define a network/host object.
• InARP—Inverse ARP. Select this option when using dynamic mapping.
This allows the PVC to resolve its own network addresses without
configuring a static map. Dynamic mappings age out and are refreshed
periodically every 15 minutes by default.
Note InARP can be used only when aal5snap is the defined encapsulation
type for the PVC. See PVC Dialog Box—Settings Tab, page K-59.
Broadcast Options Indicates whether to use this map entry when sending IP broadcast packets
(such as EIGRP updates):
• Broadcast—The map entry is used for broadcast packets.
• No Broadcast—The map entry is used only for unicast packets.
• None—Broadcast options are disabled.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
PVC Advanced Settings Dialog Box
Use the PVC Advanced Settings dialog box to configure F5 Operation,
Administration, and Maintenance (OAM) functionality on an ATM PVC. OAM is
used to detect connectivity failures at the ATM layer.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-69
Appendix K Router Platform User Interface Reference
PVC Policy Page
For more information, see Defining OAM Management on ATM PVCs,
page 15-56.
Navigation Path
Go to the PVC Dialog Box, page K-56, then click Advanced.
Related Topics
• PVC Policy Page, page K-54
Field Reference
Table K-30 PVC Advanced Settings Dialog Box
Element Description
OAM tab Defines loopback, connectivity check, and AIS/RDI settings. See PVC
Advanced Settings Dialog Box—OAM Tab, page K-70.
OAM-PVC tab Enables OAM loopbacks and connectivity checks on the PVC. See PVC
Advanced Settings Dialog Box—OAM-PVC Tab, page K-73.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
PVC Advanced Settings Dialog Box—OAM Tab
Use the OAM tab of the PVC Advanced Settings dialog box to define:
• The number of loopback cell responses that move the PVC to the down or up
state.
• The number of alarm indication signal/remote defect indication (AIS/RDI)
cells that move the PVC to the down or up state.
• The number and frequency of segment/end continuity check (CC) activation
and deactivation requests that are sent on this PVC.
For more information, see Defining OAM Management on ATM PVCs,
page 15-56.
User Guide for Cisco Security Manager 3.2
K-70
OL-16066-01
Appendix K Router Platform User Interface Reference
Note The settings defined in this tab are dependent on the settings defined in the
OAM-PVC tab. See PVC Advanced Settings Dialog Box—OAM-PVC Tab,
page K-73.
Navigation Path
Go to the PVC Advanced Settings Dialog Box, page K-69, then click the OAM
tab.
Related Topics
• PVC Dialog Box, page K-56
Field Reference
Table K-31 PVC Advanced Settings Dialog Box—OAM Tab
Element Description
Retry settings
Enable OAM Retry When selected, OAM management settings can be defined.
When deselected, OAM management settings cannot be defined.
PVC Policy Page
Note If Enable OAM Management is deselected in the OAM-PVC tab,
these settings are saved in the device configuration but are not
applied.
Down Count The number of consecutive, unreceived, end-to-end loopback cell responses
that cause the PVC to move to the down state. The default is 3.
Up Count The number of consecutive end-to-end loopback cell responses that must be
received in order to move the PVC to the up state. The default is 5.
Retry Frequency The interval between loopback cell verification transmissions in seconds.
The default is 1 second.
If a PVC is up and a loopback cell response is not received within the
specified interval (as defined in the Frequency field of the PVC-OAM tab),
loopback cells are transmitted at the frequency defined here to verify
whether the PVC is down. If the number of consecutive cells that do not
receive a response matches the defined down count, the PVC is moved to the
down state.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-71
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-31 PVC Advanced Settings Dialog Box—OAM Tab (Continued)
AIS-RDI settings
Enable AIS-RDI
Detection
Down Count The number of consecutive AIS/RDI cells that cause the PVC to go down.
Up Count The number of seconds after which a PVC is brought up if no AIS/RDI cells
Segment Continuity Check settings
Enable Segment
Continuity Check
When selected, alarm indication signal (AIS) cells and remote defect
indication (RDI) cells are used to report connectivity failures at the ATM
layer of the PVC.
When deselected, AIS/RDI cells are disabled.
AIS cells notify downstream devices of the connectivity failure. The last
ATM switch then generates RDI cells in the upstream direction towards the
device that sent the original failure notification.
Valid values range from 1 to 60. The default is 1.
are received. Valid values range from 3 to 60 seconds. The default is 3.
When selected, OAM F5 continuity check (CC) activation and deactivation
requests are sent to a device at the other end of a segment.
When deselected, segment CC activation and deactivation requests are
disabled.
Note If Configure Continuity Check is deselected in the OAM-PVC tab,
these settings are saved in the device configuration but are not
applied.
Activation Count The maximum number of times that the activation request is sent before the
receipt of an acknowledgement. Valid values range from 3 to 600. The
default is 3.
Deactivation Count The maximum number of times that the deactivation request is sent before
the receipt of an acknowledgement. Valid values range from 3 to 600. The
default is 3.
Retry Frequency The interval between activation/deactivation retries, in seconds. The default
is 30 seconds.
User Guide for Cisco Security Manager 3.2
K-72
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-31 PVC Advanced Settings Dialog Box—OAM Tab (Continued)
End-to-End Continuity Check settings
Enable End-to-End
Continuity Check
Activation Count The maximum number of times that the activation request is sent before the
Deactivation Count The maximum number of times that the deactivation request is sent before
Retry Frequency The interval between activation/deactivation retries, in seconds. The default
When selected, OAM F5 continuity check (CC) activation and deactivation
requests are sent to a device at the other end of the PVC.
When deselected, segment CC activation and deactivation requests are
disabled.
Note If Configure Continuity Check is deselected in the OAM-PVC tab,
these settings are saved in the device configuration but are not
applied.
receipt of an acknowledgement. Valid values range from 3 to 600. The
default is 3.
the receipt of an acknowledgement. Valid values range from 3 to 600. The
default is 3.
is 30 seconds.
PVC Advanced Settings Dialog Box—OAM-PVC Tab
Use the OAM-PVC tab of the PVC Advanced Settings dialog box to enable
loopback cells and connectivity checks (CCs) on the PVC. These functions test
the connectivity of the virtual connection.
For more information, see Defining OAM Management on ATM PVCs,
page 15-56.
Note Use the OAM tab to define additional settings related to the settings on this tab.
See PVC Advanced Settings Dialog Box—OAM Tab, page K-70.
Navigation Path
Go to the PVC Advanced Settings Dialog Box, page K-69, then click the
OAM-PVC tab.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-73
Appendix K Router Platform User Interface Reference
PVC Policy Page
Related Topics
• PVC Dialog Box, page K-56
Field Reference
Table K-32 PVC Advanced Settings Dialog Box—OAM-PVC Tab
Element Description
OAM settings
Enable OAM
Management
Frequency The interval between loopback cell transmissions. Valid values range from 0
Segment Continuity Check settings
Segment Continuity
Check
When selected, OAM loopback cell generation and OAM management are
enabled on the PVC.
When deselected, OAM loopback cells and OAM management are disabled.
However, continuity checks can still be performed.
to 600 seconds.
The current configuration of OAM F5 continuity checks performed on PVC
segments:
• None—Segment continuity checks (CC) are disabled.
• Deny Activation Requests—The PVC rejects activation requests from
peer devices, which prevents OAM F5 CC management from being
activated on the PVC.
K-74
• Configure Continuity Check—Segment CCs are enabled on the PVC.
The router on which CC management is configured sends a CC
activation request to the router at the other end of the segment, directing
it to act as either a source or a sink.
Segment CCs occur on a PVC segment between the router and a first-hop
ATM swi tc h.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-32 PVC Advanced Settings Dialog Box—OAM-PVC Tab (Continued)
Direction Applies only when CC management is enabled.
The direction in which CC cells are transmitted:
• both—CC cells are transmitted in both directions.
• sink—CC cells are transmitted toward the router that initiated the CC
activation request.
• source—CC cells are transmitted away from the router that initiated the
CC activation request.
Keep VC up after
segment failure
Keep VC up after
end-to-end failure
End-to-End Continuity Check settings
End-to-End Continuity
Check
When selected, the PVC is kept in the up state when CC cells detect
connectivity failure.
When deselected, the PVC is brought down when CC cells detect
connectivity failure.
When selected, specifies that if AIS/RDI cells are received, the PVC is not
brought down because of end CC failure or loopback failure.
When deselected, the PVC is brought down because of end CC failure or
loopback failure.
The current configuration of OAM F5 end-to-end continuity checks on the
PVC:
PVC Policy Page
OL-16066-01
• None—End-to-end continuity checks (CC) are disabled.
• Deny Activation Requests—The PVC rejects activation requests from
peer devices, which prevents OAM F5 CC management from being
activated on the PVC.
• Configure Continuity Check—End-to-end CCs are enabled on the PVC.
The router on which CC management is configured sends a CC
activation request to the router at the other end of the connection,
directing it to act as either a source or a sink.
End-to-end CC monitoring is performed on the entire PVC between two
ATM end stations.
User Guide for Cisco Security Manager 3.2
K-75
Appendix K Router Platform User Interface Reference
PPP/MLP Policy Page
Table K-32 PVC Advanced Settings Dialog Box—OAM-PVC Tab (Continued)
Direction Applies only when CC management is enabled.
The direction in which CC cells are transmitted:
• both—CC cells are transmitted in both directions.
• sink—CC cells are transmitted toward the router that initiated the CC
activation request.
• source—CC cells are transmitted away from the router that initiated the
CC activation request.
Keep VC up after
end-to-end failure
Keep VC up after
segment failure
When selected, the PVC is kept in the up state when CC cells detect
connectivity failure.
When deselected, the PVC is brought down when CC cells detect
connectivity failure.
When selected, specifies that if AIS/RDI cells are received, the PVC is not
brought down because of a segment CC failure.
When deselected, the PVC is brought down because of a segment CC failure.
PPP/MLP Policy Page
Use the PPP/MLP page to create, edit, and delete PPP connections on the router.
For more information, see Defining PPP Connections, page 15-61.
Navigation Path
• (Device view) Select Interfaces > Settings > PPP/MLP from the Policy
selector.
• (Policy view) Select Router Interfaces > Settings > PPP/MLP from the
Policy Type selector. Right-click PPP/MLP to create a policy, or select an
existing policy from the Shared Policies selector.
Related Topics
• PPP on Cisco IOS Routers, page 15-58
• Chapter K, “Router Platform User Interface Reference”
User Guide for Cisco Security Manager 3.2
K-76
OL-16066-01
Appendix K Router Platform User Interface Reference
PPP/MLP Policy Page
Field Reference
Table K-33 PPP/MLP Page
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface The interface that is configured for PPP/MLP.
Authentication The types of authentication used on the PPP connection.
Authorization The method list used for AAA authorization on the PPP connection.
Multilink Indicates whether Multilink PPP (MLP) is enabled on this PPP connection.
Endpoint The type of default endpoint discriminator to use when negotiating the use
of MLP with the peer.
Multiclass Indicates whether the Multiclass Multilink PPP (MCMP) feature is enabled
on this PPP connection.
Group The number of the multilink-group interface to which the physical link is
restricted.
Interleave Indicates whether the PPP multilink interleave feature is enabled on this PPP
connection.
Add button Opens the PPP Dialog Box, page K-78. From here you can define the
authentication and multilink settings for the PPP connection.
Edit button Opens the PPP Dialog Box, page K-78. From here you can edit the selected
PPP connection.
Delete button Deletes the selected PPP connection from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
OL-16066-01
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
User Guide for Cisco Security Manager 3.2
K-77
PPP/MLP Policy Page
PPP Dialog Box
Use the PPP dialog box to configure PPP connections on the router. When you
configure a PPP connection, you can define the type of authentication and
authorization to perform and define multilink parameters.
Navigation Path
Go to the PPP/MLP Policy Page, page K-76, then click the Add or Edit button
beneath the table.
Related Topics
• Defining PPP Connections, page 15-61
Appendix K Router Platform User Interface Reference
K-78
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
PPP/MLP Policy Page
Field Reference
Table K-34 PPP Dialog Box
Element Description
Interface The interface on which PPP encapsulation is enabled. Enter the name of an
interface or interface role, or click Select to display an Object Selectors,
page F-593.
The following interface types support PPP:
• Async
• Group-Async
• Serial
• High-Speed Serial Interface (HSSI)
• Dialer
• BRI, PRI (ISDN)
• Virtual template
• Multilink
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
You cannot define PPP on:
• Subinterfaces.
• Serial interfaces with Frame Relay encapsulation.
• Virtual template interfaces defined as Ethernet or tunnel types (serial is
supported).
Note You can define only one PPP connection per interface.
Note Deployment might fail if you define PPP on a virtual template that is
also used in an 802.1x policy. See 802.1x Policy Page, page K-179.
PPP tab Defines the type of authentication and authorization to perform on the PPP
connection. See PPP Dialog Box—PPP Tab, page K-80.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-79
Appendix K Router Platform User Interface Reference
PPP/MLP Policy Page
Table K-34 PPP Dialog Box (Continued)
MLP tab Defines how to split and recombine sequential datagrams across multiple
logical data links using Multilink PPP (MLP). See PPP Dialog Box—MLP
Tab, page K-84.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
PPP Dialog Box—PPP Tab
Use the PPP tab of the PPP dialog box to define the types of authentication and
authorization to perform on the PPP connection.
Navigation Path
Go to the PPP Dialog Box, page K-78, then click the PPP tab.
Related Topics
• PPP Dialog Box—MLP Tab, page K-84
Field Reference
Table K-35 PPP Dialog Box—PPP Tab
Element Description
Authentication settings
PPP Encapsulation When selected, indicates that PPP encapsulation is enabled for the selected
interface. This field is read-only.
User Guide for Cisco Security Manager 3.2
K-80
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-35 PPP Dialog Box—PPP Tab (Continued)
Protocol The authentication protocols to use:
• CHAP—Challenge-Handshake Authentication Protocol.
• PAP—Password Authentication Protocol.
• MS-CHAP—Version 1 of the Microsoft version of CHAP (RFC 2433).
• MS-CHAP-2—Version 2 of the Microsoft version of CHAP (RFC
2759).
• EAP—Extensible Authentication Protocol.
You may select one or more authentication protocols, as required.
Options The authentication options to use:
• Call In—When selected, authentication is performed on incoming calls.
• Call Out—When selected, authentication is performed on outgoing
calls.
• Call Back—When selected, authentication is performed on callback.
• One Time—When selected, one-time passwords are used for
authentication. One-time passwords are considered highly secure since
each one is used only once. When deselected, one-time passwords are
not used.
Note AAA authentication must be enabled in order to use one-time
passwords. See AAA Policy Page, page K-87. One-time passwords
cannot be used with CHAP.
PPP/MLP Policy Page
OL-16066-01
• Optional—When selected, allows a mobile station in a Packet Data
Serving Node (PDSN) configuration to receive Simple IP and Mobile IP
services without using CHAP or PAP.
When deselected, mobile stations must use CHAP or PAP to receive Simple
IP and Mobile IP services.
User Guide for Cisco Security Manager 3.2
K-81
Appendix K Router Platform User Interface Reference
PPP/MLP Policy Page
Table K-35 PPP Dialog Box—PPP Tab (Continued)
Authenticate Using AAA authentication settings for the PPP connection:
• PPP Default List—Defines a default list of methods to be queried when
authenticating a user for PPP. Enter the names of one or more AAA
server group objects (up to four) in the Prioritized Method List field, or
click Select to display an Object Selectors, page F-593. Use the up and
down arrows in the object selector to define the order in which the
selected server groups should be used.
The device tries initially to authenticate users using the first method in the
list. If that method fails to respond, the device tries the next method, and so
on, until a response is received.
Tip After you create the default list for one PPP connection, you can use
it for other PPP connections on this device.
If the AAA server group you want is not listed, click the Create button in the
selector to display the AAA Server Group Dialog Box, page F-12. From here
you can define a AAA server group object.
• Prioritized Method List—Defines a sequential list of methods to be
queried when authenticating a user for this PPP connection only.
Note Leave this field blank to perform authentication using the local
database on the router.
PAP Authentication settings
Username The username to send in PAP authentication requests. The username is case
sensitive.
Password The password to send in PAP authentication requests. Enter the password
again in the Confirm field. The password can contain 1 to 25 uppercase or
lowercase alphanumeric characters. The password is case sensitive.
The username and password are sent if the peer requests the router to
authenticate itself using PAP.
Encrypted Password When selected, this indicates that the password you entered is already
encrypted.
When deselected, this indicates that the password you entered is in clear text.
User Guide for Cisco Security Manager 3.2
K-82
OL-16066-01
Appendix K Router Platform User Interface Reference
PPP/MLP Policy Page
Table K-35 PPP Dialog Box—PPP Tab (Continued)
CHAP Authentication settings
Hostname By default, the router uses its hostname to identify itself to the peer. If
required, you can enter a different hostname to use for all CHAP challenges
and responses. For example, use this field to specify a common alias for all
routers in a rotary group.
Secret The secret used to compute the response value for any CHAP challenge from
an unknown peer. Enter the secret again in the Confirm field.
Encrypted Secret When selected, this indicates that the password you entered is already
encrypted. When deselected, this indicates that the password you entered is
in clear text.
Authorization settings
Authorize Using AAA authorization settings for the PPP connection:
• AAA Policy Default List—Uses the default authorization method list
that is defined in the device’s AAA policy. See AAA Policy Page,
page K-87.
• Prioritized Method List—Defines a sequential list of methods to be
queried when authorizing a user. Enter the names of one or more AAA
server group objects (up to four), or click Select to display an Object
Selectors, page F-593. Use the tranverse arrows in the AAA Sever
Groups Selector to select server groups and then the up and down arrows
to define the order in which selected server groups should be used.
Note The device tries initially to authorize users using the first method in
the list. If that method fails to respond, the device tries the next
method, and so on, until a response is received.
OL-16066-01
If the AAA server group you want is not listed, you can click the Create
button in the selector to display the AAA Server Group Dialog Box,
page F-12. From here you can define a AAA server group object.
Note Leave this field blank to perform authorization using the local
database on the router.
User Guide for Cisco Security Manager 3.2
K-83
PPP/MLP Policy Page
PPP Dialog Box—MLP Tab
Use the MLP tab of the PPP dialog box to define Multilink PPP (MLP) parameters
for the selected PPP connection.
Navigation Path
Go to the PPP Dialog Box, page K-78, then click the MLP tab.
Related Topics
• PPP Dialog Box—PPP Tab, page K-80
Field Reference
Table K-36 PPP Dialog Box—MLP Tab
Element Description
Enable Multilink PPP
(MLP)
Allow Multiple Data
Classes
Enable Interleaving of
Packets Among
Fragments of Larger
Packets
When selected, MLP is enabled on this PPP connection.
When deselected, MLP is disabled.
When selected, enables multiple data classes on the MLP bundle.
Delay-sensitive traffic is placed into Class 1, where it can be interleaved but
never fragmented. Normal data traffic is placed into Class 0, which is subject
to fragmentation just as regular multilink packets are.
When deselected, all traffic is subject to fragmentation.
When selected, enables the interleaving of packets among the fragments of
larger packets on the MLP bundle.
Note If you enable interleaving without defining a fragment delay, the
default delay of 30 seconds is configured. This value does not appear
in Security Manager or in the device configuration.
Appendix K Router Platform User Interface Reference
K-84
When deselected, interleaving is disabled.
Note Serial interfaces do not support interleaving.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
PPP/MLP Policy Page
Table K-36 PPP Dialog Box—MLP Tab (Continued)
Multilink Group Applies only to serial, Group-Async, and multilink interfaces.
Restricts the physical link to the selected multilink-group interface. Enter the
name of a multilink interface or interface role, or click Select to display an
Object Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
This option is typically used in static leased-line environments, where the
remote systems to which the device’s serial lines are connected are known in
advance.
In effect, this option dedicates a specific interfaces to a particular user, even
when that user is not connected. If a peer at the other end of the link tries to
join a different bundle, the connected is severed.
Maximum Fragment
Delay
The maximum amount of time that should be required to transmit a fragment
on the MLP bundle. Valid values range from 1 to 1000 milliseconds.
Fragment size is determined by the defined fragment delay and the
bandwidth of the links.
Note Serial interfaces do not support this feature.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-85
Appendix K Router Platform User Interface Reference
PPP/MLP Policy Page
Table K-36 PPP Dialog Box—MLP Tab (Continued)
Endpoint Type The identifier used by the router when transmitting packets on the MLP
bundle:
• [null]—Negotiation is conducted without using an endpoint
discriminator. (No CLI command is generated.)
• Hostname—The hostname of the router. This option is useful when
multiple routers are using the same username to authenticate but have
different hostnames.
• IP—A defined IP address. Enter an address or the name of a
network/host object, or click Select to display an Object Selectors,
page F-593.
• MAC—The MAC address of a specific interface. Enter the name of an
interface or interface role, or click Select to display an Object Selectors,
page F-593.
• None—Negotiation is conducted without using an endpoint
discriminator. (The relevant CLI command is generated, but no endpoint
discriminator is provided.) This option is useful when the router is
connected to a malfunctioning peer that does not handle the endpoint
discriminator properly.
• Phone—An E.164-compliant telephone number. Enter the number in the
field displayed.
• String—A character string. Enter the string in the field displayed.
The default endpoint discriminator is either the globally configured
hostname, or the PAP username or CHAP hostname (depending on the
authentication protocol being used), if you have configured those values on
the PPP tab.
MRRU Local Peer The maximum receive reconstructed unit (MRRU) value of the local peer.
This value represents the maximum size packet that the local router is
capable of receiving.
Valid values range from 128 to 16384 bytes. The default is the maximum
transmission unit (MTU) of the multilink group interface and 1524 bytes for
all other interfaces.
User Guide for Cisco Security Manager 3.2
K-86
OL-16066-01
Appendix K Router Platform User Interface Reference
AAA Policy Page
Table K-36 PPP Dialog Box—MLP Tab (Continued)
MRRU Remote Peer The maximum receive reconstructed unit (MRRU) value of the remote peer.
This value represents the maximum size packet that the remote peer is
capable of receiving.
Valid values range from 128 to 16384 bytes. The default is 1524 bytes.
Maximum FIFO Queue
Size
Maximum QoS Queue
Size
The maximum queue depth when the bundle uses first-in, first-out (FIFO)
queuing. Valid values range from 2 to 255 packets. The default is 8.
The maximum queue depth when the bundle uses non-FIFO queuing. Valid
values range from 2 to 255 packets. The default is 2.
AAA Policy Page
Use the AAA page to define the default authentication, authorization, and
accounting methods to use on the router. You do this by configuring method lists,
which define which methods to use and the sequence in which to use them.
OL-16066-01
Note You can use the method lists defined in this policy as default settings when you
configure AAA on the router’s console port and VTY lines. See Console Policy
Page, page K-117 and VTY Policy Page, page K-129.
Navigation Path
• (Device view) Select Platform > Device Admin > AAA from the Policy
selector.
• (Policy view) Select Router Platform > Device Admin > AAA from the
Policy Type selector. Right-click AAA to create a policy, or select an existing
policy from the Shared Policy selector.
Related Topics
• AAA on Cisco IOS Routers, page 15-66
• Understanding AAA Server Objects, page 9-22
• Understanding AAA Server Group Objects, page 9-15
• Console Policy Page, page K-117
User Guide for Cisco Security Manager 3.2
K-87
Appendix K Router Platform User Interface Reference
AAA Policy Page
• VTY Policy Page, page K-129
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-37 AAA Page
Element Description
Authentication tab Defines the login authentication methods to use and the sequence in which
to use them. See AAA Page—Authentication Tab, page K-88.
Authorization tab Defines the types of network, EXEC, and command authorization to perform
and the methods to use for each type. See AAA Page—Authorization Tab,
page K-90.
Accounting tab Defines types of connection, EXEC, and command accounting to perform
and the methods to use for each type. See AAA Page—Accounting Tab,
page K-93.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
AAA Page—Authentication Tab
Use the Authentication tab of the AAA page to define the methods used to
authenticate users who access the device. Authentication methods are defined in
a method list, which define the security protocols to use, such as RADIUS and
TAC AC S+ .
Note You can use the method list defined in this policy on the console and VTY lines
that are used to communicate with the device. See Console Policy Page,
page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Authentication tab.
Related Topics
• Defining AAA Services, page 15-70
User Guide for Cisco Security Manager 3.2
K-88
OL-16066-01
Appendix K Router Platform User Interface Reference
AAA Policy Page
• Understanding Method Lists, page 15-69
• AAA Server Group Dialog Box, page F-12
• Predefined AAA Authentication Server Groups, page 9-15
Field Reference
Table K-38 AAA Page—Authentication Tab
Element Description
Enable Device Login
Authentication
Prioritized Method List Defines a sequential list of methods to be queried when authenticating a user.
When selected, enables the authentication of all users when they log in to the
device, using the methods defined in the method list.
When deselected, authentication is not performed.
Enter the names of one or more AAA server group objects (up to four), or
click Select to display an Object Selectors, page F-593. Use the up and down
arrows in the object selector to define the order in which the selected server
groups should be used.
The device tries initially to authenticate users using the first method in the
list. If that method fails to respond, the device tries the next method, and so
on, until a response is received.
Supported methods include Line, Local, Kerberos, RADIUS, TACACS+,
and None.
Maximum Number of
Attempts
OL-16066-01
Note If you select None as a method, it must appear as the last method in
the list.
The maximum number of unsuccessful authentication attempts before a user
is locked out. This feature is disabled by default. Valid values range from 1
to 65535.
Note From the standpoint of the user, there is no distinction between a
normal authentication failure and an authentication failure due to
being locked out. The system administrator has to explicitly clear the
status of a locked-out user using clear commands.
User Guide for Cisco Security Manager 3.2
K-89
AAA Policy Page
AAA Page—Authorization Tab
Use the Authorization tab of the AAA page to define the type of authorization
services to enable on the device and the methods to use for each type. Security
Manager supports the following types of authorization:
• Network—Authorizes various types of network connections, such as PPP.
• EXEC—Authorizes the launching of EXEC sessions.
• Command—Authorizes the use of all EXEC mode commands that are
associated with specific privilege levels.
Note You can use the method lists defined in this policy on the console and
VTY lines that are used to communicate with the device. See Console
Policy Page, page K-117 and VTY Line Dialog Box—Authentication
Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Authorization tab.
Appendix K Router Platform User Interface Reference
Related Topics
• Defining AAA Services, page 15-70
• Supported Authorization Types, page 15-67
• Understanding Method Lists, page 15-69
• AAA Server Group Dialog Box, page F-12
Field Reference
Table K-39 AAA Page—Authorization Tab
Element Description
Network Authorization settings
Enable Network
Authorization
When selected, enables the authorization of network connections, such as
PPP, SLIP, or ARAP connections, using the methods defined in the method
list.
When deselected, network authorization is not performed.
User Guide for Cisco Security Manager 3.2
K-90
OL-16066-01
Appendix K Router Platform User Interface Reference
AAA Policy Page
Table K-39 AAA Page—Authorization Tab (Continued)
Prioritized Method List Defines a sequential list of methods to be queried when authorizing a user.
Enter the names of one or more AAA server group objects (up to four), or
click Select to display an Object Selectors, page F-593. Use the up and down
arrows in the object selector to define the order in which the selected server
groups should be used.
The device tries initially to authorize users using the first method in the list.
If that method fails to respond, the device tries the next method, and so on,
until a response is received.
Supported methods include RADIUS, TACACS+, Local, and None.
Note RADIUS uses the same server for authentication and authorization.
Therefore, if you use define a RADIUS method list for
authentication, you must define the same method list for
authorization.
Note If you select None as a method, it must appear as the last method in
the list.
EXEC Authorization settings
Enable CLI/EXEC
Operations
Authorization
Prioritized Method List Defines a sequential list of methods to be queried when authorizing a user.
Command Authorization settings
Filter Enables you to filter the information displayed in the table. For more
Privilege Level The privilege level to which the command authorization definition applies.
Prioritized Method List The method list to use when authorizing users with this privilege level.
When selected, this type of authorization determines whether the user is
permitted to open an EXEC (CLI) session, using the methods defined in the
method list.
When deselected, EXEC authorization is not performed.
Enter the names of one or more AAA server group objects (up to four), or
click Select to display an Object Selectors, page F-593. Use the up and down
arrows in the object selector to define the order in which the selected server
groups should be used.
The device tries initially to authorize users using the first method in the list.
If that method fails to respond, the device tries the next method, and so on,
until a response is received.
information, see Filtering Tables, page 3-24.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-91
Appendix K Router Platform User Interface Reference
AAA Policy Page
Table K-39 AAA Page—Authorization Tab (Continued)
Add button Opens the Command Authorization Dialog Box, page K-92. From here you
can configure a command authorization definition.
Edit button Opens the Command Authorization Dialog Box, page K-92. From here you
can edit the command authorization definition.
Delete button Deletes the selected command authorization definitions from the table.
Command Authorization Dialog Box
Use the Command Authorization dialog box to define which methods to use when
authorizing the EXEC commands that are associated with a given privilege level.
This enables you to authorize all commands associated with a specific privilege
level, from 0 to 15.
Navigation Path
From the AAA Page—Authorization Tab, page K-90, click the Add button
beneath the Command Authorization table.
Related Topics
• Defining AAA Services, page 15-70
• Supported Authorization Types, page 15-67
• Understanding Method Lists, page 15-69
Field Reference
Table K-40 Command Authorization Dialog Box
Element Description
Privilege Level The privilege level for which you want to define a command accounting list.
Valid values range from 0 to 15.
User Guide for Cisco Security Manager 3.2
K-92
OL-16066-01
Appendix K Router Platform User Interface Reference
AAA Policy Page
Table K-40 Command Authorization Dialog Box (Continued)
Prioritized Method List Defines a sequential list of methods to be used when authorizing a user. Enter
the names of one or more AAA server group objects (up to four), or click
Select to display an Object Selectors, page F-593. Use the up and down
arrows in the object selector to define the order in which the selected server
groups should be used.
The device tries initially to authorize users using the first method in the list.
If that method fails to respond, the device tries the next method, and so on,
until a response is received.
If the AAA server group you want is not listed, click the Create button in the
selector to display the AAA Server Group Dialog Box, page F-12. From here
you can define a AAA server group object.
Supported methods include TACACS+, Local, and None.
Note If you select None as a method, it must appear as the last method in
the list.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
AAA Page—Accounting Tab
Use the Accounting tab of the AAA page to define the type of accounting services
to enable on the device and the methods to use for each type. Security Manager
supports the following types of accounting:
• Connection—Records information about all outbound connections made
from this device.
• EXEC—Records information about user EXEC sessions on the devices,
including the username, date, start and stop times, and the IP address.
• Command—Records information about the EXEC commands executed on
the device by users with specific privilege levels.
In addition, you use the Accounting page to determine when accounting records
should be generated and whether they should be broadcast to more than one AAA
server.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-93
AAA Policy Page
Note You can use the method lists defined in this policy on the console and VTY lines
that are used to communicate with the device. See Console Policy Page,
page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Accounting tab.
Related Topics
• Defining AAA Services, page 15-70
• Supported Accounting Types, page 15-67
• Understanding Method Lists, page 15-69
• AAA Server Group Dialog Box, page F-12
Field Reference
Table K-41 AAA Page—Accounting Tab
Appendix K Router Platform User Interface Reference
Element Description
Connection Accounting settings
Enable Connection
Accounting
When selected, enables the recording of information about outbound
connections (such as Telnet) made over this device, using the methods
defined in the method list.
When deselected, connection accounting is not performed.
Generate Accounting
Records for
Defines when the device sends an accounting notice to the accounting server:
• Start and Stop—Generates accounting records at the beginning and the
end of the user process. The user process begins regardless of whether
the accounting server receives the “start” accounting record.
• Stop Only—Generates an accounting record at the end of the user
process only.
• None—Disables this type of accounting.
User Guide for Cisco Security Manager 3.2
K-94
OL-16066-01
Appendix K Router Platform User Interface Reference
AAA Policy Page
Table K-41 AAA Page—Accounting Tab (Continued)
Prioritized Method List Defines a sequential list of methods to be queried when creating connection
accounting records for a user. Enter the names of one or more AAA server
group objects (up to four), or click Select to display an Object Selectors,
page F-593. Use the up and down arrows in the object selector to define the
order in which the selected server groups should be used.
Supported methods include RADIUS and TACACS+.
Enable Broadcast to
Multiple Servers
EXEC Accounting Settings
Enable CLI/EXEC
Operations Accounting
Generate Accounting
Records for
Prioritized Method List Defines a sequential list of methods to be queried when creating connection
Enable Broadcast to
Multiple Servers
Command Accounting settings
Filter Enables you to filter the information displayed in the table. For more
Privilege Level The privilege level to which the command authorization definition applies.
When selected, enables the sending of accounting records to multiple AAA
servers. Accounting records are sent simultaneously to the first server in
each AAA server group defined in the method list. If the first server is
unavailable, failover occurs using the backup servers defined within that
group.
When deselected, accounting records are sent only to the first server in the
first AAA server group defined in the method list.
When selected, enables the recording of basic information about user EXEC
sessions, using the methods defined in the method list.
When deselected, EXEC accounting is not performed.
See description Table N-91 on page N-131.
accounting records for a user. Enter the names of one or more AAA server
group objects (up to four), or click Select to display an Object Selectors,
page F-593. Use the up and down arrows in the object selector to define the
order in which the selected server groups should be used.
When selected, enables the sending of accounting records to multiple AAA
servers. Accounting records are sent simultaneously to the first server in
each AAA server group defined in the method list. If the first server is
unavailable, failover occurs using the backup servers defined within that
group.
information, see Filtering Tables, page 3-24.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-95
AAA Policy Page
Table K-41 AAA Page—Accounting Tab (Continued)
Appendix K Router Platform User Interface Reference
Generate Accounting
Records for
The points in the process where the device sends an accounting notice to the
accounting server.
Enable Broadcast Whether accounting records are broadcast to multiple servers
simultaneously.
Prioritized Method List The method list to use when authorizing users with this privilege level.
Add button Opens the Command Accounting Dialog Box, page K-96. From here you can
configure a command accounting definition.
Edit button Opens the Command Accounting Dialog Box, page K-96. From here you can
edit the command accounting definition.
Delete button Deletes the selected command accounting definitions from the table.
Command Accounting Dialog Box
Use the Command Accounting dialog box to define which methods to use when
recording information about the EXEC commands that are executed for a given
privilege level. Each accounting record includes a list of the commands executed
for that privilege level, as well as the date and time each command was executed,
and the name of the user who executed it.
Navigation Path
From the AAA Page—Accounting Tab, page K-93, click the Add button beneath
the Command Accounting table.
K-96
Related Topics
• Defining AAA Services, page 15-70
• Supported Accounting Types, page 15-67
• Understanding Method Lists, page 15-69
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
AAA Policy Page
Field Reference
Table K-42 Command Accounting Dialog Box
Element Description
Privilege Level The privilege level for which you want to define a command accounting list.
Valid values range from 0 to 15.
Generate Accounting
Records for
Prioritized Method List Defines a sequential list of methods to be used when creating accounting
Defines when the device sends an accounting notice to the accounting server:
• Start and Stop—Generates accounting records at the beginning and the
end of the user process. The user process begins regardless of whether
the accounting server receives the “start” accounting record.
• Stop Only—Generates an accounting record at the end of the user
process only.
• None—No accounting records are generated.
records for a user. Enter the names of one or more AAA server group objects
(up to four), or click Select to display an Object Selectors, page F-593. Use
the up and down arrows in the object selector to define the order in which the
selected server groups should be used.
The device tries initially to perform accounting using the first method in the
list. If that method fails to respond, the device tries the next method, and so
on, until a response is received.
Enable Broadcast to
Multiple Servers
OL-16066-01
If the AAA server group you want is not listed, click the Create button in the
selector to display the AAA Server Group Dialog Box, page F-12. From here
you can define a AAA server group object.
TACACS+ is the only supported method, but you can select multiple AAA
server groups configured with TACACS+.
Note If you select None as a method, it must appear as the last method in
the list.
When selected, enables the sending of accounting records to multiple AAA
servers. Accounting records are sent simultaneously to the first server in
each AAA server group defined in the method list. If the first server is
unavailable, failover occurs using the backup servers defined within that
group.
When deselected, accounting records are sent only to the first server in the
first AAA server group defined in the method list.
User Guide for Cisco Security Manager 3.2
K-97
Appendix K Router Platform User Interface Reference
Accounts and Credential s Policy Page
Table K-42 Command Accounting Dialog Box (Continued)
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Accounts and Credential s Policy Page
Use the Accounts and Credentials page to define the enable password or enable
secret password assigned to the router. In addition, you can define a list of
usernames that can be used to access the router.
For more information, see Defining Accounts and Credential Policies,
page 15-73.
Navigation Path
• (Device view) Select Platform > Device Admin > Accounts and
Credentials from the Policy selector.
• (Policy view) Select Router Platform > Device Admin > Accounts and
Credentials from the Policy Type selector. Right-click Accounts and
Credentials to create a policy, or select an existing policy from the Shared
Policy selector.
K-98
Related Topics
• User Accounts and Device Credentials on Cisco IOS Routers, page 15-72
• Chapter K, “Router Platform User Interface Reference”
• User Account Dialog Box, page K-100
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Accounts and Credential s Policy Page
Field Reference
Table K-43 Accounts and Credentials Page
Element Description
Enable Secret Password The enable secret password for entering privileged EXEC mode on the
router. This option offers better security than the Enable Password option.
The enable secret password can contain between 1-25 alphanumeric
characters. The first character must be a letter. Spaces are allowed, but
leading spaces are ignored. Question marks are also allowed.
Note You can discover an encrypted password, but any password you enter
must be in clear text. If you modify an encrypted password, it is
saved as clear text.
Note After you set an enable secret password, you can switch to an enable
password only if the enable secret is disabled or an older version of
Cisco IOS software is being used, such as when running an older
rxboot image.
Enable Password The enable password for entering privileged EXEC mode on the router.
The enable password can contain between 1-25 alphanumeric characters.
The first character must be a letter. Spaces are allowed, but leading spaces
are ignored. Question marks are also allowed.
Note You must enter the password in clear text.
Enable Password
Encryption Service
When selected, encrypts all passwords on the device, including the enable
password (which is otherwise saved in clear text).
For example, use this option to encrypt username passwords, authentication
key passwords, console and VTY line access passwords, and BGP neighbor
passwords. This command is primarily used for keeping unauthorized
individuals from viewing your passwords in your configuration file.
When deselected, device passwords are stored unencrypted in the
configuration file.
Note This option does not provide a high level of network security. You
should also take additional network security measures.
User Accounts Table
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-99
Appendix K Router Platform User Interface Reference
Accounts and Credential s Policy Page
Table K-43 Accounts and Credentials Page (Continued)
Username The username that can be used to access the router. The username must be a
single word up to 64 characters in length. Spaces and quotation marks are
not allowed.
Encryption Indicates whether password information for the user is encrypted using MD5
encryption.
Privilege Level The privilege level assigned to the user.
Add button Opens the User Account Dialog Box, page K-100. From here you can define
a user account.
Edit button Opens the User Account Dialog Box, page K-100. From here you can edit
the selected user.
Delete button Deletes the selected user accounts from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
User Account Dialog Box
Employ the User Account dialog box to define a username and password
combination that can be used by Security Manager to access the router. You can
also define the privilege level of the user account, which determines whether you
can configure all commands on this router or only a subset of them.
Note Remember—there may be additional user accounts defined on the router using
other methods, such as the CLI.
User Guide for Cisco Security Manager 3.2
K-100
OL-16066-01
Loading...