Cisco Security Manager

Migrating from 1800/2800/3800 ISRs to 1900/2900/3900 ISRs Using Cisco Security Manager 3.3.1


Table Of Contents

Migrating from 1800/2800/3800 ISRs to 1900/2900/3900 ISRs Using Cisco Security Manager 3.3.1

Abstract

Overview

Understanding the Differences Between the ISR Models That Affect Migration

Overview of the Migration Process Using Security Manager

Preparing the New ISR G2 Device for Migration

Preparing the Old Device Policies in Security Manager

Copying Policies from the Old Device to the New Device

Migrating Site-to-Site VPN Policies

Finishing Up



First Published: November 2009

Abstract

Cisco Security Manager is an enterprise-class security management software application. You can use it to manage security policies on a wide variety of devices. At times, you will want to replace devices in your network with newer models to improve overall network performance, provide new services, or for a variety of other reasons.

This paper describes how to use Cisco Security Manager 3.3.1 to replace older model integrated services routers (1800, 2800, and 3800 ISR series) with newer generation 2 models (1900, 2900, and 3900 ISR series). Although this paper is specific to these router models, you can use these concepts and techniques to help you replace any Security Manager-supported hardware device.

This paper assumes that you are already using Security Manager to manage the device that you intend to replace. You must also first upgrade to Security Manager 3.3.1 before you can manage 1900, 2900, or 3900 series integrated services routers.

For more information about Cisco Security Manager, see http://www.cisco.com/go/csmanager.

Overview

The 1900, 2900, and 3900 integrated services routers (ISR) series are the next generation, or Generation 2 (G2), of Cisco's integrated service routers. These next generation devices consist of the following new platforms:

1900 Series Integrated Services Routers—1941, 1941W

2900 Series Integrated Services Routers—2901, 2911, 2921, 2951

3900 Series Integrated Services Routers—3925, 3945

These platforms provide up to five times the performance of the existing equivalent ISR platforms and provide a simpler licensing scheme using Cisco IOS Software version 15.0(1)M.

You can replace your existing 1800, 2800, and 3800 series ISRs with the corresponding new models. However, you will need to migrate from your existing ISR to a new one in a phased manner to avoid any disruption of your network and to take advantage of new services available in the new router models. This paper describes how to accomplish this migration using Cisco Security Manager 3.3.1.

The following table shows the typical match between existing ISR models and the new ISR models.

Table 1 Typical Migration Path From 1800/2800/3800 to 1900/2900/3900 ISRs

Old Router | New Router
-----------|------------
3845       | 3945
3825       | 3925
2851       | 2951
2821       | 2921
2811       | 2911
2801       | 2901
1841       | 1941, 1941W


You can also upgrade the router model during migration. For example, you could go from a 2821 to a 2951, 3925, or 3945 depending on your network requirements.

For more information about the 1900, 2900, and 3900 series integrated services routers, see the following topics:

Cisco Integrated Services Router Generation 2 Q&A (which includes tables comparing the equivalent older and newer ISR models): http://www.cisco.com/en/US/prod/collateral/routers/ps10538/qa_c67_553891_ps10537_Products_Q_and_A_Item.html

Cisco Integrated Service Routers: http://www.cisco.com/go/isr

1900, 2900, 3900 Series Comparison: http://www.cisco.com/en/US/products/ps10538/prod_series_comparison.html

In Depth Overview of Network Security Features for Integrated Services Routers Generation 2: http://www.cisco.com/en/US/prod/collateral/routers/ps10538/white_paper_c11_556320_ps10537_Products_White_Paper.html

Network Security Features for Cisco Integrated Services Routers Generation 2 Platform: http://www.cisco.com/en/US/prod/collateral/routers/ps10538/data_sheet_c78-556151.html

Cisco ISR G2 Management Overview: http://www.cisco.com/en/US/prod/collateral/routers/ps10538/white_paper_c78_556613.html

Understanding the Differences Between the ISR Models That Affect Migration

The ISR G2 platforms have feature parity with the older generation ISRs, including CLI commands. However, there are two main changes that affect migration:

Slot numbering—There is a change in slot numbering in some of the new platforms compared to the existing ISR slot numbering for the similar older router model. For more details, see:

http://www.cisco.com/en/US/prod/collateral/routers/ps10537/product_bulletin_ISRG2_Manageability.pdf

Software packaging and licensing—The older platforms have separate images for each feature set, such as IP Base, Advanced Security, Advanced IP Services, Advanced Enterprise, and so forth, with no licensing support. The ISR G2 platforms support both image level and feature level licensing mechanisms.

For image level licensing, a universal image that contains all levels of software packages is loaded onto the system. At boot time, the system checks for the availability of the highest level of license and brings up the appropriate software features or subsystems.

Feature level licensing supports enforcement of licenses for individual features. Features have to check for the availability of the required license before enabling themselves. If the required license is not available, the feature disables itself.

For more information about Cisco software licensing and activation, see the following topics:

Cisco's Integrated Services Routers Generation Two Licensing and Packaging: http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985_ps10537_Products_White_Paper.html

Cisco IOS Software Activation Conceptual Overview: http://www.cisco.com/en/US/docs/ios/csa/configuration/guide/csa_overview.html

Cisco IOS Software Activation Home Page: http://www.cisco.com/go/sa

Overview of the Migration Process Using Security Manager


Tip You should test the migration process in your lab before migrating devices in your production environment to ensure the smoothest transition with the least disruption to your network. The migration process described in this document explains how to copy all policies from the old to the new device, but in your specific situation, you might want to selectively copy only specific policies and configure other policies as new policies. When you copy policies, you should review the policies on the new device to ensure that they provide the desired configuration.


To migrate from an older to newer ISR G2 model, you can use the Copy Policies Between Devices command in Security Manager. Using this command, you can copy policies between your older router and the newer model with which you will replace it. This command is available in Device view when you right-click the old device in the device tree, or on the Policy menu (with or without the device being selected).

You can copy the following types of policies safely between an older ISR and the corresponding newer model. After copying the policies, run the validation process to ensure that there are no errors or warnings using the File > Validate command. Note that validation automatically runs before you can deploy the configuration, so you do not need to run it separately; however, it is a good test for your configuration changes.

Firewall

IPS (intrusion prevention system, if you have it enabled)

NAT (network address translation)

Remote Access VPN

Interfaces

Platform


Note You cannot copy Site-to-Site VPN policies. If the device participates in a Site-to-Site VPN, use the Site-to-Site VPN Manager to update the required policies.


To complete the migration, follow these steps:


Step 1 Prepare the new device with the minimum configuration required for Security Manager to access it, apply configuration changes, and copy the required policies. For the detailed steps, see Preparing the New ISR G2 Device for Migration.

Step 2 Prepare the policies for the old device in Security Manager to be copied to the new device. For detailed information, see Preparing the Old Device Policies in Security Manager.

Step 3 Add the new device to Security Manager, create device-level policy object overrides (if necessary), and copy policies from the old device to the new device. If you have not already upgraded to Security Manager 3.3.1, you must do so before you can add 1900, 2900, or 3900 series devices to the inventory. For the detailed steps, see Copying Policies from the Old Device to the New Device.

Step 4 If the device participates in a Site-to-Site VPN, edit the VPN policies to replace the old device with the new one. For the detailed steps, see Migrating Site-to-Site VPN Policies.

Step 5 Verify that the new device is functioning correctly, and remove the old device from the network.

Step 6 Delete the old device from the Security Manager inventory.


Preparing the New ISR G2 Device for Migration

You must do some preliminary configuration of the new 1900, 2900, or 3900 series routers before you can perform migration using Security Manager. The following list explains hardware preparation and initial configuration using the console and the router's command line interface (CLI) and IOS software commands. For more extensive information on performing initial configurations, see Cisco 2900 and 3900 Series Hardware Installation Guide (http://www.cisco.com/en/US/products/ps10537/prod_installation_guides_list.html) or Cisco 1900 Series Integrated Router Hardware Installation (http://www.cisco.com/en/US/docs/routers/access/1900/hardware/installation/guide/1900_HIG.html).

Modules and slot numbering—Ensure that the same or compatible physical modules are present in the new router that match the existing router. The slot numbers should match between the new and old routers to avoid any deployment failures. For example, if the HWIC-16A module is present in slot 3 of a 2801 router, the same module should be present in slot 3 of the replacement 2901 router.

Software packaging and licensing—Security Manager does not install, manage, or validate device licenses. You must ensure that you activate the appropriate licenses in the new router for the features you are using, either with evaluation or permanent licenses. The new router must have equal or greater feature support compared to the image running on the old router; otherwise, you can encounter migration failures if you copy policies that are not supported by the licenses on the new router. From the perspective of performing migration using Security Manager, you should have at least the following licenses installed before migration:

Securityk9 image license

SSL VPN feature license

For more information about installing licenses, see:

IOS Software Activation Command Guide: http://www.cisco.com/en/US/docs/ios/csa/configuration/guide/15_0/csa_book.html

Cisco IOS Software Activation Command Reference: http://www.cisco.com/en/US/docs/ios/csa/command/reference/csa_book.html

User credentials and device access—Configure the new router with the following:

One user with the same credentials as the primary credentials of the old router (the credentials used by Security Manager for managing the device).

If you are migrating IPS policies, also configure a user that matches the HTTP credentials of the old router (which are used to manage IPS policies).

Appropriate transport settings. Configure settings for SSL and SSH as described in the chapter on preparing devices in the User Guide for Cisco Security Manager, http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/ivprep.html.

To find the usernames, right-click the old device in Security Manager and select Device Properties, then select Credentials from the device properties table of contents. The passwords are masked, so you must know them. If you use SSL for device access (the recommended configuration), it is likely that the same user is used for both primary and HTTP credentials. However, if you use SSH or Telnet, you might be using different accounts. (Because Telnet passes user credentials in clear text, you should never use Telnet to connect to any security device.)

During migration, you should manage both devices using the same account. This ensures that when you deploy the configuration with user account and transport settings, Security Manager does not lose the ability to log into the device.

IP routing—If you intend to copy any routing policies, ensure that you enable IP routing on the new device.

RSA Key Pair—If you intend to copy the SSH policy (Platform > Device Admin > Device Access > Secure Shell), ensure that an RSA key pair is configured on the new device.

SSL VPN logos and CSD packages—If you intend to copy SSL VPN policies, you must manually copy any custom logos and Cisco Secure Desktop (CSD) packages used by those policies on the old device to the new device before copying the policies.

IOS-IPS configuration—If you intend to copy IPS policies, ensure that:

The IPS public key is configured on the new device so that it can obtain IOS-IPS signature updates from Cisco.com.

A directory is created in flash on the new device where IOS-IPS related files will be kept.

Connect to network—Connect at least one interface to a network to which the Security Manager server has access, configure an IP address for the interface, and enable the interface. You must be able to ping this IP address from the Security Manager server; it does not matter if you can ping it from the workstation on which you are using the Security Manager client.
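The following bootstrap configuration is an added illustration, not taken from this paper or from Cisco's installation guides, of one way to cover the preparation items listed above on a 2900 series ISR G2. The hostname, domain name, username, addresses, and directory name are assumed placeholders; the username and password must match the credentials Security Manager already uses for the old device.

```ios
! Added example: minimum bootstrap configuration for a replacement ISR G2
! (2900 series assumed). All names and addresses are placeholders.
hostname NEW-2911
!
! Licensing: Security Manager does not manage licenses, so the securityk9
! package is activated on the router itself (permanent or evaluation
! license). This command takes effect after a reload.
license boot module c2900 technology-package securityk9
!
! User credentials: the same primary credentials that Security Manager
! uses for the old device (and, for IPS migration, the HTTP credentials).
username csm-admin privilege 15 secret <same-password-as-old-device>
!
! Transport: SSH needs a domain name and an RSA key pair (the key pair is
! also required before the Secure Shell policy can be copied); HTTPS is
! used for SSL-based management and for IPS policies.
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip http secure-server
ip http authentication local
line vty 0 4
 login local
 transport input ssh
!
! IP routing must be enabled if routing policies are to be copied.
ip routing
!
! IPS migration only: the Cisco IOS-IPS signature public key is configured
! under "crypto key pubkey-chain rsa" with the key string published by
! Cisco (not reproduced here), and a flash directory holds IPS files.
! "mkdir" is entered in privileged EXEC mode, not configuration mode.
mkdir flash:ips
!
! Management interface: a temporary address that the Security Manager
! server can ping; the old device's address is applied later at cutover.
interface GigabitEthernet0/0
 description Temporary management address used during migration
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

After the reload, confirm the active package with show license and the key pair with show crypto key mypubkey rsa before adding the device to Security Manager.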

Preparing the Old Device Policies in Security Manager

Many policies in Security Manager are not specific to the device hardware, but some relate directly to the hardware configuration. Of particular concern are policies that relate to specific interfaces.

The interface types and names on the new device should match the interface types and names on the old device. If they do not match, you can convert the old policies that specify interface names to use interface role policy objects instead of explicit interface names, and then create device-level overrides for the interface roles on the new device to specify the new interface names before copying policies. Interface roles are a convenient means that Security Manager provides to help you create policies that apply to multiple devices; the roles themselves are translated into real interface names when Security Manager creates device configurations for deployment.

The older ISRs have the following integrated FastEthernet/GigabitEthernet port configurations, where the FastEthernet ports are named FastEthernet0/0 and FastEthernet0/1, and the GigabitEthernet ports are GigabitEthernet0/0 and GigabitEthernet0/1:

Interface Type        | 1841 | 2801 | 2811 | 2821 | 2851 | 3825 | 3845
----------------------|------|------|------|------|------|------|-----
FastEthernet Ports    |  2   |  2   |  2   |      |      |      |
GigabitEthernet Ports |      |      |      |  2   |  2   |  2   |  2


The newer ISRs have the following integrated GigabitEthernet port configurations, where the GigabitEthernet ports are named GigabitEthernet0/0, GigabitEthernet0/1, and GigabitEthernet0/2:

Interface Type        | 1941 | 2901 | 2911 | 2921 | 2951 | 3925 | 3945
----------------------|------|------|------|------|------|------|-----
FastEthernet Ports    |      |      |      |      |      |      |
GigabitEthernet Ports |  2   |  2   |  3   |  3   |  3   |  3   |  3


As you can see from these tables:

The 2821, 2851, 3825, and 3845 routers have interfaces of the same name and type on the equivalent 2900/3900 series router. Thus, you do not necessarily need to convert policies to use interface roles and create device-level overrides. However, note that there is an additional GigabitEthernet0/2 interface. If you intend to use the new interface right away, and it will serve the same security role as one of the existing interfaces, you might want to create device-level overrides for the relevant policies so that they are also applied to the GigabitEthernet0/2 interface. (Note that in the migration procedure discussed in this paper, the GigabitEthernet0/2 interface is not always defined in the Interfaces policy, so you might need to manually add it during some steps if you need the interface to be functional during the migration.)

The 1841, 2801, and 2811 routers do not have GigabitEthernet ports, so you must create the device-level overrides to specify the appropriate GigabitEthernet port on the new models that equate to the old FastEthernet ports. Device-level overrides are also necessary if you are migrating from one of these models to a higher-end ISR.

To convert policies from using interface names to interface roles:


Step 1 Create an interface role with the required naming pattern and ensure that you allow device-level overrides. For example, if you are migrating from an 1841 to a 1941, you can create an interface role named FE0-0 with the naming pattern FastEthernet0/0, as shown in Figure 1.

To create the interface role, select Tools > Policy Object Manager, select Interface Roles from the table of contents in the Policy Object Manager, click the New Object (+) button, fill in the Add Interface Role dialog box and click OK. Create roles for each of the old interfaces.


Tip If you are already using interface roles, simply ensure that the roles you use allow device-level overrides, or that they include naming patterns that will select the correct GigabitEthernet interface on the new device when the policies are copied.


Figure 1 Creating an Interface Role Object for FastEthernet0/0

Step 2 Edit each policy that specifies interface names and replace the names with the equivalent interface role.

Some policies, such as Firewall Access Rules, include a Find and Replace tool that you can use to search for the interface name (see Figure 2). Click the binoculars icon button below the rule table, select Interface Role as the type, enter the interface name and, in the Replace field, the name of the equivalent interface role. Then use the Find Next and Replace buttons, or the Replace All button, to convert each rule that uses an interface name to one that uses an interface role.

Figure 2 Replacing an Interface Name with an Interface Role


Copying Policies from the Old Device to the New Device

After you prepare the new device with an initial configuration, which provides the basic ability for Security Manager to contact the device and deploy configurations to it, you can add the new device to the Security Manager inventory and copy the old device policies to the new device.

This procedure assumes the following:

That you already upgraded Cisco Security Manager to version 3.3.1. This is the first release that supports the 1900, 2900, and 3900 series ISRs. For information about installing Security Manager, see the Installation Guide for Cisco Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_installation_guides_list.html.

That you are using non-Workflow mode. If you are using Workflow mode, you will need to start an activity to copy policies and to create deployment jobs. The procedure is the same with the addition of Workflow-management steps.

That you have submitted all changes to the database before starting this procedure. This ensures that you need only respond to validation problems related to the devices you are migrating during this procedure.


Step 1 Use the Security Manager client to log in with a user account that has sufficient privileges to modify devices and all policies.

Step 2 In Device view, select File > New Device and add the new device to the Security Manager inventory using the New Device wizard:

For Method, choose Add Device from Network.

On page 2 of the wizard:

Enter the hostname or IP address of the new ISR G2 device and the display name you want to use in Security Manager (if different from the default).

For OS Type, select IOS 12.3+.

For Discover Device Settings options, select Policies and Inventory and then select all check boxes.

On page 3, enter the credentials you configured in Preparing the New ISR G2 Device for Migration.

Step 3 After the device is successfully added, deploy the device configuration to file. This kind of dummy deployment ensures that Security Manager takes full ownership of the policies under management for the device.

a. Select File > Submit and Deploy to submit the newly discovered policies to the database and to start a deployment job. During submission, the device policies are validated. Resolve any errors before deployment, but you can ignore warnings for now.

b. In the Deploy Saved Changes dialog box, select the new router and deselect any other devices.

c. Click Edit Deployment Method, select File under Method, and then select an appropriate folder on the Security Manager server. The configuration will be deployed to this folder.

d. Click OK in the Edit Deployment Method dialog box, then click Deploy in the Deploy Saved Changes dialog box. A status window will show the results of the deployment.

Step 4 Create device-level overrides for any interface role policy objects that need to be overridden, as explained in Preparing the Old Device Policies in Security Manager.

a. Right-click the new device in the device tree and select Device Properties.

b. Open the Policy Object Overrides folder in the device properties and select Interface Roles.

c. Right-click the role that needs to be overridden and select Create Override.

d. Change the interface pattern to the desired pattern. For example, Figure 3 shows how to replace FastEthernet0/0 with GigabitEthernet0/0. Click OK to save the override, then click Close to close the device properties window.

Figure 3 Creating an Interface Role Override

Step 5 Copy the policies from the old device to the new one:

a. Right-click the old device and select Copy Policies Between Devices. This command opens the Copy Policies wizard at step 2, where you can select all the policies that you want to copy (Figure 4). (If you start the wizard by selecting Policy > Copy Policies Between Devices, the wizard opens at step 1, where you need to select the old device and click Next.)

Do not select either of the check boxes on this page (leave them unchecked). For information on how these options affect processing, click Help.

Figure 4 Selecting Policies to Copy

b. Click Next and select the new device to which you are copying policies (Figure 5). (You can select more than one device if there is more than one device to which you want to apply the selected policies.)

Figure 5 Selecting the Target Device

c. Click Finish. The policies for the new device are populated with the values from the old device, with any object overrides that you configured modifying the meaning of the copied policies.

Step 6 Select the new device in the device tree and then look at each policy configured for the device. Make any changes needed. For example:

The configuration location for IPS policies on the new device might be different from the old device.

The file name or location of a custom SSL VPN logo might be different on the new device compared to the old device.

Step 7 If you elected to copy the Interfaces policy, the policy from the old device replaces the Interfaces policy on the new device, which also replaces the management IP address of the new device in Security Manager (in the Interfaces policy, but not in the device properties). If you then deploy the configuration (assuming the interface names actually match those available on the device), the deployment changes the management IP address on the device and makes it impossible for Security Manager to reach it, causing deployment failures. (Security Manager always uses the IP address or hostname configured in the device properties during deployment.)

To avoid this problem, and to ensure that all copied policies are successfully deployed to the new device, select the Interfaces > Interfaces policy of the new device and make any required changes:

Change the IP address of the management interface to the original address (which should be reflected in the device properties).

Ensure that all interface names are appropriate for the device (change FastEthernet to GigabitEthernet where necessary). Because this policy does not allow the use of interface role objects, device-level overrides cannot resolve interface names for this policy.

Disable (shut down) all interfaces other than the management interface so that the IP addresses are not duplicated after deployment. Right-click the interface, select Edit Row, and deselect the Enable check box.


Note The copy policy process completely replaces target policies, so any extra interfaces on the new device will not be seen at this stage of the migration. This will be corrected later.


Step 8 Right-click the new device and select Preview Configuration to verify that the configuration to be deployed is what you expect. Policies are validated before you can view the configuration. Fix all errors, and selectively fix warnings as your needs require.

Step 9 If you copied IOS-IPS policies, you must now apply the signature update on the new device with the latest (or appropriate) signature level before you deploy IOS-IPS policies. Select Tools > Apply IPS Update and follow the wizard instructions. Click Help in the wizard for detailed information.

Step 10 Select File > Submit and Deploy to submit your changes to the database and to deploy them to the device. Select just the new device for deployment, and ensure that the deployment method is Device (to copy the changes directly to the device), or follow the deployment standards for your organization. Use the deployment status window to verify that the deployment is successful.

Step 11 Log into the old device (for example, using SSH) and unconfigure all of the interfaces, including the management IP address that Security Manager uses to manage the device.

Step 12 Remove the physical wires from the old device and plug them into the correct ports of the new device.

Step 13 Log into the new device and change the IP address of the management interface to the original device's management IP address.

Step 14 In Security Manager, right-click the new device and select Device Properties. On the General tab, change the IP address in the Identity section to the IP address of the old device (which you just configured on the management interface of the new device).

Step 15 Select the Interfaces > Interfaces policy and make the following changes by right-clicking each row in turn and selecting Edit Row:

Enable all interfaces that you previously disabled.

Change the IP address of the management interface to the one you configured in the device properties.

Step 16 Select File > Submit and Deploy to submit your changes to the database and to deploy them to the device. Select just the new device for deployment and ensure that the deployment method is Device. Use the deployment status window to verify that the deployment is successful.

Step 17 Right-click the new device and select Discover Policies on Device. In the Create Discovery Task window, select Live Device discovery, and select only the Inventory policy discovery option; deselect all other options in the Policies to Discover section.

Inventory discovery will update the Interfaces policy with any additional interfaces on the device (such as GigabitEthernet0/2).

After this discovery completes successfully, the new device should be fully operational with policies and interface configurations that match the old device that you replaced, with the exception of Site-to-Site VPN configurations. If the device is part of a Site-to-Site VPN, continue with the next migration step.


Migrating Site-to-Site VPN Policies

After you copy policies from the old device to the new one and deploy policies, you can remove the old device from all Site-to-Site VPNs in which it participates and replace it with the new device.


Step 1 Select the old device in Device view and select the Site to Site VPN policy. This policy lists all Site-to-Site VPN topologies to which the old device belongs.

Step 2 For each topology, remove the old device, add the new device, and ensure that the correct VPN interface is selected for the new device. How you complete this task can differ based on the VPN technology you are using:

For most types of VPN, right-click the topology and select Edit VPN Topology. This command opens the Create VPN wizard with all pages of the wizard in a tabbed view.

On the Device Selection tab, remove the old device and add the new device.

On the End Points tab, edit the VPN interface and protected networks information for the new device, if necessary.

For GET VPN topologies, right-click the topology and select Edit VPN Policies. Replace the old device with the new one in the Group Members or Key Servers policy.

You can also use the Edit VPN Policies method for other types of topologies, but the policy you need to edit is the Peers policy.

Step 3 Verify that you have removed the old device from all topologies. The Site to Site VPN policy for the old device should not have any topologies listed. You might have to click a different policy, then reselect the Site to Site VPN policy, to ensure that you are seeing an up-to-date list.

Step 4 Right-click the new device and select Preview Configuration. Inspect the configuration to verify that you are generating the desired delta configuration with the new VPN policies. Fix all errors, and selectively fix warnings as your needs require.

Step 5 Select File > Submit and Deploy to submit your changes to the database and to deploy them to the device. Select just the new device for deployment and ensure that the deployment method is Device. Use the deployment status window to verify that the deployment is successful.

Step 6 Log into the new device and check that the expected VPN tunnels are established. Test that you can send the expected traffic over each VPN topology in which the device participates.


Finishing Up

At this point, the new device should be functioning correctly and providing the same services as the old device. You should do the following:

Verify that the new device is fully functional, for example, by sending traffic over it.

Delete the old device from the Security Manager inventory. Although it does no harm to leave the device in the inventory, it does consume a Security Manager license until you delete it. To delete the device from the inventory, right-click the device and select Delete Device.

Take advantage of the new features available with the new device. For example, if the new device has an extra interface compared to the old device, and you connect it to your network, ensure that you update all affected policies to include the new interface.