Table Of Contents
Release Notes for Management Center for Cisco Security Agents 4.5.1 Revision 1
These release notes are for use with Management Center for Cisco Security Agents (CSA MC) 4.5.1. The following information is provided:
This CSA 4.5.1 release is supported with VMS 2.3.
If you are upgrading from 4.x.x to 4.5.1 you already have VMS installed. If this is a new installation, it is recommended that you do not install other VMS products on the system to which are installing Management Center for Cisco Security Agents. Only install the "Common Services" needed for VMS in addition to CSA MC.
Caution When you install VMS 2.3, by default, checkboxes for several VMS products on the "Select Components" install screen are selected. You should click the Deselect button. Then select the "Common Services" checkbox and click Next to continue.
Obtaining a License Key
The Management Center for Cisco Security Agents CD contains a license key which is used to operate the MC itself. If you need further license keys, before deploying Cisco Security Agents, you should obtain a license key from Cisco. To receive your license key, you must use the Product Authorization Key (PAK) label affixed to the claim certificate for CSA MC located in the separate licensing envelope.
To obtain a production license, register your software at one of the following web sites.
If you are a registered user of Cisco.com, use this website:
If you are not a registered user of Cisco.com, use this website: http://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl.
After registration, the software license will be sent to the email address that you provided during the registration process. Retain this document with your VMS bundle product software records.
File Integrity Check Instructions
You can perform integrity checks on the files provided with Management Center for Cisco Security Agents 4.5.1. Use the verify_digests.exe file provided to check the MD5 hashes of the files.
When you run the verify_digests.exe file, you can enter the CD drive letter and check the files on the CD itself or you can copy the files to your system and check them from the directory to which they were copied.
The following output is displayed:
•The output displays "OK" if the hashes match and the files are valid.
•If the hashes do not match, "Failure" is displayed. Contact Cisco if this occurs.
How to install obtain and install VMS 2.3:
Step 1 If you have not received a CD containing VMS 2.3, you should download these four files: VMS-23-W2k-CD1-image-K9.z01, VMS-23-W2k-CD1-image-K9.z02, VMS-23-W2k-CD1-image-K9.z03, VMS-23-W2k-CD1-image-K9.zip from http://www.cisco.com/pcgi-bin/tablebuild.pl/vms into a scratch directory
Step 2 Run winzip on the fourth file and unzip the entire contents into a temporary directory. (You should find that you have 410 files occupying about 650MB of space.)
Step 3 Run vmmc_verify_digest.exe to ensure the integrity of your download.
Step 4 Run autorun.exe to begin the VMS 2.3 installation process. (When you install VMS 2.3, by default, checkboxes for several VMS products on the "Select Components" install screen are selected. You should click the Deselect button. Then select the Common Services checkbox and click Next to continue.)
Step 5 Complete the VMS 2.3 installation by rebooting your system when prompted.
How to install CSA MC V4.5.1:
Note The Management Center for Cisco Security Agents V4.5 kit is signed by Cisco Systems. This can be verified using Windows Explorer File ->Properties ->Digital Signatures.
Step 1 Open a command prompt window and cd into the product directory. Run setup.exe. Alternatively, you can use Windows Explorer to navigate to the product directory. Then, double-click the setup.exe file to begin the installation.
Step 2 You can now follow the standard installation directions provided in the Installation Guide. The Installation Guide appears as a PDF file in the Documentation directory at the top level.
Note The agent kits are provided in test mode in order to minimize any possible adverse impact of initial agent installation.
The provided policies are meant as a starting point to enterprise security. In general, you will want to run in test mode and create exceptions with the event wizard to create a suitable rule set for your environment. At that point, you can remove your agents from the test mode group and allow them to operate in protect mode. Test mode is turned on in the Auto-enrollment groups for each OS type. From the Group page, expand the Rule overrides section and uncheck the Test mode checkbox to turn test mode off for that group. Then Generate rules.
The following are issues that exist with the product, but are not product bugs. Therefore, they are not in the bug list.
•Issue: In some environments, the shipped installation policy may not allow non-standard installations. It is recommended that you tune the policy accordingly or stop the agent service to allow the installation.
Solution: You may change the File access control rule in this module to query the user if your security policy permits the use of the application in question.
–Issue: Linux Agent UI: For gnome desktop environments, the install script will only modify the default session config file for launching the agent UI automatically every time a user starts a gnome desktop session. But if a user already has their own session file ( ~/.gnome2/session ), the default session file (/usr/share/gnome/default.session) will not be effective. Therefore, the agent UI will not automatically start when the user logs in. In such a case, the user must add the agent UI (/opt/CSCOsca/bin/ciscosecui) manually (using "gnome-session-properties" utility) to make the agent UI auto-start. The user may also need to add a panel notification area applet to the control panel.
–Issue: Once a rootkit has been detected on a system, the rootkit system state is not removed until the system is rebooted.
Solution: Reboot system to reset rootkit system state.
–Issue: The pre-built reports configured for Analysis Deployment Investigation are meant as samples. You will likely have to edit or add to the existing report configurations to gather comprehensive information.
–Issue: Data access control rules for iPlanet running on Solaris systems are untested and unsupported. CSA ships with a data filter that you must manually install to use Data access control rules for iPlanet applications on Solaris. If you use this functionality, be aware that it is unsupported and that this filter may be removed in a future release.
–Issue: There have been issues with Compaq/HP Teaming and the Cisco Security agent (CSA). Symptoms include the NICs not being enabled automatically after an agent installation. This has to do with issues between Compaq/HP Teaming software and the agent's network shim. This is an example of the behavior: Installing CSA on an HP DL380G2 server with an HP-NC3163 Ethernet card disables the ethernet card. After CSA is installed, and before the PC is rebooted to complete the installation, the ethernet adapter is disabled.
Solutions: There are several different solutions to this issue:
•Do not install the network shim; it is an optional product.
•Reboot the system immediately after CSA is installed.
•Dissolve the team before installing CSA. Then, re-create the team after CSA has been installed.
There may be other issues between CSA's network shim and Compaq/HP Teaming and thus we highly recommend dissolving the team prior to installing CSA if you plan to install the network shim.
–Issue: The Desktop interface applications, client HTTP protocol rule in the Windows System Hardening module prevents Windows Find Files/Folders functionality from accessing sa.windows.com. When the rule is applied, the event text reads like this:
"The process 'C:\WINDOWS\explorer.exe' (as user HostName\Administrator) attempted to communicate with 10.123.124.125 on TCP port 80. The attempted access was to initiate a connection as a client (operation = CONNECT). The operation was denied."
The Windows search function is vulnerable to a redirection attack and the rule is designed to prevent just such an attack.
This release contains the following new features:
Displaying Packet Information in Human-Readable Form
For any event that provides packet information as part of the event details, that packet information can be displayed in human-readable form provided that "Ethereal" software is installed on the same system as CSA MC.
See the User Guide for links to Ethereal and instructions on how to read packet information.
Internationalization and Localization for Windows Agents
The Cisco Security Agent now accepts and displays query text characters appropriately for the supported, selected language type. Supported languages are Chinese (Simplified), French, German, Italian, Japanese, Korean, and Spanish. It also displays events in non-ASCII characters so that internationalization of events is possible. See Internationalization Support for details about language support.
Bulk Transfer of Hosts from Group to Group
This new feature allows you to search for all the hosts that meet a certain criteria and then act on the hosts found by that search. From the page displaying the search results you will be able to move or copy hosts from one group to another or delete hosts.
Update Groups Associated with Agent Kits
After an agent kit is made and deployed, new groups can be associated with the kit and existing groups can be removed from the kit.
One use for this feature is to prolong the life of installation images by requiring fewer changes to agent kits. For example, agent kits would most likely be deployed in test mode until all the rules, rule-modules, and policies are fine-tuned to meet the needs of your enterprise. An image installed on new desktops during the testing period would include an agent kit, which includes the Test Mode Systems group, which makes all other groups run in test mode.
Once the period of testing is over, the image deployed for new desktops would still include the Test Mode System group but it may no longer be needed because the rules and policies have been finalized and it is time to "go live" for some or all of your enterprise. This feature would allow you to remove the Test Mode System group from the agent kit that is currently included in the installation image for all desktops. When the agent on a new desktop registers with CSA MC for the first time, the Test Mode System group will be removed from the agent kit and the new desktop will not run in test mode.
Use Network Address Class Notation
You can now specify a range of IP addresses in network address sets using Network Address Class Notation. For example you can now specify a range using the syntax: 22.214.171.124/16. This indicates the range of addresses:
126.96.36.199 - 188.8.131.52
Cisco Trust Agent (CTA) Support
The Cisco Security Agent is a supported configuration for the Cisco Trust Agent feature for both CTA versions 1.0 and 2.0. For configuration details, please refer to the Cisco Trust Agent documentation.
CSA Supports the Distribution of a Wider Variety of CTA Installation Kits
After the installation of CSA MC you can copy additional CTA installer files to the system running CSA MC. When you create agent kits, you will be able to select from the different CTA installer kits. Some installer kits include the CTA supplicant, others do not.
System Requirements (CSA MC)
CSA MC is a component of the VPN/Security Management Solution (VMS).
For information on all bundle features and their requirements, see CiscoWorks2000 VPN/Security Management Solution Quick Start Guide.
Table 1 shows VMS bundle server requirements for Windows 2000 systems.
Table 1 Server Requirements
•Pager alerts require a Hayes Compatible Modem.
•For optimal viewing of the CSA MC UI, you should set your display to a resolution of 1024 x 768 or higher.
•On a system where CSA MC has never been installed, the CSA MC setup program first installs MSDE with Service Pack 3a. If the CSA MC installation detects any other database type attached to an existing installation of MSDE, the installation will abort. This database configuration is not supported.
•If MSDE Service Pack 2 or earlier is present on the system, you must uninstall that version of MSDE or upgrade it before proceeding further.
SQL Server Desktop Engine Installation
As part of the installation process on a system where CSA MC has not previously been installed, the setup program first installs Microsoft SQL Server Desktop Engine (MSDE). You can use the included Microsoft SQL Server Desktop Engine (provided with the product) if you are planning to deploy no more than 500 agents. When the MSDE installation completes, it may prompt you to reboot the system. In that case, you must reboot the system before restarting the CSA MC setup program. If the MSDE installation does not prompt you to reboot the system, you may restart the setup program without rebooting the system.
Caution If the CSA MC installation detects any other database type attached to an existing installation of MSDE, the CSA MC installation will abort. This database configuration is not supported by Cisco. (Installation process aborts if any databases other than those listed here are found: master, tempdb, model, msdb, pubs, Northwind, profiler and AnalyzerLog.)
For a local database configuration, you also have the option of installing Microsoft SQL Server 2000 instead of using the Microsoft SQL Server Desktop Engine that is provided. Microsoft SQL Server Desktop Engine has a 2 GB limit. In this case, you can have CSA MC and Microsoft SQL Server 2000 on the same system if you are planning to deploy no more than 5,000 agents. Note that of you are using SQL Server 2000, it must be licensed separately and it must be installed on the system before you begin the CSA MC installation. (See the Installation Guide for details on installation options.)
We also recommend that you format the disk to which you are installing CSA MC as NTFS. FAT32 limits all file sizes to 4 GB.
System Requirements (Agent)
To run Cisco Security Agent on your Windows XP, Windows Server 2003, Windows 2000 or Windows NT 4.0 servers and desktop systems, the requirements are as follows:
Table 2 Agent Requirements (Windows)
Note Cisco Security Agent uses approximately 20 MB of memory. This applies to agents running on all supported Microsoft and UNIX platforms.
To run Cisco Security Agent on your Solaris server systems, the requirements are as follows:
Table 3 Agent Requirements (Solaris)
Caution On Solaris systems running Cisco Security Agents, if you add a new type of Ethernet interface to the system, you must reboot that system twice for the agent to detect it and apply rules to it accordingly.
To run the Cisco Security Agent on your Linux systems, the requirements are as follows:
Table 4 Agent Requirements (Linux)
Upgrading CSA from versions earlier than Cisco Security Agent V4.0.X is not supported.
See "Installing Management Center for Cisco Security Agents" provided as a PDF file in Documentation directory on the product CD for product installation instructions.
Duplicate Configuration Naming Convention
Configuration items shipped with CSA MC and provided by Cisco contain a version column with a version number. Administrator-created items have no version number.
When you import configuration items provided by Cisco, if it is found that there is already an existing exact match for an item, the new configuration data is not copied over. Instead, the existing item will be reused and the name will reflect the new versioning.
If the import process finds that there is an existing item with the same name, the same version number, and different configuration components (variables, etc.), the newly imported item is changed by appending the name of the export file. The new item is always the item that the export file name appended to it. Existing items are not renamed or reversioned if there is a collision.
Also note that CSA MC automatically appends the name of the export file to any administrator configured item collision it finds during administrator imports. The imported item is given a different name and both new and old items can co-exist in the database.
All Cisco Security Agent kits contain localized support for English, French, German, Italian, Japanese, Korean, Simplified Chinese, and Spanish language desktops. This support is automatic in each agent kit and no action is required by the administrator. The agent UI, events, and help system will appear in the language of the end user's desktop.
The following table lists CSA localized support and qualification for various OS types.
Table 5 CSA Localizations
Explanation of terms:
Localized: Cisco Security Agent kits contain localized support for the languages identified in Table 5. This support is automatic in each agent kit and no action is required by the administrator. The agent UI, events, and help system will appear in the language of the end user's desktop. All localized languages are agent qualified and supported. (CSA MC is not localized.)
Qualified: The Cisco Security Agent was tested on these language platforms. Cisco security agent drivers are able to handle the local characters in file paths and registry paths. All qualified languages are supported.
Supported: The Cisco Security Agent is suitable to run on these language platforms. The localized characters are supported by all agent functions.
Refer to the following tables.
Internationalization Support Tables
The following tables detail the level of support for each localized version of Windows operating systems. Note that support for a localized operating system is different from localized agent. A localized operating system may be supported even though the corresponding language is not translated in the agent. In this case, the dialogs will appear in English. The tables below define the operating system support, not agent language support. Note, for Multilingual User Interface (MUI) supported languages, installs are always in English (Installshield does not support MUI), and the UI/dialogs are in English unless the desktop is Chinese (Simplified), French, German, Italian, Japanese, Korean, or Spanish.
Any Windows 2000, Windows XP or Windows 2003 platforms/versions not mentioned in the tables below should be treated as not supported.
The following letter combinations are used to describe the level of support:
Support Level Key
Table 7 Windows 2000 Support
Table 8 Windows XP Support
Table 9 Windows 2003 Support
On non-localized but tested and supported language platforms, the administrator is responsible for policy changes arising from directory naming variations between languages.
If the previous operating system tables do not indicate that CSA is localized (L) then the system administrator is responsible for checking to ensure that the tokens are in the language they expect and the directory path is the one they intend to protect. See Installing Management Center for Cisco Security Agent, Revision 1 for the procedure to determine if language tokens are correct.
Cisco Security Agent Policies
CSA MC default agent kits, groups, policies, rule modules, and configuration variables provide a high level of security coverage for desktops and servers. These default agent kits, groups, policies, rule modules, and configuration variables cannot anticipate all possible local security policy requirements specified by your organization's management, nor can they anticipate all local combinations of application usage patterns. We recommend deploying agents using the default configurations and then monitoring for possible tuning to your environment.
Policy Changes from CSA 4.5 to CSA 4.5.1
Changes to rules in CSA 4.5.1 were made to increase security, be less restrictive, or be more efficient. After you upgrade from 4.5 to 4.5.1, look for evidence of a rule change in the rule module list page or policy list page in CSA MC. If a rule has changed you will see a 4.5.1 version of a rule module or policy alongside the rule modules and policies of previous versions.
You can easily compare the new policy to the old policy to see exactly what changed. See the "Using Security Management Center for Cisco Security Agent" manual for information about the Compare Tool.
Policies Changed for Security Reasons
Security changes were made to enforce stricter security where it was needed. These policies changed to provide greater security:
Cisco Trust Agent - Windows: One rule in the Network Admission Control Quarantine Module was changed so that it is now shipped as "disabled" rather than "enabled." The rule prevents all network access outside the system except by Cisco Trust Agent (CTA) and by anti-virus software. The rule protects networked assets but also prevents the local agent from being remediated. This rule was disabled, and not removed, because the rule could be used as a template for a rule which better suits your individual enterprise.
Microsoft SQL Server 2000 - Windows: Two rules were changed to provide proper access to .ndf files. So that Microsoft SQL Server 2000 could access its own .ndf file type, MS SQL Server Services and MS SQL user applications were explicitly allowed to read and write .ndf files. To prevent access to .ndf files from "vulnerable applications," these applications were explicitly denied write access to .ndf files.
Operating System - Base Permissions - Solaris: The System Hardening Module (Solaris) was changed to prevent a telnetted buffer overflow attack documented in the CERT (Computer Emergency Response Team) advisory, CA-2001-21.
Operating System - Base Protection - Solaris: The System Hardening Rule Module (Solaris) was changed to prevent known exploits against sadmin daemon. By default, the tool starts in a weak authentication mode and can be easily spoofed. The sadmin daemon is not necessary and the rule prevents it from being started.
MS Management Applications application class. A change to the MS Management Applications applications class changed rules in several policies. The application class was changed because it referred to any mmc.exe executable in any path. Now the application class references only the explicit path to mmc.exe. This change prevents Trojan Horse attacks. These policies were affected by this change:
•DHCP Servers - Windows
•DNS Servers - Windows
•Operating Systems - Base Permissions - Windows
•Web Server - Microsoft IIS - Windows
•Microsoft SQL Server 2000 - Windows
Policies Changed to Be Less Restrictive
Some changes were made to make rule modules and policies less restrictive. Often these changes were made by adding new rules, which allowed more behavior, to rule modules. These changes will help new customers during the pilot phase of CSA by reducing the number of denials that require investigation.
These policies were made less restrictive:
•General Applications - Base Security - Windows
•General Applications - Multi-level Security - Windows
•Installation Applications - Solaris
•Installation Applications - Windows
•Operating System Base protection - Linux
•Web Server - Apache
Policies Changed for Efficiency Reasons
Efficiency changes were made by combining rules to reduce the overall number of rules, expanding application classes to include more commonly used text editors, and by enhancing rule descriptions. These changes do not change the security benefit of a rule.
These policies were made more efficient:
•E-mail Client - Basic Security - Windows
•E-mail Client - Multi Level Security - Windows
•Network Personal Firewall
•Operating System - Base Protection - Windows
•Web Browser - Linux
•Web Server - Apache
CSA MC Local Agent and Policies
When you install CSA MC, an agent containing the policies necessary to protect a system only running CSA MC and Security Monitor as part of your VMS bundle on the CiscoWorks system (the recommended configuration) is automatically installed as well. The policy in question contains a "restrictive" rule module which puts tighter restrictions on the system because it does not have to account for other VMS bundle products that might be running on the system.
If you are running additional products as part of your VMS bundle on the CiscoWorks system, you must remove the CiscoWorks Restrictive VMS Module from the CiscoWorks VMS Systems policy in order to allow this additional software to operate.
To do this, navigate to Configuration>Policies and locate "VMS CiscoWorks - Windows" in the list of policies. Click on the "VMS CiscoWorks - Windows" policy. This takes you to the main policy page with the list of rule module associations. Click the Modify rule module associations link. Locate the "CiscoWorks Restrictive VMS Module" in the right-side Attached rule modules swap box. Select this module and click the Remove button. Then Generate rules. (Note that this is not the recommended deployment.)
Caution If you are installing or uninstalling various VMS components, and you have a Cisco Security Agent protecting the VMS bundle, you should disable the agent service before you install or uninstall of any other VMS component. (You do not have to do this when installing or uninstalling CSA MC.) To disable the agent service, from a command prompt type net stop "Cisco Security Agent". (You may receive a prompt asking if you want to stop the agent service. You should click Yes.) To enable the service, type, net start "Cisco Security Agent".
If you do not disable the agent service and you attempt to alter a CiscoWorks system configuration, the agent may disallow the action or it may display multiple queries to which you must respond.
RME Gatekeeper Remote Access Issue
It is recommended that you do not install other VMS products on the system to which are installing Management Center for Cisco Security Agents. However, if you do not follow this recommendation, you should be aware of the following.
Remote access to the CiscoWorks RME Gatekeeper daemon is not required for correct operation of any of the components in the VMS bundle. Therefore, remote client access to this daemon is normally disabled through a deny rule in the "CiscoWorks VMS Module" within the CiscoWorks VMS Policy.
If other products that require the RME Gatekeeper daemon to be accessed remotely, such as Campus Manager or ACLM, are installed on the same system as the VMS bundle, the CSAMC "CiscoWorks VMS Module" protecting the VMS system should be modified as follows:
Step 1 Login to CSAMC and navigate to the "CiscoWorks VMS Module" in the VMS CiscoWorks Policy. The module is accessible from Configuration>Rule Modules [Windows] in the menu bar.
Step 2 Once you locate the module, you don't have to click on the module name. You can click the <#> rules link to access the rules list directly.
Step 3 From the "CiscoWorks VMS Module" rule list, change the Allow rule "CiscoWorks RME Gatekeeper daemon, server for TCP and UDP services" from Disabled to Enabled. (Select the checkbox beside the rule and click the Enable button in the footer frame of CSAMC. Remember to save your changes.)
Step 4 Generate rules.
Step 5 Optionally, force polling on the agent to download the rule change.
Cisco VPN Client Support
Cisco Security Agent is a supported configuration for the "Are You
There?" feature of the Cisco VPN Client, Release 4.0. For configuration
details, please refer to Chapter 1 of the Cisco VPN Client Administrator
Guide, in the section entitled "Configuring VPN Client Firewall Policy—Windows Only."
Table 10 provides information on known issues found in this release.
These are documents included in this release:
•Installing Management Center for Cisco Security Agents 4.5.1
•Using Management Center for Cisco Security Agents 4.5.1
•Release Notes for Management Center for Cisco Security Agents 4.5.1
The CSA security policies are described in their own policy description papers. These papers are maintained and distributed separately from the CSA 4.5.1 documentation above. All policy descriptions are contained in the "CSA_Policy_Descriptions.zip" file which can be downloaded through CSA's Product Postings area on Cisco.com
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
You can access the most current Cisco documentation on the World Wide Web at this URL:
You can access the Cisco website at this URL:
You can access CSA's Product Postings area at this URL:
You can access CSA's Hot Fix Postings area at this URL:
International Cisco websites can be accessed from this URL:
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
All users can order monthly or quarterly subscriptions through the online Subscription Store:
You can find instructions for ordering documentation at this URL:
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can e-mail your comments to firstname.lastname@example.org.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
•Streamline business processes and improve productivity
•Resolve technical issues with online support
•Download and test software packages
•Order Cisco learning materials and merchandise
•Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The type of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
•Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration. There is little or no impact to your business operations.
•Priority level 3 (P3)—Operational performance of the network is impaired, but most business operations remain functional. You and Cisco are willing to commit resources during normal business hours to restore service to satisfactory levels.
•Priority level 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively impacted by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
•Priority level 1 (P1)—An existing network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Cisco TAC Website
The Cisco TAC website provides online documents and tools to help troubleshoot and resolve technical issues with Cisco products and technologies. To access the Cisco TAC website, go to this URL:
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
If you have Internet access, we recommend that you open P3 and P4 cases online so that you can fully describe the situation and attach any necessary files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
Before calling, please check with your network operations center to determine the Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
•Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
•Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:
•iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
•Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:
This document is to be used in conjunction with the documents listed in the Obtaining Documentation section.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R)
Copyright © 2005, Cisco Systems, Inc.
All rights reserved.