The main pages available in Cisco Security Manager for configuring and
managing platform-specific policies on Cisco IOS routers are discussed in the
following topics:
NAT policies:
• NAT Policy Page, page K-3
Interface policies:
• Router Interfaces Page, page K-17
• Never Block Networks Dialog Box, page N-132
• AIM-IPS Interface Settings Page, page K-34
• Dialer Policy Page, page K-36
• ADSL Policy Page, page K-42
• SHDSL Policy Page, page K-47
• PVC Policy Page, page K-54
• PPP/MLP Policy Page, page K-76
Device Admin policies:
• AAA Policy Page, page K-87
• Accounts and Credentials Policy Page, page K-98
• Bridging Policy Page, page K-102
• Clock Policy Page, page K-104
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
• Network Admission Control Policy Page, page K-183
Logging policies:
• Logging Setup Policy Page, page K-192
• Syslog Servers Policy Page, page K-197
Quality of Service policies:
• Quality of Service Policy Page, page K-199
Routing policies:
• BGP Routing Policy Page, page K-219
• EIGRP Routing Policy Page, page K-226
• OSPF Interface Policy Page, page K-236
• OSPF Process Policy Page, page K-243
• RIP Routing Policy Page, page K-255
• Static Routing Policy Page, page K-263
Tip: Use the Policy Management page in the Security Manager Administration window to control which router platform policy pages are available in Security Manager. For more information, see Policy Management Page, page A-40.
NAT Policy Page
You can configure NAT policies on a Cisco IOS router from the following tabs on
the NAT policy page:
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
Network Address Translation (NAT) converts private, internal LAN addresses
into globally routable IP addresses. NAT enables a small number of public IP
addresses to provide global connectivity for a large number of hosts.
For more information, see NAT on Cisco IOS Routers, page 15-5.
Navigation Path
• (Device view) Select NAT from the Policy selector.
• (Policy view) Select NAT (Router) from the Policy Type selector.
Right-click NAT (Router) to create a policy, or select an existing policy from
the Shared Policy selector.
Related Topics
• Chapter K, “Router Platform User Interface Reference”
NAT Page—Interface Specification Tab
Use the NAT Interface Specification tab to define the inside and outside interfaces
on the router used for NAT. Inside interfaces are interfaces that connect to the
private networks served by the router. Outside interfaces are interfaces that
connect to the WAN or the Internet.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Interface Specification tab.
Related Topics
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
Field Reference
Table K-1 NAT Interface Specification Tab
Element: Description
NAT Inside Interfaces: The interfaces that act as the inside interfaces for address translation. Click Edit to display the Edit Interfaces Dialog Box—NAT Inside Interfaces, page K-4. From here you can define these interfaces.
NAT Outside Interfaces: The interfaces that act as the outside interfaces for address translation. Click Edit to display the Edit Interfaces Dialog Box—NAT Outside Interfaces, page K-5. From here you can define these interfaces.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Edit Interfaces Dialog Box—NAT Inside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit
Interfaces dialog box to specify which interfaces will act as the inside interfaces
for address translation. Inside interfaces typically connect to a LAN that the router
serves.
Navigation Path
Go to the NAT Page—Interface Specification Tab, page K-3, then click the Edit
button in the NAT Inside Interfaces field.
Related Topics
• Designating Inside and Outside Interfaces, page 15-6
Interfaces: The interfaces that act as the inside interfaces for address translation. You can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy Definition, page 9-135.
Select button: Opens an object selector (see Object Selectors, page F-593) for selecting interfaces and interface roles. Using the selector eliminates the need to manually enter this information.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
OK button: Saves your changes and closes the dialog box. Your selections are displayed in the NAT Inside Interfaces field of the NAT Interface Specification tab.
Edit Interfaces Dialog Box—NAT Outside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit
Interfaces dialog box to specify which interfaces will act as the outside interfaces
for address translation. Outside interfaces typically connect to your organization’s
WAN or to the Internet.
Navigation Path
Go to the NAT Page—Interface Specification Tab, page K-3, then click the Edit
button in the NAT Outside Interfaces field.
Related Topics
• Designating Inside and Outside Interfaces, page 15-6
Interfaces: The interfaces that act as the outside interfaces for address translation. You can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy Definition, page 9-135.
Select button: Opens an object selector (see Object Selectors, page F-593) for selecting interfaces and interface roles. Using the selector eliminates the need to manually enter this information.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
OK button: Saves your changes and closes the dialog box. Your selections are displayed in the NAT Outside Interfaces field of the NAT Interface Specification tab.
NAT Page—Static Rules Tab
Use the NAT Static Rules tab to create, edit, and delete static address translation
rules. For more information, see Defining Static NAT Rules, page 15-8.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Static Rules tab.
Related Topics
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
Field Reference
Table K-4 NAT Static Rules Tab
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Original Address: The original address (and optionally, the subnet mask) that is being translated.
Translated Address: The IP address to which the traffic is translated.
Port Redirection: (When the static rule is defined on a port) Information about the port that is being translated, including the local and global port numbers.
Advanced: The advanced options that are enabled.
Add button: Opens the NAT Static Rule Dialog Box, page K-7. From here you can create a static translation rule.
Edit button: Opens the NAT Static Rule Dialog Box, page K-7. From here you can edit the selected static translation rule.
Delete button: Deletes the selected static translation rules from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.
NAT Static Rule Dialog Box
Use the NAT Static Rule dialog box to add or edit static address translation rules.
Navigation Path
Go to the NAT Page—Static Rules Tab, page K-6, then click the Add or Edit
button beneath the table.
Related Topics
• Defining Static NAT Rules, page 15-8
• Disabling the Alias Option for Attached Subnets, page 15-15
• Disabling the Payload Option for Overlapping Networks, page 15-15
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
Field Reference
Table K-5 NAT Static Rule Dialog Box
Element: Description
Static Rule Type: The type of local address requiring translation by this static rule:
• Static Host—A single host requiring static address translation.
• Static Port—A single port requiring static address translation. If you select this option, you must define port redirection parameters.
Original Address: Enter an address or the name of a network/host object, or click Select to display an object selector (see Object Selectors, page F-593).
• When Static Network is selected as the Static Rule Type, this field defines the network address and subnet mask. For example, if you want to create n-to-n mappings between the private addresses in a subnet and the corresponding inside global addresses, enter the address of the subnet you want translated, and then enter the network mask in the Mask field.
• When Static Port or Static Host is selected as the Static Rule Type, this field defines the IP address only. For example, if you want to create a one-to-one mapping for a single host, enter the IP address of the host to translate. Do not enter a subnet mask in the Mask field.
If the network or host you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477. From here you can define a network/host object.
Note: We recommend not entering a local address belonging to this router, as it could cause Security Manager management traffic to be translated. Translating this traffic will cause a loss of communication between the router and Security Manager.
Translated Address: The type of address translation to perform:
• Specify IP—The IP address that acts as the translated address. Enter an address or the name of a network/host object in the Translated IP/Network field, or click Select to display an object selector (see Object Selectors, page F-593).
– If you selected Static Port or Static Host as the static rule type (to create a one-to-one mapping between a single inside local address and a single inside global address), enter the global address in this field. A subnet mask is not required.
– If you selected Static Network as the static rule type (to map the original, local addresses of a subnet to the corresponding global addresses), enter the IP address that you want to use in the translation in this field. The network mask is taken automatically from the mask entered in the Original Address field.
If the network or host you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477. From here you can define a network/host object.
• Use Interface IP—The interface whose address should be used as the translated address. (This is typically the interface from which translated packets leave the router.) Enter the name of an interface or interface role in the Interface field, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button or the Edit button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
Note: The Interface option is not available when Static Network is the selected static rule type. Only one static rule may be defined per interface.
Port Redirection: Applies only when Static Port is the selected static rule type.
Redirect Port—When selected, specifies port information for the inside device in the translation. This enables you to use the same public IP address for multiple devices as long as the port specified for each device is different. Enter information in the following fields:
• Protocol—The protocol type: TCP or UDP.
• Local Port—The port number on the source network. Valid values range from 1 to 65535.
• Global Port—The port number on the destination network that the router is to use for this translation. Valid values range from 1 to 65535.
When deselected, port information is not included in the translation.
Advanced: Applies only when using the Translated IP option for address translation. Defines advanced options:
• No Alias—When selected, prohibits an alias from being created for the global address.
The alias option is used to answer Address Resolution Protocol (ARP) requests for global addresses that are allocated by NAT. You can disable this feature for static entries by selecting the No Alias check box.
When deselected, global address aliases are permitted.
• No Payload—When selected, prohibits an embedded address or port in the payload from being translated.
The payload option performs NAT between devices on overlapping networks that share the same IP address. When an outside device sends a DNS query to reach an inside device, the local address inside the payload of the DNS reply is translated to a global address according to the relevant NAT rule. You can disable this feature by selecting the No Payload check box.
When deselected, embedded addresses and ports in the payload may be translated, as described above.
• Create Extended Translation Entry—When selected, creates an extended translation entry (addresses and ports). This enables you to associate multiple global addresses with a single local address. This is the default.
When deselected, creates a simple translation entry that allows you to associate a single global address with the local address.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
NAT Page—Dynamic Rules Tab
Use the NAT Dynamic Rules tab to create, edit, and delete dynamic address
translation rules. A dynamic address translation rule dynamically maps hosts to
addresses, using either the globally registered IP address of a specific interface or
addresses included in an address pool that are globally unique in the destination
network.
For more information, see Defining Dynamic NAT Rules, page 15-16.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Dynamic Rules tab.
Related Topics
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Timeouts Tab, page K-15
Field Reference
Table K-6 NAT Dynamic Rules Tab
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Traffic Flow: The ACL that defines the traffic that is being translated.
Translated Address: Indicates whether the translated address is based on an interface or on a defined address pool.
Port Translation: Indicates whether Port Address Translation (PAT) is being used by this dynamic NAT rule.
Add button: Opens the NAT Dynamic Rule Dialog Box, page K-13. From here you can create a dynamic translation rule.
Edit button: Opens the NAT Dynamic Rule Dialog Box, page K-13. From here you can edit the selected dynamic translation rule.
Delete button: Deletes the selected dynamic translation rules from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.
NAT Dynamic Rule Dialog Box
Use the NAT Dynamic Rule dialog box to add or edit dynamic address translation
rules.
Navigation Path
Go to the NAT Page—Dynamic Rules Tab, page K-12, then click the Add or Edit
button beneath the table.
Related Topics
• Defining Dynamic NAT Rules, page 15-16
• Understanding Access Control List Objects, page 9-30
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
Field Reference
Table K-7 NAT Dynamic Rule Dialog Box
Element: Description
Traffic Flow: Access List—The extended ACL that specifies the traffic requiring dynamic translation. Enter the name of an ACL object, or click Select to display an object selector (see Object Selectors, page F-593).
If the ACL you want is not listed, click the Create button in the selector to display the dialog box for defining an extended ACL object. For more information, see Add and Edit Extended Access List Pages, page F-34.
Note: Make sure that the ACL you select does not permit the translation of Security Manager management traffic over any device address on this router. Translating this traffic will cause a loss of communication between the router and Security Manager.
Translated Address: The method for performing dynamic address translation:
• Interface—The router interface used for address translation. PAT is used to distinguish each host on the network. Enter the name of an interface or interface role, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
• Address Pool—Translates addresses using a set of addresses defined in an address pool. Enter one or more address ranges, including the prefix, using the format min1-max1/prefix (in CIDR notation). You can add as many address ranges to the address pool as required, but all ranges must share the same prefix. Separate multiple entries with commas.
Enable Port Translation (Overload): When selected, the router uses port addressing (PAT) if the pool of available addresses runs out.
When deselected, PAT is not used.
Note: PAT is selected by default when you use an interface on the router as the translated address.
Do Not Translate VPN Traffic (Site-to-Site VPN only): This setting applies only in situations where the NAT ACL overlaps the crypto ACL used by the site-to-site VPN. Because the interface performs NAT first, any traffic arriving from an address within this overlap would get translated, causing the traffic to be sent unencrypted. Leaving this check box selected prevents that from happening.
When selected, address translation is not performed on VPN traffic.
When deselected, the router performs address translation on VPN traffic in cases of overlapping addresses between the NAT ACL and the crypto ACL.
Note: We recommend that you leave this check box selected, even when performing NAT into IPsec, as this setting does not interfere with the translation that is performed to avoid a clash between two networks sharing the same set of internal addresses.
Note: This option does not apply to remote access VPNs.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
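The two notes above about not translating Security Manager management traffic (the Original Address note in the NAT Static Rule dialog box and the Traffic Flow note in the NAT Dynamic Rule dialog box), together with the min1-max1/prefix syntax of the Address Pool field, can be checked before a policy is deployed. The following is an added example, not Security Manager's own code; the plain-string rule inputs, the (action, source) ACL tuples and the first-match ACL evaluation are assumptions made for illustration.

```python
# Added example, not Security Manager's own code: a pre-deployment lint for the
# NAT rules described in the Static Rule and Dynamic Rule dialog boxes. Rule
# inputs are plain strings and (action, source) tuples, an assumption made for
# illustration; Security Manager keeps rules in its own object model.
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
PoolRange = Tuple[IPv4, IPv4, int]


def parse_address_pool(text: str) -> List[PoolRange]:
    """Parse the Address Pool field: comma-separated "min-max/prefix" entries.

    Enforces the documented constraints: each entry is a range with a prefix,
    min does not exceed max, the range stays inside its prefix, and every
    range shares the same prefix.
    """
    ranges: List[PoolRange] = []
    for raw in text.split(","):
        entry = raw.strip()
        try:
            span, prefix_str = entry.rsplit("/", 1)
            low_str, high_str = span.split("-", 1)
            low, high = IPv4(low_str.strip()), IPv4(high_str.strip())
            prefix = int(prefix_str)
        except ValueError as exc:
            raise ValueError(f"malformed pool entry {entry!r}, expected min-max/prefix") from exc
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix /{prefix} out of range in {entry!r}")
        if low > high:
            raise ValueError(f"min above max in {entry!r}")
        network = ipaddress.ip_network(f"{low}/{prefix}", strict=False)
        if high not in network:
            raise ValueError(f"range {entry!r} crosses its /{prefix} boundary")
        ranges.append((low, high, prefix))
    prefixes = {p for _, _, p in ranges}
    if len(prefixes) != 1:
        raise ValueError(f"all ranges must share one prefix, found {sorted(prefixes)}")
    return ranges


def pool_size(ranges: List[PoolRange]) -> int:
    """Global addresses available before PAT (overload) takes over."""
    return sum(int(high) - int(low) + 1 for low, high, _ in ranges)


def static_rule_covers(original: str, mask: Optional[str], address: str) -> bool:
    """True if a static rule's Original Address includes `address`.

    A Static Host or Static Port rule has no mask and matches one host; a
    Static Network rule carries the mask entered in the Mask field.
    """
    if mask is None:
        return IPv4(original) == IPv4(address)
    return IPv4(address) in ipaddress.ip_network(f"{original}/{mask}", strict=False)


def acl_permits(entries: List[Tuple[str, str]], address: str) -> bool:
    """First-match evaluation of a simplified extended ACL.

    `entries` are (action, source) pairs with action "permit" or "deny" and
    source in CIDR notation; an unmatched address hits the implicit deny.
    """
    addr = IPv4(address)
    for action, source in entries:
        if addr in ipaddress.ip_network(source, strict=False):
            return action == "permit"
    return False


def lint_rules(static_rules, acl, pool_text, mgmt_address) -> List[str]:
    """Findings for a set of static rules and one dynamic rule, given the
    router address through which Security Manager manages the device."""
    findings = []
    for original, mask in static_rules:
        if static_rule_covers(original, mask, mgmt_address):
            findings.append(f"static rule {original}/{mask or 'host'} would translate "
                            f"management address {mgmt_address}")
    if acl_permits(acl, mgmt_address):
        findings.append(f"dynamic rule ACL permits management address {mgmt_address}")
    size = pool_size(parse_address_pool(pool_text))
    findings.append(f"address pool holds {size} addresses; PAT takes over once exhausted")
    return findings


# Constructed sample input: management traffic reaches the router at 192.168.1.1.
SAMPLE_STATIC = [("192.168.1.0", "255.255.255.0"), ("10.0.0.5", None)]
SAMPLE_ACL = [("deny", "192.168.1.1/32"), ("permit", "192.168.1.0/24")]
SAMPLE_POOL = "203.0.113.10-203.0.113.20/24, 203.0.113.30-203.0.113.40/24"

if __name__ == "__main__":
    for line in lint_rules(SAMPLE_STATIC, SAMPLE_ACL, SAMPLE_POOL, "192.168.1.1"):
        print(line)
```

On the sample, the Static Network rule is flagged because its subnet contains the management address, while the dynamic rule passes because its ACL denies that host before the broader permit.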
NAT Page—Timeouts Tab
Use the NAT Timeouts tab to view or modify the default timeout values for PAT
(overload) translations. These timeouts cause a dynamic translation to expire after
a defined period of non-use. In addition, you can use this page to place a limit on
the number of entries allowed in the dynamic NAT table and to modify the default
timeout on all dynamic translations that are not PAT translations.
Note: For more information about the Overload feature, see NAT Dynamic Rule Dialog Box, page K-13.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Timeouts tab.
Related Topics
• Specifying NAT Timeouts, page 15-19
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
Field Reference
Table K-8 NAT Timeouts Tab
Element: Description
Max Entries: The maximum number of entries allowed in the dynamic NAT table. Values range from 1 to 2147483647.
By default, this field is left blank, which means that the number of entries in the table is unlimited.
Timeout (sec.): The timeout value applied to all dynamic translations except PAT (overload) translations.
The default is 86400 seconds (24 hours).
UDP Timeout (sec.): The timeout value applied to User Datagram Protocol (UDP) ports. The default is 300 seconds (5 minutes).
Note: This value applies only when the Overload feature is enabled.
DNS Timeout (sec.): The timeout value applied to Domain Naming System (DNS) server connections. The default is 60 seconds.
Note: This value applies only when the Overload feature is enabled.
TCP Timeout (sec.): The timeout value applied to Transmission Control Protocol (TCP) ports. The default is 86400 seconds (24 hours).
Note: This value applies only when the Overload feature is enabled.
FINRST Timeout (sec.): The timeout value applied when a Finish (FIN) packet or Reset (RST) packet (both of which terminate connections) is found in the TCP stream. The default is 60 seconds.
Note: This value applies only when the Overload feature is enabled.
ICMP Timeout (sec.): The timeout value applied to Internet Control Message Protocol (ICMP) flows. The default is 60 seconds.
Note: This value applies only when the Overload feature is enabled.
PPTP Timeout (sec.): The timeout value applied to NAT Point-to-Point Tunneling Protocol (PPTP) flows. The default is 86400 seconds (24 hours).
Note: This value applies only when the Overload feature is enabled.
SYN Timeout (sec.): The timeout value applied to TCP flows after a synchronous transmission (SYN) message (used for precise clocking) is encountered. The default is 60 seconds.
Note: This value applies only when the Overload feature is enabled.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Router Interfaces Page
Use the Router Interfaces page to view, create, edit, and delete interface
definitions (physical and virtual) on a selected Cisco IOS router. The Router
Interfaces page displays interfaces that were discovered by Security Manager as
well as interfaces added manually after you added the device to the system.
For more information, see Basic Interface Settings on Cisco IOS Routers,
page 15-20.
Navigation Path
Select a Cisco IOS router from the Device selector, then select Interfaces >
Interfaces from the Policy selector.
Related Topics
• Available Interface Types, page 15-21
• Deleting a Cisco IOS Router Interface, page 15-27
Field Reference
Table K-9 Router Interfaces Page
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface Type: The interface type. Subinterfaces are displayed indented beneath their parent interface.
Interface Name: The name of the interface.
Enabled: Indicates whether the interface is currently enabled (managed by Security Manager) or disabled (shutdown state).
IP Address: The IP address of interfaces defined with a static address.
IP Address Type: The type of IP address assigned to the interface—static, DHCP, PPPoE, or unnumbered. (IP address is defined by a selected interface role.)
Interface Role: The interface roles that are assigned to the selected interface.
Add button: Opens the Create Router Interface Dialog Box, page K-18. From here you can create an interface on the selected router.
Edit button: Opens the Create Router Interface Dialog Box, page K-18. From here you can edit the selected interface.
Delete button: Deletes the selected interfaces from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.
Create Router Interface Dialog Box
Use the Create Router Interface dialog box to create and edit physical and virtual
interfaces on the selected Cisco IOS router.
Note: Unlike other router policies, the Interfaces policy cannot be shared among multiple devices. The Advanced Settings policy, however, may be shared. See Local Policies vs. Shared Policies, page 7-4.
Navigation Path
Go to the Router Interfaces Page, page K-17, then click the Add or Edit button
beneath the table.
Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Deleting a Cisco IOS Router Interface, page 15-27
• Never Block Networks Dialog Box, page N-132
Field Reference
Table K-10 Create Router Interface Dialog Box
Element: Description
Enabled: When selected, the router interface is enabled.
When deselected, the router interface is in shutdown state. However, its definition is not deleted.
Type: Specifies whether you are defining an interface or subinterface.
Name: Applies only to interfaces.
The name of the interface. Enter a name manually, or click Select to display a dialog box for generating a name automatically. See Interface Auto Name Generator Dialog Box, page K-24.
Note: Logical interfaces require a number after the name:
—The valid range for dialer interfaces is 0-799.
—The valid range for loopback interfaces is 0-2147483647.
—The valid range for BVI interfaces is 1-255.
—The only valid value for null interfaces is 0.
Parent: Applies only to subinterfaces.
The parent interface of the subinterface. Select the parent interface from the displayed list.
Layer Type: The OSI layer at which the interface is defined:
• Unknown—The layer is unknown.
• Layer 2—The data link layer, which contains the protocols that control the physical layer (Layer 1) and how data is framed before being transmitted on the medium. Layer 2 is used for bridging and switching. Layer 2 interfaces do not have IP addresses.
• Layer 3—The network layer, which is primarily responsible for the routing of data in packets across logical internetwork paths. This routing is accomplished through the use of IP addresses.
Duplex: The interface transmission mode:
• None—The transmission mode is returned to its device-specific default setting.
• Full—The interface transmits and receives at the same time (full duplex).
• Half—The interface can transmit or receive, but not at the same time (half duplex). This is the default.
• Auto—The router automatically detects and sets the appropriate transmission mode, either full or half duplex.
Note: When using Auto mode, be sure that the port on the active network device to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode.
Note: You can configure a duplex value only if you set the Speed to a fixed speed, not Auto.
Note: This setting does not apply to serial, HSSI, ATM, PRI, DSL, tunnel, or loopback interfaces.
Speed: Applies only to Fast Ethernet and Gigabit Ethernet interfaces.
The speed of the interface:
• 10—10 megabits per second (10Base-T networks).
• 100—100 megabits per second (100Base-T networks). This is the default for Fast Ethernet interfaces.
• 1000—1000 megabits per second (Gigabit Ethernet networks). This is the default for Gigabit Ethernet interfaces.
• Auto—The router automatically detects and sets the appropriate interface speed.
Note: When using Auto mode, be sure that the port on the active network device to which you connect this interface is also set to automatically negotiate the transmission speed. Otherwise, select the appropriate fixed speed.
MTU: The maximum transmission unit, which refers to the maximum packet size, in bytes, that this interface can handle.
Valid values for serial, Ethernet, and Fast Ethernet interfaces range from 64 to 17940 bytes.
Valid values for Gigabit Ethernet interfaces range from 1500 to 9216 bytes.
Encapsulation: The type of encapsulation performed by the interface:
• None—No encapsulation.
• DOT1Q—VLAN encapsulation, as defined by the IEEE 802.1Q standard. Applies only to Ethernet subinterfaces.
• Frame Relay—IETF Frame Relay encapsulation. Applies only to serial interfaces (not serial subinterfaces).
Note: IETF Frame Relay encapsulation provides interoperability between a Cisco IOS router and equipment from other vendors. To configure Cisco Frame Relay encapsulation, use CLI commands or FlexConfigs.
VLAN ID: Applies only to subinterfaces with encapsulation type DOT1Q.
The VLAN ID associated with this subinterface. The VLAN ID specifies
where 802.1Q tagged packets are sent and received on this subinterface;
without a VLAN ID, the subinterface cannot send or receive traffic. Valid
values range from 1 to 4094.
Note: All VLAN IDs must be unique among all subinterfaces configured
on the same physical interface.
Tip: To configure DOT1Q encapsulation on an Ethernet interface without
associating the VLAN with a subinterface, enter the vlan-id dot1q
command using CLI commands or FlexConfigs. See Understanding
FlexConfig Objects, page 9-52. Configuring VLANs on the main
interface increases the number of VLANs that can be configured on
the router.
Native VLAN: Applies only when the encapsulation type is DOT1Q and you are configuring
a physical interface that is meant to serve as an 802.1Q trunk interface.
Trunking is a way to carry traffic from several VLANs over a point-to-point
link between two devices.
When selected, the Native VLAN is associated with this interface, using the
ID specified in the VLAN ID field. If no VLAN ID is specified for the
Native VLAN, the default is 1. The native VLAN is the VLAN to which all
untagged VLAN packets are logically assigned by default. This includes the
management traffic associated with the VLAN.
For example, if the VLAN ID of this interface is 1, all incoming untagged
packets and packets with VLAN ID 1 are received on the main interface and
not on a subinterface. Packets sent from the main interface are transmitted
without an 802.1Q tag.
When deselected, the Native VLAN is not associated with this interface.
Note: The Native VLAN cannot be configured on a subinterface of the
trunk interface. Be sure to configure the same Native VLAN value at
both ends of the link; otherwise, traffic may be lost or sent to the
wrong VLAN.
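The native-VLAN rules above (untagged or native-tagged frames go to the main interface, other tags must match a subinterface, one VLAN ID per subinterface, no native VLAN on a subinterface) can be made concrete by parsing real 802.1Q tags. The following is an added illustration, not Security Manager or Cisco IOS code; the interface names, MAC addresses and frames are constructed for the example, and the tag layout it parses (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is the IEEE 802.1Q format.

```python
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # valid VLAN ID range given in the field reference


def parse_vlan_tag(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vlan_id, payload_ethertype); vlan_id is None for an untagged frame.
    An 802.1Q tag sits after the 12-byte MAC header: a 2-byte TPID of 0x8100,
    then a 2-byte TCI whose low 12 bits are the VLAN ID."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type


class Trunk:
    """A physical interface with DOT1Q encapsulation, a native VLAN, and DOT1Q
    subinterfaces keyed by VLAN ID (interface names are constructed examples)."""

    def __init__(self, name: str, native_vlan: int = 1) -> None:
        self.name = name
        self.native_vlan = native_vlan
        self.subinterfaces: Dict[int, str] = {}

    def add_subinterface(self, subif_name: str, vlan_id: int) -> None:
        # Enforce the constraints stated for the VLAN ID and Native VLAN fields.
        if not VLAN_ID_MIN <= vlan_id <= VLAN_ID_MAX:
            raise ValueError(f"VLAN ID {vlan_id} outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
        if vlan_id in self.subinterfaces:
            raise ValueError(f"VLAN {vlan_id} already used by {self.subinterfaces[vlan_id]}")
        if vlan_id == self.native_vlan:
            raise ValueError("the native VLAN cannot be configured on a subinterface")
        self.subinterfaces[vlan_id] = subif_name

    def receive(self, frame: bytes) -> Optional[str]:
        """Name of the interface that receives the frame, or None if it is dropped:
        untagged frames and frames tagged with the native VLAN ID go to the main
        interface; any other tag must match a subinterface."""
        vlan_id, _ = parse_vlan_tag(frame)
        if vlan_id is None or vlan_id == self.native_vlan:
            return self.name
        return self.subinterfaces.get(vlan_id)

    def transmit(self, vlan_id: int, ethertype: int, payload: bytes,
                 dst: bytes, src: bytes) -> bytes:
        """Build the on-wire frame: native-VLAN traffic leaves the main interface
        untagged; any other VLAN gets an 802.1Q tag (priority 0, DEI 0)."""
        if vlan_id == self.native_vlan:
            return dst + src + struct.pack("!H", ethertype) + payload
        tag = struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ethertype)
        return dst + src + tag + payload


def demo() -> Dict[str, Optional[str]]:
    """Constructed sample: a trunk with native VLAN 1 and subinterfaces for VLANs 10 and 20."""
    trunk = Trunk("GigabitEthernet0/0", native_vlan=1)
    trunk.add_subinterface("GigabitEthernet0/0.10", 10)
    trunk.add_subinterface("GigabitEthernet0/0.20", 20)
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    ipv4, payload = 0x0800, b"\x45" + b"\x00" * 19   # constructed IPv4-looking payload
    frames = {
        "untagged": trunk.transmit(1, ipv4, payload, dst, src),
        # A peer that tags the native VLAN explicitly; still lands on the main interface.
        "tagged_native": dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, 1, ipv4) + payload,
        "vlan10": trunk.transmit(10, ipv4, payload, dst, src),
        "vlan30": trunk.transmit(30, ipv4, payload, dst, src),   # no subinterface for VLAN 30
    }
    return {name: trunk.receive(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:>13} -> {target}")
```

The mismatch warned about in the Note falls out of the same code: a trunk built with native_vlan=20 places the untagged frame that the first trunk sent for VLAN 1 on its own main interface, that is, into VLAN 20, which is how traffic ends up in the wrong VLAN when the two ends disagree.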
DLCI: Applies only to serial subinterfaces with Frame Relay encapsulation.
Enter the data-link connection identifier to associate with the subinterface.
Valid values range from 16 to 1007.
Note: Security Manager configures serial subinterfaces as point-to-point,
not multipoint.
Description: Additional information about the interface (up to 1024 characters).
Roles: The interface roles assigned to this interface. A message is displayed if no
roles have yet been assigned.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Interface Auto Name Generator Dialog Box
Use the Interface Auto Name Generator dialog box to have Security Manager
generate a name for the interface based on the interface type and its location in
the router.
Navigation Path
Go to the Create Router Interface Dialog Box, page K-18, select Interface from
the Type list, then click Select in the Name field.
Related Topics
• Generating an Interface Name, page 15-26
• Router Interfaces Page, page K-17
• Basic Interface Settings on Cisco IOS Routers, page 15-20
Field Reference
Table K-11 Interface Auto Name Generator Dialog Box
Type: The type of interface. Your selection from this list forms the first part of the
generated name, as displayed in the Result field. For more information, see
Table 15-1 on page 15-21.
Card: The card related to the interface.
Note: When defining a BVI interface, enter the number of the
corresponding bridge group.
Slot: The slot related to the interface.
Port: The port related to the interface.
Note: The information you enter in these fields forms the remainder of the
generated name, as displayed in the Result field.
Result: The name generated by Security Manager from the information you entered
for the interface type and location. The name displayed in this field is
read-only.
Tip: After closing this dialog box, you can edit the generated name in the
Create Router Interface dialog box, if required.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Advanced Interface Settings Page
Use the Advanced Interface Settings page to view, create, edit, and delete
advanced interface definitions (physical and virtual) on a selected Cisco IOS
router. Examples of advanced settings include Cisco Discovery Protocol (CDP)
settings, ICMP message settings, and virtual fragment reassembly settings.
For more information, see Advanced Interface Settings on Cisco IOS Routers,
page 15-28.
Navigation Path
• (Device view) Select Interfaces > Settings > Advanced Settings from the
Go to the Never Block Networks Dialog Box, page N-132, then click the Add or
Edit button beneath the table.
Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Advanced Interface Settings on Cisco IOS Routers, page 15-28
• Deleting a Cisco IOS Router Interface, page 15-27
• Available Interface Types, page 15-21
Field Reference
Table K-13 Advanced Interface Settings Dialog Box
Interface: The interface on which the advanced settings are defined. Enter the name of
an interface or interface role, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
Note: You can define only one set of advanced settings per interface.
Note: The only advanced settings supported on Layer 2 interfaces are Max.
Bandwidth, Load Interval, and CDP.
Max Bandwidth: The bandwidth value to communicate to higher-level protocols in kilobits
per second (kbps).
Note: The value you define in this field is an informational parameter only;
it does not affect the physical interface.
Load Interval: The length of time, in seconds, used to calculate the average load on the
interface. Valid values range from 30 to 600 seconds, in multiples of 30
seconds. The default is 300 seconds (5 minutes).
Modify the default to shorten the length of time over which load averages are
computed. You can do this if you want load computations to be more reactive
to short bursts of traffic.
Load data is gathered every 5 seconds. This data is used to compute load
statistics, including input/output rate in bits and packets per second, load,
and reliability. Load data is computed using a weighted-average calculation
in which recent load data has more weight in the computation than older load
data.
Tip: You can use this option to increase or decrease the likelihood of
activating a backup interface; for example, a backup dial interface
may be triggered by a sudden spike in the load on an active interface.
Note: Load interval is not supported on subinterfaces.
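To see why a shorter load interval makes a backup interface more likely to trigger on a burst, the weighted averaging described for the Load Interval field can be simulated. This is an added example, not Cisco IOS code: it keeps the 5-second sampling and the 30 to 600 second range from the field reference, but the exponential decay it uses (time constant equal to the load interval) is an assumed model of "recent data weighs more", not the exact IOS formula, and the traffic pattern is constructed.

```python
import math
from typing import List

SAMPLE_PERIOD = 5   # seconds between load samples, as stated in the field reference


def load_average(samples_bps: List[float], load_interval: int,
                 bandwidth_bps: float) -> List[float]:
    """Return the reported load (fraction of bandwidth) after each 5-second sample.
    Assumed model: an exponential moving average whose time constant is the
    configured load interval, so recent samples weigh more than older ones."""
    if not 30 <= load_interval <= 600 or load_interval % 30:
        raise ValueError("load interval must be 30-600 seconds in multiples of 30")
    keep = math.exp(-SAMPLE_PERIOD / load_interval)   # weight kept from the previous average
    average, history = 0.0, []
    for rate in samples_bps:
        average = keep * average + (1.0 - keep) * rate
        history.append(average / bandwidth_bps)
    return history


def peak_load_after_burst(load_interval: int, bandwidth_bps: float = 1_000_000,
                          quiet_bps: float = 50_000, burst_bps: float = 900_000,
                          burst_seconds: int = 30) -> float:
    """Constructed traffic pattern: 10 minutes of light traffic, a short burst,
    then light traffic again. Returns the highest load the interface would report."""
    quiet = [quiet_bps] * (600 // SAMPLE_PERIOD)
    burst = [burst_bps] * (burst_seconds // SAMPLE_PERIOD)
    return max(load_average(quiet + burst + quiet, load_interval, bandwidth_bps))


if __name__ == "__main__":
    for interval in (30, 300):
        peak = peak_load_after_burst(interval)
        print(f"load-interval {interval:3d} s: peak reported load {peak:.0%}")
```

With the default 300-second interval the 30-second burst barely moves the reported load (roughly one eighth of the bandwidth in this model), while a 30-second interval reports well over half; a backup interface keyed to a load threshold would see the burst only in the second case, which is the trade-off the Tip describes.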
The maximum segment size (MSS) of TCP SYN packets that pass through
this interface. Valid values range from 500 to 1460 bytes. If you do not
specify a value, the MSS is determined by the originating host.
This option helps prevent TCP sessions from being dropped as they pass
through the router. Use this option when the ICMP messages that perform
auto-negotiation of TCP frame size are blocked (for example, by a firewall).
We highly recommend using this option on the tunnel interfaces of DMVPN
networks.
For more information, see TCP MSS Adjustment at this URL:
Note: Typically, the optimum MSS is 1452 bytes. This value plus the
20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE
header add up to a 1500-byte packet that matches the MTU size for
the Ethernet link.
Helper Addresses: The helper addresses that are used to forward User Datagram Protocol
(UDP) broadcasts that are received on this interface. Enter one or more
addresses or network/host objects, or click Select to display an Object
Selectors, page F-593.
If the network you want is not listed, click the Create button in the selector
to display the Network/Host Dialog Box, page F-477. From here, you can
define a network/host object.
By default, routers do not forward broadcasts outside of their subnet. Helper
addresses provide a solution by enabling the router to forward certain types
of UDP broadcasts as a unicast to an address on the destination subnet.
For more information, see Understanding Helper Addresses, page 15-29.
Enable CDP: When selected, the Cisco Discovery Protocol (CDP) is enabled on this
interface. This is the default.
When deselected, CDP is disabled on this interface.
CDP is a media- and protocol-independent device-discovery protocol that
runs on all Cisco-manufactured equipment including routers, access servers,
bridges, and switches. It is primarily used to obtain protocol addresses of
neighboring devices and discover the platform of those devices.
Note: ATM interfaces do not support CDP.
Log CDP Messages: Applies only to Ethernet interfaces.
When selected, duplex mismatches for this interface are displayed in a log.
This is the default.
When deselected, duplex mismatches for this interface are not logged.
NetFlow settings
Enable Ingress Accounting: When selected, NetFlow accounting is enabled on traffic arriving on this
interface.
When deselected, NetFlow accounting on arriving traffic is disabled. This is
the default.
Cisco IOS NetFlow provides the metering base for a key set of applications
including network traffic accounting, usage-based network billing, network
planning, as well as Denial of Service monitoring capabilities, network
monitoring, outbound marketing, and data mining capabilities for both
service provider and enterprise customers.
Note: You must use the CLI or FlexConfigs to enable Cisco Express
Forwarding (CEF) or distributed CEF (dCEF) before using this
option.
Enable Egress Accounting: When selected, enables NetFlow accounting on traffic leaving this interface.
When deselected, disables NetFlow accounting on traffic leaving this
interface. This is the default.
Note: You must use the CLI or FlexConfigs to enable Cisco Express
Forwarding (CEF) or distributed CEF (dCEF) before using this
option.
When selected, enables the sending of Internet Control Message Protocol
(ICMP) redirect messages if the device is forced to resend a packet through
the same interface on which it was received to another device on the same
subnet. This is the default.
When deselected, disables redirect messages.
Redirect messages are sent when the device wants to instruct the originator
of the packet to remove it from the route and substitute a different device that
offers a more direct path to the destination.
When selected, enables the sending of ICMP unreachable messages. This is
the default.
When deselected, disables unreachable messages.
Unreachable messages are sent in two circumstances:
• If the interface receives a nonbroadcast packet destined for itself that
uses an unknown protocol. In this case, it sends an ICMP unreachable
message to the source.
• If the device receives a packet that it cannot deliver to its ultimate
destination because it knows of no route to the destination address. In
this case, it sends an ICMP host unreachable message to the originator
of the packet.
Enable Mask Reply Messages: When selected, enables the sending of ICMP mask reply messages.
When deselected, disables mask reply messages. This is the default.
Mask reply messages are sent in response to mask request messages, which
are sent when a device needs to know the subnet mask for a particular
subnetwork.
Note: This is the only advanced setting supported by the null0 interface.
Enable Proxy ARP: When selected, enables proxy Address Resolution Protocol (ARP) on the
Proxy ARP, defined in RFC 1027, is the technique in which one host, usually
a router, answers ARP requests intended for another machine, thereby
accepting responsibility for routing packets to the real destination. Proxy
ARP can help machines on a subnet reach remote subnets without
configuring routing or a default gateway.
When selected, virtual fragmentation reassembly (VFR) is enabled on this
interface.
When deselected, disables VFR. This is the default.
VFR is a feature that enables the Cisco IOS Firewall to create dynamic ACLs
that can protect the network from various fragmentation attacks. For more
information, see Virtual Fragmentation Reassembly at this URL:
Enable NBAR Protocol Discovery: When selected, enables network-based application recognition (NBAR) on
this interface to discover traffic and keep traffic statistics for all protocols
known to NBAR.
When deselected, disables NBAR. This is the default.
Protocol discovery provides a method to discover application protocols
traversing an interface so that QoS policies can be developed and applied to
them. For more information, go to:
When selected, directed broadcast packets are “exploded” as a link-layer
broadcast when this interface is directly connected to the destination subnet.
When deselected, directed broadcast packets that are intended for the subnet
to which this interface is directly connected are dropped rather than being
broadcast. This is the default.
An IP directed broadcast is an IP packet whose destination address is a valid
broadcast address on a different subnet from the node on which it originated.
In such cases, the packet is forwarded as if it were a unicast packet until it
reaches its destination subnet.
This option affects only the final transmission of the directed broadcast on
its destination subnet; it does not affect the transit unicast routing of IP
directed broadcasts.
Note: Because directed broadcasts, and particularly ICMP directed
broadcasts, have been abused by malicious persons, we recommend
deselecting this option on interfaces where directed broadcasts are
not needed.
ACL: Applies only when directed broadcasts are enabled.
The standard access list that determines which directed broadcasts are
permitted to be broadcast on the destination subnet. All other directed
broadcasts destined for the subnet to which this interface is directly
connected are dropped. Enter the name of an ACL object, or click Select to
display an Object Selectors, page F-593.
If the standard ACL you want is not listed, click the Create button in the
selector to display the Add and Edit Standard Access List Pages, page F-42.
From here you can create an ACL object.
Note: To prevent misuse by malicious persons, we recommend using ACLs
to restrict the use of directed broadcasts.
Advanced Interface Settings buttons
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
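Once these settings are deployed, the deployed configuration is what actually matters, so a practitioner will want to check it directly rather than trusting the dialog box. The following is an added example, not Security Manager code: it parses a running-config excerpt (constructed for the example, with documentation addresses) and reports on the per-interface settings this table describes. The IOS commands it matches (ip directed-broadcast with its optional standard ACL, no ip redirects, no ip unreachables, no ip proxy-arp, no cdp enable, ip tcp adjust-mss) are the CLI forms of the settings above; which conditions it flags, and their severities, are this example's own choices, taken from the recommendations in the field reference (deselect directed broadcasts where not needed or restrict them with an ACL, keep MSS within 500 to 1460, adjust MSS on DMVPN tunnel interfaces).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet0/0
 description constructed example: WAN uplink
 ip address 192.0.2.2 255.255.255.252
 ip directed-broadcast
 ip flow ingress
!
interface GigabitEthernet0/1
 description constructed example: LAN
 ip address 192.168.10.1 255.255.255.0
 ip directed-broadcast 10
 ip helper-address 192.168.50.5
 no ip redirects
 no ip proxy-arp
!
interface Tunnel0
 description constructed example: DMVPN tunnel without MSS adjustment
 ip address 10.0.0.1 255.255.255.0
 no cdp enable
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 ip tcp adjust-mss 1452
!
"""


@dataclass
class InterfaceSettings:
    name: str
    lines: List[str] = field(default_factory=list)

    def _first(self, pattern: str) -> Optional["re.Match"]:
        for line in self.lines:
            match = re.fullmatch(pattern, line)
            if match:
                return match
        return None

    def directed_broadcast(self) -> Tuple[bool, Optional[str]]:
        """(enabled, acl): off by default, so the command appears only when enabled."""
        match = self._first(r"ip directed-broadcast(?: (\S+))?")
        return (match is not None, match.group(1) if match else None)

    # Redirects, unreachables, proxy ARP and CDP are on by default; the config
    # shows only the 'no ...' form once they have been disabled.
    @property
    def redirects(self) -> bool:
        return self._first(r"no ip redirects") is None

    @property
    def unreachables(self) -> bool:
        return self._first(r"no ip unreachables") is None

    @property
    def proxy_arp(self) -> bool:
        return self._first(r"no ip proxy-arp") is None

    @property
    def cdp(self) -> bool:
        return self._first(r"no cdp enable") is None

    @property
    def tcp_adjust_mss(self) -> Optional[int]:
        match = self._first(r"ip tcp adjust-mss (\d+)")
        return int(match.group(1)) if match else None


def parse_interfaces(config: str) -> Dict[str, InterfaceSettings]:
    """Collect the indented lines under each 'interface ...' block."""
    interfaces: Dict[str, InterfaceSettings] = {}
    current: Optional[InterfaceSettings] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = InterfaceSettings(raw.split(None, 1)[1].strip())
            interfaces[current.name] = current
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None   # '!' or a global command ends the interface block
    return interfaces


Finding = Tuple[str, str, str]   # (interface, severity, message)


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for name, s in parse_interfaces(config).items():
        enabled, acl = s.directed_broadcast()
        if enabled and acl is None:
            findings.append((name, "high", "directed broadcasts enabled with no ACL; "
                             "deselect unless needed or restrict with a standard ACL"))
        elif enabled:
            findings.append((name, "info", f"directed broadcasts restricted by standard ACL {acl}"))
        mss = s.tcp_adjust_mss
        if mss is not None and not 500 <= mss <= 1460:
            findings.append((name, "high", f"ip tcp adjust-mss {mss} is outside the valid 500-1460 range"))
        if name.lower().startswith("tunnel") and mss is None:
            findings.append((name, "medium", "no TCP MSS adjustment on a tunnel interface "
                             "(recommended for DMVPN tunnels)"))
    return findings


if __name__ == "__main__":
    for iface, severity, message in audit(SAMPLE_RUNNING_CONFIG):
        print(f"[{severity:6}] {iface}: {message}")
    for iface, s in parse_interfaces(SAMPLE_RUNNING_CONFIG).items():
        print(f"{iface}: redirects={s.redirects} unreachables={s.unreachables} "
              f"proxy_arp={s.proxy_arp} cdp={s.cdp}")
```

The default-on settings (redirects, unreachables, proxy ARP, CDP) are reported rather than flagged, because whether they belong on a given interface depends on what the interface faces; the point of parsing them is that their absence from the config means enabled, which is easy to misread when reviewing a running-config by eye.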
AIM-IPS Interface Settings Page
Use the AIM-IPS Interface Settings page to define the settings on the Cisco
Intrusion Prevention System Advanced Integration Module. You can install
AIM-IPS in Cisco 1841, 2800 series, and 3800 series routers.
Note: AIM-IPS must be running IPS 6.0 or later.
Caution: Cisco IOS IPS and the Cisco IPS AIM cannot be used together. Cisco IOS IPS
must be disabled when the AIM IPS is installed.
Navigation Path
• (Device view) Select Interfaces > Settings > AIM-IPS from the Policy
selector.
• (Policy view) Select Router Interfaces > Settings > AIM-IPS from the
Policy Type selector. Right-click AIM-IPS to create a policy, or select an
existing policy from the Shared Policy selector.
Related Topics
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-14 AIM-IPS Interface Settings Page
AIM-IPS Interface Settings table
Interface Name: A name selected from among available interfaces.
Select button: Opens the Interface Selector dialog box.
Fail Over Mode: Fail open or fail closed. The default value is fail open.
AIM-IPS Service Module Monitoring Settings table
Filter: Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface Name: The name of the interface role that the AIM-IPS uses.
Monitoring Mode: Inline or Promiscuous. Inline mode puts the AIM-IPS directly into the traffic
flow, allowing it to stop attacks by dropping malicious traffic before it
reaches the intended target. In promiscuous mode, packets do not flow
through the sensor; the sensor analyzes a copy of the monitored traffic rather
than the actual forwarded packet.
Access List: Optional. Used to configure a standard monitoring access list on the router
and apply that access list to filter traffic for inspection. Traffic that matches
the ACL is not inspected. More information on the
options for the access-list command is available in the Cisco IOS Command
Reference.
Add button: Opens the IPS Monitoring Information Dialog Box, page K-35. From here
you can define an IPS monitoring interface.
Edit button: Opens the IPS Monitoring Information Dialog Box, page K-35. From here
you can edit an IPS monitoring interface.
Delete button: Deletes the selected IPS monitoring interfaces from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
IPS Monitoring Information Dialog Box
Use the IPS Monitoring Information dialog box to add or edit the properties of
AIM-IPS interfaces.
Navigation Path
Go to the AIM-IPS Interface Settings Page, page K-34, then click the Add or Edit
button beneath the AIM-IPS Service Module Monitoring Settings table.
Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20
Field Reference
Table K-15 IPS Monitoring Information Dialog Box
Interface Name: A name selected from among available interfaces.
Select button: Opens the Interface Selector dialog box.
Monitoring Mode: Inline or Promiscuous. Inline mode puts the AIM-IPS directly into the traffic
flow, allowing it to stop attacks by dropping malicious traffic before it
reaches the intended target. In promiscuous mode, packets do not flow
through the sensor; the sensor analyzes a copy of the monitored traffic rather
than the actual forwarded packet.
Access List: Optional. Used to configure a standard monitoring access list on the router
and apply that access list to filter traffic for inspection. Traffic that matches
the ACL is not inspected. More information on the
options for the access-list command is available in the Cisco IOS Command
Reference.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Dialer Policy Page
Use the Dialer page to define the relationship between physical Basic Rate
Interface (BRI) and virtual dialer interfaces. You use these dialer interfaces when
you configure the dial backup feature for site-to-site VPNs.
For more information, see Dialer Interfaces on Cisco IOS Routers, page 15-33.
Navigation Path
• (Device view) Select Interfaces > Settings > Dialer from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > Dialer from the Policy
Type selector. Right-click Dialer to create a policy, or select an existing
policy from the Shared Policy selector.
Related Topics
• Configuring Dial Backup, page 10-37
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-16 Dialer Page
Dialer Profiles table
Filter: Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface: The interface role that the dialer interface uses.
Profile Name: The name of the dialer profile.
Dial Pool: The dialing pool that this dialer profile uses.
Dial Group: The dialer group that this dialer profile uses.
Interesting Traffic ACL: The ACL that defines which traffic can use this dialer profile.
Dial String: The phone number that the dialer calls.
Idle Timeout: The defined interval after which an uncontested idle line is disconnected.
Fast Idle: The defined interval after which a contested idle line is disconnected.
Add button: Opens the Dialer Profile Dialog Box, page K-38. From here you can define
a dialer profile.
Edit button: Opens the Dialer Profile Dialog Box, page K-38. From here you can edit the
selected dialer profile.
Delete button: Deletes the selected dialer profiles from the table.
Dialer Physical Interfaces (BRI) table
Filter: Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface: The name of the interface role that the physical interface uses.
Table K-16 Dialer Page (Continued)
Pools: The dial pools related to this physical interface.
Switch Type: The ISDN switch type that the physical interface uses.
SPID1: The first service provider identifier (SPID) related to this interface.
SPID2: The second SPID related to this interface.
Add button: Opens the Dialer Physical Interface Dialog Box, page K-40. From here you
can define a dialer physical interface.
Edit button: Opens the Dialer Physical Interface Dialog Box, page K-40. From here you
can edit the selected dialer physical interface.
Delete button: Deletes the selected dialer physical interfaces from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
Dialer Profile Dialog Box
Use the Dialer Profile dialog box to add or edit dialer profiles.
Navigation Path
Go to the Dialer Policy Page, page K-36, then click the Add or Edit button
beneath the Dialer Profile table.
Related Topics
• Dialer Physical Interface Dialog Box, page K-40
• Defining Dialer Profiles, page 15-34
• Dialer Interfaces on Cisco IOS Routers, page 15-33
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
Field Reference
Table K-17 Dialer Profile Dialog Box
Name: A descriptive name for the dialer profile. This name enables you to assign
the correct dialer pool to the physical interface. You can also use the profile
name as a reference to the site to which this dialer interface serves as a
backup.
Interface: The virtual dialer interface to associate with the dialer profile. Enter the
name of an interface or interface role, or click Select to display an Object
Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
Pool ID: The dialer pool ID. Each pool can contain multiple physical interfaces and
can be associated with multiple dialer interfaces. Each dialer interface,
however, is associated with only one pool.
Group: The group ID, which identifies the dialer group that this dialer interface uses.
Interesting Traffic ACL: The extended, numbered ACL that defines which packets are permitted to
initiate calls using this dialer profile.
Enter the name of an extended, numbered ACL object, or click Select to
display an Object Selectors, page F-593. The valid ACL number range is 100
to 199.
If the extended ACL you want is not listed, click the Create button in the
selector to display the Extended Tab, page F-32. From here you can create
an ACL object.
Dialer String (Remote Phone Number): The phone number of the destination that the dialer contacts.
Idle Timeout: The default amount of idle time before an uncontested line is disconnected.
The default is 120 seconds.
Table K-17 Dialer Profile Dialog Box (Continued)
Fast Idle Timeout: The default amount of idle time before a contested line is disconnected. The
default is 20 seconds.
Line contention occurs when a busy line is requested to send another packet
to a different destination.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Dialer Physical Interface Dialog Box
Use the Dialer Physical Interface dialog box to add or edit the properties that
associate physical BRI interfaces with dialer interfaces.
Note: Use FlexConfigs to define other types of physical dialer interfaces, such as ATM
and Ethernet. For more information, see Understanding FlexConfig Objects,
page 9-52.
Navigation Path
Go to the Dialer Policy Page, page K-36, then click the Add or Edit button
beneath the Dialer Physical Interfaces table.
Related Topics
• Dialer Profile Dialog Box, page K-38
• Defining BRI Interface Properties, page 15-36
• Dialer Interfaces on Cisco IOS Routers, page 15-33
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
Field Reference
Table K-18 Dialer Physical Interface Dialog Box
ISDN BRI: The physical BRI interface associated with the dialer interface. Enter the
name of an interface or interface role, or click Select to display an Object
Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
Pools: Associates dialer pools with a physical interface. Enter the names of one or
more pools (as defined in the Dialer Profile Dialog Box, page K-38), or click
Select to display a selector. Use commas to separate multiple entries.
SPID1: Applies only when you select Basic-DMS-100, Basic-NI, or Basic-5ess as
the switch type.
The service provider identifier (SPID) for the ISDN service to which the
interface subscribes. Some service providers in North America assign SPIDs
to ISDN devices when you first subscribe to an ISDN service. If you are
using a service provider that requires SPIDs, your ISDN device cannot place
or receive calls until it sends a valid assigned SPID to the service provider
when accessing the switch to initialize the connection.
Valid SPIDs can contain up to 20 characters, including spaces and special
characters.
Note: We recommend that you do not enter a SPID for interfaces using the
AT&T 5ESS switch type, even though they are supported.
SPID2: Applies only when you select DMS-100 or NI as the switch type.
The service provider identifier (SPID) for a second ISDN service to which
the interface subscribes. Valid SPIDs can contain up to 20 alphanumeric
characters (no spaces are permitted).
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
ADSL Policy Page
Use the ADSL page to create, edit, and delete ADSL definitions on the ATM
interfaces of the router. For more information, see Defining ADSL Settings,
page 15-40.
Navigation Path
• (Device view) Select Interfaces > Settings > DSL > ADSL from the Policy
selector.
• (Policy view) Select Router Interfaces > Settings > DSL > ADSL from the
Policy Type selector. Right-click ADSL to create a policy, or select an
existing policy from the Shared Policy selector.
Related Topics
• PVC Policy Page, page K-54
• SHDSL Policy Page, page K-47
• ADSL on Cisco IOS Routers, page 15-38
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-19 ADSL Page
Filter: Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
ATM Interface: The ATM interface on which ADSL settings are defined.
Interface Card: The type of device or ADSL interface card on which the ATM interface
resides.
Bandwidth Change: Indicates whether the router makes dynamic adjustments to VC bandwidth
as overall bandwidth changes. (This is relevant only when IMA groups are
configured on the ATM interface.)
DSL Operating Mode: The DSL operating mode for this interface.
Tone Low: Indicates whether the interface is using the low tone set (carrier tones 29
through 48).
Add button: Opens the ADSL Settings Dialog Box, page K-44. From here you can define
the ADSL settings for a selected ATM interface.
Edit button: Opens the ADSL Settings Dialog Box, page K-44. From here you can edit
the selected ADSL definition.
Delete button: Deletes the selected ADSL definition from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
ADSL Settings Dialog Box
Use the ADSL Settings dialog box to configure ADSL settings on a selected ATM
interface.
Note: When you configure ADSL settings, we highly recommend that you select the
type of device or interface card on which the ATM interface is defined. ADSL
settings are highly dependent on the hardware. Defining the hardware type in
Security Manager enables proper validation of your configuration for a successful
deployment to your devices.
Navigation Path
Go to the ADSL Policy Page, page K-42, then click the Add or Edit button
beneath the table.
Related Topics
• Defining ADSL Settings, page 15-40
• PVC Policy Page, page K-54
Field Reference
Table K-20 ADSL Settings Dialog Box
ATM Interface: The ATM interface on which ADSL settings are defined. Enter the name of
an interface or interface role, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can define an interface role object.
Note: We recommend that you do not define an interface role that includes
ATM interfaces from different interface cards. The different settings
supported by each card type may cause deployment to fail.
Note: You can create only one ADSL definition per interface.
Interface Card: The device type or the type of interface card installed on the router:
• [blank]—The interface card type is not defined.
• WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL
over POTS (ordinary telephone lines).
• WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides
ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the
router warns the DSLAM of imminent line drops when the router is
about to lose power.)
OL-16066-01
• WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides
ADSL over POTS with Dying Gasp support.
• HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that
provides ADSL over POTS.
• HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that
provides ADSL over ISDN.
• HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card
that provides ADSL over POTS with an ISDN BRI port for backup.
• HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card
that provides ADSL over ISDN with an ISDN BRI port for backup.
User Guide for Cisco Security Manager 3.2
K-45
ADSL Policy Page
Table K-20ADSL Settings Dialog Box (Continued)
Appendix K Router Platform User Interface Reference
Interface Card
(continued)
Allow bandwidth
change on ATM PVCs
• 857 ADSL—Cisco 857 Integrated Service Router with an ADSL
interface.
• 876 ADSL—Cisco 876 Integrated Services Router with an ADSL
interface.
• 877 ADSL—Cisco 877 Integrated Services Router with an ADSL
interface.
• 1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that
provides ADSL over POTS.
• 1802 ADSLoISDN—Cisco 1802 Integrated Services Router that
provides ADSL over ISDN.
NoteWhen discovering from a live device, the correct interface card type
will already be displayed. If you did not perform discovery on a live
device, or if Security Manager cannot detect the type of interface
card installed on the device, this field displays “Unknown”.
When selected, the router makes dynamic adjustments to VC bandwidth in
response to changes in the overall bandwidth of the Inverse Multiplexing
over ATM (IMA) group defined on the ATM interface.
When deselected, PVC bandwidth must be adjusted manually (using the
CLI) whenever an individual physical link in the IMA group goes up or
down.
DSL Operating Mode: The operating mode configured for this ADSL line:
• auto—Performs automatic negotiation with the DSLAM located at the central office (CO). This is the default.
• ansi-dmt—The line trains in ANSI T1.413 Issue 2 mode.
• itu-dmt—The line trains in G.992.1 mode.
• splitterless—The line trains in G.992.2 (G.Lite) mode.
• etsi—The line trains in ETSI (European Telecommunications Standards Institute) mode.
• adsl2—The line trains in G.992.3 (adsl2) mode.
• adsl2+—The line trains in G.992.5 (adsl2+) mode.
Note: See Table 15-3 on page 15-39 for a description of the operating modes that are supported by each card type.
Use low tone set: When selected, the interface card uses carrier tones 29 through 48.
When deselected, the interface card uses carrier tones 33 through 56.
Note: Leave this option deselected when the interface card is operating in accordance with Deutsche Telekom specification U-R2.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
SHDSL Policy Page
Use the SHDSL page to create, edit, and delete DSL controller definitions on the
router. For more information, see Defining SHDSL Controllers, page 15-44.
Navigation Path
• (Device view) Select Interfaces > Settings > DSL > SHDSL from the Policy
selector.
• (Policy view) Select Router Interfaces > Settings > DSL > SHDSL from the
Policy Type selector. Right-click SHDSL to create a policy, or select an
existing policy from the Shared Policy selector.
Related Topics
• PVC Policy Page, page K-54
• ADSL Policy Page, page K-42
• SHDSL on Cisco IOS Routers, page 15-43
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-21 SHDSL Page
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Name: The name of the DSL controller.
Description: An optional description of the controller.
Shutdown: Indicates whether the DSL controller is in shutdown mode.
Configure ATM Mode: Indicates whether the DSL controller has been set into ATM mode.
Line Termination: The line termination set for the router (CPE or CO).
DSL Mode: The operating mode defined for the DSL controller.
Line Mode: The line mode defined for the DSL controller.
Line Rate: The line rate (in kbps) defined for the DSL controller.
Note: A value is displayed in this column only if the line mode is not set to Auto.
SNR Margin Current: The current signal-to-noise ratio on the controller.
SNR Margin Snext: The self near-end crosstalk (Snext) signal-to-noise ratio on the controller.
Add button: Opens the SHDSL Controller Dialog Box, page K-49. From here you can define the settings for a DSL controller.
Edit button: Opens the SHDSL Controller Dialog Box, page K-49. From here you can edit the selected DSL controller definition.
Delete button: Deletes the selected DSL controller definition from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.
SHDSL Controller Dialog Box
Use the SHDSL Controller dialog box to configure SHDSL controllers.
Navigation Path
Go to the SHDSL Policy Page, page K-47, then click the Add or Edit button
beneath the table.
Related Topics
• Defining SHDSL Controllers, page 15-44
• PVC Policy Page, page K-54
• Discovering Policies on Devices Already in Security Manager, page 7-10
Field Reference
Table K-22 SHDSL Dialog Box
Element: Description
Name: The name of the controller. Enter a name manually, or click Select to display a dialog box for generating a name. See Controller Auto Name Generator Dialog Box, page K-53.
Description: Additional information about the controller (up to 80 characters).
Shutdown: When selected, the DSL controller is in shutdown state. However, its definition is not deleted.
When deselected, the DSL controller is enabled. This is the default.
Configure ATM mode: When selected, sets the controller into ATM mode and creates an ATM interface with the same ID as the controller. This is the default. You must enable ATM mode and then perform rediscovery to configure ATM or PVCs on the device.
When deselected, ATM mode is disabled. No ATM interface is created on deployment.
Note: You cannot remove ATM mode from a controller after it has been saved in Security Manager.
Line Termination: The line termination that is set for the router:
• CPE—Customer premises equipment. This is the default.
• CO—Central office.
DSL Mode: The DSL operating mode, including regional operating parameters, used by the controller:
• [blank]—The operating mode is not defined. (When deployed, the Annex A standard for North America is used.)
• A—Supports Annex A of the G.991.2 standard for North America.
• A-B—Supports Annex A or Annex B. Available only when the Line Term is set to CPE. The appropriate mode is selected when the line trains.
• A-B-ANFP—Supports Annex A or Annex B-ANFP. Available only when the Line Term is set to CPE. The appropriate mode is selected when the line trains.
• B—Supports Annex B of the G.991.2 standard for Europe.
• B-ANFP—Supports Annex B-ANFP (Access Network Frequency Plan).
Note: The available DSL modes are dependent on the selected line termination.
Line Mode settings
Line Mode: The line mode used by the controller:
• auto—The controller operates in the same mode as the other line termination (2-wire line 0, 2-wire line 1, or 4-wire enhanced). This is the default for CPE line termination.
• 2-wire—The controller operates in two-wire mode. This is the default for CO line termination.
• 4-wire—The controller operates in four-wire mode.
Note: You can select Auto only when you configure the controller as the CPE.
Line: Applies only when the Line Mode is defined as 2-wire.
The pair of wires to use:
• line-zero—RJ-11 pin 1 and pin 2. This is the default for CO line termination.
• line-one—RJ-11 pin 3 and pin 4.
Exchange Handshake: Applies only when the Line Mode is defined as 4-wire.
The type of handshake mode to use:
• [blank]—The handshake mode is not specified. (When deployed, the enhanced option is used.) This is the default.
• enhanced—Exchanges handshake status on both wire pairs.
• standard—Exchanges handshake status on the master wire pair only.
Line Rate: Does not apply when the Line Mode is defined as Auto.
The DSL line rate (in kbps) available for the SHDSL port:
• auto—The controller selects the line rate. This is available only in
Note: Third-party equipment may use a line rate that includes an additional SHDSL overhead of 8 kbps for 2-wire mode or 16 kbps for 4-wire mode.
SNR Margin settings
Current: The current signal-to-noise ratio (SNR) on the controller, in decibels (dB). Valid values range from -10 to 10 dB.
This option can produce a more stable line by requiring the line to train at more than the current noise margin plus the SNR threshold. If any external noise applied to the line is less than the configured SNR margin, the line remains stable.
Note: Select disable to disable the current SNR.
Snext: The Self Near-End Crosstalk (SNEXT) signal-to-noise ratio on the controller, in decibels. Valid values range from -10 to 10 dB.
This option can produce a more stable line by requiring the line to train at more than the SNEXT threshold. If any external noise applied to the line is less than the configured SNEXT margin, the line remains stable.
Note: Select disable to disable the SNEXT SNR.
SHDSL dialog box buttons
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
Controller Auto Name Generator Dialog Box
Use the Controller Auto Name Generator dialog box to have Security Manager
generate a name for the DSL controller based on its location in the router.
Navigation Path
Go to the SHDSL Controller Dialog Box, page K-49, then click Select in the
Name field.
Related Topics
• Defining SHDSL Controllers, page 15-44
• SHDSL Policy Page, page K-47
• PVC Policy Page, page K-54
Field Reference
Table K-23 Controller Auto Name Generator Dialog Box
Element: Description
Type: The type of interface. This field displays the value DSL and is read-only.
Card: The card related to the controller.
Slot: The slot related to the controller.
Port: The port related to the controller.
Note: The information you enter in these fields forms the remainder of the generated name, as displayed in the Result field.
Result: The name generated by Security Manager from the information you entered for the controller location. The name displayed in this field is read-only.
Tip: After closing this dialog box, you can edit the generated name in the SHDSL dialog box, if required.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
PVC Policy Page
Use the PVC page to create, edit, and delete permanent virtual connections
(PVCs) on the router. PVCs allow direct and permanent connections between sites
to provide a service that is similar to a leased line. These PVCs can be used in
ADSL, SHDSL, or pure ATM environments. For more information, see Defining
ATM PVCs, page 15-52.
Navigation Path
• (Device view) Select Interfaces > Settings > PVC from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > PVC from the Policy
Type selector. Right-click PVC to create a policy, or select an existing policy
from the Shared Policy selector.
Related Topics
• ADSL Policy Page, page K-42
• SHDSL Policy Page, page K-47
• PVCs on Cisco IOS Routers, page 15-46
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-24 PVC Page
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
ATM Interface: The ATM interface on which the PVC is defined.
Interface Card: The type of device or WAN interface card on which the ATM interface resides.
PVC ID: The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the PVC.
Settings: Additional settings configured for the PVC, including encapsulation, the number of PPPoE sessions, and the VPN service name.
QoS: Quality-of-service settings defined for the PVC, such as traffic shaping.
Protocol: The IP protocol mappings (static maps or Inverse ARP) configured for the PVC.
OAM: The F5 Operation, Administration, and Maintenance (OAM) loopback, continuity check, and AIS/RDI definitions configured for the PVC.
OAM-PVC: The OAM management cells that are configured for the PVC.
Add button: Opens the PVC Dialog Box, page K-56. From here you can define a PVC.
Edit button: Opens the PVC Dialog Box, page K-56. From here you can edit the selected PVC.
Delete button: Deletes the selected PVC from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.
PVC Dialog Box
Use the PVC dialog box to configure ATM permanent virtual circuits (PVCs).
Navigation Path
Go to the PVC Policy Page, page K-54, then click the Add or Edit button beneath
the table.
Related Topics
• Defining ATM PVCs, page 15-52
Field Reference
Table K-25 PVC Dialog Box
Element: Description
ATM Interface: The ATM interface on which the PVC is defined. Enter the name of an interface, subinterface, or interface role, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
Note: We strongly recommend not defining an interface role that includes ATM interfaces from different interface cards. The different settings supported by each card type may cause deployment to fail.
Interface Card: The type of WAN interface card installed on the router or the router type:
• [blank]—The interface card type is not defined.
• WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL over POTS (ordinary telephone lines).
• WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the router warns the DSLAM of imminent line drops when the router is about to lose power.)
• WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides ADSL over POTS with Dying Gasp support.
• HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that provides ADSL over POTS.
• HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that provides ADSL over ISDN.
• HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over POTS with an ISDN BRI port for backup.
• HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over ISDN with an ISDN BRI port for backup.
• WIC-1-SHDSL-V2—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and enhanced 4-wire mode.
• WIC-1-SHDSL-V3—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and 4-wire mode (standard & enhanced).
• NM-1A-T3—A 1-port ATM network module with a T3 link.
• NM-1A-OC3-POM—A 1-port ATM network module with an optical carrier level 3 (OC-3) link and three operating modes (multimode, single-mode intermediate reach (SMIR), and single-mode long-reach (SMLR)).
• NM-1A-E3—A 1-port ATM network module with an E3 link.
• 857 ADSL—Cisco 857 Integrated Services Router with an ADSL interface.
• 876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface.
• 877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface.
• 878 G.SHDSL—Cisco 878 Integrated Services Router with a G.SHDSL interface.
• 1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS.
• 1802 ADSLoISDN—Cisco 1802 Integrated Services Router that provides ADSL over ISDN.
• 1803 G.SHDSL—Cisco 1803 Integrated Services Router that provides 4-wire G.SHDSL.
Note: To ensure proper policy validation, we highly recommend that you define a value in this field. When you discover a live device, the correct interface card type will already be displayed. If you did not perform discovery on a live device, or if Security Manager cannot detect the type of interface card installed on the device, this field displays “Unknown”.
Settings tab: Defines basic PVC settings, such as the VPI/VCI and encapsulation. See PVC Dialog Box—Settings Tab, page K-59.
QoS tab: Defines ATM traffic shaping and other quality-of-service settings for the PVC. See PVC Dialog Box—QoS Tab, page K-63.
Protocol tab: Defines the IP protocol mappings configured for the PVC (static maps or Inverse ARP). See PVC Dialog Box—Protocol Tab, page K-67.
Advanced button: Defines F5 Operation, Administration, and Maintenance (OAM) settings for the PVC. See PVC Advanced Settings Dialog Box—OAM Tab, page K-70.
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
PVC Dialog Box—Settings Tab
Use the Settings tab of the PVC dialog box to configure the basic settings of the
PVC, including:
• ID settings.
• Encapsulation settings.
• Whether ILMI and Inverse ARP are enabled.
• The maximum number of PPPoE sessions.
• The static domain (VPN service) name to use for PPPoA.
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the Settings tab.
Related Topics
• PVC Dialog Box—QoS Tab, page K-63
• PVC Dialog Box—Protocol Tab, page K-67
• PVC Advanced Settings Dialog Box, page K-69
• Defining ATM PVCs, page 15-52
Field Reference
Table K-26 PVC Dialog Box—Settings Tab
Element: Description
PVC ID settings
VPI: The virtual path identifier of the PVC. In conjunction with the VCI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values for most platforms range from 0 to 255.
For Cisco 2600 and 3600 Series routers using Inverse Multiplexing for ATM (IMA), valid values range from 0 to 15, 64 to 79, 128 to 143, and 192 to 207.
Note: VPI/VCI values must be unique for all the PVCs configured on a selected interface. VPI/VCI values are unique to a single link only and might change as cells traverse the ATM network.
VCI: The 16-bit virtual channel identifier of the PVC. In conjunction with the VPI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values vary by platform. Typically, values up to 31 are reserved for special traffic (such as ILMI) and should not be used. 3 and 4 are invalid.
Note: VPI/VCI values must be unique for all the PVCs configured on a selected interface. VPI/VCI values are unique to a single link only and might change as cells traverse the ATM network.
Handle: An optional name to identify the PVC. The maximum length is 15 characters.
Management PVC (ILMI): Does not apply when configuring the PVC on a subinterface.
When selected, designates this PVC as the management PVC for this ATM interface by enabling communication with the Interim Local Management Interface (ILMI). ILMI is a protocol defined by the ATM Forum for setting and capturing physical layer, ATM layer, virtual path, and virtual circuit parameters on ATM interfaces. See Understanding ILMI, page 15-50.
When deselected, this PVC does not act as the management PVC. This is the default.
Note: The VPI/VCI for the management PVC is typically set to 0/16.
Encapsulation settings
Type: Does not apply when the Management PVC (ILMI) check box is enabled.
The ATM adaptation layer (AAL) and encapsulation type to use on the PVC:
• [blank]—The encapsulation type is not defined. (When deployed, aal5snap is applied.)
• aal2—For PVCs dedicated to AAL2 Voice over ATM. AAL2 is used for variable bit rate (VBR) traffic, which can be either realtime (VBR-RT) or non-realtime (VBR-NRT).
• aal5autoppp—Enables the router to distinguish between incoming PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE) sessions and create virtual access for both PPP types based on demand.
• aal5ciscoppp—For the proprietary Cisco version of PPP over ATM.
• aal5mux—Enables you to dedicate the PVC to a single protocol, as defined in the Protocol field.
• aal5nlpid—Enables ATM interfaces to work with High-Speed Serial Interfaces (HSSI) that are using an ATM data service unit (ADSU) and running ATM-Data Exchange Interface (DXI).
• aal5snap—Supports Inverse ARP and incorporates the Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) that precedes the protocol datagram. This allows multiple protocols to traverse the same PVC.
Virtual Template: The virtual template used for PPP over ATM on this PVC. Enter the name of a virtual template interface or interface role, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
When a user dials in, the virtual template is used to configure a virtual access interface. When the user is done, the virtual access interface goes down and the resources are freed for other dial-in users.
Note: If you modify the virtual template settings on an existing PVC, you must enter the shutdown command followed by the no shutdown command on the ATM subinterface to restart the interface. This causes the newly configured parameters to take effect.
Protocol: Applies only when aal5mux is the defined encapsulation type.
The protocol carried by the MUX-encapsulated PVC:
• frame-relay—Frame-Relay-ATM Network Interworking (FRF.5) on the Cisco MC3810.
• fr-atm-srv—Frame-Relay-ATM Service Interworking (FRF.8) on the Cisco MC3810.
• ip—IP protocol.
• ppp—IETF-compliant PPP over ATM. You must specify a virtual template when using this protocol type.
• voice—Voice over ATM.
Additional settings
Enable ILMI: When selected, enables ILMI management on this PVC.
When deselected, ILMI management on this PVC is disabled.
Inverse ARP: When selected, the Inverse Address Resolution Protocol (Inverse ARP) is enabled on the PVC.
When deselected, Inverse ARP is disabled. This is the default.
Inverse ARP is used to learn the Layer 3 addresses at the remote ends of established connections. These addresses must be learned before the virtual circuit can be used.
Note: Use the Protocol tab to define static mappings of IP addresses instead of dynamically learning the addresses using Inverse ARP. See PVC Dialog Box—Protocol Tab, page K-67.
PPPoE Max Sessions: The maximum number of PPP over Ethernet sessions that are permitted on the PVC.
VPN Service Name: The static domain name to use on this PVC. The maximum length is 128 characters.
Use this option when you want PPP over ATM (PPPoA) sessions in the PVC to be forwarded according to the domain name supplied, without starting PPP.
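The VPI/VCI rules stated for this tab (platform-specific VPI ranges, reserved and invalid VCIs, uniqueness of the VPI/VCI pair per interface, and the typical 0/16 management PVC) are the kind of thing worth checking in bulk before a deployment is attempted. The following Python is an added example and is not Security Manager's own validation code or any Cisco API; the Pvc class, the validate_pvcs function and the platform keys ("default" and "2600-3600-ima") are names chosen here, and the PVC list is constructed sample data with placeholder interface names.

```python
"""Pre-deployment check of ATM PVC identifiers, following the VPI/VCI rules
given for the PVC Settings tab (added example; not Security Manager code)."""
from dataclasses import dataclass

# Platform VPI ranges quoted from the Settings tab. The platform keys are
# names chosen for this example, not Security Manager device types.
VPI_RANGES = {
    "default": [(0, 255)],
    "2600-3600-ima": [(0, 15), (64, 79), (128, 143), (192, 207)],
}
VCI_MAX = 0xFFFF          # the VCI is a 16-bit field
VCI_RESERVED_MAX = 31     # values up to 31 are reserved for special traffic such as ILMI
VCI_INVALID = {3, 4}      # 3 and 4 are invalid outright
MANAGEMENT_PVC = (0, 16)  # typical VPI/VCI of the ILMI management PVC


@dataclass(frozen=True)
class Pvc:
    """One row of the PVC table: interface, VPI/VCI, and the Management PVC (ILMI) check box."""
    interface: str
    vpi: int
    vci: int
    management: bool = False


def _in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)


def validate_pvcs(pvcs, platform="default"):
    """Return a list of problem strings; an empty list means the PVC set is consistent."""
    problems = []
    seen = set()  # (interface, vpi, vci) triples already used
    ranges = VPI_RANGES[platform]
    for p in pvcs:
        tag = f"{p.interface} {p.vpi}/{p.vci}"
        if not _in_ranges(p.vpi, ranges):
            problems.append(f"{tag}: VPI {p.vpi} is outside the valid ranges for platform {platform}")
        if not 0 <= p.vci <= VCI_MAX:
            problems.append(f"{tag}: VCI {p.vci} is not a 16-bit value")
        elif p.vci in VCI_INVALID:
            problems.append(f"{tag}: VCI {p.vci} is invalid")
        elif p.vci <= VCI_RESERVED_MAX and not p.management:
            # The management PVC (typically 0/16) is the one legitimate user of a reserved VCI.
            problems.append(f"{tag}: VCI {p.vci} is reserved for special traffic such as ILMI")
        if p.management and (p.vpi, p.vci) != MANAGEMENT_PVC:
            problems.append(f"{tag}: warning, the management PVC is typically 0/16")
        # VPI/VCI must be unique per interface; the same pair on another interface is fine.
        key = (p.interface, p.vpi, p.vci)
        if key in seen:
            problems.append(f"{tag}: duplicate VPI/VCI on this interface")
        seen.add(key)
    return problems


# Constructed sample data for this example; the interface names are placeholders.
SAMPLE_PVCS = [
    Pvc("ATM0/0", 0, 16, management=True),  # ILMI management PVC
    Pvc("ATM0/0", 0, 35),
    Pvc("ATM0/0", 20, 35),                  # VPI 20: fine by default, outside the IMA ranges
    Pvc("ATM0/0", 0, 35),                   # duplicate of the second row
    Pvc("ATM0/1", 0, 35),                   # same pair on another interface: allowed
    Pvc("ATM0/1", 300, 100),                # VPI beyond 255
    Pvc("ATM0/1", 1, 4),                    # VCI 4 is invalid
    Pvc("ATM0/1", 1, 20),                   # reserved VCI on a data PVC
]

if __name__ == "__main__":
    for platform in VPI_RANGES:
        print(f"== {platform} ==")
        for line in validate_pvcs(SAMPLE_PVCS, platform):
            print(line)
```

Run against the sample set, the default platform reports four problems (the duplicate, the out-of-range VPI, VCI 4, and the reserved VCI 20); the IMA platform adds a fifth for VPI 20. The check treats a management PVC that is not 0/16 as a warning rather than an error, because the page states 0/16 as typical, not mandatory.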
PVC Dialog Box—QoS Tab
Use the QoS tab of the PVC dialog box to configure the ATM traffic shaping and
other quality-of-service settings of the PVC, including:
• The limit on packets placed on transmission rings.
• The QoS service.
• Whether random detection is enabled.
These settings regulate the flow of traffic over the PVC by queuing traffic that
exceeds the defined allowable bit rates.
Note: QoS values are highly hardware dependent. Please refer to your router
documentation for additional details about the settings that can be configured on
your device.
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the QoS tab.
Related Topics
• PVC Dialog Box—Settings Tab, page K-59
• PVC Dialog Box—Protocol Tab, page K-67
• PVC Advanced Settings Dialog Box, page K-69
• Defining ATM PVCs, page 15-52
• Quality of Service Policy Page, page K-199
• Understanding Policing and Shaping Parameters, page 15-159
Field Reference
Table K-27 PVC Dialog Box—QoS Tab
Element: Description
Tx Ring Limit: The maximum number of transmission packets that can be placed on a transmission ring on the WAN interface card (WIC) or interface.
The range of valid values depends on the type of interface card selected in the Settings tab. See PVC Dialog Box—Settings Tab, page K-59.
Traffic Shaping settings
Traffic Shaping: The type of service to define on the PVC:
• [null]—The bit rate is not defined.
• ABR—Available Bit Rate. A best-effort service suitable for applications that do not require guarantees against cell loss or delays.
• CBR—Constant Bit Rate service. Delay-sensitive data, such as voice or video, is sent at a fixed rate, providing a service similar to a leased line.
• UBR—Unspecified Bit Rate service. A best-effort service suitable for applications that are tolerant to delay and do not require realtime responses.
• UBR+—Unspecified Bit Rate service. Unlike UBR, UBR+ attempts to maintain a guaranteed minimum rate.
• VBR-NRT—Variable Bit Rate - Non-Real Time service. A service suitable for non-realtime applications that are bursty in nature. VBR is more efficient than CBR and more reliable than UBR.
• VBR-RT—Variable Bit Rate - Real Time service. A service suitable for realtime applications that are bursty in nature.
For more information about each service class, see Understanding ATM Service Classes, page 15-48.
ABR: The following fields are displayed when ABR is selected as the Bit Rate:
• PCR—The peak cell rate in kilobits per second (kbps). It specifies the maximum value of the ABR.
• MCR—The minimum cell rate in kilobits per second (kbps). It specifies the minimum value of the ABR.
The ABR varies between the MCR and the PCR. It is dynamically controlled using congestion control mechanisms.
CBR: The following field is displayed when CBR is selected as the Bit Rate:
• Rate—The constant bit rate (also known as the average cell rate) for the PVC in kilobits per second (kbps). An ATM VC configured for CBR can send cells at this rate for as long as required.
UBR: The following field is displayed when UBR is selected as the Bit Rate:
• PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.
UBR+: The following fields are displayed when UBR+ is selected as the Bit Rate:
• PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.
• MCR—The minimum guaranteed cell rate for output in kilobits per second (kbps). Traffic is always allowed to be sent at this rate.
Note: UBR+ requires Cisco IOS Software Release 12.4(2)XA or later, or version 12.4(6)T or later.
VBR-NRT: The following fields are displayed when VBR-NRT is selected as the Bit Rate:
• PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.
• SCR—The sustained cell rate for output in kilobits per second (kbps). This value, which must be lower than or equal to the PCR, represents the maximum rate at which cells can be transmitted without incurring data loss.
• MBS—The maximum burst cell size for output. This value represents the number of cells that can be transmitted above the SCR but below the PCR without penalty.
VBR-RT: The following fields are displayed when VBR-RT is selected as the Bit Rate:
• Peak Rate—The peak information rate for realtime traffic in kilobits per second (kbps).
• Average Rate—The average information rate for realtime traffic in kilobits per second (kbps). This value must be lower than or equal to the peak rate.
• Burst—The burst size for realtime traffic, in number of cells. Configure this value if the PVC carries bursty traffic.
These values configure traffic shaping between realtime traffic (such as voice and video) and data traffic to ensure that the carrier does not discard realtime traffic, for example, voice calls.
IP QoS settings
Random Detect: When selected, enables Weighted Random Early Detection (WRED) or VIP-distributed WRED (DWRED) on the PVC.
When deselected, WRED and DWRED are disabled. This is the default.
WRED is a queue management method that selectively drops packets as the interface becomes congested. See Tail Drop vs. WRED, page 15-156.
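Each service class in this table shows a different set of fields, and the table states two ordering constraints (SCR at or below PCR for VBR-NRT, Average Rate at or below Peak Rate for VBR-RT) plus the fact that ABR varies between MCR and PCR. The following Python is an added example, not Security Manager's validation logic or a Cisco API, that checks a shaping definition against those relationships; the function names (check_shaping, burst_seconds) and field keys are chosen here, the MCR-at-or-below-PCR rule for UBR+ is inferred from the field descriptions rather than stated on the page, and burst_seconds is a simplified view of burst tolerance (time at PCR before MBS cells of excess over SCR accumulate, using the 53-byte ATM cell size).

```python
"""Consistency check of ATM traffic-shaping parameters per service class, as
described for the PVC QoS tab (added example; not Security Manager code)."""

ATM_CELL_BITS = 53 * 8  # an ATM cell is 53 bytes

# Fields the QoS tab shows for each service class; rates are kbps, MBS/Burst are cells.
# The field keys are names chosen for this example.
SHAPING_FIELDS = {
    "ABR": ("pcr", "mcr"),
    "CBR": ("rate",),
    "UBR": ("pcr",),
    "UBR+": ("pcr", "mcr"),
    "VBR-NRT": ("pcr", "scr", "mbs"),
    "VBR-RT": ("peak_rate", "average_rate", "burst"),
}

# (lower field, upper field) pairs that must satisfy lower <= upper.
ORDERING_RULES = {
    "ABR": ("mcr", "pcr"),                    # the ABR varies between MCR and PCR
    "UBR+": ("mcr", "pcr"),                   # inferred: a guaranteed minimum cannot exceed the peak
    "VBR-NRT": ("scr", "pcr"),                # SCR must be lower than or equal to PCR
    "VBR-RT": ("average_rate", "peak_rate"),  # average must be lower than or equal to peak
}


def check_shaping(service, **params):
    """Return a list of problems for one PVC's shaping definition; empty means consistent."""
    if service is None:
        return []  # "[null]": no bit rate defined, nothing to check
    if service not in SHAPING_FIELDS:
        return [f"unknown service class {service!r}"]
    expected = SHAPING_FIELDS[service]
    problems = []
    missing = [f for f in expected if f not in params]
    extra = [f for f in params if f not in expected]
    if missing:
        problems.append(f"{service}: missing {', '.join(missing)}")
    if extra:
        problems.append(f"{service}: {', '.join(extra)} not shown for this service class")
    for name, value in params.items():
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            problems.append(f"{service}: {name} must be a positive integer")
    if problems:
        return problems  # ordering rules only make sense on a complete, well-typed set
    rule = ORDERING_RULES.get(service)
    if rule and params[rule[0]] > params[rule[1]]:
        low, high = rule
        problems.append(
            f"{service}: {low} {params[low]} kbps must be lower than or equal to {high} {params[high]} kbps"
        )
    return problems


def kbps_to_cells_per_second(kbps):
    """Convert a rate given in kbps into ATM cells per second."""
    return kbps * 1000 / ATM_CELL_BITS


def burst_seconds(mbs, pcr, scr):
    """Seconds a VBR-NRT PVC can stay at PCR before MBS cells of excess over SCR
    have accumulated. A simplified view of burst tolerance used in this example."""
    excess = kbps_to_cells_per_second(pcr - scr)
    if excess <= 0:
        raise ValueError("PCR must exceed SCR for a burst to exist")
    return mbs / excess


if __name__ == "__main__":
    # Constructed sample definitions; the first is consistent, the rest are not.
    for svc, p in [("VBR-NRT", dict(pcr=2000, scr=1000, mbs=100)),
                   ("VBR-NRT", dict(pcr=1000, scr=2000, mbs=100)),
                   ("UBR+", dict(pcr=256)),
                   ("CBR", dict(rate=0))]:
        print(svc, p, check_shaping(svc, **p) or "ok")
    print("burst at PCR lasts", round(burst_seconds(100, 2000, 1000), 4), "s")
```

With PCR 2000 kbps, SCR 1000 kbps and MBS 100 cells, the excess over SCR is about 2358 cells per second, so the burst is exhausted after roughly 0.0424 seconds; that is the number to weigh against the burstiness of the realtime or data traffic the PVC carries.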
PVC Dialog Box—Protocol Tab
Use the Protocol tab of the PVC dialog box to add, edit, or delete the protocol
mappings configured for the PVC. You may configure static mappings or Inverse
ARP (broadcast or nonbroadcast) for each PVC, but not both.
Note: IP is the only protocol supported by Security Manager for protocol mapping on
ATM networks.
Note: You cannot define protocol mappings on the Management PVC (ILMI).
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the Protocol tab.
Related Topics
• PVC Dialog Box—Settings Tab, page K-59
• PVC Dialog Box—QoS Tab, page K-63
• PVC Advanced Settings Dialog Box, page K-69
• Defining ATM PVCs, page 15-52
Field Reference
Table K-28 PVC Dialog Box—Protocol Tab
Element / Description
IP Protocol Mapping
Displays the IP protocol mappings configured for the PVC.
Add button
Opens the Define Mapping Dialog Box, page K-68. From here you can
define an IP protocol mapping.
Edit button
Opens the Define Mapping Dialog Box, page K-68. From here you can edit
the selected mapping.
Delete button
Deletes the selected mapping from the table.
Define Mapping Dialog Box
Use the Define Mapping dialog box to configure the IP protocol mappings to use
on the ATM PVC. Mappings are required by the PVC to discover which IP address
is reachable at the other end of a connection. Mappings can either be learned
dynamically using Inverse ARP (InARP) or defined statically. Static mappings are
best suited for simple networks that contain only a few nodes.
Note: Inverse ARP is only supported for the aal5snap encapsulation type. See PVC
Dialog Box—Settings Tab, page K-59.
Tip: Use the CLI or FlexConfigs to configure mappings for protocols other than IP.
Navigation Path
Go to the PVC Dialog Box—Protocol Tab, page K-67, then click Add or Edit.
Related Topics
• PVC Dialog Box, page K-56
• Defining ATM PVCs, page 15-52
Field Reference
Table K-29 Define Mapping Dialog Box
Element / Description
IP Options
The type of IP protocol mapping to use:
• IP Address—Select this option when using static mapping. Enter the
address or network/host object, or click Select to display an object
selector (see Object Selectors, page F-593).
If the network you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-477. From
here, you can define a network/host object.
• InARP—Inverse ARP. Select this option when using dynamic mapping.
This allows the PVC to resolve its own network addresses without
configuring a static map. Dynamic mappings age out and are refreshed
periodically every 15 minutes by default.
Note: InARP can be used only when aal5snap is the defined encapsulation
type for the PVC. See PVC Dialog Box—Settings Tab, page K-59.
Broadcast Options
Indicates whether to use this map entry when sending IP broadcast packets
(such as EIGRP updates):
• Broadcast—The map entry is used for broadcast packets.
• No Broadcast—The map entry is used only for unicast packets.
• None—Broadcast options are disabled.
OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
PVC Advanced Settings Dialog Box
Use the PVC Advanced Settings dialog box to configure F5 Operation,
Administration, and Maintenance (OAM) functionality on an ATM PVC. OAM is
used to detect connectivity failures at the ATM layer.
For more information, see Defining OAM Management on ATM PVCs,
page 15-56.
Navigation Path
Go to the PVC Dialog Box, page K-56, then click Advanced.
Related Topics
• PVC Policy Page, page K-54
Field Reference
Table K-30 PVC Advanced Settings Dialog Box
Element / Description
OAM tab
Defines loopback, connectivity check, and AIS/RDI settings. See PVC
Advanced Settings Dialog Box—OAM Tab, page K-70.
OAM-PVC tab
Enables OAM loopbacks and connectivity checks on the PVC. See PVC
Advanced Settings Dialog Box—OAM-PVC Tab.
PVC Advanced Settings Dialog Box—OAM Tab
Use the OAM tab of the PVC Advanced Settings dialog box to define the
loopback, connectivity check, and AIS/RDI settings for the PVC.
Field Reference
Element / Description
Enable OAM Retry
When selected, OAM management settings can be defined.
When deselected, OAM management settings cannot be defined.
Note: If Enable OAM Management is deselected in the OAM-PVC tab,
these settings are saved in the device configuration but are not
applied.
Down Count
The number of consecutive, unreceived, end-to-end loopback cell responses
that cause the PVC to move to the down state. The default is 3.
Up Count
The number of consecutive end-to-end loopback cell responses that must be
received in order to move the PVC to the up state. The default is 5.
Retry Frequency
The interval between loopback cell verification transmissions in seconds.
The default is 1 second.
If a PVC is up and a loopback cell response is not received within the
specified interval (as defined in the Frequency field of the PVC-OAM tab),
loopback cells are transmitted at the frequency defined here to verify
whether the PVC is down. If the number of consecutive cells that do not
receive a response matches the defined down count, the PVC is moved to the
down state.
AIS/RDI settings
When selected, alarm indication signal (AIS) cells and remote defect
indication (RDI) cells are used to report connectivity failures at the ATM
layer of the PVC.
When deselected, AIS/RDI cells are disabled.
AIS cells notify downstream devices of the connectivity failure. The last
ATM switch then generates RDI cells in the upstream direction towards the
device that sent the original failure notification.
Down Count
The number of consecutive AIS/RDI cells that cause the PVC to go down.
Valid values range from 1 to 60. The default is 1.
Up Count
The number of seconds after which a PVC is brought up if no AIS/RDI cells
are received. Valid values range from 3 to 60 seconds. The default is 3.
Segment Continuity Check settings
Enable Segment Continuity Check
When selected, OAM F5 continuity check (CC) activation and deactivation
requests are sent to a device at the other end of a segment.
When deselected, segment CC activation and deactivation requests are
disabled.
Note: If Configure Continuity Check is deselected in the OAM-PVC tab,
these settings are saved in the device configuration but are not
applied.
Activation Count
The maximum number of times that the activation request is sent before the
receipt of an acknowledgement. Valid values range from 3 to 600. The
default is 3.
Deactivation Count
The maximum number of times that the deactivation request is sent before
the receipt of an acknowledgement. Valid values range from 3 to 600. The
default is 3.
Retry Frequency
The interval between activation/deactivation retries, in seconds. The default
is 30 seconds.
End-to-End Continuity Check settings
When selected, OAM F5 continuity check (CC) activation and deactivation
requests are sent to a device at the other end of the PVC.
When deselected, segment CC activation and deactivation requests are
disabled.
Note: If Configure Continuity Check is deselected in the OAM-PVC tab,
these settings are saved in the device configuration but are not
applied.
Activation Count
The maximum number of times that the activation request is sent before the
receipt of an acknowledgement. Valid values range from 3 to 600. The
default is 3.
Deactivation Count
The maximum number of times that the deactivation request is sent before
the receipt of an acknowledgement. Valid values range from 3 to 600. The
default is 3.
Retry Frequency
The interval between activation/deactivation retries, in seconds. The default
is 30 seconds.
PVC Advanced Settings Dialog Box—OAM-PVC Tab
Use the OAM-PVC tab of the PVC Advanced Settings dialog box to enable
loopback cells and connectivity checks (CCs) on the PVC. These functions test
the connectivity of the virtual connection.
For more information, see Defining OAM Management on ATM PVCs,
page 15-56.
Note: Use the OAM tab to define additional settings related to the settings on this tab.
See PVC Advanced Settings Dialog Box—OAM Tab, page K-70.
Navigation Path
Go to the PVC Advanced Settings Dialog Box, page K-69, then click the OAM-PVC tab.
Field Reference
Element / Description
Enable OAM Management
When selected, OAM loopback cell generation and OAM management are
enabled on the PVC.
When deselected, OAM loopback cells and OAM management are disabled.
However, continuity checks can still be performed.
Frequency
The interval between loopback cell transmissions. Valid values range from 0
to 600 seconds.
Segment Continuity Check settings
Segment Continuity Check
The current configuration of OAM F5 continuity checks performed on PVC
segments:
• None—Segment continuity checks (CC) are disabled.
• Deny Activation Requests—The PVC rejects activation requests from
peer devices, which prevents OAM F5 CC management from being
activated on the PVC.
• Configure Continuity Check—Segment CCs are enabled on the PVC.
The router on which CC management is configured sends a CC
activation request to the router at the other end of the segment, directing
it to act as either a source or a sink.
Segment CCs occur on a PVC segment between the router and a first-hop
ATM switch.
Direction
Applies only when CC management is enabled.
The direction in which CC cells are transmitted:
• both—CC cells are transmitted in both directions.
• sink—CC cells are transmitted toward the router that initiated the CC
activation request.
• source—CC cells are transmitted away from the router that initiated the
CC activation request.
Keep VC up after segment failure
When selected, the PVC is kept in the up state when CC cells detect
connectivity failure.
When deselected, the PVC is brought down when CC cells detect
connectivity failure.
Keep VC up after end-to-end failure
When selected, specifies that if AIS/RDI cells are received, the PVC is not
brought down because of end CC failure or loopback failure.
When deselected, the PVC is brought down because of end CC failure or
loopback failure.
End-to-End Continuity Check settings
End-to-End Continuity Check
The current configuration of OAM F5 end-to-end continuity checks on the
PVC:
• None—End-to-end continuity checks (CC) are disabled.
• Deny Activation Requests—The PVC rejects activation requests from
peer devices, which prevents OAM F5 CC management from being
activated on the PVC.
• Configure Continuity Check—End-to-end CCs are enabled on the PVC.
The router on which CC management is configured sends a CC
activation request to the router at the other end of the connection,
directing it to act as either a source or a sink.
End-to-end CC monitoring is performed on the entire PVC between two
ATM end stations.
Direction
Applies only when CC management is enabled.
The direction in which CC cells are transmitted:
• both—CC cells are transmitted in both directions.
• sink—CC cells are transmitted toward the router that initiated the CC
activation request.
• source—CC cells are transmitted away from the router that initiated the
CC activation request.
Keep VC up after end-to-end failure
When selected, the PVC is kept in the up state when CC cells detect
connectivity failure.
When deselected, the PVC is brought down when CC cells detect
connectivity failure.
Keep VC up after segment failure
When selected, specifies that if AIS/RDI cells are received, the PVC is not
brought down because of a segment CC failure.
When deselected, the PVC is brought down because of a segment CC failure.
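To make the interaction between Frequency (OAM-PVC tab) and Retry Frequency, Down Count and Up Count (OAM tab) concrete, here is an added Python simulation of the loopback state machine those fields drive. It is not Security Manager or IOS code. The assumption that a PVC in the down state keeps sending verification cells at the retry frequency until Up Count consecutive responses arrive, and the 10-second Frequency in the sample run, are this example's own.

```python
"""OAM F5 loopback state machine for one ATM PVC.

Added example, not Security Manager or IOS code. It simulates the fields on
the PVC Advanced Settings dialog: Frequency (OAM-PVC tab) while the PVC is
healthy, then Retry Frequency, Down Count and Up Count (OAM tab) once a
loopback response goes missing. Assumed here: a PVC that is down keeps
sending verification cells at the retry frequency until Up Count
consecutive responses arrive. All timings below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class OamLoopbackMonitor:
    frequency: float               # seconds between loopback cells while healthy (OAM-PVC tab)
    retry_frequency: float = 1.0   # seconds between verification cells (OAM tab, default 1)
    down_count: int = 3            # consecutive missed responses that declare the PVC down (default 3)
    up_count: int = 5              # consecutive responses that bring the PVC back up (default 5)
    is_up: bool = True
    consecutive_missed: int = 0
    consecutive_received: int = 0
    events: List[str] = field(default_factory=list)

    def next_send_delay(self) -> float:
        """Delay before the next loopback cell: the healthy interval while the
        PVC is up with no outstanding miss, otherwise the retry interval."""
        if self.is_up and self.consecutive_missed == 0:
            return self.frequency
        return self.retry_frequency

    def observe(self, response_received: bool) -> bool:
        """Record the outcome of one loopback cell; return True if the PVC is up."""
        if response_received:
            self.consecutive_missed = 0
            self.consecutive_received += 1
            if not self.is_up and self.consecutive_received >= self.up_count:
                self.is_up = True
                self.events.append("up")
        else:
            self.consecutive_received = 0
            self.consecutive_missed += 1
            if self.is_up and self.consecutive_missed >= self.down_count:
                self.is_up = False
                self.events.append("down")
        return self.is_up


def run_timeline(monitor: OamLoopbackMonitor, outcomes: List[bool]) -> List[Tuple[float, bool]]:
    """Feed loopback outcomes (True = response received) and return
    (send time, PVC state) after each cell."""
    now = 0.0
    trace = []
    for ok in outcomes:
        now += monitor.next_send_delay()
        trace.append((round(now, 3), monitor.observe(ok)))
    return trace


def worst_case_detection_seconds(frequency: float, retry_frequency: float, down_count: int) -> float:
    """Longest time between a silent failure and the PVC being declared down:
    up to one healthy interval until the first probe, then the remaining
    probes at the retry interval."""
    return frequency + (down_count - 1) * retry_frequency


if __name__ == "__main__":
    monitor = OamLoopbackMonitor(frequency=10.0)
    # two healthy probes, then the path fails for three probes and recovers
    sample = [True, True, False, False, False, True, True, True, True, True, True]
    for when, up in run_timeline(monitor, sample):
        print(f"t={when:5.1f}s  pvc {'up' if up else 'DOWN'}")
    print("events:", monitor.events)
```

The sample run declares the PVC down at t=32 s (first miss at 30 s, two retries one second apart) and brings it back up at t=37 s after five consecutive responses, after which probing returns to the 10-second healthy interval. worst_case_detection_seconds shows why Retry Frequency matters: with the defaults (Down Count 3, Retry Frequency 1 s) a failure is declared roughly two seconds after the first missed response, whatever Frequency is set to.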
PPP/MLP Policy Page
Use the PPP/MLP page to create, edit, and delete PPP connections on the router.
For more information, see Defining PPP Connections, page 15-61.
Navigation Path
• (Device view) Select Interfaces > Settings > PPP/MLP from the Policy
selector.
• (Policy view) Select Router Interfaces > Settings > PPP/MLP from the
Policy Type selector. Right-click PPP/MLP to create a policy, or select an
existing policy from the Shared Policies selector.
Related Topics
• PPP on Cisco IOS Routers, page 15-58
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-33 PPP/MLP Page
Element / Description
Filter
Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface
The interface that is configured for PPP/MLP.
Authentication
The types of authentication used on the PPP connection.
Authorization
The method list used for AAA authorization on the PPP connection.
Multilink
Indicates whether Multilink PPP (MLP) is enabled on this PPP connection.
Endpoint
The type of default endpoint discriminator to use when negotiating the use
of MLP with the peer.
Multiclass
Indicates whether the Multiclass Multilink PPP (MCMP) feature is enabled
on this PPP connection.
Group
The number of the multilink-group interface to which the physical link is
restricted.
Interleave
Indicates whether the PPP multilink interleave feature is enabled on this PPP
connection.
Add button
Opens the PPP Dialog Box, page K-78. From here you can define the
authentication and multilink settings for the PPP connection.
Edit button
Opens the PPP Dialog Box, page K-78. From here you can edit the selected
PPP connection.
Delete button
Deletes the selected PPP connection from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
PPP Dialog Box
Use the PPP dialog box to configure PPP connections on the router. When you
configure a PPP connection, you can define the type of authentication and
authorization to perform and define multilink parameters.
Navigation Path
Go to the PPP/MLP Policy Page, page K-76, then click the Add or Edit button
beneath the table.
Related Topics
• Defining PPP Connections, page 15-61
Field Reference
Table K-34 PPP Dialog Box
Element / Description
Interface
The interface on which PPP encapsulation is enabled. Enter the name of an
interface or interface role, or click Select to display an object selector (see
Object Selectors, page F-593).
The following interface types support PPP:
• Async
• Group-Async
• Serial
• High-Speed Serial Interface (HSSI)
• Dialer
• BRI, PRI (ISDN)
• Virtual template
• Multilink
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
You cannot define PPP on:
• Subinterfaces.
• Serial interfaces with Frame Relay encapsulation.
• Virtual template interfaces defined as Ethernet or tunnel types (serial is
supported).
Note: You can define only one PPP connection per interface.
Note: Deployment might fail if you define PPP on a virtual template that is
also used in an 802.1x policy. See 802.1x Policy Page, page K-179.
PPP tab
Defines the type of authentication and authorization to perform on the PPP
connection. See PPP Dialog Box—PPP Tab, page K-80.
Table K-34 PPP Dialog Box (Continued)
MLP tab
Defines how to split and recombine sequential datagrams across multiple
logical data links using Multilink PPP (MLP). See PPP Dialog Box—MLP
Tab, page K-84.
OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
PPP Dialog Box—PPP Tab
Use the PPP tab of the PPP dialog box to define the types of authentication and
authorization to perform on the PPP connection.
Navigation Path
Go to the PPP Dialog Box, page K-78, then click the PPP tab.
Related Topics
• PPP Dialog Box—MLP Tab, page K-84
Field Reference
Table K-35 PPP Dialog Box—PPP Tab
Element / Description
Authentication settings
PPP Encapsulation
When selected, indicates that PPP encapsulation is enabled for the selected
interface. This field is read-only.
• MS-CHAP—Version 1 of the Microsoft version of CHAP (RFC 2433).
• MS-CHAP-2—Version 2 of the Microsoft version of CHAP (RFC
2759).
• EAP—Extensible Authentication Protocol.
You may select one or more authentication protocols, as required.
Options
The authentication options to use:
• Call In—When selected, authentication is performed on incoming calls.
• Call Out—When selected, authentication is performed on outgoing
calls.
• Call Back—When selected, authentication is performed on callback.
• One Time—When selected, one-time passwords are used for
authentication. One-time passwords are considered highly secure since
each one is used only once. When deselected, one-time passwords are
not used.
Note: AAA authentication must be enabled in order to use one-time
passwords. See AAA Policy Page, page K-87. One-time passwords
cannot be used with CHAP.
• Optional—When selected, allows a mobile station in a Packet Data
Serving Node (PDSN) configuration to receive Simple IP and Mobile IP
services without using CHAP or PAP.
When deselected, mobile stations must use CHAP or PAP to receive Simple
IP and Mobile IP services.
Table K-35 PPP Dialog Box—PPP Tab (Continued)
Authenticate Using
AAA authentication settings for the PPP connection:
• PPP Default List—Defines a default list of methods to be queried when
authenticating a user for PPP. Enter the names of one or more AAA
server group objects (up to four) in the Prioritized Method List field, or
click Select to display an object selector (see Object Selectors, page F-593). Use the up and
down arrows in the object selector to define the order in which the
selected server groups should be used.
The device tries initially to authenticate users using the first method in the
list. If that method fails to respond, the device tries the next method, and so
on, until a response is received.
Tip: After you create the default list for one PPP connection, you can use
it for other PPP connections on this device.
If the AAA server group you want is not listed, click the Create button in the
selector to display the AAA Server Group Dialog Box, page F-12. From here
you can define an AAA server group object.
• Prioritized Method List—Defines a sequential list of methods to be
queried when authenticating a user for this PPP connection only.
Note: Leave this field blank to perform authentication using the local
database on the router.
PAP Authentication settings
Username
The username to send in PAP authentication requests. The username is case
sensitive.
Password
The password to send in PAP authentication requests. Enter the password
again in the Confirm field. The password can contain 1 to 25 uppercase or
lowercase alphanumeric characters. The password is case sensitive.
The username and password are sent if the peer requests the router to
authenticate itself using PAP.
Encrypted Password
When selected, this indicates that the password you entered is already
encrypted.
When deselected, this indicates that the password you entered is in clear text.
Table K-35 PPP Dialog Box—PPP Tab (Continued)
CHAP Authentication settings
Hostname
By default, the router uses its hostname to identify itself to the peer. If
required, you can enter a different hostname to use for all CHAP challenges
and responses. For example, use this field to specify a common alias for all
routers in a rotary group.
Secret
The secret used to compute the response value for any CHAP challenge from
an unknown peer. Enter the secret again in the Confirm field.
Encrypted Secret
When selected, this indicates that the secret you entered is already
encrypted. When deselected, this indicates that the secret you entered is
in clear text.
Authorization settings
Authorize Using
AAA authorization settings for the PPP connection:
• AAA Policy Default List—Uses the default authorization method list
that is defined in the device’s AAA policy. See AAA Policy Page,
page K-87.
• Prioritized Method List—Defines a sequential list of methods to be
queried when authorizing a user. Enter the names of one or more AAA
server group objects (up to four), or click Select to display an object
selector (see Object Selectors, page F-593). Use the arrows in the AAA Server
Groups Selector to select server groups and then the up and down arrows
to define the order in which selected server groups should be used.
Note: The device tries initially to authorize users using the first method in
the list. If that method fails to respond, the device tries the next
method, and so on, until a response is received.
If the AAA server group you want is not listed, you can click the Create
button in the selector to display the AAA Server Group Dialog Box,
page F-12. From here you can define an AAA server group object.
Note: Leave this field blank to perform authorization using the local
database on the router.
PPP Dialog Box—MLP Tab
Use the MLP tab of the PPP dialog box to define Multilink PPP (MLP) parameters
for the selected PPP connection.
Navigation Path
Go to the PPP Dialog Box, page K-78, then click the MLP tab.
Related Topics
• PPP Dialog Box—PPP Tab, page K-80
Field Reference
Table K-36 PPP Dialog Box—MLP Tab
Element / Description
Enable Multilink PPP (MLP)
When selected, MLP is enabled on this PPP connection.
When deselected, MLP is disabled.
Allow Multiple Data Classes
When selected, enables multiple data classes on the MLP bundle.
Delay-sensitive traffic is placed into Class 1, where it can be interleaved but
never fragmented. Normal data traffic is placed into Class 0, which is subject
to fragmentation just as regular multilink packets are.
When deselected, all traffic is subject to fragmentation.
Enable Interleaving of Packets Among Fragments of Larger Packets
When selected, enables the interleaving of packets among the fragments of
larger packets on the MLP bundle.
Note: If you enable interleaving without defining a fragment delay, the
default delay of 30 seconds is configured. This value does not appear
in Security Manager or in the device configuration.
When deselected, interleaving is disabled.
Note: Serial interfaces do not support interleaving.
Table K-36 PPP Dialog Box—MLP Tab (Continued)
Multilink Group
Applies only to serial, Group-Async, and multilink interfaces.
Restricts the physical link to the selected multilink-group interface. Enter the
name of a multilink interface or interface role, or click Select to display an
object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
This option is typically used in static leased-line environments, where the
remote systems to which the device’s serial lines are connected are known in
advance.
In effect, this option dedicates a specific interface to a particular user, even
when that user is not connected. If a peer at the other end of the link tries to
join a different bundle, the connection is severed.
Maximum Fragment Delay
The maximum amount of time that should be required to transmit a fragment
on the MLP bundle. Valid values range from 1 to 1000 milliseconds.
Fragment size is determined by the defined fragment delay and the
bandwidth of the links.
Note: Serial interfaces do not support this feature.
Table K-36 PPP Dialog Box—MLP Tab (Continued)
Endpoint Type
The identifier used by the router when transmitting packets on the MLP
bundle:
• [null]—Negotiation is conducted without using an endpoint
discriminator. (No CLI command is generated.)
• Hostname—The hostname of the router. This option is useful when
multiple routers are using the same username to authenticate but have
different hostnames.
• IP—A defined IP address. Enter an address or the name of a
network/host object, or click Select to display an object selector (see
Object Selectors, page F-593).
• MAC—The MAC address of a specific interface. Enter the name of an
interface or interface role, or click Select to display an object selector
(see Object Selectors, page F-593).
• None—Negotiation is conducted without using an endpoint
discriminator. (The relevant CLI command is generated, but no endpoint
discriminator is provided.) This option is useful when the router is
connected to a malfunctioning peer that does not handle the endpoint
discriminator properly.
• Phone—An E.164-compliant telephone number. Enter the number in the
field displayed.
• String—A character string. Enter the string in the field displayed.
The default endpoint discriminator is either the globally configured
hostname, or the PAP username or CHAP hostname (depending on the
authentication protocol being used), if you have configured those values on
the PPP tab.
MRRU Local Peer
The maximum receive reconstructed unit (MRRU) value of the local peer.
This value represents the maximum size packet that the local router is
capable of receiving.
Valid values range from 128 to 16384 bytes. The default is the maximum
transmission unit (MTU) of the multilink group interface and 1524 bytes for
all other interfaces.
Table K-36 PPP Dialog Box—MLP Tab (Continued)
MRRU Remote Peer
The maximum receive reconstructed unit (MRRU) value of the remote peer.
This value represents the maximum size packet that the remote peer is
capable of receiving.
Valid values range from 128 to 16384 bytes. The default is 1524 bytes.
Maximum FIFO Queue Size
The maximum queue depth when the bundle uses first-in, first-out (FIFO)
queuing. Valid values range from 2 to 255 packets. The default is 8.
Maximum QoS Queue Size
The maximum queue depth when the bundle uses non-FIFO queuing. Valid
values range from 2 to 255 packets. The default is 2.
AAA Policy Page
Use the AAA page to define the default authentication, authorization, and
accounting methods to use on the router. You do this by configuring method lists,
which define which methods to use and the sequence in which to use them.
Note: You can use the method lists defined in this policy as default settings when you
configure AAA on the router’s console port and VTY lines. See Console Policy
Page, page K-117 and VTY Policy Page, page K-129.
Navigation Path
• (Device view) Select Platform > Device Admin > AAA from the Policy
selector.
• (Policy view) Select Router Platform > Device Admin > AAA from the
Policy Type selector. Right-click AAA to create a policy, or select an existing
policy from the Shared Policy selector.
Related Topics
• AAA on Cisco IOS Routers, page 15-66
• Understanding AAA Server Objects, page 9-22
• Understanding AAA Server Group Objects, page 9-15
• Console Policy Page, page K-117
• VTY Policy Page, page K-129
• Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-37 AAA Page
Element / Description
Authentication tab
Defines the login authentication methods to use and the sequence in which
to use them. See AAA Page—Authentication Tab, page K-88.
Authorization tab
Defines the types of network, EXEC, and command authorization to perform
and the methods to use for each type. See AAA Page—Authorization Tab,
page K-90.
Accounting tab
Defines types of connection, EXEC, and command accounting to perform
and the methods to use for each type. See AAA Page—Accounting Tab,
page K-93.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.
AAA Page—Authentication Tab
Use the Authentication tab of the AAA page to define the methods used to
authenticate users who access the device. Authentication methods are defined in
a method list, which defines the security protocols to use, such as RADIUS and
TACACS+.
Note: You can use the method list defined in this policy on the console and VTY lines
that are used to communicate with the device. See Console Policy Page,
page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Authentication tab.
Related Topics
• Defining AAA Services, page 15-70
• Understanding Method Lists, page 15-69
• AAA Server Group Dialog Box, page F-12
• Predefined AAA Authentication Server Groups, page 9-15
Field Reference
Table K-38 AAA Page—Authentication Tab
Element / Description
Enable Device Login Authentication
When selected, enables the authentication of all users when they log in to the
device, using the methods defined in the method list.
When deselected, authentication is not performed.
Prioritized Method List
Defines a sequential list of methods to be queried when authenticating a user.
Enter the names of one or more AAA server group objects (up to four), or
click Select to display an object selector (see Object Selectors, page F-593).
Use the up and down arrows in the object selector to define the order in
which the selected server groups should be used.
The device tries initially to authenticate users using the first method in the
list. If that method fails to respond, the device tries the next method, and so
on, until a response is received.
Supported methods include Line, Local, Kerberos, RADIUS, TACACS+,
and None.
Note: If you select None as a method, it must appear as the last method in
the list.
Maximum Number of Attempts
The maximum number of unsuccessful authentication attempts before a user
is locked out. This feature is disabled by default. Valid values range from 1
to 65535.
Note: From the standpoint of the user, there is no distinction between a
normal authentication failure and an authentication failure due to
being locked out. The system administrator has to explicitly clear the
status of a locked-out user using clear commands.
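The method-list semantics described in this table (try the methods in order, skip one that does not respond, None only as the last entry, lock a user out after Maximum Number of Attempts until an administrator clears it) are easy to get wrong in a home-grown evaluator, so here is an added Python model of them. It is not Security Manager or Cisco IOS code. One point the table does not spell out is assumed from standard IOS behaviour: a method that answers with a rejection ends the search; the list only falls through on no response. The users and server groups are constructed sample data.

```python
"""Login authentication through a prioritized AAA method list.

Added example, not Security Manager or Cisco IOS code. Models the
Authentication tab semantics: methods are tried in order, a method that
does not respond is skipped, None is legal only as the last method, and a
user who exceeds Maximum Number of Attempts stays locked out until an
administrator clears the lockout. Assumed (standard IOS behaviour, not
stated on the page): a method that responds with a rejection ends the
search. Users and server groups below are constructed sample data.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Verdict(Enum):
    PASS = "pass"      # method authenticated the user
    FAIL = "fail"      # method responded and rejected the credentials
    ERROR = "error"    # method gave no response (servers down, timeout)


Method = Callable[[str, str], Verdict]


def validate_method_list(names: List[str]) -> None:
    """Rules from the field reference: one to four methods, None last."""
    if not 1 <= len(names) <= 4:
        raise ValueError("a method list holds one to four methods")
    if "none" in names[:-1]:
        raise ValueError("None must be the last method in the list")


def is_valid_method_list(names: List[str]) -> bool:
    try:
        validate_method_list(names)
        return True
    except ValueError:
        return False


class LoginAuthenticator:
    def __init__(self, methods: Dict[str, Method], method_list: List[str],
                 max_attempts: Optional[int] = None) -> None:
        validate_method_list(method_list)
        self.methods = methods
        self.method_list = method_list
        self.max_attempts = max_attempts        # None: lockout feature disabled
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def authenticate(self, user: str, password: str) -> Tuple[bool, str]:
        """Return (accepted, reason). A locked-out user is refused before any
        method runs and sees the same failure a bad password would give."""
        if user in self.locked:
            return False, "locked"
        for name in self.method_list:
            verdict = self.methods[name](user, password)
            if verdict is Verdict.ERROR:
                continue                         # no response: try the next method
            if verdict is Verdict.PASS:
                self.failures.pop(user, None)    # success resets the failure count
                return True, name
            self._record_failure(user)           # explicit rejection ends the list
            return False, name
        return False, "no method responded"      # nothing judged the attempt; not counted

    def _record_failure(self, user: str) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.max_attempts is not None and self.failures[user] >= self.max_attempts:
            self.locked.add(user)

    def clear_lockout(self, user: str) -> None:
        """Administrative clear: the only way a locked-out user gets back in."""
        self.locked.discard(user)
        self.failures.pop(user, None)


# Constructed methods standing in for the server groups a policy would reference.
def local_database(users: Dict[str, str]) -> Method:
    def check(user: str, password: str) -> Verdict:
        return Verdict.PASS if users.get(user) == password else Verdict.FAIL
    return check


def unreachable_server(user: str, password: str) -> Verdict:
    return Verdict.ERROR        # e.g. a RADIUS group whose servers are all down


def none_method(user: str, password: str) -> Verdict:
    return Verdict.PASS         # "None": no authentication at all


METHODS: Dict[str, Method] = {
    "radius": unreachable_server,
    "local": local_database({"alice": "s3cret-sample"}),   # constructed credential
    "none": none_method,
}

if __name__ == "__main__":
    auth = LoginAuthenticator(METHODS, ["radius", "local"], max_attempts=3)
    print(auth.authenticate("alice", "s3cret-sample"))   # RADIUS silent, local accepts
    for _ in range(3):
        auth.authenticate("alice", "wrong")
    print(auth.authenticate("alice", "s3cret-sample"))   # locked out despite correct password
```

Two properties worth checking in any such evaluator: with the unreachable RADIUS group first, a correct local password still succeeds, while a wrong one is counted once (not once per method); and a list consisting of an unreachable group followed by None lets anyone in, which is exactly why None belongs last and only where that fallback is intended.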
AAA Page—Authorization Tab
Use the Authorization tab of the AAA page to define the type of authorization
services to enable on the device and the methods to use for each type. Security
Manager supports the following types of authorization:
• Network—Authorizes various types of network connections, such as PPP.
• EXEC—Authorizes the launching of EXEC sessions.
• Command—Authorizes the use of all EXEC mode commands that are
associated with specific privilege levels.
Note: You can use the method lists defined in this policy on the console and VTY
lines that are used to communicate with the device. See Console Policy Page,
page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Authorization tab.
Related Topics
• Defining AAA Services, page 15-70
• Supported Authorization Types, page 15-67
• Understanding Method Lists, page 15-69
• AAA Server Group Dialog Box, page F-12
Field Reference
Table K-39 AAA Page—Authorization Tab
Element / Description
Network Authorization settings
Enable Network Authorization
    When selected, enables the authorization of network connections, such as PPP,
    SLIP, or ARAP connections, using the methods defined in the method list.
    When deselected, network authorization is not performed.
Prioritized Method List
    Defines a sequential list of methods to be queried when authorizing a user.
    Enter the names of one or more AAA server group objects (up to four), or click
    Select to display an object selector (see Object Selectors, page F-593). Use the
    up and down arrows in the object selector to define the order in which the
    selected server groups should be used.
    The device tries initially to authorize users using the first method in the
    list. If that method fails to respond, the device tries the next method, and so
    on, until a response is received.
    Supported methods include RADIUS, TACACS+, Local, and None.
    Note: RADIUS uses the same server for authentication and authorization.
    Therefore, if you define a RADIUS method list for authentication, you must
    define the same method list for authorization.
    Note: If you select None as a method, it must appear as the last method in the
    list.
EXEC Authorization settings
Enable CLI/EXEC Operations Authorization
    When selected, this type of authorization determines whether the user is
    permitted to open an EXEC (CLI) session, using the methods defined in the
    method list.
    When deselected, EXEC authorization is not performed.
Prioritized Method List
    Defines a sequential list of methods to be queried when authorizing a user.
    Enter the names of one or more AAA server group objects (up to four), or click
    Select to display an object selector (see Object Selectors, page F-593). Use the
    up and down arrows in the object selector to define the order in which the
    selected server groups should be used.
    The device tries initially to authorize users using the first method in the
    list. If that method fails to respond, the device tries the next method, and so
    on, until a response is received.
Command Authorization settings
Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.
Privilege Level
    The privilege level to which the command authorization definition applies.
Prioritized Method List
    The method list to use when authorizing users with this privilege level.
Add button
    Opens the Command Authorization Dialog Box, page K-92. From here you can
    configure a command authorization definition.
Edit button
    Opens the Command Authorization Dialog Box, page K-92. From here you can edit
    the command authorization definition.
Delete button
    Deletes the selected command authorization definitions from the table.
Command Authorization Dialog Box
Use the Command Authorization dialog box to define which methods to use when
authorizing the EXEC commands that are associated with a given privilege level.
This enables you to authorize all commands associated with a specific privilege
level, from 0 to 15.
Navigation Path
From the AAA Page—Authorization Tab, page K-90, click the Add button
beneath the Command Authorization table.
Related Topics
• Defining AAA Services, page 15-70
• Supported Authorization Types, page 15-67
• Understanding Method Lists, page 15-69
Field Reference
Table K-40 Command Authorization Dialog Box
Element / Description
Privilege Level
    The privilege level for which you want to define a command authorization list.
    Valid values range from 0 to 15.
Prioritized Method List
    Defines a sequential list of methods to be used when authorizing a user. Enter
    the names of one or more AAA server group objects (up to four), or click Select
    to display an object selector (see Object Selectors, page F-593). Use the up and
    down arrows in the object selector to define the order in which the selected
    server groups should be used.
    The device tries initially to authorize users using the first method in the
    list. If that method fails to respond, the device tries the next method, and so
    on, until a response is received.
    If the AAA server group you want is not listed, click the Create button in the
    selector to display the AAA Server Group Dialog Box, page F-12. From here you
    can define an AAA server group object.
    Supported methods include TACACS+, Local, and None.
    Note: If you select None as a method, it must appear as the last method in the
    list.
OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they are not
    lost when you log out or close your client, click Save on the source page.
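The method-list rules that Tables K-38 to K-40 spell out (supported methods per policy type, at most four server group objects, None last, a RADIUS authentication list reused for authorization, and fall-through only when a method does not respond) modeled in Python as an added example. This is not Cisco Security Manager or Cisco IOS code; the Verdict values, the LockoutTracker and the behaviour when no method answers are constructed for the illustration.

```python
"""Model of the prioritized AAA method lists described on this page.
Added example, not Cisco Security Manager or Cisco IOS code: the supported-method
sets follow Tables K-38, K-39 and K-40; evaluation and lockout are a constructed model."""
from enum import Enum

# Methods the page lists as supported for each policy type.
SUPPORTED = {
    "authentication": {"Line", "Local", "Kerberos", "RADIUS", "TACACS+", "None"},
    "network_authorization": {"RADIUS", "TACACS+", "Local", "None"},
    "command_authorization": {"TACACS+", "Local", "None"},
}

def validate_method_list(policy_type, methods):
    """Return the rule violations found; an empty list means the list is valid."""
    problems = []
    for m in methods:
        if m not in SUPPORTED[policy_type]:
            problems.append(f"{m} is not a supported {policy_type} method")
    if len(methods) > 4:  # "up to four" AAA server group objects per list
        problems.append("more than four server group objects in the list")
    if "None" in methods and methods[-1] != "None":
        problems.append("None must be the last method in the list")
    return problems

def radius_lists_consistent(authentication, network_authorization):
    """RADIUS uses one server for authentication and authorization, so a RADIUS
    authentication list must be reused unchanged as the authorization list."""
    if "RADIUS" not in authentication:
        return True
    return list(authentication) == list(network_authorization)

class Verdict(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NO_RESPONSE = "no response"  # server group unreachable or timed out

def evaluate(methods, responses):
    """First method that answers decides. `responses` maps method -> Verdict
    (constructed input). A silent method is skipped but a DENY is final, so a
    Local or None fallback is reached only when every earlier method is silent."""
    for m in methods:
        if m == "None":
            return Verdict.PERMIT, m  # None performs no check at all
        verdict = responses.get(m, Verdict.NO_RESPONSE)
        if verdict is not Verdict.NO_RESPONSE:
            return verdict, m
    return Verdict.DENY, None  # nothing answered: this model denies

class LockoutTracker:
    """Per-user failure counter for Maximum Number of Attempts (1 to 65535)."""
    def __init__(self, max_attempts):
        assert 1 <= max_attempts <= 65535
        self.max_attempts, self.failures = max_attempts, {}

    def record(self, user, verdict):
        """Return what the user sees: a locked-out user just sees DENY."""
        if self.failures.get(user, 0) >= self.max_attempts:
            return Verdict.DENY  # indistinguishable from a normal failure
        if verdict is Verdict.DENY:
            self.failures[user] = self.failures.get(user, 0) + 1
        return verdict

    def clear(self, user):
        self.failures.pop(user, None)  # an administrator must clear a locked-out user
```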
AAA Page—Accounting Tab
Use the Accounting tab of the AAA page to define the type of accounting services
to enable on the device and the methods to use for each type. Security Manager
supports the following types of accounting:
• Connection—Records information about all outbound connections made
from this device.
• EXEC—Records information about user EXEC sessions on the devices,
including the username, date, start and stop times, and the IP address.
• Command—Records information about the EXEC commands executed on
the device by users with specific privilege levels.
In addition, you use the Accounting page to determine when accounting records
should be generated and whether they should be broadcast to more than one AAA
server.
Note: You can use the method lists defined in this policy on the console and VTY
lines that are used to communicate with the device. See Console Policy Page,
page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Accounting tab.
Related Topics
• Defining AAA Services, page 15-70
• Supported Accounting Types, page 15-67
• Understanding Method Lists, page 15-69
• AAA Server Group Dialog Box, page F-12
Field Reference
Table K-41 AAA Page—Accounting Tab
Element / Description
Connection Accounting settings
Enable Connection Accounting
    When selected, enables the recording of information about outbound connections
    (such as Telnet) made over this device, using the methods defined in the method
    list.
    When deselected, connection accounting is not performed.
Generate Accounting Records for
    Defines when the device sends an accounting notice to the accounting server:
    • Start and Stop—Generates accounting records at the beginning and the end of
    the user process. The user process begins regardless of whether the accounting
    server receives the “start” accounting record.
    • Stop Only—Generates an accounting record at the end of the user process only.
    • None—Disables this type of accounting.
Prioritized Method List
    Defines a sequential list of methods to be queried when creating connection
    accounting records for a user. Enter the names of one or more AAA server group
    objects (up to four), or click Select to display an object selector (see Object
    Selectors, page F-593). Use the up and down arrows in the object selector to
    define the order in which the selected server groups should be used.
    Supported methods include RADIUS and TACACS+.
Enable Broadcast to Multiple Servers
    When selected, enables the sending of accounting records to multiple AAA
    servers. Accounting records are sent simultaneously to the first server in each
    AAA server group defined in the method list. If the first server is
    unavailable, failover occurs using the backup servers defined within that
    group.
    When deselected, accounting records are sent only to the first server in the
    first AAA server group defined in the method list.
EXEC Accounting settings
Enable CLI/EXEC Operations Accounting
    When selected, enables the recording of basic information about user EXEC
    sessions, using the methods defined in the method list.
    When deselected, EXEC accounting is not performed.
Generate Accounting Records for
    See the description in Table N-91 on page N-131.
Prioritized Method List
    Defines a sequential list of methods to be queried when creating accounting
    records for a user. Enter the names of one or more AAA server group objects
    (up to four), or click Select to display an object selector (see Object
    Selectors, page F-593). Use the up and down arrows in the object selector to
    define the order in which the selected server groups should be used.
Enable Broadcast to Multiple Servers
    When selected, enables the sending of accounting records to multiple AAA
    servers. Accounting records are sent simultaneously to the first server in each
    AAA server group defined in the method list. If the first server is
    unavailable, failover occurs using the backup servers defined within that
    group.
Command Accounting settings
Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.
Privilege Level
    The privilege level to which the command accounting definition applies.
Generate Accounting Records for
    The points in the process where the device sends an accounting notice to the
    accounting server.
Enable Broadcast
    Whether accounting records are broadcast to multiple servers simultaneously.
Prioritized Method List
    The method list to use when performing command accounting for users with this
    privilege level.
Add button
    Opens the Command Accounting Dialog Box, page K-96. From here you can
    configure a command accounting definition.
Edit button
    Opens the Command Accounting Dialog Box, page K-96. From here you can edit the
    command accounting definition.
Delete button
    Deletes the selected command accounting definitions from the table.
Command Accounting Dialog Box
Use the Command Accounting dialog box to define which methods to use when
recording information about the EXEC commands that are executed for a given
privilege level. Each accounting record includes a list of the commands executed
for that privilege level, as well as the date and time each command was executed,
and the name of the user who executed it.
Navigation Path
From the AAA Page—Accounting Tab, page K-93, click the Add button beneath
the Command Accounting table.
Related Topics
• Defining AAA Services, page 15-70
• Supported Accounting Types, page 15-67
• Understanding Method Lists, page 15-69
Field Reference
Table K-42 Command Accounting Dialog Box
Element / Description
Privilege Level
    The privilege level for which you want to define a command accounting list.
    Valid values range from 0 to 15.
Generate Accounting Records for
    Defines when the device sends an accounting notice to the accounting server:
    • Start and Stop—Generates accounting records at the beginning and the end of
    the user process. The user process begins regardless of whether the accounting
    server receives the “start” accounting record.
    • Stop Only—Generates an accounting record at the end of the user process only.
    • None—No accounting records are generated.
Prioritized Method List
    Defines a sequential list of methods to be used when creating accounting
    records for a user. Enter the names of one or more AAA server group objects
    (up to four), or click Select to display an object selector (see Object
    Selectors, page F-593). Use the up and down arrows in the object selector to
    define the order in which the selected server groups should be used.
    The device tries initially to perform accounting using the first method in the
    list. If that method fails to respond, the device tries the next method, and so
    on, until a response is received.
    If the AAA server group you want is not listed, click the Create button in the
    selector to display the AAA Server Group Dialog Box, page F-12. From here you
    can define an AAA server group object.
    TACACS+ is the only supported method, but you can select multiple AAA server
    groups configured with TACACS+.
    Note: If you select None as a method, it must appear as the last method in the
    list.
Enable Broadcast to Multiple Servers
    When selected, enables the sending of accounting records to multiple AAA
    servers. Accounting records are sent simultaneously to the first server in each
    AAA server group defined in the method list. If the first server is
    unavailable, failover occurs using the backup servers defined within that
    group.
    When deselected, accounting records are sent only to the first server in the
    first AAA server group defined in the method list.
OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they are not
    lost when you log out or close your client, click Save on the source page.
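The record-generation and broadcast options of Tables K-41 and K-42, worked through as an added Python model (not Cisco Security Manager or Cisco IOS code): which events of a user process produce a record, which servers receive it with and without Enable Broadcast to Multiple Servers, and the fact that the user process runs even when the start record reaches no server. The sample server groups and the reachable-server set are constructed input.

```python
"""Where accounting records go under the Accounting tab settings on this page.
Added example, not Cisco Security Manager or Cisco IOS code: a constructed model
of the Generate Accounting Records for and Enable Broadcast to Multiple Servers
options described in Tables K-41 and K-42."""

# Events of a user process that produce a record under each setting.
RECORD_MODES = {
    "Start and Stop": ("start", "stop"),
    "Stop Only": ("stop",),
    "None": (),
}

# Constructed sample method list: two TACACS+ server groups, each with a
# primary server and one backup.
SAMPLE_GROUPS = [["tac-primary-1", "tac-backup-1"], ["tac-primary-2", "tac-backup-2"]]


def record_targets(server_groups, broadcast, reachable):
    """Servers that receive one accounting record.

    server_groups: the method list as an ordered list of groups, each an ordered
    list of server names (first is primary, the rest are backups). reachable:
    the set of servers currently answering (constructed input). With broadcast
    the record goes to the first reachable server of every group; without it
    only the first group is used. Walking that group's backups is this model's
    assumption: the page describes in-group failover for the broadcast case.
    """
    groups = server_groups if broadcast else server_groups[:1]
    targets = []
    for group in groups:
        for server in group:  # failover within the group, in order
            if server in reachable:
                targets.append(server)
                break
    return targets


def account_session(mode, server_groups, broadcast, reachable):
    """Simulate one user process: which records are generated and where they go.

    Returns the servers reached per event, the events whose record reached no
    server, and whether the user process ran. It always runs: the page says it
    begins regardless of whether the server receives the start record.
    """
    if mode not in RECORD_MODES:
        raise ValueError(f"unknown Generate Accounting Records for value {mode!r}")
    delivered, lost = {}, []
    for event in RECORD_MODES[mode]:
        targets = record_targets(server_groups, broadcast, reachable)
        delivered[event] = targets
        if not targets:
            lost.append(event)
    return {"session_ran": True, "delivered": delivered, "lost": lost}
```

A non-empty `lost` list with `session_ran` still true is the condition to alert on: sessions proceed while the audit trail silently stops.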
Accounts and Credentials Policy Page
Use the Accounts and Credentials page to define the enable password or enable
secret password assigned to the router. In addition, you can define a list of
usernames that can be used to access the router.
For more information, see Defining Accounts and Credential Policies,
Credentials from the Policy Type selector. Right-click Accounts and
Credentials to create a policy, or select an existing policy from the Shared
Policy selector.
Related Topics
• User Accounts and Device Credentials on Cisco IOS Routers, page 15-72
• Chapter K, “Router Platform User Interface Reference”
• User Account Dialog Box, page K-100
Field Reference
Table K-43 Accounts and Credentials Page
Element / Description
Enable Secret Password
    The enable secret password for entering privileged EXEC mode on the router.
    This option offers better security than the Enable Password option.
    The enable secret password can contain between 1 and 25 alphanumeric
    characters. The first character must be a letter. Spaces are allowed, but
    leading spaces are ignored. Question marks are also allowed.
    Note: You can discover an encrypted password, but any password you enter must
    be in clear text. If you modify an encrypted password, it is saved as clear
    text.
    Note: After you set an enable secret password, you can switch to an enable
    password only if the enable secret is disabled or an older version of Cisco
    IOS software is being used, such as when running an older rxboot image.
Enable Password
    The enable password for entering privileged EXEC mode on the router.
    The enable password can contain between 1 and 25 alphanumeric characters. The
    first character must be a letter. Spaces are allowed, but leading spaces are
    ignored. Question marks are also allowed.
    Note: You must enter the password in clear text.
Enable Password Encryption Service
    When selected, encrypts all passwords on the device, including the enable
    password (which is otherwise saved in clear text).
    For example, use this option to encrypt username passwords, authentication key
    passwords, console and VTY line access passwords, and BGP neighbor passwords.
    This command is primarily used for keeping unauthorized individuals from
    viewing your passwords in your configuration file.
    When deselected, device passwords are stored unencrypted in the configuration
    file.
    Note: This option does not provide a high level of network security. You
    should also take additional network security measures.
User Accounts Table
Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.
Username
    The username that can be used to access the router. The username must be a
    single word up to 64 characters in length. Spaces and quotation marks are not
    allowed.
Encryption
    Indicates whether password information for the user is encrypted using MD5
    encryption.
Privilege Level
    The privilege level assigned to the user.
Add button
    Opens the User Account Dialog Box, page K-100. From here you can define a user
    account.
Edit button
    Opens the User Account Dialog Box, page K-100. From here you can edit the
    selected user.
Delete button
    Deletes the selected user accounts from the table.
Save button
    Saves your changes to the Security Manager server but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header,
then select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
User Account Dialog Box
Employ the User Account dialog box to define a username and password
combination that can be used by Security Manager to access the router. You can
also define the privilege level of the user account, which determines whether you
can configure all commands on this router or only a subset of them.
Note: Remember that there may be additional user accounts defined on the router
using other methods, such as the CLI.
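The field rules of Table K-43 and the page's own notes on Enable Secret versus Enable Password and on the password encryption service, turned into a policy check as an added Python example (not Cisco Security Manager code). The policy dictionary shape, its field names and the sample values are this example's assumptions; the character rules are the model's reading of the table text.

```python
"""Checks for the Accounts and Credentials policy fields described on this page.
Added example, not Cisco Security Manager code: the length and character rules
are transcribed from Table K-43, and the findings restate the page's own notes on
Enable Secret versus Enable Password and on the password encryption service."""
import re

# Model's reading of Table K-43: after ignoring leading spaces, 1 to 25
# characters, the first a letter, then letters, digits, spaces or question marks.
_ENABLE_PW = re.compile(r"[A-Za-z][A-Za-z0-9 ?]{0,24}")
# Username: a single word of up to 64 characters, no spaces or quotation marks.
_USERNAME = re.compile(r'[^\s"]{1,64}')


def valid_enable_password(value):
    """True when an Enable or Enable Secret password satisfies Table K-43."""
    return _ENABLE_PW.fullmatch(value.lstrip(" ")) is not None


def valid_username(name):
    """True when a User Accounts table username satisfies Table K-43."""
    return _USERNAME.fullmatch(name) is not None


def audit_policy(policy):
    """Return findings for a policy dict shaped like the page's fields:
    enable_secret, enable_password (str or None), password_encryption_service
    (bool) and users (list of dicts: username, encrypted, privilege_level).
    The dict shape and field names are this example's, not the product's."""
    findings = []
    secret, password = policy.get("enable_secret"), policy.get("enable_password")
    if not secret and password:
        findings.append("Enable Password set without Enable Secret Password: "
                        "the page rates Enable Secret as the more secure option")
    for label, value in (("enable_secret", secret), ("enable_password", password)):
        if value and not valid_enable_password(value):
            findings.append(f"{label} violates the 1 to 25 character rules")
    if not policy.get("password_encryption_service"):
        findings.append("Password Encryption Service off: device passwords are "
                        "stored unencrypted in the configuration file")
    else:
        findings.append("Password Encryption Service on: per the page this is not "
                        "a high level of security, take additional measures")
    for user in policy.get("users", []):
        name = user.get("username", "")
        if not valid_username(name):
            findings.append(f"username {name!r} is not a single word of up to 64 chars")
        if not user.get("encrypted"):
            findings.append(f"user {name!r}: password not stored with MD5 encryption")
        if not 0 <= user.get("privilege_level", 0) <= 15:
            findings.append(f"user {name!r}: privilege level must be 0 to 15")
    return findings
```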