Using Management Center for VPN Routers 1.3
Uploading Device Configurations


You can upload configurations that exist on a device into Router MC so that you can manage them using Router MC.

The following topics provide information about uploading device configurations:

- Understanding the Upload Function
- Uploading Configurations From a Device

Understanding the Upload Function

Using Router MC, you can convert the existing configurations on a device into Router MC policies that you can then edit and manage. This means that if you have used CLI commands to configure policies on the device, you do not have to redefine the policies in Router MC. You simply import the device into Router MC and then upload its policies.

You can also use the upload function to copy the configurations from a single device to another device or to a group of devices, without having to recreate the policies on each device.

Router MC uploads from the current configuration on the device. After a device has been imported, you can use the View Configs feature to see what commands exist in the device's current configuration. See Viewing Device Configurations (Workflow Disabled Mode), page 1-8 for more information about how to view the current configuration on the device.

After an upload is complete, you should see all uploaded configurations reflected in the Router MC interface. For example, if you upload a preshared key, it will appear in the Preshared Key page under Configuration > IKE when the device or group to which you uploaded is selected in the Object Selector.

Which Configurations Can Be Uploaded?

Router MC supports the uploading of:

- Selected VPN configuration commands. In general, you can upload VPN configurations that are not peer-specific and that are reusable. These include transform sets, preshared keys, group preshared keys, CA policies, IKE policies, and IPSec lifetime.
- Firewall configuration commands, including ACL and Context-Based Access Control (CBAC) configurations.

Router MC ignores any CLI commands that it does not support.

Prerequisites for Successful Upload

To use the upload function successfully, consider the following prerequisites:

- Configurations can only be uploaded to a target device/group that supports the configurations. For example, group preshared keys are only supported by hubs. Therefore, you cannot upload this configuration type to a spoke.
- VPN configurations can only be uploaded to devices that are defined as VPN devices, meaning either hubs or spokes. Firewall configurations can only be uploaded to devices defined as firewall devices. The device role is defined when the device is imported, but can be edited at a later stage. See Selecting Devices for Import and Defining Their Role, page 1-20, and Editing Device Information, page 1-5 for more information.
- When uploading CA policies:
  - Router MC supports one CA policy per device. If there are two or more CA policies configured on the device, Router MC uploads the first one only.
  - The CA identity command must specify an enrollment URL, otherwise the CA policy will not be uploaded.
  - If the IOS version on the device supports the CA identity command, the CA identity must be identical to the device domain name.
  - Router MC will not upload the CA policy from one device to another if the devices support different CA types (identity CA or trustpoint CA).
- Router MC supports one preshared key per device. If there are two or more preshared keys configured on the device, Router MC uploads the first one only.
- Router MC uploads IKE policies only when they use either a preshared key or RSA Signature for authentication.
- When uploading half-open connection commands, if the device only has the minimum value configured, Router MC will use the default maximum value.
- Router MC only uploads ACLs that are attached to the IP access group command for a specific interface on the device.
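
The following pre-check is an added example, not part of the original guide and not Cisco's code: it applies the upload rules listed above to a saved running-config and reports what would be left behind, so that silently dropped keys, CA policies, or ACLs are caught before the upload. The IOS command syntax it matches, the sample config, and the function names are assumptions; Router MC's own parser may behave differently.

```python
import re
# Constructed sample config (not from the page); standard IOS CLI syntax is assumed.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp policy 20
 authentication rsa-encr
crypto isakmp policy 30
 encr 3des
crypto isakmp key EXAMPLE-KEY-1 address 192.0.2.1
crypto isakmp key EXAMPLE-KEY-2 address 192.0.2.2
crypto ca identity branch-ca
 crl optional
interface FastEthernet0/0
 ip access-group 101 in
access-list 101 permit ip any any
access-list 102 deny ip any any
"""

def blocks(config):
    """Return [(top-level command, [indented sub-commands])] in config order."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def upload_precheck(config):
    """Return the items the upload rules listed above would skip, per category."""
    keys, cas, acls, bound, bad_ike = [], [], set(), set(), []
    for head, subs in blocks(config):
        if m := re.match(r"crypto isakmp policy (\d+)", head):
            # Assumption: a policy with no authentication line uses the IOS default, rsa-sig.
            auth = next((s.split()[1] for s in subs if s.startswith("authentication ")), "rsa-sig")
            if auth not in ("pre-share", "rsa-sig"):
                bad_ike.append(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", head):
            keys.append(m.group(1))  # record the peer address, never the key itself
        elif m := re.match(r"crypto ca (?:identity|trustpoint) (\S+)", head):
            cas.append((m.group(1), any(s.startswith("enrollment url ") for s in subs)))
        elif m := re.match(r"(?:ip access-list \S+|access-list) (\S+)", head):
            acls.add(m.group(1))
        bound.update(s.split()[2] for s in subs if s.startswith("ip access-group "))
    # Only the first CA policy is uploaded, and only if it has an enrollment URL.
    ca_skipped = [name for name, _ in cas[1:]] + [n for n, url in cas[:1] if not url]
    return {"ike": bad_ike, "psk_peers": keys[1:], "ca": ca_skipped, "acl": sorted(acls - bound)}
```

Compare the returned lists with the upload report after the operation; anything listed here that is still needed on the target has to be configured separately.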

Uploading Configurations From a Device

To upload device configurations, you must first import the source device into Router MC. You then specify the target object, meaning the device or group to which you want to upload the source device's configurations. You can then perform the upload operation.

Following a valid and successful upload, Router MC generates an upload report that shows:

- Which policies were uploaded.
- Error or warning messages describing any problems encountered.
- The actual CLI syntax of the uploaded policies.

Before You Begin:

- Import the device from which you want to upload configurations. See Importing Devices, page 1-12.
- If workflow mode is enabled, make sure you are working within the context of an open activity. See What is Workflow Enabled Mode?, page 1-6.

Procedure:


Step 1 Select Configuration > Upload. The Upload page appears. See Table 1-1 for a description of the Upload page.

Step 2 In the Upload From area, select the source device, meaning the device that contains the configuration policies you want to upload. The name of the device appears in the text box below the hierarchy.

Step 3 Click Select Target. The Upload Target dialog box appears. Table 1-2 describes the elements in the Upload Target dialog box.

Step 4 In the Upload To area, select the target object, meaning the object to which you want to upload policies. The target object can be a group or an individual device. If the target object is a group, the policies will be uploaded to all the descendants of that group.

Step 5 Click OK. The Upload Target dialog box closes, and the selected target object appears in the Upload To area of the Upload page.

Step 6 If you want to replace the existing policies on the target object with the uploaded policies, select the Override existing policies check box. Click Upload. The upload report appears, indicating which policies were uploaded successfully and listing errors or warnings if problems were encountered.


Table 1-1 describes the elements in the Upload page.

Table 1-1 Upload—GUI Reference

| GUI Element | Description |
| --- | --- |
| Upload From area | Displays device tree from which you select the source device, meaning the device from which you want to upload configurations. The name of the selected device appears in the text box below the tree. |
| +/- signs | Click the plus sign to expand, or click the minus sign to collapse, the selected level in the tree. |
| Select Target button | Click to open the Upload Target dialog box, in which you select the target object, meaning the object to which you want to upload policies. See Table 1-2 for a description of the Upload Target dialog box. |
| Upload To area | Displays the selected target object. |
| Override existing policies check box | Select to override the existing policies on the target device(s) with the uploaded policies from the source device. This applies specifically to policies that cannot exist in multiple instances on a device, such as preshared keys and CA policies. If this check box is not selected, and one of these policies is defined on the device, the policy from the source device will not be uploaded. |
| Upload button | Click to start the upload operation. |


Table 1-2 describes the elements in the Upload Target dialog box.

Table 1-2 Upload Target—GUI Reference

| GUI Element | Description |
| --- | --- |
| Upload To area | Select the target object to which you want to upload policies. The target object can be a group or an individual device. If the target object is a group, the policies will be uploaded to all the descendants of that group. |
| OK button | Click to accept the selection and close the dialog box. |
| Cancel button | Click to cancel any selection and close the dialog box. |