Migrating from CiscoWorks VPN/Security Management Solution to Cisco Security Manager
Migrating from Router MC

Table Of Contents

Migrating from Router MC
    Device Bootstrapping
        Direct Deployment to Device
        Auto Update Server
        CNS Configuration Engine and Token Management Server
    Supported Device OS Versions
    Device Inventory
    Building Blocks and Policy Objects
    Security Manager Discovery for IOS Routers
        Firewall Rules and Related Configurations
        VPNs
        NAT
        Config Additions

Migrating from Router MC


This chapter provides an overview of migrating from Router MC to Security Manager 3.0. This chapter contains the following sections:

Device Bootstrapping

Supported Device OS Versions

Device Inventory

Building Blocks and Policy Objects

Security Manager Discovery for IOS Routers

Device Bootstrapping

There are differences in the device bootstrapping requirements between Router MC and Security Manager. Detailed instructions for bootstrapping devices for use with Security Manager are provided in the User Guide for Cisco Security Manager 3.0. See the section in Chapter 5 entitled Preparing the Devices for Security Manager to Manage.

Direct Deployment to Device

When deploying directly to a device, Router MC uses SSH to communicate with IOS routers. Security Manager uses both SSL and SSH by default, so you need to enable SSL in addition to SSH on a device. However, you can configure Security Manager to use SSH only, if required.

Auto Update Server

Router MC supports using the Auto Update Server (AUS) as a deployment transport option for IOS routers. If the AUS server IP address will change when migrating to AUS 3.0 (included with Security Manager 3.0), you need to update the cns exec statement on each affected device. You can configure the AUS settings using the CLI of the device.

CNS Configuration Engine and Token Management Server

Security Manager introduces two new deployment transport options, which were not available in Router MC: the CNS Configuration Engine and Token Management Server (TMS). If either of these transport options will be used, you need to follow the respective device-specific bootstrapping steps.

Supported Device OS Versions

Cisco Security Manager 3.0 supports IOS 12.3, while Router MC supports IOS 12.2 and 12.3. As a result, you must upgrade routers to IOS 12.3 for management by Security Manager. For detailed IOS support, refer to the Supported Devices and Software Versions for Cisco Security Manager 3.0 document.

Device Inventory

You cannot export the device inventory data from Router MC and then import the data into Security Manager. You can add device information to Security Manager using various methods as described in User Guide for Cisco Security Manager 3.0.

Building Blocks and Policy Objects

Router MC supports the definition of named, reusable policy components called building blocks. Security Manager provides the equivalent capability; however, they are called policy objects in Security Manager. IOS does not support the concept of building blocks or policy objects. As a result, the meta information for a building block in Router MC, such as the building block name and description, does not appear in the device configuration. When the device is added to Security Manager, the building block meta information cannot be discovered from the device. If you need to retain the specific names of the building blocks, you must first re-create the building blocks in Security Manager as the corresponding policy objects. Then, when Security Manager discovers the device configuration, it will match the configuration with the corresponding policy objects in some cases. Refer to Table 3-1 for details on the level of Router MC building block data migration to Security Manager.

Table 3-1 Migration of Router MC Building Blocks

Router MC Building Block: Network Groups
Security Manager Equivalent: Network/Hosts Policy Object
Discovery Supported by Security Manager: Partial. Security Manager has some limited ability to match entries in the device configuration with Network/Host policy objects that were entered into Security Manager before adding the device. In general, Security Manager can only match simple Network/Host policy objects that correspond to a single ACE in the router CLI. For example, a Network/Host policy object that consists of two networks results in one ACE per network, and Security Manager cannot recognize these two ACEs as being part of the same Network/Host policy object.

Router MC Building Block: Transform Sets
Security Manager Equivalent: IPSec Transform Set
Discovery Supported by Security Manager: None. Existing VPN settings, in general, are not discovered by Security Manager. VPN settings are retained on the device; however, they do not appear in Security Manager. VPN configurations must be redefined in Security Manager.

Router MC Building Block: Service Groups
Security Manager Equivalent: Services Policy Object
Discovery Supported by Security Manager: Partial. Security Manager can match simple service definitions such as a single port. However, Security Manager cannot match more complex service definitions, such as those involving port ranges or a composite service group definition consisting of one or more other service definitions.


Building blocks in Router MC are also defined in the context of the device grouping hierarchy. For example, you can have a Network Object building block called MyFTPServer defined at the scope of the Global group with a value of 10.10.10.1, and another one of the same name, but with a value of 10.10.10.2, defined within the scope of one of the sub-groups. A rule defined on a device using the MyFTPServer building block gets the appropriate value for the object based on the device's position in the grouping hierarchy.
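The two points above (Table 3-1's single-ACE/single-port matching limit and the scoped building block values) suggest a pre-migration audit: resolve each building block per device through the group hierarchy, predict which objects Security Manager discovery can match, and flag names that resolve to different values in different scopes and therefore need distinct policy object names. The following script is an added illustration, not part of the Cisco guide; the SCOPES and DEVICES data, the group names and the tcp/port notation are constructed.

```python
# Added pre-migration audit (not from the Cisco guide). Models Router MC
# building blocks scoped by group and predicts Security Manager discovery.

# Constructed sample hierarchy: Global > Branches. Each scope may redefine a
# building block name with a different value, as described in the text.
SCOPES = {
    "Global": {
        "MyFTPServer": ["10.10.10.1"],
        "DMZ": ["192.0.2.0/24", "198.51.100.0/24"],  # two networks -> two ACEs
        "svc-web": ["tcp/80"],                        # single port
    },
    "Branches": {
        "MyFTPServer": ["10.10.10.2"],
        "svc-mgmt": ["tcp/22-23"],                    # port range
    },
}
# Constructed devices and their group path from Global down to their own group.
DEVICES = {"hq-rtr": ["Global"], "branch-rtr": ["Global", "Branches"]}


def resolve(device, name):
    """Return (scope, values) for a building block, most specific scope first."""
    for scope in reversed(DEVICES[device]):
        if name in SCOPES[scope]:
            return scope, SCOPES[scope][name]
    raise KeyError(name)


def discoverable(values):
    """Per Table 3-1: only objects mapping to one ACE or one port are matched."""
    if len(values) != 1:
        return False          # multi-network object -> one ACE per network
    return "-" not in values[0]  # port range -> not matched


def audit(devices=DEVICES):
    """Map (device, block name) -> (scope, values, discoverable by CSM)."""
    report = {}
    names = {n for scope in SCOPES.values() for n in scope}
    for dev in devices:
        for name in sorted(names):
            try:
                scope, vals = resolve(dev, name)
            except KeyError:
                continue      # block not visible from this device's scope
            report[(dev, name)] = (scope, tuple(vals), discoverable(vals))
    return report


def name_collisions(report):
    """Names that resolve to different values on different devices."""
    seen = {}
    for (_, name), (_, vals, _) in report.items():
        seen.setdefault(name, set()).add(vals)
    return sorted(n for n, v in seen.items() if len(v) > 1)
```

Objects reported as not discoverable, and every name listed by name_collisions, must be re-created by hand as policy objects before discovery.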

Security Manager Discovery for IOS Routers

When an IOS router is migrated from Router MC management to Security Manager, Security Manager can auto-discover some device configuration; however, many key settings managed by Router MC are not discovered. Security Manager can discover the following information:

Device hostname

IOS version and image name

Interfaces and associated IP addresses

Firewall rules and related configurations

Information that is not discovered includes:

VPNs and VPN-related configuration information

NAT rules

Platform settings

Config additions

The following sections address some of these areas in further detail.

Firewall Rules and Related Configurations

VPNs

NAT

Config Additions

Firewall Rules and Related Configurations

The procedure for migrating firewall rules and related configuration from Router MC to Security Manager is essentially the same as that discussed in the chapter Migrating from Firewall MC. Even though Security Manager does support discovery of the firewall configuration, there are many other considerations to deal with, as described in that chapter.

VPNs

When you add an existing device to Security Manager, Security Manager does not discover the existing VPN configuration. Delete the VPNs using Router MC just prior to migrating the devices to Security Manager and then recreate the VPNs using Security Manager. This guarantees that there is a clean migration between the two management systems without any unmanaged VPN artifacts left on the device. The downside with this approach though is that there is a temporary outage of the VPNs during the migration.

NAT

NAT settings made with Router MC on VPN spokes are not auto-discovered by Security Manager. Therefore, you must re-create these settings using the Security Manager GUI.

Config Additions

Prepended or appended config additions done in Router MC can be handled using the FlexConfig feature of Security Manager. If the config statements correspond to new features supported by Security Manager, you can manage these features using the Security Manager GUI rather than through the FlexConfig feature.