Cisco Router and Security Device User Manual

Cisco Router and Security Device Manager User’s Guide 2.5
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
Fax: 408 527-0883
Customer Order Number:
Text Part Number: OL-4015-12
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Router and Security Device Manager 2.5 User’s Guide
© 2007 Cisco Systems, Inc. All rights reserved.
Contents

Home Page 1
Creating a New Connection 1
Creating a New Connection 1
New Connection Reference 2
Create Connection 2
Additional Procedures 3
How Do I Configure a Static Route? 4
How Do I View Activity on My LAN Interface? 4
How Do I Enable or Disable an Interface? 5
How Do I View the IOS Commands I Am Sending to the Router? 5
How Do I Launch the Wireless Application from Cisco SDM? 6
How Do I Configure an Unsupported WAN Interface? 6
How Do I Enable or Disable an Interface? 7
How Do I View Activity on My WAN Interface? 7
How Do I Configure NAT on a WAN Interface? 8
How Do I Configure NAT on an Unsupported Interface? 9
How Do I Configure a Dynamic Routing Protocol? 9
How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface? 10
How Do I Edit a Radio Interface Configuration? 11
LAN Wizard 1
Ethernet Configuration 2
LAN Wizard: Select an Interface 2
LAN Wizard: IP Address and Subnet Mask 3
LAN Wizard: Enable DHCP Server 3
LAN Wizard: DHCP Address Pool 4
DHCP Options 4
LAN Wizard: VLAN Mode 5
LAN Wizard: Switch Port 6
IRB Bridge 7
BVI Configuration 8
DHCP Pool for BVI 8
IRB for Ethernet 9
Layer 3 Ethernet Configuration 9
802.1Q Configuration 10
Trunking or Routing Configuration 10
Configure Switch Device Module 10
Configure Gigabit Ethernet Interface 11
Summary 11
802.1x Authentication 1
LAN Wizard: 802.1x Authentication (Switch Ports) 1
Advanced Options 2
LAN Wizard: RADIUS Servers for 802.1x Authentication 4
Edit 802.1x Authentication (Switch Ports) 6
LAN Wizard: 802.1x Authentication (VLAN or Ethernet) 7
802.1x Exception List 8
802.1x Authentication on Layer 3 Interfaces 9
Edit 802.1x Authentication 10
How Do I ... 11
How Do I Configure 802.1x Authentication on More Than One Ethernet Port? 11
Configuring WAN Connections 1
Configuring an Ethernet WAN Connection 1
Ethernet WAN Connection Reference 2
WAN Wizard Interface Welcome Window 2
Select Interface 3
IP Address: Ethernet without PPPoE 3
Encapsulation: PPPoE 4
Summary 5
Advanced Options 5
Configuring a Serial Connection 6
Serial Connection Reference 7
IP Address: Serial with Point-to-Point Protocol 7
IP Address: Serial with HDLC or Frame Relay 8
Authentication 9
Configure LMI and DLCI 10
Configure Clock Settings 11
Configuring a DSL Connection 13
DSL Connection Reference 14
IP Address: ATM or Ethernet with PPPoE/PPPoA 14
IP Address: ATM with RFC 1483 Routing 15
Encapsulation Autodetect 16
PVC 18
Configuring an ISDN Connection 20
ISDN Connection Reference 20
ISDN Wizard Welcome Window 21
IP Address: ISDN BRI or Analog Modem 21
Switch Type and SPIDs 22
Dial String 23
Configuring an Aux Backup Connection 24
Aux Backup Connection Reference 24
Aux Backup Welcome Window 25
Backup Configuration 25
Backup Configuration: Primary Interface and Next Hop IP Addresses 26
Backup Configuration: Hostname or IP Address to Be Tracked 27
Configuring an Analog Modem Connection 27
Analog Modem Connection Reference 28
Analog Modem Welcome 28
Configuring a Cable Modem Connection 29
Cable Modem Connection Reference 29
Cable Modem Connection Wizard Welcome 30
Select Interface 30
Summary 30
Edit Interface/Connection 1
Connection: Ethernet for IRB 5
Connection: Ethernet for Routing 6
Existing Dynamic DNS Methods 7
Add Dynamic DNS Method 7
Wireless 9
Association 9
NAT 11
Edit Switch Port 12
Application Service 13
General 14
Select Ethernet Configuration Type 16
Connection: VLAN 17
Subinterfaces List 17
Add or Edit BVI Interface 18
Add or Edit Loopback Interface 18
Connection: Virtual Template Interface 19
Connection: Ethernet LAN 19
Connection: Ethernet WAN 20
Connection: Ethernet Properties 22
Connection: Ethernet with No Encapsulation 24
Connection: ADSL 25
Connection: ADSL over ISDN 28
Connection: G.SHDSL 30
Connection: Cable Modem 34
Configure DSL Controller 35
Add a G.SHDSL Connection 37
Connection: Serial Interface, Frame Relay Encapsulation 40
Connection: Serial Interface, PPP Encapsulation 43
Connection: Serial Interface, HDLC Encapsulation 45
Add or Edit GRE Tunnel 46
Connection: ISDN BRI 48
Connection: Analog Modem 51
Connection: (AUX Backup) 53
Authentication 55
SPID Details 56
Dialer Options 57
Backup Configuration 59
Delete Connection 60
Connectivity Testing and Troubleshooting 62
Wide Area Application Services 1
Configuring a WAAS Connection 2
WAAS Reference 3
NM WAAS 4
Integrated Service Engine 6
WCCP 7
Central Manager Registration 8
Create Firewall 1
Basic Firewall Configuration Wizard 4
Basic Firewall Interface Configuration 4
Configuring Firewall for Remote Access 5
Advanced Firewall Configuration Wizard 5
Advanced Firewall Interface Configuration 5
Advanced Firewall DMZ Service Configuration 6
DMZ Service Configuration 7
Application Security Configuration 8
Domain Name Server Configuration 9
URL Filter Server Configuration 9
Select Interface Zone 9
ZPF Inside Zones 10
Voice Configuration 10
Summary 11
SDM Warning: SDM Access 13
How Do I... 15
How Do I View Activity on My Firewall? 15
How Do I Configure a Firewall on an Unsupported Interface? 17
How Do I Configure a Firewall After I Have Configured a VPN? 17
How Do I Permit Specific Traffic Through a DMZ Interface? 18
How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? 19
How Do I Configure NAT on an Unsupported Interface? 19
How Do I Configure NAT Passthrough for a Firewall? 20
How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? 20
How Do I Associate a Rule with an Interface? 22
How Do I Disassociate an Access Rule from an Interface? 22
How Do I Delete a Rule That Is Associated with an Interface? 23
How Do I Create an Access Rule for a Java List? 23
How Do I Permit Specific Traffic onto My Network if I Don’t Have a DMZ Network? 24
Firewall Policy 1
Edit Firewall Policy/ACL 1
Choose a Traffic Flow 3
Examine the Traffic Diagram and Choose a Traffic Direction 4
Make Changes to Access Rules 6
Make Changes to Inspection Rules 10
Add App-Name Application Entry 12
Add rpc Application Entry 12
Add Fragment Application Entry 13
Add or Edit http Application Entry 14
Java Applet Blocking 15
Cisco SDM Warning: Inspection Rule 16
Cisco SDM Warning: Firewall 17
Edit Firewall Policy 17
Add a New Rule 21
Add Traffic 22
Application Inspection 23
URL Filter 24
Quality of Service 24
Inspect Parameter 24
Select Traffic 24
Delete Rule 25
Application Security 1
Application Security Windows 1
No Application Security Policy 3
E-mail 4
Instant Messaging 5
Peer-to-Peer Applications 6
URL Filtering 7
HTTP 8
Header Options 9
Content Options 10
Applications/Protocols 12
Timeouts and Thresholds for Inspect Parameter Maps and CBAC 13
Associate Policy with an Interface 16
Edit Inspection Rule 16
Permit, Block, and Alarm Controls 17
Site-to-Site VPN 1
VPN Design Guide 1
Create Site to Site VPN 1
Site-to-Site VPN Wizard 4
View Defaults 5
VPN Connection Information 6
IKE Proposals 8
Transform Set 11
Traffic to Protect 13
Summary of the Configuration 14
Spoke Configuration 15
Secure GRE Tunnel (GRE-over-IPSec) 16
GRE Tunnel Information 16
VPN Authentication Information 17
Backup GRE Tunnel Information 18
Routing Information 19
Static Routing Information 20
Select Routing Protocol 22
Summary of Configuration 23
Edit Site-to-Site VPN 23
Add New Connection 26
Add Additional Crypto Maps 26
Crypto Map Wizard: Welcome 27
Crypto Map Wizard: Summary of the Configuration 28
Delete Connection 28
Ping 29
Generate Mirror... 29
Cisco SDM Warning: NAT Rules with ACL 30
How Do I... 31
How Do I Create a VPN to More Than One Site? 31
After Configuring a VPN, How Do I Configure the VPN on the Peer Router? 33
How Do I Edit an Existing VPN Tunnel? 34
How Do I Confirm That My VPN Is Working? 35
How Do I Configure a Backup Peer for My VPN? 36
How Do I Accommodate Multiple Devices with Different Levels of VPN Support? 36
How Do I Configure a VPN on an Unsupported Interface? 37
How Do I Configure a VPN After I Have Configured a Firewall? 38
How Do I Configure NAT Passthrough for a VPN? 38
Easy VPN Remote 1
Creating an Easy VPN Remote Connection 2
Create Easy VPN Remote Reference 3
Create Easy VPN Remote 4
Configure an Easy VPN Remote Client 5
Easy VPN Remote Wizard: Network Information 5
Easy VPN Remote Wizard: Identical Address Configuration 6
Easy VPN Remote Wizard: Interfaces and Connection Settings 7
Easy VPN Remote Wizard: Server Information 9
Easy VPN Remote Wizard: Authentication 11
Easy VPN Remote Wizard: Summary of Configuration 13
Administering Easy VPN Remote Connections 14
Editing an Existing Easy VPN Remote Connection 15
Creating a New Easy VPN Remote Connection 15
Deleting an Easy VPN Remote Connection 16
Resetting an Established Easy VPN Remote Connection 16
Connecting to an Easy VPN Server 17
Connecting Other Subnets to the VPN Tunnel 17
Administering Easy VPN Remote Reference 18
Edit Easy VPN Remote 18
Add or Edit Easy VPN Remote 23
Add or Edit Easy VPN Remote: General Settings 25
Network Extension Options 28
Add or Edit Easy VPN Remote: Easy VPN Settings 28
Add or Edit Easy VPN Remote: Authentication Information 30
Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication 33
Add or Edit Easy VPN Remote: Interfaces and Connections 35
Add or Edit Easy VPN Remote: Identical Addressing 37
Easy VPN Remote: Add a Device 39
Enter SSH Credentials 39
XAuth Login Window 40
Other Procedures 40
How Do I Edit an Existing Easy VPN Connection? 40
How Do I Configure a Backup for an Easy VPN Connection? 41
Easy VPN Server 1
Creating an Easy VPN Server Connection 1
Create an Easy VPN Server Reference 3
Create an Easy VPN Server 4
Welcome to the Easy VPN Server Wizard 4
Interface and Authentication 4
Group Authorization and Group Policy Lookup 5
User Authentication (XAuth) 6
User Accounts for XAuth 7
Add RADIUS Server 8
Group Authorization: User Group Policies 9
General Group Information 10
DNS and WINS Configuration 11
Split Tunneling 11
Client Settings 12
Choose Browser Proxy Settings 15
Add or Edit Browser Proxy Settings 16
User Authentication (XAuth) 17
Client Update 18
Add or Edit Client Update Entry 19
Cisco Tunneling Control Protocol 20
Summary 21
Browser Proxy Settings 21
Editing Easy VPN Server Connections 23
Edit Easy VPN Server Reference 23
Edit Easy VPN Server 24
Add or Edit Easy VPN Server Connection 25
Restrict Access 26
Group Policies Configuration 26
IP Pools 29
Add or Edit IP Local Pool 29
Add IP Address Range 30
Enhanced Easy VPN 1
Interface and Authentication 1
RADIUS Servers 2
Group Authorization and Group User Policies 4
Add or Edit Easy VPN Server: General Tab 5
Add or Edit Easy VPN Server: IKE Tab 6
Add or Edit Easy VPN Server: IPSec Tab 8
Create Virtual Tunnel Interface 10
DMVPN 1
Dynamic Multipoint VPN 1
Dynamic Multipoint VPN (DMVPN) Hub Wizard 2
Type of Hub 3
Configure Pre-Shared Key 3
Hub GRE Tunnel Interface Configuration 4
Advanced Configuration for the Tunnel Interface 5
Primary Hub 6
Select Routing Protocol 7
Routing Information 7
Dynamic Multipoint VPN (DMVPN) Spoke Wizard 9
DMVPN Network Topology 9
Specify Hub Information 10
Spoke GRE Tunnel Interface Configuration 10
Cisco SDM Warning: DMVPN Dependency 11
Edit Dynamic Multipoint VPN (DMVPN) 12
General Panel 14
NHRP Panel 15
NHRP Map Configuration 16
Routing Panel 17
How Do I Configure a DMVPN Manually? 19
VPN Global Settings 1
VPN Global Settings 1
VPN Global Settings: IKE 3
VPN Global Settings: IPSec 4
VPN Global Settings: Easy VPN Server 5
VPN Key Encryption Settings 6
IP Security 1
IPSec Policies 1
Add or Edit IPSec Policy 3
Add or Edit Crypto Map: General 5
Add or Edit Crypto Map: Peer Information 6
Add or Edit Crypto Map: Transform Sets 7
Add or Edit Crypto Map: Protecting Traffic 9
Dynamic Crypto Map Sets 11
Add or Edit Dynamic Crypto Map Set 11
Associate Crypto Map with this IPSec Policy 12
IPSec Profiles 12
Add or Edit IPSec Profile 13
Add or Edit IPSec Profile and Add Dynamic Crypto Map 14
Transform Set 15
Add or Edit Transform Set 18
IPSec Rules 20
Internet Key Exchange 1
Internet Key Exchange (IKE) 1
IKE Policies 2
Add or Edit IKE Policy 4
IKE Pre-shared Keys 6
Add or Edit Pre-shared Key 7
IKE Profiles 8
Add or Edit an IKE Profile 9
Public Key Infrastructure 1
Certificate Wizards 1
Welcome to the SCEP Wizard 2
Certificate Authority (CA) Information 3
Advanced Options 4
Certificate Subject Name Attributes 4
Other Subject Attributes 6
RSA Keys 7
Summary 8
CA Server Certificate 9
Enrollment Status 9
Cut and Paste Wizard Welcome 9
Enrollment Task 10
Enrollment Request 10
Continue with Unfinished Enrollment 11
Import CA certificate 12
Import Router Certificate(s) 12
Digital Certificates 13
Trustpoint Information 15
Certificate Details 15
Revocation Check 15
Revocation Check, CRL Only 16
RSA Keys Window 16
Generate RSA Key Pair 17
USB Token Credentials 18
USB Tokens 19
Add or Edit USB Token 20
Open Firewall 22
Open Firewall Details 23
Certificate Authority Server 1
Create CA Server 1
Prerequisite Tasks for PKI Configurations 2
CA Server Wizard: Welcome 3
CA Server Wizard: Certificate Authority Information 3
Advanced Options 5
CA Server Wizard: RSA Keys 7
Open Firewall 8
CA Server Wizard: Summary 8
Manage CA Server 9
Backup CA Server 11
Manage CA Server Restore Window 11
Restore CA Server 11
Edit CA Server Settings: General Tab 12
Edit CA Server Settings: Advanced Tab 13
Manage CA Server: CA Server Not Configured 13
Manage Certificates 13
Pending Requests 13
Revoked Certificates 15
Revoke Certificate 16
Cisco IOS SSL VPN 1
Cisco IOS SSL VPN links on Cisco.com 2
Creating an SSL VPN Connection 2
Create an SSL VPN Connection Reference 3
Create SSL VPN 4
Persistent Self-Signed Certificate 6
Welcome 7
SSL VPN Gateways 7
User Authentication 8
Configure Intranet Websites 10
Add or Edit URL 10
Customize SSL VPN Portal 11
SSL VPN Passthrough Configuration 11
User Policy 12
Details of SSL VPN Group Policy: Policyname 12
Select the SSL VPN User Group 13
Select Advanced Features 13
Thin Client (Port Forwarding) 13
Add or Edit a Server 14
Full Tunnel 15
Locating the Install Bundle for Cisco SDM 16
Enable Cisco Secure Desktop 18
Common Internet File System 19
Enable Clientless Citrix 19
Summary 20
Editing SSL VPN Connections 20
Editing SSL VPN Connection Reference 21
Edit SSL VPN 22
SSL VPN Context 23
Designate Inside and Outside Interfaces 25
Select a Gateway 25
Context: Group Policies 26
Group Policy: General Tab 26
Group Policy: Clientless Tab 27
Group Policy: Thin Client Tab 29
Group Policy: SSL VPN Client (Full Tunnel) Tab 29
Advanced Tunnel Options 31
DNS and WINS Servers 33
Context: HTML Settings 33
Select Color 35
Context: NetBIOS Name Server Lists 35
Add or Edit a NBNS Server List 35
Add or Edit an NBNS Server 36
Context: Port Forward Lists 36
Add or Edit a Port Forward List 36
Context: URL Lists 36
Add or Edit a URL List 37
Context: Cisco Secure Desktop 37
SSL VPN Gateways 37
Add or Edit a SSL VPN Gateway 38
Packages 39
Install Package 40
Additional Help Topics 40
Cisco IOS SSL VPN Contexts, Gateways, and Policies 40
Learn More About Port Forwarding Servers 46
Learn More About Group Policies 47
Learn More About Split Tunneling 48
How Do I Verify That My Cisco IOS SSL VPN Is Working? 49
How Do I Configure a Cisco IOS SSL VPN After I Have Configured a Firewall? 50
How Do I Associate a VRF Instance with a Cisco IOS SSL VPN Context? 50
SSL VPN Enhancements 1
SSL VPN Reference 1
SSL VPN Context: Access Control Lists 1
Add or Edit Application ACL 2
Add ACL Entry 3
Action URL Time Range 4
Add or Edit Action URL Time Range Dialog 5
Add or Edit Absolute Time Range Entry 6
Add or Edit Periodic Time Range Entry 7
VPN Troubleshooting 1
VPN Troubleshooting 1
VPN Troubleshooting: Specify Easy VPN Client 3
VPN Troubleshooting: Generate Traffic 4
VPN Troubleshooting: Generate GRE Traffic 5
Cisco SDM Warning: SDM will enable router debugs... 6
Security Audit 1
Welcome Page 4
Interface Selection Page 4
Report Card Page 5
Fix It Page 5
Disable Finger Service 6
Disable PAD Service 7
Disable TCP Small Servers Service 7
Disable UDP Small Servers Service 8
Disable IP BOOTP Server Service 8
Disable IP Identification Service 9
Disable CDP 9
Disable IP Source Route 10
Enable Password Encryption Service 10
Enable TCP Keepalives for Inbound Telnet Sessions 11
Enable TCP Keepalives for Outbound Telnet Sessions 11
Enable Sequence Numbers and Time Stamps on Debugs 11
Enable IP CEF 12
Disable IP Gratuitous ARPs 12
Set Minimum Password Length to Less Than 6 Characters 12
Set Authentication Failure Rate to Less Than 3 Retries 13
Set TCP Synwait Time 13
Set Banner 14
Enable Logging 14
Set Enable Secret Password 15
Disable SNMP 15
Set Scheduler Interval 16
Set Scheduler Allocate 16
Set Users 17
Enable Telnet Settings 17
Enable NetFlow Switching 17
Disable IP Redirects 18
Disable IP Proxy ARP 18
Disable IP Directed Broadcast 19
Disable MOP Service 20
Disable IP Unreachables 20
Disable IP Mask Reply 20
Disable IP Unreachables on NULL Interface 21
Enable Unicast RPF on Outside Interfaces 22
Enable Firewall on All of the Outside Interfaces 22
Set Access Class on HTTP Server Service 23
Set Access Class on VTY Lines 23
Enable SSH for Access to the Router 24
Enable AAA 24
Configuration Summary Screen 25
Cisco SDM and Cisco IOS AutoSecure 25
Security Configurations Cisco SDM Can Undo 27
Undoing Security Audit Fixes 28
Add or Edit Telnet/SSH Account Screen 28
Configure User Accounts for Telnet/SSH Page 29
Enable Secret and Banner Page 30
Logging Page 31
Routing 1
Add or Edit IP Static Route 3
Add or Edit an RIP Route 5
Add or Edit an OSPF Route 5
Add or Edit EIGRP Route 7
Network Address Translation 1
Network Address Translation Wizards 1
Basic NAT Wizard: Welcome 2
Basic NAT Wizard: Connection 2
Summary 3
Advanced NAT Wizard: Welcome 3
Advanced NAT Wizard: Connection 4
Add IP Address 4
Advanced NAT Wizard: Networks 4
Add Network 5
Advanced NAT Wizard: Server Public IP Addresses 5
Add or Edit Address Translation Rule 6
Advanced NAT Wizard: ACL Conflict 7
Details 8
Network Address Translation Rules 8
Designate NAT Interfaces 12
Translation Timeout Settings 12
Edit Route Map 13
Edit Route Map Entry 14
Address Pools 15
Add or Edit Address Pool 16
Add or Edit Static Address Translation Rule: Inside to Outside 17
Add or Edit Static Address Translation Rule: Outside to Inside 20
Add or Edit Dynamic Address Translation Rule: Inside to Outside 23
Add or Edit Dynamic Address Translation Rule: Outside to Inside 26
How Do I . . . 28
How Do I Configure Address Translation for Outside to Inside? 28
How Do I Configure NAT With One LAN and Multiple WANs? 29
Cisco IOS IPS 1
Create IPS 2
Create IPS: Welcome 3
Create IPS: Select Interfaces 3
Create IPS: SDF Location 3
Create IPS: Signature File 4
Create IPS: Configuration File Location and Category 5
Add or Edit a Config Location 6
Directory Selection 7
Signature File 7
Create IPS: Summary 8
Edit IPS 9
Edit IPS: IPS Policies 10
Enable or Edit IPS on an Interface 13
Edit IPS: Global Settings 14
Edit Global Settings 16
Add or Edit a Signature Location 17
Edit IPS: SDEE Messages 18
SDEE Message Text 19
Edit IPS: Global Settings 22
Edit Global Settings 23
Edit IPS Prerequisites 24
Add Public Key 25
Edit IPS: Auto Update 25
Edit IPS: SEAP Configuration 27
Edit IPS: SEAP Configuration: Target Value Rating 28
Add Target Value Rating 29
Edit IPS: SEAP Configuration: Event Action Overrides 29
Add or Edit an Event Action Override 31
Edit IPS: SEAP Configuration: Event Action Filters 32
Add or Edit an Event Action Filter 34
Edit IPS: Signatures 36
Edit IPS: Signatures 42
Edit Signature 46
File Selection 49
Assign Actions 50
Import Signatures 51
Add, Edit, or Clone Signature 53
Cisco Security Center 55
IPS-Supplied Signature Definition Files 55
Security Dashboard 56
IPS Migration 59
Migration Wizard: Welcome 59
Migration Wizard: Choose the IOS IPS Backup Signature File 60
Signature File 60
Java Heap Size 60
Network Module Management 1
IDS Network Module Management 1
IDS Sensor Interface IP Address 3
IP Address Determination 4
IDS NM Configuration Checklist 5
IDS NM Interface Monitoring Configuration 7
Network Module Login 7
Feature Unavailable 7
Switch Module Interface Selection 7
Quality of Service 1
Creating a QoS Policy 1
Create a QoS Policy Reference 2
Create QoS Policy 2
QoS Wizard 3
Interface Selection 3
Queuing for Outbound Traffic 4
Add a New Traffic Class 5
Policing for Outbound Traffic 7
QoS Policy Generation 7
QoS Configuration Summary 8
Editing QoS Policies 9
Edit QoS Policy Reference 10
Edit QoS Policy 10
Add Class for the New Policy 13
Add Service Policy to Class 14
Associate or Disassociate the QoS Policy 15
Add or Edit a QoS Class 15
Edit Match DSCP Values 18
Edit Match Protocol Values 19
Add Custom Protocols 19
Edit Match ACL 19
Configure Policing 19
Configure Shaping 20
Configure Queuing 21
Network Admission Control 1
Create NAC Tab 1
Other Tasks in a NAC Implementation 2
Welcome 3
NAC Policy Servers 4
Interface Selection 6
NAC Exception List 7
Add or Edit an Exception List Entry 7
Choose an Exception Policy 8
Add Exception Policy 9
Agentless Host Policy 10
Configuring NAC for Remote Access 10
Modify Firewall 11
Details Window 11
Summary of the Configuration 12
Edit NAC Tab 13
NAC Components 14
Exception List Window 14
Exception Policies Window 15
NAC Timeouts 15
Configure a NAC Policy 17
How Do I... 18
How Do I Configure a NAC Policy Server? 18
How Do I Install and Configure a Posture Agent on a Host? 18
Router Properties 1
Device Properties 1
Date and Time: Clock Properties 2
Date and Time Properties 3
NTP 4
Add or Edit NTP Server Details 5
SNTP 6
Add an NTP Server 7
Logging 8
SNMP 9
Netflow 10
Netflow Talkers 10
Router Access 11
User Accounts: Configure User Accounts for Router Access 11
Add or Edit a Username 12
View Password 14
vty Settings 15
Edit vty Lines 15
Configure Management Access Policies 17
Add or Edit a Management Policy 19
Management Access Error Messages 20
SSH 22
DHCP Configuration 23
DHCP Pools 23
Add or Edit DHCP Pool 25
DHCP Bindings 26
Add or Edit DHCP Binding 27
DNS Properties 28
Dynamic DNS Methods 28
Add or Edit Dynamic DNS Method 29
ACL Editor 1
Useful Procedures for Access Rules and Firewalls 3
Rules Windows 3
Add or Edit a Rule 7
Associate with an Interface 10
Add a Standard Rule Entry 11
Add an Extended Rule Entry 13
Select a Rule 16
Port-to-Application Mapping 1
Port-to-Application Mappings 1
Add or Edit Port Map Entry 3
Zone-Based Policy Firewall 1
Zone Window 2
Add or Edit a Zone 3
Zone-Based Policy General Rules 3
Zone Pairs 5
Add or Edit a Zone Pair 5
Add a Zone 6
Select a Zone 7
Authentication, Authorization, and Accounting 1
Configuring AAA 2
AAA Screen Reference 2
AAA Root Screen 3
AAA Servers and Server Groups 4
AAA Servers 4
Add or Edit a TACACS+ Server 5
Add or Edit a RADIUS Server 6
Edit Global Settings 7
AAA Server Groups 8
Add or Edit AAA Server Group 9
Authentication and Authorization Policies 10
Authentication and Authorization 10
Authentication NAC 11
Authentication 802.1x 12
Add or Edit a Method List for Authentication or Authorization 13
Router Provisioning 1
Secure Device Provisioning 1
Router Provisioning from USB 2
Router Provisioning from USB (Load File) 2
SDP Troubleshooting Tips 2
Cisco Common Classification Policy Language 1
Policy Map 1
Policy Map Windows 1
Add or Edit a QoS Policy Map 3
Associate a Policy Map to Interface 3
Add an Inspection Policy Map 5
Layer 7 Policy Map 5
Application Inspection 5
Configure Deep Packet Inspection 6
Class Maps 6
Associate Class Map 7
Class Map Advanced Options 7
QoS Class Map 8
Add or Edit a QoS Class Map 9
Select a Class Map 9
Deep Inspection 9
Class Map and Application Service Group Windows 9
Add or Edit an Inspect Class Map 12
Associate Parameter Map 12
Add an HTTP Inspection Class Map 13
HTTP Request Header 13
HTTP Request Header Fields 14
HTTP Request Body 15
HTTP Request Header Arguments 15
HTTP Method 16
Request Port Misuse 16
Request URI 16
Response Header 17
Response Header Fields 18
HTTP Response Body 19
HTTP Response Status Line 19
Request/Response Header Criteria 20
HTTP Request/Response Header Fields 20
Request/Response Body 21
Request/Response Protocol Violation 22
Add or Edit an IMAP Class Map 22
Add or Edit an SMTP Class Map 22
Add or Edit a SUNRPC Class Map 23
Add or Edit an Instant Messaging Class Map 23
Add or Edit a Point-to-Point Class Map 23
Add P2P Rule 24
Add or Edit a POP3 Class Map 24
Parameter Maps 25
Parameter Map Windows 25
Add or Edit a Parameter Map for Protocol Information 25
Add or Edit a Server Entry 26
Add or Edit Regular Expression 26
Add a Pattern 27
Build Regular Expression 28
Regular Expression Metacharacters 30
URL Filtering 1
URL Filtering Window 2
Edit Global Settings 2
General Settings for URL Filtering 3
Local URL List 5
Add or Edit Local URL 6
Import URL List 7
URL Filter Servers 7
Add or Edit a URL Filter Server 8
URL Filtering Precedence 9
Configuration Management 1
Manually Editing the Configuration File 1
Config Editor 2
Reset to Factory Defaults 3
This Feature Not Supported 6
More About.... 1
IP Addresses and Subnet Masks 1
Host and Network Fields 3
Available Interface Configurations 4
DHCP Address Pools 5
Meanings of the Permit and Deny Keywords 6
Services and Ports 6
More About NAT 13
Static Address Translation Scenarios 13
Dynamic Address Translation Scenarios 16
Reasons that Cisco SDM Cannot Edit a NAT Rule 17
More About VPN 18
Cisco.com Resources 18
More About VPN Connections and IPSec Policies 19
More About IKE 21
More About IKE Policies 22
Allowable Transform Combinations 23
Reasons Why a Serial Interface or Subinterface Configuration May Be Read-Only 24
Reasons Why an ATM Interface or Subinterface Configuration May Be Read-Only 25
Reasons Why an Ethernet Interface Configuration May Be Read-Only 26
Reasons Why an ISDN BRI Interface Configuration May Be Read-Only 27
Reasons Why an Analog Modem Interface Configuration May Be Read-Only 28
Firewall Policy Use Case Scenario 29
DMVPN Configuration Recommendations 29
Cisco SDM White Papers 31
Getting Started 1
What’s New in this Release? 2
Cisco IOS Versions Supported 4
Viewing Router Information 1
Overview 2
Interface Status 6
Firewall Status 9
Zone-Based Policy Firewall Status 10
VPN Status 12
IPSec Tunnels 12
DMVPN Tunnels 14
Easy VPN Server 15
IKE SAs 17
SSL VPN Components 18
SSL VPN Context 19
User Sessions 19
URL Mangling 20
Port Forwarding 20
CIFS 20
Full Tunnel 21
User List 21
Traffic Status 23
Netflow Top Talkers 23
Top Protocols 23
Top Talkers 24
QoS 25
Application/Protocol Traffic 27
Logging 29
Syslog 29
Firewall Log 32
Application Security Log 34
SDEE Message Log 35
IPS Status 37
IPS Signature Statistics 38
IPS Alert Statistics 39
802.1x Authentication Status 40
File Menu Commands 1
Save Running Config to PC 1
Deliver Configuration to Router 1
Write to Startup Config 2
Reset to Factory Defaults 2
File Management 2
Rename 5
New Folder 5
Save SDF to PC 6
Exit 6
Unable to perform squeeze flash 6
Edit Menu Commands 1
Preferences 1
View Menu Commands 1
Home 1
Configure 1
Monitor 1
Running Config 2
Show Commands 2
Cisco SDM Default Rules 3
Refresh 4
Tools Menu Commands 1
Ping 1
Telnet 1
Security Audit 1
USB Token PIN Settings 2
Wireless Application 3
Update Cisco SDM 3
CCO Login 4
Help Menu Commands 1
Contents
OL-4015-12
Help Topics 1
Cisco SDM on CCO 1
Hardware/Software Matrix 1
About this router... 2
About Cisco SDM 2
Cisco Router and Security Device Manager 2.5 User’s Guide
xxxv
Contents
xxxvi
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12

CHAPTER 1

Home Page

The home page supplies basic information about the router hardware, software, and configuration. This page contains the following sections:
Host Name
The configured name of the router.
About Your Router
Shows basic information about your router hardware and software, and contains the following fields:
Hardware
Model Type: Shows the router model number.
Available/Total Memory: Available RAM/Total RAM.
Total Flash Capacity: Flash plus Webflash (if applicable).
Software
IOS Version: The version of Cisco IOS software that is currently running on the router.
Cisco SDM Version: The version of Cisco Router and Security Device Manager (Cisco SDM) software that is currently running on the router.
Feature Availability: The features available in the Cisco IOS image the router is using are designated by a check. The features Cisco SDM checks for are: IP, Firewall, VPN, IPS, and NAC.
More...
The More... link displays a popup window providing additional hardware and software details.
Hardware Details: In addition to the information presented in the About Your Router section, this tab displays information about:
Where the router boots from: Flash or Configuration File.
Whether the router has accelerators, such as VPN accelerators.
A diagram of the hardware configuration, including flash memory and installed devices such as USB flash and USB tokens.
Software Details: In addition to the information presented in the About Your Router section, this tab displays information about:
The feature sets included in the IOS image.
The version of Cisco SDM running.
Configuration Overview
This section of the home page summarizes the configuration settings that have been made.
Note If you do not see feature information described in this help topic on the home page, the Cisco IOS image does not support the feature. For example, if the router is running a Cisco IOS image that does not support security features, the Firewall Policy, VPN, and Intrusion Prevention sections do not appear on the home page.
View Running Config
Click this button to display the router’s running configuration.
Double-arrow head: Click to display/hide details.
Interfaces and Connections
Up (n): The number of LAN and WAN connections that are up.
Down (n): The number of LAN and WAN connections that are down.
Total Supported LAN: The total number of LAN interfaces that are present in the router.
Configured LAN Interface: The number of supported LAN interfaces currently configured on the router.
Total Supported WAN: The number of Cisco SDM-supported WAN interfaces that are present on the router.
Total WAN Connections: The total number of Cisco SDM-supported WAN connections that are present on the router.
DHCP Server: Configured/Not Configured.
DHCP Pool (Detail view): If one pool is configured, the starting and ending address of the DHCP pool. If multiple pools are configured, a list of the configured pool names.
Number of DHCP Clients (Detail view): Current number of clients leasing addresses.
Interface: Name of the configured interface.
Type: Interface type.
IP/Mask: IP address and subnet mask.
Description: Description of the interface.
Firewall Policies
Active/Inactive: Active means a firewall is in place. Inactive means no firewall is in place.
Trusted (n): The number of trusted (inside) interfaces.
Untrusted (n): The number of untrusted (outside) interfaces.
DMZ (n): The number of DMZ interfaces.
Interface: The name of the interface to which a firewall has been applied.
Firewall Icon: Whether the interface is designated as an inside or an outside interface.
NAT: The name or number of the NAT rule applied to this interface.
Inspection Rule: The names or numbers of the inbound and outbound inspection rules.
Access Rule: The names or numbers of the inbound and outbound access rules.
VPN
Up (n): The number of active VPN connections.
IPSec (Site-to-Site): The number of configured site-to-site VPN connections.
GRE over IPSec: The number of configured GRE over IPSec connections.
Xauth Login Required: The number of Easy VPN connections awaiting an Xauth login. See note.
Easy VPN Remote: The number of configured Easy VPN Remote connections.
No. of DMVPN Clients: If the router is configured as a DMVPN hub, the number of DMVPN clients.
No. of Active VPN clients: If this router is functioning as an Easy VPN Server, the number of Easy VPN clients with active connections.
Interface: The name of an interface with a configured VPN connection.
Type: The type of VPN connection configured on the interface.
IPSec Policy: The name of the IPSec policy associated with the VPN connection.
Description: A description of the connection.
Note Some VPN servers or concentrators authenticate clients using Extended Authentication (XAuth). This shows the number of VPN tunnels awaiting an Xauth login. If any Easy VPN tunnel awaits XAuth login, a separate message panel is shown with a Login button. Clicking Login allows you to enter the credentials for the tunnel.
If Xauth has been configured for a tunnel, it will not begin to function until the login and password have been supplied. There is no timeout after which it will stop waiting; it will wait indefinitely for this information.
NAC Policies
Active or Inactive.
Interface Column: The name of the interface to which the policy is applied. For example, FastEthernet 0, or Ethernet 0/0.
NAC Policy Column: The name of the NAC policy.
Routing
No. of Static Routes: The number of static routes configured on the router.
Dynamic Routing Protocols: Lists any dynamic routing protocols that are configured on the router.
Intrusion Prevention
Active Signatures: The number of active signatures the router is using. These may be built in, or they may be loaded from a remote location.
No. of IPS-enabled interfaces: The number of router interfaces on which IPS has been enabled.
SDF Version: The version of SDF files on this router.
Security Dashboard: A link to the IPS Security Dashboard, where the top-ten signatures can be viewed and deployed.

CHAPTER 2

Creating a New Connection

The Cisco SDM connection wizards guide you through LAN and WAN configurations, and check the information that you enter against the existing configuration, warning you of any problems.
This chapter contains the following sections:
Creating a New Connection
New Connection Reference
Additional Procedures

Creating a New Connection

Complete these steps to create a new connection:
Step 1 On the Cisco SDM toolbar, click Configure.
Step 2 On the Tasks bar, click Interfaces and Connections.
Step 3 In the Create New Connection box, choose the type of connection that you want to configure. Information about the type of connection you choose is displayed in the Information box, and the Use Case Scenario area displays a graphic showing the kind of connection that you chose.
Step 4 Click Create New Connection to get started.

New Connection Reference

The following topic describes the screen referred to in this chapter:
Create Connection

Create Connection

This window allows you to create new LAN and WAN connections.
Note You cannot use Cisco SDM to create WAN connections for Cisco 7000 series routers.
Field Reference
Table 2-1 describes the fields in this screen.
Table 2-1 Create Connection Fields
Create New Connection: Choose a connection type to configure on the physical interfaces available on your router. Only interfaces that have not been configured are available. If all interfaces have been configured, this area of the window is not displayed.
If the router has Asynchronous Transfer Mode (ATM) or serial interfaces, multiple connections can be configured from a single interface because Cisco Router and Security Device Manager II (Cisco SDM) configures subinterfaces for each interface of that type.
The Other (Unsupported by Cisco SDM) radio button appears if an unsupported logical or physical interface exists, or if a supported interface exists that has been given an unsupported configuration. When you click the Other (Unsupported by Cisco SDM) radio button, the Create New Connection button is disabled.
If the router has radio interfaces but you do not see a Wireless radio button, you are not logged on as a Cisco SDM Administrator. If you need to use the wireless application, go to the Cisco SDM Tools menu and choose Wireless Application.
Use Case Scenario: When you click the radio button for a connection type, a network diagram appears illustrating that type of connection.
Information: The information area displays more information about the connection type you choose. For example, if you choose Ethernet LAN, the information area may display the text “Configure Ethernet LAN interface for straight routing and 802.1q trunking.”
Create New Connection button: Click Create New Connection to start the wizard for the type of connection you chose.
Additional Procedures

This section contains procedures for tasks that the wizard does not help you complete.
This section contains the following topics:
How Do I Configure a Static Route?
How Do I View Activity on My LAN Interface?
How Do I Enable or Disable an Interface?
How Do I View the IOS Commands I Am Sending to the Router?
How Do I Configure an Unsupported WAN Interface?
How Do I Enable or Disable an Interface?
How Do I View Activity on My WAN Interface?
How Do I Configure NAT on a WAN Interface?
How Do I Configure a Static Route?
How Do I Configure a Dynamic Routing Protocol?
How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface?

How Do I Configure a Static Route?

To configure a static route:
Step 1 From the task bar, click Routing.
Step 2 In the Static Routing group, click Add....
The Add IP Static Route dialog box appears.
Step 3 In the Prefix field, enter the IP address of the static route destination network.
Step 4 In the Prefix Mask field, enter the subnet mask of the destination network.
Step 5 If you want this static route to be the default route, check the Make this as the Default Route check box.
Step 6 In the Forwarding group, select whether to identify a router interface or the destination router IP address as the method to forward data, and then choose either the forwarding router interface or enter the destination router IP address.
Step 7 Optionally, in the Distance Metric field, enter the distance metric to be stored in the routing table.
Step 8 If you want to configure this static route to be a permanent route, which means that it will not be deleted even if the interface is shut down or the router is unable to communicate with the next router, check the Permanent Route check box.
Step 9 Click OK.

How Do I View Activity on My LAN Interface?

You can view activity on a LAN interface by using the Monitor mode in Cisco SDM. Monitor mode can display statistics about the LAN interface, including the number of packets and bytes that have been sent or received by the interface, and the number of send or receive errors that have occurred. To display statistics about a LAN interface:
Step 1 From the toolbar, click Monitor.
Step 2 From the left frame, click Interface Status.
Step 3 In the Select an Interface field, select the LAN interface for which you want to view statistics.
Step 4 Select the data item(s) you want to view by checking the associated check box(es). You can view up to four statistics at a time.
Step 5 Click Start Monitoring to see statistics for all selected data items.
The Interface Details screen appears, displaying the statistics you selected. The screen defaults to showing real-time data, for which it polls the router every 10 seconds. If the interface is up and there is data transmitting across it, you should see an increase in the number of packets and bytes transferred across the interface.

How Do I Enable or Disable an Interface?

You can disable an interface without removing its configuration, and you can reenable an interface that you have disabled.
Step 1 Click Interfaces and Connections in the task bar.
Step 2 Click the Edit Interfaces and Connections tab.
Step 3 Select the interface that you want to disable or enable.
Step 4 If the interface is enabled, the Disable button appears below the Interface List. Click that button to disable the interface. If the interface is currently disabled, the Enable button appears below the Interface List. Click that button to enable the interface.

How Do I View the IOS Commands I Am Sending to the Router?

If you are completing a wizard to configure a feature, you can view the Cisco IOS commands that you are sending to the router when you click Finish.
Step 1 From the Cisco SDM Edit menu, select Preferences.
Step 2 Check Preview commands before delivering to router.
Step 3 Click OK.
The next time you use a wizard to configure the router and click Finish on the Summary window, the Deliver window will appear. In this window you can view the commands that you are delivering to the router’s configuration. Click Deliver when you are finished reviewing the commands.
If you are editing a configuration, the Deliver window is displayed when you click OK in the dialog window. In this window you can view the Cisco IOS commands that you are sending to the router.

How Do I Launch the Wireless Application from Cisco SDM?

Use the following procedure to launch the wireless application from Cisco SDM.
Step 1 Go to the Cisco SDM Tools menu and select Wireless Application. The Wireless Application launches in a separate browser window.
Step 2 In the left panel, click the title of the configuration screen that you want to work in. To obtain help for any screen, click the help icon in the upper right corner. This icon looks like an open book with a question mark.

How Do I Configure an Unsupported WAN Interface?

Cisco SDM does not support configuration of every WAN interface that your router might support. If Cisco SDM discovers an interface in your router that it does not support, or a supported interface with an unsupported configuration, Cisco SDM displays a radio button labeled Other (Unsupported by Cisco SDM). The unsupported interface is displayed in the Interfaces and Connections window, but it cannot be configured using Cisco SDM.
To configure an unsupported interface, you must use the router command-line interface (CLI).

How Do I Enable or Disable an Interface?

You can disable an interface without removing its configuration, and you can reenable an interface that you have disabled.
Step 1 Click Configure on the Cisco SDM toolbar.
Step 2 Click Interfaces and Connections in the left frame.
Step 3 Click the interface that you want to disable or enable.
Step 4 If the interface is enabled, the Disable button appears below the Interface List. Click it to disable the interface. If the interface is currently disabled, the Enable button appears in that location. Click that button to enable the interface.

How Do I View Activity on My WAN Interface?

You can view activity on a WAN interface by using the Monitor feature in Cisco SDM. Monitor screens can display statistics about the WAN interface, including the number of packets and bytes that have been sent or received by the interface, and the number of send or receive errors that have occurred. To display statistics about a WAN interface:
Step 1 From the toolbar, click Monitor.
Step 2 From the left frame, click Interface Status.
Step 3 In the Select an Interface field, choose the WAN interface for which you want to view statistics.
Step 4 Choose the data item(s) you want to view by checking the associated check box(es). You can view up to four statistics at a time.
Step 5 Click Show Details to see statistics for all selected data items.
The Interface Details screen appears, displaying the statistics you selected. The screen defaults to showing real-time data, for which it polls the router every 10 seconds. If the interface is up and there is data transmitting across it, you should see an increase in the number of packets and bytes transferred across the interface.

How Do I Configure NAT on a WAN Interface?

Step 1 Click Configure on the Cisco SDM toolbar.
Step 2 Click NAT in the left frame.
Step 3 In the NAT window, click Designate NAT interfaces.
Step 4 Find the interface for which you want to configure NAT.
Step 5 Check inside(trusted) next to the interface to designate the interface as an inside, or trusted, interface. An inside designation is typically used to designate an interface serving a LAN whose resources must be protected. Check outside(untrusted) to designate it as an outside interface. Outside interfaces typically connect to an untrusted network. Click OK.
The interface is added to the pool of interfaces using NAT.
Step 6 Review the Network Address Translation Rules in the NAT window. If you need to add, delete, or modify a rule, click the appropriate button on the NAT window to perform the configuration you need.
For more information, click the following links:
Add or Edit Static Address Translation Rule: Inside to Outside
Add or Edit Static Address Translation Rule: Outside to Inside
Add or Edit Dynamic Address Translation Rule: Inside to Outside
Add or Edit Dynamic Address Translation Rule: Outside to Inside

How Do I Configure NAT on an Unsupported Interface?

Cisco SDM can configure Network Address Translation (NAT) on an interface type unsupported by Cisco SDM. Before you can configure the firewall, you must first use the router CLI to configure the interface. The interface must have, at a minimum, an IP address configured, and it must be working. To verify that the connection is working, verify that the interface status is “Up.”
After you have configured the unsupported interface using the CLI, you can configure NAT using Cisco SDM. The unsupported interface will appear as “Other” on the router interface list.

How Do I Configure a Dynamic Routing Protocol?

To configure a dynamic routing protocol:
Step 1 From the toolbar, click Configure.
Step 2 From the left frame, click Routing.
Step 3 In the Dynamic Routing group, click the dynamic routing protocol that you want to configure.
Step 4 Click Edit.
The Dynamic Routing dialog box appears, displaying the tab for the dynamic routing protocol you selected.
Step 5 Using the fields in the Dynamic Routing dialog box, configure the dynamic routing protocol. If you need an explanation for any of the fields in the dialog box, click Help.
Step 6 When you have finished configuring the dynamic routing protocol, click OK.

How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface?

ISDN BRI and asynchronous connections are dial-up connections, meaning that in order to establish a connection, the router must dial a preconfigured phone number. Because the cost of these types of connections is usually determined by the amount of time that a connection was established, and in the case of an asynchronous connection, that a phone line will be tied up, it is often desirable to configure Dial-on-Demand Routing (DDR) for these connection types.
Cisco SDM can help you configure DDR by:
Letting you associate a rule (or ACL) with the connection, which causes the router to establish the connection only when it recognizes network traffic that you have identified as interesting with the associated rule.
Setting idle timeouts, which cause the router to end a connection after a specified amount of time when there is no activity on the connection.
Enabling multilink PPP, which causes an ISDN BRI connection to use only one of the two B channels unless a specified percentage of bandwidth is exceeded on the first B channel. This has the advantage of saving costs when network traffic is low and the second B channel is not needed, but letting you utilize the full bandwidth of your ISDN BRI connection when needed.
To configure DDR on an existing ISDN BRI or asynchronous connection:
Step 1 Click Configure on the Cisco SDM toolbar.
Step 2 Click Interfaces and Connections in the left frame.
Step 3 Click the ISDN or asynchronous interface on which you want to configure DDR.
Step 4 Click Edit.
The Connection tab appears.
Step 5 Click Options.
The Edit Dialer Option dialog box appears.
Step 6 If you want the router to establish the connection only when it recognizes specific IP traffic, click the Filter traffic based on selected ACL radio button, and either enter a rule (ACL) number that will identify which IP traffic should cause the router to dial out, or click the ... button to browse the list of rules and choose the rule that you want to use to identify IP traffic from that list.
Step 7 If you want to configure the router to end the connection when the connection is idle, i.e., no traffic passes across it, for a specified amount of time, in the Idle timeout field, enter the number of seconds the connection can remain idle before the router ends the connection.
Step 8 If you are editing an ISDN connection, and you would like to use your second B channel only when the traffic on the first B channel exceeds a certain threshold, check the Enable MultiLink PPP check box, then in the Load Threshold field, enter a number between 1 and 255, where 255 equals 100% of bandwidth, that will determine the threshold on the first B channel. When traffic on that channel exceeds that threshold, it will cause the router to connect the second B channel. In addition, in the Data direction field, you can choose whether this threshold should apply to outbound or inbound traffic.
Step 9 Click OK.

How Do I Edit a Radio Interface Configuration?

You must use the Wireless Application to edit an existing radio interface configuration.
Step 1 Click Configure on the Cisco SDM toolbar.
Step 2 Click Interfaces and Connections in the left frame, and then click the Edit Interface/Connection tab.
Step 3 Choose the radio interface and click Edit. In the Connections tab, you can change the IP address or bridging information. If you want to change other wireless parameters, click Launch Wireless Application.

CHAPTER 3

LAN Wizard

The Cisco Router and Security Device Manager (Cisco SDM) LAN wizard guides you in the configuration of a LAN interface. The screen lists the LAN interfaces on the router. You can select any of the interfaces shown in the window, and click Configure to make the interface a LAN interface and configure it.
This window lists the router interfaces that were designated as inside interfaces in Startup configuration, and lists the Ethernet interfaces and switch ports that have not been configured as WAN interfaces. The list includes interfaces that have already been configured.
When you configure an interface as a LAN interface, Cisco SDM inserts the description text $ETH-LAN$ in the configuration file so that it recognizes the interface as a LAN interface in the future.
You can return to this screen as often as necessary to configure additional LAN interfaces.
Field Reference
Table 3-1 IP Address and Subnet Mask
Interface: The name of the interface.
Configure: To configure an interface you have selected, click Configure. If the interface has not been configured before, Cisco SDM will take you through the LAN Wizard to help you configure it. If the interface has been given a configuration using Cisco SDM, Cisco SDM displays an Edit window enabling you to change configuration settings.
The Configure button may be disabled if a LAN interface has been given a configuration that Cisco SDM does not support. For a list of such configurations, see Reasons Why an Ethernet Interface Configuration May Be Read-Only.

Ethernet Configuration

The wizard guides you through the configuration of an Ethernet interface on the LAN. You must provide the following information:
An IP address and subnet mask for the Ethernet interface
A DHCP address pool if you decide to use DHCP on this interface
The addresses of DNS and WINS servers on the WAN
A domain name

LAN Wizard: Select an Interface

Select the interface on which you want to configure a LAN connection in this window. This window lists interfaces that can support Ethernet LAN configurations.

LAN Wizard: IP Address and Subnet Mask

This window lets you configure an IP address and subnet mask for the Ethernet interface that you chose in the first window.
Field Reference
Table 3-2 IP Address and Subnet Mask
IP Address: Enter the IP address for the interface in dotted decimal format. Your network administrator should determine the IP addresses of LAN interfaces. For more information, see IP Addresses and Subnet Masks.
Subnet Mask: Enter the subnet mask. Obtain this value from your network administrator. The subnet mask enables the router to determine how much of the IP address is used to define the network and host portions of the address.
Alternatively, select the number of network bits. This value is used to calculate the subnet mask. Your network administrator can tell you the number of network bits to enter.

LAN Wizard: Enable DHCP Server

This screen lets you enable a DHCP server on your router. A DHCP server automatically assigns reusable IP addresses to the devices on the LAN. When a device becomes active on the network, the DHCP server grants it an IP address. When the device leaves the network, the IP address is returned to the pool for use by another device.
Field Reference
Table 3-3 IP Address and Subnet Mask
Enable DHCP Server: To configure the router as a DHCP server on this interface, click Yes.

LAN Wizard: DHCP Address Pool

This screen lets you configure the DHCP IP address pool. The IP addresses that the DHCP server assigns are drawn from a common pool that you configure by specifying the starting IP address in the range, and the ending address in the range.
For more information, see DHCP Address Pools.
Note If there are discontinuous address pools configured on the router, then the Starting IP and Ending IP address fields will be read-only.
Field Reference
Table 3-4 DHCP Address Pool
Starting IP: Enter the beginning of the range of IP addresses for the DHCP server to use in assigning addresses to devices on the LAN. This is the lowest-numbered IP address in the range.
Ending IP: Enter the highest-numbered IP address in the range of IP addresses.
DNS Server and WINS Server Fields: If this window displays DNS Server and WINS Server fields, you can click DHCP Options for information on them.
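The IP address, subnet mask or network-bit count, and DHCP pool range entered in the IP Address and Subnet Mask and DHCP Address Pool windows must agree with each other before they are delivered to the router. The following Python is an added example of those cross-checks, not Cisco SDM code; the LanWizardInput class, its field names, and the sample addresses are constructed for illustration.

```python
# Added example (not Cisco SDM code): consistency checks on the values a LAN
# wizard collects before they are turned into interface and DHCP configuration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def mask_from_bits(bits: int) -> str:
    """Dotted-decimal subnet mask for a network-bit count, e.g. 24 -> 255.255.255.0."""
    if not 0 <= bits <= 32:
        raise ValueError("network bits must be between 0 and 32")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)


def bits_from_mask(mask: str) -> int:
    """Network-bit count for a dotted-decimal mask; non-contiguous masks raise ValueError."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


@dataclass
class LanWizardInput:
    """Hypothetical stand-in for the wizard fields (constructed for this example)."""
    ip_address: str
    subnet_mask: Optional[str] = None   # dotted-decimal, as typed in the Subnet Mask field
    network_bits: Optional[int] = None  # or the number of network bits, if chosen instead
    dhcp_start: Optional[str] = None    # Starting IP of the DHCP pool, if DHCP is enabled
    dhcp_end: Optional[str] = None      # Ending IP of the DHCP pool


def validate(inp: LanWizardInput) -> List[str]:
    """Return the problems found; an empty list means the fields are consistent."""
    problems: List[str] = []
    try:
        addr = ipaddress.IPv4Address(inp.ip_address)
    except ValueError:
        return [f"interface IP address {inp.ip_address!r} is not a valid IPv4 address"]

    # The wizard accepts either a dotted mask or a bit count; resolve whichever was
    # given and, if both were typed, make sure they describe the same subnet.
    if inp.subnet_mask is None and inp.network_bits is None:
        return ["either a subnet mask or a number of network bits is required"]
    try:
        bits = (inp.network_bits if inp.network_bits is not None
                else bits_from_mask(inp.subnet_mask))
        if (inp.subnet_mask is not None and inp.network_bits is not None
                and bits_from_mask(inp.subnet_mask) != inp.network_bits):
            problems.append("subnet mask and network bits disagree")
        net = ipaddress.IPv4Network(f"{addr}/{bits}", strict=False)
    except ValueError as exc:
        return problems + [f"invalid subnet mask or network bits: {exc}"]

    # The interface address itself must not be the network or broadcast address.
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address of {net}")

    # DHCP pool: a well-formed range, inside the interface subnet, and not containing
    # the router's own address, which must never be leased to a client.
    if (inp.dhcp_start is None) != (inp.dhcp_end is None):
        problems.append("both Starting IP and Ending IP are required for a DHCP pool")
    elif inp.dhcp_start is not None:
        try:
            start = ipaddress.IPv4Address(inp.dhcp_start)
            end = ipaddress.IPv4Address(inp.dhcp_end)
        except ValueError:
            return problems + ["DHCP pool addresses are not valid IPv4 addresses"]
        if start > end:
            problems.append("DHCP Starting IP is higher than Ending IP")
        if start not in net or end not in net:
            problems.append(f"DHCP pool {start}-{end} is not within {net}")
        elif net.prefixlen < 31 and (start == net.network_address
                                     or end == net.broadcast_address):
            problems.append("DHCP pool includes the network or broadcast address")
        if start <= addr <= end:
            problems.append(f"DHCP pool would lease out the router's own address {addr}")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a /24 LAN with a pool that leaves room for the router.
    sample = LanWizardInput("192.168.1.1", network_bits=24,
                            dhcp_start="192.168.1.100", dhcp_end="192.168.1.200")
    print(validate(sample) or "LAN wizard inputs are consistent")
```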

DHCP Options

Use this window to configure DHCP options that will be sent to hosts on the LAN that are requesting IP addresses from the router. These are not options for the router that you are configuring; these are parameters that will be sent to the requesting hosts on the LAN. To set these properties for the router, click Additional Tasks on the Cisco SDM category bar, click DHCP, and configure these settings in the DHCP Pools window.
Field Reference
Table 3-5 IP Address and Subnet Mask
DNS Server 1: The DNS server is typically a server that maps a known device name with its IP address. If you have a DNS server configured for your network, enter the IP address for that device here.
DNS Server 2: If there is an additional DNS server on the network, you can enter the IP address for that server in this field.
Domain Name: The DHCP server that you are configuring on this router will provide services to other devices within this domain. Enter the name of the domain.
WINS Server 1: Some clients may require Windows Internet Naming Service (WINS) to connect to devices on the Internet. If there is a WINS server on the network, enter the IP address for the server in this field.
WINS Server 2: If there is an additional WINS server on the network, enter the IP address for the server in this field.

LAN Wizard: VLAN Mode

This screen lets you determine the type of VLAN information that will be carried over the switch port. Switch ports can be designated either to be in access mode, in which case they will forward only data that is destined for the VLAN to which they are assigned, or they can be designated to be in trunking mode, in which case they will forward data destined for all VLANs including the VLAN to which they are assigned.
If this switch port will be connected to a single device, such as a single PC or IP phone, or if this device will be connected to a port on a networking device, such as another switch, that is an access mode port, then select Single Device.
If this switch port will be connected to a port on a network device, such as another switch, that is in trunking mode, select Network Device.
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
3-5
Chapter 3 LAN Wizard

LAN Wizard: Switch Port

Field Reference
Table 3-6 IP Address and Subnet Mask
Element Description
Single Device: If this switch port will be connected to a single device, such as a single PC or IP phone, or if this device will be connected to a port on a networking device, such as another switch, that is an access mode port, then choose Single Device.
Network Device: If this switch port will be connected to a port on a network device, such as another switch, that is in trunking mode, choose Network Device.
LAN Wizard: Switch Port
This screen lets you assign an existing VLAN number to the switch port or to create a new VLAN interface to be assigned to the VLAN switch port.
Field Reference
Table 3-7 IP Address and Subnet Mask
Element Description
Existing VLAN: If you want to assign the switch port to a VLAN that has already been defined, such as the default VLAN (VLAN 1), enter the VLAN ID number in the Network (VLAN) Identifier field.
New VLAN: If you want to create a new VLAN interface to which the switch port will be assigned, enter the new VLAN ID number in the New VLAN field, and then enter the IP address and subnet mask of the new VLAN logical interface in the IP Address and Subnet Mask fields.
Include this VLAN in an IRB bridge...: If you want the switch port to form part of a bridge with your wireless network, check this box. The other part of the bridge must be configured using the Wireless Application. The IP address and Subnet mask fields under New VLAN are disabled when this box is checked.
Launching the Wireless Application
After completing this LAN configuration, do the following to launch the Wireless Application and complete the bridging configuration.
Step 1 Select Wireless Application from the Cisco SDM Tools menu. The Wireless Application opens in a separate browser window.
Step 2 In the Wireless Application, click Wireless Express Security, and then click Bridging to provide the information to complete the bridging configuration.

IRB Bridge

If you are configuring a VLAN to be part of an IRB bridge, the bridge must be a member of a bridge group.
To create a new bridge group that this interface will be part of, click Create a new bridge group and enter a value in the range 1 through 255.
To have this VLAN be a member of an existing bridge group, click Join an existing bridge group, and select a bridge group.
Note When you complete the bridge configuration in the Wireless Application, you must use the same bridge group number entered in this screen.
Field Reference
Table 3-8 IP Address and Subnet Mask
Element Description
Create a new bridge group: To create a new bridge group that this interface will be part of, click Create a new bridge group and enter a value in the range 1 through 255.
Join an existing bridge group: To have this VLAN be a member of an existing bridge group, click Join an existing bridge group, and select a bridge group.
BVI Configuration
Assign an IP address and subnet mask to the BVI interface. If you selected an existing bridge group in the previous screen, the IP address and subnet mask will appear in this screen. You can change it, or leave the values unchanged.
Field Reference
Table 3-9 BVI Configuration
Element Description
IP Address: Enter the IP address for the interface in dotted decimal format. Your network administrator should determine the IP addresses of LAN interfaces. For more information, see IP Addresses and Subnet Masks.
Net Mask: Enter the subnet mask. Obtain this value from your network administrator. The subnet mask enables the router to determine how much of the IP address is used to define the network and host portions of the address.
Net Bits: Alternatively, select the number of network bits. This value is used to calculate the subnet mask. Your network administrator can tell you the number of network bits to enter.

DHCP Pool for BVI

When you configure the router as a DHCP server, you can create a pool of IP addresses that clients on the network can use. When a client logs off the network, the address it was using is returned to the pool for use by another host.
Field Reference
Table 3-10 DHCP Pool for BVI
Element Description
DHCP Server Configuration: If you want to have the router function as a DHCP server, check DHCP Server Configuration.
Start IP: Enter the starting IP address for the pool. Be sure to specify IP addresses in the same subnet as the IP address you gave the interface. For example, if you gave the interface an IP address of 10.10.22.1, with a subnet mask of 255.255.255.0, you have over 250 addresses available for the pool, and you might specify a start IP Address of 10.10.22.2.
End IP: Enter the ending IP address for the pool. Using the above example, the end IP address would be 10.10.22.254.
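As an added check that is not part of the Cisco guide or of Cisco SDM, the following Python snippet validates a proposed Start IP and End IP against the interface address and its Net Mask or Net Bits value, using the guide's 10.10.22.1/255.255.255.0 example; the suggest_pool helper and the range it proposes are this example's own assumptions.

```python
import ipaddress


def dhcp_pool_check(interface_ip, mask_or_bits, start_ip, end_ip):
    """Validate a DHCP pool (Start IP .. End IP) against the interface it serves.

    mask_or_bits is either a dotted subnet mask ("255.255.255.0") or the
    number of network bits (24), mirroring the wizard's Net Mask / Net Bits
    fields.  Returns a dict with the subnet, the number of usable host
    addresses, the pool size and a list of problems (empty when acceptable).
    """
    iface = ipaddress.ip_interface(f"{interface_ip}/{mask_or_bits}")
    net = iface.network
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    problems = []
    for label, addr in (("Start IP", start), ("End IP", end)):
        # The guide's rule: pool addresses must lie in the interface's subnet.
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
        elif addr == iface.ip:
            # Added check: leasing the router's own address would collide with it.
            problems.append(f"{label} {addr} is the interface's own address")
    if end < start:
        problems.append("End IP precedes Start IP")
    return {
        "network": str(net),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "pool_size": int(end) - int(start) + 1 if end >= start else 0,
        "problems": problems,
    }


def suggest_pool(interface_ip, mask_or_bits):
    """Suggest (start, end) as strings: the host range just after the interface
    address, as in the guide's example (.1 interface -> .2 to .254), or the
    range below it when the interface holds the last host address.  This
    suggestion rule is an assumption of this example, not wizard behaviour.
    """
    iface = ipaddress.ip_interface(f"{interface_ip}/{mask_or_bits}")
    net = iface.network
    first, last = net.network_address + 1, net.broadcast_address - 1
    if iface.ip < last:
        return str(iface.ip + 1), str(last)
    return str(first), str(iface.ip - 1)


if __name__ == "__main__":
    # Constructed input: the guide's example interface and pool.
    print(dhcp_pool_check("10.10.22.1", "255.255.255.0",
                          "10.10.22.2", "10.10.22.254"))
    # Constructed bad input: a start address in a different subnet.
    print(dhcp_pool_check("10.10.22.1", 24, "10.10.23.2", "10.10.22.254"))
    print(suggest_pool("10.10.22.1", 24))
```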
IRB for Ethernet
If your router has a wireless interface, you can use Integrated Routing and Bridging to have this interface form part of a bridge to the wireless LAN, and enable traffic destined for the wireless network to be routed through this interface. Click Yes if you want to configure this Layer 3 interface for Integrated Routing and Bridging.
If you do not want this interface to be used in a bridge to the wireless interface, click No. You will still be able to configure it as a regular routing interface.

Layer 3 Ethernet Configuration

Cisco SDM supports Layer 3 Ethernet configuration on routers with installed 3750 switch modules. You can create VLAN configurations and designate router Ethernet interfaces as DHCP servers.

802.1Q Configuration

You can configure a VLAN that does not use the 802.1Q encapsulation protocol used for trunking connections. Provide a VLAN ID number, and check Native VLAN if you do not want the VLAN to use 802.1Q tagging.
If you want to use the 802.1Q tagging, leave the Native VLAN box unchecked.
Field Reference
Table 3-11 IP Address and Subnet Mask
Element Description
VLAN ID (1-4094): Enter a VLAN ID number from 1 to 4094. Cisco SDM displays a message telling you to enter a different VLAN ID if the ID that you enter is already in use.
Native VLAN: If you do not want the VLAN to use 802.1Q tagging, check Native VLAN. If you want the VLAN to use 802.1Q tagging, leave this box unchecked.

Trunking or Routing Configuration

You can configure Layer 3 Ethernet interfaces for 802.1Q trunking or for basic routing. If you configure the interface for 802.1Q trunking, you can configure VLANs on the interface, and you can configure a native VLAN that does not use the 802.1Q encapsulation protocol. If you configure the interface for routing, you cannot configure subinterfaces or additional VLANs on the interface.

Configure Switch Device Module

If you are configuring a Gigabit Ethernet interface for routing, you can provide information about the switch module in this window. It is not required that you provide this information.
You can provide an IP address and subnet mask for the switch module, and the login credentials required to log on to the switch module interface.
Check the box at the bottom of the screen if you want to log on to the switch module after providing the information in this wizard and delivering the configuration to the router.

Configure Gigabit Ethernet Interface

Provide IP address and subnet mask information for Gigabit Ethernet interfaces in this window. For more information on IP addresses and subnet masks, see LAN Wizard: IP Address and Subnet Mask.
Field Reference
Table 3-12 IP Address and Subnet Mask
Element Description
IP Address of Physical Interface: Enter the IP address and subnet mask for the physical Gigabit Ethernet interface in these fields.
IP Address of VLAN Subinterface: Provide the IP address and subnet mask for the VLAN subinterface that you want to create on the physical interface. These fields appear if you are configuring this interface for routing. These fields do not appear if you are configuring this interface for Integrated Routing and Bridging (IRB).

Summary

This window provides a summary of the configuration changes that you made for the interface you selected.
To save this configuration to the router’s running configuration and leave this wizard:
Click Finish. Cisco SDM saves the configuration changes to the router’s running configuration. Although the changes take effect immediately, they will be lost if the router is turned off.
If you checked Preview commands before delivering to router in the User Preferences window, the Deliver window appears. In this window you can view the CLI commands that you are delivering to the router.
CHAPTER 4

802.1x Authentication

802.1x authentication allows a remote Cisco IOS router to connect authenticated VPN users to a secure network through a VPN tunnel that is up at all times. The Cisco IOS router will authenticate users through a RADIUS server on the secure network.
802.1x authentication is applied to switch ports or Ethernet (routed) ports, but not to both types of interfaces. If 802.1x authentication is applied to an Ethernet port, non-authenticated users can be routed outside the VPN tunnel to the Internet.
802.1x authentication is configured on interfaces by using the LAN wizard. However, before you can enable 802.1x on any interface, AAA must be enabled on your Cisco IOS router. If you attempt to use the LAN wizard before AAA is enabled, a window appears asking if you want to enable AAA. If you choose to enable AAA, then the 802.1x configuration screens will appear as part of the LAN wizard. If you choose to not enable AAA, then the 802.1x configuration screens will not appear.

LAN Wizard: 802.1x Authentication (Switch Ports)

This window allows you to enable 802.1x authentication on the switch port or ports you selected for configuration using the LAN wizard.
Enable 802.1x Authentication
Check Enable 802.1x Authentication to enable 802.1x authentication on the switch port.
Host Mode
Choose Single or Multiple. Single mode allows only one authenticated client to have access. Multiple mode allows for any number of clients to have access once a single client has been authenticated.
Note Ports on Cisco 85x and Cisco 87x routers can be set only to multiple host mode. Single mode is disabled for these routers.
Guest VLAN
Check Guest VLAN to enable a VLAN for clients lacking 802.1x support. If you enable this option, choose a VLAN from the VLAN drop-down list.
Auth-Fail VLAN
Check Auth-Fail VLAN to enable a VLAN for clients that fail 802.1x authorization. If you enable this option, choose a VLAN from the VLAN drop-down list.
Periodic Reauthentication
Check Periodic Reauthentication to force reauthentication of 802.1x clients on a regular interval. Choose to configure the interval locally, or to allow the RADIUS server to set the interval. If you choose to configure the reauthentication interval locally, enter a value in the range of 1–65535 seconds. The default setting is 3600 seconds.

Advanced Options

Click Advanced Options to open a window with additional 802.1x authentication parameters.
Advanced Options
This window allows you to change the default values for a number of 802.1x authentication parameters.
Radius Server Timeout
Enter the time, in seconds, that your Cisco IOS router waits before timing out its connection to the RADIUS server. Values must be in the range of 1–65535 seconds. The default setting is 30 seconds.
Supplicant Reply Timeout
Enter the time, in seconds, that your Cisco IOS router waits for a reply from an 802.1x client before timing out its connection to that client. Values must be in the range of 1–65535 seconds. The default setting is 30 seconds.
Supplicant Retries Timeout
Enter the time, in seconds, that your Cisco IOS router retries an 802.1x client before timing out its connection to that client. Values must be in the range of 1–65535 seconds. The default setting is 30 seconds.
Quiet Period
Enter the time, in seconds, that your Cisco IOS router will wait between the initial connection to a client and when a login request is sent. Values must be in the range of 1–65535 seconds. The default setting is 60 seconds.
Rate Limit Period
Values must be in the range of 1–65535 seconds. However, the default setting is 0 seconds, which turns off Rate Limit Period.
Maximum Reauthentication Attempts
Enter the maximum number of times your Cisco IOS router tries to reauthenticate an 802.1x client. Values must be in the range 1–10. The default setting is 2.
Maximum Retries
Enter the maximum number of login requests that can be sent to the client. Values must be in the range 1–10. The default setting is 2.
Reset to Defaults
Click Reset to Defaults to reset all advanced options to their default values.
LAN Wizard: RADIUS Servers for 802.1x Authentication
802.1x authentication information is configured and stored in a policy database residing on RADIUS servers running Cisco Secure ACS version 3.3. The router must validate the credentials of 802.1x clients by communicating with a RADIUS server. Use this window to provide the information the router needs to contact one or more RADIUS servers. Each RADIUS server that you specify must have Cisco Secure ACS software version 3.3 installed and configured.
Note All of your Cisco IOS router interfaces enabled with 802.1x authorization will use the RADIUS servers set up in this window. When you configure a new interface, you will see this screen again. Additions or changes to the RADIUS server information, however, do not have to be made.
Choose the RADIUS client source
Configuring the RADIUS source allows you to specify the source IP address to be sent in RADIUS packets bound for the RADIUS server. If you need more information about an interface, choose the interface and click the Details button.
The source IP address in the RADIUS packets sent from the router must be configured as the NAD IP address in the Cisco ACS version 3.3 or later.
If you choose Router chooses source, the source IP address in the RADIUS packets will be the address of the interface through which the RADIUS packets exit the router.
If you choose an interface, the source IP address in the RADIUS packets will be the address of the interface that you chose as the RADIUS client source.
Note Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source and you choose a different source, the source IP address placed in the packets sent to the RADIUS server changes to the IP address of the new source, and may not match the NAD IP address configured on the Cisco ACS.
Details
If you need a quick snapshot of the information about an interface before choosing it, click Details. The screen shows you the IP address and subnet mask, the access rules and inspection rules applied to the interface, the IPSec policy and QoS policy applied, and whether there is an Easy VPN configuration on the interface.
Server IP, Timeout, and Parameters Columns
The Server IP, Timeout, and Parameters columns contain the information that the router uses to contact a RADIUS server. If no RADIUS server information is associated with the chosen interface, these columns are blank.
Use for 802.1x Check Box
Check this box if you want to use the listed RADIUS server for 802.1x. The server must have the required 802.1x authorization information configured for 802.1x to be used successfully.
Add, Edit, and Ping
To provide information for a RADIUS server, click the Add button and enter the information in the screen displayed. Choose a row and click Edit to modify the information for a RADIUS server. Choose a row and click Ping to test the connection between the router and a RADIUS server.
Note When performing a ping test, enter the IP address of the RADIUS source interface in the source field in the ping dialog. If you chose Router chooses source, you need not provide any value in the ping dialog source field.
The Edit and Ping buttons are disabled when no RADIUS server information is available for the chosen interface.
Edit 802.1x Authentication (Switch Ports)
This window allows you to enable and configure 802.1x authentication parameters.
If a message is displayed indicating that the port is operating in trunk mode instead of the 802.1x authentication parameters, then the switch cannot have 802.1x authentication enabled.
If the 802.1x authentication parameters appear but are disabled, then one of the following is true:
AAA has not been enabled. To enable AAA, go to Configure > Additional Tasks > AAA.
AAA has been enabled, but an 802.1x authentication policy has not been configured. To configure an 802.1x authentication policy, go to Configure > Additional Tasks > AAA > Authentication Policies > 802.1x.
Enable 802.1x Authentication
Check Enable 802.1x Authentication to enable 802.1x authentication on this switch port.
Host Mode
Choose Single or Multiple. Single mode allows only one authenticated client to have access. Multiple mode allows for any number of clients to have access once a single client has been authenticated.
Note Ports on Cisco 87x routers can be set only to multiple host mode. Single mode is disabled for these routers.
Guest VLAN
Check Guest VLAN to enable a VLAN for clients lacking 802.1x support. If you enable this option, choose a VLAN from the VLAN drop-down list.
Auth-Fail VLAN
Check Auth-Fail VLAN to enable a VLAN for clients that fail 802.1x authorization. If you enable this option, choose a VLAN from the VLAN drop-down list.
Periodic Reauthentication
Check Periodic Reauthentication to force reauthentication of 802.1x clients on a regular interval. Choose to configure the interval locally, or to allow the RADIUS server to set the interval. If you choose to configure the reauthentication interval locally, enter a value in the range of 1–65535 seconds. The default setting is 3600 seconds.
Advanced Options

Click Advanced Options to open a window with additional 802.1x authentication parameters.
LAN Wizard: 802.1x Authentication (VLAN or Ethernet)
This window allows you to enable 802.1x authentication on the Ethernet port you selected for configuration using the LAN wizard. For Cisco 87x routers, this window is available for configuring a VLAN with 802.1x authentication.
Note Before configuring 802.1x on a VLAN, be sure that 802.1x is not configured on any VLAN switch ports. Also be sure that the VLAN is configured for DHCP.
Use 802.1x Authentication to separate trusted and untrusted traffic on the interface
Check Use 802.1x Authentication to separate trusted and untrusted traffic on the interface to enable 802.1x authentication.
Exception Lists
Click Exception Lists to create or edit an exception list. An exception list exempts certain clients from 802.1x authentication while allowing them to use the VPN tunnel.
Exempt Cisco IP phones from 802.1x authentication
Check Exempt Cisco IP phones from 802.1x authentication to exempt Cisco IP phones from 802.1x authentication while allowing them to use the VPN tunnel.

802.1x Exception List

An exception list exempts certain clients from 802.1x authentication while allowing them to use the VPN tunnel. Exempt clients are identified by their MAC addresses.
Add
Click Add to open a window where you can add the MAC address of a client. The MAC address must be in the format that matches one of these examples:
0030.6eb1.37e4
00-30-6e-b1-37-e4
Cisco SDM rejects incorrectly formatted MAC addresses, except for MAC addresses shorter than the given examples. Shorter MAC addresses will be padded with a “0” (zero) for each missing digit.
Note Cisco SDM’s 802.1x feature does not support the CLI option that associates policies with MAC addresses and will not include in the exception list MAC addresses that have a policy associated with them.
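The following Python helper, added here and not part of Cisco SDM or the guide, accepts the two MAC address formats shown above and produces a single canonical dotted form for comparison; the zero-padding rule (leading zeros within each short group) and the rejection of group (multicast/broadcast) addresses are this example's own assumptions, not documented SDM behaviour.

```python
import re

# Formats accepted by the exception list, per the guide's examples:
#   0030.6eb1.37e4      (three 4-digit hex groups, dot separated)
#   00-30-6e-b1-37-e4   (six 2-digit hex groups, dash separated)
# Groups shorter than full width are accepted and zero-padded (assumption).
_DOTTED = re.compile(r"^([0-9a-f]{1,4})\.([0-9a-f]{1,4})\.([0-9a-f]{1,4})$", re.I)
_DASHED = re.compile(r"^" + r"-".join([r"([0-9a-f]{1,2})"] * 6) + r"$", re.I)


def normalize_exception_mac(text):
    """Return the canonical dotted MAC ("0030.6eb1.37e4"), or None if rejected.

    Assumption (not stated by the guide): a short group such as "30" in
    "30.6eb1.37e4" is padded with leading zeros to "0030".  Addresses with
    the I/G (multicast/broadcast) bit set are rejected as an added sanity
    check, because the exception list identifies individual client NICs.
    """
    s = text.strip()
    m = _DOTTED.match(s)
    if m:
        groups = [g.zfill(4) for g in m.groups()]
    else:
        m = _DASHED.match(s)
        if m is None:
            return None
        octets = [g.zfill(2) for g in m.groups()]
        groups = ["".join(octets[i:i + 2]) for i in (0, 2, 4)]
    mac = ".".join(g.lower() for g in groups)
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:  # I/G bit set: not a unicast client address
        return None
    return mac


def build_exception_list(entries):
    """Normalise, de-duplicate and split entries into (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for entry in entries:
        mac = normalize_exception_mac(entry)
        if mac is None:
            rejected.append(entry)
        elif mac not in seen:
            seen.add(mac)
            accepted.append(mac)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample entries, including the guide's two example formats.
    sample = ["0030.6eb1.37e4", "00-30-6E-B1-37-E4", "30.6eb1.37e4",
              "00:30:6e:b1:37:e4", "ffff.ffff.ffff"]
    ok, bad = build_exception_list(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```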
Delete
Click Delete to remove a chosen client from the exception list.
802.1x Authentication on Layer 3 Interfaces
This window allows you to configure 802.1x authentication on a Layer 3 interface. It lists Ethernet ports and VLAN interfaces that have or can be configured with 802.1x authentication, allows you to choose a Virtual Template interface for untrusted clients, and create an exception list for clients to bypass 802.1x authentication.
Note If policies have been set using the CLI, they will appear as read-only information in this window. In this case, only enabling or disabling 802.1x is allowed in this window.
Prerequisite Tasks
If a prerequisite task appears in the window, it must be completed before 802.1x authentication can be configured. A message explaining the prerequisite task is displayed, along with a link to the window where the task can be completed.
Enable 802.1x Authentication Globally
Check Enable 802.1x Authentication Globally to enable 802.1x authentication on all Ethernet ports.
Interfaces Table
The Interfaces table has the following columns:
Interface—Displays the name of the Ethernet or VLAN interface.
802.1x Authentication—Indicates whether 802.1x authentication is enabled for the Ethernet port.
Edit
Click Edit to open a window of editable 802.1x authentication parameters. The parameters are the 802.1x authentication settings for the interface chosen in the Interfaces table.
Untrusted User Policy
Choose a Virtual Template interface from the drop-down list. The chosen Virtual Template interface represents the policy applied to clients that fail 802.1x authentication.
Click the Details button to see more information about the chosen Virtual Template interface.
Exception List
For more information about the exception list, see 802.1x Exception List.
Exempt Cisco IP phones from 802.1x authentication
Check Exempt Cisco IP phones from 802.1x authentication to exempt Cisco IP phones from 802.1x authentication while allowing them to use the VPN tunnel.
Apply Changes
Click Apply Changes for the changes you made to take effect.
Discard Changes
Click Discard Changes to erase the unapplied changes you made.

Edit 802.1x Authentication

This window allows you to enable and change the default values for a number of 802.1x authentication parameters.
Enable 802.1x Authentication
Check Enable 802.1x Authentication to enable 802.1x authentication on the Ethernet port.
Periodic Reauthentication
Check Periodic Reauthentication to force reauthentication of 802.1x clients on a regular interval. Choose to configure the interval locally, or to allow the RADIUS server to set the interval. If you choose to configure the reauthentication interval locally, enter a value in the range of 1–65535 seconds. The default setting is 3600 seconds.
Advanced Options
Click Advanced Options for descriptions of the fields in the Advanced Options box.

How Do I ...

This section contains procedures for tasks that the wizard does not help you complete.

How Do I Configure 802.1x Authentication on More Than One Ethernet Port?

Once you configure 802.1x authentication on an interface, the LAN wizard will no longer display any 802.1x options for Ethernet ports because Cisco SDM uses the 802.1x configuration globally.
Note For configuring switches, the LAN wizard will continue to display the 802.1x options.
If you want to edit the 802.1x authentication configuration on an Ethernet port, go to Configure > Additional Tasks > 802.1x.
CHAPTER 5

Configuring WAN Connections

The WAN wizards enable you to configure WAN connections for all Cisco SDM-supported interfaces.
This chapter contains the following sections:
Configuring an Ethernet WAN Connection
Configuring a Serial Connection
Configuring a DSL Connection
Configuring an ISDN Connection
Configuring an Aux Backup Connection
Configuring an Analog Modem Connection
Configuring a Cable Modem Connection

Configuring an Ethernet WAN Connection

Complete these steps to configure an Ethernet WAN Connection:
Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
Step 2 In the Cisco SDM toolbar, click Configure.
Step 3 In the Cisco SDM taskbar, click Interfaces and Connections.
Step 4 In the Create Connection tab, click Ethernet WAN.
Step 5 Click Create Connection to start the wizard. The wizard Welcome screen describes the tasks you will complete.
Step 6 Click Next to go to the subsequent screens to configure the connection.
Step 7 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
Step 8 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test results in another screen.
Step 9 To send the configuration to the router, click Finish.
The Ethernet WAN Connection Reference describes the screens that Cisco SDM displays.

Ethernet WAN Connection Reference

WAN Wizard Interface Welcome Window
Select Interface
Encapsulation: PPPoE
IP Address: Ethernet without PPPoE
IP Address: ATM or Ethernet with PPPoE/PPPoA
Authentication
Advanced Options
Summary
WAN Wizard Interface Welcome Window
This window lists the types of connections you can configure for this interface using Cisco SDM. If you need to configure another type of connection for this interface, you can do so using the CLI.
Select Interface
This window appears if there is more than one interface of the type you selected in the Create Connection window. Choose the interface that you want to use for this connection.
Field Reference
Table 5-1 describes the fields in this screen.
Table 5-1 Select Interface Fields
Element Description
Check Boxes: Check the box next to the interface that you want to use for this connection.
If you are configuring an Ethernet interface, Cisco SDM inserts the description text $ETH-WAN$ in the configuration file so that it will recognize the interface as a WAN interface in the future.
Enable Dynamic DNS: Click Enable Dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
The Enable Dynamic DNS option is not shown for all connection types.
IP Address: Ethernet without PPPoE
Choose the method that the WAN interface will use to obtain an IP address.
Field Reference
Table 5-2 describes the fields in this screen.
Table 5-2 Ethernet without PPPoE IP Address Fields
Element Description
Static IP Address: If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
Dynamic (DHCP Client): If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
Dynamic DNS: Choose dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
Encapsulation: PPPoE
This window lets you enable Point-to-Point Protocol over Ethernet (PPPoE) encapsulation. This is necessary if your service provider or network administrator requires remote routers to communicate using PPPoE.
PPPoE is a protocol used by many asymmetric digital subscriber line (ADSL) service providers. Ask your service provider if PPPoE is used over your connection.
If you choose PPPoE encapsulation, Cisco SDM automatically adds a dialer interface to the configuration, and this is shown in the Summary window.
Field Reference
Table 5-3 describes the fields in this screen.
Table 5-3 PPPoE Encapsulation Fields
Element Description
Enable PPPoE Encapsulation: If your service provider requires that the router use PPPoE, check this box to enable PPPoE encapsulation. Uncheck this box if your service provider does not use PPPoE. This check box will not be available if your router is running a version of Cisco IOS that does not support PPPoE encapsulation.
Summary
This screen displays a summary of the WAN link that you configured. You can review this information, and if you need to change anything, you can click the Back button to return to the screen on which you need to make changes.
Button Reference
Table 5-4 describes the buttons in this screen.
Table 5-4 WAN Summary Buttons
Element Description
Test the connectivity after configuring: Check this box if you want Cisco SDM to test the connection you have configured after it delivers the commands to the router. Cisco SDM will test the connection and report results in another window.
To save this configuration to the router’s running configuration and leave this wizard:
Click Finish. Cisco SDM saves the configuration changes to the router’s running configuration. The changes will take effect immediately, but will be lost if the router is turned off.
If you checked Preview commands before delivering to router in the Cisco SDM Preferences window, the Deliver window appears. In this window, you can view the CLI commands that you are delivering to the router.
Advanced Options
There are two advanced options available, based on the router’s configuration: Default static route, and Port Address Translation (PAT). If the Static Route option is not visible in the window, a static route has already been configured on the router. If the PAT option is not visible, PAT has already been configured on an interface.
Field Reference
Table 5-5 describes the fields in this screen.
Table 5-5 Advanced Options Fields
Element Description
Default Static Route Check this box if you want to configure a static route to the outside
interface to which outgoing traffic will be routed. If a static route has already been configured on this router, this box does not appear.
Next Hop Address If your service provider has given you a next-hop IP address to use,
enter the IP address in this field. If you leave this field blank, Cisco SDM will use the WAN interface that you are configuring as the next-hop interface.
Port Address Translation If devices on the LAN have private addresses, you can allow them
to share a single public IP address. You can ensure that traffic goes to its proper destination by using PAT, which represents hosts on a LAN with a single IP address and uses different port numbers to distinguish the hosts. If PAT has already been configured on an interface, the PAT option will not be visible.
Inside Interface to be Translated Choose the inside interface connected to the network whose host IP
addresses you want to be translated.
Configuring a Serial Connection
Complete these steps to configure a Serial connection:
Step 1 If you want to review the IOS CLI commands that you send to the router when
you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
Step 2 In the Cisco SDM toolbar, click Configure.
Step 3 In the Cisco SDM taskbar, click Interfaces and Connections.
Step 4 In the Create Connection tab, click Serial.
Step 5 Click Create Connection to start the wizard. The wizard Welcome screen
describes the tasks you will complete.
Step 6 Click Next to go to the subsequent screens to configure the connection.
Step 7 Cisco SDM displays the Summary screen when you have completed the
configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
Step 8 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test results in another screen.
Step 9 To send the configuration to the router, click Finish.
The Serial Connection Reference describes the screens that Cisco SDM displays.

Serial Connection Reference

WAN Wizard Interface Welcome Window
Select Interface
IP Address: Serial with Point-to-Point Protocol
IP Address: Serial with HDLC or Frame Relay
Authentication
Configure LMI and DLCI
Configure Clock Settings
Advanced Options
Summary
IP Address: Serial with Point-to-Point Protocol
Choose the method that the point-to-point interface will use to obtain an IP address.
Field Reference
Table 5-6 describes the fields in this screen.
Table 5-6 Serial Connection with Point-to-Point Protocol
Element Description
Static IP Address If you choose Static IP Address, enter the IP address and subnet
mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
IP Unnumbered Choose IP Unnumbered if you want the interface to share an IP
address that has already been assigned to another interface. Then choose the interface whose IP address you want to use for the interface you are configuring.
Easy IP (IP Negotiated) Choose Easy IP (IP Negotiated) if the router will obtain an IP
address through PPP/IPCP address negotiation.
Dynamic DNS Choose dynamic DNS if you want to update your DNS servers
automatically whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
IP Address: Serial with HDLC or Frame Relay
Choose the method that the WAN interface will use to obtain an IP address. If Frame Relay encapsulation is used, Cisco SDM creates a subinterface, and the IP address is assigned to the subinterface Cisco SDM creates.
Field Reference
Table 5-7 describes the fields in this screen.
Table 5-7 Serial Connection with HDLC or Frame Relay Fields
Element Description
Static IP Address If you choose Static IP Address, enter the IP address and subnet
mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
IP Unnumbered Choose IP Unnumbered if you want the interface to share an IP
address that has already been assigned to another interface. Then choose the interface whose IP address you want to use for the interface you are configuring.
Dynamic DNS Choose dynamic DNS if you want to update your DNS servers
automatically whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
Authentication
This page is displayed if you enabled or are configuring:
PPP for a serial connection
PPPoE or PPPoA encapsulation for an ATM connection
PPPoE or PPPoA encapsulation for an Ethernet connection
An ISDN BRI or analog modem connection
Your service provider or network administrator may use a Challenge Handshake Authentication Protocol (CHAP) password or a Password Authentication Protocol (PAP) password to secure the connection between the devices. This password secures both incoming and outgoing access.
Field Reference
Table 5-8 describes the fields in this screen.
Table 5-8 Authentication Fields
Element Description
Authentication Type Check the box for the type of authentication used by your service
provider. If you do not know which type your service provider uses, you can check both boxes: the router will attempt both types of authentication, and one attempt will succeed.
CHAP authentication is more secure than PAP authentication.
Username The username is given to you by your Internet service provider or
network administrator and is used as the username for CHAP or PAP authentication.
Password Enter the password exactly as given to you by your service provider.
Passwords are case sensitive. For example, the password cisco is not the same as Cisco.
Confirm Password Reenter the same password that you entered in the previous box.
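To show why the table calls CHAP more secure than PAP, here is an added Python example that is not part of the Cisco SDM guide: it builds the PAP Authenticate-Request of RFC 1334, which carries the password in clear text, and the MD5 Challenge/Response of RFC 1994, in which only a per-challenge digest crosses the link. The username and challenge values are constructed; the password is the guide's own case-sensitivity example.

```python
import hashlib
import os
import secrets

# Constructed credentials for the example; a real username and password come from
# the service provider. "cisco" is the guide's own case-sensitivity example.
USERNAME = "cpe-user"
SECRET = "cisco"


def pap_authenticate_request(username: str, password: str) -> bytes:
    """Payload of a PAP Authenticate-Request (RFC 1334): both fields travel in clear text."""
    user, pw = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pw)]) + pw


def chap_md5_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Value = MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link; only this one-time digest does."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_response_packet(identifier: int, secret: str, challenge: bytes, name: str) -> bytes:
    """Full CHAP Response packet: Code=2, Identifier, Length, Value-Size, Value, Name."""
    value = chap_md5_response(identifier, secret, challenge)
    body = bytes([len(value)]) + value + name.encode()
    length = 4 + len(body)
    return bytes([2, identifier]) + length.to_bytes(2, "big") + body


def chap_verify(identifier: int, stored_secret: str, challenge: bytes, packet: bytes) -> bool:
    """Authenticator side: recompute the digest from its own copy of the secret and
    compare in constant time. Note that CHAP therefore requires the authenticator
    to keep the secret in recoverable form, not as a one-way hash."""
    if len(packet) < 5 or packet[0] != 2 or packet[1] != identifier:
        return False
    value_size = packet[4]
    received = packet[5:5 + value_size]
    expected = chap_md5_response(identifier, stored_secret, challenge)
    return secrets.compare_digest(received, expected)


def run_chap_exchange(peer_secret: str, authenticator_secret: str, identifier: int = 1) -> bool:
    """One challenge/response round. A fresh random challenge means a captured
    response cannot be replayed later."""
    challenge = os.urandom(16)
    packet = chap_response_packet(identifier, peer_secret, challenge, USERNAME)
    return chap_verify(identifier, authenticator_secret, challenge, packet)


def secret_visible_on_wire(payload: bytes, secret: str) -> bool:
    """Does the clear-text secret appear anywhere in the bytes that were sent?"""
    return secret.encode() in payload


if __name__ == "__main__":
    pap = pap_authenticate_request(USERNAME, SECRET)
    chap = chap_response_packet(1, SECRET, os.urandom(16), USERNAME)
    print("PAP exposes secret on wire :", secret_visible_on_wire(pap, SECRET))   # True
    print("CHAP exposes secret on wire:", secret_visible_on_wire(chap, SECRET))  # False
    print("CHAP, matching secrets     :", run_chap_exchange("cisco", "cisco"))   # True
    print("CHAP, 'cisco' vs 'Cisco'   :", run_chap_exchange("cisco", "Cisco"))   # False
```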
Configure LMI and DLCI
If you are configuring a connection with Frame Relay encapsulation, you must specify the protocol used to monitor the connection, called the Local Management Identifier (LMI), and provide a unique identifier for this particular connection, called a data link connection identifier (DLCI).
Field Reference
Table 5-9 describes the fields in this screen.
Table 5-9 LMI and DLCI Fields
Element Description
LMI Type
ANSI Annex D defined by American National Standards Institute (ANSI)
standard T1.617.
Cisco LMI type defined jointly by Cisco Systems and three other
companies.
ITU-T Q.933 ITU-T Q.933 Annex A.
Autosense The default. This setting allows the router to detect which LMI type
is being used by communicating with the switch and to then use that type. If autosense fails, the router will use the Cisco LMI type.
DLCI Enter the DLCI in this field. This number must be unique among all
DLCIs used on this interface.
Use IETF Frame Relay Encapsulation Internet Engineering Task Force (IETF) encapsulation. This option is used when connecting to non-Cisco routers. Check this box if you are connecting to a non-Cisco router on this interface.
Configure Clock Settings
The Clock Settings window is available when you are configuring a T1 or E1 link. The default Frame Relay clock settings are shown in this page. You should not change them unless you know you have different requirements.
Field Reference
Table 5-10 describes the fields in this screen.
Table 5-10 Clock Settings Fields
Element Description
Clock Source Internal specifies that the clock be generated internally. Line
specifies that the clock source be taken from the network. The clock synchronizes data transmission. The default is line.
T1 Framing This field configures the T1 or E1 link for operation with D4 Super
Frame (sf) or Extended Superframe (esf). The default is esf.
Line Code This field configures the router for operation on binary 8-zeros
substitution (B8ZS) or alternate mark inversion (AMI) T1 lines. The b8zs setting ensures density on a T1 or E1 line by substituting intentional bipolar violations in bit positions 4 and 7 for a sequence of eight zero bits. When the router is configured with the AMI setting, you must use the data-coding inverted setting to ensure density on the T1 line. The default is b8zs.
Data Coding Click inverted if you know that user data is inverted on this link, or
if the Line Code field is set to AMI. Otherwise leave this set to the default value normal. Data inversion is used with bit-oriented protocols such as HDLC, PPP, and Link Access Procedure, Balanced (LAPB) to ensure density on a T1 line with AMI encoding. These bit-oriented protocols perform “zero insertions” after every five “one” bits in the data stream. This has the effect of ensuring at least one zero in every eight bits. If the data stream is then inverted, it ensures that at least one out of every eight bits is a one.
Cisco SDM will set data coding to inverted if the line code is AMI and there are no time slots configured for 56 kbps. If you do not want to use inverted data coding with the AMI line code, you must use the CLI to configure all time slots to 56 kbps.
Facilities Data Link (FDL) This field configures the router behavior on the Facilities Data Link (FDL) of the Extended Superframe. When configured with att, the router implements AT&T TR 54016. When configured with ansi, it implements ANSI T1.403. When you choose both, the router implements both the att and ansi choices. When you choose none, the router ignores the FDL. The default is none. If T1 or E1 framing is set to sf, Cisco SDM will set FDL to none and make this field read-only.
Line Build Out (LBO) This field is used to configure the line build out (LBO) of the T1
link. The LBO decreases the transmit strength of the signal by –7.5 or –15 decibels. It is not likely to be needed on actual T1 or E1 lines. The default is none.
Remote Loopback Requests This field specifies whether the router will go into loopback mode
when a loopback code is received on the line. Choosing full causes the router to accept full loopbacks, while choosing payload-v54 will cause the router to choose payload loopbacks.
Enable Generation/Detection of Remote Alarms
Check this box if you want the router T1 link to generate remote alarms (yellow alarms) and to detect remote alarms being sent from the peer on the other end of the link.
The remote alarm is transmitted by a router when it detects an alarm condition: either a red alarm (loss of signal) or a blue alarm (unframed 1s). The receiving channel service unit/data service unit (CSU/DSU) then knows that there is an error condition on the line.
This setting should only be used when T1 framing is set to esf.
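The ones-density argument in the Line Code and Data Coding rows of Table 5-10, worked through in an added Python example that is not from the guide: it performs the HDLC/PPP/LAPB zero insertion, applies inverted data coding, line-codes the result with AMI or B8ZS, and measures the longest run with no pulse on the line. The bit strings are constructed inputs, and the density check uses the guide's own rule of at least one 1 in every eight bits.

```python
from typing import List

ZERO_RUN_LIMIT = 7  # the guide's rule: at least one "1" pulse in every eight bits


def hdlc_zero_insert(bits: str) -> str:
    """Bit stuffing used by HDLC, PPP and LAPB: a 0 is inserted after every five
    consecutive 1s, so the stuffed stream never carries more than five 1s in a row."""
    out: List[str] = []
    ones = 0
    for b in bits:
        out.append(b)
        if b == "1":
            ones += 1
            if ones == 5:
                out.append("0")
                ones = 0
        else:
            ones = 0
    return "".join(out)


def invert(bits: str) -> str:
    """Data coding 'inverted': every bit is complemented before line coding, so the
    guaranteed 0 in every six bits becomes a guaranteed 1 (a pulse)."""
    return bits.translate(str.maketrans("01", "10"))


def ami_encode(bits: str) -> List[str]:
    """Alternate mark inversion: each 1 is a pulse of alternating polarity and each 0
    is no pulse. A long run of 0s leaves the line idle and starves clock recovery."""
    line: List[str] = []
    last = "-"                      # polarity of the most recent pulse
    for b in bits:
        if b == "1":
            last = "+" if last == "-" else "-"
            line.append(last)
        else:
            line.append("0")
    return line


def b8zs_encode(bits: str) -> List[str]:
    """Binary 8-zero substitution: AMI, but any eight consecutive 0s are sent as
    000VB0VB, where V is a pulse that violates alternation (positions 4 and 7) and
    B is a normal pulse. The receiver recognises the violations and restores the 0s."""
    line: List[str] = []
    last = "-"
    i = 0
    while i < len(bits):
        if bits.startswith("00000000", i):
            other = "+" if last == "-" else "-"
            line.extend(["0", "0", "0", last, other, "0", other, last])
            i += 8                  # the block ends on polarity "last", so it is unchanged
        elif bits[i] == "1":
            last = "+" if last == "-" else "-"
            line.append(last)
            i += 1
        else:
            line.append("0")
            i += 1
    return line


def longest_zero_run(line: List[str]) -> int:
    """Longest stretch of the line with no pulse at all."""
    longest = run = 0
    for sym in line:
        run = run + 1 if sym == "0" else 0
        longest = max(longest, run)
    return longest


def meets_density(line: List[str]) -> bool:
    return longest_zero_run(line) <= ZERO_RUN_LIMIT


if __name__ == "__main__":
    payload = "0" * 24 + "1" * 12   # constructed user data with long all-zero and all-one runs
    print("AMI, normal coding  :", meets_density(ami_encode(payload)))                          # False
    print("B8ZS, normal coding :", meets_density(b8zs_encode(payload)))                         # True
    print("AMI, inverted coding:", meets_density(ami_encode(invert(hdlc_zero_insert(payload)))))  # True
```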
Configuring a DSL Connection
Complete these steps to configure an ADSL or G.SHDSL connection:
Step 1 If you want to review the IOS CLI commands that you send to the router when
you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
Step 2 In the Cisco SDM toolbar, click Configure.
Step 3 In the Cisco SDM taskbar, click Interfaces and Connections.
Step 4 The Create Connection tab displays the available DSL connection types, for
example, ADSL (PPPoE or RFC 1483 routing or PPPoA). Choose an available connection type.
Step 5 Click Create Connection to start the wizard. The wizard Welcome screen
describes the tasks you will complete.
Step 6 Click Next to go to the subsequent screens to configure the connection.
Step 7 Cisco SDM displays the Summary screen when you have completed the
configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
Step 8 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test results in another screen.
Step 9 To send the configuration to the router, click Finish.
The DSL Connection Reference describes the screens that Cisco SDM displays.

DSL Connection Reference

WAN Wizard Interface Welcome Window
Select Interface
Encapsulation: PPPoE
Encapsulation Autodetect
IP Address: ATM or Ethernet with PPPoE/PPPoA
IP Address: ATM with RFC 1483 Routing
Authentication
Advanced Options
PVC
Summary
IP Address: ATM or Ethernet with PPPoE/PPPoA
Choose the method that the WAN interface will use to obtain an IP address.
Field Reference
Table 5-11 describes the fields in this screen.
Table 5-11 ATM or Ethernet with PPPoE or PPPoA
Element Description
Static IP Address If you choose Static IP Address, enter the IP address and subnet
mask or the network bits in the fields provided.
Dynamic (DHCP Client) If you choose Dynamic, the router will lease an IP address from a
remote DHCP server. Enter the name of the DHCP server that will assign addresses.
IP Unnumbered Choose IP Unnumbered if you want the interface to share an IP
address that has already been assigned to another interface. Then choose the interface whose IP address you want to use for the interface you are configuring.
Easy IP (IP Negotiated) Choose Easy IP (IP Negotiated) if the router will obtain an IP
address through PPP/IPCP address negotiation.
Dynamic DNS Choose dynamic DNS if you want to update your DNS servers
automatically whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
IP Address: ATM with RFC 1483 Routing
Choose the method that the WAN interface will use to obtain an IP address.
Field Reference
Table 5-12 describes the fields in this screen.
Table 5-12 ATM with RFC 1483 Routing
Element Description
Static IP Address If you choose Static IP Address, enter the IP address and subnet
mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
Dynamic (DHCP Client) If you choose Dynamic, the router will lease an IP address from a
remote DHCP server. Enter the name of the DHCP server that will assign addresses.
IP Unnumbered Click IP Unnumbered if you want the interface to share an IP
address that has already been assigned to another interface. Then choose the interface whose IP address you want to use for the interface you are configuring.
Dynamic DNS Choose dynamic DNS if you want to update your DNS servers
automatically whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
Encapsulation Autodetect
In this window, choose the type of encapsulation that the WAN link will use. Ask your service provider or network administrator which type of encapsulation is used for this link. The interface type determines the types of encapsulation available.
Field Reference
Table 5-13 describes the fields in this screen.
Table 5-13 Encapsulation Fields
Element Description
Autodetect Click Autodetect to have Cisco SDM discover the encapsulation type. If Cisco SDM succeeds, it will automatically supply the encapsulation type and other configuration parameters it discovers.
Note Cisco SDM supports autodetect on SB106, SB107, Cisco
836, and Cisco 837 routers. However if you are configuring a Cisco 837 router and the router is running Cisco IOS Release 12.3(8)T or 12.3(8.3)T, the autodetect feature is not supported.
Encapsulations Available for ADSL, G.SHDSL, or ADSL over ISDN
PPPoE Provides Point-to-Point Protocol over Ethernet encapsulation. This
option is available when you have selected an Ethernet interface or an ATM interface. An ATM subinterface and a dialer interface will be created when you configure PPPoE over an ATM interface.
The PPPoE radio button will be disabled if your router is running a version of Cisco IOS that does not support PPPoE encapsulation.
PPPoA Provides Point-to-Point Protocol over ATM encapsulation. This option is available when you have selected an ATM interface. An ATM subinterface and a dialer interface will be created when you configure PPPoA over an ATM interface.
The PPPoA radio button will be disabled if your router is running a version of Cisco IOS that does not support PPPoA encapsulation.
RFC 1483 routing with AAL5-SNAP This option is available when you have selected an ATM interface. An ATM subinterface will be created when you configure an RFC 1483 connection. This subinterface will be visible in the Summary window.
RFC 1483 routing with AAL5-MUX This option is available when you have selected an ATM interface. An ATM subinterface will be created when you configure an RFC 1483 connection. This subinterface will be visible in the Summary window.
Encapsulations Available for Serial Interfaces
Frame Relay
Provides Frame Relay encapsulation. This option is available when you have selected a serial interface. A serial subinterface will be created when you create a Frame Relay connection. This subinterface will be visible in the Summary window.
Note If a Frame Relay serial connection has been added to an
interface, only Frame Relay encapsulation will be enabled in this window when subsequent serial connections are configured on the same interface.
Point-to-Point Protocol
Provides PPP encapsulation. This option is available when you have selected a serial interface.
High Level Data Link Control
Provides HDLC encapsulation. This option is available when you have selected a serial interface.
PVC
ATM routing uses a two-layer hierarchical scheme, virtual paths and virtual channels, denoted by the virtual path identifier (VPI) and virtual channel identifier (VCI), respectively. A particular virtual path may carry a number of different virtual channels corresponding to individual connections. When switching is performed based on the VPI, all cells on that particular virtual path are switched regardless of the VCI. An ATM switch may route according to VCI, VPI, or both VCI and VPI.
Field Reference
Table 5-14 describes the fields in this screen.
Table 5-14 PVC Fields
Element Description
VPI Enter the VPI value obtained from your service provider or system administrator. The virtual path identifier (VPI) is used in ATM switching and routing to identify the path used for a number of connections.
VCI Enter the VCI value obtained from your service provider or system administrator. The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular connection within a path that it may share with other connections.
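The VPI/VCI hierarchy described for the PVC screen, in an added Python example that is not from the guide: it packs and parses the 5-byte UNI cell header (GFC, VPI, VCI, PT, CLP and the HEC checksum of ITU-T I.432) and forwards constructed cells through a small switch holding one virtual-path entry and one virtual-channel entry, so that VP switching carries every VCI on the path unchanged while VC switching matches the full pair. All port numbers and VPI/VCI values are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CellHeader:
    vpi: int        # 8 bits at the UNI
    vci: int        # 16 bits
    gfc: int = 0    # generic flow control, 4 bits
    pt: int = 0     # payload type, 3 bits
    clp: int = 0    # cell loss priority, 1 bit


def hec(first4: bytes) -> int:
    """Header error control (I.432): CRC-8 with generator x^8 + x^2 + x + 1 over the
    first four header bytes, XORed with the coset pattern 0x55."""
    crc = 0
    for byte in first4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55


def pack_header(h: CellHeader) -> bytes:
    if not (0 <= h.vpi < 256 and 0 <= h.vci < 65536):
        raise ValueError("VPI must fit in 8 bits and VCI in 16 bits at the UNI")
    first4 = bytes([
        (h.gfc << 4) | (h.vpi >> 4),
        ((h.vpi & 0xF) << 4) | (h.vci >> 12),
        (h.vci >> 4) & 0xFF,
        ((h.vci & 0xF) << 4) | (h.pt << 1) | h.clp,
    ])
    return first4 + bytes([hec(first4)])


def parse_header(raw: bytes) -> Tuple[CellHeader, bool]:
    """Returns the decoded fields and whether the HEC matched; on a mismatch the
    VPI/VCI cannot be trusted and the cell should be discarded rather than switched."""
    if len(raw) != 5:
        raise ValueError("ATM cell header is exactly 5 bytes")
    b0, b1, b2, b3, h = raw
    header = CellHeader(
        gfc=b0 >> 4,
        vpi=((b0 & 0xF) << 4) | (b1 >> 4),
        vci=((b1 & 0xF) << 12) | (b2 << 4) | (b3 >> 4),
        pt=(b3 >> 1) & 0x7,
        clp=b3 & 0x1,
    )
    return header, hec(raw[:4]) == h


class AtmSwitch:
    """VP switching rewrites only the VPI and carries every VCI on that path unchanged;
    VC switching matches the (VPI, VCI) pair and may rewrite both."""

    def __init__(self) -> None:
        self.vp_table: Dict[Tuple[int, int], Tuple[int, int]] = {}            # (port, vpi) -> (port, vpi)
        self.vc_table: Dict[Tuple[int, int, int], Tuple[int, int, int]] = {}  # (port, vpi, vci) -> (port, vpi, vci)

    def forward(self, in_port: int, raw: bytes) -> Optional[Tuple[int, bytes]]:
        header, ok = parse_header(raw)
        if not ok:
            return None                                   # corrupted header: drop
        vc = self.vc_table.get((in_port, header.vpi, header.vci))
        if vc is not None:
            out_port, header.vpi, header.vci = vc
        else:
            vp = self.vp_table.get((in_port, header.vpi))
            if vp is None:
                return None                               # no PVC provisioned: drop
            out_port, header.vpi = vp                     # VCI left untouched
        return out_port, pack_header(header)


def demo_switch() -> AtmSwitch:
    """Constructed configuration: VPI 5 arriving on port 1 is VP-switched to VPI 9 on
    port 2; the single channel VPI 8 / VCI 35 on port 1 is VC-switched to VPI 1 / VCI 32
    on port 3."""
    sw = AtmSwitch()
    sw.vp_table[(1, 5)] = (2, 9)
    sw.vc_table[(1, 8, 35)] = (3, 1, 32)
    return sw
```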
Cisco IOS Default Values
The values shown in the following table are Cisco IOS defaults. Cisco SDM will not overwrite these values if they have been changed during a prior configuration, but if your router has not been previously configured, these are the values that will be used.
Connection Type Parameter Value
ADSL Operating mode Auto
G.SHDSL Operating mode Annex A (United States)
G.SHDSL Line rate Auto
G.SHDSL Equipment type CPE
ADSL over ISDN Operating mode Auto
Configuring an ISDN Connection
Complete these steps to configure an ISDN connection:
Step 1 If you want to review the IOS CLI commands that you send to the router when
you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
Step 2 In the Cisco SDM toolbar, click Configure.
Step 3 In the Cisco SDM taskbar, click Interfaces and Connections.
Step 4 In the Create Connection tab, click ISDN (PPP).
Step 5 Click Create Connection to start the wizard. The wizard Welcome screen
describes the tasks you will complete.
Step 6 Click Next to go to the subsequent screens to configure the connection.
Step 7 Cisco SDM displays the Summary screen when you have completed the
configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
Step 8 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test results in another screen.
Step 9 To send the configuration to the router, click Finish.
The ISDN Connection Reference describes the screens that Cisco SDM displays.

ISDN Connection Reference

ISDN Wizard Welcome Window
Select Interface
IP Address: ISDN BRI or Analog Modem
Switch Type and SPIDs
Authentication
Advanced Options
Dial String
Summary
ISDN Wizard Welcome Window
PPP is the only type of encoding supported over an ISDN BRI by Cisco SDM.
IP Address: ISDN BRI or Analog Modem
Choose the method that the ISDN BRI or analog modem interface will use to obtain an IP address.
Field Reference
Table 5-15 describes the fields in this screen.
Table 5-15 IP Address for ISDN BRI or Analog Modem Fields
Element Description
Static IP Address If you choose Static IP Address, enter the IP address and subnet
mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
IP Unnumbered Choose IP Unnumbered if you want the interface to share an IP
address that has already been assigned to another interface. Then, choose the interface that has the IP address that you want the interface that you are configuring to use.
Easy IP (IP Negotiated) Choose IP Negotiated if the interface will obtain an IP address
from your ISP through PPP/IPCP address negotiation whenever a connection is made.
Dynamic DNS Choose Dynamic DNS if you want to update your DNS servers
automatically whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
Switch Type and SPIDs
ISDN BRI connections require identification of the ISDN switch type, and in some cases, identification of the B channels using service profile ID (SPID) numbers. This information will be provided to you by your service provider.
Field Reference
Table 5-16 describes the fields in this screen.
Table 5-16 Switch Type and SPIDs Fields
Element Description
ISDN Switch Type Choose the ISDN switch type. Contact your ISDN service provider
for the switch type for your connection.
Cisco SDM supports these BRI switch types:
For North America:
basic-5ess—Lucent (AT&T) basic rate 5ESS switch
basic-dms100—Northern Telecom DMS-100 basic rate switch
basic-ni—National ISDN switches
For Australia, Europe, and the UK:
basic-1tr6—German 1TR6 ISDN switch
basic-net3—NET3 ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system
vn3—French ISDN BRI switches
For Japan:
ntt—Japanese NTT ISDN switches