Cisco Systems OL-16066-01 User Manual
APPENDIX
K
Router Platform User Interface
Reference
The main pages available in Cisco Security Manager for configuring and
managing platform-specific policies on Cisco IOS routers are discussed in the
following topics:
NAT policies:
• NAT Policy Page, page K-3
Interface policies:
• Router Interfaces Page, page K-17
• Never Block Networks Dialog Box, page N-132
• AIM-IPS Interface Settings Page, page K-34
• Dialer Policy Page, page K-36
• ADSL Policy Page, page K-42
• SHDSL Policy Page, page K-47
• PVC Policy Page, page K-54
OL-16066-01
• PPP/MLP Policy Page, page K-76
Device Admin policies:
• AAA Policy Page, page K-87
• Accounts and Credential s Policy Page, page K-98
• Bridging Policy Page, page K-102
• Clock Policy Page, page K-104
User Guide for Cisco Security Manager 3.2
K-1
Appendix K Router Platform User Interface Reference
• CPU Policy Page, page K-107
• Device Access policies:
–
HTTP Policy Page, page K-110
–
Console Policy Page, page K-117
–
VTY Policy Page, page K-129
–
Secure Shell Policy Page, page K-147
–
SNMP Policy Page, page K-149
• DNS Policy Page, page K-158
• Hostname Policy Page, page K-160
• Memory Policy Page, page K-161
• Secure Device Provisioning Policy Page, page K-163
• Server Access policies:
–
DHCP Policy Page, page K-167
–
NTP Policy Page, page K-174
K-2
Identity policies:
• 802.1x Policy Page, page K-179
• Network Admission Control Policy Page, page K-183
Logging policies:
• Logging Setup Policy Page, page K-192
• Syslog Servers Policy Page, page K-197
Quality of Service policies:
• Quality of Service Policy Page, page K-199
Routing policies:
• BGP Routing Policy Page, page K-219
• EIGRP Routing Policy Page, page K-226
• OSPF Interface Policy Page, page K-236
• OSPF Process Policy Page, page K-243
• RIP Routing Policy Page, page K-255
• Static Routing Policy Page, page K-263
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Tip Use the Policy Management page in the Security Manager Administration
window to control which router platform policy pages are available in Security
Manager. For more information, see Policy Management Page, page A-40.
NAT Policy Page
You can configure NAT policies on a Cisco IOS router from the following tabs on
the NAT policy page:
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
Network Address Translation (NAT) converts private, internal LAN addresses
into globally routable IP addresses. NAT enables a small number of public IP
addresses to provide global connectivity for a large number of hosts.
For more information, see NAT on Cisco IOS Routers, page 15-5.
NAT Policy Page
Navigation Path
• (Device view) Select NAT from the Policy selector.
• (Policy view) Select NAT (Router) from the Policy Type selector.
Right-click NAT (Router) to create a policy, or select an existing policy from
the Shared Policy selector.
Related Topics
• Chapter K, “Router Platform User Interface Reference”
NAT Page—Interface Specification Tab
Use the NAT Interface Specification tab to define the inside and outside interfaces
on the router used for NAT. Inside interfaces are interfaces that connect to the
private networks served by the router. Outside interfaces are interfaces that
connect to the WAN or the Internet.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-3
Appendix K Router Platform User Interface Reference
NAT Policy Page
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Interface Specification tab.
Related Topics
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
Field Reference
Table K-1 NAT Interface Specification Tab
Element Description
NAT Inside Interfaces The interfaces that act as the inside interfaces for address translation. Click
Edit to display the Edit Interfaces Dialog Box—NAT Inside Interfaces,
page K-4. From here you can define these interfaces.
NAT Outside Interfaces The interfaces that act as the outside interfaces for address translation. Click
Edit to display the Edit Interfaces Dialog Box—NAT Outside Interfaces,
page K-5. From here you can define these interfaces.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Edit Interfaces Dialog Box—NAT Inside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit
Interfaces dialog box to specify which interfaces will act as the inside interfaces
for address translation. Inside interfaces typically connect to a LAN that the router
serves.
Navigation Path
Go to the NAT Page—Interface Specification Tab, page K-3, then click the Edit
button in the NAT Inside Interfaces field.
Related Topics
• Designating Inside and Outside Interfaces, page 15-6
• Edit Interfaces Dialog Box—NAT Outside Interfaces, page K-5
User Guide for Cisco Security Manager 3.2
K-4
OL-16066-01
Appendix K Router Platform User Interface Reference
NAT Policy Page
Field Reference
Table K-2 Edit Interfaces Dialog Box—NAT Inside Interfaces
Element Description
Interfaces The interfaces that act as the inside interfaces for address translation. You
can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy Definition,
page 9-135.
Select button Opens an Object Selectors, page F-593 for selecting interfaces and interface
roles. Using the selector eliminates the need to manually enter this
information.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can define an interface role object.
OK button Saves your changes and closes the dialog box. Your selections are displayed
in the NAT Inside Interfaces field of the NAT Interface Specification tab.
Edit Interfaces Dialog Box—NAT Outside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit
Interfaces dialog box to specify which interfaces will act as the outside interfaces
for address translation. Outside interfaces typically connect to your organization’s
WAN or to the Internet.
Navigation Path
Go to the NAT Page—Interface Specification Tab, page K-3, then click the Edit
button in the NAT Outside Interfaces field.
Related Topics
• Designating Inside and Outside Interfaces, page 15-6
• Edit Interfaces Dialog Box—NAT Inside Interfaces, page K-4
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-5
Appendix K Router Platform User Interface Reference
NAT Policy Page
Field Reference
Table K-3 Edit Interfaces Dialog Box—NAT Outside Interfaces
Element Description
Interfaces The interfaces that act as the outside interfaces for address translation. You
can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy Definition,
page 9-135.
Select button Opens an Object Selectors, page F-593 for selecting interfaces and interface
roles. Using the selector eliminates the need to manually enter this
information.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can define an interface role object.
OK button Saves your changes and closes the dialog box. Your selections are displayed
in the NAT Outside Interfaces field of the NAT Interface Specification tab.
NAT Page—Static Rules Tab
Use the NAT Static Rules tab to create, edit, and delete static address translation
rules. For more information, see Defining Static NAT Rules, page 15-8.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Static Rules tab.
Related Topics
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15
User Guide for Cisco Security Manager 3.2
K-6
OL-16066-01
Appendix K Router Platform User Interface Reference
NAT Policy Page
Field Reference
Table K-4 NAT Static Rules Tab
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Original Address The original address (and optionally, the subnet mask) that is being
translated.
Translated Address The IP address to which the traffic is translated.
Port Redirection (When the static rule is defined on a port) Information about the port that is
being translated, including the local and global port numbers.
Advanced The advanced options that are enabled.
Add button Opens the NAT Static Rule Dialog Box, page K-7. From here you can create
a static translation rule.
Edit button Opens the NAT Static Rule Dialog Box, page K-7. From here you can edit
the selected static translation rule.
Delete button Deletes the selected static translation rules from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
NAT Static Rule Dialog Box
Use the NAT Static Rule dialog box to add or edit static address translation rules.
Navigation Path
Go to the NAT Page—Static Rules Tab, page K-6, then click the Add or Edit
button beneath the table.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-7
Appendix K Router Platform User Interface Reference
NAT Policy Page
Related Topics
• Defining Static NAT Rules, page 15-8
• Disabling the Alias Option for Attached Subnets, page 15-15
• Disabling the Payload Option for Overlapping Networks, page 15-15
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
Field Reference
Table K-5 NAT Static Rule Dialog Box
Element Description
Static Rule Type The type of local address requiring translation by this static rule:
• Static Host—A single host requiring static address translation.
• Static Network—A subnet requiring static address translation.
• Static Port—A single port requiring static address translation. If you
select this option, you must define port redirection parameters.
Original Address Enter an address or the name of a network/host object, or click Select to
display an Object Selectors, page F-593.
• When Static Network is selected as the Static Rule Type, this field
defines the network address and subnet mask. For example, if you want
to create n-to-n mappings between the private addresses in a subnet to
corresponding inside global addresses, enter the address of the subnet
you want translated, and then enter the network mask in the Mask field.
K-8
• When Static Port or Static Host is selected as the Static Rule Type, this
field defines the IP address only. For example, if you want to create a
one-to-one mapping for a single host, enter the IP address of the host to
translate. Do not enter a subnet mask in the Mask field.
If the network or host you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-477. From here
you can define a network/host object.
Note We recommend not entering a local address belonging to this router,
as it could cause Security Manager management traffic to be
translated. Translating this traffic will cause a loss of communication
between the router and Security Manager.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-5 NAT Static Rule Dialog Box (Continued)
Translated Address The type of address translation to perform:
• Specify IP—The IP address that acts as the translated address. Enter an
address or the name of a network/host object in the Translated
IP/Network field, or click Select to display an Object Selectors,
page F-593.
–
If you selected Static Port or Static Host as the static rule type (to
create a one-to-one mapping between a single inside local address
and a single inside global address), enter the global address in this
field. A subnet mask is not required.
–
If you selected Static Network as the static rule type (to map the
original, local addresses of a subnet to the corresponding global
addresses), enter the IP address that you want to use in the
translation in this field. The network mask is taken automatically
from the mask entered in the Original Address field.
If the network or host you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-477. From here
you can define a network/host object.
• Use Interface IP—The interface whose address should be used as the
translated address. (This is typically the interface from which translated
packets leave the router.) Enter the name of an interface or interface role
in the Interface field, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button or the Edit
button in the selector to display the Interface Role Dialog Box, page F-464.
From here you can create an interface role object.
Note The Interface option is not available when Static Network is the
selected static rule type. Only one static rule may be defined per
interface.
NAT Policy Page
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-9
Appendix K Router Platform User Interface Reference
NAT Policy Page
Table K-5 NAT Static Rule Dialog Box (Continued)
Port Redirection Applies only when Static Port is the selected static rule type.
Redirect Port—When selected, specifies port information for the inside
device in the translation. This enables you to use the same public IP address
for multiple devices as long as the port specified for each device is different.
Enter information in the following fields:
• Protocol—The protocol type: TCP or UDP.
• Local Port—The port number on the source network. Valid values range
from 1 to 65535.
• Global Port—The port number on the destination network that the router
is to use for this translation. Valid values range from 1 to 65535.
When deselected, port information is not included in the translation.
K-10
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
NAT Policy Page
Table K-5 NAT Static Rule Dialog Box (Continued)
Advanced Applies only when using the Translated IP option for address translation.
Defines advanced options:
• No Alias—When selected, prohibits an alias from being created for the
global address.
The alias option is used to answer Address Resolution Protocol (ARP)
requests for global addresses that are allocated by NAT. You can disable
this feature for static entries by selecting the No alias check box.
When deselected, global address aliases are permitted.
• No Payload—When selected, prohibits an embedded address or port in
the payload from being translated.
The payload option performs NAT between devices on overlapping
networks that share the same IP address. When an outside device sends
a DNS query to reach an inside device, the local address inside the
payload of the DNS reply is translated to a global address according to
the relevant NAT rule. You can disable this feature by selecting the No
payload check box.
When deselected, embedded addresses and ports in the payload may be
translated, as described above.
• Create Extended Translation Entry—When selected, creates an
extended translation entry (addresses and ports). This enables you to
associate multiple global addresses with a single local address. This is
the default.
When deselected, creates a simple translation entry that allows you to
associate a single global address with the local address.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-11
NAT Policy Page
NAT Page—Dynamic Rules Tab
Use the NAT Dynamic Rules tab to create, edit, and delete dynamic address
translation rules. A dynamic address translation rule dynamically maps hosts to
addresses, using either the globally registered IP address of a specific interface or
addresses included in an address pool that are globally unique in the destination
network.
For more information, see Defining Dynamic NAT Rules, page 15-16.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Dynamic Rules tab.
Related Topics
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Timeouts Tab, page K-15
Field Reference
Appendix K Router Platform User Interface Reference
Table K-6 NAT Dynamic Rules Tab
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Traffic Flow The ACL that defines the traffic that is being translated.
Translated Address Indicates whether the translated address is based on an interface or on a
defined address pool.
Port Translation Indicates whether Port Address Translation (PAT) is being used by this
dynamic NAT rule.
Add button Opens the NAT Dynamic Rule Dialog Box, page K-13. From here you can
create a dynamic translation rule.
Edit button Opens the NAT Dynamic Rule Dialog Box, page K-13. From here you can
edit the selected dynamic translation rule.
Delete button Deletes the selected dynamic translation rules from the table.
User Guide for Cisco Security Manager 3.2
K-12
OL-16066-01
Appendix K Router Platform User Interface Reference
NAT Policy Page
Table K-6 NAT Dynamic Rules Tab (Continued)
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
NAT Dynamic Rule Dialog Box
Use the NAT Dynamic Rule dialog box to add or edit dynamic address translation
rules.
Navigation Path
Go to the NAT Page—Dynamic Rules Tab, page K-12, then click the Add or Edit
button beneath the table.
OL-16066-01
Related Topics
• Defining Dynamic NAT Rules, page 15-16
• Understanding Access Control List Objects, page 9-30
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132
User Guide for Cisco Security Manager 3.2
K-13
Appendix K Router Platform User Interface Reference
NAT Policy Page
Field Reference
Table K-7 NAT Dynamic Rule Dialog Box
Element Description
Traffic Flow Access List—The extended ACL that specifies the traffic requiring dynamic
translation. Enter the name of an ACL object, or click Select to display an
Object Selectors, page F-593.
If the ACL you want is not listed, click the Create button in the selector to
display the dialog box for defining an extended ACL object. For more
information, see Add and Edit Extended Access List Pages, page F-34.
Note Make sure that the ACL you select does not permit the translation of
Security Manager management traffic over any device address on
this router. Translating this traffic will cause a loss of
communication between the router and Security Manager.
Translated Address The method for performing dynamic address translation:
• Interface—The router interface used for address translation. PAT is used
to distinguish each host on the network. Enter the name of an interface
or interface role, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From
here you can create an interface role object.
Enable Port Translation
(Overload)
User Guide for Cisco Security Manager 3.2
K-14
• Address Pool—Translates addresses using a set of addresses defined in
an address pool. Enter one or more address ranges, including the prefix,
using the format min1-max1/prefix (in CIDR notation). You can add as
many address ranges to the address pool as required, but all ranges must
share the same prefix. Separate multiple entries with commas.
When selected, the router uses port addressing (PAT) if the pool of available
addresses runs out.
When deselected, PAT is not used.
Note PAT is selected by default when you use an interface on the router as
the translated address.
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-7 NAT Dynamic Rule Dialog Box (Continued)
NAT Policy Page
Do Not Translate VPN
Traffic (Site-to-Site
VPN only)
This setting applies only in situations where the NAT ACL overlaps the
crypto ACL used by the site-to-site VPN. Because the interface performs
NAT first, any traffic arriving from an address within this overlap would get
translated, causing the traffic to be sent unencrypted. Leaving this check box
selected prevents that from happening.
When selected, address translation is not performed on VPN traffic.
When deselected, the router performs address translation on VPN traffic in
cases of overlapping addresses between the NAT ACL and the crypto ACL.
Note We recommend that you leave this check box selected, even when
performing NAT into IPsec, as this setting does not interfere with the
translation that is performed to avoid a clash between two networks
sharing the same set of internal addresses.
Note This option does not apply to remote access VPNs.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
NAT Page—Timeouts Tab
OL-16066-01
Use the NAT Timeouts tab to view or modify the default timeout values for PAT
(overload) translations. These timeouts cause a dynamic translation to expire after
a defined period of non-use. In addition, you can use this page to place a limit on
the number of entries allowed in the dynamic NAT table and to modify the default
timeout on all dynamic translations that are not PAT translations.
Note For more information about the Overload feature, see NAT Dynamic Rule Dialog
Box, page K-13.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Timeouts tab.
User Guide for Cisco Security Manager 3.2
K-15
Appendix K Router Platform User Interface Reference
NAT Policy Page
Related Topics
• Specifying NAT Timeouts, page 15-19
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
Field Reference
Table K-8 NAT Timeouts Tab
Element Description
Max Entries The maximum number of entries allowed in the dynamic NAT table. Values
range from 1 to 2147483647.
By default, this field is left blank, which means that the number of entries in
the table is unlimited.
Timeout (sec.) The timeout value applied to all dynamic translations except PAT (overload)
translations.
The default is 86400 seconds (24 hours).
UDP Timeout (sec.) The timeout value applied to User Datagram Protocol (UDP) ports. The
default is 300 seconds (5 minutes).
Note This value applies only when the Overload feature is enabled.
DNS Timeout (sec.) The timeout value applied to Domain Naming System (DNS) server
connections. The default is 60 seconds.
Note This value applies only when the Overload feature is enabled.
TCP Timeout (sec.) The timeout value applied to Transmission Control Protocol (TCP) ports.
The default is 86400 seconds (24 hours).
Note This value applies only when the Overload feature is enabled.
FINRST Timeout (sec.) The timeout value applied when a Finish (FIN) packet or Reset (RST) packet
(both of which terminate connections) is found in the TCP stream. The
default is 60 seconds.
Note This value applies only when the Overload feature is enabled.
User Guide for Cisco Security Manager 3.2
K-16
OL-16066-01
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-8 NAT Timeouts Tab (Continued)
ICMP Timeout (sec.) The timeout value applied to Internet Control Message Protocol (ICMP)
flows. The default is 60 seconds.
Note This value applies only when the Overload feature is enabled.
PPTP Timeout (sec.) The timeout value applied to NAT Point-to-Point Tunneling Protocol (PPTP)
flows. The default is 86400 seconds (24 hours).
Note This value applies only when the Overload feature is enabled.
SYN Timeout (sec.) The timeout value applied to TCP flows after a synchronous transmission
(SYN) message (used for precise clocking) is encountered. The default is 60
seconds.
Note This value applies only when the Overload feature is enabled.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Router Interfaces Page
OL-16066-01
Use the Router Interfaces page to view, create, edit, and delete interface
definitions (physical and virtual) on a selected Cisco IOS router. The Router
Interfaces page displays interfaces that were discovered by Security Manager as
well as interfaces added manually after you added the device to the system.
For more information, see Basic Interface Settings on Cisco IOS Routers,
page 15-20.
Navigation Path
Select a Cisco IOS router from the Device selector, then select Interfaces >
Interfaces from the Policy selector.
Related Topics
• Available Interface Types, page 15-21
• Deleting a Cisco IOS Router Interface, page 15-27
User Guide for Cisco Security Manager 3.2
K-17
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Field Reference
Table K-9 Router Interfaces Page
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface Type The interface type. Subinterfaces are displayed indented beneath their parent
interface.
Interface Name The name of the interface.
Enabled Indicates whether the interface is currently enabled (managed by Security
Manager) or disabled (shutdown state).
IP Address The IP address of interfaces defined with a static address.
IP Address Type The type of IP address assigned to the interface—static, DHCP, PPPoE, or
unnumbered. (IP address is defined by a selected interface role.)
Interface Role The interface roles that are assigned to the selected interface.
Add button Opens the Create Router Interface Dialog Box, page K-18. From here you
can create an interface on the selected router.
Edit button Opens the Create Router Interface Dialog Box, page K-18. From here you
can edit the selected interface.
Delete button Deletes the selected interfaces from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
Create Router Interface Dialog Box
Use the Create Router Interface dialog box to create and edit physical and virtual
interfaces on the selected Cisco IOS router.
User Guide for Cisco Security Manager 3.2
K-18
OL-16066-01
Appendix K Router Platform User Interface Reference
Note Unlike other router policies, the Interfaces policy cannot be shared among
multiple devices. The Advanced Settings policy, however, may be shared. See
Local Policies vs. Shared Policies, page 7-4.
Navigation Path
Go to the Router Interfaces Page, page K-17, then click the Add or Edit button
beneath the table.
Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Deleting a Cisco IOS Router Interface, page 15-27
• Never Block Networks Dialog Box, page N-132
Field Reference
Table K-10 Create Router Interface Dialog Box
Router Interfaces Page
Element Description
Enabled When selected, the router interface is enabled.
When deselected, the router interface is in shutdown state. However, its
definition is not deleted.
Type Specifies whether you are defining an interface or subinterface.
Name Applies only to interfaces.
The name of the interface. Enter a name manually, or click Select to display
a dialog box for generating a name automatically. See Interface Auto Name
Generator Dialog Box, page K-24.
Note Logical interfaces require a number after the name:
—The valid range for dialer interfaces is 0-799.
—The valid range for loopback interfaces is 0-2147483647.
—The valid range for BVI interfaces is 1-255.
—The only valid value for null interfaces is 0.
Parent Applies only to subinterfaces.
The parent interface of the subinterface. Select the parent interface from the
displayed list.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-19
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-10 Create Router Interface Dialog Box (Continued)
Subinterface ID Applies only to subinterfaces.
The ID number of the subinterface.
IP The source of the IP address for the interface:
• Static IP—Defines a static IP address and subnet mask for the interface.
Enter this information in the fields that appear below the option.
Note You can define the mask using either dotted decimal (for example,
255.255.255.255) or CIDR notation (/32). See Contiguous and
Discontiguous Network Masks, page 9-146.
• DHCP—The interface obtains its IP address dynamically from a DHCP
server.
• PPPoE—The router automatically negotiates its own registered IP
address from a central server (via PPP/IPCP). The following interface
types support PPPoE:
–
Async
–
Serial
–
High-Speed Serial Interface (HSSI)
K-20
–
Dialer
–
BRI, PRI (ISDN)
–
Virtual template
–
Multilink
• Unnumbered—The interface obtains its IP address from a different
interface on the device. Choose an interface from the Interface list. This
option can be used with point-to-point interfaces only.
Note Layer 2 interfaces do not support IP addresses. Deployment fails if
you define an IP address on a Layer 2 interface.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-10 Create Router Interface Dialog Box (Continued)
Layer Type The OSI layer at which the interface is defined:
• Unknown—The layer is unknown.
• Layer 2—The data link layer, which contains the protocols that control
the physical layer (Layer 1) and how data is framed before being
transmitted on the medium. Layer 2 is used for bridging and switching.
Layer 2 interfaces do not have IP addresses.
• Layer 3—The network layer, which is primarily responsible for the
routing of data in packets across logical internetwork paths. This routing
is accomplished through the use of IP addresses.
Duplex The interface transmission mode:
• None—The transmission mode is returned to its device-specific default
setting.
• Full—The interface transmits and receives at the same time (full
duplex).
• Half—The interface can transmit or receive, but not at the same time
(half duplex). This is the default.
Router Interfaces Page
OL-16066-01
• Auto—The router automatically detects and sets the appropriate
transmission mode, either full or half duplex.
Note When using Auto mode, be sure that the port on the active network
device to which you connect this interface is also set to automatically
negotiate the transmission mode. Otherwise, select the appropriate
fixed mode.
Note You can configure a duplex value only if you set the Speed to a fixed
speed, not Auto.
Note This setting does not apply to serial, HSSI, ATM, PRI, DSL, tunnel,
or loopback interfaces.
User Guide for Cisco Security Manager 3.2
K-21
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-10 Create Router Interface Dialog Box (Continued)
Speed Applies only to Fast Ethernet and Gigabit Ethernet interfaces.
The speed of the interface:
• 10—10 megabits per second (10Base-T networks).
• 100—100 megabits per second (100Base-T networks). This is the
default for Fast Ethernet interfaces.
• 1000—1000 megabits per second (Gigabit Ethernet networks). This is
the default for Gigabit Ethernet interfaces.
• Auto—The router automatically detects and sets appropriate interface
speed.
Note When using Auto mode, be sure that the port on the active network
device to which you connect this interface is also set to automatically
negotiate the transmission speed. Otherwise, select the appropriate
fixed speed.
MTU The maximum transmission unit, which refers to the maximum packet size,
in bytes, that this interface can handle.
Valid values for serial, Ethernet, and Fast Ethernet interfaces range from 64
to 17940 bytes.
Valid values for Gigabit Ethernet interfaces range from 1500 to 9216 bytes.
Encapsulation The type of encapsulation performed by the interface:
• None—No encapsulation.
• DOT1Q—VLAN encapsulation, as defined by the IEEE 802.1Q
standard. Applies only to Ethernet subinterfaces.
• Frame Relay—IETF Frame Relay encapsulation. Applies only to serial
interfaces (not serial subinterfaces).
Note IETF Frame Relay encapsulation provides interoperability between
a Cisco IOS router and equipment from other vendors. To configure
Cisco Frame Relay encapsulation, use CLI commands or
FlexConfigs.
User Guide for Cisco Security Manager 3.2
K-22
OL-16066-01
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-10 Create Router Interface Dialog Box (Continued)
VLAN ID Applies only to subinterfaces with encapsulation type DOT1Q.
The VLAN ID associated with this subinterface. The VLAN ID specifies
where 802.1Q tagged packets are sent and received on this subinterface;
without a VLAN ID, the subinterface cannot send or receive traffic. Valid
values range from 1 to 4094.
Note All VLAN IDs must be unique among all subinterfaces configured
on the same physical interface.
Tip To configure DOT1Q encapsulation on an Ethernet interface without
associating the VLAN with a subinterface, enter the vlan-id dot1q
command using CLI commands or FlexConfigs. See Understanding
FlexConfig Objects, page 9-52. Configuring VLANs on the main
interface increases the number of VLANs that can be configured on
the router.
Native VLAN Applies only when the encapsulation type is DOT1Q and you are configuring
a physical interface that is meant to serve as an 802.1Q trunk interface.
Trunking is a way to carry traffic from several VLANs over a point-to-point
link between two devices.
When selected, the Native VLAN is associated with this interface, using the
ID specified in the VLAN ID field. (If no VLAN ID is specified for the
Native VLAN, the default is 1.) The native VLAN is the VLAN to which all
untagged VLAN packets are logically assigned by default. This includes the
management traffic associated with the VLAN. If no VLAN ID is defined,
the default is 1.
OL-16066-01
For example, if the VLAN ID of this interface is 1, all incoming untagged
packets and packets with VLAN ID 1 are received on the main interface and
not on a subinterface. Packets sent from the main interface are transmitted
without an 802.1Q tag.
When deselected, the Native VLAN is not associated with this interface.
Note The Native VLAN cannot be configured on a subinterface of the
trunk interface. Be sure to configure the same Native VLAN value at
both ends of the link; otherwise, traffic may be lost or sent to the
wrong VLAN.
User Guide for Cisco Security Manager 3.2
K-23
Appendix K Router Platform User Interface Reference
Router Interfaces Page
Table K-10 Create Router Interface Dialog Box (Continued)
DLCI Applies only to serial subinterfaces with Frame Relay encapsulation.
Enter the data-link connection identifier to associate with the subinterface.
Valid values range from 16 to 1007.
Note Security Manager configures serial subinterfaces as point-to-point
not multipoint.
Description Additional information about the interface (up to 1024 characters).
Roles The interface roles assigned to this interface. A message is displayed if no
roles have yet been assigned.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Interface Auto Name Generator Dialog Box
K-24
Use the Interface Auto Name Generator dialog box to have Security Manager
generate a name for the interface based on the interface type and its location in
the router.
Navigation Path
Go to the Create Router Interface Dialog Box, page K-18, select Interface from
the Type list, then click Select in the Name field.
Related Topics
• Generating an Interface Name, page 15-26
• Router Interfaces Page, page K-17
• Basic Interface Settings on Cisco IOS Routers, page 15-20
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Field Reference
Table K-11 Interface Auto Name Generator Dialog Box
Element Description
Type The type of interface. Your selection from this list forms the first part of the
generated name, as displayed in the Result field. For more information, see
Table 15-1 on page 15-21.
Card The card related to the interface.
Note When defining a BVI interface, enter the number of the
corresponding bridge group.
Slot The slot related to the interface.
Port The port related to the interface.
Note The information you enter in these fields forms the remainder of the
generated name, as displayed in the Result field.
Result The name generated by Security Manager from the information you entered
for the interface type and location. The name displayed in this field is
read-only.
Tip After closing this dialog box, you can edit the generated name in the
Create Router Interface dialog box, if required.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are
not lost when you log out or close your client, click Save on the
source page.
Advanced Interface Settings Page
Use the Advanced Interface Settings page to view, create, edit, and delete
advanced interface definitions (physical and virtual) on a selected Cisco IOS
router. Examples of advanced settings include Cisco Discovery Protocol (CDP)
settings, ICMP message settings, and virtual fragment reassembly settings.
For more information, see Advanced Interface Settings on Cisco IOS Routers,
page 15-28.
User Guide for Cisco Security Manager 3.2
OL-16066-01
K-25
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Navigation Path
• (Device view) Select Interfaces > Settings > Advanced Settings from the
Policy selector.
• (Policy view) Select Router Interfaces > Settings > Advanced Settings
from the Policy Type selector. Right-click Advanced Settings to create a
policy, or select an existing policy from the Shared Policy selector.
Related Topics
• Router Interfaces Page, page K-17
• Available Interface Types, page 15-21
• Deleting a Cisco IOS Router Interface, page 15-27
Field Reference
Table K-12 Advanced Interface Settings Page
Element Description
Filter Enables you to filter the information displayed in the table. For more
information, see Filtering Tables, page 3-24.
Interface The interface or interface role for which advanced settings are defined.
Max Bandwidth The bandwidth value to communicate to higher-level protocols in kilobits
per second (kbps).
Load Interval The length of time used to calculate the average load for this interface.
CDP Indicates whether CDP and CDP logging are enabled on this interface.
Redirects Indicates whether ICMP redirect messages are enabled on this interface.
Unreachables Indicates whether ICMP unreachable messages are enabled on this interface.
Mask Reply Indicates whether ICMP mask reply messages are enabled on this interface.
Directed Broadcasts Indicates whether directed broadcasts that are intended for the subnet to
which this interface is attached are exploded as broadcasts on that subnet.
Add button Opens the Advanced Interface Settings Dialog Box, page K-27. From here
you can define advanced settings on the selected interface.
Edit button Opens the Advanced Interface Settings Dialog Box, page K-27. From here
you can edit the selected interface.
Delete button Deletes the selected advanced interface definitions from the table.
K-26
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Table K-12 Advanced Interface Settings Page (Continued)
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.
Advanced Interface Settings Dialog Box
Use the Advanced Interface Settings dialog box to define a variety of advanced
settings on a selected interface, including:
• Cisco Discovery Protocol (CDP) settings.
• Internet Control Message Protocol (ICMP) settings.
• Virtual fragmentation reassembly (VFR) settings.
• Directed broadcast settings.
OL-16066-01
• Load interval for determining the average load.
• Enabling proxy ARP.
• Enabling NBAR protocol discovery.
Navigation Path
Go to the Never Block Networks Dialog Box, page N-132, then click the Add or
Edit button beneath the table.
Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Advanced Interface Settings on Cisco IOS Routers, page 15-28
• Deleting a Cisco IOS Router Interface, page 15-27
• Available Interface Types, page 15-21
User Guide for Cisco Security Manager 3.2
K-27
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Field Reference
Table K-13 Advanced Interface Settings Dialog Box
Element Description
Interface The interface on which the advanced settings are defined. Enter the name of
an interface or interface role, or click Select to display an Object Selectors,
page F-593.
If the interface role you want is not listed, click the Create button in the
selector to display the Interface Role Dialog Box, page F-464. From here
you can create an interface role object.
Note You can define only one set of advanced settings per interface.
Note The only advanced settings supported on Layer 2 interfaces are Max.
Bandwidth, Load Interval, and CDP.
Max Bandwidth The bandwidth value to communicate to higher-level protocols in kilobits
per second (kbps).
Note The value you define in this field is an informational parameter only;
it does not affect the physical interface.
Load Interval The length of time, in seconds, used to calculate the average load on the
interface. Valid values range from 30 to 600 seconds, in multiples of 30
seconds. The default is 300 seconds (5 minutes).
Modify the default to shorten the length of time over which load averages are
computed. You can do this if you want load computations to be more reactive
to short bursts of traffic.
K-28
Load data is gathered every 5 seconds. This data is used to compute load
statistics, including input/output rate in bits and packets per second, load,
and reliability. Load data is computed using a weighted-average calculation
in which recent load data has more weight in the computation than older load
data.
Tip You can use this option to increase or decrease the likelihood of
activating a backup interface; for example, a backup dial interface
may be triggered by a sudden spike in the load on an active interface.
Note Load interval is not supported on subinterfaces.
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
Table K-13 Advanced Interface Settings Dialog Box (Continued)
Advanced Interface Settings Page
TCP Maximum
Segment Size
The maximum segment size (MSS) of TCP SYN packets that pass through
this interface. Valid values range from 500 to 1460 bytes. If you do not
specify a value, the MSS is determined by the originating host.
This option helps prevent TCP sessions from being dropped as they pass
through the router. Use this option when the ICMP messages that perform
auto-negotiation of TCP frame size are blocked (for example, by a firewall).
We highly recommend using this option on the tunnel interfaces of DMVPN
networks.
For more information, see TCP MSS Adjustment at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_featur
e_guide09186a00804247fc.html
Note Typically, the optimum MSS is 1452 bytes. This value plus the
20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE
header add up to a 1500-byte packet that matches the MTU size for
the Ethernet link.
Helper Addresses The helper addresses that are used to forward User Datagram Protocol
(UDP) broadcasts that are received on this interface. Enter one or more
addresses or network/host objects, or click Select to display an Object
Selectors, page F-593.
If the network you want is not listed, click the Create button in the selector
to display the Network/Host Dialog Box, page F-477. From here, you can
define a network/host object.
OL-16066-01
By default, routers do not forward broadcasts outside of their subnet. Helper
addresses provide a solution by enabling the router to forward certain types
of UDP broadcasts as a unicast to an address on the destination subnet.
For more information, see Understanding Helper Addresses, page 15-29.
User Guide for Cisco Security Manager 3.2
K-29
Appendix K Router Platform User Interface Reference
Advanced Interface Settings Page
Table K-13 Advanced Interface Settings Dialog Box (Continued)
Cisco Discovery Protocol settings
Enable CDP When selected, the Cisco Discovery Protocol (CDP) is enabled on this
interface. This the default.
When deselected, CDP is disabled on this interface.
CDP is a media- and protocol-independent device-discovery protocol that
runs on all Cisco-manufactured equipment including routers, access servers,
bridges, and switches. It is primarily used to obtain protocol addresses of
neighboring devices and discover the platform of those devices.
Note ATM interfaces do not support CDP.
Log CDP Messages Applies only to Ethernet interfaces.
When selected, duplex mismatches for this interface are displayed in a log.
This is the default.
When deselected, duplex mismatches for this interface are not logged.
NetFlow settings
Enable Ingress
Accounting
When selected, NetFlow accounting is enabled on traffic arriving on this
interface.
When deselected, NetFlow accounting on arriving traffic is disabled. This is
the default.
Enable Egress
Accounting
User Guide for Cisco Security Manager 3.2
K-30
Cisco IOS NetFlow provides the metering base for a key set of applications
including network traffic accounting, usage-based network billing, network
planning, as well as Denial Services monitoring capabilities, network
monitoring, outbound marketing, and data mining capabilities for both
service provider and enterprise customers.
Note You must use the CLI or FlexConfigs to enable Cisco Express
Forwarding (CEF) or distributed CEF (dCEF) before using this
option.
When selected, enables NetFlow accounting on traffic leaving this interface.
When deselected, disables NetFlow accounting on traffic leaving this
interface. This is the default.
Note You must use the CLI or FlexConfigs to enable Cisco Express
Forwarding (CEF) or distributed CEF (dCEF) before using this
option.
OL-16066-01
Loading...