Cisco Systems OL-4015-08 User Manual

Cisco Router and Security Device Manager (SDM) Version 2.2 User’s Guide

Corporate Headquarters
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.com, Tel: 408 526-4000
Fax: 408 526-4100
Customer Order Number: Text Part Number: OL-4015-08
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0406R)
Cisco Router and Security Device Manager (SDM) Version 2.2 User’s Guide
Copyright © 2005, Cisco Systems, Inc. All rights reserved.
Home Page 1
LAN Wizard 1
Ethernet Configuration 2
LAN Wizard: Select an Interface 3
LAN Wizard: IP Address and Subnet Mask 3
LAN Wizard: Enable DHCP Server 4
LAN Wizard: DHCP Address Pool 4
DHCP Options 5
LAN Wizard: VLAN Mode 6
LAN Wizard: Switch Port 6
IRB Bridge 7

CONTENTS

OL-4015-06
BVI Configuration 7
DHCP Pool for BVI 8
IRB for Ethernet 9
Layer 3 Ethernet Configuration 9
802.1Q Configuration 9
Trunking or Routing Configuration 9
Configure Switch Device Module 10
Summary 10
How Do I... 10
How Do I Configure a Static Route? 10
How Do I View Activity on My LAN Interface? 11
How Do I Enable or Disable an Interface? 12
Cisco Router and Security Device Manager (SDM) Version 2.1 User’s Guide
How Do I View the IOS Commands I Am Sending to the Router? 12
How Do I Launch the Wireless Application from SDM? 13
Create Connection Wizards 1
Create Connection 1
WAN Wizard Interface Welcome Window 2
ISDN Wizard Welcome Window 3
Analog Modem Welcome Window 3
Aux Backup Welcome Window 3
Select Interface 4
Encapsulation: PPPoE 4
IP Address: ATM or Ethernet with PPPoE/PPPoA 4
IP Address: ATM with RFC 1483 Routing 5
IP Address: Ethernet without PPPoE 6
IP Address: Serial with Point-to-Point Protocol 6
IP Address: Serial with HDLC or Frame Relay 7
IP Address: ISDN BRI or Analog Modem 8
Authentication 9
Switch Type and SPIDs 9
Dial String 11
Backup Configuration 11
Backup Configuration: Primary Interface & Next Hop IP Addresses 12
Backup Configuration: Hostname or IP Address to be Tracked 12
Advanced Options 13
Encapsulation 13
PVC 15
Configure LMI and DLCI 16
Configure Clock Settings 17
Delete Connection 19
Summary 21
Connectivity testing and troubleshooting 22
How Do I... 26
How Do I View the IOS Commands I Am Sending to the Router? 26
How Do I Configure an Unsupported WAN Interface? 26
How Do I Enable or Disable an Interface? 26
How Do I View Activity on My WAN Interface? 27
How Do I Configure NAT on a WAN Interface? 27
How Do I Configure NAT on an Unsupported Interface? 28
How Do I Configure a Dynamic Routing Protocol? 28
How Do I Configure Dial-on-Demand Routing for my ISDN or Asynchronous Interface? 29
How Do I Edit a Radio Interface Configuration? 30
Edit Interface/Connection 1
Connection: Ethernet for IRB 6
Connection: Ethernet for Routing 7
Existing Dynamic DNS Methods 8
Add Dynamic DNS Method 8
Wireless 10
Association 10
NAT 12
Edit Switch Port 12
General 13
QoS 15
Select Ethernet Configuration Type 16
Connection: VLAN 16
Connection: Subinterfaces 17
Add or Edit BVI Interface 18
Add Loopback Interface/Connection—Loopback 18
Connection: Ethernet LAN 19
Connection: Ethernet WAN 20
Ethernet Properties 21
Connection: Ethernet with No Encapsulation 22
Connection: ADSL 23
Connection: ADSL over ISDN 26
Connection: G.SHDSL 28
Configure DSL Controller 32
Connection: G.SHDSL with DSL Controller 34
Connection: Serial Interface, Frame Relay Encapsulation 36
Connection: Serial Interface, PPP Encapsulation 39
Connection: Serial Interface, HDLC Encapsulation 41
Add or Edit GRE Tunnel 42
Connection: ISDN BRI 44
Connection: Analog Modem 47
Connection: (AUX Backup) 49
Authentication 51
SPID Details 52
Dialer Options 53
Backup Configuration 55
Create Firewall 1
Basic Firewall Configuration Wizard 4
Basic Firewall Interface Configuration 4
Firewall Remote Management Access 4
Advanced Firewall Configuration Wizard 5
Advanced Firewall Interface Configuration 5
Advanced Firewall DMZ Service Configuration 6
DMZ Service Configuration 7
Advanced Firewall Inspection Rule Configuration 7
Application Security Configuration 9
Domain Name Server Configuration 10
Summary 10
How Do I... 11
How Do I View Activity on My Firewall? 12
How Do I Configure a Firewall on an Unsupported Interface? 13
How Do I Configure a Firewall After I Have Configured a VPN? 14
How Do I Permit Specific Traffic Through a DMZ Interface? 15
How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? 16
How Do I Configure NAT on an Unsupported Interface? 16
How Do I Configure NAT Passthrough for a Firewall? 17
How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? 17
How Do I Associate a Rule with an Interface? 19
How Do I Disassociate an Access Rule from an Interface? 19
How Do I Delete a Rule That Is Associated with an Interface? 20
How Do I Create an Access Rule for a Java List? 20
How Do I Permit Specific Traffic onto My Network if I Don’t Have a DMZ Network? 21
Firewall Policy 1
Edit Firewall Policy/ACL 1
Add App-Name Application Entry 11
Add rpc Application Entry 11
Add Fragment application entry 12
Add or Edit http Application Entry 13
Java Applet Blocking 14
SDM Warning: Inspection Rule 15
SDM Warning: Firewall 16
Application Security 17
Application Security Windows 17
No Application Security Policy 19
E-mail 20
HTTP 21
Header Options 23
Content Options 23
Instant Messaging 25
Point-to-Point Applications 25
Applications/Protocols 26
Global Timeouts and Thresholds 27
Associate Policy with an Interface 29
Edit Inspection Rule 30
Permit, Block, and Alarm Controls 31
Site-to-Site VPN 33
Create Site to Site VPN 33
Site-to-Site VPN Wizard 36
View Defaults 37
VPN Connection Information 38
IKE Proposals 40
Transform Set 43
Traffic to Protect 45
Summary of the Configuration 46
Spoke Configuration 47
Secure GRE Tunnel (GRE-over-IPSec) 48
GRE Tunnel Information 48
VPN Authentication Information 49
Backup GRE Tunnel Information 51
Routing Information 52
Static Routing Information 53
Select Routing Protocol 54
Summary of Configuration 55
Edit Site-to-Site VPN 55
Add new connection 58
Add Additional Crypto Maps 59
Crypto Map Wizard: Welcome 60
Crypto Map Wizard: General 60
Crypto Map Wizard: Peers 62
Crypto Map Wizard: Transform Set 62
Crypto Map Wizard: Traffic to Protect 63
Crypto Map Wizard: Summary of the configuration 64
Delete Connection 65
Ping 65
Generate Mirror... 66
SDM Warning: NAT Rules with ACL 67
How Do I... 67
How Do I Create a VPN to More Than One Site? 68
After Configuring a VPN, How Do I Configure the VPN on the Peer Router? 70
How Do I Edit an Existing VPN Tunnel? 71
How Do I Confirm That My VPN Is Working? 72
How Do I Configure a Backup Peer for My VPN? 73
How Do I Accommodate Multiple Devices with Different Levels of VPN Support? 73
How Do I Configure a VPN on an Unsupported Interface? 74
How Do I Configure a VPN After I Have Configured a Firewall? 75
How Do I Configure NAT Passthrough for a VPN? 75
Easy VPN Remote 77
Create Easy VPN Remote 77
Configure an Easy VPN Remote Client 77
Connection Settings 78
Authentication 79
Interfaces 80
Summary of Configuration 82
Edit Easy VPN Remote 83
Add or Edit Easy VPN Remote 89
Add or Edit Easy VPN Remote: Easy VPN Settings 91
Add or Edit Easy VPN Remote: Authentication Information 94
Enter SSH Credentials 95
XAuth Login Window 96
Add or Edit Easy VPN Remote: General Settings 96
Network Extension Options 98
Add or Edit Easy VPN Remote: Authentication Information 98
Add or Edit Easy VPN Remote: Interfaces and Connections 100
How Do I... 101
How Do I Edit an Existing Easy VPN Connection? 102
How Do I Configure a Backup for an Easy VPN Connection? 102
Easy VPN Server 105
Create an Easy VPN Server 105
Welcome to the Easy VPN Server Wizard 106
Interface and Authentication 106
Group Authorization: Group Policy Lookup 107
User Authentication (XAuth) 108
User Accounts for XAuth 109
Add RADIUS Server 109
Group Authorization: User Group Policies 110
General Group Information 111
DNS and WINS Configuration 112
Split Tunneling 113
Client Settings 115
Choose Browser Proxy Settings 117
Add or Edit Browser Proxy Settings 117
User Authentication (XAuth) 119
Client Update 120
Add or Edit Client Update Entry 121
Summary 121
Browser Proxy Settings 122
Add or Edit Easy VPN Server 123
Add or Edit Easy VPN Server Connection 125
Restrict Access 126
Group Policies Configuration 126
Local Pools 129
Add or Edit IP Local Pool 130
Add IP Address Range 130
DMVPN 1
Dynamic Multipoint VPN 1
Dynamic Multipoint VPN (DMVPN) Hub Wizard 2
Type of Hub 3
Configure Pre-Shared Key 3
Hub GRE Tunnel Interface Configuration 4
Advanced Configuration for the Tunnel Interface 5
Primary Hub 6
Select Routing Protocol 7
Routing Information 7
Dynamic Multipoint VPN (DMVPN) Spoke Wizard 9
DMVPN Network Topology 9
Specify Hub Information 10
Spoke GRE Tunnel Interface Configuration 10
SDM Warning: DMVPN Dependency 11
Edit Dynamic Multipoint VPN (DMVPN) 12
General Panel 14
NHRP Panel 15
NHRP Map Configuration 16
Routing Panel 17
How Do I Configure a DMVPN Manually? 19
VPN Global Settings 21
VPN Global Settings 21
VPN Global Settings: IKE 23
VPN Global Settings: IPSec 24
VPN Key Encryption Settings 25
IP Security 27
IPSec Policies 27
Add or Edit IPSec Policy 29
Add or Edit Crypto Map: General Panel 31
Add or Edit Crypto Map: Peer Information Panel 32
Add or Edit Crypto Map: Transform Sets Panel 32
Add or Edit Crypto Map: IPSec Rules Panel 34
Dynamic Crypto Map Sets 35
Add or Edit Dynamic Crypto Map Set 35
Associate Crypto Map with this IPSec Policy 36
IPSec Profiles 36
Add or Edit IPSec Profile and Add Dynamic Crypto Map 37
Transform Set 37
Add or Edit Transform Set 40
IPSec Rules 43
Internet Key Exchange 45
Internet Key Exchange (IKE) 45
IKE Policies 46
Add or Edit IKE Policy 48
IKE Pre-shared Keys 50
Add or Edit Pre Shared Key 51
VPN Troubleshooting 53
VPN Troubleshooting 53
VPN Troubleshooting: Specify Easy VPN Client 55
VPN Troubleshooting: Generate Traffic 56
VPN Troubleshooting: Generate GRE Traffic 57
SDM Warning: SDM will enable router debugs... 58
Security Audit 1
Welcome Page 4
Interface Selection Page 4
Report Card Page 5
Fix It Page 5
Disable Finger Service 6
Disable PAD Service 7
Disable TCP Small Servers Service 7
Disable UDP Small Servers Service 8
Disable IP BOOTP Server Service 8
Disable IP Identification Service 9
Disable CDP 9
Disable IP Source Route 10
Enable Password Encryption Service 10
Enable TCP Keepalives for Inbound Telnet Sessions 11
Enable TCP Keepalives for Outbound Telnet Sessions 11
Enable Sequence Numbers and Time Stamps on Debugs 11
Enable IP CEF 12
Disable IP Gratuitous ARPs 12
Set Minimum Password Length to Less Than 6 Characters 12
Set Authentication Failure Rate to Less Than 3 Retries 13
Set TCP Synwait Time 13
Set Banner 14
Enable Logging 14
Set Enable Secret Password 15
Disable SNMP 15
Set Scheduler Interval 16
Set Scheduler Allocate 16
Set Users 17
Enable Telnet Settings 17
Enable NetFlow Switching 17
Disable IP Redirects 18
Disable IP Proxy ARP 18
Disable IP Directed Broadcast 19
Disable MOP Service 20
Disable IP Unreachables 20
Disable IP Mask Reply 20
Disable IP Unreachables on NULL Interface 21
Enable Unicast RPF on Outside Interfaces 22
Enable Firewall on All of the Outside Interfaces 22
Set Access Class on HTTP Server Service 23
Set Access Class on VTY Lines 23
Enable SSH for Access to the Router 24
Enable AAA 24
Configuration Summary Screen 25
SDM and Cisco IOS AutoSecure 25
Security Configurations SDM Can Undo 27
Undoing Security Audit Fixes 28
Add or Edit Telnet/SSH Account Screen 28
Configure User Accounts for Telnet/SSH Page 29
Enable Secret and Banner Page 30
Logging Page 31
Routing 1
Add or Edit IP Static Route 3
Add or Edit an RIP Route 5
Add or Edit an OSPF Route 5
Add or Edit EIGRP Route 7
Network Address Translation 1
Network Address Translation Wizards 1
Basic NAT Wizard: Welcome 2
Basic NAT Wizard: Connection 2
Summary 3
Advanced NAT Wizard: Welcome 3
Advanced NAT Wizard: Connection 4
Add IP Address 4
Advanced NAT Wizard: Networks 4
Add Network 5
Advanced NAT Wizard: Server Public IP Addresses 5
Add or Edit Address Translation Rule 6
Advanced NAT Wizard: VPN Conflict 8
Details 8
Network Address Translation Rules 8
Designate NAT Interfaces 12
Translation Timeout Settings 12
Edit Route Map 14
Edit Route Map Entry 15
Address Pools 15
Add or Edit Address Pool 16
Add or Edit Static Address Translation Rule: Inside to Outside 17
Add or Edit Static Address Translation Rule: Outside to Inside 20
Add or Edit Dynamic Address Translation Rule: Inside to Outside 23
Add or Edit Dynamic Address Translation Rule: Outside to Inside 26
How Do I . . . 28
How Do I Configure NAT With One LAN and Multiple WANs? 28
Intrusion Prevention System 31
IPS Rules 32
Create IPS Rule 32
Welcome to the IPS Rule Configuration Wizard 33
Select Interfaces 33
SDF Location 33
IPS Rule Wizard Summary 34
IPS Rules Configuration 34
Enable or Edit IPS on an Interface 37
Import Signatures 38
File Selection 39
Welcome to the IPS Signature Import Wizard 40
Signature Definition File (SDF) and Signature Selection 40
Signature Filter 40
Signature Edit 41
Signature Import Wizard Summary 41
Signatures 42
Assign Actions 46
Import Signatures 46
Add, Edit, or Clone Signature 48
Add or Edit a Signature Location 49
Cisco Intrusion Prevention Alert Center 50
IPS-Supplied Signature Definition Files 50
Global Settings 51
Edit Global Settings 53
SDEE Messages 54
SDEE Message Text 55
Network Module Management 1
IDS Network Module Management 1
IDS Sensor Interface IP Address 3 IP Address Determination 4 IDS NM Configuration Checklist 5 IDS NM Interface Monitoring Configuration 7
Network Module Login 7
Feature Unavailable 7
Switch Module Interface Selection 8
Quality of Service 9
Create QoS Policy 9
QoS Wizard 10
Interface Selection 10
QoS Policy Generation 10
View QoS Class Details 12
Summary of the configuration 13
Edit QoS Policy 13
Edit QoS Class 15
Add a Protocol 17
Interface Association 18
QoS Status 18
Network Admission Control 21
Create NAC Tab 21
Other Tasks in a NAC Implementation 22
Welcome 23
RADIUS Server 23
Select the Interface(s) 25
NAC Exception List 25
Configure Exception List Entry Dialog 26
Policy List 27
Add Exception Policy 27
Agentless Host Policy 28
NAC Router Management Access 29
Open Interface ACL 29
Details Window 30
Summary of the configuration 30
Edit NAC Tab 31
EAPoUDP Components 31
Exception List Window 32
Exception Policies Window 32
EAPoUDP Timeouts 33
Configure a NAC Policy 34
How Do I... 35
How Do I Configure a NAC Policy Server? 35
How Do I Install and Configure a Posture Agent on a Host? 35
Router Properties 1
Device Properties 1
Date and Time: Clock Properties 2
Date and Time Properties 3
NTP 4
Add or Edit NTP Server Details 5
SNTP 7
Add an NTP Server 7
Syslog 8
SNMP 8
Router Access 10
User Accounts: Configure User Accounts for Router Access 10
Add or Edit a Username 11
View Password 13
VTYs 13
Edit VTY Lines 14
Configure Management Access Policies 15
Add or Edit a Management Policy 17
Management Access Error Messages 18
SDM Warning: ANY Not Allowed 18
SDM Warning: Unsupported Access Control Entry 19
SDM Warning: SDM Not Allowed 19
SDM Warning: Current Host Not Allowed 19
SSH 20
DHCP Configuration 21
DHCP Pools 21
Add or Edit DHCP Pool 22
DHCP Bindings 23
Add or Edit DHCP Binding 24
DNS Properties 26
Dynamic DNS Methods 26
Add or Edit Dynamic DNS Method 27
ACL Editor 1
Useful Procedures for Access Rules and Firewalls 2
Rules Windows 3
Add or Edit a Rule 7
Associate with an Interface 9
Add a Standard Rule Entry 11
Add an Extended Rule Entry 13
Select a Rule 16
Port-to-Application Mapping 19
Port-to-Application Mappings 19
Add or Edit Port Map Entry 21
Authentication, Authorization, and Accounting 23
AAA Main Window 23
AAA Servers and Groups 24
AAA Servers Window 25
Add or Edit a TACACS+ Server 26
Add or Edit a RADIUS Server 27
Edit Global Settings 27
AAA Server Groups Window 28
Authentication and Authorization Policies 29
Authentication and Authorization Windows 29
Authentication NAC 30
Add or Edit a Method List for Authentication or Authorization 31
Router Provisioning 33
Router Provisioning from USB 33
Public Key Infrastructure 35
Certificate Wizards 35
Welcome to the SCEP Wizard 37
Certificate Authority (CA) Information 37
Advanced Options 39
Certificate Subject Name Attributes 39
Other Subject Attributes 40
RSA Keys 41
Summary 42
Enrollment Status 43
Cut and Paste Wizard Welcome 43
Enrollment Task 43
Enrollment Request 44
Continue with Unfinished Enrollment 44
Import CA certificate 45
Import Router Certificate(s) 46
Digital Certificates 46
Trustpoint Information 48
Certificate Details 48
Revocation Check 49
Revocation Check, CRL Only 49
RSA Keys Window 50
Generate RSA Key Pair 51
USB Tokens 52
Add or Edit USB Token 53
SDP Troubleshooting Tips 55
Open Firewall 56
Open Firewall Details 57
Resetting to Factory Defaults 1
This Feature Not Supported 4
More About.... 1
IP Addresses and Subnet Masks 1
Host and Network Fields 3
Available Interface Configurations 4
DHCP Address Pools 5
Meanings of the Permit and Deny Keywords 6
Services and Ports 6
More About NAT 13
Static Address Translation Scenarios 13
Dynamic Address Translation Scenarios 16
Reasons that SDM Cannot Edit a NAT Rule 17
More About VPN 18
Cisco.com Resources 18
More about VPN Connections and IPSec Policies 19
More About IKE 21
More About IKE Policies 22
Allowable Transform Combinations 23
Reasons Why a Serial Interface or Subinterface Configuration May Be Read-Only 24
Reasons Why an ATM Interface or Subinterface Configuration May Be Read-Only 25
Reasons Why an Ethernet Interface Configuration May Be Read-Only 26
Reasons Why an ISDN BRI Interface Configuration May Be Read-Only 27
Reasons Why an Analog Modem Interface Configuration May Be Read-Only 28
Firewall Policy Use Case Scenario 29
DMVPN Configuration Recommendations 32
SDM White Papers 34
Getting Started 1
What’s New in this Release? 2
Cisco IOS Versions Supported 2
Viewing Router Information 1
Overview 2
Interface Status 6
VPN Status 8
Firewall Status 13
Application Security Log 14
NAC Status 15
Logging 17
File Menu Commands 1
Save Running Config to PC 1
Deliver Configuration to Router 1
Write to Startup Config 2
Reset to Factory Defaults 2
File Management 2
Rename 4
New Folder 5
Save SDF to PC 5
Exit 5
Unable to perform ‘squeeze flash’ 5
Edit Menu Commands 9
Preferences 9
View Menu Commands 1
Home 1
Configure 1
Monitor 1
Running Config 2
Show Commands 2
SDM Default Rules 2
Refresh 3
Tools Menu Commands 1
Ping 1
Telnet 1
Security Audit 1
USB Token PIN Settings 2
Update SDM 3
Help Menu Commands 1
Help Topics 1
SDM on CCO 1
About this router... 1
About SDM 1

Chapter 1 Home Page

The home page supplies basic information about the router's hardware, software, and configuration. This page contains the following sections:
Host Name
The configured name of the router.
About Your Router
Shows basic information about your router hardware and software, and contains the following fields:
Hardware
Model Type: Shows the router model number.
Available/Total Memory: Available RAM/Total RAM.
Total Flash Capacity: Flash plus Webflash (if applicable).
Software
IOS Version: The version of Cisco IOS software that is currently running on the router.
SDM Version: The version of Cisco Router and Security Device Manager (SDM) software that is currently running on the router.
Feature Availability: The features available in the Cisco IOS image the router is using are designated by a check. The features SDM checks for are: IP, Firewall, VPN, IPS, and NAC.
More...
The More... link displays a popup window providing additional hardware and software details.
Hardware Details—In addition to the information presented in the About Your Router section, this tab displays information about:
Where the router boots from: Flash or Configuration File.
Whether the router has accelerators, such as VPN accelerators.
A diagram of the hardware configuration, including flash memory and installed devices such as USB flash and USB tokens.
Software Details—In addition to the information presented in the About Your Router section, this tab displays information about:
The feature sets included in the IOS image.
The version of SDM running.
Configuration Overview
This section of the home page summarizes the configuration settings that have been made.
Note If you do not see feature information described in this help topic on the home page, the Cisco IOS image does not support the feature. For example, if the router is running a Cisco IOS image that does not support security features, the Firewall Policy, VPN, and Intrusion Prevention sections do not appear on the home page.
View Running Config
Click this button to display the router's running configuration.
Double-arrow head: Click to display/hide details.
Interfaces and Connections
Up (n): The number of LAN and WAN connections that are up.
Down (n): The number of LAN and WAN connections that are down.
Total Supported LAN: The total number of LAN interfaces that are present in the router.
Configured LAN Interface: The number of supported LAN interfaces currently configured on the router.
Total Supported WAN: The number of SDM-supported WAN interfaces that are present on the router.
Total WAN Connections: The total number of SDM-supported WAN connections that are present on the router.
DHCP Server: Configured/Not Configured.
DHCP Pool (Detail view): If one pool is configured, the starting and ending address of the DHCP pool. If multiple pools are configured, the list of configured pool names.
Number of DHCP Clients (Detail view): Current number of clients leasing addresses.
Interface list columns:
Interface: Name of configured interface.
Type: Interface type.
IP/Mask: IP address and subnet mask.
Description: Description of interface.
Firewall Policies
Active/Inactive: Active means a firewall is in place; Inactive means no firewall is in place.
Trusted (n): The number of trusted (inside) interfaces.
Untrusted (n): The number of untrusted (outside) interfaces.
DMZ (n): The number of DMZ interfaces.
Interface list columns:
Interface: The name of the interface to which a firewall has been applied.
Firewall Icon: Whether the interface is designated as an inside or an outside interface.
NAT: The name or number of the NAT rule applied to this interface.
Inspection Rule: The names or numbers of the inbound and outbound inspection rules.
Access Rule: The names or numbers of the inbound and outbound access rules.
VPN
Up (n): The number of active VPN connections.
IPSec (Site-to-Site): The number of configured site-to-site VPN connections.
GRE over IPSec: The number of configured GRE over IPSec connections.
Xauth Login Required: The number of Easy VPN connections awaiting an Xauth login. See note.
Easy VPN Remote: The number of configured Easy VPN Remote connections.
No. of DMVPN Clients: If the router is configured as a DMVPN hub, the number of DMVPN clients.
No. of Active VPN clients: If this router is functioning as an Easy VPN Server, the number of Easy VPN clients with active connections.
Interface list columns:
Interface: The name of an interface with a configured VPN connection.
Type: The type of VPN connection configured on the interface.
IPSec Policy: The name of the IPSec policy associated with the VPN connection.
Description: A description of the connection.
Note Some VPN servers or concentrators authenticate clients using Extended Authentication (XAuth). This shows the number of VPN tunnels awaiting an Xauth login. If any Easy VPN tunnel awaits XAuth login, a separate message panel is shown with a Login button. Clicking Login allows you to enter the credentials for the tunnel.
If Xauth has been configured for a tunnel, it will not begin to function until the login and password have been supplied. There is no timeout after which it will stop waiting; it will wait indefinitely for this information.
NAC Policies: Active or Inactive
Interface Column: The name of the interface to which the policy is applied. For example, FastEthernet 0, or Ethernet 0/0.
NAC Policy Column: The name of the NAC policy.
Routing
No. of Static Routes: The number of static routes configured on the router.
Dynamic Routing Protocols: Lists any dynamic routing protocols that are configured on the router.
Intrusion Prevention
Active Signatures: The number of active signatures the router is using. These may be built in, or they may be loaded from a remote location.
No. of IPS-enabled interfaces: The number of router interfaces on which IPS has been enabled.

Chapter 2 LAN Wizard

The Cisco Router and Security Device Manager (SDM) LAN wizard guides you in the configuration of a LAN interface. The screen lists the LAN interfaces on the router. You can select any of the interfaces shown in the window, and click Configure to make the interface a LAN interface and configure it.
This window lists the router interfaces that were designated as inside interfaces in Startup configuration, and lists the Ethernet interfaces and switch ports that have not been configured as WAN interfaces. The list includes interfaces that have already been configured.
When you configure an interface as a LAN interface, SDM inserts the description text $ETH-LAN$ in the configuration file so that it recognizes the interface as a LAN interface in the future.
Interface: The name of the interface.
Configure: Click this button to configure an interface you have selected. If the interface has not been configured before, SDM will take you through the LAN Wizard to help you configure it. If the interface has been given a configuration using SDM, SDM displays an Edit window enabling you to change configuration settings.
The Configure button may be disabled if a LAN interface has been given a configuration that SDM does not support. For a list of such configurations, see Reasons Why an Ethernet Interface Configuration May Be Read-Only.

What Do You Want to Do?
If you want to configure or edit a LAN interface or LAN switch port: Select the LAN interface or switch port in the list, and click Configure. If the interface has not been configured, or if you select a switch port, SDM will take you through a LAN wizard which you can use to configure the interface. If the interface has already been configured and if it is not a switch port, clicking Configure displays an Edit window in which you can make changes to the LAN configuration.
If you want to reconfigure the IP address, mask, or DHCP properties of an interface that has already been configured: Select an interface with an IP address, and click Configure.
If you want to perform specific LAN-related configurations for items such as DHCP servers or maximum transmission unit (MTU) settings: Click Interfaces and Connections in the SDM category bar, click the Edit Interfaces and Connections tab, and perform the configuration changes.
If you want to find out how to perform related configuration tasks: See one of the following procedures:
How Do I Configure a Static Route?
How Do I View Activity on My LAN Interface?
How Do I Enable or Disable an Interface?
How Do I View the IOS Commands I Am Sending to the Router?
How Do I Launch the Wireless Application from SDM?
You can return to this screen as often as necessary to configure additional LAN interfaces.

Ethernet Configuration

The wizard guides you through the configuration of an Ethernet interface on the LAN. You must provide the following information:
An IP address and subnet mask for the Ethernet interface
A DHCP address pool if you decide to use DHCP on this interface
The addresses of DNS and WINS servers on the WAN
A domain name

LAN Wizard: Select an Interface

Select the interface on which you want to configure a LAN connection in this window. This window lists interfaces that can support Ethernet LAN configurations.

LAN Wizard: IP Address and Subnet Mask

This window lets you configure an IP address and subnet mask for the Ethernet interface that you chose in the first window.
IP Address
Enter the IP address for the interface in dotted decimal format. Your network administrator should determine the IP addresses of LAN interfaces. For more information, see IP Addresses and Subnet Masks.
Subnet Mask
Enter the subnet mask. Obtain this value from your network administrator. The subnet mask enables the router to determine how much of the IP address is used to define the network and host portions of the address.
Alternatively, select the number of network bits. This value is used to calculate the subnet mask. Your network administrator can tell you the number of network bits to enter.
LAN Wizard: Enable DHCP Server
This screen lets you enable a DHCP server on your router. A DHCP server automatically assigns reusable IP addresses to the devices on the LAN. When a device becomes active on the network, the DHCP server grants it an IP address. When the device leaves the network, the IP address is returned to the pool for use by another device.
To enable a DHCP server on the router:
Click Yes.

LAN Wizard: DHCP Address Pool

This screen lets you configure the DHCP IP address pool. The IP addresses that the DHCP server assigns are drawn from a common pool that you configure by specifying the starting IP address in the range, and the ending address in the range.
For more information, see DHCP Address Pools.
Note If there are discontinuous address pools configured on the router, then the Starting IP and Ending IP address fields will be read-only.
Starting IP
Enter the beginning of the range of IP addresses for the DHCP server to use in assigning addresses to devices on the LAN. This is the lowest-numbered IP address in the range.
Ending IP
Enter the highest-numbered IP address in the range of IP addresses.
DHCP Options

Use this window to configure DHCP options that will be sent to hosts on the LAN that are requesting IP addresses from the router. These are not options for the router that you are configuring; these are parameters that will be sent to the requesting hosts on the LAN. To set these properties for the router, click Additional Tasks on the SDM category bar, click DHCP, and configure these settings in the DHCP Pools window.
DNS Server 1
The DNS server is typically a server that maps a known device name to its IP address. If you have a DNS server configured for your network, enter the IP address of that device here.
DNS Server 2
If there is an additional DNS server on the network, you can enter the IP address for that server in this field.
Domain Name
The DHCP server that you are configuring on this router will provide services to other devices within this domain. Enter the name of the domain.
WINS Server 1
Some clients may require Windows Internet Naming Service (WINS) to connect to devices on the Internet. If there is a WINS server on the network, enter the IP address for the server in this field.
WINS Server 2
If there is an additional WINS server on the network, enter the IP address for the server in this field.
LAN Wizard: VLAN Mode
This screen lets you determine the type of VLAN information that will be carried over the switch port. Switch ports can be designated either to be in access mode, in which case they will forward only data that is destined for the VLAN to which they are assigned, or they can be designated to be in trunking mode, in which case they will forward data destined for all VLANs including the VLAN to which they are assigned.
If this switch port will be connected to a single device, such as a single PC or IP phone, or if this device will be connected to a port on a networking device, such as another switch, that is an access mode port, then select Single Device.
If this switch port will be connected to a port on a network device, such as another switch, that is in trunking mode, select Network Device.

LAN Wizard: Switch Port

This screen lets you assign an existing VLAN number to the switch port or to create a new VLAN interface to be assigned to the VLAN switch port.
Existing VLAN
If you want to assign the switch port to a VLAN that has already been defined, such as the default VLAN (VLAN 1), enter the VLAN ID number in the Network (VLAN) Identifier field.
New VLAN
If you want to create a new VLAN interface to which the switch port will be assigned, enter the new VLAN ID number in the New VLAN field, and then enter the IP address and subnet mask of the new VLAN logical interface in the IP Address and Subnet Mask fields.
Include this VLAN in an IRB bridge that will form a bridge with your wireless network. (Use Wireless Application to complete.)
If you check this box, the switch port will form part of a bridge with your wireless network. The other part of the bridge must be configured using the Wireless Application. The IP address and Subnet mask fields under New VLAN are disabled when this box is checked.
After completing this LAN configuration, do the following to launch the Wireless Application and complete the bridging configuration.
Step 1 Select Wireless Application from the SDM Tools menu. The Wireless Application opens in a separate browser window.
Step 2 In the Wireless Application, click Wireless Express Security, and then click Bridging to provide the information to complete the bridging configuration.
IRB Bridge
If you are configuring a VLAN to be part of an IRB bridge, the bridge must be a member of a bridge group.
To create a new bridge group that this interface will be part of, click Create a new bridge group and enter a value in the range 1 through 255.
To have this VLAN be a member of an existing bridge group, click Join an existing bridge group, and select a bridge group.
Note When you complete the bridge configuration in the Wireless Application, you must use the same bridge group number entered in this screen.

BVI Configuration

Assign an IP address and subnet mask to the BVI interface. If you selected an existing bridge group in the previous screen, the IP address and subnet mask will appear in this screen. You can change it, or leave the values unchanged.
IP Address
Enter the IP address for the interface in dotted decimal format. Your network administrator should determine the IP addresses of LAN interfaces. For more information, see IP Addresses and Subnet Masks.
Net Mask
Enter the subnet mask. Obtain this value from your network administrator. The subnet mask enables the router to determine how much of the IP address is used to define the network and host portions of the address.
Net Bits
Alternatively, select the number of network bits. This value is used to calculate the subnet mask. Your network administrator can tell you the number of network bits to enter.
DHCP Pool for BVI
When you configure the router as a DHCP server, you can create a pool of IP addresses that clients on the network can use. When a client logs off the network, the address it was using is returned to the pool for use by another host.
DHCP Server Configuration
Click this box if you want to have the router function as a DHCP server. Then, specify the starting and ending IP addresses in the pool. Be sure to specify IP addresses in the same subnet as the IP address you gave the interface. For example, if you gave the interface an IP address of 10.10.22.1, with a subnet mask of 255.255.255.0, you have over 250 addresses available for the pool, and you might specify a Start IP Address of 10.10.22.2, and an End IP Address of 10.10.22.253.
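As an added example (not SDM or Cisco IOS code), the following Python applies the rules given in the IP Address and Subnet Mask, DHCP Address Pool and DHCP Server Configuration descriptions above: it derives the mask from a network-bit count, and checks that a Starting IP / Ending IP pair lies inside the interface's subnet without reusing the network, broadcast or interface address. The function names are this example's own.

```python
"""Validate a LAN DHCP pool against the interface it serves.

Added example for this guide; it is not SDM or Cisco IOS code. It applies
the rules the wizard text describes: the subnet mask may be typed directly
or derived from a number of network bits, and the Starting IP / Ending IP
pair must fall inside the interface's subnet without reusing the network,
broadcast, or interface address. Function names are this example's own.
"""
import ipaddress


def subnet_mask_from_bits(network_bits: int) -> str:
    """Dotted-decimal mask for a network-bit count, e.g. 24 -> 255.255.255.0."""
    if not 0 <= network_bits <= 32:
        raise ValueError("network bits must be between 0 and 32")
    return str(ipaddress.IPv4Network((0, network_bits)).netmask)


def interface_network(ip: str, mask_or_bits) -> ipaddress.IPv4Network:
    """Subnet of an interface given its address and either a mask or a bit count."""
    return ipaddress.IPv4Interface(f"{ip}/{mask_or_bits}").network


def subnet_host_range(ip: str, mask_or_bits) -> tuple:
    """Lowest and highest host addresses (network and broadcast excluded)."""
    hosts = list(interface_network(ip, mask_or_bits).hosts())
    return str(hosts[0]), str(hosts[-1])


def pool_size(start_ip: str, end_ip: str) -> int:
    """Number of addresses a Starting IP / Ending IP pair covers."""
    return int(ipaddress.IPv4Address(end_ip)) - int(ipaddress.IPv4Address(start_ip)) + 1


def check_dhcp_pool(ip: str, mask_or_bits, start_ip: str, end_ip: str) -> list:
    """Problems with a proposed pool; an empty list means the pool is acceptable."""
    net = interface_network(ip, mask_or_bits)
    iface = ipaddress.IPv4Address(ip)
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    problems = []
    if start > end:
        problems.append("Starting IP is higher than Ending IP")
    for label, addr in (("Starting IP", start), ("Ending IP", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside the interface subnet {net}")
        elif addr == net.network_address:
            problems.append(f"{label} {addr} is the network address")
        elif addr == net.broadcast_address:
            problems.append(f"{label} {addr} is the broadcast address")
    # The router keeps its own address; a pool that covers it would hand it out.
    if start <= iface <= end:
        problems.append(f"pool includes the interface's own address {iface}")
    return problems


if __name__ == "__main__":
    # The guide's own example: 10.10.22.1/255.255.255.0 with a pool of .2 to .253
    print(subnet_mask_from_bits(24))
    print(subnet_host_range("10.10.22.1", 24))
    print(pool_size("10.10.22.2", "10.10.22.253"))
    print(check_dhcp_pool("10.10.22.1", "255.255.255.0", "10.10.22.2", "10.10.22.253"))
    # A badly chosen pool: starts on the network address and spills into 10.10.23.0/24
    print(check_dhcp_pool("10.10.22.1", 24, "10.10.22.0", "10.10.23.5"))
```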

IRB for Ethernet

If your router has a wireless interface, you can use Integrated Routing and Bridging to have this interface form part of a bridge to the wireless LAN, and enable traffic destined for the wireless network to be routed through this interface. Click Yes if you want to configure this Layer 3 interface for Integrated Routing and Bridging.
If you do not want this interface to be used in a bridge to the wireless interface, click No. You will still be able to configure it as a regular routing interface.

Layer 3 Ethernet Configuration

SDM supports Layer 3 Ethernet configuration on routers with installed 3750 switch modules. You can create VLAN configurations and designate router Ethernet interfaces as DHCP servers.

802.1Q Configuration

You can configure a VLAN that does not use the 802.1Q encapsulation protocol used for trunking connections. Provide a VLAN ID number, and check Native VLAN if you do not want the VLAN to use 802.1Q tagging.
If you want to use the 802.1Q tagging, leave the Native VLAN box unchecked.

Trunking or Routing Configuration

You can configure Layer 3 Ethernet interfaces for 802.1Q trunking or for basic routing. If you configure the interface for 802.1Q trunking, you can configure VLANs on the interface, and you can configure a native VLAN that does not use the 802.1Q encapsulation protocol. If you configure the interface for routing, you cannot configure subinterfaces or additional VLANs on the interface.
Configure Switch Device Module

If you are configuring a Gigabit Ethernet interface for routing, you can provide information about the switch module in this window. It is not required that you provide this information.
You can provide an IP address and subnet mask for the switch module, and the login credentials required to log on to the switch module interface.
Check the box at the bottom of the screen if you want to log on to the switch module after providing the information in this wizard and delivering the configuration to the router.
Summary
This window provides a summary of the configuration changes that you made for the interface you selected.
To save this configuration to the router's running configuration and leave this wizard:
Click Finish. SDM saves the configuration changes to the router's running configuration. Although the changes take effect immediately, they will be lost if the router is turned off.
If you checked Preview commands before delivering to router in the User Preferences window, the Deliver window appears. In this window you can view the CLI commands that you are delivering to the router.

How Do I...

This section contains procedures for tasks that the wizard does not help you complete.

How Do I Configure a Static Route?

To configure a static route:
Step 1 From the category bar, click Routing.
Step 2 In the Static Routing group, click Add.... The Add IP Static Route dialog box appears.
Step 3 In the Prefix field, enter the IP address of the static route destination network.
Step 4 In the Prefix Mask field, enter the subnet mask of the destination network.
Step 5 If you want this static route to be the default route, check the Make this as the Default Route check box.
Step 6 In the Forwarding group, select whether to identify a router interface or the destination router IP address as the method to forward data, and then choose either the forwarding router interface or enter the destination router IP address.
Step 7 Optionally, in the Distance Metric field, enter the distance metric to be stored in the routing table.
Step 8 If you want to configure this static route to be a permanent route, which means that it will not be deleted even if the interface is shut down or the router is unable to communicate with the next router, check the Permanent Route check box.
Step 9 Click OK.

How Do I View Activity on My LAN Interface?

You can view activity on a LAN interface by using the Monitor mode in SDM. Monitor mode can display statistics about the LAN interface, including the number of packets and bytes that have been sent or received by the interface, and the number of send or receive errors that have occurred. To display statistics about a LAN interface:
Step 1 From the toolbar, click Monitor.
Step 2 From the left frame, click Interface Status.
Step 3 In the Select an Interface field, select the LAN interface for which you want to view statistics.
Step 4 Select the data item(s) you want to view by checking the associated check box(es). You can view up to four statistics at a time.
Step 5 Click Start Monitoring to see statistics for all selected data items.
The Interface Details screen appears, displaying the statistics you selected. The screen defaults to showing real-time data, for which it polls the router every 10 seconds. If the interface is up and there is data transmitting across it, you should see an increase in the number of packets and bytes transferred across the interface.

How Do I Enable or Disable an Interface?

You can disable an interface without removing its configuration, and you can reenable an interface that you have disabled.
Step 1 Click Interfaces and Connections in the category bar.
Step 2 Click the Edit Interfaces and Connections tab.
Step 3 Select the interface that you want to disable or enable.
Step 4 If the interface is enabled, the Disable button appears below the Interface List. Click that button to disable the interface. If the interface is currently disabled, the Enable button appears below the Interface List. Click that button to enable the interface.

How Do I View the IOS Commands I Am Sending to the Router?

If you are completing a Wizard to configure a feature, you can view the Cisco IOS commands that you are sending to the router when you click Finish.
Step 1 From the SDM Edit menu, select Preferences.
Step 2 Check Preview commands before delivering to router.
Step 3 Click OK.
The next time you use a wizard to configure the router and click Finish on the Summary window, the Deliver window will appear. In this window you can view the commands that you are delivering to the router's configuration. Click Deliver when you are finished reviewing the commands.
If you are editing a configuration, the Deliver window is displayed when you click OK in the dialog window. In this window you can view the Cisco IOS commands that you are sending to the router.

How Do I Launch the Wireless Application from SDM?

Use the following procedure to launch the wireless application from SDM.
Step 1 Go to the SDM Tools menu and select Wireless Application. The Wireless Application launches in a separate browser window.
Step 2 In the left panel, click the title of the configuration screen that you want to work in. To obtain help for any screen, click the help icon in the upper right corner. This icon looks like an open book with a question mark.

Chapter 3 Create Connection Wizards

The Create Connection wizards let you configure LAN and WAN connections for all SDM-supported interfaces.

Create Connection

This window allows you to create new LAN and WAN connections.
Note You cannot use SDM to create WAN connections for Cisco 7000 series routers.
Create a New Connection
Choose a connection type in this area of the window. The types shown are based on the types of physical interfaces on the router and on which interfaces have not yet been configured. When you click a radio button for a connection type, a use case scenario diagram appears to the right illustrating that type of connection. If all interfaces have been configured, this area is not displayed.
If the router has Asynchronous Transfer Mode (ATM) or Serial interfaces, multiple connections can be configured from a single interface because Cisco Router and Security Device Manager (SDM) configures subinterfaces for each interface of that type.
The Other (Unsupported by SDM) radio button appears if an unsupported logical or physical interface exists, or if a supported interface exists that has been given an unsupported configuration. When you click this radio button, Create New Connection is disabled, and a reason for the Other radio button appearing is given in the Information box.
If the router has radio interfaces but you do not see a Wireless radio button, you are not logged on as an SDM Administrator. If you need to use the Wireless Application, go to the SDM Tools menu, and select Wireless Application.
What Do You Want to Do?
If you want to: Learn how to perform configurations that this wizard does not help you with.
Do this: See one of the following procedures:
How Do I View the IOS Commands I Am Sending to the Router?
How Do I Configure an Unsupported WAN Interface?
How Do I Enable or Disable an Interface?
How Do I View Activity on My WAN Interface?
How Do I Configure NAT on a WAN Interface?
How Do I Configure a Static Route?
How Do I Configure a Dynamic Routing Protocol?
How Do I Configure Dial-on-Demand Routing for my ISDN or Asynchronous Interface?
If you want to: Configure an interface that SDM does not support.
Do this: Refer to the software configuration guide for the router to use the CLI to configure the interface.
WAN Wizard Interface Welcome Window
This window lists the types of connections you can configure for this interface using SDM. If you need to configure another type of connection for this interface, you can do so using the CLI.

ISDN Wizard Welcome Window

PPP is the only type of encoding supported over ISDN BRI by SDM.

Analog Modem Welcome Window

PPP is the only type of encoding supported over an analog modem connection by SDM.

Aux Backup Welcome Window

The option to configure the AUX port as a dial-up connection will only be shown for the Cisco 831 and 837 routers.
The Aux dial-backup radio button is disabled if any of the following conditions occur:
When more than one default route exists
When one default route exists and it is configured on an interface other than the primary WAN interface
The Aux dial-backup option will not be shown if any of the following conditions occur:
When the router is not using a Cisco IOS image that supports the Aux dial-backup feature
When a primary WAN interface is not configured
When the asynchronous interface is already configured
When the asynchronous interface is not configurable by SDM due to the presence of unsupported Cisco IOS commands in the existing configuration
Select Interface
This window appears if there is more than one interface of the type you selected in the Create Connection window. Choose the interface that you want to use for this connection.
If you are configuring an Ethernet interface, SDM inserts the description text $ETH-WAN$ in the configuration file so that it will recognize the interface as a WAN interface in the future.

Encapsulation: PPPoE

This window lets you enable Point-to-Point Protocol over Ethernet (PPPoE) encapsulation. This is necessary if your service provider or network administrator requires remote routers to communicate using PPPoE.
PPPoE is a protocol used by many asymmetric digital subscriber line (ADSL) service providers. Ask your service provider if PPPoE is used over your connection.
If you choose PPPoE encapsulation, SDM automatically adds a dialer interface to the configuration, and this is shown in the Summary window.
Enable PPPoE Encapsulation
If your service provider requires that the router use PPPoE, check this box to enable PPPoE encapsulation. Uncheck this box if your service provider does not use PPPoE. This check box will not be available if your router is running a version of Cisco IOS that does not support PPPoE encapsulation.
IP Address: ATM or Ethernet with PPPoE/PPPoA
Choose the method that the WAN interface will use to obtain an IP address.
Static IP Address
If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided.
Dynamic (DHCP Client)
If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
IP Unnumbered
Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP address you want the interface that you are configuring to use.
Easy IP (IP Negotiated)
Select Easy IP (IP Negotiated) if the router will obtain an IP address via PPP/IPCP address negotiation.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
IP Address: ATM with RFC 1483 Routing
Choose the method that the WAN interface will use to obtain an IP address.
Static IP Address
If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
Dynamic (DHCP Client)
If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
IP Unnumbered
Click IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP address you want the interface that you are configuring to use.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
IP Address: Ethernet without PPPoE
Choose the method that the WAN interface will use to obtain an IP address.
Static IP Address
If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
Dynamic (DHCP Client)
If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Click the Dynamic DNS button to configure dynamic DNS.

IP Address: Serial with Point-to-Point Protocol

Choose the method that the point-to-point interface will use to obtain an IP address.
Static IP Address
If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
IP Unnumbered
Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP address you want the interface that you are configuring to use.
Easy IP (IP Negotiated)
Select Easy IP (IP Negotiated) if the router will obtain an IP address via PPP/IPCP address negotiation.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
IP Address: Serial with HDLC or Frame Relay
Choose the method that the WAN interface will use to obtain an IP address. If Frame Relay encapsulation is used, SDM creates a subinterface, and the IP address is assigned to the subinterface SDM creates.
Static IP Address
If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
IP Unnumbered
Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP address you want the interface that you are configuring to use.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
IP Address: ISDN BRI or Analog Modem
Choose the method that the ISDN BRI or analog modem interface will use to obtain an IP address.
Static IP Address
If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
IP Unnumbered
Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface that has the IP address that you want the interface that you are configuring to use.
Easy IP (IP Negotiated)
Select IP Negotiated if the interface will obtain an IP address from your ISP via PPP/IPCP address negotiation whenever a connection is made.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
Authentication
This page is displayed if you enabled PPP for a serial connection, PPPoE or PPPoA encapsulation for an ATM or Ethernet connection, or if you are configuring an ISDN BRI or analog modem connection. Your service provider or network administrator may use a Challenge Handshake Authentication Protocol (CHAP) password or a Password Authentication Protocol (PAP) password to secure the connection between the devices. This password secures both incoming and outgoing access.
Authentication Type
Check the box for the type of authentication used by your service provider. If you do not know which type your service provider uses, you can check both boxes: the router will attempt both types of authentication, and one attempt will succeed.
CHAP authentication is more secure than PAP authentication.
Username
The username is given to you by your Internet service provider or network administrator and is used as the username for CHAP/PAP authentication.
Password
Enter the password exactly as given to you by your service provider. Passwords are case sensitive. For example, the password cisco is not the same as Cisco.
Confirm Password
Reenter the same password that you entered in the previous box.
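To show why this guide rates CHAP above PAP, here is an added Python model of both exchanges; it is not SDM or Cisco IOS code. It follows the RFC 1334 PAP Authenticate-Request layout and the RFC 1994 CHAP MD5 response computation, and the usernames, secrets and the ChapAuthenticator class are constructed for the example.

```python
"""PAP versus CHAP on a PPP link, modelled to show why the guide rates CHAP higher.

Added example for this guide; it is not SDM or Cisco IOS code. PAP follows
the RFC 1334 Authenticate-Request layout and CHAP the RFC 1994 MD5 response
(MD5 over Identifier || secret || Challenge Value). Usernames, secrets and
the ChapAuthenticator class are constructed for the example.
"""
import hashlib
import hmac
import os


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request data: Peer-ID and Password travel in clear text."""
    user, pw = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pw)]) + pw


def chap_response_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_response(identifier: int, challenge: bytes, name: str, secret: str) -> bytes:
    """CHAP Response data as the router sends it: Value-Size, Value, Name (no secret)."""
    value = chap_response_value(identifier, secret, challenge)
    return bytes([len(value)]) + value + name.encode()


class ChapAuthenticator:
    """The challenging side, e.g. the service provider's access server (constructed)."""

    def __init__(self, secrets: dict):
        self._secrets = secrets        # name -> shared secret; compared case-sensitively
        self._identifier = 0
        self._outstanding = {}         # identifier -> challenge awaiting a response

    def challenge(self, size: int = 16) -> tuple:
        """Issue a fresh Identifier and a random Challenge Value."""
        self._identifier = (self._identifier + 1) % 256
        value = os.urandom(size)
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        """Check a Response packet; each challenge is accepted once only, so a replay fails."""
        challenge = self._outstanding.pop(identifier, None)
        if challenge is None or not response:
            return False
        size = response[0]
        value, name = response[1:1 + size], response[1 + size:].decode(errors="replace")
        secret = self._secrets.get(name)
        if secret is None or len(value) != size:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, value)


def chap_exchange(auth: ChapAuthenticator, name: str, secret: str) -> bool:
    """Run one Challenge/Response round between the access server and the router."""
    identifier, challenge = auth.challenge()
    return auth.verify(identifier, chap_response(identifier, challenge, name, secret))


def secret_on_the_wire(packet: bytes, secret: str) -> bool:
    """Whether the shared secret appears verbatim in a captured packet."""
    return secret.encode() in packet


if __name__ == "__main__":
    server = ChapAuthenticator({"user@isp.example": "cisco"})   # constructed credentials
    print("CHAP, correct secret:", chap_exchange(server, "user@isp.example", "cisco"))
    print("CHAP, wrong case:    ", chap_exchange(server, "user@isp.example", "Cisco"))
    print("PAP exposes secret:  ",
          secret_on_the_wire(pap_authenticate_request("user@isp.example", "cisco"), "cisco"))
```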

Switch Type and SPIDs

ISDN BRI connections require identification of the ISDN switch type, and in some cases, identification of the B channels using Service Provider ID (SPID) numbers. This information will be provided to you by your service provider.
ISDN Switch Type
Select the ISDN switch type. Contact your ISDN service provider for the switch type for your connection.
SDM supports these BRI switch types:
For North America:
basic-5ess - Lucent (AT&T) basic rate 5ESS switch
basic-dms100 - Northern Telecom DMS-100 basic rate switch
basic-ni - National ISDN switches
For Australia, Europe, and the UK:
basic-1tr6 - German 1TR6 ISDN switch
basic-net3 - NET3 ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system
vn3 - French ISDN BRI switches
For Japan:
ntt - Japanese NTT ISDN switches
For voice/PBX systems:
basic-qsig - PINX (PBX) switches with QSIG signaling per Q.931
I Have SPIDs
Check this check box if your service provider requires SPIDs.
Some service providers use SPIDs to define the services that are subscribed to by an ISDN device that is accessing the ISDN service provider. The service provider assigns the ISDN device one or more SPIDs when you first subscribe to the service. If you are using a service provider that requires SPIDs, your ISDN device cannot place or receive calls until it sends a valid, assigned SPID to the service provider when the device accesses the switch to initialize the connection.
Currently, only the DMS-100 and NI switch types require SPIDs. The AT&T 5ESS switch type may support a SPID, but we recommend that you set up the ISDN service without SPIDs. In addition, SPIDs have significance only at the local access ISDN interface. Remote routers never receive the SPID.
A SPID is usually a 7-digit telephone number with some optional numbers. However, service providers may use different numbering schemes. For the DMS-100 switch type, two SPIDs are assigned, one for each B channel.
SPID1
Enter the SPID for the first BRI B channel provided to you by your ISP.
SPID2
Enter the SPID for the second BRI B channel provided to you by your ISP.

Dial String

Enter the phone number of the remote end of the ISDN BRI or analog modem connection. This is the phone number that the ISDN BRI or analog modem interface will dial whenever a connection is made. The dial string is provided to you by your service provider.

Backup Configuration

ISDN BRI and analog modem interfaces can be configured to work as backup interfaces to other, primary interfaces. In that case, an ISDN or analog modem connection will be made only if the primary interface goes down for some reason. If the primary interface and connection go down, the ISDN or analog modem interface will immediately dial out and try to establish a connection so that network services are not lost.
Select whether this ISDN BRI or analog modem connection should act as a backup connection.
Note the following prerequisites:
The primary interface must be configured for Site-to-Site VPN.
The IOS image on your router must support the SAA ICMP Echo Enhancement feature.
Backup Configuration: Primary Interface & Next Hop IP Addresses

In order for the ISDN BRI or analog modem connection to act as a backup connection, it must be associated with another interface on the router that will act as the primary connection. The ISDN BRI or analog modem connection will be made only if the connection on the primary interface goes down.
Primary Interface
Select the router interface that will maintain the primary connection.
Primary Next Hop IP Address
This field is optional. Enter the IP address to which the primary interface will connect when it is active, known as the next hop IP address.
Backup Next Hop IP Address
This field is optional. Enter the IP address to which the backup interface will connect when it is active, known as the next hop IP address.

Backup Configuration: Hostname or IP Address to be Tracked

This screen lets you identify a specific host to which connectivity must be maintained. The router will track connectivity to that host, and if the router discovers that connectivity has been lost by the primary interface, a backup connection will be initiated over the ISDN BRI or analog modem interface.
IP Address to be Tracked
Enter the IP address or host name of the destination host to which connectivity will be tracked. Please specify an infrequently-contacted destination as the site to be tracked.
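The three backup screens above map onto a small set of IOS commands. The following is an added example written for this guide, not output generated by SDM: an SAA (rtr) ICMP echo probe to the tracked host, a tracking object tied to it, a primary default route that is withdrawn when the probe fails, and a floating default route through the backup dialer that takes over. The interface names, the next-hop addresses, and the tracked host 198.51.100.10 are constructed placeholders.

```ios
! Added example, not SDM-generated configuration. Names and addresses are
! constructed placeholders.
!
! Primary interface, with next hop 192.0.2.1 (constructed).
interface FastEthernet0/0
 description Primary WAN
 ip address 192.0.2.2 255.255.255.252
!
! SAA probe: ICMP echo to the tracked host, sourced from the primary
! interface so that it only succeeds over the primary path. Choose a host
! that is otherwise rarely contacted, as the screen recommends.
rtr 1
 type echo protocol ipIcmpEcho 198.51.100.10 source-interface FastEthernet0/0
 timeout 1000
 frequency 10
rtr schedule 1 life forever start-time now
!
! Tracking object that goes down when the probe stops getting replies.
track 1 rtr 1 reachability
!
! Primary default route: removed from the routing table while track 1 is down.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
!
! Floating default route through the backup dialer (administrative distance
! 254), used only while the tracked route is absent. A backup next-hop
! address, if the provider gave you one, can replace the interface name.
ip route 0.0.0.0 0.0.0.0 Dialer0 254
```

The dialer interface itself is configured as described in the dial-on-demand section later in this chapter. Note that if PAT is configured on the primary interface, traffic leaving over the backup needs its own translation, which is why the Delete Connection window lists "PAT on Backup connection" and "Floating Default Route on Backup connection" as separate associations.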
Advanced Options
There are two advanced options available, depending on the router's configuration: Default Static Route and Port Address Translation (PAT). If the Default Static Route option is not visible in the window, a static route has already been configured on the router. If the PAT option is not visible, PAT has already been configured on an interface.
Default Static Route
Check this box if you want to configure a static route to the outside interface to which outgoing traffic will be routed. If a static route has already been configured on this router, this box will not appear.
Next Hop Address
If your service provider has given you a next hop IP address to use, enter the IP address in this field. If you leave this field blank, SDM will use the WAN interface that you are configuring as the next-hop interface.
Port Address Translation
If devices on the LAN have private addresses, you can allow them to share a single public IP address. You can ensure that traffic goes to its proper destination by using PAT, which represents hosts on a LAN with a single IP address and uses different port numbers to distinguish the hosts. If PAT has already been configured on an interface, the PAT option will not be visible.
Inside Interface to be Translated
Choose the inside interface connected to the network whose host IP addresses you want to be translated.

Encapsulation

In this window, select the type of encapsulation that the WAN link will use. Ask your service provider or network administrator which type of encapsulation is used for this link. The interface type determines the types of encapsulation available.
Autodetect
Click Autodetect to have SDM discover the encapsulation type. If SDM succeeds, it will automatically supply the encapsulation type and other configuration parameters it discovers.
Note SDM supports autodetect on SB106, SB107, Cisco 836 and Cisco 837 routers. However, if you are configuring a Cisco 837 router and the router is running an IOS image of version 12.3(8)T or version 12.3(8.3)T, the autodetect feature is not supported.
Available Encapsulations
The encapsulations available if you have an ADSL, G.SHDSL, or ADSL over ISDN interface are shown in the following table.
Encapsulation: Description
PPPoE: Provides Point-to-Point Protocol over Ethernet encapsulation. This option is available when you have selected an Ethernet interface or an ATM interface. An ATM subinterface and a dialer interface will be created when you configure PPPoE over an ATM interface. The PPPoE radio button will be disabled if your router is running a version of Cisco IOS that does not support PPPoE encapsulation.
PPPoA: Provides Point-to-Point Protocol over ATM encapsulation. This option is available when you have selected an ATM interface. An ATM subinterface and a dialer interface will be created when you configure PPPoA over an ATM interface. The PPPoA radio button will be disabled if your router is running a version of Cisco IOS that does not support PPPoA encapsulation.
RFC 1483 routing with AAL5-SNAP: This option is available when you have selected an ATM interface. An ATM subinterface will be created when you configure an RFC 1483 connection. This subinterface will be visible in the Summary window.
RFC 1483 routing with AAL5-MUX: This option is available when you have selected an ATM interface. An ATM subinterface will be created when you configure an RFC 1483 connection. This subinterface will be visible in the Summary window.
The encapsulations available if you have a serial interface are shown in the following table.
Encapsulation: Description
Frame Relay: Provides Frame Relay encapsulation. This option is available when you have selected a serial interface. A serial subinterface will be created when you create a Frame Relay connection. This subinterface will be visible in the Summary window.
Note If a Frame Relay serial connection has been added to an interface, only Frame Relay encapsulation will be enabled in this window when subsequent serial connections are configured on the same interface.
Point-to-Point Protocol: Provides PPP encapsulation. This option is available when you have selected a serial interface.
High Level Data Link Control: Provides HDLC encapsulation. This option is available when you have selected a serial interface.

PVC

ATM routing uses a two-layer hierarchical scheme of virtual paths and virtual channels, denoted by the virtual path identifier (VPI) and virtual channel identifier (VCI), respectively. A particular virtual path may carry a number of different virtual channels corresponding to individual connections. When switching is performed based on the VPI, all cells on that particular virtual path are switched regardless of the VCI. An ATM switch may route according to VCI, VPI, or both VCI and VPI.
VPI
Enter the VPI value obtained from your service provider or system administrator. The virtual path identifier (VPI) is used in ATM switching and routing to identify the path used for a number of connections.
VCI
Enter the VCI value obtained from your service provider or system administrator. The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular connection within a path that it may share with other connections. Enter the VCI value given to you by your service provider.
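To show what the encapsulation and PVC choices above become on the router, here is an added example of the ATM subinterface plus dialer interface that the PPPoE-over-ATM option describes, followed (commented out) by the same PVC as an RFC 1483 AAL5-SNAP routed connection. This is illustrative configuration written for this guide, not SDM output; the VPI/VCI pair 8/35, the CHAP hostname and password, and the LAN addressing are constructed placeholders that your provider's values replace.

```ios
! Added example, not SDM-generated configuration. VPI/VCI, credentials and
! addresses are constructed placeholders.
!
! VPDN commands that a PPPoE client configuration requires (see the VPDN
! association in the Delete Connection window).
vpdn enable
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface ATM0
 no ip address
 no shutdown
!
! ATM subinterface carrying the PVC; VPI 8, VCI 35 from the provider.
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
! Dialer interface that terminates the PPP session.
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ip mtu 1492
 ppp authentication chap callin
 ppp chap hostname user@example.net
 ppp chap password 0 EXAMPLE-PASSWORD
!
dialer-list 1 protocol ip permit
!
! On the LAN interface, clamp TCP MSS so that PPPoE's 8-byte overhead does not
! cause fragmentation (the "ip tcp adjust mss" association listed later).
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip tcp adjust-mss 1452
!
! The same PVC as RFC 1483 routing with AAL5-SNAP instead of PPPoE: no dialer,
! the address sits on the subinterface, and the encapsulation is set per PVC.
! interface ATM0.1 point-to-point
!  ip address 192.0.2.2 255.255.255.252
!  pvc 8/35
!   encapsulation aal5snap
```

With PPPoE the authentication direction matters: "callin" means the router only authenticates when it places the call, so the provider's access concentrator challenges the router and not the other way round.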
Cisco IOS Default Values
The values shown in the following table are Cisco IOS defaults. SDM will not overwrite these values if they have been changed during a prior configuration, but if your router has not been previously configured, these are the values that will be used:
Connection Type   Parameter        Value
ADSL              Operating mode   Auto
G.SHDSL           Operating mode   Annex A (U.S.)
G.SHDSL           Line Rate        Auto
G.SHDSL           Equipment type   CPE
ADSL over ISDN    Operating mode   Auto
Configure LMI and DLCI
If you are configuring a connection with Frame Relay encapsulation, you must specify the protocol used to monitor the connection, called the Local Management Identifier (LMI), and provide a unique identifier for this particular connection, called a data link connection identifier (DLCI).
LMI Type
Ask your service provider which of the following LMI types you should use.
LMI Type: Description
ANSI: Annex D defined by American National Standards Institute (ANSI) standard T1.617.
Cisco: LMI type defined jointly by Cisco Systems and three other companies.
ITU-T Q.933: ITU-T Q.933 Annex A.
Autosense: The default. This setting allows the router to detect which LMI type is being used by communicating with the switch and to then use that type. If autosense fails, the router will use the Cisco LMI type.
DLCI
Enter the DLCI in this field. This number must be unique among all DLCIs used on this interface.
Use IETF Frame Relay Encapsulation
Internet Engineering Task Force (IETF) encapsulation. This option is used when connecting to non-Cisco routers. Check this box if you are connecting to a non-Cisco router on this interface.
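The LMI type, DLCI and IETF check box above correspond to three lines of Frame Relay configuration. The following added example (written for this guide, not produced by SDM) shows a serial interface with ANSI LMI and a point-to-point subinterface for one DLCI; the interface numbers, DLCI 100 and the addressing are constructed placeholders.

```ios
! Added example, not SDM-generated configuration. Interface numbers, DLCI and
! addresses are constructed placeholders.
!
interface Serial0/0
 no ip address
 ! "ietf" is the "Use IETF Frame Relay Encapsulation" check box; omit it when
 ! the far end is a Cisco router.
 encapsulation frame-relay ietf
 ! LMI type from the provider: ansi, cisco or q933a. Leaving this line out
 ! gives the Autosense default, which falls back to the Cisco LMI type.
 frame-relay lmi-type ansi
 no shutdown
!
! One subinterface per PVC; the DLCI must be unique on this physical interface.
interface Serial0/0.1 point-to-point
 description PVC to provider, DLCI 100
 ip address 192.0.2.2 255.255.255.252
 frame-relay interface-dlci 100
```

Because only Frame Relay encapsulation remains selectable once a Frame Relay connection exists on the interface, further PVCs on the same link are added as additional subinterfaces with their own DLCIs rather than as new encapsulations.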
Configure Clock Settings
The Clock Settings window is available when you are configuring a T1 or E1 link. The default Frame Relay clock settings are shown in this page. You should not change them unless you know you have different requirements.
Clock Source
Internal specifies that the clock be generated internally. Line specifies that the clock source be taken from the network. The clock synchronizes data transmission. The default is line.
T1 Framing
This field configures the T1 or E1 link for operation with D4 Super Frame (sf) or Extended Superframe (esf). The default is esf.
Line Code
This field configures the router for operation on binary 8-zeroes substitution (B8ZS) or alternate mark inversion (AMI) T1 lines. The b8zs setting ensures density on a T1 or E1 line by substituting intentional bipolar violations in bit positions 4 and 7 for a sequence of eight zero bits. When the router is configured with the ami setting, you must guarantee density in your router configuration with the data-coding inverted setting. The default is b8zs.
Data Coding
Click inverted if you know that user data is inverted on this link, or if Line Code is set to AMI. Otherwise leave this set to the default value normal. Data inversion is used with bit-oriented protocols such as HDLC, PPP, and Link Access Procedure, Balanced (LAPB) to ensure density on a T1 line with AMI encoding. These bit-oriented protocols perform zero insertions after every five “one” bits in the data stream. This has the effect of ensuring at least one zero in every eight bits. If the data stream is then inverted, it ensures that at least one out of every eight bits is a one.
If you do not want to use inverted data coding with the AMI line code, you must use the CLI to configure all time slots to 56 kbps. SDM will set data coding to inverted if the line code is AMI and there are no time slots configured for 56 kbps.
Facilities Data Link (FDL)
This field configures the router behavior on the Facilities Data Link (FDL) of the Extended Superframe. When configured with att, the router implements AT&T TR 54016. When configured with ansi, it implements ANSI T1.403. When you choose both, the router implements both the att and ansi choices. When you choose none, the router ignores the FDL. The default is none. If T1 or E1 framing is set to sf, SDM will set FDL to none and make this field read-only.
Line Build Out (LBO)
This field is used to configure the Line Build Out (LBO) of the T1 link. The LBO decreases the transmit strength of the signal by -7.5 or -15 decibels. It is not likely to be needed on actual T1 or E1 lines. The default is none.
Remote Loopback Requests
This field specifies whether the router will go into loopback when a loopback code is received on the line. Choosing full will cause the router to accept full loopbacks, and choosing payload-v54 will cause the router to select payload loopbacks.
Enable Generation/Detection of Remote Alarms
Check this box if you want the router T1 link to generate remote alarms (yellow alarms) and to detect remote alarms being sent from the peer on the other end of the link.
The remote alarm is transmitted by a router when it detects an alarm condition: either a red alarm (loss of signal) or a blue alarm (unframed 1s). The receiving channel service unit/data service unit (CSU/DSU) then knows that there is an error condition on the line.
This setting should only be used when T1 framing is set to esf.
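The Clock Settings fields map onto the T1 controller configuration. As an added example written for this guide (not SDM output), the block below shows the window's defaults on one controller and, commented out, the AMI variant in which ones density has to come from data inversion on the channelized serial interface. Controller and interface numbers are constructed, and the remote-alarm commands are the controller-level "yellow" commands found on channelized T1 cards; confirm they exist on your platform.

```ios
! Added example, not SDM-generated configuration. Controller and interface
! numbers are constructed placeholders.
!
! Defaults as shown in the Clock Settings window.
controller T1 0/0
 framing esf
 linecode b8zs
 clock source line
 fdl ansi
 ! Remote (yellow) alarm generation/detection; meaningful only with esf
 ! framing, which is why SDM ties the check box to the framing setting.
 yellow generation
 yellow detection
 ! All 24 time slots in one channel group: creates interface Serial0/0:0.
 channel-group 0 timeslots 1-24
!
! AMI variant. AMI does not enforce ones density by itself, so either the
! data stream is inverted on the serial interface (what SDM configures when
! no time slot is set to 56 kbps) or every time slot is restricted to 56 kbps
! from the CLI.
! controller T1 0/1
!  framing esf
!  linecode ami
!  clock source line
!  channel-group 0 timeslots 1-24
! interface Serial0/1:0
!  invert data
!
! The 56 kbps alternative instead of inversion:
! controller T1 0/1
!  channel-group 0 timeslots 1-24 speed 56
```

Only one end of a T1 link should generate the clock; "clock source line" on the router side matches the usual case where the carrier supplies timing, which is why the window warns against changing it without a reason.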
Delete Connection
You can delete a WAN connection that appears in the Edit Interface/Connections window. This window appears when you are deleting an interface configuration, and when the connection you want to delete contains associations such as Access Rules that have been applied to this interface. This window gives you the opportunity to save the associations for use with another connection.
When you delete a connection, the Create New Connection list is refreshed if the deletion makes a connection type available that was not available before the deletion.
You can automatically delete all associations that the connection has, or delete the associations later.
To view the associations that the connection has:
Click View Details.
To delete the connection and all associations:
Click Automatically delete all associations, and then click OK to cause SDM to delete the connection and all of the associations.
To manually delete the association:
To manually delete the associations, click View Details to see a list of the associations that this connection has. Make note of the associations, then select I will delete the associations later, and then click OK. You must then delete the associations that the connection has, following the instructions in the following list.
The possible associations, and the instructions for deleting them, are:
Default Static Route—The interface is configured as the forwarding interface
for a default static route. To delete the static route with which this interface is associated, click Configure; then click Routing. Click the static route in the Static Routing table, and click Delete.
Port Address Translation—PAT is configured, using the interface on which
this connection was created. To delete the PAT association, click Configure; then click NAT. Click the rule associated with this connection, and click Delete.
NAT—The interface is designated as either a NAT inside or NAT outside interface. To delete the NAT association, click Configure; then click Interfaces and Connections. Click the connection in the Interface List, then click Edit. Click the NAT tab, then from the NAT pulldown, choose None.
ACL—An ACL is applied to the interface on which the connection was created. To delete the ACL, click Configure; then click Interfaces and Connections. Click the connection in the Interface List; then click Edit. Click the Association tab, then in the Access Rule group, click the ... button next to both the Inbound and Outbound fields, and click None.
Inspect—An inspection rule is applied to the interface on which the connection was created. To delete the inspection rule, click Configure; then click Interfaces and Connections. Click the connection in the Interface List, then click Edit. Click the Association tab; then in the Inspection Rule group, in both the Inbound and Outbound fields, choose None.
Crypto—A crypto map is applied to the interface on which the connection was created. To delete the crypto map, click Configure; then click Interfaces and Connections. Click the connection in the Interface List, then click Edit. Click the Association tab; then in the VPN group, in the IPSec Policy field, click None.
EZVPN—An Easy VPN is applied to the interface on which the connection was created. To delete the Easy VPN, click Configure; then click Interfaces and Connections. Click the connection in the Interface List, then click Edit. Click the Association tab; then in the VPN group, in the Easy VPN field, click None.
VPDN—VPDN commands that are required for a PPPoE configuration are present in the router configuration. If there are any other PPPoE connections configured on the router, do not delete the VPDN commands.
ip tcp adjust mss—This command is applied to a LAN interface to adjust the TCP maximum segment size. If there are any other PPPoE connections configured on the router, do not delete this command.
Backup connection—A backup connection is configured for the primary interface. To delete the backup association, click Configure, then click Interfaces and Connections. Click the Backup interface in the Interface List, then click Edit. Click the Backup tab; uncheck the Enable Backup check box.
PAT on Backup connection—PAT is configured on the backup interface. To delete the PAT association, click Configure; then click NAT. Click the rule associated with this connection, and then click Delete.
Floating Default Route on Backup connection—The Backup interface is configured with a floating default static route. To delete the floating static route, click Configure; then click Routing. Click the floating static route in the Static Routing table, and click Delete.

Summary

This screen displays a summary of the WAN link that you configured. You can review this information, and if you need to change anything, you can click the Back button to return to the screen on which you need to make changes.
Test the connectivity after configuring
Check this box if you want SDM to test the connection you have configured after it delivers the commands to the router. SDM will test the connection and report results in another window.
To save this configuration to the router's running configuration and leave this wizard:
Click Finish. SDM saves the configuration changes to the router's running configuration. The changes will take effect immediately, but will be lost if the router is turned off.
If you checked Preview commands before delivering to router in the SDM Preferences window, the Deliver window appears. In this window, you can view the CLI commands that you are delivering to the router.
Connectivity testing and troubleshooting
This window allows you to test a configured connection by pinging a remote host. If the ping fails, SDM reports the probable cause and suggests actions you can take to correct the problem.
Which connection types can be tested?
SDM can troubleshoot ADSL, G.SHDSL V1 and G.SHDSL V2 connections, using PPPoE, AAL5SNAP or AAL5MUX encapsulation.
SDM can troubleshoot Ethernet connections with PPPoE encapsulation.
SDM cannot troubleshoot unencapsulated Ethernet connections, Serial and T1 or E1 connections, Analog connections, and ISDN connections. SDM provides basic ping testing for these connection types.
What is Basic Ping Testing?
When SDM performs basic ping testing, it does the following:
1. Checks the interface status to see if it is up or down.
2. Checks DNS settings, whether they are SDM default options or user-specified hostnames.
3. Checks for DHCP and IPCP configurations on the interface.
4. Exits interface test.
5. Pings the destination.
SDM reports the results of each of these checks in the Activity/Status columns. If the ping succeeds, then the connection will be reported as successful. Otherwise the connection is reported down, and the test that failed is noted.
How does SDM Troubleshoot?
When SDM troubleshoots a connection, it performs a more extensive check than the basic ping test. If the router fails a test, SDM performs additional checks so it can provide you with the possible reasons for failure. For example, if Layer 2 status is down, SDM attempts to determine the reason(s), reports them, and recommends actions you can take to rectify the problem. SDM performs the following tasks:
1. Checks interface status. If the Layer 2 protocol is up, SDM goes to step 2.
If Layer 2 protocol status is down, SDM checks ATM PVC status for xDSL connections, or PPPoE status for encapsulated Ethernet connections.
If the ATM PVC test fails, SDM displays possible reasons for the failure and actions you can take to correct the problem.
If the PPPoE connection is down, there is a cabling problem, and SDM displays appropriate reasons and actions.
After performing these checks, the test is terminated and SDM reports the results and suggests actions.
2. Checks DNS settings, whether they are SDM default options or user-specified hostnames.
3. Checks DHCP or IPCP configuration and status. If the router has an IP address through either DHCP or IPCP, SDM goes to step 4.
If the router is configured for DHCP or IPCP but has not received an IP address through either of these methods, SDM performs the checks in step a above. The test terminates and SDM reports the results and suggests actions.
4. Pings the destination. If the ping succeeds, SDM reports success.
If the ping fails on an xDSL connection with PPPoE encapsulation, SDM checks:
the ATM PVC status
the PPPoE tunnel status
the PPP authentication status
After performing these checks, SDM reports the reason that the ping failed.
If the ping fails on an Ethernet connection with PPPoE encapsulation, SDM checks:
the PPPoE tunnel status
the PPP authentication status
After performing these checks, SDM reports the reason that the ping failed.
If the ping fails on an xDSL connection with AAL5SNAP or AAL5MUX encapsulation, SDM checks the ATM PVC status and reports the reason the ping failed.
IP Address/Hostname
Specify the server name to ping to test the WAN interface.
Automatically determined by SDM
SDM pings its default host to test the WAN interface. SDM detects the router's statically configured DNS servers and dynamically imported DNS servers. SDM pings these servers, and if successful pings exit through the interface under test, SDM reports success. If no pings succeeded, or successful pings were not found to exit the interface under test, SDM reports failure.
User Specified
Specify the IP address or hostname of your choice for testing the WAN interface.
Summary
Click this button if you want to view the summarized troubleshooting information.
Details
Click this button if you want to view the detailed troubleshooting information.
Activity
This column displays the troubleshooting activities.
Status
Displays the status of each troubleshooting activity by the following icons and text alerts:
The connection is up.
The connection is down.
Test is successful.
Test failed.
Reason
This box provides the possible reason(s) for the WAN interface connection failure.
Recommended action(s)
This box provides a possible action/solution to rectify the problem.
What Do You Want to Do?
If you want to: Do this:
Troubleshoot the WAN interface connection: Click the Start button. While the test is running, the Start button label changes to Stop, so you have the option to abort the troubleshooting while the test is in progress.
Save the test report: Click the Save Report button to save the test report in HTML format. This button is active only while a test is in progress or after the testing is complete.

How Do I...

This section contains procedures for tasks that the wizard does not help you complete.

How Do I View the IOS Commands I Am Sending to the Router?

See How Do I View the IOS Commands I Am Sending to the Router?

How Do I Configure an Unsupported WAN Interface?

SDM does not support configuration of every WAN interface that your router might support. If SDM discovers an interface in your router that it does not support, or a supported interface with an unsupported configuration, SDM displays a radio button labeled Other (Unsupported by SDM). The unsupported interface is displayed in the Interfaces and Connections window, but it cannot be configured using SDM.
To configure an unsupported interface, you must use the router command-line interface (CLI).

How Do I Enable or Disable an Interface?

You can disable an interface without removing its configuration, and you can reenable an interface that you have disabled.
Step 1 Click Configure on the SDM toolbar.
Step 2 Click Interfaces and Connections in the left frame.
Step 3 Click the interface that you want to disable or enable.
Step 4 If the interface is enabled, the Disable button appears below the Interface List. Click it to disable the interface. If the interface is currently disabled, the Enable button appears in that location. Click that button to enable the interface.

How Do I View Activity on My WAN Interface?

You can view activity on a WAN interface by using the Monitor feature in SDM. Monitor screens can display statistics about the WAN interface, including the number of packets and bytes that have been sent or received by the interface, and the number of send or receive errors that have occurred. To display statistics about a WAN interface:
Step 1 From the toolbar, click Monitor.
Step 2 From the left frame, click Interface Status.
Step 3 In the Select an Interface field, select the WAN interface for which you want to view statistics.
Step 4 Select the data item(s) you want to view by checking the associated check box(es).
You can view up to four statistics at a time.
Step 5 Click Show Details to see statistics for all selected data items.
The Interface Details screen appears, displaying the statistics you selected. The screen defaults to showing real-time data, for which it polls the router every 10 seconds. If the interface is up and there is data transmitting across it, you should see an increase in the number of packets and bytes transferred across the interface.

How Do I Configure NAT on a WAN Interface?

Step 1 Click Configure on the SDM toolbar.
Step 2 Click NAT in the left frame.
Step 3 In the NAT window, click Designate NAT interfaces.
Step 4 Find the interface for which you want to configure NAT.
Step 5 Check inside(trusted) next to the interface to designate the interface as an inside, or trusted, interface. An inside designation is typically used for an interface serving a LAN whose resources must be protected. Check outside(untrusted) to designate it as an outside interface. Outside interfaces typically connect to an untrusted network. Click OK.
The interface is added to the pool of interfaces using NAT.
Step 6 Review the Network Address Translation Rules in the NAT window. If you need to add, delete, or modify a rule, click the appropriate button on the NAT window to perform the configuration you need.
For more information, click the following links:
Add or Edit Static Address Translation Rule: Inside to Outside
Add or Edit Static Address Translation Rule: Outside to Inside
Add or Edit Dynamic Address Translation Rule: Inside to Outside
Add or Edit Dynamic Address Translation Rule: Outside to Inside
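The inside/outside designation in this procedure, together with the Default Static Route and Port Address Translation choices in the Advanced Options window earlier in this chapter, reduce to a few lines of IOS configuration. The following added example is written for this guide, not generated by SDM: the trusted LAN interface is marked inside, the WAN dialer outside, a standard ACL names the only network allowed to be translated, and the "overload" keyword turns the dynamic rule into PAT on the single WAN address. The interface names, the 192.168.1.0/24 LAN and the next hop 192.0.2.1 are constructed placeholders.

```ios
! Added example, not SDM-generated configuration. Interface names and
! addresses are constructed placeholders.
!
! Default static route (Advanced Options). With a provider-supplied next hop:
ip route 0.0.0.0 0.0.0.0 192.0.2.1
! ... or, when the Next Hop Address field is left blank, SDM points the route
! at the WAN interface itself:
! ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Trust boundary: the LAN is "inside (trusted)", the WAN is "outside (untrusted)".
interface FastEthernet0/0
 description LAN (trusted)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 description WAN (untrusted)
 ip nat outside
!
! Only hosts in the inside network are eligible for translation; packets from
! any other source are simply not translated.
access-list 1 remark Inside hosts allowed to share the WAN address
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Dynamic inside-to-outside rule. "overload" is PAT: every inside host is
! represented by the Dialer1 address, distinguished by source port.
ip nat inside source list 1 interface Dialer1 overload
```

Once this rule exists, the PAT option disappears from the Advanced Options window for later connections, as the text above notes, and it shows up as the "Port Address Translation" association when you delete the connection. Keep the ACL as narrow as the LAN actually is: a translation rule that matches "any" would also translate traffic from addresses that should never reach the outside.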

How Do I Configure NAT on an Unsupported Interface?

SDM can configure Network Address Translation (NAT) on an interface type unsupported by SDM. Before you can configure the firewall, you must first use the router CLI to configure the interface. The interface must have, at a minimum, an IP address configured, and it must be working. To verify that the connection is working, verify that the interface status is “Up.”
After you have configured the unsupported interface using the CLI, you can configure NAT using SDM. The unsupported interface will appear as “Other” on the router interface list.

How Do I Configure a Dynamic Routing Protocol?

To configure a dynamic routing protocol:
Step 1 From the toolbar, click Configure.
Step 2 From the left frame, click Routing.
Step 3 In the Dynamic Routing group, click the dynamic routing protocol that you want to configure.
Step 4 Click Edit.
The Dynamic Routing dialog box appears, displaying the tab for the dynamic routing protocol you selected.
Step 5 Using the fields in the Dynamic Routing dialog box, configure the dynamic routing protocol. If you need an explanation for any of the fields in the dialog box, click Help.
Step 6 When you have finished configuring the dynamic routing protocol, click OK.

How Do I Configure Dial-on-Demand Routing for my ISDN or Asynchronous Interface?

ISDN BRI and asynchronous connections are dial-up connections, meaning that in order to establish a connection, the router must dial a preconfigured phone number. Because the cost of these types of connections is usually determined by the amount of time that a connection is established, and because an asynchronous connection ties up a phone line, it is often desirable to configure Dial-on-Demand Routing (DDR) for these connection types.
SDM can help you configure DDR by:
Letting you associate a rule (or ACL) with the connection, which causes the router to establish the connection only when it recognizes network traffic that you have identified as interesting with the associated rule.
Setting idle timeouts, which cause the router to end a connection after a specified amount of time when there is no activity on the connection.
Enabling multilink PPP, which causes an ISDN BRI connection to use only one of the two B channels unless a specified percentage of bandwidth is exceeded on the first B channel. This has the advantage of saving costs when network traffic is low and the second B channel is not needed, but letting you utilize the full bandwidth of your ISDN BRI connection when needed.
To configure DDR on an existing ISDN BRI or asynchronous connection:
Step 1 Click Configure on the SDM toolbar.
Step 2 Click Interfaces and Connections in the left frame.
Step 3 Click the ISDN or asynchronous interface on which you want to configure DDR.
Step 4 Click Edit.
The Connection tab appears.
Step 5 Click Options.
The Edit Dialer Option dialog box appears.
Step 6 If you want the router to establish the connection only when it recognizes specific IP traffic, click the Filter traffic based on selected ACL radio button, and either enter a rule (ACL) number that will identify which IP traffic should cause the router to dial out, or click the ... button to browse the list of rules and select the rule that you want to use to identify IP traffic from that list.
Step 7 If you want to configure the router to end the connection when the connection is idle, i.e., no traffic passes across it, for a specified amount of time, in the Idle timeout field, enter the number of seconds the connection can remain idle before the router ends the connection.
Step 8 If you are editing an ISDN connection, and you would like to use your second B channel only when the traffic on the first B channel exceeds a certain threshold, check the Enable MultiLink PPP check box, then in the Load Threshold field, enter a number between 1 and 255, where 255 equals 100% of bandwidth, that will determine the threshold on the first B channel. When traffic on that channel exceeds that threshold, it will cause the router to connect the second B channel. In addition, in the Data direction field, you can choose whether this threshold should apply to outbound or inbound traffic.
Step 9 Click OK.

How Do I Edit a Radio Interface Configuration?

You must use the Wireless Application to edit an existing radio interface configuration.
Step 1 Click Configure on the SDM toolbar.
Step 2 Click Interfaces and Connections in the left frame, and then click the Edit Interface/Connection tab.
Step 3 Select the radio interface and click Edit. In the Connections tab, you can change the IP address or bridging information. If you want to change other wireless parameters, click Launch Wireless Application.
CHAPTER 4

Edit Interface/Connection

This window displays the router's interfaces and connections. The window also enables you to add, edit, and delete connections, and to enable or disable connections.
Add
Clicking the Add button displays a drop-down menu. This menu will always have options to add a new loopback or tunnel interface, and if there are switch ports present on the router, this menu will have an option to add a new VLAN. When you select an unconfigured interface, and click Add, the menu contains choices for adding a connection on that interface.
If you want to reconfigure an interface, and see no choices except Loopback and Tunnel when you click Add, select the interface and click Delete. All the types of connections available for that kind of interface will appear in the Add menu. Click Available Interface Configurations to see what configurations are available for an interface.
Edit
When you select an interface and click Edit, a dialog appears. If the interface is a supported and configured interface and is not a switch port, the dialog will have a Connection tab, an Association tab, a NAT tab, and a General tab. If the interface is not supported, the dialog will have an Association tab, a NAT tab, and a General tab. If you select a switch port, the Edit Switch Port dialog appears. The Edit button will be disabled if the interface is supported and unconfigured.
Delete
Selecting a connection and clicking Delete displays a dialog box informing you of the associations this connection has and asking you if you want to remove the associations along with the connection. You can delete just the connection, or the connection and all of its associations.
Summary
Clicking the Summary button hides the details about the connection, restricting the information to the IP address, Type, Slot, Status, and Description.
Details
Clicking Details displays the Details About Interface area, described next. Details about the interface are shown by default.
Enable/Disable
When you select an interface and click this button, the interface will be administratively shut down or brought up depending on its current state. This button will be disabled when you select an interface whose configuration has not been delivered to the router.
Test Connection
Click to test the selected connection. A dialog appears that enables you to specify a remote host to ping through this connection. The dialog then reports on the success or failure of the test. If the test fails, information about why the test may have failed is given, along with the steps you need to take to correct the problem.
Interface List
The interface list displays the physical interfaces and logical connections to which they are configured.
Interfaces
This column lists the physical and logical interfaces by name. If a logical interface has been configured for a physical interface, the logical interface is shown under the physical interface.
If SDM is running on a Cisco 7000 router, you will be able to create a connection only on Ethernet and Fast Ethernet interfaces.
IP Address
This column can contain the following types of IP addresses:
The configured IP address of the interface.
DHCP Client—The interface receives an IP address from a Dynamic Host Configuration Protocol (DHCP) server.
IP address negotiated—The interface receives an IP address via negotiation with the remote device.
IP unnumbered—The router will use one of a pool of IP addresses supplied by your service provider for your router, and for the devices on the LAN.
Not Applicable—The interface type cannot be assigned an IP address.
Type
The Type column displays the interface type, such as Ethernet, serial, or ATM.
Slot
The number of the physical slot in the router that the interface is installed in. If SDM is running on a Cisco 1710 router, the slot field will be empty.
Status
This column shows whether this interface is up or down. The green icon with the upward-pointing arrowhead indicates the interface is up. The red icon with the downward-pointing arrowhead indicates that the interface is down.
Description
This column contains any descriptions provided for this connection.
Details About Interface
This area of the window displays association and, if applicable, connection details about the interface selected in the Interface List. Association details include such information as Network Address Translation (NAT), Access, and inspection rules, IPSec policies, and Easy VPN configurations. Connection details include IP address, encapsulation type, and DHCP options.
Item Name
The name of the configuration item, such as IP address/Subnet mask, or IPSec policy. The actual items listed in this column depend on the type of interface selected.
Item Value
If the named item has a configured value, it is displayed in this column.
Reset/Delete
Reset is enabled when the selected physical interface has a configured connection.
Delete is enabled when a supported logical interface, such as a loopback or tunnel, is selected.
What do you want to do?
If you want to: Do this:
Add a new connection. Click Add, and select connection from the context menu.
Add a new logical interface. Click Add, and select logical interface from the context menu.
Add a new VLAN interface. Click Add, select New Logical Interface from the context menu, and then select VLAN from the sub-menu.
Edit an existing interface. Highlight the interface you want to edit, and click Edit.
Note If you are editing a GRE tunnel, the Connection tab will not appear if the GRE tunnel has not been configured to use gre ip mode.
Reset a physical interface to an unconfigured state. Select the physical interface, and click Reset.
Delete a logical interface. Select the interface you want to delete, and click Delete.
Find out how to perform related configuration tasks. See one of the following procedures:
How Do I Configure a Static Route?
How Do I View Activity on My LAN Interface?
How Do I Enable or Disable an Interface?
How Do I View the IOS Commands I Am Sending to the Router?
How Do I Configure an Unsupported WAN Interface?
How Do I View Activity on My WAN Interface?
How Do I Configure NAT on a WAN Interface?
How Do I Configure a Dynamic Routing Protocol?
Why Are Some Interfaces or Connections Read-Only?
There are many conditions that can prevent SDM from modifying a previously configured interface or subinterface.
For reasons why a previously configured serial interface or subinterface may appear as read-only in the Interface List, see the help topic Reasons Why a Serial Interface or Subinterface Configuration May Be Read-Only.
For reasons why a previously configured ATM interface or subinterface may appear as read-only in the Interface List, see the help topic Reasons Why an ATM Interface or Subinterface Configuration May Be Read-Only.
For reasons why a previously configured Ethernet LAN or WAN interface may appear as read-only in the Interface List, see the help topic Reasons Why an Ethernet Interface Configuration May Be Read-Only.
For reasons why a previously configured ISDN BRI interface may appear as read-only in the Interface List, see the help topic Reasons Why an ISDN BRI Interface Configuration May Be Read-Only.

Connection: Ethernet for IRB

This dialog box contains the following fields if you selected Ethernet for IRB in the Configure list.
Current Bridge Group/Associated BVI
These read-only fields contain the current bridge group value and the current Bridge-Group Virtual Interface (BVI) name.
Create a new Bridge Group/Join an existing Bridge Group
Select whether you want to make this interface a member of a new Bridge Group, or if you want to join an existing Bridge Group. If you want to create a new Bridge Group, enter a number in the range 1-255. If you want to have the interface join an existing Bridge Group, select the BVI interface that is already a member of that group.
IP Address
Enter the IP address and subnet mask in the fields provided.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes.
Note This feature appears only if supported by your Cisco server's IOS.
To choose a dynamic DNS method to use, do one of the following:
Enter the name of an existing dynamic DNS method.
Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods.
Choose an existing dynamic DNS method from a list.
Click the drop-down menu and choose to use an existing method. A window with a list of existing dynamic DNS methods will open. This menu choice is available only if there are existing dynamic DNS methods.
Create a new dynamic DNS method.
Click the drop-down menu and choose to create a new dynamic DNS method.
To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu.

Connection: Ethernet for Routing

This dialog box contains the following fields if you selected Ethernet for Routing in the Configure list.
IP Address
Enter an IP address and subnet mask in the IP Address fields. This address will be the source IP address for traffic originating from this interface, and the destination IP address for traffic destined for hosts connected to this interface.
DHCP Relay
Click this button to enable the router to act as a DHCP relay. A device acting as a DHCP relay forwards DHCP requests to a DHCP server. When a device needs to have an IP address dynamically assigned, it broadcasts a DHCP request. A DHCP server replies to this request with an IP address. You can have a maximum of one DHCP relay or one DHCP server per subnetwork.
Note If the router has been previously configured to be a DHCP relay and is configured to have more than one remote DHCP server IP address, these fields will be disabled.
IP Address of Remote DHCP Server
Enter the IP address of the DHCP server that will provide addresses to devices on the LAN.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes.
Note This feature appears only if supported by your Cisco server's IOS.
To choose a dynamic DNS method to use, do one of the following:
Enter the name of an existing dynamic DNS method.
Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods.
Choose an existing dynamic DNS method from a list.
Click the drop-down menu and choose to use an existing method. A window with a list of existing dynamic DNS methods will open. This menu choice is available only if there are existing dynamic DNS methods.
Create a new dynamic DNS method.
Click the drop-down menu and choose to create a new dynamic DNS method.
To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu.

Existing Dynamic DNS Methods

This window allows you to choose a method to associate with a WAN interface.
The list of existing dynamic DNS methods shows each method's name and associated parameters. Select a method from the list, then click OK to associate it with the WAN interface.
To add, edit, or delete dynamic DNS methods, go to Configure > Additional Tasks > Dynamic DNS Methods.

Add Dynamic DNS Method

This window allows you to add a dynamic DNS method. Choose the type of method, HTTP or IETF, and configure it.
HTTP
HTTP is a dynamic DNS method type that updates a DNS service provider with changes to the associated interface's IP address.
Server
If using HTTP, choose the domain address of the DNS service provider from the drop-down menu.
Username
If using HTTP, enter a username for accessing the DNS service provider.
Password
If using HTTP, enter a password for accessing the DNS service provider.
IETF
IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface's IP address.
DNS Server
If using IETF, and no DNS server has been configured for the router in Configure > Additional Tasks > DNS, then enter the IP address of your DNS server.
Hostname
Enter a host name if HostName is not configured in Configure > Additional Tasks > Router Properties, or if you want to override HostName. The dynamic DNS method sends the host name along with the interface's new IP address.
Domain Name
Enter a domain name if Domain Name is not configured in Configure > Additional Tasks > Router Properties, or if you want to override Domain Name. The dynamic DNS method sends the domain name along with the interface's new IP address.

Wireless

If the router has a wireless interface, you can launch the Wireless Application from this tab. You can also launch the Wireless Application from the Tools menu by selecting Tools>Wireless Application.
Association
Use this window to view, create, edit, or delete associations between interfaces and rules or VPN connections.
Interface
The name of the interface you selected in the Interfaces and Connections window.
Access Rule
The names or numbers of any access rules associated with this interface. Access rules permit or deny traffic that matches the IP address and service criteria specified in the rule.
Inbound
The name or number of an access rule applied to inbound traffic on this interface. If you want to apply a rule, click the button and either select an existing rule or create a rule and select it.
When a rule is applied to inbound traffic on an interface, the rule filters traffic before it enters the router. Any packet that the rule does not permit is dropped and will not be routed to another interface. When you apply a rule to the inbound direction on an interface, you are not only preventing it from entering a trusted network connected to the router, you are preventing it from being routed anywhere else by the local router.
Outbound
The name or number of an access rule applied to outbound traffic on this interface. If you want to apply a rule, click the button and either select an existing rule or create a rule and select it.
When a rule is applied to outbound traffic on an interface, the rule filters traffic after it has entered the router but before it exits the interface. Any packet that the rule does not permit is dropped before it leaves the interface.
Inspect Rule
The names of inspection rules associated with this interface. Inspection rules create temporary holes in firewalls so that hosts inside the firewall that started sessions can receive return traffic of the same type.
Inbound
The name or number of an inspection rule applied to inbound traffic on this interface. If you want to apply a rule, click the button and either select an existing rule or create a rule and select it.
Outbound
The name or number of an inspection rule applied to outbound traffic on this interface. If you want to apply a rule, click the button and either select an existing rule or create a rule and select it.
VPN
VPNs protect traffic that may flow over lines that your organization does not control. You can use the selected interface in a VPN by associating it with an IPSec policy.
IPSec Policy
The configured IPSec policy associated with this interface. To associate the interface with an IPSec policy, select the policy from this list.
Note An interface can be associated with only one IPSec policy.
Note To create a GRE-over-IPSec Tunnel, you must first associate the policy with the Tunnel interface, and then associate it with the source interface for the tunnel. For example, if you wanted to associate a policy with Tunnel3, whose source interface is Serial0/0, you would first select Tunnel3 in the Interfaces and Connections window, click Edit and associate the policy with it, and then click OK. Then you would select the Serial0/0 interface and associate the same policy with it.
EzVPN
If the interface is used in an Easy VPN connection, the name of the connection is shown here.
Note An interface cannot be used in both a virtual private network (VPN) connection and an Easy VPN connection.
Making Association Changes
When you change the association properties of an interface, the changes are reflected in the lower portion of the Interfaces and Connections window. For example, if you associate an IPSec policy with the interface, the name of the IPSec policy appears in the lower portion of the window. If you delete an association, the value in the Name column changes to <None>.
NAT
If you intend to use this interface in a NAT configuration, you must designate it as either an inside or an outside interface. Select the traffic direction to which NAT is to be applied. If the interface connects to a LAN that the router serves, select Inside. If it connects to the Internet or to your organization's WAN, select Outside. If you have selected an interface that cannot be used in a NAT configuration, such as a logical interface, this field is disabled and contains the value Not Supported.

Edit Switch Port

This screen lets you edit VLAN information for Ethernet switch ports.
Mode Group
Choose the type of VLAN information you want to be carried across this Ethernet switch port. Choosing Access causes the switch port to forward only data destined for the specific VLAN number. Choosing Trunking causes the switch port to forward data for all VLANs, including the VLAN data itself. Choose Trunking only for “trunking” VLAN ports that connect to other networking devices, such as another switch, that will connect to devices in multiple VLANs.
VLAN
To assign the switch port to a VLAN, enter the VLAN number to which this switch port should belong. If the switch port does not already have a VLAN associated with it, this field will show the default value of VLAN 1. To create a new VLAN interface corresponding to the VLAN ID, enter that VLAN ID here and check the Make VLAN visible to interface list check box.
Make VLAN visible to interface list
Check this box if you want to create a new VLAN with the VLAN ID specified in the VLAN field.

Stacking Partner
Select a switch module as the stacking partner to use. When a device contains multiple switching modules, these must be stacked before other stacking partners.
Bridge Group Number
If you want this switch port to form part of a bridge to a wireless network, enter the number of an existing bridge group.

General

This window displays general security settings and allows you to enable or disable them by checking or unchecking the check box next to the name and description. If you have allowed the Security Audit feature to disable certain properties, but you want to reenable them, you can reenable them in this window. The properties listed in this screen are as follows:
Description
You can enter a short description in this field. This description will be visible in the Edit Interfaces and Connections window. A description can help others who might be less familiar with the router configuration to understand the purpose of the configuration. A description such as “Accounting” or “Test Net 5” lets SDM users know the purpose of the interface without their having to examine details of the configuration.
IP Directed Broadcasts
An IP directed broadcast is a datagram which is sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, the one that is connected directly to the target subnet, can conclusively identify a directed broadcast. Directed broadcasts are occasionally used for legitimate purposes, but such use is not common outside the financial services industry.
IP directed broadcasts are used in the extremely common and popular “smurf” Denial-of-Service attack, and they can also be used in related attacks. In a “smurf” attack, the attacker sends ICMP echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified.
Disabling IP directed broadcasts causes directed broadcasts that would otherwise be exploded into link-layer broadcasts at that interface to be dropped instead.
IP Proxy ARP
ARP is used by the network to convert IP addresses into MAC addresses. Normally ARP is confined to a single LAN, but a router can act as a proxy for ARP requests, making ARP queries available across multiple LAN segments. Because it breaks the LAN security barrier, proxy ARP should be used only between two LANs with an equal security level, and only when necessary.
IP Route Cache-Flow
This option enables the Cisco IOS NetFlow feature. Using NetFlow, you can determine packet distribution, protocol distribution, and current flows of data on the router. This is valuable data, particularly when searching for the source of a spoofed IP address attack.
IP Redirects
ICMP redirect messages instruct an end node to use a specific router as its path to a particular destination. In a properly functioning IP network, a router will send redirects only to hosts on its own local subnets, no end node will ever send a redirect, and no redirect will ever be traversed more than one network hop. However, an attacker may violate these rules; some attacks are based on this. Disabling ICMP redirects will cause no operational impact to the network, and it eliminates this possible method of attack.
IP Mask-Reply
ICMP mask reply messages are sent when a network device must know the subnet mask for a particular subnetwork in the internetwork. ICMP mask reply messages are sent to the device requesting the information by devices that have the requested information. These messages can be used by an attacker to gain network mapping information.
IP Unreachables
ICMP host unreachable messages are sent out if a router receives a nonbroadcast packet that uses an unknown protocol, or if the router receives a packet that it is unable to deliver to the ultimate destination because it knows of no route to the destination address. These messages can be used by an attacker to gain network mapping information.
QoS
You can associate a QoS policy with an interface in this tab, or dissociate a policy from an interface.

Dissociate Current QoS Policy checkbox
Enabled when a QoS policy is associated with the interface. Check to dissociate the currently associated policy from the interface.
Associate an existing QoS policy checkbox
Click to associate an existing policy, and then select the QoS policy from the list.

Select Ethernet Configuration Type

This window is displayed when you click on an interface in the Interfaces and Connections window and SDM cannot determine whether it is configured as a LAN interface or as a WAN interface. When you configure an interface using SDM, you designate it as an inside or outside interface, and SDM adds a descriptive comment to the configuration file based on your designation. If you have configured an interface using the command-line interface (CLI), the configuration will not include this descriptive comment, and SDM will not have this information.
To indicate that the interface is a LAN interface:
Click LAN, and then click OK. SDM adds the comment line $ETH-LAN$ to the interface’s configuration, and the interface appears in the LAN wizard window, and appears with the designation Inside in the Interfaces and Connections window.
To indicate that the interface is a WAN interface:
Click WAN, and then click OK. SDM adds the comment line $ETH-WAN$ to the interface’s configuration, and the interface appears in the WAN wizard window, and appears with the designation Outside in the Interfaces and Connections window.
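As an added example that is not part of the SDM documentation, the following Python script reads a Cisco IOS running-config excerpt (constructed here) and reports, for each interface, the state of the settings the General tab controls together with the $ETH-LAN$/$ETH-WAN$ designation described above, then lists the interface-mode commands that would turn the risky settings off. The IOS command names, their default states, and the placement of the designation marker in the description line are assumptions based on Cisco IOS 12.x and should be verified against your release.

```python
"""Audit the per-interface settings behind the SDM General tab (IP directed
broadcasts, proxy ARP, NetFlow route-cache, ICMP redirects, mask replies and
unreachables) plus the $ETH-LAN$/$ETH-WAN$ designation comment.
Added example, not SDM code; the running-config below is constructed."""
from dataclasses import dataclass, field

# Interface-level IOS command behind each General tab check box, and the state
# assumed when the running-config shows neither the command nor its "no" form
# (assumption: Cisco IOS 12.x defaults; verify against your release).
SETTINGS = {
    "IP Directed Broadcasts": ("ip directed-broadcast", False),
    "IP Proxy ARP":           ("ip proxy-arp",          True),
    "IP Route Cache-Flow":    ("ip route-cache flow",   False),
    "IP Redirects":           ("ip redirects",          True),
    "IP Mask-Reply":          ("ip mask-reply",         False),
    "IP Unreachables":        ("ip unreachables",       True),
}

# Settings the General tab describes as abusable by an attacker when enabled.
RISKY_WHEN_ENABLED = {"IP Directed Broadcasts", "IP Proxy ARP", "IP Redirects",
                      "IP Mask-Reply", "IP Unreachables"}


@dataclass
class Interface:
    name: str
    designation: str = "Unknown"          # Inside, Outside or Unknown
    settings: dict = field(default_factory=dict)


def parse_interfaces(config: str) -> list:
    """Walk a running-config and record each interface stanza's state."""
    interfaces = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            current.settings = {lbl: dflt for lbl, (_, dflt) in SETTINGS.items()}
            interfaces.append(current)
            continue
        if current is None:
            continue
        if not line.startswith(" "):      # "!" or a global command: stanza ended
            current = None
            continue
        cmd = line.strip()
        if cmd.startswith("description "):
            # Assumption: SDM stores the LAN/WAN choice in the description line.
            if "$ETH-LAN$" in cmd:
                current.designation = "Inside"
            elif "$ETH-WAN$" in cmd:
                current.designation = "Outside"
            continue
        negated = cmd.startswith("no ")
        body = cmd[3:] if negated else cmd
        for label, (ios_cmd, _) in SETTINGS.items():
            if body == ios_cmd:
                current.settings[label] = not negated
    return interfaces


def issues(itf: Interface) -> list:
    """(message, fix) pairs for one interface. NetFlow is the inverse case: it is
    flagged when *disabled* on an Outside interface, because the General tab
    recommends it for tracing the source of spoofed-address attacks."""
    out = []
    for label, enabled in itf.settings.items():
        ios_cmd = SETTINGS[label][0]
        if label in RISKY_WHEN_ENABLED and enabled:
            out.append((f"{label} enabled", f"no {ios_cmd}"))
        elif label == "IP Route Cache-Flow" and not enabled \
                and itf.designation == "Outside":
            out.append(("NetFlow disabled", ios_cmd))
    return out


def audit(config: str) -> list:
    """One finding string per issue, e.g. 'FastEthernet0/1 (Outside): IP Redirects enabled'."""
    return [f"{i.name} ({i.designation}): {msg}"
            for i in parse_interfaces(config) for msg, _ in issues(i)]


def remediation(config: str) -> dict:
    """Interface name -> interface-mode commands that clear its findings."""
    fixes = {}
    for i in parse_interfaces(config):
        cmds = [fix for _, fix in issues(i)]
        if cmds:
            fixes[i.name] = cmds
    return fixes


# Constructed running-config excerpt: an SDM-designated LAN interface that is
# already hardened, a WAN interface with risky settings on, and an undesignated
# loopback.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address 203.0.113.2 255.255.255.252
 ip directed-broadcast
 ip mask-reply
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    for name, cmds in remediation(SAMPLE_CONFIG).items():
        print(f"interface {name}")
        for c in cmds:
            print(f" {c}")
```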

Connection: VLAN

This screen lets you configure a VLAN interface.
VLAN ID
Enter the ID number of the new VLAN interface. If you are editing a VLAN interface, you cannot change the VLAN ID.
Native VLAN Checkbox
Check if this VLAN is a nontrunking VLAN.
IP Address Fields
IP Address Type
Select whether this VLAN interface will have a static IP address or no IP address. This field is visible when VLAN only is selected in the Configure As field.
IP Address
Enter the IP address of the VLAN interface.
Subnet Mask
Enter the subnet mask of the VLAN interface, or indicate the number of subnet bits using the scrolling field.

DHCP Relay
Click DHCP Relay for more information.

Connection: Subinterfaces

This window displays the subinterfaces configured for the interface that you chose, and enables you to add, edit, and remove configured subinterfaces. For each configured subinterface, the window displays the Subinterface ID, VLAN ID, IP address and mask, and a description, if one has been entered. For example, if the router had the interface FastEthernet 1, and the subinterfaces FastEthernet1.3 and FastEthernet1.5 were configured, this window might contain the following display:
Subinterface ID   VLAN ID   IP Address/Mask            Description
5                 56        56.8.1.1/255.255.255.0
3                 67                                   Bridge No. 77
In this example, FastEthernet1.5 is configured for routing, and FastEthernet1.3 is configured for IRB.
Note You must choose the physical interface on which the subinterfaces are configured to display this window. For the example described, you would have to choose FastEthernet 1 to display this window. If you chose FastEthernet1.3 or FastEthernet1.5 and clicked Edit, you would display the edit dialog with the information for that interface.
Add, Edit, and Delete Buttons
Use these buttons to configure, edit, and remove subinterfaces from the selected physical interface.

Add or Edit BVI Interface

Add or edit a Bridge Group Virtual Interface (BVI) in this window. If your router has a Dot11Radio interface, a BVI is automatically created when you configure a new bridge group. This is done to support IRB bridging. You can change the IP address and subnet mask in this screen.
IP Address/Subnet Mask
Enter the IP address and subnet mask that you want to give the BVI.

Add Loopback Interface/Connection—Loopback

This window enables you to add a loopback interface to the selected interface.
IP Address
Select whether the loopback interface is to have no IP address or a static IP address.
Static IP Address
If you selected Static IP address, enter that IP address in this field.
Subnet Mask
Enter the subnet mask in this field, or select the number of subnet bits from the field on the right. The subnet mask tells the router which bits of the IP address designate the network address and which bits designate the host address.
Connection: Ethernet LAN
Use this window to configure the IP address and DHCP properties of an Ethernet interface that you want to use as a LAN interface.
IP Address
Enter the IP address for this interface. Obtain the IP address value from your service provider or network administrator. For more information, refer to IP Addresses and Subnet Masks.
Subnet Mask
Enter the subnet mask. Obtain this value from your network administrator. The subnet mask enables the router to determine how much of the IP address is used to define the network and subnet portion of the address.
DHCP Relay
Click this button to enable the router to act as a DHCP relay. A device acting as a DHCP relay forwards DHCP requests to a DHCP server. When a device needs to have an IP address dynamically assigned, it broadcasts a DHCP request. A DHCP server replies to this request with an IP address. You can have a maximum of one DHCP relay or one DHCP server per subnetwork.
Note If the router has been previously configured to be a DHCP relay and is configured
to have more than one remote DHCP server IP address, this button will be disabled.
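As an added example that is not part of the SDM guide, the following Python code mirrors what the Subnet Mask field on the Loopback and Ethernet LAN screens accepts: it converts between a dotted mask and a number of subnet bits, splits an address into the network and host portions the mask designates, and flags addresses that cannot be assigned to an interface. The function names and sample addresses are constructed for illustration.

```python
def parse_dotted(quad: str) -> int:
    """Convert a dotted quad such as 255.255.255.0 to a 32-bit integer."""
    parts = quad.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {quad!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_bits(bits: int) -> int:
    """Number of subnet bits (the field on the right) -> 32-bit mask."""
    if not 0 <= bits <= 32:
        raise ValueError("subnet bits must be between 0 and 32")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def bits_from_mask(mask: int) -> int:
    """Dotted mask -> number of subnet bits; rejects non-contiguous masks."""
    bits = bin(mask).count("1")
    if mask != mask_from_bits(bits):
        raise ValueError(f"non-contiguous subnet mask {to_dotted(mask)}")
    return bits


def check_address(ip: str, mask: str) -> dict:
    """Accepts the mask as dotted ('255.255.255.0') or as bits ('24' or '/24')."""
    addr = parse_dotted(ip)
    m = mask.strip().lstrip("/")
    mask_int = mask_from_bits(int(m)) if m.isdigit() else parse_dotted(m)
    bits = bits_from_mask(mask_int)
    host_mask = ~mask_int & 0xFFFFFFFF
    network = addr & mask_int          # bits the mask marks as network
    host = addr & host_mask            # bits the mask marks as host
    broadcast = network | host_mask
    # /31 and /32 have no separate network or broadcast address (a /32 is
    # the usual choice for a loopback); otherwise those two are not assignable.
    usable = bits >= 31 or addr not in (network, broadcast)
    return {
        "mask": to_dotted(mask_int),
        "bits": bits,
        "network": to_dotted(network),
        "host_part": host,
        "broadcast": to_dotted(broadcast),
        "usable_host": usable,
    }
```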
IP Address of Remote DHCP Server
If you clicked DHCP Relay, enter the IP address of the DHCP server that will provide addresses to devices on the LAN.
Connection: Ethernet WAN
This window lets you add an Ethernet WAN connection.
Enable PPPoE Encapsulation
Click this option if the connection must use PPPoE encapsulation. Your service provider can tell you whether the connection uses PPPoE. When you configure a PPPoE connection, a Dialer interface is automatically created.
IP Address
Select one of the following IP address types, and enter the information in the displayed fields. If the Ethernet connection is not using PPPoE, you will see only the Static IP address and Dynamic options.
Static IP Address
If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
Dynamic (DHCP Client)
If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server from which addresses will be leased.
IP Unnumbered
Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, select the interface whose IP address you want the interface you are configuring to use.
Easy IP (IP Negotiated)
Select Easy IP (IP Negotiated) if the router will obtain an IP address via Point-to-Point Protocol/IP Control Protocol (PPP/IPCP) address negotiation.
Authentication
Click this button to enter CHAP/PAP authentication password information.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes.
Note This feature appears only if supported by the Cisco IOS release on your device.
To choose a dynamic DNS method to use, do one of the following:
Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods.
Choose an existing dynamic DNS method from a list. Click the drop-down menu and choose to use an existing method. A window with a list of existing dynamic DNS methods will open. This menu choice is available only if there are existing dynamic DNS methods.
Create a new dynamic DNS method. Click the drop-down menu and choose to create a new dynamic DNS method.
To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu.
Ethernet Properties
This window enables you to configure properties for an Ethernet WAN link.
Enable PPPoE Encapsulation
Click Enable PPPoE encapsulation if your service provider requires that you use it. PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation.
IP Address
Static IP Address
Available with PPPoE encapsulation and with no encapsulation. If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
Dynamic (DHCP Client)
Available with PPPoE encapsulation and with no encapsulation. If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
IP Unnumbered
Available with PPPoE encapsulation. Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP address you want the interface that you are configuring to use.
Easy IP (IP Negotiated)
Available with PPPoE encapsulation. Select Easy IP (IP Negotiated) if the router will obtain an IP address via PPP/IPCP address negotiation.
Authentication
Click this button to enter CHAP/PAP authentication password information.
Connection: Ethernet with No Encapsulation
Use this screen to configure an Ethernet connection with no encapsulation.
IP Address
Select how the router will obtain an IP address for this link.
Static IP address—If you choose static IP address, enter the IP address and subnet mask, or network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
Dynamic IP address—If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Then, enter the name or IP address of the DHCP server.
Hostname
If your service provider inserts a host name for the router into the DHCP response that contains the dynamic IP address, you can enter that name in this field for informational purposes.
Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes.
Note This feature appears only if supported by the Cisco IOS release on your device.
To choose a dynamic DNS method to use, do one of the following:
Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods.
Choose an existing dynamic DNS method from a list. Click the drop-down menu and choose to use an existing method. A window with a list of existing dynamic DNS methods will open. This menu choice is available only if there are existing dynamic DNS methods.
Create a new dynamic DNS method. Click the drop-down menu and choose to create a new dynamic DNS method.
To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu.
Connection: ADSL
This window enables you to specify or edit properties of a PPPoE link supported by an ADSL connection.
Encapsulation
Select the type of encapsulation that will be used for this link.
PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation.
PPPoA specifies Point-to-Point Protocol over ATM encapsulation.
RFC 1483 Routing (AAL5 SNAP) specifies that each PVC can carry multiple protocols.
RFC 1483 Routing (AAL5 MUX) specifies that each PVC carry only one type of protocol.
If you are editing a connection, the encapsulation is shown, but not editable. If you need to change the encapsulation type, delete the connection, and recreate it, using the encapsulation type you need.
For more information on these encapsulation types, click Encapsulation.
Virtual Path Identifier
The virtual path identifier (VPI) is used in ATM switching and routing to identify the path used for a number of connections. Enter the VPI value given to you by your service provider.
If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and recreate it using the value you need.
Virtual Circuit Identifier
The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular connection within a path that it may share with other connections. Enter the VCI value given to you by your service provider.
If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and recreate it using the value you need.
IP Address
Select how the router will obtain an IP address for this link.
Static IP address—If you choose static IP address, enter the IP address and subnet mask, or network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.