-
User Guide for Cisco Security Manager 3.1
-
Preface
-
Getting to Know Security Manager
-
Performing Administrative Tasks
-
Working With the Security Manager User Interface
-
Using Map View
-
Managing Devices
-
Managing Policies
-
Managing Activities
-
Managing Objects
-
Managing Site-to-Site VPNs
-
Managing Remote Access VPNs
-
Managing SSL VPNs
-
Managing Firewall Services
-
Managing IPS Services
-
Managing Routers
-
Managing Firewall Devices
-
Managing Catalyst Devices
-
Managing IPS Devices
-
Managing Deployment
-
Managing FlexConfigs
-
Using Tools
-
Using Monitoring, Troubleshooting, and Diagnostic Tools
-
Administrative Settings User Interface Reference
-
Map View User Interface Reference
-
Devices User Interface Reference
-
Policy User Interface Reference
-
Activities User Interface Reference
-
Policy Object Manager General Reference
-
Site-to-Site VPN User Interface Reference
-
Remote Access VPN User Interface Reference
-
SSL VPN User Interface Reference
-
Firewall Services User Interface Reference
-
Router Platform User Interface Reference
-
PIX/ASA/FWSM Platform User Interface Reference
-
Catalyst Platform User Interface Reference
-
IPS User Interface Reference
-
Deployment User Interface Reference
-
FlexConfig User Interface Reference
-
Tools User Interface Reference
-
Index
-
Table Of Contents
Router Platform User Interface Reference
NAT Page—Interface Specification Tab
Edit Interfaces Dialog Box—NAT Inside Interfaces
Edit Interfaces Dialog Box—NAT Outside Interfaces
Create Router Interface Dialog Box
Interface Auto Name Generator Dialog Box
Advanced Interface Settings Page
Advanced Interface Settings Dialog Box
Dialer Physical Interface Dialog Box
Controller Auto Name Generator Dialog Box
PVC Advanced Settings Dialog Box
PVC Advanced Settings Dialog Box—OAM Tab
PVC Advanced Settings Dialog Box—OAM-PVC Tab
Command Authorization Dialog Box
Accounts and Credentials Policy Page
Command Authorization Override Dialog Box
Console Page—Authentication Tab
Console Page—Authorization Tab
VTY Line Dialog Box—Authentication Tab
VTY Line Dialog Box—Authorization Tab
VTY Line Dialog Box—Accounting Tab
Command Authorization Dialog Box—Line Access
Command Accounting Dialog Box—Line Access
Secure Device Provisioning Policy Page
Network Admission Control Policy Page
Network Admission Control Page—Setup Tab
Network Admission Control Page—Interfaces Tab
NAC Interface Configuration Dialog Box
Network Admission Control Page—Identities Tab
NAC Identity Profile Dialog Box
NAC Identity Action Dialog Box
Quality of Service Policy Page
QoS Class Dialog Box—Matching Tab
Edit ACLs Dialog Box—QoS Classes
QoS Class Dialog Box—Marking Tab
QoS Class Dialog Box—Queuing and Congestion Avoidance Tab
QoS Class Dialog Box—Policing Tab
QoS Class Dialog Box—Shaping Tab
BGP Redistribution Mapping Dialog Box
Edit Interfaces Dialog Box—EIGRP Passive Interfaces
EIGRP Redistribution Mapping Dialog Box
Edit Interfaces Dialog Box—OSPF Passive Interfaces
OSPF Process Page—Redistribution Tab
OSPF Redistribution Mapping Dialog Box
OSPF Max Prefix Mapping Dialog Box
Edit Interfaces Dialog Box—RIP Passive Interfaces
RIP Redistribution Mapping Dialog Box
Router Platform User Interface Reference
The main pages available in Cisco Security Manager for configuring and managing platform-specific policies on Cisco IOS routers are discussed in the following topics:
NAT policies:
Interface policies:
•
Advanced Interface Settings Page
Device Admin policies:
•
•
•
•
Identity policies:
•
Logging policies:
Quality of Service policies:
•
Routing policies:
Tip
NAT Policy Page
You can configure NAT policies on a Cisco IOS router from the following tabs on the NAT policy page:
•
Network Address Translation (NAT) converts private, internal LAN addresses into globally routable IP addresses. NAT enables a small number of public IP addresses to provide global connectivity for a large number of hosts.
For more information, see NAT on Cisco IOS Routers, page 14-5.
Navigation Path•
•
Related Topics•
NAT Page—Interface Specification Tab
Use the NAT Interface Specification tab to define the inside and outside interfaces on the router used for NAT. Inside interfaces are interfaces that connect to the private networks served by the router. Outside interfaces are interfaces that connect to the WAN or the Internet.
Navigation PathGo to the NAT Policy Page, then click the Interface Specification tab.
Related TopicsField Reference
Table K-1 NAT Interface Specification Tab
NAT Inside Interfaces
The interfaces that act as the inside interfaces for address translation. Click Edit to display the Edit Interfaces Dialog Box—NAT Inside Interfaces. From here you can define these interfaces.
NAT Outside Interfaces
The interfaces that act as the outside interfaces for address translation. Click Edit to display the Edit Interfaces Dialog Box—NAT Outside Interfaces. From here you can define these interfaces.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Edit Interfaces Dialog Box—NAT Inside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will act as the inside interfaces for address translation. Inside interfaces typically connect to a LAN that the router serves.
Navigation PathGo to the NAT Page—Interface Specification Tab, then click the Edit button in the NAT Inside Interfaces field.
Related Topics•
•
Field Reference
Table K-2 Edit Interfaces Dialog Box—NAT Inside Interfaces
Interfaces
The interfaces that act as the inside interfaces for address translation. You can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy Definition, page 8-117.
Select button
Opens an object selector for selecting interfaces and interface roles. Using the selector eliminates the need to manually enter this information.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can define an interface role object.
OK button
Saves your changes and closes the dialog box. Your selections are displayed in the NAT Inside Interfaces field of the NAT Interface Specification tab.
Edit Interfaces Dialog Box—NAT Outside Interfaces
When you configure a translation rules policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will act as the outside interfaces for address translation. Outside interfaces typically connect to your organization's WAN or to the Internet.
Navigation PathGo to the NAT Page—Interface Specification Tab, then click the Edit button in the NAT Outside Interfaces field.
Related Topics•
•
Field Reference
Table K-3 Edit Interfaces Dialog Box—NAT Outside Interfaces
Interfaces
The interfaces that act as the outside interfaces for address translation. You can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy Definition, page 8-117.
Select button
Opens an object selector for selecting interfaces and interface roles. Using the selector eliminates the need to manually enter this information.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can define an interface role object.
OK button
Saves your changes and closes the dialog box. Your selections are displayed in the NAT Outside Interfaces field of the NAT Interface Specification tab.
NAT Page—Static Rules Tab
Use the NAT Static Rules tab to create, edit, and delete static address translation rules. For more information, see Defining Static NAT Rules, page 14-8.
Navigation PathGo to the NAT Policy Page, then click the Static Rules tab.
Related Topics•
Field Reference
Table K-4 NAT Static Rules Tab
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Original Address
The original address (and optionally, the subnet mask) that is being translated.
Translated Address
The IP address to which the traffic is translated.
Port Redirection
(When the static rule is defined on a port) Information about the port that is being translated, including the local and global port numbers.
Advanced
The advanced options that are enabled.
Add button
Opens the NAT Static Rule Dialog Box. From here you can create a static translation rule.
Edit button
Opens the NAT Static Rule Dialog Box. From here you can edit the selected static translation rule.
Delete button
Deletes the selected static translation rules from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
NAT Static Rule Dialog Box
Use the NAT Static Rule dialog box to add or edit static address translation rules.
Navigation PathGo to the NAT Page—Static Rules Tab, then click the Add or Edit button beneath the table.
Related Topics•
•
•
•
•
Field Reference
Table K-5 NAT Static Rule Dialog Box
Static Rule Type
The type of local address requiring translation by this static rule:
•
•
•
Original Address
Enter an address or the name of a network/host object, or click Select to display an object selector.
•
•
If the network or host you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-434. From here you can define a network/host object.
Note
Translated Address
The type of address translation to perform:
•
–
–
If the network or host you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-434. From here you can define a network/host object.
•
If the interface role you want is not listed, click the Create button or the Edit button in the selector to display the Interface Role Dialog Box, page F-420. From here you can create an interface role object.
Note
Port Redirection
Applies only when Static Port is the selected static rule type.
Redirect Port—When selected, specifies port information for the inside device in the translation. This enables you to use the same public IP address for multiple devices as long as the port specified for each device is different. Enter information in the following fields:
•
•
•
When deselected, port information is not included in the translation.
Advanced
Applies only when using the Translated IP option for address translation.
Defines advanced options:
•
The alias option is used to answer Address Resolution Protocol (ARP) requests for global addresses that are allocated by NAT. You can disable this feature for static entries by selecting the No alias check box.
When deselected, global address aliases are permitted.
•
The payload option performs NAT between devices on overlapping networks that share the same IP address. When an outside device sends a DNS query to reach an inside device, the local address inside the payload of the DNS reply is translated to a global address according to the relevant NAT rule. You can disable this feature by selecting the No payload check box.
When deselected, embedded addresses and ports in the payload may be translated, as described above.
•
When deselected, creates a simple translation entry that allows you to associate a single global address with the local address.
OK button
Saves your changes locally on the client and closes the dialog box.
Note
NAT Page—Dynamic Rules Tab
Use the NAT Dynamic Rules tab to create, edit, and delete dynamic address translation rules. A dynamic address translation rule dynamically maps hosts to addresses, using either the globally registered IP address of a specific interface or addresses included in an address pool that are globally unique in the destination network.
For more information, see Defining Dynamic NAT Rules, page 14-16.
Navigation PathGo to the NAT Policy Page, then click the Dynamic Rules tab.
Related Topics•
Field Reference
Table K-6 NAT Dynamic Rules Tab
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Traffic Flow
The ACL that defines the traffic that is being translated.
Translated Address
Indicates whether the translated address is based on an interface or on a defined address pool.
Port Translation
Indicates whether Port Address Translation (PAT) is being used by this dynamic NAT rule.
Add button
Opens the NAT Dynamic Rule Dialog Box. From here you can create a dynamic translation rule.
Edit button
Opens the NAT Dynamic Rule Dialog Box. From here you can edit the selected dynamic translation rule.
Delete button
Deletes the selected dynamic translation rules from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
NAT Dynamic Rule Dialog Box
Use the NAT Dynamic Rule dialog box to add or edit dynamic address translation rules.
Navigation PathGo to the NAT Page—Dynamic Rules Tab, then click the Add or Edit button beneath the table.
Related Topics•
•
•
•
Field Reference
Table K-7 NAT Dynamic Rule Dialog Box
Traffic Flow
Access List—The extended ACL that specifies the traffic requiring dynamic translation. Enter the name of an ACL object, or click Select to display an object selector.
If the ACL you want is not listed, click the Create button in the selector to display the dialog box for defining an extended ACL object. For more information, see Add and Edit Extended Access List Pages, page F-36.
Note
Translated Address
The method for performing dynamic address translation:
•
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can create an interface role object.
•
Enable Port Translation (Overload)
When selected, the router uses port addressing (PAT) if the pool of available addresses runs out.
When deselected, PAT is not used.
Note
Do Not Translate VPN Traffic (Site-to-Site VPN only)
This setting applies only in situations where the NAT ACL overlaps the crypto ACL used by the site-to-site VPN. Because the interface performs NAT first, any traffic arriving from an address within this overlap would get translated, causing the traffic to be sent unencrypted. Leaving this check box selected prevents that from happening.
When selected, address translation is not performed on VPN traffic.
When deselected, the router performs address translation on VPN traffic in cases of overlapping addresses between the NAT ACL and the crypto ACL.
Note
Note
OK button
Saves your changes locally on the client and closes the dialog box.
Note
NAT Page—Timeouts Tab
Use the NAT Timeouts tab to view or modify the default timeout values for PAT (overload) translations. These timeouts cause a dynamic translation to expire after a defined period of non-use. In addition, you can use this page to place a limit on the number of entries allowed in the dynamic NAT table and to modify the default timeout on all dynamic translations that are not PAT translations.
Note
Navigation PathGo to the NAT Policy Page, then click the Timeouts tab.
Related Topics•
•
Field Reference
Router Interfaces Page
Use the Router Interfaces page to view, create, edit, and delete interface definitions (physical and virtual) on a selected Cisco IOS router. The Router Interfaces page displays interfaces that were discovered by Security Manager as well as interfaces added manually after you added the device to the system.
For more information, see Basic Interface Settings on Cisco IOS Routers, page 14-21.
Navigation PathSelect a Cisco IOS router from the Device selector, then select Interfaces > Interfaces from the Policy selector.
Related Topics•
•
•
Field Reference
Table K-9 Router Interfaces Page
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface Type
The interface type. Subinterfaces are displayed indented beneath their parent interface.
Interface Name
The name of the interface.
Enabled
Indicates whether the interface is currently enabled (managed by Security Manager) or disabled (shutdown state).
IP Address
The IP address of interfaces defined with a static address.
IP Address Type
The type of IP address assigned to the interface—static, DHCP, PPPoE, or unnumbered. (IP address is defined by a selected interface role.)
Interface Role
The interface roles that are assigned to the selected interface.
Add button
Opens the Create Router Interface Dialog Box. From here you can create an interface on the selected router.
Edit button
Opens the Create Router Interface Dialog Box. From here you can edit the selected interface.
Delete button
Deletes the selected interfaces from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
Create Router Interface Dialog Box
Use the Create Router Interface dialog box to create and edit physical and virtual interfaces on the selected Cisco IOS router.
Note
Navigation PathGo to the Router Interfaces Page, then click the Add or Edit button beneath the table.
Related Topics•
•
•
Field Reference
Table K-10 Create Router Interface Dialog Box
Enabled
When selected, the router interface is enabled.
When deselected, the router interface is in shutdown state. However, its definition is not deleted.
Type
Specifies whether you are defining an interface or subinterface.
Name
Applies only to interfaces.
The name of the interface. Enter a name manually, or click Select to display a dialog box for generating a name automatically. See Interface Auto Name Generator Dialog Box.
Note
•
•
•
•
Parent
Applies only to subinterfaces.
The parent interface of the subinterface. Select the parent interface from the displayed list.
Subinterface ID
Applies only to subinterfaces.
The ID number of the subinterface.
IP
The source of the IP address for the interface:
•
Note
•
•
–
–
–
–
–
–
–
•
Note
Layer Type
The OSI layer at which the interface is defined:
•
•
•
Duplex
The interface transmission mode:
•
•
•
•
Note
Note
Note
Speed
Applies only to Fast Ethernet and Gigabit Ethernet interfaces.
The speed of the interface:
•
•
•
•
Note
MTU
The maximum transmission unit, which refers to the maximum packet size, in bytes, that this interface can handle.
Valid values for serial, Ethernet, and Fast Ethernet interfaces range from 64 to 17940 bytes.
Valid values for Gigabit Ethernet interfaces range from 1500 to 9216 bytes.
Encapsulation
The type of encapsulation performed by the interface:
•
•
•
Note
VLAN ID
Applies only to subinterfaces with encapsulation type DOT1Q.
The VLAN ID associated with this subinterface. The VLAN ID specifies where 802.1Q tagged packets are sent and received on this subinterface; without a VLAN ID, the subinterface cannot send or receive traffic. Valid values range from 1 to 4094.
Note
TipNative VLAN
Applies only when the encapsulation type is DOT1Q and you are configuring a physical interface that is meant to serve as an 802.1Q trunk interface. Trunking is a way to carry traffic from several VLANs over a point-to-point link between two devices.
When selected, the Native VLAN is associated with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) The native VLAN is the VLAN to which all untagged VLAN packets are logically assigned by default. This includes the management traffic associated with the VLAN. If no VLAN ID is defined, the default is 1.
For example, if the VLAN ID of this interface is 1, all incoming untagged packets and packets with VLAN ID 1 are received on the main interface and not on a subinterface. Packets sent from the main interface are transmitted without an 802.1Q tag.
When deselected, the Native VLAN is not associated with this interface.
Note
DLCI
Applies only to serial subinterfaces with Frame Relay encapsulation.
Enter the data-link connection identifier to associate with the subinterface. Valid values range from 16 to 1007.
Note
Description
Additional information about the interface (up to 1024 characters).
Roles
The interface roles assigned to this interface. A message is displayed if no roles have yet been assigned.
OK button
Saves your changes locally on the client and closes the dialog box.
Note
Interface Auto Name Generator Dialog Box
Use the Interface Auto Name Generator dialog box to have Security Manager generate a name for the interface based on the interface type and its location in the router.
Navigation PathGo to the Create Router Interface Dialog Box, select Interface from the Type list, then click Select in the Name field.
Related Topics•
•
Field Reference
Table K-11 Interface Auto Name Generator Dialog Box
Type
The type of interface. Your selection from this list forms the first part of the generated name, as displayed in the Result field. For more information, see Table 14-1 on page 14-22.
Card
The card related to the interface.
Note
Slot
The slot related to the interface.
Port
The port related to the interface.
Note
Result
The name generated by Security Manager from the information you entered for the interface type and location. The name displayed in this field is read-only.
TipOK button
Saves your changes locally on the client and closes the dialog box.
Note
Advanced Interface Settings Page
Use the Advanced Interface Settings page to view, create, edit, and delete advanced interface definitions (physical and virtual) on a selected Cisco IOS router. Examples of advanced settings include Cisco Discovery Protocol (CDP) settings, ICMP message settings, and virtual fragment reassembly settings.
For more information, see Advanced Interface Settings on Cisco IOS Routers, page 14-29.
Navigation Path•
•
Related Topics•
•
Field Reference
Table K-12 Advanced Interface Settings Page
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface
The interface or interface role for which advanced settings are defined.
Max Bandwidth
The bandwidth value to communicate to higher-level protocols in kilobits per second (kbps).
Load Interval
The length of time used to calculate the average load for this interface.
CDP
Indicates whether CDP and CDP logging are enabled on this interface.
Redirects
Indicates whether ICMP redirect messages are enabled on this interface.
Unreachables
Indicates whether ICMP unreachable messages are enabled on this interface.
Mask Reply
Indicates whether ICMP mask reply messages are enabled on this interface.
Directed Broadcasts
Indicates whether directed broadcasts that are intended for the subnet to which this interface is attached are exploded as broadcasts on that subnet.
Add button
Opens the Advanced Interface Settings Dialog Box. From here you can define advanced settings on the selected interface.
Edit button
Opens the Advanced Interface Settings Dialog Box. From here you can edit the selected interface.
Delete button
Deletes the selected advanced interface definitions from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
Advanced Interface Settings Dialog Box
Use the Advanced Interface Settings dialog box to define a variety of advanced settings on a selected interface, including:
•
•
•
•
•
•
•
Navigation PathGo to the Advanced Interface Settings Page, then click the Add or Edit button beneath the table.
Related Topics•
•
•
•
Field Reference
Table K-13 Advanced Interface Settings Dialog Box
Interface
The interface on which the advanced settings are defined. Enter the name of an interface or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can create an interface role object.
Note
Note
Max Bandwidth
The bandwidth value to communicate to higher-level protocols in kilobits per second (kbps).
Note
Load Interval
The length of time, in seconds, used to calculate the average load on the interface. Valid values range from 30 to 600 seconds, in multiples of 30 seconds. The default is 300 seconds (5 minutes).
Modify the default to shorten the length of time over which load averages are computed. You can do this if you want load computations to be more reactive to short bursts of traffic.
Load data is gathered every 5 seconds. This data is used to compute load statistics, including input/output rate in bits and packets per second, load, and reliability. Load data is computed using a weighted-average calculation in which recent load data has more weight in the computation than older load data.
TipNote
TCP Maximum Segment Size
The maximum segment size (MSS) of TCP SYN packets that pass through this interface. Valid values range from 500 to 1460 bytes. If you do not specify a value, the MSS is determined by the originating host.
This option helps prevent TCP sessions from being dropped as they pass through the router. Use this option when the ICMP messages that perform auto-negotiation of TCP frame size are blocked (for example, by a firewall). We highly recommend using this option on the tunnel interfaces of DMVPN networks.
For more information, see TCP MSS Adjustment at this URL:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html.
Note
Helper Addresses
The helper addresses that are used to forward User Datagram Protocol (UDP) broadcasts that are received on this interface. Enter one or more addresses or network/host objects, or click Select to display an object selector.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-434. From here, you can define a network/host object.
By default, routers do not forward broadcasts outside of their subnet. Helper addresses provide a solution by enabling the router to forward certain types of UDP broadcasts as a unicast to an address on the destination subnet.
For more information, see Understanding Helper Addresses, page 14-30.
Enable CDP
When selected, the Cisco Discovery Protocol (CDP) is enabled on this interface. This the default.
When deselected, CDP is disabled on this interface.
CDP is a media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. It is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices.
Note
Log CDP Messages
Applies only to Ethernet interfaces.
When selected, duplex mismatches for this interface are displayed in a log. This is the default.
When deselected, duplex mismatches for this interface are not logged.
Enable Ingress Accounting
When selected, NetFlow accounting is enabled on traffic arriving on this interface.
When deselected, NetFlow accounting on arriving traffic is disabled. This is the default.
Cisco IOS NetFlow provides the metering base for a key set of applications including network traffic accounting, usage-based network billing, network planning, as well as Denial Services monitoring capabilities, network monitoring, outbound marketing, and data mining capabilities for both service provider and enterprise customers.
Note
Enable Egress Accounting
When selected, enables NetFlow accounting on traffic leaving this interface.
When deselected, disables NetFlow accounting on traffic leaving this interface. This is the default.
Note
Enable Redirect Messages
When selected, enables the sending of Internet Control Message Protocol (ICMP) redirect messages if the device is forced to resend a packet through the same interface on which it was received to another device on the same subnet. This is the default.
When deselected, disabled redirect messages.
Redirect messages are sent when the device wants to instruct the originator of the packet to remove it from the route and substitute a different device that offers a more direct path to the destination.
Enable Unreachable Messages
When selected, enables the sending of ICMP unreachable messages. This is the default.
When deselected, disables unreachable messages.
Unreachable messages are sent in two circumstances:
•
•
Note
Enable Mask Reply Messages
When selected, enables the sending of ICMP mask reply messages.
When deselected, disables mask reply messages. This is the default.
Mask reply messages are sent in response to mask request messages, which are sent when a device needs to know the subnet mask for a particular subnetwork.
Enable Virtual Fragment Reassembly (VFR)
When selected, virtual fragmentation reassembly (VFR) is enabled on this interface.
When deselected, disables VFR. This is the default.
VFR is a feature that enables the Cisco IOS Firewall to create dynamic ACLs that can protect the network from various fragmentation attacks. For more information, see Virtual Fragmentation Reassembly at this URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_virt_frag_reassm.html.
Enable Proxy ARP
When selected, enables proxy Address Resolution Protocol (ARP) on the interface. This is the default.
When deselected, disables proxy ARP.
Proxy ARP, defined in RFC 1027, is the technique in which one host, usually a router, answers ARP requests intended for another machine, thereby accepting responsibility for routing packets to the real destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway.
Enable NBAR Protocol Discovery
When selected, enables network-based application recognition (NBAR) on this interface to discover traffic and keep traffic statistics for all protocols known to NBAR.
When deselected, disables NBAR. This is the default.
Protocol discovery provides a method to discover application protocols traversing an interface so that QoS policies can be developed and applied to them. For more information, go to:
Enable Directed Broadcasts
When selected, directed broadcast packets are "exploded" as a link-layer broadcast when this interface is directly connected to the destination subnet.
When deselected, directed broadcast packets that are intended for the subnet to which this interface is directly connected are dropped rather than being broadcast. This is the default.
An IP directed broadcast is an IP packet whose destination address is a valid broadcast address on a different subnet from the node on which it originated. In such cases, the packet is forwarded as if it was a unicast packet until it reaches its destination subnet.
This option affects only the final transmission of the directed broadcast on its destination subnet; it does not affect the transit unicast routing of IP directed broadcasts.
Note
ACL
Applies only when directed broadcasts are enabled.
The standard access list that determines which directed broadcasts are permitted to be broadcast on the destination subnet. All other directed broadcasts destined for the subnet to which this interface is directly connected are dropped. Enter the name of an ACL object, or click Select to display an object selector.
If the standard ACL you want is not listed, click the Create button in the selector to display the Add and Edit Standard Access List Pages, page F-45. From here you can create an ACL object.
Note
OK button
Saves your changes locally on the client and closes the dialog box.
Note
Dialer Policy Page
Use the Dialer page to define the relationship between physical Basic Rate Interface (BRI) and virtual dialer interfaces. You use these dialer interfaces when you configure the dial backup feature for site-to-site VPNs.
For more information, see Dialer Interfaces on Cisco IOS Routers, page 14-34.
Navigation Path•
•
Related Topics•
•
Field Reference
Table K-14 Dialer Page
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface
The interface role that the dialer interface uses.
Profile Name
The name of the dialer profile.
Dial Pool
The dialing pool that this dialer profile uses.
Dial Group
The dialer group that this dialer profile uses.
Interesting Traffic ACL
The ACL that defines which traffic can use this dialer profile.
Dial String
The phone number that the dialer calls.
Idle Timeout
The defined interval after which an uncontested idle line is disconnected.
Fast Idle
The defined interval after which a contested idle line is disconnected.
Add button
Opens the Dialer Profile Dialog Box. From here you can define a dialer profile.
Edit button
Opens the Dialer Profile Dialog Box. From here you can edit the selected dialer profile.
Delete button
Deletes the selected dialer profiles from the table.
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface
The name of the interface role that the physical interface uses.
Pools
The dial pools related to this physical interface.
Switch Type
The ISDN switch type that the physical interface uses.
SPID1
The first service provider identifier (SPID) related to this interface.
SPID2
The second SPID related to this interface.
Add button
Opens the Dialer Physical Interface Dialog Box. From here you can define a dialer physical interface.
Edit button
Opens the Dialer Physical Interface Dialog Box. From here you can edit the selected dialer physical interface.
Delete button
Deletes the selected dialer physical interfaces from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
Dialer Profile Dialog Box
Use the Dialer Profile dialog box to add or edit dialer profiles.
Navigation PathGo to the Dialer Policy Page, then click the Add or Edit button beneath the Dialer Profile table.
Related Topics•
•
•
•
•
Field Reference
Table K-15 Dialer Profile Dialog Box
Name
A descriptive name for the dialer profile. This name enables you to assign the correct dialer pool to the physical interface. You can also use the profile name as a reference to the site to which this dialer interface serves as a backup.
Interface
The virtual dialer interface to associate with the dialer profile. Enter the name of an interface or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can create an interface role object.
Pool ID
The dialer pool ID. Each pool can contain multiple physical interfaces and can be associated with multiple dialer interfaces. Each dialer interface, however, is associated with only one pool.
Group
The group ID, which identifies the dialer group that this dialer interface uses.
Interesting Traffic ACL
The extended, numbered ACL that defines which packets are permitted to initiate calls using this dialer profile.
Enter the name of an extended, numbered ACL object, or click Select to display an object selector. The valid ACL number range is 100 to 199.
If the extended ACL you want is not listed, click the Create button in the selector to display the Extended Tab, page F-34. From here you can create an ACL object.
Dialer String (Remote Phone Number)
The phone number of the destination that the dialer contacts.
Idle Timeout
The default amount of idle time before an uncontested line is disconnected. The default is 120 seconds.
Fast Idle Timeout
The default amount of idle time before a contested line is disconnected. The default is 20 seconds.
Line contention occurs when a busy line is requested to send another packet to a different destination.
OK button
Saves your changes locally on the client and closes the dialog box.
Note
Dialer Physical Interface Dialog Box
Use the Dialer Physical Interface dialog box to add or edit the properties that associate physical BRI interfaces with dialer interfaces.
Note
Navigation PathGo to the Dialer Policy Page, then click the Add or Edit button beneath the Dialer Physical Interfaces table.
Related Topics•
•
•
•
Field Reference
Table K-16 Dialer Physical Interface Dialog Box
ISDN BRI
The physical BRI interface associated with the dialer interface. Enter the name of an interface or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can create an interface role object.
Pools
Associates dialer pools with a physical interface. Enter the names of one or more pools (as defined in the Dialer Profile Dialog Box), or click Select to display a selector. Use commas to separate multiple entries.
Switch Type
The ISDN switch type.
Options for North America are:
•
•
•
Options for Australia, Europe, and the UK are:
•
•
•
Options for Japan are:
•
Options for Voice/PBX systems:
•
SPID1
Applies only when you select Basic-DMS-100, Basic-NI, or Basic-5ess as the switch type.
The service provider identifier (SPID) for the ISDN service to which the interface subscribes. Some service providers in North America assign SPIDs to ISDN devices when you first subscribe to an ISDN service. If you are using a service provider that requires SPIDs, your ISDN device cannot place or receive calls until it sends a valid assigned SPID to the service provider when accessing the switch to initialize the connection.
Valid SPIDs can contain up to 20 characters, including spaces and special characters.
Note
SPID2
Applies only when you select DMS-100 or NI as the switch type.
The service provider identifier (SPID) for a second ISDN service to which the interface subscribes. Valid SPIDs can contain up to 20 alphanumeric characters (no spaces are permitted).
OK button
Saves your changes locally on the client and closes the dialog box.
Note
ADSL Policy Page
Use the ADSL page to create, edit, and delete ADSL definitions on the ATM interfaces of the router. For more information, see Defining ADSL Settings, page 14-42.
Navigation Path•
•
Related Topics•
•
Field Reference
Table K-17 ADSL Page
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
ATM Interface
The ATM interface on which ADSL settings are defined.
Interface Card
The type of device or ADSL interface card on which the ATM interface resides.
Bandwidth Change
Indicates whether the router makes dynamic adjustments to VC bandwidth as overall bandwidth changes. (This is relevant only when IMA groups are configured on the ATM interface.)
DSL Operating Mode
The DSL operating mode for this interface.
Tone Low
Indicates whether the interface is using the low tone set (carrier tones 29 through 48).
Add button
Opens the ADSL Settings Dialog Box. From here you can define the ADSL settings for a selected ATM interface.
Edit button
Opens the ADSL Settings Dialog Box. From here you can edit the selected ADSL definition.
Delete button
Deletes the selected ADSL definition from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
ADSL Settings Dialog Box
Use the ADSL Settings dialog box to configure ADSL settings on a selected ATM interface.
Note
Navigation PathGo to the ADSL Policy Page, then click the Add or Edit button beneath the table.
Related Topics•
Field Reference
Table K-18 ADSL Settings Dialog Box
ATM Interface
The ATM interface on which ADSL settings are defined. Enter the name of an interface or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can define an interface role object.
Note
Note
Interface Card
The device type or the type of interface card installed on the router:
•
•
•
•
•
•
•
•
Interface Card
(continued)•
•
•
•
•
Note
Allow bandwidth change on ATM PVCs
When selected, the router makes dynamic adjustments to VC bandwidth in response to changes in the overall bandwidth of the Inverse Multiplexing over ATM (IMA) group defined on the ATM interface.
When deselected, PVC bandwidth must be adjusted manually (using the CLI) whenever an individual physical link in the IMA group goes up or down.
DSL Operating Mode
The operating mode configured for this ADSL line:
•
•
•
•
•
•
•
Note
Use low tone set
When selected, the interface card uses carrier tones 29 through 48.
When deselected, the interface card uses carrier tones 33 through 56.
Note
OK button
Saves your changes locally on the client and closes the dialog box.
Note
SHDSL Policy Page
Use the SHDSL page to create, edit, and delete DSL controller definitions on the router. For more information, see Defining SHDSL Controllers, page 14-46.
Navigation Path•
•
Related Topics•
•
Field Reference
Table K-19 SHDSL Page
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Name
The name of the DSL controller.
Description
An optional description of the controller.
Shutdown
Indicates whether the DSL controller is in shutdown mode.
Configure ATM Mode
Indicates whether the DSL controller has been set into ATM mode.
Line Termination
The line termination set for the router (CPE or CO).
DSL Mode
The operating mode defined for the DSL controller.
Line Mode
The line mode defined for the DSL controller.
Line Rate
The line rate (in kbps) defined for the DSL controller.
Note
SNR Margin Current
The current signal-to-noise ratio on the controller.
SNR Margin Snext
The self near-end crosstalk (Snext) signal-to-noise ratio on the controller.
Add button
Opens the SHDSL Controller Dialog Box. From here you can define the settings for a DSL controller.
Edit button
Opens the SHDSL Controller Dialog Box. From here you can edit the selected DSL controller definition.
Delete button
Deletes the selected DSL controller definition from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
SHDSL Controller Dialog Box
Use the SHDSL Controller dialog box to configure SHDSL controllers.
Navigation PathGo to the SHDSL Policy Page, then click the Add or Edit button beneath the table.
Related Topics•
•
Field Reference
Table K-20 SHDSL Dialog Box
Name
The name of the controller. Enter a name manually, or click Select to display a dialog box for generating a name. See Controller Auto Name Generator Dialog Box.
Description
Additional information about the controller (up to 80 characters).
Shutdown
When selected, the DSL controller is in shutdown state. However, its definition is not deleted.
When deselected, the DSL controller is enabled. This is the default.
Configure ATM mode
When selected, sets the controller into ATM mode and creates an ATM interface with the same ID as the controller. This is the default. You must enable ATM mode and then perform rediscovery to configure ATM or PVCs on the device.
When deselected, ATM mode is disabled. No ATM interface is created on deployment.
Note
Line Termination
The line termination that is set for the router:
•
•
DSL Mode
The DSL operating mode, including regional operating parameters, used by the controller:
•
•
•
•
•
•
Note
Line Mode
The line mode used by the controller:
•
•
•
Note
Line
Applies only when the Line Mode is defined as 2-wire.
The pair of wires to use:
•
•
Exchange Handshake
Applies only when the Line Mode is defined as 4-wire.
The type of handshake mode to use:
•
•
•
Line Rate
Does not apply when the Line Mode is defined as Auto.
The DSL line rate (in kbps) available for the SHDSL port:
•
•
–
–
Note
Current
The current signal-to-noise (SNR) ratio on the controller, in decibels (dB). Valid values range from -10 to 10 dB.
This option can create a more stable line by making the line train more than current noise margin plus SNR ratio threshold during training time. If any external noise is applied that is less than the set SNR margin, the line will be stable.
Note
Snext
The Self Near-End Crosstalk (SNEXT) signal-to-noise ratio on the controller, in decibels. Valid values range from -10 to 10 dB.
This option can create a more stable line by making the line train more than SNEXT threshold during training time. If any external noise is applied that is less than the set SNEXT margin, the line will be stable.
Note
OK button
Saves your changes locally on the client and closes the dialog box.
Note
Controller Auto Name Generator Dialog Box
Use the Controller Auto Name Generator dialog box to have Security Manager generate a name for the DSL controller based on its location in the router.
Navigation PathGo to the SHDSL Controller Dialog Box, then click Select in the Name field.
Related Topics•
Field Reference
PVC Policy Page
Use the PVC page to create, edit, and delete permanent virtual connections (PVCs) on the router. PVCs allow direct and permanent connections between sites to provide a service that is similar to a leased line. These PVCs can be used in ADSL, SHDSL, or pure ATM environments. For more information, see Defining ATM PVCs, page 14-55.
Navigation Path•
•
Related Topics•
•
Field Reference
Table K-22 PVC Page
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
ATM Interface
The ATM interface on which the PVC is defined.
Interface Card
The type of device or WAN interface card on which the ATM interface resides.
PVC ID
The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the PVC.
Settings
Additional settings configured for the PVC, including encapsulation, the number of PPPoE sessions, and the VPN service name.
QoS
Quality-of-service settings defined for the PVC, such as traffic shaping.
Protocol
The IP protocol mappings (static maps or Inverse ARP) configured for the PVC.
OAM
The F5 Operation, Administration, and Maintenance (OAM) loopback, continuity check, and AIS/RDI definitions configured for the PVC.
OAM-PVC
The OAM management cells that are configured for the PVC.
Add button
Opens the PVC Dialog Box. From here you can define a PVC.
Edit button
Opens the PVC Dialog Box. From here you can edit the selected PVC.
Delete button
Deletes the selected PVC from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
PVC Dialog Box
Use the PVC dialog box to configure ATM permanent virtual circuits (PVCs).
Navigation PathGo to the PVC Policy Page, then click the Add or Edit button beneath the table.
Related Topics•
Field Reference
Table K-23 PVC Dialog Box
ATM Interface
The ATM interface on which the PVC is defined. Enter the name of an interface, subinterface, or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can define an interface role object.
Note
Interface Card
The type of WAN interface card installed on the router or the router type:
•
•
•
•
•
•
•
•
•
•
•
•
Interface Card (continued)
•
•
•
•
•
•
•
•
Note
Settings tab
Defines basic PVC settings, such as the VPI/VCI and encapsulation. See PVC Dialog Box—Settings Tab.
QoS tab
Defines ATM traffic shaping and other quality-of-service settings for the PVC. See PVC Dialog Box—QoS Tab.
Protocol tab
Defines the IP protocol mappings configured for the PVC (static maps or Inverse ARP). See PVC Dialog Box—Protocol Tab.
Advanced button
Defines F5 Operation, Administration, and Maintenance (OAM) settings for the PVC. See PVC Advanced Settings Dialog Box—OAM Tab.
OK button
Saves your changes locally on the client and closes the dialog box.
Note
PVC Dialog Box—Settings Tab
Use the Settings tab of the PVC dialog box to configure the basic settings of the PVC, including:
•
•
•
•
•
Navigation PathGo to the PVC Dialog Box, then click the Settings tab.
Related Topics•
•
Field Reference
Table K-24 PVC Dialog Box—Settings Tab
VPI
The virtual path identifier of the PVC. In conjunction with the VCI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values for most platforms range from 0 to 255.
For Cisco 2600 and 3600 Series routers using Inverse Multiplexing for ATM (IMA), valid values range from 0 to 15, 64 to 79, 128 to 143, and 192 to 207.
Note
VCI
The 16-bit virtual channel identifier of the PVC. In conjunction with the VPI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values vary by platform. Typically, values up to 31 are reserved for special traffic (such as ILMI) and should not be used. 3 and 4 are invalid.
Note
Handle
An optional name to identify the PVC. The maximum length is 15 characters.
Management PVC (ILMI)
Does not apply when configuring the PVC on a subinterface.
When selected, designates this PVC as the management PVC for this ATM interface by enabling communication with the Interim Local Management Interface (ILMI). ILMI is a protocol defined by the ATM Forum for setting and capturing physical layer, ATM layer, virtual path, and virtual circuit parameters on ATM interfaces. See Understanding ILMI, page 14-52.
When deselected, this PVC does not act as the management PVC. This is the default.
Note
Type
Does not apply when the Management PVC (ILMI) check box is enabled.
The ATM adaptation layer (AAL) and encapsulation type to use on the PVC:
•
•
•
•
•
•
•
Virtual Template
The virtual template used for PPP over ATM on this PVC. Enter the name of a virtual template interface or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can define an interface role object.
When a user dials in, the virtual template is used to configure a virtual access interface. When the user is done, the virtual access interface goes down and the resources are freed for other dial-in users.
Note
Protocol
Applies only when aal5mux is the defined encapsulation type.
The protocol carried by the MUX-encapsulated PVC:
•
•
•
•
•
Enable ILMI
When selected, enables ILMI management on this PVC.
When deselected, ILMI management on this PVC is disabled.
Inverse ARP
When selected, the Inverse Address Resolution Protocol (Inverse ARP) is enabled on the PVC.
When deselected, Inverse ARP is disabled. This is the default.
Inverse ARP is used to learn the Layer 3 addresses at the remote ends of established connections. These addresses must be learned before the virtual circuit can be used.
Note
PPPoE Max Sessions
The maximum number of PPP over Ethernet sessions that are permitted on the PVC.
VPN Service Name
The static domain name to use on this PVC. The maximum length is 128 characters.
Use this option when you want PPP over ATM (PPPoA) sessions in the PVC to be forwarded according to the domain name supplied, without starting PPP.
PVC Dialog Box—QoS Tab
Use the QoS tab of the PVC dialog box to configure the ATM traffic shaping and other quality-of-service settings of the PVC, including:
•
•
•
These settings regulate the flow of traffic over the PVC by queuing traffic that exceeds the defined allowable bit rates.
Note
Navigation PathGo to the PVC Dialog Box, then click the QoS tab.
Related Topics•
•
•
•
Field Reference
Table K-25 PVC Dialog Box—QoS Tab
Tx Ring Limit
The maximum number of transmission packets that can be placed on a transmission ring on the WAN interface card (WIC) or interface.
The range of valid values depends on the type of interface card selected in the Settings tab. See PVC Dialog Box—Settings Tab.
Traffic Shaping
The type of service to define on the PVC:
•
•
•
•
•
•
•
For more information about each service class, see Understanding ATM Service Classes, page 14-50.
ABR
The following fields are displayed when ABR is selected as the Bit Rate:
•
•
The ABR varies between the MCR and the PCR. It is dynamically controlled using congestion control mechanisms.
CBR
The following field is displayed when CBR is selected as the Bit Rate:
•
UBR
The following field is displayed when UBR is selected as the Bit Rate:
•
UBR+
The following fields are displayed when UBR+ is selected as the Bit Rate:
•
•
Note
VBR-NRT
The following fields are displayed when VBR-NRT is selected as the Bit Rate:
•
•
•
VBR-RT
The following fields are displayed when VBR-RT is selected as the Bit Rate:
•
•
•
These values configure traffic shaping between realtime traffic (such as voice and video) and data traffic to ensure that the carrier does not discard realtime traffic, for example, voice calls.
Random Detect
When selected, enables Weighted Random Early Detection (WRED) or VIP-distributed WRED (DWRED) on the PVC.
When deselected, WRED and DWRED are disabled. This is the default.
WRED is a queue management method that selectively drops packets as the interface becomes congested. See Tail Drop vs. WRED, page 14-158.
PVC Dialog Box—Protocol Tab
Use the Protocol tab of the PVC dialog box to add, edit, or delete the protocol mappings configured for the PVC. You may configured static mappings or Inverse ARP (broadcast or nonbroadcast) for each PVC, but not both.
Note
•
Navigation PathGo to the PVC Dialog Box, then click the Protocol tab.
Related Topics•
•
Field Reference
Table K-26 PVC Dialog Box—Protocol Tab
IP Protocol Mapping
Displays the IP protocol mappings configured for the PVC.
Add button
Opens the Define Mapping Dialog Box. From here you can define an IP protocol mapping.
Edit button
Opens the Define Mapping Dialog Box. From here you can edit the selected mapping.
Delete button
Deletes the selected mapping from the table.
Define Mapping Dialog Box
Use the Define Mapping dialog box to configure the IP protocol mappings to use on the ATM PVC. Mappings are required by the PVC to discover which IP address is reachable at the other end of a connection. Mappings can either be learned dynamically using Inverse ARP (InARP) or defined statically. Static mappings are best suited for simple networks that contain only a few nodes.
Note
Tip
Navigation PathGo to the PVC Dialog Box—Protocol Tab, then click Add or Edit.
Related Topics•
Field Reference
Table K-27 Define Mapping Dialog Box
IP Options
The type of IP protocol mapping to use:
•
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-434. From here, you can define a network/host object.
•
Note
Broadcast Options
Indicates whether to use this map entry when sending IP broadcast packets (such as EIGRP updates):
•
•
•
OK button
Saves your changes locally on the client and closes the dialog box.
Note
PVC Advanced Settings Dialog Box
Use the PVC Advanced Settings dialog box to configure F5 Operation, Administration, and Maintenance (OAM) functionality on an ATM PVC. OAM is used to detect connectivity failures at the ATM layer.
For more information, see Defining OAM Management on ATM PVCs, page 14-59.
Navigation PathGo to the PVC Dialog Box, then click Advanced.
Related TopicsField Reference
Table K-28 PVC Advanced Settings Dialog Box
OAM tab
Defines loopback, connectivity check, and AIS/RDI settings. See PVC Advanced Settings Dialog Box—OAM Tab.
OAM-PVC tab
Enables OAM loopbacks and connectivity checks on the PVC. See PVC Advanced Settings Dialog Box—OAM-PVC Tab.
OK button
Saves your changes locally on the client and closes the dialog box.
Note
PVC Advanced Settings Dialog Box—OAM Tab
Use the OAM tab of the PVC Advanced Settings dialog box to define:
•
•
•
For more information, see Defining OAM Management on ATM PVCs, page 14-59.
Note
Navigation PathGo to the PVC Advanced Settings Dialog Box, then click the OAM tab.
Related TopicsField Reference
Table K-29 PVC Advanced Settings Dialog Box—OAM Tab
Enable OAM Retry
When selected, OAM management settings can be defined.
When deselected, OAM management settings cannot be defined.
Note
Down Count
The number of consecutive, unreceived, end-to-end loopback cell responses that cause the PVC to move to the down state. The default is 3.
Up Count
The number of consecutive end-to-end loopback cell responses that must be received in order to move the PVC to the up state. The default is 5.
Retry Frequency
The interval between loopback cell verification transmissions in seconds. The default is 1 second.
If a PVC is up and a loopback cell response is not received within the specified interval (as defined in the Frequency field of the PVC-OAM tab), loopback cells are transmitted at the frequency defined here to verify whether the PVC is down. If the number of consecutive cells that do not receive a response matches the defined down count, the PVC is moved to the down state.
Enable AIS-RDI Detection
When selected, alarm indication signal (AIS) cells and remote defect indication (RDI) cells are used to report connectivity failures at the ATM layer of the PVC.
When deselected, AIS/RDI cells are disabled.
AIS cells notify downstream devices of the connectivity failure. The last ATM switch then generates RDI cells in the upstream direction towards the device that sent the original failure notification.
Down Count
The number of consecutive AIS/RDI cells that cause the PVC to go down. Valid values range from 1 to 60. The default is 1.
Up Count
The number of seconds after which a PVC is brought up if no AIS/RDI cells are received. Valid values range from 3 to 60 seconds. The default is 3.
Enable Segment Continuity Check
When selected, OAM F5 continuity check (CC) activation and deactivation requests are sent to a device at the other end of a segment.
When deselected, segment CC activation and deactivation requests are disabled.
Note
Activation Count
The maximum number of times that the activation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.
Deactivation Count
The maximum number of times that the deactivation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.
Retry Frequency
The interval between activation/deactivation retries, in seconds. The default is 30 seconds.
Enable End-to-End Continuity Check
When selected, OAM F5 continuity check (CC) activation and deactivation requests are sent to a device at the other end of the PVC.
When deselected, segment CC activation and deactivation requests are disabled.
Note
Activation Count
The maximum number of times that the activation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.
Deactivation Count
The maximum number of times that the deactivation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.
Retry Frequency
The interval between activation/deactivation retries, in seconds. The default is 30 seconds.
PVC Advanced Settings Dialog Box—OAM-PVC Tab
Use the OAM-PVC tab of the PVC Advanced Settings dialog box to enable loopback cells and connectivity checks (CCs) on the PVC. These functions test the connectivity of the virtual connection.
For more information, see Defining OAM Management on ATM PVCs, page 14-59.
Note
Navigation PathGo to the PVC Advanced Settings Dialog Box, then click the OAM-PVC tab.
Related TopicsField Reference
PPP/MLP Policy Page
Use the PPP/MLP page to create, edit, and delete PPP connections on the router. For more information, see Defining PPP Connections, page 14-63.
Navigation Path•
•
Related Topics•
•
Field Reference
Table K-31 PPP/MLP Page
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface
The interface that is configured for PPP/MLP.
Authentication
The types of authentication used on the PPP connection.
Authorization
The method list used for AAA authorization on the PPP connection.
Multilink
Indicates whether Multilink PPP (MLP) is enabled on this PPP connection.
Endpoint
The type of default endpoint discriminator to use when negotiating the use of MLP with the peer.
Multiclass
Indicates whether the Multiclass Multilink PPP (MCMP) feature is enabled on this PPP connection.
Group
The number of the multilink-group interface to which the physical link is restricted.
Interleave
Indicates whether the PPP multilink interleave feature is enabled on this PPP connection.
Add button
Opens the PPP Dialog Box. From here you can define the authentication and multilink settings for the PPP connection.
Edit button
Opens the PPP Dialog Box. From here you can edit the selected PPP connection.
Delete button
Deletes the selected PPP connection from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
PPP Dialog Box
Use the PPP dialog box to configure PPP connections on the router. When you configure a PPP connection, you can define the type of authentication and authorization to perform and define multilink parameters.
Navigation PathGo to the PPP/MLP Policy Page, then click the Add or Edit button beneath the table.
Related Topics•
Field Reference
Table K-32 PPP Dialog Box
Interface
The interface on which PPP encapsulation is enabled. Enter the name of an interface or interface role, or click Select to display an object selector.
The following interface types support PPP:
•
•
•
•
•
•
•
•
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can create an interface role object.
You cannot define PPP on:
•
•
•
Note
Note
PPP tab
Defines the type of authentication and authorization to perform on the PPP connection. See PPP Dialog Box—PPP Tab.
MLP tab
Defines how to split and recombine sequential datagrams across multiple logical data links using Multilink PPP (MLP). See PPP Dialog Box—MLP Tab.
OK button
Saves your changes locally on the client and closes the dialog box.
Note
PPP Dialog Box—PPP Tab
Use the PPP tab of the PPP dialog box to define the types of authentication and authorization to perform on the PPP connection.
Navigation PathGo to the PPP Dialog Box, then click the PPP tab.
Related TopicsField Reference
Table K-33 PPP Dialog Box—PPP Tab
PPP Encapsulation
When selected, indicates that PPP encapsulation is enabled for the selected interface. This field is read-only.
Protocol
The authentication protocols to use:
•
•
•
•
•
You may select one or more authentication protocols, as required.
Options
The authentication options to use:
•
•
•
•
Note
•
When deselected, mobile stations must use CHAP or PAP to receive Simple IP and Mobile IP services.
Authenticate Using
AAA authentication settings for the PPP connection:
•
The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
TipIf the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
•
Note
Username
The username to send in PAP authentication requests. The username is case sensitive.
Password
The password to send in PAP authentication requests. Enter the password again in the Confirm field. The password can contain 1 to 25 uppercase or lowercase alphanumeric characters. The password is case sensitive.
The username and password are sent if the peer requests the router to authenticate itself using PAP.
Encrypted Password
When selected, this indicates that the password you entered is already encrypted.
When deselected, this indicates that the password you entered is in clear text.
Hostname
By default, the router uses its hostname to identify itself to the peer. If required, you can enter a different hostname to use for all CHAP challenges and responses. For example, use this field to specify a common alias for all routers in a rotary group.
Secret
The secret used to compute the response value for any CHAP challenge from an unknown peer. Enter the secret again in the Confirm field.
Encrypted Secret
When selected, this indicates that the password you entered is already encrypted. When deselected, this indicates that the password you entered is in clear text.
Authorize Using
AAA authorization settings for the PPP connection:
•
•
The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note
PPP Dialog Box—MLP Tab
Use the MLP tab of the PPP dialog box to define Multilink PPP (MLP) parameters for the selected PPP connection.
Navigation PathGo to the PPP Dialog Box, then click the MLP tab.
Related TopicsField Reference
Table K-34 PPP Dialog Box—MLP Tab
Enable Multilink PPP (MLP)
When selected, MLP is enabled on this PPP connection.
When deselected, MLP is disabled.
Allow Multiple Data Classes
When selected, enables multiple data classes on the MLP bundle. Delay-sensitive traffic is placed into Class 1, where it can be interleaved but never fragmented. Normal data traffic is placed into Class 0, which is subject to fragmentation just as regular multilink packets are.
When deselected, all traffic is subject to fragmentation.
Enable Interleaving of Packets Among Fragments of Larger Packets
When selected, enables the interleaving of packets among the fragments of larger packets on the MLP bundle.
Note
When deselected, interleaving is disabled.
Note
Multilink Group
Applies only to serial, Group-Async, and multilink interfaces.
Restricts the physical link to the selected multilink-group interface. Enter the name of a multilink interface or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can create an interface role object.
This option is typically used in static leased-line environments, where the remote systems to which the device's serial lines are connected are known in advance.
In effect, this option dedicates a specific interfaces to a particular user, even when that user is not connected. If a peer at the other end of the link tries to join a different bundle, the connected is severed.
Maximum Fragment Delay
The maximum amount of time that should be required to transmit a fragment on the MLP bundle. Valid values range from 1 to 1000 milliseconds.
Fragment size is determined by the defined fragment delay and the bandwidth of the links.
Note
Endpoint Type
The identifier used by the router when transmitting packets on the MLP bundle:
•
•
•
•
•
•
•
The default endpoint discriminator is either the globally configured hostname, or the PAP username or CHAP hostname (depending on the authentication protocol being used), if you have configured those values on the PPP tab.
MRRU Local Peer
The maximum receive reconstructed unit (MRRU) value of the local peer. This value represents the maximum size packet that the local router is capable of receiving.
Valid values range from 128 to 16384 bytes. The default is the maximum transmission unit (MTU) of the multilink group interface and 1524 bytes for all other interfaces.
MRRU Remote Peer
The maximum receive reconstructed unit (MRRU) value of the remote peer. This value represents the maximum size packet that the remote peer is capable of receiving.
Valid values range from 128 to 16384 bytes. The default is 1524 bytes.
Maximum FIFO Queue Size
The maximum queue depth when the bundle uses first-in, first-out (FIFO) queuing. Valid values range from 2 to 255 packets. The default is 8.
Maximum QoS Queue Size
The maximum queue depth when the bundle uses non-FIFO queuing. Valid values range from 2 to 255 packets. The default is 2.
AAA Policy Page
Use the AAA page to define the default authentication, authorization, and accounting methods to use on the router. You do this by configuring method lists, which define which methods to use and the sequence in which to use them.
Note
Navigation Path•
•
Related Topics•
•
•
•
Field Reference
Table K-35 AAA Page
Authentication tab
Defines the login authentication methods to use and the sequence in which to use them. See AAA Page—Authentication Tab.
Authorization tab
Defines the types of network, EXEC, and command authorization to perform and the methods to use for each type. See AAA Page—Authorization Tab.
Accounting tab
Defines types of connection, EXEC, and command accounting to perform and the methods to use for each type. See AAA Page—Accounting Tab.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
AAA Page—Authentication Tab
Use the Authentication tab of the AAA page to define the methods used to authenticate users who access the device. Authentication methods are defined in a method list, which define the security protocols to use, such as RADIUS and TACACS+.
Note
Navigation PathGo to the AAA Policy Page, then click the Authentication tab.
Related Topics•
•
•
•
Field Reference
Table K-36 AAA Page—Authentication Tab
Enable Device Login Authentication
When selected, enables the authentication of all users when they log in to the device, using the methods defined in the method list.
When deselected, authentication is not performed.
Prioritized Method List
Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
Supported methods include Line, Local, Kerberos, RADIUS, TACACS+, and None.
Note
Maximum Number of Attempts
The maximum number of unsuccessful authentication attempts before a user is locked out. This feature is disabled by default. Valid values range from 1 to 65535.
Note
AAA Page—Authorization Tab
Use the Authorization tab of the AAA page to define the type of authorization services to enable on the device and the methods to use for each type. Security Manager supports the following types of authorization:
•
•
•
Note
Navigation PathGo to the AAA Policy Page, then click the Authorization tab.
Related Topics•
•
•
•
Field Reference
Table K-37 AAA Page—Authorization Tab
Enable Network Authorization
When selected, enables the authorization of network connections, such as PPP, SLIP, or ARAP connections, using the methods defined in the method list.
When deselected, network authorization is not performed.
Prioritized Method List
Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
Supported methods include RADIUS, TACACS+, Local, and None.
Note
Note
Enable CLI/EXEC Operations Authorization
When selected, this type of authorization determines whether the user is permitted to open an EXEC (CLI) session, using the methods defined in the method list.
When deselected, EXEC authorization is not performed.
Prioritized Method List
See description above.
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Privilege Level
The privilege level to which the command authorization definition applies.
Prioritized Method List
The method list to use when authorizing users with this privilege level.
Add button
Opens the Command Authorization Dialog Box. From here you can configure a command authorization definition.
Edit button
Opens the Command Authorization Dialog Box. From here you can edit the command authorization definition.
Delete button
Deletes the selected command authorization definitions from the table.
Command Authorization Dialog Box
Use the Command Authorization dialog box to define which methods to use when authorizing the EXEC commands that are associated with a given privilege level. This enables you to authorize all commands associated with a specific privilege level, from 0 to 15.
Navigation PathFrom the AAA Page—Authorization Tab, click the Add button beneath the Command Authorization table.
Related Topics•
•
•
Field Reference
Table K-38 Command Authorization Dialog Box
Privilege Level
The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.
Prioritized Method List
Defines a sequential list of methods to be used when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Supported methods include TACACS+, Local, and None.
Note
OK button
Saves your changes locally on the client and closes the dialog box.
Note
AAA Page—Accounting Tab
Use the Accounting tab of the AAA page to define the type of accounting services to enable on the device and the methods to use for each type. Security Manager supports the following types of accounting:
•
•
•
In addition, you use the Accounting page to determine when accounting records should be generated and whether they should be broadcast to more than one AAA server.
Note
Navigation PathGo to the AAA Policy Page, then click the Accounting tab.
Related Topics•
•
•
•
Field Reference
Table K-39 AAA Page—Accounting Tab
Enable Connection Accounting
When selected, enables the recording of information about outbound connections (such as Telnet) made over this device, using the methods defined in the method list.
When deselected, connection accounting is not performed.
Generate Accounting Records for
Defines when the device sends an accounting notice to the accounting server:
•
•
•
Prioritized Method List
Defines a sequential list of methods to be queried when creating connection accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
Supported methods include RADIUS and TACACS+.
Enable Broadcast to Multiple Servers
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.
Enable CLI/EXEC Operations Accounting
When selected, enables the recording of basic information about user EXEC sessions, using the methods defined in the method list.
When deselected, EXEC accounting is not performed.
Generate Accounting Records for
See description above.
Prioritized Method List
See description above.
Enable Broadcast to Multiple Servers
See description above.
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Privilege Level
The privilege level to which the command authorization definition applies.
Generate Accounting Records for
The points in the process where the device sends an accounting notice to the accounting server.
Enable Broadcast
Whether accounting records are broadcast to multiple servers simultaneously.
Prioritized Method List
The method list to use when authorizing users with this privilege level.
Add button
Opens the Command Accounting Dialog Box. From here you can configure a command accounting definition.
Edit button
Opens the Command Accounting Dialog Box. From here you can edit the command accounting definition.
Delete button
Deletes the selected command accounting definitions from the table.
Command Accounting Dialog Box
Use the Command Accounting dialog box to define which methods to use when recording information about the EXEC commands that are executed for a given privilege level. Each accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the name of the user who executed it.
Navigation PathFrom the AAA Page—Accounting Tab, click the Add button beneath the Command Accounting table.
Related Topics•
•
•
Field Reference
Table K-40 Command Accounting Dialog Box
Privilege Level
The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.
Generate Accounting Records for
Defines when the device sends an accounting notice to the accounting server:
•
•
•
Prioritized Method List
Defines a sequential list of methods to be used when creating accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
TACACS+ is the only supported method, but you can select multiple AAA server groups configured with TACACS+.
Note
Enable Broadcast to Multiple Servers
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.
OK button
Saves your changes locally on the client and closes the dialog box.
Note
Accounts and Credentials Policy Page
Use the Accounts and Credentials page to define the enable password or enable secret password assigned to the router. In addition, you can define a list of usernames that can be used to access the router.
For more information, see Defining Accounts and Credential Policies, page 14-75.
Navigation Path•
•
Related Topics•
•
Field Reference
Table K-41 Accounts and Credentials Page
Enable Secret Password
The enable secret password for entering privileged EXEC mode on the router. This option offers better security than the Enable Password option.
The enable secret password can contain between 1-25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored. Question marks are also allowed.
Note
Note
Enable Password
The enable password for entering privileged EXEC mode on the router.
The enable password can contain between 1-25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored. Question marks are also allowed.
Note
Enable Password Encryption Service
When selected, encrypts all passwords on the device, including the enable password (which is otherwise saved in clear text).
For example, use this option to encrypt username passwords, authentication key passwords, console and VTY line access passwords, and BGP neighbor passwords. This command is primarily used for keeping unauthorized individuals from viewing your passwords in your configuration file.
When deselected, device passwords are stored unencrypted in the configuration file.
Note
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Username
The username that can be used to access the router. The username must be a single word up to 64 characters in length. Spaces and quotation marks are not allowed.
Encryption
Indicates whether password information for the user is encrypted using MD5 encryption.
Privilege Level
The privilege level assigned to the user.
Add button
Opens the User Account Dialog Box. From here you can define a user account.
Edit button
Opens the User Account Dialog Box. From here you can edit the selected user.
Delete button
Deletes the selected user accounts from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
User Account Dialog Box
Use the User Account dialog box to define a username and password combination that can be used by Security Manager to access the router. You can also define the privilege level of the user account, which determines whether you can configure all commands on this router or only a subset of them.
Note
Navigation PathGo to the Accounts and Credentials Policy Page, then click the Add or Edit button beneath the table.
Related Topics•
•
•
Field Reference
Bridging Policy Page
Use the Bridging page to define bridge groups that can perform integrated routing and bridging on the router. For more information, see Defining Bridge Groups, page 14-80.
Navigation Path•
•
Related Topics•
•
Field Reference
Table K-43 Bridging Page
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Group Number
The number that identifies the bridge group.
Group Interfaces
The interfaces and interface roles that are included in the bridge group.
Add button
Opens the Bridge Group Dialog Box. From here you can define a bridge group.
Edit button
Opens the Bridge Group Dialog Box. From here you can edit the bridge group.
Delete button
Deletes the selected bridge groups from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Tip
Bridge Group Dialog Box
Use the Bridge Group dialog box to define bridge groups on the router. Each bridge group can contain multiple Layer 3 interfaces of various types, including serial interfaces.
Note
Navigation PathGo to the Bridging Policy Page, then click the Add or Edit button beneath the table.
Related Topics•
•
•
Field Reference
Table K-44 Bridge Group Dialog Box
Group Number
The number assigned to the bridge group. Valid values range from 1 to 255.
Group Interfaces
The interfaces that are included in the bridge group. Enter the name of one or more interfaces and interface roles, or click Select to display an object selector.
You can select most Layer 3 interfaces, including serial interfaces, provided the serial interface is configured with high-level data link control (HDLC) or Frame Relay encapsulation. Each interface can belong to only one bridge group.
You can select a LAN subinterface only if the parent interface is configured with Inter-Switch Link (ISL) or 802.1Q encapsulation.
Note
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-420. From here you can create an interface role object.
Note
OK button
Saves your changes locally on the client and closes the dialog box.
Note
Clock Policy Page
Use the Clock page to configure the time zone in which the router is located and the settings for Daylight Saving Time (DST). For more information, see Time Zone Settings on Cisco IOS Routers, page 14-81.
Tip
Navigation Path•
•
Related Topics•
Field Reference
CPU Policy Page
Use the CPU page to configure settings related to router CPU utilization, including the thresholds for sending log messages, the size of the CPU history table, and whether to enable automatic CPU Hog profiling.
For more information, see Defining CPU Utilization Settings, page 14-84.
Navigation Path•
•
Related Topics•
Field Reference
HTTP Policy Page
Use the HTTP page to configure HTTP and HTTPS access on the router. You can configure HTTP policies on a Cisco IOS router from the following tabs on the HTTP policy page:
For more information, see HTTP and HTTPS on Cisco IOS Routers, page 14-85.
Navigation Path•
•
Related Topics•
HTTP Page—Setup Tab
Use the Setup tab of the HTTP page to enable HTTP and HTTP over Secure Socket Layer (HTTP over SSL or HTTPS) on the router. You can optionally limit access to these protocols to the addresses defined in an access control list.
Note
Navigation PathGo to the HTTP Policy Page, then click the Setup tab.
Related Topics•
Field Reference
Table K-47 HTTP Page—Setup Tab
Enable HTTP
When selected, an HTTP server is enabled on the router.
When deselected, HTTP is disabled on the router. This is the default for devices that were not discovered.
HTTP Port
The port number to use for HTTP. Valid values are 80 or any value from 1024 to 65535. The default is 80.
Enable SSL
When selected, a secure HTTP server (HTTP over SSL or HTTPS) is enabled on the router.
When deselected, HTTPS is disabled. This is the default for devices that were not discovered.
Note
Note
SSL Port
The port number to use for HTTPS. Valid values are 443 or any value from 1025 to 65535. The default is 443.
Allow Connection From
The numbered ACL that restricts use of HTTP and HTTPS on this device. Enter the name of an ACL object, or click Select to display an object selector.
If the standard ACL you want is not listed, click the Create button in the selector to display the Add and Edit Standard Access List Pages, page F-45. From here you can create an ACL object.
Note
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
HTTP Page—AAA Tab
Use the AAA tab of the HTTP page to define the authentication and authorization methods to perform on users who attempt to access the router using HTTP or HTTPS.
Navigation PathGo to the HTTP Policy Page, then click the AAA tab.
Related Topics•
Field Reference
Table K-48 HTTP Page—AAA Tab
Authenticate Using
The type of authentication to use:
•
•
•
•
Enable Device Login Authentication
Applies only when AAA is selected as the authentication method.
When selected, authentication is based on the methods defined in the Prioritized Method List field.
When deselected, the default authentication list defined in the router's AAA policy is used. See AAA Page—Authentication Tab.
Prioritized Method List
Applies only when the Enable Device Login Authentication check box is selected.
Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note
Enable CLI/EXEC Operations Authorization
Applies only when AAA is selected as the authentication method.
When selected, EXEC authorization is based on the methods defined in the Prioritized Method List field. This type of authorization determines whether the user is permitted to open an EXEC (CLI) session.
When deselected, the default EXEC authorization list defined in the router's AAA policy is used. See AAA Page—Authorization Tab.
Note
Prioritized Method List
Applies only when the Enable CLI/EXEC Operations Authorization check box is selected.
Defines a sequential list of methods to be queried when authorizing a user to open an EXEC (CLI) session. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note
Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Privilege Level
The privilege level to which the command authorization definition applies.
Prioritized Method List
The method list to use when authorizing users with this privilege level.
Add button
Opens the Command Authorization Override Dialog Box. From here you can configure a command authorization definition.
Edit button
Opens the Command Authorization Override Dialog Box. From here you can edit the command authorization definition.
Delete button
Deletes the selected command authorization definitions from the table.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
Command Authorization Override Dialog Box
Use the Command Authorization Override dialog box to define which methods to use when authorizing the EXEC commands that are associated with a given privilege level. This enables you to authorize all commands associated with a specific privilege level, from 0 to 15.
Navigation PathFrom the HTTP Page—AAA Tab, click the Add button beneath the Command Authorization Override table.
Related TopicsField Reference
Table K-49 Command Authorization Dialog Box
Privilege Level
The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.
Prioritized Method List
Defines a sequential list of methods to be used when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Supported methods include TACACS+, Local, and None.
Note
OK button
Saves your changes locally on the client and closes the dialog box.
Note
Console Policy Page
Use the Console page to configure access to the router over the console port. You can configure console policies on a Cisco IOS router from the following tabs on the Console policy page:
•
•
For more information, see Line Access on Cisco IOS Routers, page 14-89.
Navigation Path•
•
Related Topics•
Console Page—Setup Tab
Use the Setup tab of the Console page to define the basic parameters of the console port. This includes the password for accessing the port, the privilege level assigned to users, the protocols that are permitted, and the ACLs that limit access.
Navigation PathGo to the Console Policy Page, then click the Setup tab.
Related Topics•
•
•
Field Reference
Table K-50 Console Page—Setup Tab
Password
The password for accessing the console port.
The password is case sensitive and can contain up to 80 alphanumeric characters. The first character cannot be a number. Spaces are not allowed.
Enter the password again in the Confirm field.
Privilege Level
The privilege level assigned to users connected to the console port. Valid values range from 0 to 15:
•
•
•
Note
Note
Disable all the EXEC sessions to the router via this line
When selected, disables EXEC sessions over this line. Select this option when you want to allow only an outgoing connection on the console. This option is useful for keeping the console port free from unsolicited incoming data that can tie up the line.
When deselected, EXEC sessions are enabled on the console port. This is the default.
Note
Exec Timeout
The amount of time (in seconds) that the EXEC command interpreter waits to detect user input on the console port. If no input is detected, the line is disconnected. Valid values range from 0 to 2147483. The default is 600 (10 minutes). Setting the value to 0 disables the timeout.
Note
Output Protocols
The protocols that you can use for outgoing connections on the console port:
•
•
•
–
–
–
Note
Note
Inbound Access List
The ACL that restricts incoming connections on the console port. Enter the name of an ACL object, or click Select to display an object selector.
If the standard ACL you want is not listed, click the Create button in the selector to display the Add and Edit Standard Access List Pages, page F-45. From here you can create an ACL object.
Permit VRF Interface Connections
Applies only when an inbound ACL is defined on the console port.
When selected, accepts incoming connections from interfaces that belong to a VRF. When deselected, rejects incoming connections from interfaces that belong to a VRF.
Outbound Access List
The ACL that restricts outgoing connections on the console port. Enter the name of an ACL object, or click Select to display an object selector.
If the standard ACL you want is not listed, click the Create button in the selector to display the Add and Edit Standard Access List Pages, page F-45. From here you can create an ACL object.
Save button
Saves your changes to the Security Manager server but keeps them private.
Note
