-
User Guide for Cisco Security Manager 3.2.1
-
Preface
-
Getting Started with Security Manager
-
Managing User Accounts
-
Working with the Security Manager User Interface
-
Using Map View
-
Preparing Devices for Management
-
Managing the Device Inventory
-
Managing Policies
-
Managing Activities
-
Managing Objects
-
Managing Site-to-Site VPNs
-
Managing Remote Access VPNs
-
Managing Firewall Services
-
Managing IPS Services
-
Managing Routers
-
Managing Firewall Devices
-
Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
-
Managing IPS Devices
-
Managing Deployment
-
Managing FlexConfigs
-
Managing the Security Manager Server
-
Using Monitoring, Troubleshooting, and Diagnostic Tools
-
Administrative Settings User Interface Reference
-
Map View User Interface Reference
-
Device Inventory User Interface Reference
-
Policy User Interface Reference
-
Activities User Interface Reference
-
Policy Object Manager User Interface Reference
-
Site-to-Site VPN User Interface Reference
-
Remote Access VPN User Interface Reference
-
Firewall Services User Interface Reference
-
Router Platform User Interface Reference
-
PIX/ASA/FWSM Platform User Interface Reference
-
IPS User Interface Reference
-
Catalyst Platform User Interface Reference
-
Deployment User Interface Reference
-
FlexConfig User Interface Reference
-
Index
-
Table Of Contents
Catalyst Platform User Interface Reference
Interfaces/VLANs Page—VLANs Tab
Create and Edit VLAN Dialog Boxes
Access Port Selector Dialog Box
Trunk Port Selector Dialog Box
Interfaces/VLANs Page—VLAN Groups Tab
Create and Edit VLAN Group Dialog Boxes
Service Module Slot Selector Dialog Box
Interfaces/VLANs Page—Interfaces Tab
Create and Edit Interface Dialog Boxes—Access Port Mode
Create and Edit Interface Dialog Boxes—Routed Port Mode
Create and Edit Interface Dialog Boxes—Trunk Port Mode
Create and Edit Interface Dialog Boxes—Dynamic Mode
Create and Edit Interface Dialog Boxes—Subinterfaces
Create and Edit Interface Dialog Boxes—Unsupported Mode
Interfaces/VLANs Page—Summary Tab
Create and Edit IDSM EtherChannel VLANs Dialog Boxes
Create and Edit IDSM Data Port VLANs Dialog Boxes
IDSM Slot-Port Selector Dialog Box
Create and Edit VLAN ACL Dialog Boxes
Create and Edit VLAN ACL Content Dialog Boxes
Interface Selector Dialog Box—VLAN ACL Content
Catalyst Platform User Interface Reference
The following topics describe the pages available for viewing and configuring policies for Cisco Catalyst switches and Cisco 7600 Series routers:
These pages are primarily organized under the Interfaces/VLANs folder and Platform folder in Device view and under the Catalyst Platform folder for shared policies in Policy view.
Catalyst Summary Info Page
Use the Catalyst Summary Info page to view high-level system information, including any service modules, ports, and VLANs that Security Manager has discovered.
Navigation Path
(Device view) Right-click a Catalyst 6500 Series switch or Cisco 7600 Series router, then select Catalyst Summary Info, or select Tools > Catalyst Summary Info.
Related Topics
•
"Catalyst Platform User Interface Reference"
Field Reference
Table M-1 Catalyst Summary Info Page
Hostname
Displays the configured hostname of the device.
Device Type
Displays a brief description of the device.
Serial Number
Displays the serial number of the device.
OS Version
Displays the Cisco IOS image version the device is running.
Image
Displays the name of the image running on the device.
Last Update
Displays a time stamp for the most recent discovery.
Total Ports
Displays the total number of configured ports, combining access ports, routed ports, and trunk ports.
Access Ports
Displays the number of configured access ports on the chassis.
Trunk Ports
Displays the number of configured trunk ports on the chassis.
Routed Ports
Displays the number of configured routed ports on the chassis.
Total VLANs
Displays the total number of configured VLANs on the chassis and all its services modules.
Layer 2 VLANs
Displays the number of VLANs that run on Layer 2.
Layer 3 VLANs
Displays the number of VLANs that run on Layer 3.
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Slot
Identifies the slot to which a service module is attached.
Device Type
Displays a brief description of the service module.
Serial Number
Displays the serial number of the service module.
Model
Displays the model type of the service module.
OS Version
Identifies the OS version that is installed and running on the service module.
Assigned VLANs
Displays the total number of VLANs to which an FWSM is assigned.
TipContexts
Displays the total number of configured security contexts for an FWSM that runs in multicontext mode.
Tip
Note
Interfaces/VLANs Page
Use the Interfaces/VLANs page to define and organize the interfaces and VLANs of Cisco Catalyst switches and Cisco 7600 Series routers. The Interfaces/VLANs page consists of the following tabs:
•
•
•
•
Note
Navigation Path
(Device view) Select Interfaces/VLANs from the Device selector.
Related Topics
•
Interfaces/VLANs Page—VLANs Tab
Use the VLANs tab to view and configure VLANs on supported Cisco Catalyst switches and Cisco 7600 Series routers.
Navigation Path
•
Related Topics
•
•
•
•
•
Field Reference
Table M-2 Interfaces/VLANs Page—VLANs Tab
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
VLAN ID
Interface-specific identity of the VLAN that a table row describes. The VLAN ID specifies where 802.1Q tagged packets are sent and received on the subinterface; without a VLAN ID, the subinterface cannot send or receive traffic. Valid values range from 2 to 4094 (VLAN ID 1 is reserved).
Note
TipName
Name of the corresponding VLAN for an interface or subinterface.
Interface
Identifies the logical name of the interface (interface role) or physical interface.
Type
Specifies whether a VLAN has access to Layer 2 or Layer 3.
Status
Indicates whether a VLAN is active or suspended.
Add Row button
Opens the Create VLAN dialog box to define a new VLAN.
Edit Row button
Opens the Edit VLAN dialog box to edit the selected VLAN.
Delete Row button
Deletes the selected VLAN.
Save button
Saves your changes to the server but keeps them private.
Note
Create and Edit VLAN Dialog Boxes
Use the Create VLAN dialog box (or the Edit VLAN dialog box) to configure or reconfigure VLAN settings and attributes.
Navigation Path
Go to the Interfaces/VLANs Page—VLANs Tab, then click the Add or Edit button beneath the table.
Related Topics
•
•
•
Field Reference
Table M-3 Create and Edit VLAN Dialog Box
VLAN ID
Displays the VLAN ID if one is configured. Otherwise, enter the ID manually. The VLAN ID specifies where 802.1Q tagged packets are sent and received on an interface or subinterface; without a VLAN ID, the interface or subinterface cannot send or receive traffic. Each VLAN must have an ID. Valid values range from 1 to 4094.
Note
TipName
Enter a name for the VLAN, or view the VLAN name if you entered one previously. Each VLAN must have an ID, and can optionally have a name. The maximum length is 32 characters.
Group
The VLAN group to which the VLAN belongs. A VLAN can be associated with one group only.
You can associate the VLAN with an existing group, or select Add Group to open the Create VLAN Group dialog box.
Status
The current status of the VLAN:
•
•
Type
Indicates whether the specified VLAN is configured for Layer 2 or Layer 3, and enables you to choose the kind of VLAN that you prefer.
A Layer 3 VLAN requires an IP address and creates a VLAN interface.
Switch Virtual Interface
Applies only when defining a Layer 3 VLAN.
•
•
•
•
Access Ports (Select button)
Lists which access ports are associated with the specified VLAN, if any are associated, and enables you to add or remove access port associations for the specified VLAN. You can associate any number of access ports with a VLAN.
Click Select to open the Access Port Selector Dialog Box. From here, you can associate access ports with the specified VLAN, or remove access port associations from the VLAN.
Trunk Ports (Select button)
Lists which trunk ports are associated with the specified VLAN, if any are associated, and enables you to add or remove trunk port associations for the specified VLAN. A VLAN can belong to the allowed list of one or more trunk ports. You can include a VLAN in a trunk port group.
Click Select to open the Trunk Port Selector Dialog Box. From here, you can associate trunk ports with the specified VLAN, or remove trunk port associations from the VLAN.
OK button
Saves your changes and closes the dialog box.
Access Port Selector Dialog Box
Use the Access Port Selector dialog box to define which access ports are associated with a selected VLAN.
Navigation Path
Open the Create and Edit VLAN Dialog Boxes, then click Select in the Access Ports field.
Related Topics
•
•
Field Reference
Table M-4 Access Port Selector Dialog Box
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Available Access Ports
Displays the access ports that are not assigned to a particular VLAN.
Add >> button
Adds interfaces that are selected in the Available Access Ports list to the Selected Access Ports list.
Remove << button
Removes selected interfaces from the Selected Access Ports list.
Selected Access Ports
Displays the interface objects that are selected.
Add Row button
Opens the Create Interface dialog box to define a new interface.
Edit Row button
Opens the Edit Interface dialog box to edit the selected interface.
OK button
Saves your changes and closes the dialog box.
Trunk Port Selector Dialog Box
Use the Trunk Port Selector dialog box to define which trunk ports are associated with a selected VLAN.
Navigation Path
Open the Create and Edit VLAN Dialog Boxes, then click Select in the Trunk Ports field.
Related Topics
•
•
Field Reference
Table M-5 Trunk Port Selector Dialog Box
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Available Trunk Ports
Displays all available trunk ports.
Add >> button
Adds interfaces that are selected in the Available Trunk Ports list to the Selected Trunk Ports list.
Remove << button
Removes selected interfaces from the Selected Trunk Ports list.
Selected Trunk Ports
Displays the interface objects that are selected.
Add Row button
Opens the Create Interface dialog box to define a new interface.
Edit Row button
Opens the Edit Interface dialog box to edit the selected interface.
OK button
Saves your changes and closes the dialog box.
Interfaces/VLANs Page—VLAN Groups Tab
Use the VLAN Groups tab to view and configure VLAN groups on supported 6500 Series switches and 7600 Series routers.
Navigation Path
•
Related Topics
•
•
•
•
Field Reference
Table M-6 Interfaces/VLANs Page—VLAN Groups Tab
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
VLAN Group
Numeric ID of a VLAN group that is configured on the selected device.
Service Module Slots
Associates the chassis slot number (in which the relevant services module is installed) with the interface through which a particular VLAN participates in the VLAN group.
VLAN IDs
The VLAN IDs associated with this group. Valid values range from 1 to 65535.
Add Row button
Opens the Create VLAN Group dialog box to define a new VLAN group.
Edit Row button
Opens the Edit VLAN Group dialog box to edit the selected VLAN group.
Delete Row button
Deletes the selected VLAN group.
Save button
Saves your changes to the server but keeps them private.
Note
Create and Edit VLAN Group Dialog Boxes
Use the Create and Edit VLAN Group dialog box to configure or reconfigure the attributes of VLAN groups, which are logical groups of VLANs that you want to associate with one another when you define VLAN port policies.
Navigation Path
Do one of the following:
•
•
Related Topics
•
Field Reference
Table M-7 Create and Edit VLAN Group Dialog Boxes
VLAN Group ID
The 802.1q VLAN group name. Valid values range from 1 to 65535.
Service Module Slots (Select button)
The chassis slot number (in which the relevant services module is installed) that is associated with the interface through which a particular VLAN participates in the VLAN group.
Enter the slot number or click Select to open the Service Module Slot Selector Dialog Box.
Note
VLAN IDs (Select button)
The comma-separated IDs of all VLANs that are part of the group. Each VLAN can be a member of only one group.
Click Select to open the Service Module Slot Selector Dialog Box. From here, you can select VLANs to include in the VLAN group.
OK button
Saves your changes and closes the dialog box.
Service Module Slot Selector Dialog Box
Use the Service Module Slot Selector dialog box to associate a service module with a VLAN.
Navigation Path
Go to the Create and Edit VLAN Group Dialog Boxes, then click Select in the Service Module Slots field.
Related Topics
Field Reference
Table M-8 Service Module Selector Dialog Box
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Available Service Module Slots
Displays the defined service module slots.
Add >> button
Moves selected service module slots from the Available Service Module Slots list to the Selected Service Module Slots list.
Remove << button
Removes selected service module slots from the Selected Service Modules list.
Selected Service Module Slots
Displays the selected service module slots.
OK button
Saves your changes and closes the dialog box.
VLAN Selector Dialog Box
Use the VLAN Selector dialog box to associate VLANs with interfaces, VLAN groups, and VACLs.
Navigation Path
You can access this dialog box when you define interfaces, VLAN groups, IDSM settings, or VACLs by clicking the Select button in any field used for defining VLANs.
Related Topics
•
•
Field Reference
Table M-9 VLAN Selector Dialog Box
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Available VLANs
Displays defined VLANs that have not been assigned to a VLAN group.
Add >> button
Moves selected VLANs from the Available VLANs list to the Selected VLANs list.
Remove << button
Removes selected VLANs from the Selected VLANs list.
Selected VLANs
Displays the selected VLANs.
VLAN Ranges
The VLAN ranges entered manually before the selector was opened, if any.
OK button
Saves your changes and closes the dialog box.
Interfaces/VLANs Page—Interfaces Tab
Use the Interfaces tab to view and configure interfaces and subinterfaces on supported Cisco Catalyst switches and Cisco 7600 Series routers and their associated services modules (blades).
Navigation Path
(Device view) Select Interfaces/VLANs from the Device selector, then click the Interfaces tab.
Related Topics
•
•
•
•
Field Reference
Table M-10 Interfaces/VLANs Page—Interfaces Tab
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Name
Interface type, chassis slot, and the number of the interface card. For example, FastEthernet 2/7 means Fast Ethernet, slot 2, interface 7.
Mode
Configuration mode for physical ports:
•
•
•
•
•
•
VLAN ID
The VLAN ID associated with the described subinterface, displayed only for Ethernet interfaces and VLAN interfaces.
IP Address
The IP address of the interface.
Enabled
Indicates whether the interface is enabled or disabled (shutdown state).
Interface Roles
The interface roles whose naming patterns match this interface. See Understanding Interface Role Objects, page 9-96.
Description
An optional description of the interface.
Add Row button
Opens the Create Interface dialog box, where you can define a new interface. For more information, see the instructions for the relevant mode:
•
•
•
•
Edit Row button
Opens the Edit Interface dialog box, where you can edit the selected interface. For more information, see the instructions for the relevant mode:
•
•
•
•
•
Delete Row button
Deletes the selected interface.
Save button
Saves your changes to the server but keeps them private.
Note
Create and Edit Interface Dialog Boxes—Access Port Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical and virtual interfaces that run in access port mode.
Navigation Path
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Access Port from the Mode list.
Related Topics
•
•
•
•
•
•
Field Reference
Table M-11 Create and Edit Interface Dialog Boxes—Access Port Mode
Enable Interface
When selected, enables the interface.
When deselected, disables the interface using the shutdown command.
Type
Specifies whether the definitions apply to an interface or a subinterface.
For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces.
Name (Select button)
Displays the generated interface name, if the name has been set.
Click Select to open the Interface Auto Name Generator Dialog Box, page J-19. From here, you can enter or edit the details that Security Manager uses to generate an interface name.
Mode
The port configuration type for this interface.
Select Access Port to display the configuration options that are relevant for access ports.
VLAN ID (Select button)
Displays the interface-specific identity of the VLAN to use in access port mode, if you have selected a VLAN. Otherwise, click Select to open the VLAN Selector Dialog Box.
The VLAN ID specifies where 802.1Q tagged packets are sent and received on the subinterface; without a VLAN ID, the subinterface cannot send or receive traffic. Valid values range from 1 to 4094. Some VLAN IDs might be reserved on connected devices, so see the device documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.
Note
TipEnable Port Security
When selected, enables you to restrict input to an interface by limiting the MAC addresses that are allowed to access the port.
When deselected, disables port security.
Max. MAC Addresses
Applies only when Enable Port Security is selected.
The maximum number of secure MAC addresses for the interface. Valid values range from 1 to 4097.
Note
Violation Policy
The action to take if a security violation occurs:
•
•
•
A security violation occurs if a workstation whose MAC address is not in the address table attempts to access the interface after the maximum number of secure MAC addresses is configured.
Enable VACL Capture
When selected, enables VACL capture. If the capture bit is set, ports with the capture function enabled can receive forwarded packets.
When deselected, disables VACL capture.
Capture VLANs (Select button)
Enables you to identify the VLANs where VACLs should receive forwarded VLAN packets. This option is available if you selected the Enable VACL Capture check box.
Enter a comma-separated list of VLAN IDs or click Select to open the VLAN Selector Dialog Box.
VACLs can capture VLAN packets only when they are initially routed or bridged into the VLAN. Only forwarded packets can be captured.
Speed
The speed of the physical interface:
•
•
•
•
•
•
Duplex
The duplex setting of the interface:
•
•
•
If the speed is set to Auto, the duplex setting must also be set to Auto.
MTU
The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type.
Description
A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns.
Note
Flow Control Receive
The flow control setting for incoming frames:
•
•
•
Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full.
Flow Control Send
The flow control setting for outgoing frames:
•
•
•
Roles
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. See Understanding Interface Role Objects, page 9-96.
OK button
Saves your changes and closes the dialog box.
Create and Edit Interface Dialog Boxes—Routed Port Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical interfaces that run in routed port mode on Layer 3.
Navigation Path
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Routed Port from the Mode list.
Related Topics
•
•
•
•
•
•
Field Reference
Table M-12 Create and Edit Interface Dialog Boxes—Routed Port Mode
Enable Interface
When selected, enables the interface.
When deselected, disables the interface using the shutdown command.
Type
Specifies whether the definitions apply to an interface or a subinterface.
For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces.
Name (Select button)
Displays the generated interface name, if the name has been set.
Click Select to open the Interface Auto Name Generator Dialog Box, page J-19. From here, you can enter or edit the details that Security Manager uses to generate an interface name.
Mode
The port configuration type for this interface.
Select Routed Port to display the configuration options that are relevant for routed ports.
IP Type
The type of IP address used by the port:
•
IP Address (Select button)
Enables you to enter an IP address, or you can click Select to open the Networks/Hosts Selector, where you can select an IP address.
Helper IP Addresses (Select button)
Enables you to assign a helper IP address to the interface. A helper IP address converts broadcast DHCP requests to unicast requests that are directed exclusively to the DHCP server.
Mask
Enables you to specify the subnet mask. You can enter a netmask value or you can select a netmask from the list. If you enter a netmask, you can express its value in dotted decimal format (for example, 255.255.255.0) or you can enter the number of bits (for example, 24).
Note
Speed
The speed of the physical interface:
•
•
•
•
•
•
Duplex
The duplex setting of the interface:
•
•
•
If the speed is set to Auto, the duplex setting must also be set to Auto.
MTU
The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type.
Description
A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns.
Note
Flow Control Receive
The flow control setting for incoming frames:
•
•
•
Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full.
Flow Control Send
The flow control setting for outgoing frames:
•
•
•
Roles
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. See Understanding Interface Role Objects, page 9-96.
OK button
Saves your changes and closes the dialog box.
Create and Edit Interface Dialog Boxes—Trunk Port Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical and virtual interfaces that run in trunk port mode.
Navigation Path
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Trunk Port from the Mode list.
Related Topics
•
•
•
•
•
Field Reference
Table M-13 Create and Edit Interface Dialog Boxes—Trunk Port Mode
Enable Interface
When selected, enables the interface.
When deselected, disables the interface using the shutdown command.
Type
Specifies whether the definitions apply to an interface or a subinterface.
For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces.
Name (Select button)
Displays the generated interface name, if the name has been set.
Click Select to open the Interface Auto Name Generator Dialog Box, page J-19. From here, you can enter or edit the details that Security Manager uses to generate an interface name.
Mode
The port configuration type for this interface.
Select Trunk Port to display the configuration options that are relevant for trunk ports.
Encapsulation
Select one of the following:
•
•
TipNative VLAN (Select button)
Enables you to select the Native VLAN to associate with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) This option applies to you only if you are configuring a physical interface that is meant to serve as an 802.1Q trunk interface.
You must first specify DOT1Q as the encapsulation type.
The Native VLAN of a trunk interface is the VLAN to which all untagged VLAN packets are logically assigned. This includes the management traffic associated with the VLAN.
When deselected, the Native VLAN is not associated with this interface.
Note
Click Select to open the VLAN Selector Dialog Box. From here, you can associate a native VLAN with the described interface.
Enable DTP negotiation
When selected, enables Dynamic Trunking Protocol (DTP) negotiation. DTP manages trunk auto-negotiation (ISL and 802.1Q) between devices.
When deselected, disables DTP negotiation.
Allowed VLANs (Select button)
Enables you to specify which VLANs are allowed on the trunk. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200). Valid IDs range from 1 to 4094.
Or, click Select to open the VLAN Selector Dialog Box. From here, you can select the VLANs to include on the trunk.
Prune VLANs (Select button)
Enables you to specify which VLANs are eligible for pruning. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200.)
Or, click Select to open the VLAN Selector Dialog Box. From here, you can select the VLANs that are eligible for pruning.
Enable VACL Capture
When selected, enables VACL capture. If the capture bit is set, ports with the capture function enabled can receive forwarded packets.
When deselected, disables VACL capture.
Capture VLANs (Select button)
Enables you to identify the VLANs where VACLs should receive forwarded VLAN packets. This option is available if you selected the Enable VACL Capture check box.
Enter a comma-separated list of VLAN IDs, or click Select to open the VLAN Selector Dialog Box.
VACLs can capture VLAN packets only when they are initially routed or bridged into the VLAN. Only forwarded packets can be captured.
Enable Port Security
Applies only to devices running IOS Software Version 12.2(18)SXE2 or later.
When selected, enables you to restrict input to an interface by limiting the MAC addresses that are allowed to access the port.
When deselected, disables port security.
Note
Max. MAC Addresses
Applies only when Enable Port Security is selected.
The maximum number of secure MAC addresses for the interface. Valid values range from 1 to 4097.
Note
Violation Policy
The action to take if a security violation occurs:
•
•
•
A security violation occurs if a workstation whose MAC address is not in the address table attempts to access the interface after the maximum number of secure MAC addresses is configured.
Speed
The speed of the physical interface:
•
•
•
•
•
•
Duplex
The duplex setting of the interface:
•
•
•
If the speed is set to Auto, the duplex setting must also be set to Auto.
MTU
The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type.
Description
A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns.
Note
Flow Control Receive
The flow control setting for incoming frames:
•
•
•
Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full.
Flow Control Send
The flow control setting for outgoing frames:
•
•
•
Roles
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. See Understanding Interface Role Objects, page 9-96.
OK button
Saves your changes and closes the dialog box.
Create and Edit Interface Dialog Boxes—Dynamic Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical and virtual interfaces that run in dynamic mode. Dynamic ports can convert the link into a trunk link based on the settings of the neighboring port.
Navigation Path
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Dynamic from the Mode list.
Related Topics
•
•
•
•
•
•
Field Reference
Table M-14 Create and Edit Interface Dialog Boxes—Dynamic Mode
Enable Interface
When selected, enables the interface.
When deselected, disables the interface using the shutdown command.
Type
Specifies whether the definitions apply to an interface or a subinterface.
For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces.
Name (Select button)
Displays the generated interface name, if the name has been set.
Click Select to open the Interface Auto Name Generator Dialog Box, page J-19. From here, you can enter or edit the details that Security Manager uses to generate an interface name.
Mode
The port configuration type for this interface.
Select Dynamic to display the configuration options that are relevant for dynamic ports.
Dynamic Mode
The dynamic trunk mode:
•
•
Access VLAN ID
The access VLAN ID to use when the port does not function as a trunking link. This can occur when the neighboring interface is not set to trunk, auto, or desirable mode.
Valid values range from 1 to 4094.
Encapsulation
Select one of the following:
•
•
•
TipNative VLAN (Select button)
Enables you to select the Native VLAN to associate with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) This option applies to you only if you are configuring a physical interface that is meant to serve as an 802.1Q trunk interface.
You must first specify DOT1Q as the encapsulation type.
The Native VLAN of a trunk interface is the VLAN to which all untagged VLAN packets are logically assigned. This includes the management traffic associated with the VLAN.
When deselected, the Native VLAN is not associated with this interface.
Note
Click Select to open the VLAN Selector Dialog Box. From here, you can associate a native VLAN with the described interface.
Allowed VLANs (Select button)
Enables you to specify which VLANs are allowed on the trunk. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200). Valid IDs range from 1 to 4094.
Alternatively, click Select to open the VLAN Selector Dialog Box. From here, you can select the VLANs to include on the trunk.
Prune VLANs (Select button)
Enables you to specify which VLANs are eligible for pruning. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200.)
Alternatively, click Select to open the VLAN Selector Dialog Box. From here, you can select the VLANs that are eligible for pruning.
Enable VACL Capture
When selected, enables VACL capture. If the capture bit is set, ports with the capture function enabled can receive forwarded packets.
When deselected, disables VACL capture.
Capture VLANs (Select button)
Enables you to identify the VLANs where VACLs should receive forwarded VLAN packets. This option is available if you selected the Enable VACL Capture check box.
Enter a comma-separated list of VLAN IDs or click Select to open the VLAN Selector Dialog Box.
VACLs can capture VLAN packets only when they are initially routed or bridged into the VLAN. Only forwarded packets can be captured.
Speed
The speed of the physical interface:
•
•
•
•
•
•
Duplex
The duplex setting of the interface:
•
•
•
If the speed is set to Auto, the duplex setting must also be set to Auto.
MTU
The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type.
Description
A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns.
Note
Flow Control Receive
The flow control setting for incoming frames:
•
•
•
Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full.
Flow Control Send
The flow control setting for outgoing frames:
•
•
•
Roles
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. See Understanding Interface Role Objects, page 9-96.
OK button
Saves your changes and closes the dialog box.
Create and Edit Interface Dialog Boxes—Subinterfaces
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of subinterfaces defined on Catalyst 6500/7600 devices.
Navigation Path
Go to the Interfaces/VLANs Page—Interfaces Tab, click Add or Edit to open the Create/Edit Interface dialog box, then select Subinterface from the Type list.
Related Topics
•
•
•
•
•
•
•
Field Reference
Table M-15 Create and Edit Interface Dialog Boxes—Subinterfaces
Enable Interface
When selected, enables the subinterface.
When deselected, disables the subinterface using the shutdown command.
Type
Specifies whether the definitions apply to an interface or a subinterface. Select Subinterface.
Parent
Identifies the parent interface of the subinterface.
Subint. ID
Specifies the ID for the subinterface. The numeric ID string cannot exceed 10 characters.
IP Type
The type of IP address used by the subinterface:
•
IP Address (Select button)
Enables you to enter an IP address, or you can click Select to open an Object Selectors, page F-455. From here, you can select an IP address.
Helper IP Addresses
Enables you to assign a helper IP address to the subinterface. A helper IP address converts broadcast DHCP requests to unicast requests that are directed exclusively to the DHCP server.
Mask
Enables you to specify the subnet mask. You can enter a netmask value or you can select a netmask from the list. If you enter a netmask, you can express its value in dotted decimal format (for example, 255.255.255.0) or you can enter the number of bits (for example, 24).
Note
Encapsulation
The encapsulation type defined for the subinterface:
•
•
•
TipVLAN ID
Applies only when encapsulation is defined for the subinterface.
The VLAN ID associated with the subinterface.
Description
A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns.
Note
OK button
Saves your changes and closes the dialog box.
Create and Edit Interface Dialog Boxes—Unsupported Mode
If you discover an interface configured with a mode that is not supported by Security Manager (such as dot1q-tunnel or private-vlan), the interface is displayed in Unsupported mode. You can view the attributes of this interface, but you cannot make any changes to the configuration unless you first change the mode. All definition fields, other than Mode, are read-only.
Navigation Path
Go to the Interfaces/VLANs Page—Interfaces Tab, select an interface whose mode is defined as Unsupported, then click Add or Edit to open the Create/Edit Interface dialog box.
Related Topics
•
•
•
•
Field Reference
Table M-16 Create and Edit Interface Dialog Boxes—Unsupported Mode
Enable Interface
When selected, indicates that the interface is enabled.
When deselected, indicates that the interface has been disabled using the shutdown command.
Type
Specifies whether the definitions apply to an interface or a subinterface.
Name (Select button)
Displays the name of the interface.
Mode
Displays Unsupported, which designates an interface whose mode is not supported by Security Manager.
Select a different option to change the interface mode.
Note
Speed
Displays the speed of the physical interface:
•
•
•
•
•
•
Duplex
Displays the duplex setting of the interface:
•
•
•
If the speed is set to Auto, the duplex setting must also be set to Auto.
MTU
Displays the maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type.
Description
Displays a text description of the interface. For multiple context mode, the system description is independent of the context description.
Flow Control Receive
Displays the flow control setting for incoming frames:
•
•
•
Flow control frames (also called pause frames) are special packets that signal a source to stop sending frames for a defined interval when buffers are full.
Flow Control Send
Displays the flow control setting for outgoing frames:
•
•
•
Roles
Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules—ones that can apply to multiple interfaces. See Understanding Interface Role Objects, page 9-96.
OK button
Applies only when you change the Mode to a different setting.
Saves your changes and closes the dialog box.
Cancel button
Closes the dialog box.
Interfaces/VLANs Page—Summary Tab
Use the Summary tab to view attributes of all VLANs, VLAN groups, interfaces, and subinterfaces configured on supported 6500 Series and 7600 Series chassis and their associated services modules (blades).
Navigation Path
•
Related Topics
•
•
•
Field Reference
Table M-17 Interfaces/VLANs Page—Summary Tab
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
VLAN ID
The VLAN ID associated with an interface or subinterface. The VLAN ID specifies where 802.1Q tagged packets are sent and received on the specified an interface or subinterface; without a VLAN ID, the interface or subinterface cannot send or receive traffic.
Note
VLAN Name
Name of the VLAN that corresponds to an interface or subinterface. For example, VLAN003 or Trunk1.
VLAN Group
Numeric identity of a VLAN group that is configured on the VLAN that a table row describes.
VLAN Type
Specifies whether a VLAN has access to Layer 2 or Layer 3.
IP Address/Mask
The IP address and corresponding subnet mask of the VLAN configured on an interface or subinterface.
Access Port
Displays the assigned name, if a name is assigned, of the access port that a VLAN uses.
Trunk Port
Specifies which VLANs are permitted to carry traffic over the trunk.
Slot (-Port)
Associates the chassis slot number (in which the relevant services module is installed) with the port number, as a hyphenated pair in the format x -y, for example 3-1.
Blade Type
Identifies the kind of services module on which a particular VLAN is configured, such as FWSM or VPNSM.
Security Context
Identifies the security context associated with an interface, but only if Multiple Mode is active on the installed module and an Admin context is configured for the module.
Security Context Interface
Displays the physical interface and subinterface IDs for which a security context inspects traffic. The displayed ID can represent a physical interface, a single sub-interface (defined as a range of one), or a range of sub-interfaces.
Security Level
Displays the security level of an interface, where values range from 0 (the lowest security) to 100 (the highest):
•
•
•
IDSM Settings Page
Use the IDSM Settings page to view and configure the VLAN settings for data ports and channel groups on Intrusion Detection System Service Modules (IDSM).
Navigation Path
You can access this page from:
•
•
Related Topics
•
•
•
Field Reference
Table M-18 IDSM Settings Page
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Save button
Saves your changes to the server but keeps them private.
Note
Channel Group
Identifies the EtherChannel group to which the Ethernet interface is assigned.
Module Slot-Data Port
Identifies the IDSM service module data port by number (1 or 2) to distinguish between the two ports.
Each IDSM service module (blade) has two data ports. You can configure a data port individually or you can assign it to an EtherChannel group. All data ports in a channel group are configured at the group level
Mode
Indicates whether the running mode is trunk (IPS) or capture (IDS).
Capture Enabled
Indicates whether the specified channel group is configured as a capture destination.
Allowed VLANs
Lists which VLANs are allowed for the specified channel group.
Add Row button
Opens the Create IDSM EtherChannel VLANs dialog box. From here you can define which traffic is directed to the data ports in an EtherChannel group and which sensing mode is used.
Edit Row button
Opens the Edit IDSM EtherChannel VLANs dialog box. From here you can modify the attributes of an EtherChannel VLAN definition.
Delete Row button
Deletes the selected VLAN from the IDSM.
Module Slot-Data Port
Identifies the IDSM service module data port by number (1 or 2), to distinguish between the two ports.
Mode
Indicates whether the running mode is trunk (IPS) or capture (IDS). To change the mode, select and edit the relevant table row.
Capture Enabled
Indicates whether the specified data port is configured as a capture destination.
Allowed VLANs
Lists which VLANs are allowed for the specified data port.
Add Row button
Opens the Create IDSM Data Port VLANs dialog box. From here you can define which traffic is directed to a specific data port and which sensing mode is used.
Edit Row button
Opens the Edit IDSM Data Port VLANs dialog box. From here you can modify the attributes of a data port VLAN definition.
Delete Row button
Deletes the selected VLAN from the IDSM.
Create and Edit IDSM EtherChannel VLANs Dialog Boxes
Use the Create IDSM EtherChannel VLANs dialog box (or the Edit IDSM EtherChannel VLANs dialog box) to configure or reconfigure the attributes of an IDSM EtherChannel VLAN.
Navigation Path
Go to the IDSM Settings Page, then click the Add or Edit button beneath the EtherChannel VLANs table.
Related Topics
•
•
•
Field Reference
Table M-19 Create and Edit IDSM EtherChannel VLANs Dialog Boxes
Channel Group
The EtherChannel group to which the Ethernet interface is assigned.
Slot-Ports (Select button)
Associates the chassis slot number (in which the relevant services module is installed) with the data port in the format x -y, where x is the slot number and y is the port number. For example, 2-1 refers to data port 1 in slot 2.
Click Select to open the IDSM Slot-Port Selector Dialog Box. From here, you can select the IDSM slot-port combinations to include in the EtherChannel group.
Mode
The running mode of the EtherChannel group:
•
•
Capture Enabled
Applies only when the running mode is Capture (IDS).
When selected, configures the specified channel group as a capture destination. When deselected, the channel group does not act as a capture destination.
VLAN IDs (Select button)
Identifies which VLANs the specified channel group should allow.
Click Select to open the VLAN Selector Dialog Box. From here, you can select VLANs to include or exclude.
OK button
Saves your changes and closes the dialog box.
Create and Edit IDSM Data Port VLANs Dialog Boxes
Use the Create IDSM Data Port VLANs dialog box (or the Edit IDSM Data Port VLANs dialog box) to define which traffic is directed to an IDSM data port and which sensing mode is used on that traffic.
Navigation Path
Go to the IDSM Settings Page, then click the Add or Edit button beneath the Data Port VLANs table.
Related Topics
•
•
•
Field Reference
Table M-20 Create and Edit IDSM Data Port VLANs Dialog Boxes
Slot-Port
Associates the chassis slot number (in which the relevant services module is installed) with the data port in the format x -y, where x is the slot number and y is the port number. For example, 2-1 refers to data port 1 in slot 2.
Click Select to open the IDSM Slot-Port Selector Dialog Box. From here, you can select the IDSM slot-port combinations to include in the data port VLAN definition.
Mode
The running mode of the data port:
•
•
Capture Enabled
Applies only when the running mode is Capture (IDS).
When selected, configures the specified channel group as a capture destination. When deselected, the channel group does not act as a capture destination.
VLAN IDs (Select button)
Identifies which VLANs the specified data port should allow.
Click Select to open the VLAN Selector Dialog Box. From here, you can select VLANs to include or exclude.
OK button
Saves your changes locally on the client and closes the dialog box.
IDSM Slot-Port Selector Dialog Box
Use the IDSM Slot-Port Selector dialog box to associate slot-port objects with EtherChannel groups.
Navigation Path
Go to the Create and Edit IDSM EtherChannel VLANs Dialog Boxes or the Create and Edit IDSM Data Port VLANs Dialog Boxes, then click Select in the Slot-Port field.
Related Topics
Field Reference
Table M-21 IDSM Slot-Port Selector Dialog Box
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Available IDSM Slot-Ports list
Displays the available slot-port definitions.
Add >> button
Applies only when selecting slot-ports for EtherChannel VLANs.
Adds IDSM slot-port objects that you selected in the Available IDSM Slot-Ports list to the Selected IDSM Slot-Ports list.
Remove << button
Applies only when selecting slot-ports for EtherChannel VLANs.
Removes selected IDSM slot-port objects from the Selected IDSM Slot-Ports list.
Selected IDSM Slot-Ports list
Displays the IDSM slot-port objects that are selected for an association with a data port or an EtherChannel group.
OK button
Saves your changes and closes the dialog box.
VLAN Access Lists Page
Use the VLAN Access Lists page to view and configure VLAN access lists for Cisco Catalyst switches and Cisco 7600 Series routers.
Navigation Path
You can access this page from:
•
•
Related Topics
•
•
•
•
Field Reference
Table M-22 VLAN Access Lists Page
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
VLAN ACL
Displays the VLAN ACL name.
Sequence
Specifies the map sequence number. VACL sequences are applied in order of sequence, from lowest number to highest.
Matching
Displays the Match ACLs, if any are defined. VACL matching occurs only when an ACL permit is encountered. ACL denies are ignored.
Action
Specify whether the action is to drop, drop and log, forward, forward and capture, or redirect packets.
Note
VLAN IDs
Interface-specific identity of the VLAN that a table row describes. The VLAN ID specifies where 802.1Q tagged packets are sent and received on the subinterface; without a VLAN ID, the subinterface cannot send or receive traffic.
Add Row button
Opens the Create VLAN ACL dialog box, where you can define a new VACL.
Edit Row button
Opens the Edit VLAN ACL dialog box, where you can edit the selected VACL.
Delete Row button
Deletes the selected access list.
Log Table Size
Displays the log table size.
Valid sizes range from 0 to 2048 and the default is 500. Logged packets from new flows are dropped when the table is full.
Max. Packet Rate
Displays the maximum redirect VACL logging packet rate per second.
Valid rates range from 10 to 5000 packets per second and the default rate is 2000. Packets that exceed the limit are dropped.
Logging Threshold
Displays the logging threshold if one is set. By default, no threshold is set.
When you configure VACL logging, IP packets that are denied generate log messages on a per-flow basis if the threshold for a flow is reached in any interval of less than 5 minutes. Only dropped IP packets can be logged.
Capture Interfaces
Identifies the interface that captures forwarded packets in which the capture bit is set. You can configure any interface as the capture interface.
The capture action sets the capture bit for the forwarded packets so that ports with the capture function enabled can receive the packets. Only forwarded packets can be captured.
Note
Save button
Saves your changes to the server but keeps them private.
Note
Create and Edit VLAN ACL Dialog Boxes
Use the Create VLAN ACL dialog box (or the Edit VLAN ACL dialog box) to configure or reconfigure VACL attributes.
Navigation Path
Go to the VLAN Access Lists Page, then click the Add or Edit button beneath the table.
Related Topics
•
•
•
•
Field Reference
Table M-23 Create and Edit VLAN ACL Dialog Boxes
VLAN ACL Name
The user-defined name for the VACL.
VLANs (Select button)
Enables you to designate the VLANs to which the VACL should be applied. Do one of the following:
•
•
Sequence Map
Identifies the VLAN access map in which the described entry has an assigned sequence number.
A VLAN access map can consist of one or more map sequences, where each sequence pairs a match clause, which specifies ACLs for traffic filtering, to an action clause, which specifies the action to take if a match occurs.
Filter
Enables you to filter the information displayed in the table, after you click the arrow to display the filtering bar. For more information, see Filtering Tables, page 3-17.
Sequence
Specifies the map sequence number.
Matching
Displays the match ACLs, if any are defined.
Action
Specifies the action to take on packets that meet the criteria defined in the match ACLs.
Up button
Moves a VACL sequence up one row in the table.
Select a sequence in the table to activate the button.
Down button
Moves a VACL sequence down one row in the table.
Select a sequence in the table to activate the button.
Add Row button
Opens the Create VLAN ACL Content dialog box, where you can define a new VACL sequence.
Edit Row button
Opens the Edit VLAN ACL Content dialog box, where you can reconfigure the attributes of the selected VACL sequence.
Delete Row button
Deletes the selected VACL sequence.
OK button
Saves your changes and closes the dialog box.
Create and Edit VLAN ACL Content Dialog Boxes
Use the Create VLAN ACL Content dialog box (or the Edit VLAN ACL Content dialog box) to configure or reconfigure VACL sequences.
Navigation Path
Go to the Create and Edit VLAN ACL Dialog Boxes, then click the Add or Edit button beneath the Sequence Map table.
Related Topics
•
•
Field Reference
Table M-24 Create and Edit VLAN ACL Content Dialog Boxes
Sequence
Specify the map sequence number for the VLAN access map. Valid values range from 1 to 65535.
Match ACLs (Select button)
Specify which ACLs the sequence should include in its match clause.
Enter the names of the standard and extended ACL objects to include in the sequence, or click Select to display an Object Selectors, page F-455.
Action
The option to perform on packets that meet the criteria defined in the match ACLs:
•
•
•
•
•
Interfaces (Select button)
Applies only when the specified action is Redirect.
The destination interfaces for redirect packets. Enter the names of up to five physical interfaces, or click Select to open the Interface Selector Dialog Box—VLAN ACL Content. The redirect interfaces must be in the VLAN for which the VACL access map is configured.
Note
OK button
Saves your changes and closes the dialog box.
Interface Selector Dialog Box—VLAN ACL Content
Use the Interface Selector dialog box to define redirect interfaces when you create entries for a VACL sequence map.
Navigation Path
Open the Create and Edit VLAN ACL Content Dialog Boxes, select Redirect as the action, then click Select in the Interfaces field.
Related Topics
•
Field Reference
