Cisco Systems OL-16066-01 User Manual

APPENDIX K
Router Platform User Interface Reference
NAT policies:
NAT Policy Page, page K-3
Interface policies:
Router Interfaces Page, page K-17
Never Block Networks Dialog Box, page N-132
AIM-IPS Interface Settings Page, page K-34
Dialer Policy Page, page K-36
ADSL Policy Page, page K-42
SHDSL Policy Page, page K-47
PVC Policy Page, page K-54
PPP/MLP Policy Page, page K-76
Device Admin policies:
AAA Policy Page, page K-87
Accounts and Credentials Policy Page, page K-98
Bridging Policy Page, page K-102
Clock Policy Page, page K-104
User Guide for Cisco Security Manager 3.2
CPU Policy Page, page K-107
Device Access policies:
HTTP Policy Page, page K-110
Console Policy Page, page K-117
VTY Policy Page, page K-129
Secure Shell Policy Page, page K-147
SNMP Policy Page, page K-149
DNS Policy Page, page K-158
Hostname Policy Page, page K-160
Memory Policy Page, page K-161
Secure Device Provisioning Policy Page, page K-163
Server Access policies:
DHCP Policy Page, page K-167
NTP Policy Page, page K-174
Identity policies:
802.1x Policy Page, page K-179
Network Admission Control Policy Page, page K-183
Logging policies:
Logging Setup Policy Page, page K-192
Syslog Servers Policy Page, page K-197
Quality of Service policies:
Quality of Service Policy Page, page K-199
Routing policies:
BGP Routing Policy Page, page K-219
EIGRP Routing Policy Page, page K-226
OSPF Interface Policy Page, page K-236
OSPF Process Policy Page, page K-243
RIP Routing Policy Page, page K-255
Static Routing Policy Page, page K-263
Tip: Use the Policy Management page in the Security Manager Administration window to control which router platform policy pages are available in Security Manager. For more information, see Policy Management Page, page A-40.

NAT Policy Page

You can configure NAT policies on a Cisco IOS router from the following tabs on the NAT policy page:
NAT Page—Interface Specification Tab, page K-3
NAT Page—Static Rules Tab, page K-6
NAT Page—Dynamic Rules Tab, page K-12
NAT Page—Timeouts Tab, page K-15
Network Address Translation (NAT) converts private, internal LAN addresses into globally routable IP addresses. NAT enables a small number of public IP addresses to provide global connectivity for a large number of hosts.
For more information, see NAT on Cisco IOS Routers, page 15-5.
Navigation Path
• (Device view) Select NAT from the Policy selector.
• (Policy view) Select NAT (Router) from the Policy Type selector.
Right-click NAT (Router) to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Chapter K, “Router Platform User Interface Reference”
NAT Page—Interface Specification Tab
Use the NAT Interface Specification tab to define the inside and outside interfaces on the router used for NAT. Inside interfaces are interfaces that connect to the private networks served by the router. Outside interfaces are interfaces that connect to the WAN or the Internet.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Interface Specification tab.
Related Topics
NAT Page—Static Rules Tab, page K-6
NAT Page—Dynamic Rules Tab, page K-12
NAT Page—Timeouts Tab, page K-15
Field Reference
Table K-1 NAT Interface Specification Tab
NAT Inside Interfaces: The interfaces that act as the inside interfaces for address translation. Click Edit to display the Edit Interfaces Dialog Box—NAT Inside Interfaces, page K-4. From here you can define these interfaces.
NAT Outside Interfaces: The interfaces that act as the outside interfaces for address translation. Click Edit to display the Edit Interfaces Dialog Box—NAT Outside Interfaces, page K-5. From here you can define these interfaces.
Save button: Saves your changes to the Security Manager server but keeps them private. Note: To publish your changes, click the Submit button on the toolbar.
Edit Interfaces Dialog Box—NAT Inside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will act as the inside interfaces for address translation. Inside interfaces typically connect to a LAN that the router serves.
Navigation Path
Go to the NAT Page—Interface Specification Tab, page K-3, then click the Edit button in the NAT Inside Interfaces field.
Related Topics
Designating Inside and Outside Interfaces, page 15-6
Edit Interfaces Dialog Box—NAT Outside Interfaces, page K-5
Field Reference
Table K-2 Edit Interfaces Dialog Box—NAT Inside Interfaces
Interfaces: The interfaces that act as the inside interfaces for address translation. You can enter interfaces, interface roles, or both. For more information, see Specifying Interfaces During Policy Definition, page 9-135.
Select button: Opens an object selector (see Object Selectors, page F-593) for selecting interfaces and interface roles. Using the selector eliminates the need to enter this information manually. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
OK button: Saves your changes and closes the dialog box. Your selections are displayed in the NAT Inside Interfaces field of the NAT Interface Specification tab.
Edit Interfaces Dialog Box—NAT Outside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will act as the outside interfaces for address translation. Outside interfaces typically connect to your organization’s WAN or to the Internet.
Navigation Path
Go to the NAT Page—Interface Specification Tab, page K-3, then click the Edit button in the NAT Outside Interfaces field.
Related Topics
Designating Inside and Outside Interfaces, page 15-6
Edit Interfaces Dialog Box—NAT Inside Interfaces, page K-4
Field Reference
Table K-3 Edit Interfaces Dialog Box—NAT Outside Interfaces
Interfaces: The interfaces that act as the outside interfaces for address translation. You can enter interfaces, interface roles, or both. For more information, see Specifying Interfaces During Policy Definition, page 9-135.
Select button: Opens an object selector (see Object Selectors, page F-593) for selecting interfaces and interface roles. Using the selector eliminates the need to enter this information manually. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
OK button: Saves your changes and closes the dialog box. Your selections are displayed in the NAT Outside Interfaces field of the NAT Interface Specification tab.
NAT Page—Static Rules Tab
Use the NAT Static Rules tab to create, edit, and delete static address translation rules. For more information, see Defining Static NAT Rules, page 15-8.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Static Rules tab.
Related Topics
NAT Page—Interface Specification Tab, page K-3
NAT Page—Dynamic Rules Tab, page K-12
NAT Page—Timeouts Tab, page K-15
Field Reference
Table K-4 NAT Static Rules Tab
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Original Address: The original address (and optionally, the subnet mask) that is being translated.
Translated Address: The IP address to which the traffic is translated.
Port Redirection: (When the static rule is defined on a port) Information about the port that is being translated, including the local and global port numbers.
Advanced: The advanced options that are enabled.
Add button: Opens the NAT Static Rule Dialog Box, page K-7. From here you can create a static translation rule.
Edit button: Opens the NAT Static Rule Dialog Box, page K-7. From here you can edit the selected static translation rule.
Delete button: Deletes the selected static translation rules from the table.
Save button: Saves your changes to the Security Manager server but keeps them private. Note: To publish your changes, click the Submit icon on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

NAT Static Rule Dialog Box

Use the NAT Static Rule dialog box to add or edit static address translation rules.
Navigation Path
Go to the NAT Page—Static Rules Tab, page K-6, then click the Add or Edit button beneath the table.
Related Topics
Defining Static NAT Rules, page 15-8
Disabling the Alias Option for Attached Subnets, page 15-15
Disabling the Payload Option for Overlapping Networks, page 15-15
Basic Interface Settings on Cisco IOS Routers, page 15-20
Understanding Interface Role Objects, page 9-132
Field Reference
Table K-5 NAT Static Rule Dialog Box
Static Rule Type: The type of local address requiring translation by this static rule:
Static Host—A single host requiring static address translation.
Static Network—A subnet requiring static address translation.
Static Port—A single port requiring static address translation. If you select this option, you must define port redirection parameters.
Original Address: Enter an address or the name of a network/host object, or click Select to display an object selector (see Object Selectors, page F-593).
When Static Network is selected as the Static Rule Type, this field defines the network address and subnet mask. For example, to create one-to-one mappings from each private address in a subnet to the corresponding inside global address, enter the address of the subnet you want translated, then enter the network mask in the Mask field.
When Static Port or Static Host is selected as the Static Rule Type, this field defines the IP address only. For example, to create a one-to-one mapping for a single host, enter the IP address of the host to translate. Do not enter a subnet mask in the Mask field.
If the network or host you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477. From here you can define a network/host object.
Note: We recommend not entering a local address belonging to this router, because it could cause Security Manager management traffic to be translated. Translating this traffic causes a loss of communication between the router and Security Manager.
Translated Address: The type of address translation to perform:
Specify IP—The IP address that acts as the translated address. Enter an address or the name of a network/host object in the Translated IP/Network field, or click Select to display an object selector (see Object Selectors, page F-593).
If you selected Static Port or Static Host as the static rule type (to create a one-to-one mapping between a single inside local address and a single inside global address), enter the global address in this field. A subnet mask is not required.
If you selected Static Network as the static rule type (to map the original, local addresses of a subnet to the corresponding global addresses), enter the IP address that you want to use in the translation in this field. The network mask is taken automatically from the mask entered in the Original Address field.
If the network or host you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477. From here you can define a network/host object.
Use Interface IP—The interface whose address should be used as the translated address. (This is typically the interface from which translated packets leave the router.) Enter the name of an interface or interface role in the Interface field, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button or the Edit button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
Note: The Use Interface IP option is not available when Static Network is the selected static rule type. Only one static rule may be defined per interface.
Port Redirection: Applies only when Static Port is the selected static rule type.
Redirect Port—When selected, specifies port information for the inside device in the translation. This enables you to use the same public IP address for multiple devices as long as the port specified for each device is different. Enter information in the following fields:
Protocol—The protocol type: TCP or UDP.
Local Port—The port number on the inside (local) host. Valid values range from 1 to 65535.
Global Port—The port number on the destination network that the router is to use for this translation. Valid values range from 1 to 65535.
When deselected, port information is not included in the translation.
Advanced: Applies only when using the Specify IP option for address translation. Defines advanced options:
No Alias—When selected, prohibits an alias from being created for the global address. The alias option is used to answer Address Resolution Protocol (ARP) requests for global addresses that are allocated by NAT. You can disable this feature for static entries by selecting the No Alias check box. When deselected, global address aliases are permitted.
No Payload—When selected, prohibits an embedded address or port in the payload from being translated. The payload option performs NAT between devices on overlapping networks that share the same IP address. When an outside device sends a DNS query to reach an inside device, the local address inside the payload of the DNS reply is translated to a global address according to the relevant NAT rule. You can disable this feature by selecting the No Payload check box. When deselected, embedded addresses and ports in the payload may be translated, as described above.
Create Extended Translation Entry—When selected, creates an extended translation entry (addresses and ports). This enables you to associate multiple global addresses with a single local address. This is the default. When deselected, creates a simple translation entry that associates a single global address with the local address.
OK button: Saves your changes locally on the client and closes the dialog box. Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
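The IOS command each static rule deploys as, with the dialog's own constraints enforced, as an added example (not Security Manager's code or output): the three rule types, the no-mask rule for Static Host and Static Port, the 1 to 65535 port range, the Advanced keywords that apply only with Specify IP, the Static Network restriction on Use Interface IP, and the Note about this router's own addresses. It assumes IPv4 addresses, renders Use Interface IP for Static Port rules only (the form whose IOS syntax is fixed), and uses constructed addresses and interface names.

```python
# Added example, not Security Manager code: render one NAT Static Rule dialog
# entry as its "ip nat inside source static" command, enforcing the dialog's
# rules. Assumptions: IPv4 only; Use Interface IP rendered for port rules only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass
class StaticRule:
    rule_type: str                       # "host", "network" or "port"
    original: str                        # Original Address ("a.b.c.d/len" for network rules)
    translated_ip: Optional[str] = None  # Translated Address: Specify IP
    interface: Optional[str] = None      # Translated Address: Use Interface IP
    protocol: Optional[str] = None       # Port Redirection: "tcp" or "udp"
    local_port: Optional[int] = None     # Port Redirection: Local Port
    global_port: Optional[int] = None    # Port Redirection: Global Port
    no_alias: bool = False               # Advanced: No Alias
    no_payload: bool = False             # Advanced: No Payload
    extendable: bool = True              # Advanced: Create Extended Translation Entry (default on)


def _port(name: str, value: Optional[int]) -> int:
    if not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValueError(f"{name} must be 1-65535, got {value!r}")
    return value


def render_static_rule(rule: StaticRule, router_addresses: Iterable[str] = ()) -> str:
    """Return the IOS command for one static rule, or raise ValueError."""
    if (rule.translated_ip is None) == (rule.interface is None):
        raise ValueError("select exactly one of Specify IP or Use Interface IP")
    if rule.interface is not None:
        if rule.no_alias or rule.no_payload or not rule.extendable:
            raise ValueError("Advanced options apply only with Specify IP")
        opts = ""
    else:   # Advanced keywords, in the order the IOS syntax lists them
        opts = "".join(kw for kw, on in ((" extendable", rule.extendable),
                                         (" no-alias", rule.no_alias),
                                         (" no-payload", rule.no_payload)) if on)

    if rule.rule_type == "network":
        if rule.interface is not None:
            raise ValueError("Use Interface IP is not available for Static Network")
        local = ip_network(rule.original, strict=True)   # address and mask required
        if local.prefixlen == 32:
            raise ValueError("Static Network needs a subnet mask in the Mask field")
        # The global network takes its mask from the Original Address mask
        glob = ip_network(f"{rule.translated_ip}/{local.prefixlen}", strict=True)
        return (f"ip nat inside source static network {local.network_address} "
                f"{glob.network_address} /{local.prefixlen}{opts}")

    # Static Host and Static Port take a single address, no mask
    if "/" in rule.original:
        raise ValueError("Static Host and Static Port take an IP address without a mask")
    local_ip = ip_address(rule.original)
    if local_ip in {ip_address(a) for a in router_addresses}:
        raise ValueError(f"{local_ip} belongs to this router; translating it would "
                         "break Security Manager management traffic")

    if rule.rule_type == "host":
        if rule.interface is not None:
            raise ValueError("example supports Use Interface IP for Static Port only")
        return f"ip nat inside source static {local_ip} {ip_address(rule.translated_ip)}{opts}"

    if rule.rule_type == "port":
        if rule.protocol not in ("tcp", "udp"):
            raise ValueError("Static Port needs Redirect Port with Protocol TCP or UDP")
        lport, gport = _port("Local Port", rule.local_port), _port("Global Port", rule.global_port)
        target = (f"interface {rule.interface}" if rule.interface
                  else str(ip_address(rule.translated_ip)))
        return (f"ip nat inside source static {rule.protocol} {local_ip} {lport} "
                f"{target} {gport}{opts}")

    raise ValueError(f"unknown Static Rule Type {rule.rule_type!r}")


def static_rule_problem(rule: StaticRule, router_addresses: Iterable[str] = ()) -> Optional[str]:
    """Validation wrapper: the error message for a bad rule, None for a good one."""
    try:
        render_static_rule(rule, router_addresses)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    router = ("10.1.1.1", "203.0.113.1")   # constructed: this router's own addresses
    print(render_static_rule(StaticRule("host", "10.1.1.5", translated_ip="203.0.113.5"), router))
    print(render_static_rule(StaticRule("network", "10.1.1.0/24", translated_ip="203.0.113.0"), router))
    print(render_static_rule(StaticRule("port", "10.1.1.10", interface="GigabitEthernet0/0",
                                        protocol="tcp", local_port=80, global_port=8080), router))
    print(static_rule_problem(StaticRule("host", "10.1.1.1", translated_ip="203.0.113.9"), router))
```

Run it on a rule that names one of the router's own addresses and static_rule_problem returns the management-traffic warning instead of a command, which is the check the Note above asks you to make by hand.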
NAT Page—Dynamic Rules Tab
Use the NAT Dynamic Rules tab to create, edit, and delete dynamic address translation rules. A dynamic address translation rule dynamically maps hosts to addresses, using either the globally registered IP address of a specific interface or addresses included in an address pool that are globally unique in the destination network.
For more information, see Defining Dynamic NAT Rules, page 15-16.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Dynamic Rules tab.
Related Topics
NAT Page—Interface Specification Tab, page K-3
NAT Page—Static Rules Tab, page K-6
NAT Page—Timeouts Tab, page K-15
Field Reference
Table K-6 NAT Dynamic Rules Tab
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Traffic Flow: The ACL that defines the traffic that is being translated.
Translated Address: Indicates whether the translated address is based on an interface or on a defined address pool.
Port Translation: Indicates whether Port Address Translation (PAT) is being used by this dynamic NAT rule.
Add button: Opens the NAT Dynamic Rule Dialog Box, page K-13. From here you can create a dynamic translation rule.
Edit button: Opens the NAT Dynamic Rule Dialog Box, page K-13. From here you can edit the selected dynamic translation rule.
Delete button: Deletes the selected dynamic translation rules from the table.
Save button: Saves your changes to the Security Manager server but keeps them private. Note: To publish your changes, click the Submit icon on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

NAT Dynamic Rule Dialog Box

Use the NAT Dynamic Rule dialog box to add or edit dynamic address translation rules.
Navigation Path
Go to the NAT Page—Dynamic Rules Tab, page K-12, then click the Add or Edit button beneath the table.
Related Topics
Defining Dynamic NAT Rules, page 15-16
Understanding Access Control List Objects, page 9-30
Basic Interface Settings on Cisco IOS Routers, page 15-20
Understanding Interface Role Objects, page 9-132
Field Reference
Table K-7 NAT Dynamic Rule Dialog Box
Traffic Flow: Access List—The extended ACL that specifies the traffic requiring dynamic translation. Enter the name of an ACL object, or click Select to display an object selector (see Object Selectors, page F-593).
If the ACL you want is not listed, click the Create button in the selector to display the dialog box for defining an extended ACL object. For more information, see Add and Edit Extended Access List Pages, page F-34.
Note: Make sure that the ACL you select does not permit the translation of Security Manager management traffic over any device address on this router. Translating this traffic causes a loss of communication between the router and Security Manager.
Translated Address: The method for performing dynamic address translation:
Interface—The router interface used for address translation. PAT is used to distinguish each host on the network. Enter the name of an interface or interface role, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
Address Pool—Translates addresses using a set of addresses defined in an address pool. Enter one or more address ranges, including the prefix, using the format min1-max1/prefix (in CIDR notation). You can add as many address ranges to the address pool as required, but all ranges must share the same prefix. Separate multiple entries with commas.
Enable Port Translation (Overload): When selected, the router uses Port Address Translation (PAT, the IOS overload option), so that many inside hosts can share a translated address, distinguished by port number; with an address pool, this keeps translation working when the pool of available addresses runs out. When deselected, PAT is not used.
Note: PAT is selected by default when you use an interface on the router as the translated address.
Do Not Translate VPN Traffic (Site-to-Site VPN only): This setting applies only where the NAT ACL overlaps the crypto ACL used by the site-to-site VPN. Because the router applies NAT before the crypto map check on the outbound path, traffic from an address within this overlap would be translated, no longer match the crypto ACL, and be sent unencrypted. Leaving this check box selected prevents that from happening.
When selected, address translation is not performed on VPN traffic.
When deselected, the router performs address translation on VPN traffic where the NAT ACL and the crypto ACL overlap.
Note: We recommend that you leave this check box selected, even when performing NAT into IPsec, because this setting does not interfere with the translation that is performed to avoid a clash between two networks sharing the same set of internal addresses.
Note: This option does not apply to remote access VPNs.
OK button: Saves your changes locally on the client and closes the dialog box. Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
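An added example (not Security Manager code) of the two checks the Notes in this table call for, written against IOS extended ACLs reduced to permit/deny ip source/destination entries: whether a NAT ACL would translate this router's own traffic to the Security Manager server, and whether it overlaps a site-to-site crypto ACL so that VPN traffic would be translated and therefore sent in the clear. The fix it shows, denying the crypto ACL's flows ahead of the NAT permits, is the usual CLI way to obtain the effect of Do Not Translate VPN Traffic; how Security Manager itself implements the option is not stated on this page. It also parses the min1-max1/prefix pool string described above and renders the Interface and Address Pool forms of a dynamic rule. Addresses and the names NAT-INSIDE and NAT-POOL are constructed, and only IPv4 is handled.

```python
# Added example, not Security Manager code: the checks behind the Notes in the
# NAT Dynamic Rule dialog, the pool-string parser, and the IOS commands a
# dynamic rule maps to. Assumptions: IPv4 only; an ACL is a list of
# "permit/deny ip <src> <dst>" entries; NAT-INSIDE and NAT-POOL are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


def net(spec: str) -> IPv4Network:
    """'any', 'a.b.c.d' or 'a.b.c.d/len' -> network object."""
    return ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


@dataclass
class Ace:
    src: IPv4Network
    dst: IPv4Network
    permit: bool = True


def _acl_part(n: IPv4Network) -> str:
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.hostmask}"   # IOS wildcard mask


def render_acl(name: str, aces: List[Ace]) -> List[str]:
    """The 'ip access-list extended' block for a Traffic Flow ACL."""
    lines = [f"ip access-list extended {name}"]
    for a in aces:
        lines.append(f" {'permit' if a.permit else 'deny'} ip {_acl_part(a.src)} {_acl_part(a.dst)}")
    return lines


def _first_match(acl: List[Ace], src: IPv4Network, dst: IPv4Network) -> Optional[Ace]:
    """First entry that can match src->dst traffic (IOS evaluates ACLs top down)."""
    for a in acl:
        if a.src.overlaps(src) and a.dst.overlaps(dst):
            return a
    return None


def management_translated(nat_acl: List[Ace], router_ip: str, csm_server: str) -> bool:
    """Note 1: would the NAT ACL translate this router's own traffic to Security Manager?"""
    hit = _first_match(nat_acl, net(router_ip), net(csm_server))
    return hit is not None and hit.permit


def vpn_traffic_translated(nat_acl: List[Ace], crypto_acl: List[Ace]) -> List[Ace]:
    """Note 2: crypto ACL entries whose traffic the NAT ACL still translates.
    Outbound, NAT runs before the crypto check, so these flows would leave in the clear."""
    exposed = []
    for c in crypto_acl:
        if not c.permit:
            continue
        hit = _first_match(nat_acl, c.src, c.dst)
        exempt = (hit is not None and not hit.permit
                  and c.src.subnet_of(hit.src) and c.dst.subnet_of(hit.dst))
        if hit is not None and not exempt:   # permitted, or only partly denied
            exposed.append(c)
    return exposed


def exempt_vpn_traffic(nat_acl: List[Ace], crypto_acl: List[Ace]) -> List[Ace]:
    """What 'Do Not Translate VPN Traffic' must achieve: deny the VPN flows first."""
    return [Ace(c.src, c.dst, permit=False) for c in crypto_acl if c.permit] + list(nat_acl)


def parse_pool(spec: str) -> Tuple[List[Tuple[IPv4Address, IPv4Address]], int]:
    """Parse the dialog's 'min1-max1/prefix, min2-max2/prefix' address pool string."""
    ranges, prefixes = [], set()
    for item in spec.split(","):
        rng, prefix = item.strip().split("/")
        lo, hi = (ip_address(x.strip()) for x in rng.split("-"))
        if hi < lo:
            raise ValueError(f"range {item.strip()} is reversed")
        ranges.append((lo, hi))
        prefixes.add(int(prefix))
    if len(prefixes) != 1:
        raise ValueError("all address ranges in the pool must share the same prefix")
    return ranges, prefixes.pop()


def render_dynamic_rule(acl_name: str, interface: Optional[str] = None,
                        pool_spec: Optional[str] = None, pool_name: str = "NAT-POOL",
                        overload: bool = True) -> List[str]:
    """IOS commands for one dynamic rule: Interface or Address Pool, with or without PAT."""
    tail = " overload" if overload else ""
    if interface:
        return [f"ip nat inside source list {acl_name} interface {interface}{tail}"]
    if not pool_spec:
        raise ValueError("choose either Interface or Address Pool")
    ranges, prefix = parse_pool(pool_spec)
    if len(ranges) == 1:
        lines = [f"ip nat pool {pool_name} {ranges[0][0]} {ranges[0][1]} prefix-length {prefix}"]
    else:   # several ranges: pool sub-mode, one address line per range
        lines = [f"ip nat pool {pool_name} prefix-length {prefix}"]
        lines += [f" address {lo} {hi}" for lo, hi in ranges]
    lines.append(f"ip nat inside source list {acl_name} pool {pool_name}{tail}")
    return lines


if __name__ == "__main__":
    nat = [Ace(net("10.1.1.0/24"), net("any"))]               # constructed NAT ACL
    crypto = [Ace(net("10.1.1.0/24"), net("10.2.2.0/24"))]    # constructed crypto ACL
    print("VPN traffic translated:", vpn_traffic_translated(nat, crypto))
    print("\n".join(render_acl("NAT-INSIDE", exempt_vpn_traffic(nat, crypto))))
    print("mgmt translated:", management_translated(nat, "10.1.1.1", "192.0.2.50"))
    print("\n".join(render_dynamic_rule("NAT-INSIDE", pool_spec="203.0.113.10-203.0.113.20/24")))
```

The overlap check is order-aware: a deny that fully covers a crypto entry exempts it, while a partial deny is still reported, so the same function can be run before and after the exemption entries are added. The management check uses the same first-match logic with the router's address and the Security Manager server as the flow.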
NAT Page—Timeouts Tab
Use the NAT Timeouts tab to view or modify the default timeout values for PAT (overload) translations. These timeouts cause a dynamic translation to expire after a defined period of non-use. In addition, you can use this page to place a limit on the number of entries allowed in the dynamic NAT table and to modify the default timeout on all dynamic translations that are not PAT translations.
Note: For more information about the Overload feature, see NAT Dynamic Rule Dialog Box, page K-13.
Navigation Path
Go to the NAT Policy Page, page K-3, then click the Timeouts tab.
Related Topics
Specifying NAT Timeouts, page 15-19
NAT Page—Interface Specification Tab, page K-3
NAT Page—Static Rules Tab, page K-6
NAT Page—Dynamic Rules Tab, page K-12
Field Reference
Table K-8 NAT Timeouts Tab
Max Entries: The maximum number of entries allowed in the dynamic NAT table. Values range from 1 to 2147483647. By default, this field is left blank, which means that the number of entries in the table is unlimited. Setting a limit bounds the memory a flood of new flows can consume; the timeouts below control how quickly idle entries are freed.
Timeout (sec.): The timeout value applied to all dynamic translations except PAT (overload) translations. The default is 86400 seconds (24 hours).
UDP Timeout (sec.): The timeout value applied to User Datagram Protocol (UDP) ports. The default is 300 seconds (5 minutes). Note: This value applies only when the Overload feature is enabled.
DNS Timeout (sec.): The timeout value applied to Domain Name System (DNS) server connections. The default is 60 seconds. Note: This value applies only when the Overload feature is enabled.
TCP Timeout (sec.): The timeout value applied to Transmission Control Protocol (TCP) ports. The default is 86400 seconds (24 hours). Note: This value applies only when the Overload feature is enabled.
FINRST Timeout (sec.): The timeout value applied when a Finish (FIN) packet or Reset (RST) packet (both of which terminate connections) is found in the TCP stream. The default is 60 seconds. Note: This value applies only when the Overload feature is enabled.
ICMP Timeout (sec.): The timeout value applied to Internet Control Message Protocol (ICMP) flows. The default is 60 seconds. Note: This value applies only when the Overload feature is enabled.
PPTP Timeout (sec.): The timeout value applied to NAT Point-to-Point Tunneling Protocol (PPTP) flows. The default is 86400 seconds (24 hours). Note: This value applies only when the Overload feature is enabled.
SYN Timeout (sec.): The timeout value applied to TCP flows after a synchronize (SYN) segment has been seen but before the connection is established, that is, to half-open translation entries. The default is 60 seconds. Note: This value applies only when the Overload feature is enabled.
Save button: Saves your changes to the Security Manager server but keeps them private. Note: To publish your changes, click the Submit button on the toolbar.
Router Interfaces Page
Use the Router Interfaces page to view, create, edit, and delete interface definitions (physical and virtual) on a selected Cisco IOS router. The Router Interfaces page displays interfaces that were discovered by Security Manager as well as interfaces added manually after you added the device to the system.
For more information, see Basic Interface Settings on Cisco IOS Routers, page 15-20.
Navigation Path
Select a Cisco IOS router from the Device selector, then select Interfaces > Interfaces from the Policy selector.
Related Topics
Available Interface Types, page 15-21
Deleting a Cisco IOS Router Interface, page 15-27
Field Reference
Table K-9 Router Interfaces Page
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface Type: The interface type. Subinterfaces are displayed indented beneath their parent interface.
Interface Name: The name of the interface.
Enabled: Indicates whether the interface is currently enabled (managed by Security Manager) or disabled (shutdown state).
IP Address: The IP address of interfaces defined with a static address.
IP Address Type: The type of IP address assigned to the interface: static, DHCP, PPPoE, or unnumbered. (For an unnumbered interface, the address is taken from the interface you select.)
Interface Role: The interface roles that are assigned to the selected interface.
Add button: Opens the Create Router Interface Dialog Box, page K-18. From here you can create an interface on the selected router.
Edit button: Opens the Create Router Interface Dialog Box, page K-18. From here you can edit the selected interface.
Delete button: Deletes the selected interfaces from the table.
Save button: Saves your changes to the Security Manager server but keeps them private. Note: To publish your changes, click the Submit button on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

Create Router Interface Dialog Box

Use the Create Router Interface dialog box to create and edit physical and virtual interfaces on the selected Cisco IOS router.
Note: Unlike other router policies, the Interfaces policy cannot be shared among multiple devices. The Advanced Settings policy, however, may be shared. See Local Policies vs. Shared Policies, page 7-4.
Navigation Path
Go to the Router Interfaces Page, page K-17, then click the Add or Edit button beneath the table.
Related Topics
Basic Interface Settings on Cisco IOS Routers, page 15-20
Deleting a Cisco IOS Router Interface, page 15-27
Never Block Networks Dialog Box, page N-132
Field Reference
Table K-10 Create Router Interface Dialog Box
Enabled: When selected, the router interface is enabled. When deselected, the router interface is in shutdown state; its definition is not deleted.
Type: Specifies whether you are defining an interface or subinterface.
Name: Applies only to interfaces. The name of the interface. Enter a name manually, or click Select to display a dialog box for generating a name automatically. See Interface Auto Name Generator Dialog Box, page K-24.
Note: Logical interfaces require a number after the name:
—The valid range for dialer interfaces is 0-799.
—The valid range for loopback interfaces is 0-2147483647.
—The valid range for BVI interfaces is 1-255.
—The only valid value for null interfaces is 0.
Parent: Applies only to subinterfaces. The parent interface of the subinterface. Select the parent interface from the displayed list.
Subinterface ID: Applies only to subinterfaces. The ID number of the subinterface.
IP: The source of the IP address for the interface:
Static IP—Defines a static IP address and subnet mask for the interface. Enter this information in the fields that appear below the option.
Note: You can define the mask using either dotted decimal (for example, 255.255.255.255) or CIDR notation (/32). See Contiguous and Discontiguous Network Masks, page 9-146.
DHCP—The interface obtains its IP address dynamically from a DHCP server.
PPPoE—The router automatically negotiates its own registered IP address from a central server (via PPP/IPCP). The following interface types support PPPoE: Async, Serial, High-Speed Serial Interface (HSSI), Dialer, BRI, PRI (ISDN), Virtual template, Multilink.
Unnumbered—The interface obtains its IP address from a different interface on the device. Choose an interface from the Interface list. This option can be used with point-to-point interfaces only.
Note: Layer 2 interfaces do not support IP addresses. Deployment fails if you define an IP address on a Layer 2 interface.
Layer Type: The OSI layer at which the interface is defined:
Unknown—The layer is unknown.
Layer 2—The data link layer, which contains the protocols that control the physical layer (Layer 1) and how data is framed before being transmitted on the medium. Layer 2 is used for bridging and switching. Layer 2 interfaces do not have IP addresses.
Layer 3—The network layer, which is primarily responsible for routing packets across logical internetwork paths. This routing is accomplished through the use of IP addresses.
Duplex: The interface transmission mode:
None—The transmission mode is returned to its device-specific default setting.
Full—The interface transmits and receives at the same time (full duplex).
Half—The interface can transmit or receive, but not at the same time (half duplex). This is the default.
Auto—The router automatically detects and sets the appropriate transmission mode, either full or half duplex.
Note: When using Auto mode, be sure that the port on the active network device to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode.
Note: You can configure a duplex value only if you set the Speed to a fixed speed, not Auto.
Note: This setting does not apply to serial, HSSI, ATM, PRI, DSL, tunnel, or loopback interfaces.
Speed: Applies only to Fast Ethernet and Gigabit Ethernet interfaces. The speed of the interface:
10—10 megabits per second (10Base-T networks).
100—100 megabits per second (100Base-T networks). This is the default for Fast Ethernet interfaces.
1000—1000 megabits per second (Gigabit Ethernet networks). This is the default for Gigabit Ethernet interfaces.
Auto—The router automatically detects and sets the appropriate interface speed.
Note: When using Auto mode, be sure that the port on the active network device to which you connect this interface is also set to automatically negotiate the transmission speed. Otherwise, select the appropriate fixed speed.
MTU: The maximum transmission unit, which is the maximum packet size, in bytes, that this interface can handle. Valid values for serial, Ethernet, and Fast Ethernet interfaces range from 64 to 17940 bytes. Valid values for Gigabit Ethernet interfaces range from 1500 to 9216 bytes.
Encapsulation: The type of encapsulation performed by the interface:
None—No encapsulation.
DOT1Q—VLAN encapsulation, as defined by the IEEE 802.1Q standard. Applies only to Ethernet subinterfaces.
Frame Relay—IETF Frame Relay encapsulation. Applies only to serial interfaces (not serial subinterfaces).
Note: IETF Frame Relay encapsulation provides interoperability between a Cisco IOS router and equipment from other vendors. To configure Cisco Frame Relay encapsulation, use CLI commands or FlexConfigs.
VLAN ID Applies only to subinterfaces with encapsulation type DOT1Q.
The VLAN ID associated with this subinterface. The VLAN ID specifies where 802.1Q tagged packets are sent and received on this subinterface; without a VLAN ID, the subinterface cannot send or receive traffic. Valid values range from 1 to 4094.
Note All VLAN IDs must be unique among all subinterfaces configured on the same physical interface.
Tip To configure DOT1Q encapsulation on an Ethernet interface without associating the VLAN with a subinterface, enter the vlan-id dot1q command using CLI commands or FlexConfigs. See Understanding FlexConfig Objects, page 9-52. Configuring VLANs on the main interface increases the number of VLANs that can be configured on the router.
Native VLAN Applies only when the encapsulation type is DOT1Q and you are configuring a physical interface that is meant to serve as an 802.1Q trunk interface. Trunking is a way to carry traffic from several VLANs over a point-to-point link between two devices.
When selected, the Native VLAN is associated with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) The native VLAN is the VLAN to which all untagged VLAN packets are logically assigned by default. This includes the management traffic associated with the VLAN.
For example, if the VLAN ID of this interface is 1, all incoming untagged packets and packets with VLAN ID 1 are received on the main interface and not on a subinterface. Packets sent from the main interface are transmitted without an 802.1Q tag.
When deselected, the Native VLAN is not associated with this interface.
Note The Native VLAN cannot be configured on a subinterface of the trunk interface. Be sure to configure the same Native VLAN value at both ends of the link; otherwise, traffic may be lost or sent to the wrong VLAN.
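The VLAN ID and Native VLAN rows above describe how a trunk interface files frames into VLANs: tagged frames go to the VLAN in their 802.1Q tag, untagged frames go to the native VLAN, and a native-VLAN mismatch between the two ends sends traffic to the wrong VLAN. The following Python is an added example written for this appendix; it is not code from the Cisco Security Manager guide or from Security Manager itself. It decodes the 802.1Q tag of a constructed Ethernet frame, enforces the 1 to 4094 range quoted above, and shows the mismatch case. The MAC addresses, EtherType and frames are constructed sample data; the tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is fixed by the IEEE 802.1Q standard.

```python
"""Added example, not from the Cisco Security Manager guide: decode the IEEE
802.1Q tag of an Ethernet frame and assign the frame to a VLAN the way a trunk
interface with a native VLAN does.  The frames built below are constructed
sample data; the tag layout (TPID 0x8100 followed by a 16-bit TCI whose low
12 bits are the VLAN ID) is fixed by the 802.1Q standard.
"""
import struct

TPID_8021Q = 0x8100                  # marks a frame as 802.1Q tagged
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # configurable range quoted in the table

# Constructed sample addresses and EtherType (IPv4).
DST = bytes.fromhex("01005e000001")
SRC = bytes.fromhex("001122334455")
IPV4 = 0x0800


def is_configurable_vlan(vid: int) -> bool:
    """VID 0 is a priority-only tag and 4095 is reserved; neither is a VLAN
    the dialog box lets you configure."""
    return VLAN_ID_MIN <= vid <= VLAN_ID_MAX


def build_frame(dst: bytes, src: bytes, ethertype: int,
                vlan: int = None, pcp: int = 0) -> bytes:
    """Build a minimal Ethernet header, inserting an 802.1Q tag if vlan is set."""
    hdr = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)      # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype)


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Return the frame's addresses, EtherType and the VLAN it is assigned to.

    An untagged frame (no 0x8100 after the MAC addresses) is placed in the
    receiving port's native VLAN, which is the behaviour described above.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":")}
    if ethertype != TPID_8021Q:
        info.update(ethertype=ethertype, vlan=native_vlan, tagged=False, priority=None)
        return info
    if len(frame) < 18:
        raise ValueError("tagged frame too short for a TCI and inner EtherType")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if not is_configurable_vlan(vid):
        raise ValueError(f"VLAN ID {vid} is outside the configurable range 1-4094")
    info.update(ethertype=inner_type, vlan=vid, tagged=True, priority=tci >> 13)
    return info


def vlan_seen_by_receiver(vlan_sent: int, sender_native: int, receiver_native: int) -> int:
    """Which VLAN the far end files a frame into.

    The sender transmits its own native VLAN untagged and everything else
    tagged; the receiver assigns untagged frames to *its* native VLAN.  When
    the two ends disagree, native-VLAN traffic lands in the wrong VLAN, which
    is the failure the Note above warns about.
    """
    tag = None if vlan_sent == sender_native else vlan_sent
    return parse_frame(build_frame(DST, SRC, IPV4, vlan=tag), receiver_native)["vlan"]


if __name__ == "__main__":
    print(parse_frame(build_frame(DST, SRC, IPV4, vlan=100, pcp=5)))
    print("untagged ->", parse_frame(build_frame(DST, SRC, IPV4), native_vlan=1)["vlan"])
    print("native 1 vs 10 ->", vlan_seen_by_receiver(1, 1, 10))
```

Calling `vlan_seen_by_receiver(1, 1, 10)` returns 10: the sender's native-VLAN traffic leaves untagged and the receiver, whose native VLAN is 10, files it there, which is exactly why the Note requires the same Native VLAN value on both ends.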
DLCI Applies only to serial subinterfaces with Frame Relay encapsulation.
Enter the data-link connection identifier to associate with the subinterface. Valid values range from 16 to 1007.
Note Security Manager configures serial subinterfaces as point-to-point, not multipoint.
Description Additional information about the interface (up to 1024 characters).
Roles The interface roles assigned to this interface. A message is displayed if no roles have yet been assigned.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Interface Auto Name Generator Dialog Box

Use the Interface Auto Name Generator dialog box to have Security Manager generate a name for the interface based on the interface type and its location in the router.
Navigation Path
Go to the Create Router Interface Dialog Box, page K-18, select Interface from the Type list, then click Select in the Name field.
Related Topics
Generating an Interface Name, page 15-26
Router Interfaces Page, page K-17
Basic Interface Settings on Cisco IOS Routers, page 15-20
Field Reference
Table K-11 Interface Auto Name Generator Dialog Box
Element Description
Type The type of interface. Your selection from this list forms the first part of the generated name, as displayed in the Result field. For more information, see Table 15-1 on page 15-21.
Card The card related to the interface.
Note When defining a BVI interface, enter the number of the corresponding bridge group.
Slot The slot related to the interface.
Port The port related to the interface.
Note The information you enter in these fields forms the remainder of the generated name, as displayed in the Result field.
Result The name generated by Security Manager from the information you entered for the interface type and location. The name displayed in this field is read-only.
Tip After closing this dialog box, you can edit the generated name in the Create Router Interface dialog box, if required.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
Advanced Interface Settings Page
Use the Advanced Interface Settings page to view, create, edit, and delete advanced interface definitions (physical and virtual) on a selected Cisco IOS router. Examples of advanced settings include Cisco Discovery Protocol (CDP) settings, ICMP message settings, and virtual fragment reassembly settings.
For more information, see Advanced Interface Settings on Cisco IOS Routers, page 15-28.
Navigation Path
• (Device view) Select Interfaces > Settings > Advanced Settings from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > Advanced Settings from the Policy Type selector. Right-click Advanced Settings to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Router Interfaces Page, page K-17
Available Interface Types, page 15-21
Deleting a Cisco IOS Router Interface, page 15-27
Field Reference
Table K-12 Advanced Interface Settings Page
Element Description
Filter Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface The interface or interface role for which advanced settings are defined.
Max Bandwidth The bandwidth value to communicate to higher-level protocols in kilobits per second (kbps).
Load Interval The length of time used to calculate the average load for this interface.
CDP Indicates whether CDP and CDP logging are enabled on this interface.
Redirects Indicates whether ICMP redirect messages are enabled on this interface.
Unreachables Indicates whether ICMP unreachable messages are enabled on this interface.
Mask Reply Indicates whether ICMP mask reply messages are enabled on this interface.
Directed Broadcasts Indicates whether directed broadcasts that are intended for the subnet to which this interface is attached are exploded as broadcasts on that subnet.
Add button Opens the Advanced Interface Settings Dialog Box, page K-27. From here you can define advanced settings on the selected interface.
Edit button Opens the Advanced Interface Settings Dialog Box, page K-27. From here you can edit the selected interface.
Delete button Deletes the selected advanced interface definitions from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

Advanced Interface Settings Dialog Box

Use the Advanced Interface Settings dialog box to define a variety of advanced settings on a selected interface, including:
Cisco Discovery Protocol (CDP) settings.
Internet Control Message Protocol (ICMP) settings.
Virtual fragmentation reassembly (VFR) settings.
Directed broadcast settings.
Load interval for determining the average load.
Enabling proxy ARP.
Enabling NBAR protocol discovery.
Navigation Path
Go to the Never Block Networks Dialog Box, page N-132, then click the Add or Edit button beneath the table.
Related Topics
Basic Interface Settings on Cisco IOS Routers, page 15-20
Advanced Interface Settings on Cisco IOS Routers, page 15-28
Deleting a Cisco IOS Router Interface, page 15-27
Available Interface Types, page 15-21
Field Reference
Table K-13 Advanced Interface Settings Dialog Box
Element Description
Interface The interface on which the advanced settings are defined. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
Note You can define only one set of advanced settings per interface.
Note The only advanced settings supported on Layer 2 interfaces are Max. Bandwidth, Load Interval, and CDP.
Max Bandwidth The bandwidth value to communicate to higher-level protocols in kilobits per second (kbps).
Note The value you define in this field is an informational parameter only; it does not affect the physical interface.
Load Interval The length of time, in seconds, used to calculate the average load on the interface. Valid values range from 30 to 600 seconds, in multiples of 30 seconds. The default is 300 seconds (5 minutes).
Modify the default to shorten the length of time over which load averages are computed. You can do this if you want load computations to be more reactive to short bursts of traffic.
Load data is gathered every 5 seconds. This data is used to compute load statistics, including input/output rate in bits and packets per second, load, and reliability. Load data is computed using a weighted-average calculation in which recent load data has more weight in the computation than older load data.
Tip You can use this option to increase or decrease the likelihood of activating a backup interface; for example, a backup dial interface may be triggered by a sudden spike in the load on an active interface.
Note Load interval is not supported on subinterfaces.
TCP Maximum Segment Size The maximum segment size (MSS) of TCP SYN packets that pass through this interface. Valid values range from 500 to 1460 bytes. If you do not specify a value, the MSS is determined by the originating host.
This option helps prevent TCP sessions from being dropped as they pass through the router. Use this option when the ICMP messages that perform auto-negotiation of TCP frame size are blocked (for example, by a firewall). We highly recommend using this option on the tunnel interfaces of DMVPN networks.
For more information, see TCP MSS Adjustment at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html
Note Typically, the optimum MSS is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link.
Helper Addresses The helper addresses that are used to forward User Datagram Protocol (UDP) broadcasts that are received on this interface. Enter one or more addresses or network/host objects, or click Select to display an Object Selectors, page F-593.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477. From here, you can define a network/host object.
By default, routers do not forward broadcasts outside of their subnet. Helper addresses provide a solution by enabling the router to forward certain types of UDP broadcasts as a unicast to an address on the destination subnet.
For more information, see Understanding Helper Addresses, page 15-29.
Cisco Discovery Protocol settings
Enable CDP When selected, the Cisco Discovery Protocol (CDP) is enabled on this interface. This is the default.
When deselected, CDP is disabled on this interface.
CDP is a media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. It is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices.
Note ATM interfaces do not support CDP.
Log CDP Messages Applies only to Ethernet interfaces.
When selected, duplex mismatches for this interface are displayed in a log. This is the default.
When deselected, duplex mismatches for this interface are not logged.
NetFlow settings
Cisco IOS NetFlow provides the metering base for a key set of applications including network traffic accounting, usage-based network billing, network planning, Denial of Service monitoring capabilities, network monitoring, outbound marketing, and data mining capabilities for both service provider and enterprise customers.
Enable Ingress Accounting When selected, NetFlow accounting is enabled on traffic arriving on this interface.
When deselected, NetFlow accounting on arriving traffic is disabled. This is the default.
Note You must use the CLI or FlexConfigs to enable Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this option.
Enable Egress Accounting When selected, enables NetFlow accounting on traffic leaving this interface.
When deselected, disables NetFlow accounting on traffic leaving this interface. This is the default.
Note You must use the CLI or FlexConfigs to enable Cisco Express Forwarding (CEF) or distributed CEF (dCEF) before using this option.
ICMP Messages settings
Enable Redirect Messages When selected, enables the sending of Internet Control Message Protocol (ICMP) redirect messages if the device is forced to resend a packet through the same interface on which it was received to another device on the same subnet. This is the default.
When deselected, disables redirect messages.
Redirect messages are sent when the device wants to instruct the originator of the packet to remove it from the route and substitute a different device that offers a more direct path to the destination.
Enable Unreachable Messages When selected, enables the sending of ICMP unreachable messages. This is the default.
When deselected, disables unreachable messages.
Unreachable messages are sent in two circumstances:
If the interface receives a nonbroadcast packet destined for itself that uses an unknown protocol. In this case, it sends an ICMP unreachable message to the source.
If the device receives a packet that it cannot deliver to its ultimate destination because it knows of no route to the destination address. In this case, it sends an ICMP host unreachable message to the originator of the packet.
Note This is the only advanced setting supported by the null0 interface.
Enable Mask Reply Messages When selected, enables the sending of ICMP mask reply messages.
When deselected, disables mask reply messages. This is the default.
Mask reply messages are sent in response to mask request messages, which are sent when a device needs to know the subnet mask for a particular subnetwork.
Additional settings
Enable Virtual Fragment Reassembly (VFR) When selected, virtual fragmentation reassembly (VFR) is enabled on this interface.
When deselected, disables VFR. This is the default.
VFR is a feature that enables the Cisco IOS Firewall to create dynamic ACLs that can protect the network from various fragmentation attacks. For more information, see Virtual Fragmentation Reassembly at this URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_virt_frag_reassm_ps6441_TSD_Products_Configuration_Guide_Chapter.html
Enable Proxy ARP When selected, enables proxy Address Resolution Protocol (ARP) on the interface. This is the default.
When deselected, disables proxy ARP.
Proxy ARP, defined in RFC 1027, is the technique in which one host, usually a router, answers ARP requests intended for another machine, thereby accepting responsibility for routing packets to the real destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway.
Enable NBAR Protocol Discovery When selected, enables network-based application recognition (NBAR) on this interface to discover traffic and keep traffic statistics for all protocols known to NBAR.
When deselected, disables NBAR. This is the default.
Protocol discovery provides a method to discover application protocols traversing an interface so that QoS policies can be developed and applied to them. For more information, go to:
http://www.cisco.com/en/US/products/ps6616/products_qanda_item09186a00800a3ded.shtml
Enable Directed Broadcasts When selected, directed broadcast packets are “exploded” as a link-layer broadcast when this interface is directly connected to the destination subnet.
When deselected, directed broadcast packets that are intended for the subnet to which this interface is directly connected are dropped rather than being broadcast. This is the default.
An IP directed broadcast is an IP packet whose destination address is a valid broadcast address on a different subnet from the node on which it originated. In such cases, the packet is forwarded as if it was a unicast packet until it reaches its destination subnet.
This option affects only the final transmission of the directed broadcast on its destination subnet; it does not affect the transit unicast routing of IP directed broadcasts.
Note Because directed broadcasts, and particularly ICMP directed broadcasts, have been abused by malicious persons, we recommend deselecting this option on interfaces where directed broadcasts are not needed.
ACL Applies only when directed broadcasts are enabled.
The standard access list that determines which directed broadcasts are permitted to be broadcast on the destination subnet. All other directed broadcasts destined for the subnet to which this interface is directly connected are dropped. Enter the name of an ACL object, or click Select to display an Object Selectors, page F-593.
If the standard ACL you want is not listed, click the Create button in the selector to display the Add and Edit Standard Access List Pages, page F-42. From here you can create an ACL object.
Note To prevent misuse by malicious persons, we recommend using ACLs to restrict the use of directed broadcasts.
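The Advanced Interface Settings page summarizes, per interface, whether CDP, ICMP redirects, unreachables, mask replies and directed broadcasts are enabled, and the two Notes above recommend leaving directed broadcasts off or, where they are needed, restricting them with an ACL. The following Python is an added example written for this appendix, not code from the Cisco Security Manager guide or from Security Manager; it rebuilds that per-interface view from a Cisco IOS running configuration and reports every interface where directed broadcasts are enabled, distinguishing the unrestricted case from the ACL-restricted one. It assumes that the IOS interface commands `ip redirects`, `ip unreachables`, `ip mask-reply`, `ip proxy-arp`, `ip directed-broadcast [acl]` and `cdp enable` are the CLI forms behind the dialog-box options, and that a default-on setting appears in a running configuration only as its `no` form; the defaults encoded in `DEFAULT_ON` are the "This is the default" statements in Table K-13. The configuration text is constructed sample input, not a capture from any real device.

```python
"""Added example (not from the Cisco Security Manager guide): audit the
per-interface ICMP, proxy ARP, CDP and directed-broadcast state in a Cisco
IOS running configuration and flag what Table K-13 recommends against:
directed broadcasts enabled, and especially enabled without an ACL.

Assumptions: the IOS CLI forms below are the commands behind the dialog-box
options, a default-on setting only appears in a running-config as its "no "
form, and DEFAULT_ON mirrors the "This is the default" statements in the
table.  The configuration text is constructed sample input.
"""
import re

# Setting -> whether IOS enables it when no explicit line is present.
DEFAULT_ON = {
    "redirects": True,           # ip redirects          (default: enabled)
    "unreachables": True,        # ip unreachables       (default: enabled)
    "mask-reply": False,         # ip mask-reply         (default: disabled)
    "proxy-arp": True,           # ip proxy-arp          (default: enabled)
    "directed-broadcast": False, # ip directed-broadcast (default: disabled)
    "cdp": True,                 # cdp enable            (default: enabled)
}

SAMPLE_CONFIG = """\
! constructed sample running-config (not from any real device)
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 description user LAN
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
 ip mask-reply
!
interface GigabitEthernet0/2
 description lab segment
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast 10
 no ip unreachables
 no cdp enable
!
"""

# Matches the interface-level lines this audit cares about, with optional
# "no " prefix and, for directed-broadcast, an optional ACL name or number.
_LINE = re.compile(
    r"^\s*(?P<neg>no\s+)?(?:ip\s+(?P<ipkw>redirects|unreachables|mask-reply|"
    r"proxy-arp|directed-broadcast)(?:\s+(?P<acl>\S+))?|(?P<cdp>cdp\s+enable))\s*$"
)


def parse_interfaces(config: str) -> dict:
    """Return {interface: {setting: state}}.  state is True/False, except that
    directed-broadcast holds the ACL name/number when one is applied."""
    result, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            result[current] = dict(DEFAULT_ON)     # start from IOS defaults
            continue
        if current is None or raw.startswith("!"):
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        key = m.group("ipkw") or "cdp"
        if m.group("neg"):
            result[current][key] = False
        elif key == "directed-broadcast" and m.group("acl"):
            result[current][key] = m.group("acl")  # enabled, but ACL-restricted
        else:
            result[current][key] = True
    return result


def directed_broadcast_findings(config: str) -> list:
    """One (interface, severity, message) per interface with directed
    broadcasts enabled; no ACL at all is rated above ACL-restricted."""
    findings = []
    for name, st in parse_interfaces(config).items():
        db = st["directed-broadcast"]
        if db is False:
            continue
        if db is True:
            findings.append((name, "high", "directed broadcasts enabled with no ACL"))
        else:
            findings.append((name, "medium",
                             f"directed broadcasts enabled, restricted by ACL {db}"))
    return findings


if __name__ == "__main__":
    for iface, state in parse_interfaces(SAMPLE_CONFIG).items():
        print(iface, state)
    for finding in directed_broadcast_findings(SAMPLE_CONFIG):
        print(*finding)
```

Run against the sample, the audit reports GigabitEthernet0/1 as high (directed broadcasts on, no ACL) and GigabitEthernet0/2 as medium (restricted by ACL 10); GigabitEthernet0/0 produces no finding because it keeps the IOS default of directed broadcasts disabled. Starting every interface from `DEFAULT_ON` is what makes the absent `no ip redirects` line on GigabitEthernet0/1 correctly read as "redirects enabled".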
Advanced Interface Settings buttons
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
AIM-IPS Interface Settings Page
Use the AIM-IPS Interface Settings page to define the settings on the Cisco Intrusion Prevention System Advanced Integration Module. You can install AIM-IPS in Cisco 1841, 2800 series, and 3800 series routers.
Note AIM-IPS must be running IPS 6.0 or later.
Caution Cisco IOS IPS and the Cisco IPS AIM cannot be used together. Cisco IOS IPS must be disabled when the AIM IPS is installed.
Navigation Path
• (Device view) Select Interfaces > Settings > AIM-IPS from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > AIM-IPS from the Policy Type selector. Right-click AIM-IPS to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-14 AIM-IPS Interface Settings Page
Element Description
AIM-IPS Interface Settings table
Interface Name A name selected from among available interfaces.
Select button Opens the Interface Selector dialog box.
Fail Over Mode Fail open or fail closed. The default value is fail open.
AIM-IPS Service Module Monitoring Settings table
Filter Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface Name The name of the interface role that the AIM-IPS uses.
Monitoring Mode Inline or Promiscuous: Inline mode puts the AIM-IPS directly into the traffic flow, allowing it to stop attacks by dropping malicious traffic before it reaches the intended target. In promiscuous mode, packets do not flow through the sensor; the sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet.
Access List Optional. Used to configure a standard monitoring access list on the router and apply that access list to filter traffic for inspection. A matched ACL causes traffic not to be inspected for that ACL. More information on the options for the access-list command is available in the Cisco IOS Command Reference.
Add button Opens the IPS Monitoring Information Dialog Box, page K-35. From here you can define an IPS monitoring interface.
Edit button Opens the IPS Monitoring Information Dialog Box, page K-35. From here you can edit an IPS monitoring interface.
Delete button Deletes the selected IPS monitoring interfaces from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

IPS Monitoring Information Dialog Box

Use the IPS Monitoring Information dialog box to add or edit the properties of AIM-IPS interfaces.
Navigation Path
Go to the AIM-IPS Interface Settings Page, page K-34, then click the Add or Edit button beneath the AIM-IPS Service Module Monitoring Settings table.
Related Topics
Basic Interface Settings on Cisco IOS Routers, page 15-20
Field Reference
Table K-15 IPS Monitoring Information Dialog Box
Element Description
Interface Name A name selected from among available interfaces.
Select button Opens the Interface Selector dialog box.
Monitoring Mode Inline or Promiscuous: Inline mode puts the AIM-IPS directly into the traffic flow, allowing it to stop attacks by dropping malicious traffic before it reaches the intended target. In promiscuous mode, packets do not flow through the sensor; the sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet.
Access List Optional. Used to configure a standard monitoring access list on the router and apply that access list to filter traffic for inspection. A matched ACL causes traffic not to be inspected for that ACL. More information on the options for the access-list command is available in the Cisco IOS Command Reference.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
Dialer Policy Page
Use the Dialer page to define the relationship between physical Basic Rate Interface (BRI) and virtual dialer interfaces. You use these dialer interfaces when you configure the dial backup feature for site-to-site VPNs.
For more information, see Dialer Interfaces on Cisco IOS Routers, page 15-33.
Navigation Path
• (Device view) Select Interfaces > Settings > Dialer from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > Dialer from the Policy Type selector. Right-click Dialer to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
Configuring Dial Backup, page 10-37
Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-16 Dialer Page
Element Description
Dialer Profiles table
Filter Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface The interface role that the dialer interface uses.
Profile Name The name of the dialer profile.
Dial Pool The dialing pool that this dialer profile uses.
Dial Group The dialer group that this dialer profile uses.
Interesting Traffic ACL The ACL that defines which traffic can use this dialer profile.
Dial String The phone number that the dialer calls.
Idle Timeout The defined interval after which an uncontested idle line is disconnected.
Fast Idle The defined interval after which a contested idle line is disconnected.
Add button Opens the Dialer Profile Dialog Box, page K-38. From here you can define a dialer profile.
Edit button Opens the Dialer Profile Dialog Box, page K-38. From here you can edit the selected dialer profile.
Delete button Deletes the selected dialer profiles from the table.
Dialer Physical Interfaces (BRI) table
Filter Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface The name of the interface role that the physical interface uses.
Pools The dial pools related to this physical interface.
Switch Type The ISDN switch type that the physical interface uses.
SPID1 The first service provider identifier (SPID) related to this interface.
SPID2 The second SPID related to this interface.
Add button Opens the Dialer Physical Interface Dialog Box, page K-40. From here you can define a dialer physical interface.
Edit button Opens the Dialer Physical Interface Dialog Box, page K-40. From here you can edit the selected dialer physical interface.
Delete button Deletes the selected dialer physical interfaces from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

Dialer Profile Dialog Box

Use the Dialer Profile dialog box to add or edit dialer profiles.
Navigation Path
Go to the Dialer Policy Page, page K-36, then click the Add or Edit button beneath the Dialer Profile table.
Related Topics
Dialer Physical Interface Dialog Box, page K-40
Defining Dialer Profiles, page 15-34
Dialer Interfaces on Cisco IOS Routers, page 15-33
Basic Interface Settings on Cisco IOS Routers, page 15-20
Understanding Interface Role Objects, page 9-132
Field Reference
Table K-17 Dialer Profile Dialog Box
Element Description
Name A descriptive name for the dialer profile. This name enables you to assign the correct dialer pool to the physical interface. You can also use the profile name as a reference to the site to which this dialer interface serves as a backup.
Interface The virtual dialer interface to associate with the dialer profile. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
Pool ID The dialer pool ID. Each pool can contain multiple physical interfaces and can be associated with multiple dialer interfaces. Each dialer interface, however, is associated with only one pool.
Group The group ID, which identifies the dialer group that this dialer interface uses.
Interesting Traffic ACL The extended, numbered ACL that defines which packets are permitted to initiate calls using this dialer profile.
Enter the name of an extended, numbered ACL object, or click Select to display an Object Selectors, page F-593. The valid ACL number range is 100 to 199.
If the extended ACL you want is not listed, click the Create button in the selector to display the Extended Tab, page F-32. From here you can create an ACL object.
Dialer String (Remote Phone Number) The phone number of the destination that the dialer contacts.
Idle Timeout The default amount of idle time before an uncontested line is disconnected. The default is 120 seconds.
Fast Idle Timeout The default amount of idle time before a contested line is disconnected. The default is 20 seconds.
Line contention occurs when a busy line is requested to send another packet to a different destination.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Dialer Physical Interface Dialog Box

Use the Dialer Physical Interface dialog box to add or edit the properties that associate physical BRI interfaces with dialer interfaces.
Note Use FlexConfigs to define other types of physical dialer interfaces, such as ATM and Ethernet. For more information, see Understanding FlexConfig Objects, page 9-52.
Navigation Path
Go to the Dialer Policy Page, page K-36, then click the Add or Edit button beneath the Dialer Physical Interfaces table.
Related Topics
Dialer Profile Dialog Box, page K-38
Defining BRI Interface Properties, page 15-36
Dialer Interfaces on Cisco IOS Routers, page 15-33
Basic Interface Settings on Cisco IOS Routers, page 15-20
Understanding Interface Role Objects, page 9-132
Field Reference
Table K-18 Dialer Physical Interface Dialog Box
Element Description
ISDN BRI
The physical BRI interface associated with the dialer interface. Enter the name of an interface or interface role, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.

Pools
Associates dialer pools with a physical interface. Enter the names of one or more pools (as defined in the Dialer Profile Dialog Box, page K-38), or click Select to display a selector. Use commas to separate multiple entries.

Switch Type
The ISDN switch type.
Options for North America are:
basic-5ess—Lucent (AT&T) basic rate 5ESS switch
basic-dms100—Northern Telecom DMS-100 basic rate switch
basic-ni—National ISDN switches
Options for Australia, Europe, and the UK are:
basic-1tr6—German 1TR6 ISDN switch
basic-net3—NET3 ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system
vn3—French VN3 and VN4 ISDN BRI switches
Option for Japan is:
ntt—Japanese NTT ISDN switches
Option for Voice/PBX system is:
basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931

SPID1
Applies only when you select Basic-DMS-100, Basic-NI, or Basic-5ess as the switch type.
The service provider identifier (SPID) for the ISDN service to which the interface subscribes. Some service providers in North America assign SPIDs to ISDN devices when you first subscribe to an ISDN service. If you are using a service provider that requires SPIDs, your ISDN device cannot place or receive calls until it sends a valid assigned SPID to the service provider when accessing the switch to initialize the connection.
Valid SPIDs can contain up to 20 characters, including spaces and special characters.
Note We recommend that you do not enter a SPID for interfaces using the AT&T 5ESS switch type, even though they are supported.

SPID2
Applies only when you select DMS-100 or NI as the switch type.
The service provider identifier (SPID) for a second ISDN service to which the interface subscribes. Valid SPIDs can contain up to 20 alphanumeric characters (no spaces are permitted).

OK button
Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
ADSL Policy Page
Use the ADSL page to create, edit, and delete ADSL definitions on the ATM interfaces of the router. For more information, see Defining ADSL Settings, page 15-40.
Navigation Path
• (Device view) Select Interfaces > Settings > DSL > ADSL from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > DSL > ADSL from the Policy Type selector. Right-click ADSL to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
PVC Policy Page, page K-54
SHDSL Policy Page, page K-47
ADSL on Cisco IOS Routers, page 15-38
Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-19 ADSL Page
Element Description
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

ATM Interface
The ATM interface on which ADSL settings are defined.

Interface Card
The type of device or ADSL interface card on which the ATM interface resides.

Bandwidth Change
Indicates whether the router makes dynamic adjustments to VC bandwidth as overall bandwidth changes. (This is relevant only when IMA groups are configured on the ATM interface.)

DSL Operating Mode
The DSL operating mode for this interface.

Tone Low
Indicates whether the interface is using the low tone set (carrier tones 29 through 48).

Add button
Opens the ADSL Settings Dialog Box, page K-44. From here you can define the ADSL settings for a selected ATM interface.

Edit button
Opens the ADSL Settings Dialog Box, page K-44. From here you can edit the selected ADSL definition.

Delete button
Deletes the selected ADSL definition from the table.

Save button
Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

ADSL Settings Dialog Box

Use the ADSL Settings dialog box to configure ADSL settings on a selected ATM interface.
Note When you configure ADSL settings, we highly recommend that you select the type of device or interface card on which the ATM interface is defined. ADSL settings are highly dependent on the hardware. Defining the hardware type in Security Manager enables proper validation of your configuration for a successful deployment to your devices.
Navigation Path
Go to the ADSL Policy Page, page K-42, then click the Add or Edit button beneath the table.
Related Topics
Defining ADSL Settings, page 15-40
PVC Policy Page, page K-54
Field Reference
Table K-20 ADSL Settings Dialog Box
Element Description
ATM Interface
The ATM interface on which ADSL settings are defined. Enter the name of an interface or interface role, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
Note We recommend that you do not define an interface role that includes ATM interfaces from different interface cards. The different settings supported by each card type may cause deployment to fail.
Note You can create only one ADSL definition per interface.

Interface Card
The device type or the type of interface card installed on the router:
[blank]—The interface card type is not defined.
WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL over POTS (ordinary telephone lines).
WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the router warns the DSLAM of imminent line drops when the router is about to lose power.)
WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides ADSL over POTS with Dying Gasp support.
HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that provides ADSL over POTS.
HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that provides ADSL over ISDN.
HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over POTS with an ISDN BRI port for backup.
HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over ISDN with an ISDN BRI port for backup.
857 ADSL—Cisco 857 Integrated Services Router with an ADSL interface.
876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface.
877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface.
1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS.
1802 ADSLoISDN—Cisco 1802 Integrated Services Router that provides ADSL over ISDN.
Note When discovering from a live device, the correct interface card type will already be displayed. If you did not perform discovery on a live device, or if Security Manager cannot detect the type of interface card installed on the device, this field displays “Unknown”.

Allow bandwidth change on ATM PVCs
When selected, the router makes dynamic adjustments to VC bandwidth in response to changes in the overall bandwidth of the Inverse Multiplexing over ATM (IMA) group defined on the ATM interface.
When deselected, PVC bandwidth must be adjusted manually (using the CLI) whenever an individual physical link in the IMA group goes up or down.

DSL Operating Mode
The operating mode configured for this ADSL line:
auto—Performs automatic negotiation with the DSLAM located at the central office (CO). This is the default.
ansi-dmt—The line trains in ANSI T1.413 Issue 2 mode.
itu-dmt—The line trains in G.992.1 mode.
splitterless—The line trains in G.992.2 (G.Lite) mode.
etsi—The line trains in ETSI (European Telecommunications Standards Institute) mode.
adsl2—The line trains in G.992.3 (adsl2) mode.
adsl2+—The line trains in G.992.5 (adsl2+) mode.
Note See Table 15-3 on page 15-39 for a description of the operating modes that are supported by each card type.

Use low tone set
When selected, the interface card uses carrier tones 29 through 48.
When deselected, the interface card uses carrier tones 33 through 56.
Note Leave this option deselected when the interface card is operating in accordance with Deutsche Telekom specification U-R2.

OK button
Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
SHDSL Policy Page
Use the SHDSL page to create, edit, and delete DSL controller definitions on the router. For more information, see Defining SHDSL Controllers, page 15-44.
Navigation Path
• (Device view) Select Interfaces > Settings > DSL > SHDSL from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > DSL > SHDSL from the Policy Type selector. Right-click SHDSL to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
PVC Policy Page, page K-54
ADSL Policy Page, page K-42
SHDSL on Cisco IOS Routers, page 15-43
Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-21 SHDSL Page
Element Description
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Name
The name of the DSL controller.

Description
An optional description of the controller.

Shutdown
Indicates whether the DSL controller is in shutdown mode.

Configure ATM Mode
Indicates whether the DSL controller has been set into ATM mode.

Line Termination
The line termination set for the router (CPE or CO).

DSL Mode
The operating mode defined for the DSL controller.

Line Mode
The line mode defined for the DSL controller.

Line Rate
The line rate (in kbps) defined for the DSL controller.
Note A value is displayed in this column only if the line mode is not set to Auto.

SNR Margin Current
The current signal-to-noise ratio on the controller.

SNR Margin Snext
The self near-end crosstalk (Snext) signal-to-noise ratio on the controller.

Add button
Opens the SHDSL Controller Dialog Box, page K-49. From here you can define the settings for a DSL controller.

Edit button
Opens the SHDSL Controller Dialog Box, page K-49. From here you can edit the selected DSL controller definition.

Delete button
Deletes the selected DSL controller definition from the table.

Save button
Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

SHDSL Controller Dialog Box

Use the SHDSL Controller dialog box to configure SHDSL controllers.
Navigation Path
Go to the SHDSL Policy Page, page K-47, then click the Add or Edit button beneath the table.
Related Topics
Defining SHDSL Controllers, page 15-44
PVC Policy Page, page K-54
Discovering Policies on Devices Already in Security Manager, page 7-10
Field Reference
Table K-22 SHDSL Dialog Box
Element Description
Name
The name of the controller. Enter a name manually, or click Select to display a dialog box for generating a name. See Controller Auto Name Generator Dialog Box, page K-53.

Description
Additional information about the controller (up to 80 characters).

Shutdown
When selected, the DSL controller is in shutdown state. However, its definition is not deleted.
When deselected, the DSL controller is enabled. This is the default.

Configure ATM mode
When selected, sets the controller into ATM mode and creates an ATM interface with the same ID as the controller. This is the default. You must enable ATM mode and then perform rediscovery to configure ATM or PVCs on the device.
When deselected, ATM mode is disabled. No ATM interface is created on deployment.
Note You cannot remove ATM mode from a controller after it has been saved in Security Manager.

Line Termination
The line termination that is set for the router:
CPE—Customer premises equipment. This is the default.
CO—Central office.

DSL Mode
The DSL operating mode, including regional operating parameters, used by the controller:
[blank]—The operating mode is not defined. (When deployed, the Annex A standard for North America is used.)
A—Supports Annex A of the G.991.2 standard for North America.
A-B—Supports Annex A or Annex B. Available only when the Line Termination is set to CPE. The appropriate mode is selected when the line trains.
A-B-ANFP—Supports Annex A or Annex B-ANFP. Available only when the Line Termination is set to CPE. The appropriate mode is selected when the line trains.
B—Supports Annex B of the G.991.2 standard for Europe.
B-ANFP—Supports Annex B-ANFP (Access Network Frequency Plan).
Note The available DSL modes are dependent on the selected line termination.

Line Mode settings

Line Mode
The line mode used by the controller:
auto—The controller operates in the same mode as the other line termination (2-wire line 0, 2-wire line 1, or 4-wire enhanced). This is the default for CPE line termination.
2-wire—The controller operates in two-wire mode. This is the default for CO line termination.
4-wire—The controller operates in four-wire mode.
Note You can select Auto only when you configure the controller as the CPE.

Line
Applies only when the Line Mode is defined as 2-wire.
The pair of wires to use:
line-zero—RJ-11 pin 1 and pin 2. This is the default for CO line termination.
line-one—RJ-11 pin 3 and pin 4.

Exchange Handshake
Applies only when the Line Mode is defined as 4-wire.
The type of handshake mode to use:
[blank]—The handshake mode is not specified. (When deployed, the enhanced option is used.) This is the default.
enhanced—Exchanges handshake status on both wire pairs.
standard—Exchanges handshake status on the master wire pair only.

Line Rate
Does not apply when the Line Mode is defined as Auto.
The DSL line rate (in kbps) available for the SHDSL port:
auto—The controller selects the line rate. This is available only in 2-wire mode.
Supported line rates:
For 2-wire mode: 192, 256, 320, 384, 448, 512, 576, 640, 704, 768, 832, 896, 960, 1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, 1664, 1728, 1792, 1856, 1920, 1984, 2048, 2112, 2176, 2240, and 2304.
For 4-wire mode: 384, 512, 640, 768, 896, 1024, 1152, 1280, 1408, 1536, 1664, 1792, 1920, 2048, 2176, 2304, 2432, 2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712, 3840, 3968, 4096, 4224, 4352, 4480, and 4608.
Note Third-party equipment may use a line rate that includes an additional SHDSL overhead of 8 kbps for 2-wire mode or 16 kbps for 4-wire mode.

SNR Margin settings

Current
The current signal-to-noise ratio (SNR) on the controller, in decibels (dB). Valid values range from -10 to 10 dB.
This option can produce a more stable line by requiring the line to train at more than the current noise margin plus the SNR threshold during training. Any external noise that is less than the configured SNR margin then leaves the line stable.
Note Select disable to disable the current SNR margin.

Snext
The Self Near-End Crosstalk (SNEXT) signal-to-noise ratio on the controller, in decibels. Valid values range from -10 to 10 dB.
This option can produce a more stable line by requiring the line to train at more than the SNEXT threshold during training. Any external noise that is less than the configured SNEXT margin then leaves the line stable.
Note Select disable to disable the SNEXT SNR margin.

SHDSL dialog box buttons

OK button
Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
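Several rows of Table K-22 only make sense in combination: line mode auto and the A-B / A-B-ANFP DSL modes are available only for CPE line termination, Line applies only in 2-wire mode, Exchange Handshake only in 4-wire mode, and the line rate must come from a different list for each line mode. The Python below is an added example written for this page, not Security Manager's or Cisco's code: it encodes those dependencies as a pre-deployment check over a settings record. The ShdslController record and its field names are assumptions, and the handling of the third-party note (subtracting 8 or 16 kbps of overhead from an advertised rate to find the matching supported rate) is an interpretation of that note, not something the dialog box does.

```python
"""Cross-field checks for an SHDSL controller definition.

Added example, not Security Manager's own code. It encodes the dependencies
stated in the SHDSL Controller dialog box reference (line termination, DSL
mode, line mode, line, exchange handshake, line rate) so that a settings
record can be checked before it is deployed. The ShdslController record and
its field names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Supported line rates in kbps, exactly the two lists from the Line Rate row:
# 2-wire runs 192..2304 in 64 kbps steps, 4-wire runs 384..4608 in 128 kbps steps.
RATES_2WIRE = list(range(192, 2304 + 1, 64))
RATES_4WIRE = list(range(384, 4608 + 1, 128))

# SHDSL overhead that third-party equipment may fold into its advertised rate.
OVERHEAD_KBPS = {"2-wire": 8, "4-wire": 16}

DSL_MODES = {"", "A", "A-B", "A-B-ANFP", "B", "B-ANFP"}
DSL_MODES_CPE_ONLY = {"A-B", "A-B-ANFP"}


@dataclass
class ShdslController:
    name: str
    line_termination: str = "CPE"              # CPE or CO
    dsl_mode: str = ""                         # "" = not defined (Annex A on deployment)
    line_mode: str = "auto"                    # auto, 2-wire or 4-wire
    line: Optional[str] = None                 # line-zero / line-one, 2-wire only
    exchange_handshake: Optional[str] = None   # enhanced / standard, 4-wire only
    line_rate: Optional[str] = None            # "auto" or a rate in kbps; None when line mode is auto
    description: str = ""


def supported_rates(line_mode: str) -> List[int]:
    """Line rates the dialog accepts for the given (non-auto) line mode."""
    return RATES_2WIRE if line_mode == "2-wire" else RATES_4WIRE


def normalize_third_party_rate(rate_kbps: int, line_mode: str) -> Optional[int]:
    """Map a rate that includes SHDSL overhead onto a supported rate, or None.

    Example: a 2-wire peer advertising 2312 kbps is 2304 kbps plus 8 kbps of overhead.
    """
    stripped = rate_kbps - OVERHEAD_KBPS[line_mode]
    return stripped if stripped in supported_rates(line_mode) else None


def validate(c: ShdslController) -> List[str]:
    """Return a list of problems; an empty list means the record is consistent."""
    errors: List[str] = []
    if c.line_termination not in ("CPE", "CO"):
        errors.append(f"line termination must be CPE or CO, got {c.line_termination!r}")
    if len(c.description) > 80:
        errors.append("description exceeds 80 characters")
    if c.dsl_mode not in DSL_MODES:
        errors.append(f"unknown DSL mode {c.dsl_mode!r}")
    elif c.dsl_mode in DSL_MODES_CPE_ONLY and c.line_termination != "CPE":
        errors.append(f"DSL mode {c.dsl_mode} is available only when line termination is CPE")
    if c.line_mode not in ("auto", "2-wire", "4-wire"):
        errors.append(f"unknown line mode {c.line_mode!r}")
    elif c.line_mode == "auto" and c.line_termination != "CPE":
        errors.append("line mode auto can be selected only when the controller is the CPE")
    if c.line is not None:
        if c.line_mode != "2-wire":
            errors.append("line applies only when line mode is 2-wire")
        elif c.line not in ("line-zero", "line-one"):
            errors.append(f"unknown line {c.line!r}")
    if c.exchange_handshake is not None:
        if c.line_mode != "4-wire":
            errors.append("exchange handshake applies only when line mode is 4-wire")
        elif c.exchange_handshake not in ("enhanced", "standard"):
            errors.append(f"unknown handshake mode {c.exchange_handshake!r}")
    errors.extend(_check_line_rate(c))
    return errors


def _check_line_rate(c: ShdslController) -> List[str]:
    """Line-rate rules: none in auto line mode, 'auto' only in 2-wire, else a listed rate."""
    if c.line_mode == "auto":
        return ["line rate does not apply when line mode is auto"] if c.line_rate else []
    if c.line_mode not in OVERHEAD_KBPS or c.line_rate is None:
        return []  # an unknown line mode is already reported by validate()
    if c.line_rate == "auto":
        return [] if c.line_mode == "2-wire" else ["line rate auto is available only in 2-wire mode"]
    if not c.line_rate.isdigit():
        return [f"line rate must be auto or a rate in kbps, got {c.line_rate!r}"]
    rate = int(c.line_rate)
    if rate in supported_rates(c.line_mode):
        return []
    hint = normalize_third_party_rate(rate, c.line_mode)
    if hint is not None:
        return [f"{rate} kbps is not a supported {c.line_mode} rate; it looks like {hint} kbps plus "
                f"{OVERHEAD_KBPS[c.line_mode]} kbps of SHDSL overhead"]
    return [f"{rate} kbps is not a supported {c.line_mode} rate"]
```

The rate lists are generated rather than typed out because both tables in the Line Rate row are arithmetic progressions (64 kbps steps for 2-wire, 128 kbps steps for 4-wire), which makes the check easy to audit against the printed lists; the overhead hint is only advisory, since the dialog itself accepts only the listed values.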

Controller Auto Name Generator Dialog Box

Use the Controller Auto Name Generator dialog box to have Security Manager generate a name for the DSL controller based on its location in the router.
Navigation Path
Go to the SHDSL Controller Dialog Box, page K-49, then click Select in the Name field.
Related Topics
Defining SHDSL Controllers, page 15-44
SHDSL Policy Page, page K-47
PVC Policy Page, page K-54
Field Reference
Table K-23 Controller Auto Name Generator Dialog Box
Element Description
Type
The type of interface. This field displays the value DSL and is read-only.

Card
The card related to the controller.

Slot
The slot related to the controller.

Port
The port related to the controller.
Note The information you enter in these fields forms the remainder of the generated name, as displayed in the Result field.

Result
The name generated by Security Manager from the information you entered for the controller location. The name displayed in this field is read-only.
Tip After closing this dialog box, you can edit the generated name in the SHDSL dialog box, if required.

OK button
Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
PVC Policy Page
Use the PVC page to create, edit, and delete permanent virtual connections (PVCs) on the router. PVCs allow direct and permanent connections between sites to provide a service that is similar to a leased line. These PVCs can be used in ADSL, SHDSL, or pure ATM environments. For more information, see Defining ATM PVCs, page 15-52.
Navigation Path
• (Device view) Select Interfaces > Settings > PVC from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > PVC from the Policy Type selector. Right-click PVC to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
ADSL Policy Page, page K-42
SHDSL Policy Page, page K-47
PVCs on Cisco IOS Routers, page 15-46
Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-24 PVC Page
Element Description
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

ATM Interface
The ATM interface on which the PVC is defined.

Interface Card
The type of device or WAN interface card on which the ATM interface resides.

PVC ID
The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the PVC.

Settings
Additional settings configured for the PVC, including encapsulation, the number of PPPoE sessions, and the VPN service name.

QoS
Quality-of-service settings defined for the PVC, such as traffic shaping.

Protocol
The IP protocol mappings (static maps or Inverse ARP) configured for the PVC.

OAM
The F5 Operation, Administration, and Maintenance (OAM) loopback, continuity check, and AIS/RDI definitions configured for the PVC.

OAM-PVC
The OAM management cells that are configured for the PVC.

Add button
Opens the PVC Dialog Box, page K-56. From here you can define a PVC.

Edit button
Opens the PVC Dialog Box, page K-56. From here you can edit the selected PVC.

Delete button
Deletes the selected PVC from the table.

Save button
Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

PVC Dialog Box

Use the PVC dialog box to configure ATM permanent virtual circuits (PVCs).
Navigation Path
Go to the PVC Policy Page, page K-54, then click the Add or Edit button beneath the table.
Related Topics
Defining ATM PVCs, page 15-52
Field Reference
Table K-25 PVC Dialog Box
Element Description
ATM Interface
The ATM interface on which the PVC is defined. Enter the name of an interface, subinterface, or interface role, or click Select to display an object selector (see Object Selectors, page F-593).
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
Note We strongly recommend not defining an interface role that includes ATM interfaces from different interface cards. The different settings supported by each card type may cause deployment to fail.

Interface Card
The type of WAN interface card installed on the router or the router type:
[blank]—The interface card type is not defined.
WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL over POTS (ordinary telephone lines).
WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the router warns the DSLAM of imminent line drops when the router is about to lose power.)
WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides ADSL over POTS with Dying Gasp support.
HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that provides ADSL over POTS.
HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that provides ADSL over ISDN.
HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over POTS with an ISDN BRI port for backup.
HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over ISDN with an ISDN BRI port for backup.
WIC-1-SHDSL-V2—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and enhanced 4-wire mode.
WIC-1-SHDSL-V3—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and 4-wire mode (standard & enhanced).
NM-1A-T3—A 1-port ATM network module with a T3 link.
NM-1A-OC3-POM—A 1-port ATM network module with an optical carrier level 3 (OC-3) link and three operating modes (multimode, single-mode intermediate reach (SMIR), and single-mode long-reach (SMLR)).
NM-1A-E3—A 1-port ATM network module with an E3 link.
857 ADSL—Cisco 857 Integrated Services Router with an ADSL interface.
876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface.
877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface.
878 G.SHDSL—Cisco 878 Integrated Services Router with a G.SHDSL interface.
1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS.
1802 ADSLoISDN—Cisco 1802 Integrated Services Router that provides ADSL over ISDN.
1803 G.SHDSL—Cisco 1803 Integrated Services Router that provides 4-wire G.SHDSL.
Note To ensure proper policy validation, we highly recommend that you define a value in this field. When you discover a live device, the correct interface card type will already be displayed. If you did not perform discovery on a live device, or if Security Manager cannot detect the type of interface card installed on the device, this field displays “Unknown”.

Settings tab
Defines basic PVC settings, such as the VPI/VCI and encapsulation. See PVC Dialog Box—Settings Tab, page K-59.

QoS tab
Defines ATM traffic shaping and other quality-of-service settings for the PVC. See PVC Dialog Box—QoS Tab, page K-63.

Protocol tab
Defines the IP protocol mappings configured for the PVC (static maps or Inverse ARP). See PVC Dialog Box—Protocol Tab, page K-67.

Advanced button
Defines F5 Operation, Administration, and Maintenance (OAM) settings for the PVC. See PVC Advanced Settings Dialog Box—OAM Tab, page K-70.

OK button
Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
PVC Dialog Box—Settings Tab
Use the Settings tab of the PVC dialog box to configure the basic settings of the PVC, including:
ID settings.
Encapsulation settings.
Whether ILMI and Inverse ARP are enabled.
The maximum number of PPPoE sessions.
The static domain (VPN service) name to use for PPPoA.
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the Settings tab.
Related Topics
PVC Dialog Box—QoS Tab, page K-63
PVC Dialog Box—Protocol Tab, page K-67
PVC Advanced Settings Dialog Box, page K-69
Defining ATM PVCs, page 15-52
Field Reference
Table K-26 PVC Dialog Box—Settings Tab
Element Description
PVC ID settings
VPI The virtual path identifier of the PVC. In conjunction with the VCI,
identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values for most platforms range from 0 to 255.
For Cisco 2600 and 3600 Series routers using Inverse Multiplexing for ATM (IMA), valid values range from 0 to 15, 64 to 79, 128 to 143, and 192 to 207.
Note VPI/VCI values must be unique for all the PVCs configured on a
selected interface. VPI/VCI values are unique to a single link only and might change as cells traverse the ATM network.
VCI The 16-bit virtual channel identifier of the PVC. In conjunction with the
VPI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values vary by platform. Typically, values up to 31 are reserved for special traffic (such as ILMI) and should not be used. 3 and 4 are invalid.
Note VPI/VCI values must be unique for all the PVCs configured on a
selected interface. VPI/VCI values are unique to a single link only and might change as cells traverse the ATM network.
Handle An optional name to identify the PVC. The maximum length is 15
characters.
Management PVC (ILMI)
Does not apply when configuring the PVC on a subinterface.
When selected, designates this PVC as the management PVC for this ATM interface by enabling communication with the Interim Local Management Interface (ILMI). ILMI is a protocol defined by the ATM Forum for setting and capturing physical layer, ATM layer, virtual path, and virtual circuit parameters on ATM interfaces. See Understanding ILMI, page 15-50.
When deselected, this PVC does not act as the management PVC. This is the default.
Note The VPI/VCI for the management PVC is typically set to 0/16.
K-60
User Guide for Cisco Security Manager 3.2
OL-16066-01
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-26 PVC Dialog Box—Settings Tab (Continued)
Encapsulation settings
Type Does not apply when the Management PVC (ILMI) check box is enabled.
The ATM adaptation layer (AAL) and encapsulation type to use on the PVC:
[blank]—The encapsulation type is not defined. (When deployed,
aal5snap is applied.)
aal2—For PVCs dedicated to AAL2 Voice over ATM. AAL2 is used for
variable bit rate (VBR) traffic, which can be either realtime (VBR-RT) or non-realtime (VBR-NRT).
aal5autoppp—Enables the router to distinguish between incoming PPP
over ATM (PPPoA) and PPP over Ethernet (PPPoE) sessions and create virtual access for both PPP types based on demand.
aal5ciscoppp—For the proprietary Cisco version of PPP over ATM.
aal5mux—Enables you to dedicate the PVC to a single protocol, as
defined in the Protocol field.
aal5nlpid—Enables ATM interfaces to work with High-Speed Serial
Interfaces (HSSI) that are using an ATM data service unit (ADSU) and running ATM-Data Exchange Interface (DXI).
aal5snap—Supports Inverse ARP and incorporates the Logical Link
Control/Subnetwork Access Protocol (LLC/SNAP) that precedes the protocol datagram. This allows multiple protocols to traverse the same PVC.
OL-16066-01
User Guide for Cisco Security Manager 3.2
K-61
Appendix K Router Platform User Interface Reference
PVC Policy Page
Table K-26 PVC Dialog Box—Settings Tab (Continued)
Virtual Template The virtual template used for PPP over ATM on this PVC. Enter the name of a virtual template interface or interface role, or click Select to display an Object Selectors, page F-593.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can define an interface role object.
When a user dials in, the virtual template is used to configure a virtual access interface. When the user is done, the virtual access interface goes down and the resources are freed for other dial-in users.
Note If you modify the virtual template settings on an existing PVC, you must enter the shutdown command followed by the no shutdown command on the ATM subinterface to restart the interface. This causes the newly configured parameters to take effect.
Protocol Applies only when aal5mux is the defined encapsulation type.
The protocol carried by the MUX-encapsulated PVC:
frame-relay—Frame-Relay-ATM Network Interworking (FRF.5) on the Cisco MC3810.
fr-atm-srv—Frame-Relay-ATM Service Interworking (FRF.8) on the Cisco MC3810.
ip—IP protocol.
ppp—IETF-compliant PPP over ATM. You must specify a virtual template when using this protocol type.
voice—Voice over ATM.
Additional settings
Enable ILMI When selected, enables ILMI management on this PVC.
When deselected, ILMI management on this PVC is disabled.
Inverse ARP When selected, the Inverse Address Resolution Protocol (Inverse ARP) is enabled on the PVC.
When deselected, Inverse ARP is disabled. This is the default.
Inverse ARP is used to learn the Layer 3 addresses at the remote ends of established connections. These addresses must be learned before the virtual circuit can be used.
Note Use the Protocol tab to define static mappings of IP addresses instead of dynamically learning the addresses using Inverse ARP. See PVC Dialog Box—Protocol Tab, page K-67.
PPPoE Max Sessions The maximum number of PPP over Ethernet sessions that are permitted on the PVC.
VPN Service Name The static domain name to use on this PVC. The maximum length is 128 characters.
Use this option when you want PPP over ATM (PPPoA) sessions in the PVC to be forwarded according to the domain name supplied, without starting PPP.
PVC Dialog Box—QoS Tab
Use the QoS tab of the PVC dialog box to configure the ATM traffic shaping and other quality-of-service settings of the PVC, including:
The limit on packets placed on transmission rings.
The QoS service.
Whether random detection is enabled.
These settings regulate the flow of traffic over the PVC by queuing traffic that exceeds the defined allowable bit rates.
Note QoS values are highly hardware dependent. Please refer to your router documentation for additional details about the settings that can be configured on your device.
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the QoS tab.
Related Topics
PVC Dialog Box—Settings Tab, page K-59
PVC Dialog Box—Protocol Tab, page K-67
PVC Advanced Settings Dialog Box, page K-69
Defining ATM PVCs, page 15-52
Quality of Service Policy Page, page K-199
Understanding Policing and Shaping Parameters, page 15-159
Field Reference
Table K-27 PVC Dialog Box—QoS Tab
Element Description
Tx Ring Limit The maximum number of transmission packets that can be placed on a transmission ring on the WAN interface card (WIC) or interface.
The range of valid values depends on the type of interface card selected in the Settings tab. See PVC Dialog Box—Settings Tab, page K-59.
Traffic Shaping settings
Traffic Shaping The type of service to define on the PVC:
[null]—The bit rate is not defined.
ABR—Available Bit Rate. A best-effort service suitable for applications that do not require guarantees against cell loss or delays.
CBR—Constant Bit Rate service. Delay-sensitive data, such as voice or video, is sent at a fixed rate, providing a service similar to a leased line.
UBR—Unspecified Bit Rate service. A best-effort service suitable for applications that are tolerant to delay and do not require realtime responses.
UBR+—Unspecified Bit Rate service. Unlike UBR, UBR+ attempts to maintain a guaranteed minimum rate.
VBR-NRT—Variable Bit Rate - Non-Real Time service. A service suitable for non-realtime applications that are bursty in nature. VBR is more efficient than CBR and more reliable than UBR.
VBR-RT—Variable Bit Rate - Real Time service. A service suitable for realtime applications that are bursty in nature.
For more information about each service class, see Understanding ATM Service Classes, page 15-48.
ABR The following fields are displayed when ABR is selected as the Bit Rate:
PCR—The peak cell rate in kilobits per second (kbps). It specifies the maximum value of the ABR.
MCR—The minimum cell rate in kilobits per second (kbps). It specifies the minimum value of the ABR.
The ABR varies between the MCR and the PCR. It is dynamically controlled using congestion control mechanisms.
CBR The following field is displayed when CBR is selected as the Bit Rate:
Rate—The constant bit rate (also known as the average cell rate) for the PVC in kilobits per second (kbps). An ATM VC configured for CBR can send cells at this rate for as long as required.
UBR The following field is displayed when UBR is selected as the Bit Rate:
PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.
UBR+ The following fields are displayed when UBR+ is selected as the Bit Rate:
PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.
MCR—The minimum guaranteed cell rate for output in kilobits per second (kbps). Traffic is always allowed to be sent at this rate.
Note UBR+ requires Cisco IOS Software Release 12.4(2)XA or later, or version 12.4(6)T or later.
VBR-NRT The following fields are displayed when VBR-NRT is selected as the Bit Rate:
PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.
SCR—The sustained cell rate for output in kilobits per second (kbps). This value, which must be lower than or equal to the PCR, represents the maximum rate at which cells can be transmitted without incurring data loss.
MBS—The maximum burst cell size for output. This value represents the number of cells that can be transmitted above the SCR but below the PCR without penalty.
VBR-RT The following fields are displayed when VBR-RT is selected as the Bit Rate:
Peak Rate—The peak information rate for realtime traffic in kilobits per second (kbps).
Average Rate—The average information rate for realtime traffic in kilobits per second (kbps). This value must be lower than or equal to the peak rate.
Burst—The burst size for realtime traffic, in number of cells. Configure this value if the PVC carries bursty traffic.
These values configure traffic shaping between realtime traffic (such as voice and video) and data traffic to ensure that the carrier does not discard realtime traffic, for example, voice calls.
IP QoS settings
Random Detect When selected, enables Weighted Random Early Detection (WRED) or VIP-distributed WRED (DWRED) on the PVC.
When deselected, WRED and DWRED are disabled. This is the default.
WRED is a queue management method that selectively drops packets as the interface becomes congested. See Tail Drop vs. WRED, page 15-156.
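The relationships stated for the traffic-shaping fields above (SCR no greater than PCR for VBR-NRT, Average Rate no greater than Peak Rate for VBR-RT, MCR within PCR for ABR and UBR+, and the IOS release that UBR+ requires) can be checked before a PVC policy is deployed. The following Python validator is an added example, not Security Manager or IOS code, and it generalizes the per-class rules into one check over all six service classes. The TrafficShaping data class, its field names, and the requirement that every rate be positive are assumptions made for the example; the release check only recognizes the XA and T trains named in the UBR+ note and reports anything else as unverified.

```python
"""Validator for the ATM traffic-shaping parameters of the PVC QoS tab (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Parameters each service class exposes on the QoS tab (kbps, except burst sizes in cells).
REQUIRED_FIELDS = {
    "ABR": ("pcr", "mcr"),
    "CBR": ("rate",),
    "UBR": ("pcr",),
    "UBR+": ("pcr", "mcr"),
    "VBR-NRT": ("pcr", "scr", "mbs"),
    "VBR-RT": ("peak", "average", "burst"),
}

# IOS release strings of the form major.minor(rebuild)TRAIN, e.g. "12.4(6)T".
_IOS_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)$")


@dataclass
class TrafficShaping:                   # hypothetical model of the QoS tab fields
    service: Optional[str]              # ABR, CBR, UBR, UBR+, VBR-NRT, VBR-RT, or None ([null])
    pcr: Optional[int] = None           # peak cell rate, kbps
    mcr: Optional[int] = None           # minimum cell rate, kbps (ABR, UBR+)
    scr: Optional[int] = None           # sustained cell rate, kbps (VBR-NRT)
    mbs: Optional[int] = None           # maximum burst size, cells (VBR-NRT)
    rate: Optional[int] = None          # constant rate, kbps (CBR)
    peak: Optional[int] = None          # peak information rate, kbps (VBR-RT)
    average: Optional[int] = None       # average information rate, kbps (VBR-RT)
    burst: Optional[int] = None         # burst size, cells (VBR-RT)
    ios_version: Optional[str] = None   # release running on the device, if known


def ubr_plus_supported(ios_version: str) -> Optional[bool]:
    """UBR+ requires 12.4(2)XA or later, or 12.4(6)T or later. Returns True or False
    for those two trains and None for any release string this check does not cover,
    so the caller can flag it for manual confirmation rather than assume support."""
    m = _IOS_VERSION.match(ios_version)
    if not m:
        return None
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    minimum = {"XA": (12, 4, 2), "T": (12, 4, 6)}.get(m.group(4))
    return None if minimum is None else release >= minimum


def validate(ts: TrafficShaping) -> List[str]:
    """Return the problems found in a QoS tab configuration; an empty list means the
    values are consistent with the constraints stated for the selected service class."""
    errors: List[str] = []
    if ts.service is None:
        return errors                    # [null]: bit rate not defined, nothing to check
    fields = REQUIRED_FIELDS.get(ts.service)
    if fields is None:
        return [f"unknown service class {ts.service!r}"]
    for name in fields:
        value = getattr(ts, name)
        if value is None:
            errors.append(f"{ts.service}: {name.upper()} is required")
        elif value <= 0:                 # assumption: a zero or negative rate is a mistake
            errors.append(f"{ts.service}: {name.upper()} must be positive")
    if errors:
        return errors                    # relationship checks need every value present
    if ts.service in ("ABR", "UBR+") and ts.mcr > ts.pcr:
        errors.append(f"{ts.service}: MCR ({ts.mcr} kbps) must not exceed PCR ({ts.pcr} kbps)")
    if ts.service == "VBR-NRT" and ts.scr > ts.pcr:
        errors.append(f"VBR-NRT: SCR ({ts.scr} kbps) must be lower than or equal to PCR ({ts.pcr} kbps)")
    if ts.service == "VBR-RT" and ts.average > ts.peak:
        errors.append(f"VBR-RT: Average Rate ({ts.average} kbps) must be lower than or equal to "
                      f"Peak Rate ({ts.peak} kbps)")
    if ts.service == "UBR+" and ts.ios_version is not None:
        supported = ubr_plus_supported(ts.ios_version)
        if supported is False:
            errors.append(f"UBR+: IOS {ts.ios_version} is older than 12.4(2)XA / 12.4(6)T")
        elif supported is None:
            errors.append(f"UBR+: IOS {ts.ios_version} is not a release this check covers; "
                          "confirm support manually")
    return errors
```

The validator stops after the presence checks so that the relationship checks never compare a missing value, and the release check deliberately returns None rather than True for trains the note does not mention; a deployment tool that treats an unknown release as supported would silently push a UBR+ PVC the device may reject.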
PVC Dialog Box—Protocol Tab
Use the Protocol tab of the PVC dialog box to add, edit, or delete the protocol mappings configured for the PVC. You may configure static mappings or Inverse ARP (broadcast or nonbroadcast) for each PVC, but not both.
Note IP is the only protocol supported by Security Manager for protocol mapping on ATM networks.
Note You cannot define protocol mappings on the Management PVC (ILMI).
Navigation Path
Go to the PVC Dialog Box, page K-56, then click the Protocol tab.
Related Topics
PVC Dialog Box—Settings Tab, page K-59
PVC Dialog Box—QoS Tab, page K-63
PVC Advanced Settings Dialog Box, page K-69
Defining ATM PVCs, page 15-52
Field Reference
Table K-28 PVC Dialog Box—Protocol Tab
Element Description
IP Protocol Mapping Displays the IP protocol mappings configured for the PVC.
Add button Opens the Define Mapping Dialog Box, page K-68. From here you can define an IP protocol mapping.
Edit button Opens the Define Mapping Dialog Box, page K-68. From here you can edit the selected mapping.
Delete button Deletes the selected mapping from the table.

Define Mapping Dialog Box

Use the Define Mapping dialog box to configure the IP protocol mappings to use on the ATM PVC. Mappings are required by the PVC to discover which IP address is reachable at the other end of a connection. Mappings can either be learned dynamically using Inverse ARP (InARP) or defined statically. Static mappings are best suited for simple networks that contain only a few nodes.
Note Inverse ARP is only supported for the aal5snap encapsulation type. See PVC Dialog Box—Settings Tab, page K-59.
Tip Use the CLI or FlexConfigs to configure mappings for protocols other than IP.
Navigation Path
Go to the PVC Dialog Box—Protocol Tab, page K-67, then click Add or Edit.
Related Topics
PVC Dialog Box, page K-56
Defining ATM PVCs, page 15-52
Field Reference
Table K-29 Define Mapping Dialog Box
Element Description
IP Options The type of IP protocol mapping to use:
IP Address—Select this option when using static mapping. Enter the address or network/host object, or click Select to display an Object Selectors, page F-593.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477. From here, you can define a network/host object.
InARP—Inverse ARP. Select this option when using dynamic mapping. This allows the PVC to resolve its own network addresses without configuring a static map. Dynamic mappings age out and are refreshed periodically every 15 minutes by default.
Note InARP can be used only when aal5snap is the defined encapsulation type for the PVC. See PVC Dialog Box—Settings Tab, page K-59.
Broadcast Options Indicates whether to use this map entry when sending IP broadcast packets (such as EIGRP updates):
Broadcast—The map entry is used for broadcast packets.
No Broadcast—The map entry is used only for unicast packets.
None—Broadcast options are disabled.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

PVC Advanced Settings Dialog Box

Use the PVC Advanced Settings dialog box to configure F5 Operation, Administration, and Maintenance (OAM) functionality on an ATM PVC. OAM is used to detect connectivity failures at the ATM layer.
For more information, see Defining OAM Management on ATM PVCs, page 15-56.
Navigation Path
Go to the PVC Dialog Box, page K-56, then click Advanced.
Related Topics
PVC Policy Page, page K-54
Field Reference
Table K-30 PVC Advanced Settings Dialog Box
Element Description
OAM tab Defines loopback, connectivity check, and AIS/RDI settings. See PVC Advanced Settings Dialog Box—OAM Tab, page K-70.
OAM-PVC tab Enables OAM loopbacks and connectivity checks on the PVC. See PVC Advanced Settings Dialog Box—OAM-PVC Tab, page K-73.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
PVC Advanced Settings Dialog Box—OAM Tab
Use the OAM tab of the PVC Advanced Settings dialog box to define:
The number of loopback cell responses that move the PVC to the down or up state.
The number of alarm indication signal/remote defect indication (AIS/RDI) cells that move the PVC to the down or up state.
The number and frequency of segment/end continuity check (CC) activation and deactivation requests that are sent on this PVC.
For more information, see Defining OAM Management on ATM PVCs, page 15-56.
Note The settings defined in this tab are dependent on the settings defined in the OAM-PVC tab. See PVC Advanced Settings Dialog Box—OAM-PVC Tab, page K-73.
Navigation Path
Go to the PVC Advanced Settings Dialog Box, page K-69, then click the OAM tab.
Related Topics
PVC Dialog Box, page K-56
Field Reference
Table K-31 PVC Advanced Settings Dialog Box—OAM Tab
Element Description
Retry settings
Enable OAM Retry When selected, OAM management settings can be defined.
When deselected, OAM management settings cannot be defined.
Note If Enable OAM Management is deselected in the OAM-PVC tab, these settings are saved in the device configuration but are not applied.
Down Count The number of consecutive, unreceived, end-to-end loopback cell responses that cause the PVC to move to the down state. The default is 3.
Up Count The number of consecutive end-to-end loopback cell responses that must be received in order to move the PVC to the up state. The default is 5.
Retry Frequency The interval between loopback cell verification transmissions in seconds. The default is 1 second.
If a PVC is up and a loopback cell response is not received within the specified interval (as defined in the Frequency field of the OAM-PVC tab), loopback cells are transmitted at the frequency defined here to verify whether the PVC is down. If the number of consecutive cells that do not receive a response matches the defined down count, the PVC is moved to the down state.
AIS-RDI settings
Enable AIS-RDI Detection When selected, alarm indication signal (AIS) cells and remote defect indication (RDI) cells are used to report connectivity failures at the ATM layer of the PVC.
When deselected, AIS/RDI cells are disabled.
AIS cells notify downstream devices of the connectivity failure. The last ATM switch then generates RDI cells in the upstream direction towards the device that sent the original failure notification.
Down Count The number of consecutive AIS/RDI cells that cause the PVC to go down. Valid values range from 1 to 60. The default is 1.
Up Count The number of seconds after which a PVC is brought up if no AIS/RDI cells are received. Valid values range from 3 to 60 seconds. The default is 3.
Segment Continuity Check settings
Enable Segment Continuity Check When selected, OAM F5 continuity check (CC) activation and deactivation requests are sent to a device at the other end of a segment.
When deselected, segment CC activation and deactivation requests are disabled.
Note If Configure Continuity Check is deselected in the OAM-PVC tab, these settings are saved in the device configuration but are not applied.
Activation Count The maximum number of times that the activation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.
Deactivation Count The maximum number of times that the deactivation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.
Retry Frequency The interval between activation/deactivation retries, in seconds. The default is 30 seconds.
End-to-End Continuity Check settings
Enable End-to-End Continuity Check When selected, OAM F5 continuity check (CC) activation and deactivation requests are sent to a device at the other end of the PVC.
When deselected, segment CC activation and deactivation requests are disabled.
Note If Configure Continuity Check is deselected in the OAM-PVC tab, these settings are saved in the device configuration but are not applied.
Activation Count The maximum number of times that the activation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.
Deactivation Count The maximum number of times that the deactivation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.
Retry Frequency The interval between activation/deactivation retries, in seconds. The default is 30 seconds.
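The loopback retry behaviour described for the Down Count, Up Count, and Retry Frequency fields of this tab, together with the Frequency field of the OAM-PVC tab, amounts to a small state machine. The following Python simulation is an added example, not Security Manager or IOS code: it sends loopback cells at the OAM-PVC Frequency while the PVC is healthy, switches to the Retry Frequency once a response is missed, brings the PVC down after Down Count consecutive misses and back up after Up Count consecutive responses. The OamLoopbackMonitor class, its field names, and the constructed probe outcomes are assumptions made for the example; the manage flag models the note that the retry settings are saved but not applied when Enable OAM Management is deselected on the OAM-PVC tab.

```python
"""Simulation of OAM F5 loopback monitoring controlled by the OAM and OAM-PVC tabs (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class PvcState(Enum):
    UP = "up"
    DOWN = "down"


@dataclass
class OamLoopbackMonitor:            # hypothetical model of the OAM / OAM-PVC tab settings
    # OAM-PVC tab
    manage: bool = True              # Enable OAM Management; when False the OAM-tab settings are not applied
    frequency: int = 10              # seconds between loopback cells while the PVC is healthy (0 to 600)
    # OAM tab, Retry settings (defaults as stated on the page)
    down_count: int = 3              # consecutive unanswered loopback cells that move the PVC to down
    up_count: int = 5                # consecutive answered loopback cells that move the PVC back to up
    retry_frequency: int = 1         # seconds between verification cells once a response is missed
    # Runtime state
    state: PvcState = PvcState.UP
    missed: int = 0                  # consecutive loopback cells with no response
    answered: int = 0                # consecutive loopback cells that were answered
    verifying: bool = False          # True after a miss, until the PVC is confirmed up or down
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def next_interval(self) -> int:
        """Seconds until the next loopback cell: the OAM-PVC Frequency while the PVC is
        healthy, the OAM-tab Retry Frequency while verifying a miss or while down."""
        if self.verifying or self.state is PvcState.DOWN:
            return self.retry_frequency
        return self.frequency

    def observe(self, now: int, response_received: bool) -> PvcState:
        """Account for one loopback cell sent at time `now` and whether it was answered."""
        if not self.manage:
            return self.state            # settings saved but not applied: no monitoring at all
        if response_received:
            self.missed = 0
            self.answered += 1
            if self.state is PvcState.DOWN and self.answered >= self.up_count:
                self.state = PvcState.UP
                self.transitions.append((now, PvcState.UP.value))
            if self.state is PvcState.UP:
                self.verifying = False   # healthy again: return to the slower Frequency
        else:
            self.answered = 0
            self.missed += 1
            self.verifying = True
            if self.state is PvcState.UP and self.missed >= self.down_count:
                self.state = PvcState.DOWN
                self.transitions.append((now, PvcState.DOWN.value))
        return self.state


def simulate(outcomes: List[bool], **settings) -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    """Drive a monitor with a constructed list of loopback outcomes (True = response
    received, False = no response). Returns the per-probe trace of (time, state) and
    the list of state transitions with the time at which each occurred."""
    monitor = OamLoopbackMonitor(**settings)
    now = 0
    trace: List[Tuple[int, str]] = []
    for received in outcomes:
        now += monitor.next_interval()
        trace.append((now, monitor.observe(now, received).value))
    return trace, monitor.transitions
```

With the defaults (Down Count 3, Up Count 5, Retry Frequency 1) and a Frequency of 10 seconds, a PVC that stops answering at t=20 is declared down at t=22, since verification cells go out every second rather than every ten, and it needs five consecutive answers before it is trusted again. A single missed response never brings the PVC down on its own, which is what the Down Count is for.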
PVC Advanced Settings Dialog Box—OAM-PVC Tab
Use the OAM-PVC tab of the PVC Advanced Settings dialog box to enable loopback cells and connectivity checks (CCs) on the PVC. These functions test the connectivity of the virtual connection.
For more information, see Defining OAM Management on ATM PVCs, page 15-56.
Note Use the OAM tab to define additional settings related to the settings on this tab. See PVC Advanced Settings Dialog Box—OAM Tab, page K-70.
Navigation Path
Go to the PVC Advanced Settings Dialog Box, page K-69, then click the OAM-PVC tab.
Related Topics
PVC Dialog Box, page K-56
Field Reference
Table K-32 PVC Advanced Settings Dialog Box—OAM-PVC Tab
Element Description
OAM settings
Enable OAM Management When selected, OAM loopback cell generation and OAM management are enabled on the PVC.
When deselected, OAM loopback cells and OAM management are disabled. However, continuity checks can still be performed.
Frequency The interval between loopback cell transmissions. Valid values range from 0 to 600 seconds.
Segment Continuity Check settings
Segment Continuity Check The current configuration of OAM F5 continuity checks performed on PVC segments:
None—Segment continuity checks (CC) are disabled.
Deny Activation Requests—The PVC rejects activation requests from peer devices, which prevents OAM F5 CC management from being activated on the PVC.
Configure Continuity Check—Segment CCs are enabled on the PVC. The router on which CC management is configured sends a CC activation request to the router at the other end of the segment, directing it to act as either a source or a sink.
Segment CCs occur on a PVC segment between the router and a first-hop ATM switch.
Direction Applies only when CC management is enabled.
The direction in which CC cells are transmitted:
both—CC cells are transmitted in both directions.
sink—CC cells are transmitted toward the router that initiated the CC activation request.
source—CC cells are transmitted away from the router that initiated the CC activation request.
Keep VC up after segment failure When selected, the PVC is kept in the up state when CC cells detect connectivity failure.
When deselected, the PVC is brought down when CC cells detect connectivity failure.
Keep VC up after end-to-end failure When selected, specifies that if AIS/RDI cells are received, the PVC is not brought down because of end CC failure or loopback failure.
When deselected, the PVC is brought down because of end CC failure or loopback failure.
End-to-End Continuity Check settings
End-to-End Continuity Check The current configuration of OAM F5 end-to-end continuity checks on the PVC:
None—End-to-end continuity checks (CC) are disabled.
Deny Activation Requests—The PVC rejects activation requests from peer devices, which prevents OAM F5 CC management from being activated on the PVC.
Configure Continuity Check—End-to-end CCs are enabled on the PVC. The router on which CC management is configured sends a CC activation request to the router at the other end of the connection, directing it to act as either a source or a sink.
End-to-end CC monitoring is performed on the entire PVC between two ATM end stations.
Direction Applies only when CC management is enabled.
The direction in which CC cells are transmitted:
both—CC cells are transmitted in both directions.
sink—CC cells are transmitted toward the router that initiated the CC activation request.
source—CC cells are transmitted away from the router that initiated the CC activation request.
Keep VC up after end-to-end failure When selected, the PVC is kept in the up state when CC cells detect connectivity failure.
When deselected, the PVC is brought down when CC cells detect connectivity failure.
Keep VC up after segment failure When selected, specifies that if AIS/RDI cells are received, the PVC is not brought down because of a segment CC failure.
When deselected, the PVC is brought down because of a segment CC failure.
PPP/MLP Policy Page
Use the PPP/MLP page to create, edit, and delete PPP connections on the router. For more information, see Defining PPP Connections, page 15-61.
Navigation Path
• (Device view) Select Interfaces > Settings > PPP/MLP from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > PPP/MLP from the Policy Type selector. Right-click PPP/MLP to create a policy, or select an existing policy from the Shared Policies selector.
Related Topics
PPP on Cisco IOS Routers, page 15-58
Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-33 PPP/MLP Page
Element Description
Filter Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface The interface that is configured for PPP/MLP.
Authentication The types of authentication used on the PPP connection.
Authorization The method list used for AAA authorization on the PPP connection.
Multilink Indicates whether Multilink PPP (MLP) is enabled on this PPP connection.
Endpoint The type of default endpoint discriminator to use when negotiating the use of MLP with the peer.
Multiclass Indicates whether the Multiclass Multilink PPP (MCMP) feature is enabled on this PPP connection.
Group The number of the multilink-group interface to which the physical link is restricted.
Interleave Indicates whether the PPP multilink interleave feature is enabled on this PPP connection.
Add button Opens the PPP Dialog Box, page K-78. From here you can define the authentication and multilink settings for the PPP connection.
Edit button Opens the PPP Dialog Box, page K-78. From here you can edit the selected PPP connection.
Delete button Deletes the selected PPP connection from the table.
Save button Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

PPP Dialog Box

Use the PPP dialog box to configure PPP connections on the router. When you configure a PPP connection, you can define the type of authentication and authorization to perform and define multilink parameters.
Navigation Path
Go to the PPP/MLP Policy Page, page K-76, then click the Add or Edit button beneath the table.
Related Topics
Defining PPP Connections, page 15-61
Field Reference
Table K-34 PPP Dialog Box
Element Description
Interface The interface on which PPP encapsulation is enabled. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593.
The following interface types support PPP:
Async
Group-Async
Serial
High-Speed Serial Interface (HSSI)
Dialer
BRI, PRI (ISDN)
Virtual template
Multilink
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
You cannot define PPP on:
Subinterfaces.
Serial interfaces with Frame Relay encapsulation.
Virtual template interfaces defined as Ethernet or tunnel types (serial is supported).
Note You can define only one PPP connection per interface.
Note Deployment might fail if you define PPP on a virtual template that is also used in an 802.1x policy. See 802.1x Policy Page, page K-179.
PPP tab Defines the type of authentication and authorization to perform on the PPP connection. See PPP Dialog Box—PPP Tab, page K-80.
MLP tab Defines how to split and recombine sequential datagrams across multiple logical data links using Multilink PPP (MLP). See PPP Dialog Box—MLP Tab, page K-84.
OK button Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
PPP Dialog Box—PPP Tab
Use the PPP tab of the PPP dialog box to define the types of authentication and authorization to perform on the PPP connection.
Navigation Path
Go to the PPP Dialog Box, page K-78, then click the PPP tab.
Related Topics
PPP Dialog Box—MLP Tab, page K-84
Field Reference
Table K-35 PPP Dialog Box—PPP Tab
Element Description
Authentication settings
PPP Encapsulation When selected, indicates that PPP encapsulation is enabled for the selected interface. This field is read-only.
Protocol The authentication protocols to use:
CHAP—Challenge-Handshake Authentication Protocol.
PAP—Password Authentication Protocol.
MS-CHAP—Version 1 of the Microsoft version of CHAP (RFC 2433).
MS-CHAP-2—Version 2 of the Microsoft version of CHAP (RFC 2759).
EAP—Extensible Authentication Protocol.
You may select one or more authentication protocols, as required.
Options The authentication options to use:
Call In—When selected, authentication is performed on incoming calls.
Call Out—When selected, authentication is performed on outgoing calls.
Call Back—When selected, authentication is performed on callback.
One Time—When selected, one-time passwords are used for authentication. One-time passwords are considered highly secure since each one is used only once. When deselected, one-time passwords are not used.
Note AAA authentication must be enabled in order to use one-time passwords. See AAA Policy Page, page K-87. One-time passwords cannot be used with CHAP.
Optional—When selected, allows a mobile station in a Packet Data Serving Node (PDSN) configuration to receive Simple IP and Mobile IP services without using CHAP or PAP.
When deselected, mobile stations must use CHAP or PAP to receive Simple IP and Mobile IP services.
Authenticate Using AAA authentication settings for the PPP connection:
PPP Default List—Defines a default list of methods to be queried when authenticating a user for PPP. Enter the names of one or more AAA server group objects (up to four) in the Prioritized Method List field, or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
Tip After you create the default list for one PPP connection, you can use it for other PPP connections on this device.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-12. From here you can define a AAA server group object.
Prioritized Method List—Defines a sequential list of methods to be queried when authenticating a user for this PPP connection only.
Note Leave this field blank to perform authentication using the local database on the router.
PAP Authentication settings
Username The username to send in PAP authentication requests. The username is case sensitive.
Password The password to send in PAP authentication requests. Enter the password again in the Confirm field. The password can contain 1 to 25 uppercase or lowercase alphanumeric characters. The password is case sensitive.
The username and password are sent if the peer requests the router to authenticate itself using PAP.
Encrypted Password When selected, this indicates that the password you entered is already encrypted.
When deselected, this indicates that the password you entered is in clear text.
CHAP Authentication settings
Hostname By default, the router uses its hostname to identify itself to the peer. If required, you can enter a different hostname to use for all CHAP challenges and responses. For example, use this field to specify a common alias for all routers in a rotary group.
Secret The secret used to compute the response value for any CHAP challenge from an unknown peer. Enter the secret again in the Confirm field.
Encrypted Secret When selected, this indicates that the password you entered is already encrypted. When deselected, this indicates that the password you entered is in clear text.
Authorization settings
Authorize Using AAA authorization settings for the PPP connection:
AAA Policy Default List—Uses the default authorization method list that is defined in the device’s AAA policy. See AAA Policy Page, page K-87.
Prioritized Method List—Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the traverse arrows in the AAA Server Groups Selector to select server groups and then the up and down arrows to define the order in which selected server groups should be used.
Note The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, you can click the Create button in the selector to display the AAA Server Group Dialog Box, page F-12. From here you can define a AAA server group object.
Note Leave this field blank to perform authorization using the local database on the router.
PPP Dialog Box—MLP Tab
Use the MLP tab of the PPP dialog box to define Multilink PPP (MLP) parameters for the selected PPP connection.
Navigation Path
Go to the PPP Dialog Box, page K-78, then click the MLP tab.
Related Topics
PPP Dialog Box—PPP Tab, page K-80
Field Reference
Table K-36 PPP Dialog Box—MLP Tab
Element Description
Enable Multilink PPP (MLP)
    When selected, MLP is enabled on this PPP connection. When deselected, MLP is disabled.

Allow Multiple Data Classes
    When selected, enables multiple data classes on the MLP bundle. Delay-sensitive traffic is placed into Class 1, where it can be interleaved but never fragmented. Normal data traffic is placed into Class 0, which is subject to fragmentation just as regular multilink packets are. When deselected, all traffic is subject to fragmentation.

Enable Interleaving of Packets Among Fragments of Larger Packets
    When selected, enables the interleaving of packets among the fragments of larger packets on the MLP bundle. When deselected, interleaving is disabled.
    Note: If you enable interleaving without defining a fragment delay, the default delay of 30 milliseconds is configured. This value does not appear in Security Manager or in the device configuration.
    Note: Serial interfaces do not support interleaving.
Multilink Group
    Applies only to serial, Group-Async, and multilink interfaces.
    Restricts the physical link to the selected multilink-group interface. Enter the name of a multilink interface or interface role, or click Select to display an Object Selectors, page F-593.
    If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
    This option is typically used in static leased-line environments, where the remote systems to which the device's serial lines are connected are known in advance.
    In effect, this option dedicates a specific interface to a particular user, even when that user is not connected. If a peer at the other end of the link tries to join a different bundle, the connection is severed.

Maximum Fragment Delay
    The maximum amount of time that should be required to transmit a fragment on the MLP bundle. Valid values range from 1 to 1000 milliseconds.
    Fragment size is determined by the defined fragment delay and the bandwidth of the links.
    Note: Serial interfaces do not support this feature.
Endpoint Type
    The identifier used by the router when transmitting packets on the MLP bundle:
    [null]—Negotiation is conducted without using an endpoint discriminator. (No CLI command is generated.)
    Hostname—The hostname of the router. This option is useful when multiple routers are using the same username to authenticate but have different hostnames.
    IP—A defined IP address. Enter an address or the name of a network/host object, or click Select to display an Object Selectors, page F-593.
    MAC—The MAC address of a specific interface. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593.
    None—Negotiation is conducted without using an endpoint discriminator. (The relevant CLI command is generated, but no endpoint discriminator is provided.) This option is useful when the router is connected to a malfunctioning peer that does not handle the endpoint discriminator properly.
    Phone—An E.164-compliant telephone number. Enter the number in the field displayed.
    String—A character string. Enter the string in the field displayed.
    The default endpoint discriminator is either the globally configured hostname, or the PAP username or CHAP hostname (depending on the authentication protocol being used), if you have configured those values on the PPP tab.

MRRU Local Peer
    The maximum receive reconstructed unit (MRRU) value of the local peer. This value represents the maximum size packet that the local router is capable of receiving.
    Valid values range from 128 to 16384 bytes. The default is the maximum transmission unit (MTU) of the multilink group interface and 1524 bytes for all other interfaces.
MRRU Remote Peer
    The maximum receive reconstructed unit (MRRU) value of the remote peer. This value represents the maximum size packet that the remote peer is capable of receiving.
    Valid values range from 128 to 16384 bytes. The default is 1524 bytes.

Maximum FIFO Queue Size
    The maximum queue depth when the bundle uses first-in, first-out (FIFO) queuing. Valid values range from 2 to 255 packets. The default is 8.

Maximum QoS Queue Size
    The maximum queue depth when the bundle uses non-FIFO queuing. Valid values range from 2 to 255 packets. The default is 2.
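The following Cisco IOS configuration is an added illustration of what the PPP tab and MLP tab settings described above correspond to on the router. It is not output from Security Manager and not text from the original guide. The interface names, the CHAP alias wan-rotary, the PAP username, the secrets, the IP addressing, the multilink group number and the method list and server group names PPP-AUTHZ, TAC-PRIMARY and TAC-SECONDARY are assumed values, and the exact spelling of some commands (for example the fragment delay command) varies by IOS release.

```cisco
! Added example with assumed values; not generated by Security Manager.
aaa new-model
! Authorize Using > Prioritized Method List: two AAA server groups,
! then the local database (group names are assumed).
aaa authorization network PPP-AUTHZ group TAC-PRIMARY group TAC-SECONDARY local
!
! PPP tab settings applied to the physical link
interface Serial0/0
 encapsulation ppp
 ppp authentication chap pap
 ! PAP: sent only if the peer asks this router to authenticate itself
 ppp pap sent-username branch-rtr password 0 PapPassw0rd
 ! CHAP Hostname: a common alias for every router in the rotary group
 ppp chap hostname wan-rotary
 ! CHAP Secret used to answer challenges from unknown peers
 ppp chap password 0 ChapSecr3t
 ppp authorization PPP-AUTHZ
 ! MLP tab > Multilink Group: restrict this link to bundle Multilink1
 ppp multilink
 ppp multilink group 1
!
! MLP tab settings applied to the bundle interface
interface Multilink1
 ip address 10.1.1.1 255.255.255.252
 ppp multilink
 ppp multilink group 1
 ! Allow Multiple Data Classes (Class 1 is interleaved, never fragmented)
 ppp multilink multiclass
 ! Enable Interleaving with an explicit Maximum Fragment Delay in ms;
 ! leaving the delay out makes IOS apply 30 ms without showing it
 ppp multilink interleave
 ppp multilink fragment delay 20
 ! Endpoint Type: Hostname
 ppp multilink endpoint hostname
 ! MRRU Local Peer and MRRU Remote Peer
 ppp multilink mrru local 1524
 ppp multilink mrru remote 1524
```

The `0` in `password 0` marks a clear-text value; when Encrypted Password or Encrypted Secret is selected in the dialog, the value is written with the `7` type marker instead. Because `ppp authentication chap pap` tries CHAP first and falls back to PAP, a peer that negotiates only PAP receives the sent-username password in clear text on the link, so prefer CHAP-only where both ends support it. Verify the bundle with `show ppp multilink` and `show interfaces Multilink1`, and troubleshoot credential problems with `debug ppp authentication`.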
AAA Policy Page
Use the AAA page to define the default authentication, authorization, and accounting methods to use on the router. You do this by configuring method lists, which define which methods to use and the sequence in which to use them.
Note: You can use the method lists defined in this policy as default settings when you configure AAA on the router's console port and VTY lines. See Console Policy Page, page K-117 and VTY Policy Page, page K-129.
Navigation Path
• (Device view) Select Platform > Device Admin > AAA from the Policy selector.
• (Policy view) Select Router Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
AAA on Cisco IOS Routers, page 15-66
Understanding AAA Server Objects, page 9-22
Understanding AAA Server Group Objects, page 9-15
Console Policy Page, page K-117
VTY Policy Page, page K-129
Chapter K, “Router Platform User Interface Reference”
Field Reference
Table K-37 AAA Page
Element Description
Authentication tab
    Defines the login authentication methods to use and the sequence in which to use them. See AAA Page—Authentication Tab, page K-88.

Authorization tab
    Defines the types of network, EXEC, and command authorization to perform and the methods to use for each type. See AAA Page—Authorization Tab, page K-90.

Accounting tab
    Defines the types of connection, EXEC, and command accounting to perform and the methods to use for each type. See AAA Page—Accounting Tab, page K-93.

Save button
    Saves your changes to the Security Manager server but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.
AAA Page—Authentication Tab
Use the Authentication tab of the AAA page to define the methods used to authenticate users who access the device. Authentication methods are defined in a method list, which defines the security protocols to use, such as RADIUS and TACACS+, and the order in which they are tried.
Note: You can use the method list defined in this policy on the console and VTY lines that are used to communicate with the device. See Console Policy Page, page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Authentication tab.
Related Topics
Defining AAA Services, page 15-70
Understanding Method Lists, page 15-69
AAA Server Group Dialog Box, page F-12
Predefined AAA Authentication Server Groups, page 9-15
Field Reference
Table K-38 AAA Page—Authentication Tab
Element Description
Enable Device Login Authentication
    When selected, enables the authentication of all users when they log in to the device, using the methods defined in the method list. When deselected, authentication is not performed.

Prioritized Method List
    Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
    The device initially tries to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. Failover happens only when a method does not respond; a method that responds with a rejection ends the sequence, so a later method such as Local cannot be used to bypass a reachable AAA server.
    Supported methods include Line, Local, Kerberos, RADIUS, TACACS+, and None.
    Note: If you select None as a method, it must appear as the last method in the list. Because None grants access without checking credentials, it takes effect whenever every method before it fails to respond, for example when all AAA servers are unreachable.

Maximum Number of Attempts
    The maximum number of unsuccessful authentication attempts before a user is locked out. This feature is disabled by default. Valid values range from 1 to 65535.
    Note: From the standpoint of the user, there is no distinction between a normal authentication failure and an authentication failure due to being locked out. The system administrator has to explicitly clear the status of a locked-out user using clear commands.
AAA Page—Authorization Tab
Use the Authorization tab of the AAA page to define the type of authorization services to enable on the device and the methods to use for each type. Security Manager supports the following types of authorization:
Network—Authorizes various types of network connections, such as PPP.
EXEC—Authorizes the launching of EXEC sessions.
Command—Authorizes the use of all EXEC mode commands that are associated with specific privilege levels.
Note: You can use the method lists defined in this policy on the console and VTY lines that are used to communicate with the device. See Console Policy Page, page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Authorization tab.
Related Topics
Defining AAA Services, page 15-70
Supported Authorization Types, page 15-67
Understanding Method Lists, page 15-69
AAA Server Group Dialog Box, page F-12
Field Reference
Table K-39 AAA Page—Authorization Tab
Element Description
Network Authorization settings

Enable Network Authorization
    When selected, enables the authorization of network connections, such as PPP, SLIP, or ARAP connections, using the methods defined in the method list. When deselected, network authorization is not performed.
Prioritized Method List
    Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
    The device initially tries to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
    Supported methods include RADIUS, TACACS+, Local, and None.
    Note: RADIUS uses the same server for authentication and authorization. Therefore, if you define a RADIUS method list for authentication, you must define the same method list for authorization.
    Note: If you select None as a method, it must appear as the last method in the list.
EXEC Authorization settings

Enable CLI/EXEC Operations Authorization
    When selected, this type of authorization determines whether the user is permitted to open an EXEC (CLI) session, using the methods defined in the method list. When deselected, EXEC authorization is not performed.

Prioritized Method List
    Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
    The device initially tries to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Command Authorization settings

Filter
    Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Privilege Level
    The privilege level to which the command authorization definition applies.

Prioritized Method List
    The method list to use when authorizing users with this privilege level.
Add button
    Opens the Command Authorization Dialog Box, page K-92. From here you can configure a command authorization definition.

Edit button
    Opens the Command Authorization Dialog Box, page K-92. From here you can edit the command authorization definition.

Delete button
    Deletes the selected command authorization definitions from the table.

Command Authorization Dialog Box

Use the Command Authorization dialog box to define which methods to use when authorizing the EXEC commands that are associated with a given privilege level. This enables you to authorize all commands associated with a specific privilege level, from 0 to 15.
Navigation Path
From the AAA Page—Authorization Tab, page K-90, click the Add button beneath the Command Authorization table.
Related Topics
Defining AAA Services, page 15-70
Supported Authorization Types, page 15-67
Understanding Method Lists, page 15-69
Field Reference
Table K-40 Command Authorization Dialog Box
Element Description
Privilege Level
    The privilege level for which you want to define a command authorization list. Valid values range from 0 to 15.
Prioritized Method List
    Defines a sequential list of methods to be used when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
    The device initially tries to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
    If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-12. From here you can define an AAA server group object.
    Supported methods include TACACS+, Local, and None.
    Note: If you select None as a method, it must appear as the last method in the list.
OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
AAA Page—Accounting Tab
Use the Accounting tab of the AAA page to define the type of accounting services to enable on the device and the methods to use for each type. Security Manager supports the following types of accounting:
Connection—Records information about all outbound connections made from this device.
EXEC—Records information about user EXEC sessions on the device, including the username, date, start and stop times, and the IP address.
Command—Records information about the EXEC commands executed on the device by users with specific privilege levels.
In addition, you use the Accounting page to determine when accounting records should be generated and whether they should be broadcast to more than one AAA server.
Note: You can use the method lists defined in this policy on the console and VTY lines that are used to communicate with the device. See Console Policy Page, page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.
Navigation Path
Go to the AAA Policy Page, page K-87, then click the Accounting tab.
Related Topics
Defining AAA Services, page 15-70
Supported Accounting Types, page 15-67
Understanding Method Lists, page 15-69
AAA Server Group Dialog Box, page F-12
Field Reference
Table K-41 AAA Page—Accounting Tab
Element Description
Connection Accounting settings
Enable Connection Accounting
    When selected, enables the recording of information about outbound connections (such as Telnet) made over this device, using the methods defined in the method list. When deselected, connection accounting is not performed.

Generate Accounting Records for
    Defines when the device sends an accounting notice to the accounting server:
    Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the “start” accounting record.
    Stop Only—Generates an accounting record at the end of the user process only.
    None—Disables this type of accounting.
Prioritized Method List
    Defines a sequential list of methods to be queried when creating connection accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
    Supported methods include RADIUS and TACACS+.

Enable Broadcast to Multiple Servers
    When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
    When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.

EXEC Accounting settings

Enable CLI/EXEC Operations Accounting
    When selected, enables the recording of basic information about user EXEC sessions, using the methods defined in the method list. When deselected, EXEC accounting is not performed.

Generate Accounting Records for
    See description Table N-91 on page N-131.

Prioritized Method List
    Defines a sequential list of methods to be queried when creating EXEC accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.

Enable Broadcast to Multiple Servers
    When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
    When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.

Command Accounting settings

Filter
    Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Privilege Level
    The privilege level to which the command accounting definition applies.
Generate Accounting Records for
    The points in the process where the device sends an accounting notice to the accounting server.

Enable Broadcast
    Whether accounting records are broadcast to multiple servers simultaneously.

Prioritized Method List
    The method list to use when recording command accounting for users with this privilege level.

Add button
    Opens the Command Accounting Dialog Box, page K-96. From here you can configure a command accounting definition.

Edit button
    Opens the Command Accounting Dialog Box, page K-96. From here you can edit the command accounting definition.

Delete button
    Deletes the selected command accounting definitions from the table.

Command Accounting Dialog Box

Use the Command Accounting dialog box to define which methods to use when recording information about the EXEC commands that are executed for a given privilege level. Each accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the name of the user who executed it.
Navigation Path
From the AAA Page—Accounting Tab, page K-93, click the Add button beneath the Command Accounting table.
Related Topics
Defining AAA Services, page 15-70
Supported Accounting Types, page 15-67
Understanding Method Lists, page 15-69
Field Reference
Table K-42 Command Accounting Dialog Box
Element Description
Privilege Level
    The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.

Generate Accounting Records for
    Defines when the device sends an accounting notice to the accounting server:
    Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the “start” accounting record.
    Stop Only—Generates an accounting record at the end of the user process only.
    None—No accounting records are generated.

Prioritized Method List
    Defines a sequential list of methods to be used when creating accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
    The device initially tries to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
    If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-12. From here you can define an AAA server group object.
    TACACS+ is the only supported method, but you can select multiple AAA server groups configured with TACACS+.
    Note: If you select None as a method, it must appear as the last method in the list.

Enable Broadcast to Multiple Servers
    When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
    When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.
OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
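The following Cisco IOS configuration is an added illustration of the device-side result of the Authentication, Authorization and Accounting tabs and the Command Authorization and Command Accounting dialogs described above. It is not output from Security Manager and not text from the original guide. The server addresses in 192.0.2.0/24, the shared keys, the server group names TAC-PRIMARY and TAC-SECONDARY and the attempt limit are assumed values, and mapping the Maximum Number of Attempts field to `aaa local authentication attempts max-fail` is an assumption about what Security Manager generates.

```cisco
! Added example with assumed values; not generated by Security Manager.
aaa new-model
!
! AAA server group objects (addresses, keys and names are assumed)
tacacs-server host 192.0.2.10 key TacKey1
tacacs-server host 192.0.2.11 key TacKey2
aaa group server tacacs+ TAC-PRIMARY
 server 192.0.2.10
aaa group server tacacs+ TAC-SECONDARY
 server 192.0.2.11
!
! Authentication tab > Prioritized Method List: TACACS+ first, Local
! as fallback. IOS consults the next method only when the previous
! one does not respond; a TACACS+ reject is final and Local is never
! asked. Do not end the list with "none" on a production device: it
! grants access with no credentials whenever the servers are down.
aaa authentication login default group TAC-PRIMARY local
! Maximum Number of Attempts (assumed mapping): lock a local user
! after 5 failures; an administrator clears it with
! "clear aaa local user lockout username <name>"
aaa local authentication attempts max-fail 5
!
! Authorization tab: network (PPP), EXEC, and one Command
! Authorization definition per privilege level
aaa authorization network default group TAC-PRIMARY local
aaa authorization exec default group TAC-PRIMARY local
aaa authorization commands 1 default group TAC-PRIMARY local
aaa authorization commands 15 default group TAC-PRIMARY local
!
! Accounting tab: connection records at start and stop
aaa accounting connection default start-stop group TAC-PRIMARY
! EXEC accounting, stop-only, broadcast to the first server of each
! group (failover within a group uses that group's backup servers)
aaa accounting exec default stop-only broadcast group TAC-PRIMARY group TAC-SECONDARY
! Command Accounting dialog: privilege 15, start-stop, broadcast;
! TACACS+ is the only method that can carry command records
aaa accounting commands 15 default start-stop broadcast group TAC-PRIMARY group TAC-SECONDARY
```

Because these are the `default` lists, the console and VTY lines use them without further configuration, which is what the Note above means by using the policy's lists as defaults for the Console and VTY policies. Confirm server reachability with `show aaa servers`, exercise a group end to end with `test aaa group TAC-PRIMARY <user> <password> legacy`, and inspect lockouts with `show aaa local user lockout`. Because RADIUS combines authentication and authorization in one exchange, a RADIUS login list must be paired with the same list for authorization, as the Authorization tab notes; the TACACS+ lists above do not have that constraint.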
Accounts and Credentials Policy Page
Use the Accounts and Credentials page to define the enable password or enable secret password assigned to the router. In addition, you can define a list of usernames that can be used to access the router.
For more information, see Defining Accounts and Credential Policies, page 15-73.
Navigation Path
• (Device view) Select Platform > Device Admin > Accounts and Credentials from the Policy selector.
• (Policy view) Select Router Platform > Device Admin > Accounts and Credentials from the Policy Type selector. Right-click Accounts and Credentials to create a policy, or select an existing policy from the Shared Policy selector.
Related Topics
User Accounts and Device Credentials on Cisco IOS Routers, page 15-72
Chapter K, “Router Platform User Interface Reference”
User Account Dialog Box, page K-100
Field Reference
Table K-43 Accounts and Credentials Page
Element Description
Enable Secret Password
    The enable secret password for entering privileged EXEC mode on the router. This option offers better security than the Enable Password option because the device stores only a one-way hash of the secret rather than a reversible encoding.
    The enable secret password can contain between 1 and 25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored. Question marks are also allowed.
    Note: You can discover an encrypted password, but any password you enter must be in clear text. If you modify an encrypted password, it is saved as clear text.
    Note: After you set an enable secret password, you can switch to an enable password only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image.

Enable Password
    The enable password for entering privileged EXEC mode on the router.
    The enable password can contain between 1 and 25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored. Question marks are also allowed.
    Note: You must enter the password in clear text.

Enable Password Encryption Service
    When selected, encrypts all passwords on the device, including the enable password (which is otherwise saved in clear text).
    For example, use this option to encrypt username passwords, authentication key passwords, console and VTY line access passwords, and BGP neighbor passwords. This option is primarily used for keeping unauthorized individuals from viewing your passwords in your configuration file.
    When deselected, device passwords are stored unencrypted in the configuration file.
    Note: This option does not provide a high level of network security. The encoding it applies (type 7) is reversible, so anyone who obtains a copy of the configuration file can recover the passwords. You should also take additional network security measures, such as using the enable secret and the hashed form of user passwords wherever the device supports them.
User Accounts Table
Filter
    Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Username
    The username that can be used to access the router. The username must be a single word up to 64 characters in length. Spaces and quotation marks are not allowed.

Encryption
    Indicates whether password information for the user is encrypted using MD5 encryption.

Privilege Level
    The privilege level assigned to the user.

Add button
    Opens the User Account Dialog Box, page K-100. From here you can define a user account.

Edit button
    Opens the User Account Dialog Box, page K-100. From here you can edit the selected user.

Delete button
    Deletes the selected user accounts from the table.

Save button
    Saves your changes to the Security Manager server but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.
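The following Cisco IOS configuration is an added illustration of the device-side result of the Accounts and Credentials page settings described above, with the weak and the stronger forms side by side. It is not output from Security Manager and not text from the original guide. The usernames, passwords, privilege levels and the VTY line settings are assumed values.

```cisco
! Added example with assumed values; not generated by Security Manager.
!
! Enable Secret Password: IOS stores an MD5 hash (type 5), so the
! secret cannot be read back out of the configuration file.
enable secret En4ble-S3cret
! Enable Password: leave it unset once an enable secret exists; when
! both are present the enable secret is the one that is checked.
no enable password
!
! Enable Password Encryption Service: turns any remaining clear-text
! "password 0" values (line, key, BGP neighbor) into type 7, which is
! reversible and only hides passwords from a casual glance.
service password-encryption
!
! User Accounts table: Encryption = MD5 means the "secret" form is
! used; "username ... password" would be protected by type 7 only.
! Privilege 15 for the account Security Manager logs in with, and a
! level 1 operator account that cannot enter privileged EXEC mode
! without the enable secret.
username csm-admin privilege 15 secret Csm-Adm1n-Pass
username noc-ro privilege 1 secret Noc-R0-Pass
!
! The accounts apply to lines that authenticate against the local
! database (or through an AAA method list that includes Local).
line vty 0 4
 login local
 transport input ssh
```

After applying it, `show running-config | include ^enable|^username` should show `enable secret 5 $1$...` and `username ... secret 5 $1$...` rather than clear text, while `service password-encryption` rewrites any `password 0` lines elsewhere as `password 7`, a form that is decoded in seconds by widely available tools. That difference is the practical meaning of the Note above that the encryption service on its own does not provide a high level of security.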

User Account Dialog Box

Use the User Account dialog box to define a username and password combination that can be used by Security Manager to access the router. You can also define the privilege level of the user account, which determines whether you can configure all commands on this router or only a subset of them.
Note: Remember that there may be additional user accounts defined on the router using other methods, such as the CLI.