Using Management Center for VPN Routers 1.3
Managing Devices

Table Of Contents

Managing Devices

Understanding the Router MC Device Hierarchy

Viewing and Managing the Device Hierarchy

Editing Device Information

Moving Devices and Groups

Deleting a Device or a Device Group

Working with Device Groups

Working with HA Groups

Creating a Device Group/HA Group

Renaming a Device Group

Importing Devices

Accessing the Import Wizard

Selecting the Target Device Group

Choosing the Import Method

Specifying Import Parameters

Selecting Devices for Import and Defining Their Role

Viewing the Device Import Summary

Viewing Import Status

Reimporting Devices

Adding Unmanaged Spokes to Your VPN

Managing Device Credentials

Editing Credentials

Synchronizing Credentials


Managing Devices


To define VPN and firewall policies for your devices with Router MC, you must first import the devices into the application. You can then manage your devices within the Router MC device hierarchy.

Options available below the Devices tab allow you to manage your device hierarchy by importing devices, creating device groups, and moving or deleting devices and groups.


Note Router MC provides a taskflow that leads you easily through the steps required to manage your devices. By clicking each icon in the taskflow diagram, you can move directly to the relevant page for performing the required task. At any point, you can return to the Devices taskflow by clicking the Devices tab. See Devices Tab, page 1-18 for more information.


The following topics provide information about managing devices:

Understanding the Router MC Device Hierarchy

Viewing and Managing the Device Hierarchy

Working with Device Groups

Importing Devices

Viewing Import Status

Reimporting Devices

Adding Unmanaged Spokes to Your VPN

Managing Device Credentials

Understanding the Router MC Device Hierarchy

Router MC displays your imported devices in the form of a hierarchy, made up of device groups and individual devices. The highest level of the hierarchy is the Global object, and it contains all the device groups and devices in the Router MC device inventory. The Global object is always present. You can create device groups under which you can group your devices for administrative convenience. See Viewing and Managing the Device Hierarchy for more information.

How are devices added to the hierarchy?

To manage devices with Router MC, you must import them into the application. When you import a device, Router MC reads and stores its domain name, its interfaces, and their IP addresses. You specify the position in the hierarchy in which you want the imported devices to be located, either directly under the Global object, or in a device group that you previously created. The devices are represented in the device hierarchy by an icon indicating the type of device, and the host name or IP address specified at import. See Importing Devices for more information.

What is the advantage of grouping devices?

Grouping permits you to configure and manage multiple devices simultaneously, and therefore scales well in large networks.

A group can contain any combination of:

Hubs that you have combined virtually for administrative convenience

Spokes that you have combined virtually for administrative convenience

Subgroups

Groups and subgroups are equivalent to folders, offering an organizational convenience, but they have no topological significance unless you use them in a consistent way that is related to your own network topology.

Any group can include other subgroups within it. For example, you could create a group for all of your corporate finance facilities in Canada, and create within that a series of more localized subgroups for your payroll, billing, and investor relations departments. Then you could apply policy changes globally, or just among those devices in Canada supporting your financial services staff, or just in a particular department, or just in a specific device in your inventory.

See Working with Device Groups for more information.

What are the principles of policy inheritance within the hierarchy?

Inheritance is the means by which policies propagate downward through the hierarchy. You can define policies globally for all devices, for groups of devices, or for individual devices.

Policies that you apply at one level in your hierarchy apply equally to every lower level, by means of inheritance, unless they are overridden at a lower level. For example, hub policies that you create and apply on the Global level apply to your entire inventory of hubs. Policies that you create and apply for a group affect that group and all of its subgroups. Policies that you define on an individual device override any inherited policies and apply to that device only.

Viewing and Managing the Device Hierarchy

The Device Hierarchy page under the Devices tab displays the device hierarchy and provides options for managing groups and devices. Select Devices > Device Hierarchy to access this page. Table 1-1 describes the elements in the Device Hierarchy page.


Note You can also view the device hierarchy in the Object Selector, which is located along the left side of pages in the Configuration tab.


The following options are available for managing devices and groups in the hierarchy:

Editing Device Information

Deleting a Device or a Device Group

Adding Unmanaged Spokes to Your VPN

Working with Device Groups

Table 1-1 describes the elements in the Device Hierarchy page.

Table 1-1 Device Hierarchy—GUI Reference 

GUI Element: Description

All tab: Displays the entire device hierarchy.

Selection tab: Displays only the devices you selected in the hierarchy.

Icons: Each device or device group is represented in the device hierarchy by an icon. The icon indicates the type of device or group, as shown in Table 1-11 on page 1-33.

Check boxes: Select the check box to the left of any named object (group or device) in the hierarchy to select that object for managing. If you select a group, you will also select all of its devices and subgroups.

+/- icons: Click the plus sign to expand, or click the minus sign to collapse, the selected level in the tree.

Edit button: Select a device or multiple devices and click Edit to change the role (hub or spoke), the model, or the IOS version of the selected device(s). Select a device group and click Edit to rename that device group. See Editing Device Information for more information.

Move button: Click to move devices or groups from one position to another in the device hierarchy. See Editing Device Information for more information.

Delete button: Select one or more devices or groups in the tree and click Delete to remove them from your hierarchy. If you delete a group, you will also delete all of its devices and subgroups unless you first move them elsewhere, and you will delete all policies associated with the group.

Create Group button: Click to create a device group or an HA group. See Creating a Device Group/HA Group for more information.

Add Unmanaged Spoke button: Click to add an unmanaged spoke to your inventory. Unmanaged spokes are VPN devices in your inventory that are unavailable for direct Router MC configuration. Router MC uses the policy settings of an unmanaged spoke only to configure, by inference, its associated hub. For direct configuration of an unmanaged spoke, you must use its CLI, or use other software intended for that purpose. See Adding Unmanaged Spokes to Your VPN for more information.


Editing Device Information

You can edit the following device information:

Device role: You can change the role of a device in your hierarchy. For example, you can change a device's role from hub to spoke, or from spoke to hub, as your requirements for your network change over time. You might also decide to use a specific device for firewall purposes, instead of VPN. The role you define for a device determines which types of policies can be defined on and deployed to the device. For example, firewall policies will only be deployed to devices with firewall, hub/firewall, or spoke/firewall roles.

Model: You can specify a different model for the device(s), if the device was imported from a file (not live device import).

IOS Version: You can specify a different IOS version for the device(s).


Note Changing device roles might affect VPN connectivity. If so, you will receive errors when you try to create a job to deploy to the device. For example, if a spoke is assigned to a hub and you change the spoke's role to hub, an error would be generated.


Before You Begin

If the device you want to edit is currently included in a job that has not yet been deployed, you must either deploy the job or reject it to free the device for editing.

If workflow mode is enabled, make sure that you are working within the context of an open activity. See Managing Activities, page 1-7.

Procedure


Step 1 Select Devices > Device Hierarchy. The Device Hierarchy page appears.

Step 2 Select the device(s) in your hierarchy whose information you want to change, and click Edit. The Edit Device(s)/Group dialog box appears.


Note You must select a device or multiple individual devices, not a device group. If you select a device group, you will only be able to rename the group. See Renaming a Device Group.


Step 3 Edit the device information in the fields provided.

Step 4 Click OK.


Moving Devices and Groups

You can move devices and groups within the device hierarchy. For example, you can move individual devices from one group to another, or you can move a group of devices under another group.


Note You might create temporary policy anomalies when you move devices or groups, because Router MC policies are associated with them. For example, you could move or import a nonstandard device into a group for which you have previously created a group-level policy that requires the presence of a specific device interface.


Before You Begin

If workflow mode is enabled, make sure that you are working within the context of an open activity. See Managing Activities, page 1-7.

Procedure


Step 1 Select Devices > Device Hierarchy. The Device Hierarchy page appears.

Step 2 Select the device(s) or groups you want to move.

Step 3 Click Move. The Move Devices dialog box appears. Table 1-2 describes the elements in the Move Devices dialog box.

Step 4 Click a group in the Move Devices tree into which you want to move the object you just selected.

Step 5 Click OK. The device(s) or group is moved to the location you specified.


Table 1-2 describes the elements in the Move Devices dialog box.

Table 1-2 Move Devices—GUI Reference 

GUI Element: Description

+/- icons: Click the plus sign to expand, or click the minus sign to collapse, the selected level in the tree.

Move to area: Click the group folder in the tree into which you want to move your selected device(s) or group. The name of the selected group appears in the text field below the tree.

OK button: Click to confirm the move.

Cancel button: Click to cancel the move.


Deleting a Device or a Device Group

You can delete devices or device groups that you no longer want to manage with Router MC. When you delete a device group, all the devices in the group are deleted. If you want to keep the devices that are currently in a group, but delete the group containing them, you must move the devices before you delete their parent group. See Editing Device Information.

If your proposed deletion creates any conflicts within the network, Router MC generates an error message.

You will receive an error message if you try to delete:

The 'Global' group.

Objects that are locked by any activity.

Hubs that are referenced by any spoke that you have not also selected for deletion.

Devices that are currently included in a job that has not yet been deployed.

If you select multiple devices for deletion and there is a problem deleting one or more of the selected devices, the delete operation stops and none of the devices are deleted.
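The deletion rules above amount to a pre-check followed by an all-or-nothing delete. The following Python sketch is an added example, not Router MC code; the data model, the device names, and the choice to apply the checks to every member of a selected group are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str                      # "group", "hub" or "spoke"
    children: list = field(default_factory=list)
    hubs: tuple = ()               # spokes only: names of assigned hubs
    locked: bool = False           # locked by an activity
    in_pending_job: bool = False   # in a job that has not been deployed


def walk(node):
    """Yield node and everything below it in the hierarchy."""
    yield node
    for child in node.children:
        yield from walk(child)


def delete_blockers(root, selected):
    """Return the reasons a delete request must be refused (empty if none)."""
    by_name = {n.name: n for n in walk(root)}
    doomed = {}
    for name in selected:
        for n in walk(by_name[name]):      # deleting a group deletes its members
            doomed[n.name] = n
    reasons = []
    for n in doomed.values():
        if n is root:
            reasons.append("Global group cannot be deleted")
        if n.locked:
            reasons.append(f"{n.name} is locked by an activity")
        if n.in_pending_job:
            reasons.append(f"{n.name} is in a job that has not been deployed")
    # A hub may go only if every spoke that references it goes with it.
    for n in by_name.values():
        if n.kind == "spoke" and n.name not in doomed:
            for hub in n.hubs:
                if hub in doomed:
                    reasons.append(f"{hub} is referenced by spoke {n.name}")
    return reasons


def delete(root, selected):
    """Delete every selected object, or none of them if any check fails."""
    reasons = delete_blockers(root, selected)
    if reasons:
        return False, reasons
    for n in list(walk(root)):
        n.children = [c for c in n.children if c.name not in selected]
    return True, []


def sample_hierarchy():
    """Constructed inventory used only for this example."""
    hub = Node("hub-tor", "hub")
    payroll = Node("spoke-payroll", "spoke", hubs=("hub-tor",))
    finance = Node("Canada-Finance", "group", children=[hub, payroll])
    billing = Node("spoke-billing", "spoke", hubs=("hub-tor",))
    lab = Node("spoke-lab", "spoke", in_pending_job=True)
    return Node("Global", "group", children=[finance, billing, lab])


if __name__ == "__main__":
    root = sample_hierarchy()
    for request in (["hub-tor"], ["Canada-Finance"],
                    ["spoke-billing", "spoke-lab"],
                    ["Canada-Finance", "spoke-billing"]):
        print(request, delete(root, request))
```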

Before You Begin

If workflow mode is enabled, make sure that you are working within the context of an open activity. See Managing Activities, page 1-7.

Procedure


Step 1 Select Devices > Device Hierarchy. The Device Hierarchy page appears.

Step 2 Select the devices or groups you want to delete.

Step 3 Click Delete. The selected objects are deleted immediately.


Working with Device Groups

Grouping provides an easy and scalable mechanism for assigning common policies simultaneously to a set of devices, rather than doing so individually and in sequence. Device groups allow you to divide your network by any strategy you choose, including geographic locale, organizational function, corporate priority, or schedule of deployment.


Tip It is best to group your devices according to the policies that should apply to them. The primary benefits of grouping relate to managing policies across multiple similar devices simultaneously. (Those benefits are less available to you if you group devices by other criteria, such as their physical location, which might not relate in any clear way to your device policy requirements.) A group that contains a combination of hubs and spokes will disperse its policies to those devices in ways that apply appropriately to them.


Router MC supports two types of groups:

Standard device groups that can contain any combination of devices of any type. Standard device groups can also contain subgroups.

High Availability (HA) groups, which can contain only hubs. See Working with HA Groups for more information about HA groups.

The following topics provide information for working with device groups and HA groups:

Working with HA Groups

Creating a Device Group/HA Group

Renaming a Device Group

Moving Devices and Groups

Deleting a Device or a Device Group

Working with HA Groups

A High Availability (HA) group consists of two or more hub devices that use Hot Standby Routing Protocol (HSRP) and reverse routing injection (RRI) to provide transparent, automatic router failover. By sharing a virtual IP address, the hubs in the HA group present the appearance of a single virtual router or default gateway to the hosts on a LAN. One of the hubs in the HA group is always active and assumes the virtual IP address, while the others are standby hubs. The hubs in the group watch for hello packets from the active and the standby routers. If the active router becomes unavailable for any reason, a standby hub takes ownership of the virtual IP address and takes over the hub functionality. This transfer is seamless and transparent to hosts on the LAN, and to the peering devices.


Note You cannot set the priority of the hubs in the HA group using Router MC. The device with the lowest IP address on the internal or external subnet has the highest priority.


You can create an HA group in the same way as you create a standard device group. See Creating a Device Group/HA Group for more information. You define settings for the HA group in Configure > Settings > Hub > HA Settings. See Defining HA Group Settings, page 1-25 for more information.

Keep the following points in mind when working with HA groups:

An HA group can contain hubs only.

A hub can belong to one HA group only.

A Catalyst with VPN Services Module device cannot belong to an HA group.

Hubs can be imported into an HA group or can be moved to an HA group, as with standard device groups.

When a hub is moved into an HA group, any existing hub-specific policies, such as dynamic shared key or dynamic crypto policies, will be deleted. If a spoke is assigned to the hub, the assignment will be transferred to the HA group.

A hub that belongs to an HA group cannot be configured on its own, with the exception of dynamic crypto policies that can be defined on individual hubs in the HA group.

If you create a job that includes an HA group only, with no assigned spokes, only the HSRP and RRI configuration will be deployed to the hubs in the group. No crypto configuration will be deployed.

The role of a hub in an HA group cannot be changed to spoke.

An HA group acts as a single, logical hub for hub assignment. An HA group can be selected for primary or secondary hub assignment. See Specifying a Spoke's Hub Assignment, page 1-40 for more information.

A hub that belongs to an HA group cannot be assigned to a spoke individually.

Router MC does not support HSRP together with GRE.

For each HA group, you must specify the virtual IP addresses that will serve as the group's VPN and inside interfaces. See Defining HA Group Settings, page 1-25, for more information.

During generation of configurations, all hubs in the HA group receive the same commands, which must be deployed to the HA group as a unit. You cannot deploy to individual hubs in the group.
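Several of the HA group rules above can be checked mechanically before a hub is moved. The following Python sketch is an added example, not Router MC code; the class names, policy keys, and addresses are constructed for illustration. It also shows why the "lowest IP address" priority rule has to be evaluated numerically rather than as text.

```python
import ipaddress
from dataclasses import dataclass, field

# Hub-specific policy kinds the page names as examples; the keys themselves
# are labels invented for this sketch.
HUB_SPECIFIC = {"dynamic_shared_key", "dynamic_crypto"}


@dataclass
class Device:
    name: str
    role: str                    # "hub" or "spoke"
    ip: str                      # address on the subnet shared by the HA group
    vpnsm: bool = False          # Catalyst with VPN Services Module
    ha_group: str = ""           # name of the HA group, "" if none
    policies: dict = field(default_factory=dict)


@dataclass
class HAGroup:
    name: str
    members: list = field(default_factory=list)


def join_errors(dev, group):
    """Return the membership rules that dev would violate by joining group."""
    errors = []
    if dev.role != "hub":
        errors.append("an HA group can contain hubs only")
    if dev.vpnsm:
        errors.append("a Catalyst with VPN Services Module cannot belong to an HA group")
    if dev.ha_group and dev.ha_group != group.name:
        errors.append("a hub can belong to one HA group only")
    return errors


def move_into_ha_group(dev, group, hub_assignment):
    """Move dev into group; hub_assignment maps spoke name -> hub or HA group name."""
    errors = join_errors(dev, group)
    if errors:
        return errors
    # Existing hub-specific policies are deleted on the move.
    for kind in HUB_SPECIFIC.intersection(dev.policies):
        del dev.policies[kind]
    # Spokes assigned to this hub are now assigned to the HA group.
    for spoke, hub in hub_assignment.items():
        if hub == dev.name:
            hub_assignment[spoke] = group.name
    dev.ha_group = group.name
    if dev not in group.members:
        group.members.append(dev)
    return []


def role_change_allowed(dev, new_role):
    """A hub in an HA group cannot be changed to a spoke."""
    return not (bool(dev.ha_group) and dev.role == "hub" and new_role == "spoke")


def highest_priority_hub(group):
    """Lowest IP address wins; compare as addresses, not as strings."""
    return min(group.members, key=lambda d: ipaddress.ip_address(d.ip))


if __name__ == "__main__":
    ha = HAGroup("ha-east")
    assignment = {"spoke-1": "hub-a"}          # constructed sample data
    hub_a = Device("hub-a", "hub", "10.0.0.10", policies={"dynamic_crypto": "x"})
    hub_b = Device("hub-b", "hub", "10.0.0.9")
    print(move_into_ha_group(hub_a, ha, assignment), assignment)
    print(move_into_ha_group(hub_b, ha, assignment))
    print(highest_priority_hub(ha).name)       # hub-b: 10.0.0.9 < 10.0.0.10
```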

Creating a Device Group/HA Group

We recommend that you create device groups and HA groups before importing your devices.

Before You Begin

If workflow mode is enabled, make sure that you are working within the context of an open activity. See Managing Activities, page 1-7.

Procedure


Step 1 Select Devices > Device Hierarchy. The Device Hierarchy page appears.

Click Create Group. The Create Device Group dialog box appears. Table 1-3 describes the elements in the Create Device Group dialog box.

Step 2 Enter a name for the new group in the Name field.

Step 3 Select the type of group you want to create, either a standard device group or an HA group.

Step 4 Click the group in the tree within which you want to create the new group.

Step 5 Click Create.


Table 1-3 describes the elements in the Create Device Group dialog box.

Table 1-3 Create Device Group—GUI Reference 

GUI Element: Description

Name field: Enter a name for the new group (not more than fifty characters).

+/- icons: Click the plus sign to expand, or click the minus sign to collapse, the selected level in the device tree.

Group Type radio buttons: Select a radio button to specify the type of group you want to create, a standard device group or an HA group.

Create in area: Click the group folder in the tree in which you want to create the new group. The name of the target group appears in the text field below the tree.

Create button: Click to create the new group.

Cancel button: Click to cancel the creation of the new group.


Renaming a Device Group

You can change the name of any device group in your device hierarchy, to reflect organizational or other changes.

Procedure


Step 1 Select Devices > Device Hierarchy. The Device Hierarchy page appears.

Step 2 Select the device group you want to rename, and click Edit. The Edit Device/Group dialog box appears.

Step 3 Enter a new name for the device group (not more than fifty characters) in the New Group Name field, and click OK to save your change. Or, click Cancel to close the Edit Device/Group dialog box without saving your change.


Importing Devices

To import a device is to bring into Router MC a range of identifying information for the device, such as its domain name, its interfaces and subinterfaces, and the IP addresses for its interfaces and subinterfaces. Following import, these devices appear in your Router MC device hierarchy. You can only manage a device in Router MC after you have imported it.

You import devices into Router MC using the Import wizard, accessed from the Device Import page of the Devices tab. See Accessing the Import Wizard. You can import devices into either the Global (root) level of your Router MC hierarchy, or to any existing device group.

You can import single devices individually, or multiple devices simultaneously. Router MC imports devices either by reading the information directly from the devices during SSH sessions through a process called device discovery, or from a file that contains information about the device.

Importing Devices with Dynamically Assigned IP Addresses

Router MC can import devices that have dynamic IP addresses obtained from a DHCP server. If you specify during import that a device has a dynamic IP address, Router MC uses the device's host name to retrieve its IP address from Auto Update Server (AUS), which must be installed and connected to your system. See Prerequisites for Working With Dynamically Addressed Devices, page A-10 for information about using AUS with Router MC.

Only spoke devices with dynamic IP addresses can be imported (not hubs).

These devices can be imported one at a time. At this stage, you cannot import dynamic IP devices from a file, or import multiple dynamic IP devices from a CSV file.


Note When managing dynamic IP devices, you must use GRE with DMVPN for failover and routing. See Understanding GRE with DMVPN, page 1-6 for more information.


Table 1-4 describes the elements in the Device Import page.

Table 1-4 Device Import—GUI Reference 

GUI Element: Description

All tab: Displays the entire device hierarchy.

Selection tab: Displays only the devices you selected in the hierarchy.

Icons: Each device or device group is represented in the device hierarchy by an icon. The icon indicates the type of device or group, as shown in Table 1-11 on page 1-33.

Note You must select a device or device group in the hierarchy before you import or re-import devices.

Check boxes: Select the check box to the left of any named object (group or device) in the hierarchy to select that object for managing. If you select a group, you will also select all of its devices and subgroups.

+/- icons: Click the plus sign to expand, or click the minus sign to collapse, the selected level in the tree.

Re-import button: Select a device or device group in the device hierarchy and click this button to re-import the device or group. This is useful if device information has changed and you want to bring the new device information into Router MC. See Reimporting Devices for more information.

Import button: Click to access the Import wizard to import devices into Router MC, into the selected device group. See Importing Devices for more information.

Last Import Status button: Click to display the import status of the devices in the most recent import operation. See Viewing Import Status for more information.


Accessing the Import Wizard

To import devices, you must access the Import wizard.

Before You Begin

If workflow mode is enabled, make sure that you are working within the context of an open activity. See Managing Activities, page 1-7.

Procedure


Step 1 Select Devices > Device Import. The Device Import page is displayed.

Step 2 Click Import. The first page of the Import wizard appears. See Choosing the Import Method.


Note If you are accessing the Import wizard from the Devices taskflow, as described in Table 1-3 on page 1-18, the first page of the wizard that opens requires you to select a target device group. See Selecting the Target Device Group.



Selecting the Target Device Group


Note The Target Device Group page is only available if you are using the Devices taskflow to import your devices. See Table 1-3 on page 1-18 for more information.


In the Target Device Group page of the Import wizard, you specify the device group into which your devices should be imported.

Procedure


Step 1 Select a target device group in the tree by clicking its name.

The name of the selected group appears in the text box below the tree. All the devices you select for import will be imported into the selected group.

Step 2 Click Next. The Choose Import Method page appears. Proceed to Choosing the Import Method.


Table 1-5 describes the elements in the Target Device Group page.

Table 1-5 Target Device Group—GUI Reference 

GUI Element: Description

+/- icons: Click the plus sign to expand, or click the minus sign to collapse, the selected level in the tree.

Import To: Click the group folder in the tree into which you want to import your selected device(s). The name of the selected group appears in the text field below the tree.

Next button: Click to go to the next page in the wizard.

Cancel button: Click to exit the wizard without saving your selections.


Choosing the Import Method

You can import a device either by direct device discovery, or from a file containing the device information:

With direct discovery, Router MC connects with SSH to a running, accessible device and gathers the device information directly from the device. Router MC can import multiple live devices from a CSV file.

When you import a device from a file, you direct Router MC to read a file that contains the output of the CLI command show run for that device.


Note Catalyst devices with VPN Services Module and devices with dynamic IP addresses can only be imported by direct device discovery.


Procedure


Step 1 Select the required import method.

Step 2 Click Next. The Parameters page appears. Proceed to Specifying Import Parameters.


Table 1-6 describes the elements in the Choose Import Method page.

Table 1-6 Choose Import Method—GUI Reference 

GUI Element: Description

Import Multiple Device Config Files in a Specified Directory radio button: Imports multiple device configuration files from a directory.

By default, configuration files must be named <primary-device-name>.cfg.

An administrator can change the required suffix for the configuration files in the Admin tab. See Defining System Settings, page 1-1 for more information.

Import Single Device Config File radio button: Imports a single device configuration file.

Single Device Import radio button: Imports one device by means of an SSH session to read its device information. For devices with dynamic IP addresses, the IP address is retrieved from Auto Update Server (AUS). See Prerequisites for Working With Dynamically Addressed Devices, page A-10 for more information about using AUS.

Multiple Device Import via CSV File radio button: Using a plain text file that contains comma-separated values, including device IP address and administrative passwords, Router MC connects directly to multiple devices through SSH and collects their device information. You can create this file by using the export function in Cisco Resource Manager Essentials (RME), or you can create it manually in the correct format. See Providing the Correct CSV File Format for Multiple Device Import, page A-3 for more information about the format of the CSV file.

Back button: Available only if Target Device Group appears in the TOC. See Selecting the Target Device Group.

Click to go back to the previous page in the wizard.

Next button: Click to go to the next page in the wizard.

Cancel button: Click to exit the wizard without saving your settings.


Specifying Import Parameters

Specifying import parameters allows Router MC to identify the device to be imported and to read its device information. The required import parameters vary depending on the import method you selected. See Table 1-7 for a description of the Import Parameters page, including all its variations.

Complete the following procedure to specify import parameters.

Procedure


Step 1 Enter the required import parameters.

Step 2 Click Next. The Import Devices page appears. Proceed to Selecting Devices for Import and Defining Their Role.


Table 1-7 describes the elements in the Import Parameters page.

Table 1-7 Import Parameters—GUI Reference 

Import Method / Displayed GUI Element: Description

Import Multiple Device Config Files in a Specified Directory/Import Single Device Config File

Configuration Directory/Configuration File field: Enter the full path on the server to a directory containing the device configuration files, or enter the path on the server to the device configuration file.

OR

Click Browse to browse to the required directory/configuration file.

Router MC will import all files with the correct suffix present in the specified directory. To import a specific file from the directory, include the filename in the path.

Browse button: Click to navigate through the directory structure on the Router MC server to locate the device configuration files of the devices you want to import.

Required File Suffix field: Displays the required filename suffix for the configuration files. The default suffix is .cfg. Instructions for changing this default setting are in Defining System Settings, page 1-1.

Import Target: Displays the selected object (Global or device group) in the device hierarchy into which the device(s) will be imported. See Importing Devices.

Default Role field: This field enables you to specify a role that is valid for all or most of the devices you are importing, instead of having to specify each device's role individually. If necessary, you can change the role of specific devices in the next page in the wizard, the Import Devices page. See Selecting Devices for Import and Defining Their Role for information about the different device roles.

Default Model field: This field enables you to specify a device model that is valid for all or most of the devices you are importing, instead of having to specify each device's model individually. If necessary, you can change the model of specific devices in the next page in the wizard, the Import Devices page.

Default IOS Version field: This field enables you to specify an IOS version that is valid for all or most of the devices you are importing, instead of having to specify each device's IOS version individually. If necessary, you can change the IOS version of specific devices in the next page in the wizard, the Import Devices page.

Multiple Device Import via CSV File

CSV File field: Enter the full path and CSV file name, if known. Or, click Browse.

Browse button: Click to navigate through the directory structure on the Router MC server to the CSV file.

Default Role field: This field enables you to specify a role that is valid for all or most of the devices you are importing, instead of having to specify each device's role individually. If necessary, you can change the role of specific devices in the next page in the wizard, the Import Devices page. See Selecting Devices for Import and Defining Their Role for information about the different device roles.

Single Device Import

Device IP/Name radio button: Select this option if you are importing a device with a fixed IP address. In the adjacent field, enter the device IP address or its qualified DNS name. It is recommended that you identify the device by the IP address of its external interface.

Dynamic IP hostname radio button: Select this option if you are importing a spoke with a dynamic IP address obtained from a DHCP server. In the adjacent field, enter the host name of the device (not the DNS name).

Note To import a dynamic IP device, Auto Update Server (AUS) settings must be defined in the Admin tab. See Defining Configuration Support Settings, page 1-3.

Username field: Enter the login name for an administrative account on the device.

Password field: Enter the password for accessing the device.

Enable Password field: Enter the enable password for the device.

Back button: Click to go back to the previous page in the wizard.

Next button: Click to go to the next page in the wizard.

Cancel button: Click to exit the wizard without saving your settings.


Selecting Devices for Import and Defining Their Role

After you have confirmed your import method and import parameters, you can select or deselect devices for importing, specify their role in the system, and specify the device model and IOS version.

Router MC requires that you define the role of each device you import, so that only relevant configurations are deployed to the device, based on its role. For example, you might define both VPN and firewall policies on a device group. These policies are inherited by all the devices in the group. However, only firewall configurations will be deployed to the devices whose role is "Firewall", and only VPN configurations will be deployed to hub or spoke devices.

A device can have one of the following roles:

Hub: The device serves as a primary or secondary hub in a VPN. On deployment, only hub-specific VPN configurations are deployed to the device.

Spoke: The device serves as a spoke in a VPN. On deployment, only spoke-specific VPN configurations are deployed to the device.

Firewall: The device is intended for use as a firewall device only. It will not participate in a VPN. On deployment, only firewall configurations will be deployed to the device.

Hub/Firewall: The device is intended for use as a hub in a VPN and will also provide firewall functionality. Both hub-related VPN configurations and firewall configurations will be deployed to the device.

Spoke/Firewall: The device is intended for use as a spoke in a VPN and will also provide firewall functionality. Both spoke-related VPN configurations and firewall configurations will be deployed to the device.


Note A Catalyst VPN Services Module device can only serve as a hub. If you import it as a spoke, Router MC will automatically change its role to hub.
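
The role rules above mean that a policy inherited from a device group is silently left undeployed on any device whose role does not cover it. The following added example (not part of Router MC or the original guide) audits a planned import list for that case and for the VPN Services Module role change. The record layout, the model label, and all device names are assumptions made for illustration.

```python
from dataclasses import dataclass

# role -> (gets VPN configuration, gets firewall configuration), per the role list above
ROLES = {
    "Hub": (True, False), "Spoke": (True, False), "Firewall": (False, True),
    "Hub/Firewall": (True, True), "Spoke/Firewall": (True, True),
}
VPNSM = "Catalyst VPN Services Module"  # model label as an import list might carry it (assumed)

@dataclass(frozen=True)
class PlannedImport:           # hypothetical record, not a Router MC structure
    name: str
    role: str
    model: str
    group_policies: frozenset  # classes inherited from the group: "vpn", "firewall"

def effective_role(dev):
    """Return the role the device ends up with after import."""
    if dev.role not in ROLES:
        raise ValueError(f"{dev.name}: unknown role {dev.role!r}")
    # The note covers only a module imported as Spoke; Spoke/Firewall is left unchanged here.
    if dev.model == VPNSM and dev.role == "Spoke":
        return "Hub"
    return dev.role

def audit(plan):
    """List devices whose role changes or whose inherited policies are not deployed."""
    findings = []
    for dev in plan:
        role = effective_role(dev)
        vpn, firewall = ROLES[role]
        deployed = {k for k, on in (("vpn", vpn), ("firewall", firewall)) if on}
        skipped = sorted(dev.group_policies - deployed)
        if skipped or role != dev.role:
            findings.append((dev.name, role, skipped))
    return findings

BOTH = frozenset({"vpn", "firewall"})
PLAN = [  # constructed sample data
    PlannedImport("hq-hub-1", "Hub/Firewall", "router", BOTH),
    PlannedImport("branch-7", "Spoke", "router", BOTH),
    PlannedImport("edge-fw-2", "Firewall", "router", BOTH),
    PlannedImport("cat-vpnsm", "Spoke", VPNSM, frozenset({"vpn"})),
]

if __name__ == "__main__":
    for name, role, skipped in audit(PLAN):
        print(f"{name}: role={role} not deployed={skipped or 'none'}")
```

A finding such as branch-7 with "firewall" not deployed is the case to review before clicking Finish: the group's firewall policy exists, but the Spoke role keeps it off the device.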


Procedure


Step 1 In the Import column, make sure that the check boxes next to the devices you want to import are selected. Deselect the devices you do not want to import.

Step 2 In the Role column, select the role each device will have in the device hierarchy.

Step 3 If Summary appears in the TOC, click Next. The Device Import Summary page appears. Proceed to Viewing the Device Import Summary.

OR

If Summary does not appear in the TOC, click Finish to complete the device import procedure, or go back to a previous step in the wizard to change your definitions, as required.


Table 1-8 describes the elements in the Import Devices page.

Table 1-8 Import Devices—GUI Reference 

GUI Element
Description

Import column

To have Router MC import a device listed in the table, select its check box. To select all devices, select the check box above the column. To prevent Router MC from importing a listed device, deselect its check box. If a device already exists in your device hierarchy, "Previously imported" appears in this column.

Device column

Displays the name or IP address of the device.

Role column

Specify the role of the device in your device hierarchy. Router MC only deploys relevant configurations to the device, based on its role. For example, only firewall configurations will be deployed to a device whose role is Firewall, even if other VPN policies are defined on the device (through inheritance from a higher level object). See Selecting Devices for Import and Defining Their Role for information about the different device roles.

Model column

This column is only present when importing from file. Specify the device model.

IOS Version column

This column is only present when importing from file. Specify the IOS version on the device.

Rows per page list box

Enables you to change the number of devices displayed per page.

<< link; >> link

Click the << link, when it is available, to return to the previous screen in the device marking table. Click the >> link, when it is available, to advance to the next screen in the device marking table.

Back button

Click to go back to the previous page in the wizard.

Next button

Available only if Summary appears in the TOC. See Defining System Settings, page 1-1.

Click to go to the next page in the wizard.

Finish button

Available only if Summary does not appear in the TOC. See Defining System Settings, page 1-1.

Click to exit the wizard and complete the device import procedure.

Cancel button

Click to exit the wizard without saving your settings.


Viewing the Device Import Summary


Note The Device Import Summary page is only available if the Show Summary Step in Wizards check box in the System Settings page is selected. See Defining System Settings, page 1-1.


After you have completed all of the preliminary steps for device import, you can review your definitions.

If you need to make changes, you can return to a previous wizard screen to correct them.

Procedure


Step 1 Review the text in the Device Import Summary text area.

Step 2 Do any one of the following:

Click Finish to confirm your selections, import the specified devices, and commit the changes to your device inventory. The Import Status page appears, displaying the devices to be imported and their status. See Table 1-10.

Click Back to step through previous wizard screens and correct errors if you need to.

Click Cancel to discard all of your selections and end the process of importing devices.


Table 1-9 describes the elements in the Device Import Summary page.

Table 1-9 Import Summary—GUI Reference 

GUI Element
Description

Device Import Summary area

Identifies each device that you have selected for import, by listing its name, role, and parent device group. For devices imported from file, it also shows the device model and IOS version.

Back button

Click to go back to the previous page in the wizard.

Finish button

Click to exit the wizard and complete the device import procedure.

Cancel button

Click to exit the wizard without saving your settings.


Viewing Import Status

After you complete the Import wizard, the Import Status dialog box automatically appears, allowing you to view the import progress and status for each device you chose to import. You can click the Last Import Status button in the Device Import page at any time to view the status of the devices in the most recent import operation.

Table 1-10 describes the elements in the Import Status dialog box.

Table 1-10 Import Status—GUI Reference 

GUI Element
Description

Pending column

Displays the number of devices that are going to be imported but for which the import process has not yet started.

In Progress column

Displays the number of devices for which the import process is in progress.

Completed column

Displays the number of devices that Router MC has successfully imported into the device hierarchy as a result of your most recent import operation.

Failed column

Displays the number of devices from your most recent import operation for which the import failed. When failures occur, Router MC displays a brief explanation of the cause of failure.

Device Name column

Identifies each imported device by name.

Device Status column

Displays a status message for each device included in your most recent import operation. The status messages are:

Completed—The import operation has completed successfully.

In progress—The import operation has not yet concluded.

Pending—The import operation has not yet begun.

Failed—The import operation for the device failed.

Time column

Displays the time at which Router MC assigned the listed import status to the device.


Reimporting Devices

Router MC allows you to reimport existing devices. This is useful if information on the device has changed since the last import (for example, if the IP address of interfaces on the device has changed) and you want to bring the new device information into Router MC.

The reimport process is the same as the import process. Router MC reads the device information either directly from the live device or from a configuration file containing the device information. See Importing Devices for more information.

Before You Begin

If workflow mode is enabled, make sure that you are working within the context of an open activity. See Managing Activities, page 1-7.

Procedure


Step 1 Select Devices > Device Import. The Device Import page is displayed.

Step 2 In the device hierarchy, select the device(s) or groups you want to reimport and click Re-import. The Choose Method page appears.

Step 3 Select the required reimport method:

Re-import of multiple device configuration files from a specified directory

Re-import of a single device configuration file

Single Device Re-import

Multiple Device Re-import via CSV File

If you have selected a single device for reimport, Router MC will reimport just that one device, even if you have selected as your import method a CSV file or a directory that contains other, additional devices.


Note If you have selected more than one device for reimport, the "Single Device Import" method is not shown.


See Table 1-6 for information about import methods.

Step 4 Click Next. The Parameters page appears.

Step 5 For reimport from configuration file(s), browse to or enter the path on the server to the directory that contains the device configuration file(s). For device discovery, specify the parameters of the single device or the path to the CSV file, for multiple devices. See Table 1-7 for information about the import parameters.

Step 6 If Summary appears in the TOC, click Next. The Device Re-import Summary page appears.

Step 7 Click Finish to start the reimport process. Otherwise, click Cancel to discard your changes, or click Back to return to a previous page in the wizard and modify your reimport definitions.


Adding Unmanaged Spokes to Your VPN

A VPN-enabled device that has a valid and known IP address or DNS device name can become a spoke in your hub-and-spoke VPN, even if Router MC does not manage it directly.

Unmanaged spokes are VPN devices in your inventory that are unavailable for direct Router MC configuration. Router MC uses the policy settings of an unmanaged spoke only to configure—by inference—its assigned hub. For direct configuration of an unmanaged spoke, you must use its CLI, or use other software intended for that purpose.

You can extend your hub-and-spoke VPNs to devices (such as Cisco PIXen or Cisco VPN concentrators) that do not use Cisco IOS.

Before You Begin

If workflow mode is enabled, make sure that you are working within the context of an open activity. See Managing Activities, page 1-7.

Procedure


Step 1 Select Devices > Device Hierarchy. The Device Hierarchy page appears.

Step 2 Click Add Unmanaged Spoke. The Add Unmanaged Spoke dialog box appears.

Step 3 Type the IP address or DNS device name of the unmanaged spoke in the Device IP or Hostname field.

Step 4 In the Into Group area, select the group in the hierarchy in which you want to add the unmanaged spoke.

Step 5 Click OK.


Table 1-11 describes the elements in the Add Unmanaged Spoke dialog box.

Table 1-11 Add Unmanaged Spoke—GUI Reference 

GUI Element
Description

Device IP or Hostname field

Enter the IP address or the DNS device name of the unmanaged spoke.

Into Group area

Displays the device hierarchy from which you select the group in which you want to add the unmanaged spoke.

+/- signs

Click the plus sign to expand, or click the minus sign to collapse, the selected level in the Into Group hierarchy.

OK button

Click to complete the addition of the unmanaged spoke.

Cancel button

Click to cancel the addition of the unmanaged spoke.


Managing Device Credentials

Router MC can connect directly to a device for deployment only if it can authenticate itself to that device with a username and password. The Credentials page under the Devices tab allows you to edit the credentials of specific devices or to synchronize the credentials of all devices from a CSV file.

Table 1-12 describes the elements in the Credentials page.

Table 1-12 Credentials—GUI Reference 

GUI Element
Description

All tab

Displays the entire device hierarchy.

Selection tab

Displays only the devices you selected in the hierarchy.

Icons

Each device or device group is represented in the device hierarchy by an icon. The icon indicates the type of device or group, as shown in Table 1-11 on page 1-33.

Check boxes

Select the check box next to a device to select it.

+/- icons

Click the plus sign to expand, or click the minus sign to collapse, the selected level in the tree.

Edit Credentials button

Click to edit the credentials of the devices selected in the device hierarchy. See Editing Credentials for more information.

Sync from CSV button

Click to synchronize the credentials of multiple devices from a specified CSV file. See Synchronizing Credentials for more information.


Editing Credentials

If the credentials on a device or multiple devices have changed, you can update Router MC with the changes.

Procedure


Step 1 Select Devices > Credentials. The Credentials page appears.

Step 2 Select the required group(s) or device(s) in the device hierarchy.

Step 3 Click Edit Credentials. The Credentials Parameters dialog box appears.

Step 4 If the device information was imported directly from the live device, its credentials are displayed. Click Override if you want to change the credentials.

Step 5 Enter the device credential parameters in the relevant fields.

Step 6 Click Apply.


Table 1-13 describes the elements in the Credentials page.


Note Credentials are not linked to the activity within which they are specified. The credentials that you specify are committed to the database immediately, even if the activity has not been approved. The credentials are not removed if the activity is closed or deleted.


Table 1-13 Credentials—GUI Reference 

GUI Element
Description

Username field

Enter the username for logging into the device.

Password field

Enter the password for logging into the device.

Password (Confirm) field

Re-enter the password for confirmation.

Enable field

Enter the enable password. This password activates enable mode on a Cisco IOS device, if an enable password is configured on that device.

Enable (Confirm) field

Re-enter the enable password for confirmation.

Apply button

Click to apply your definitions. The credentials are immediately committed to the database, even if the activity has not been approved.

Defaults button

The Defaults button is present when any object other than Global is selected in the hierarchy. Click to remove your local definitions and restore the inherited default values.

Close button

Click to close the dialog box.


Synchronizing Credentials

You can update the credentials of multiple devices simultaneously from a CSV file.


Note All the devices in the specified CSV file are synchronized. You cannot select specific devices for credentials synchronization.


Procedure


Step 1 Select Devices > Credentials. The Credentials page appears.

Step 2 Click Sync from CSV. The Sync Credentials from CSV dialog box appears.

Step 3 Enter the path to the CSV file that contains the device information, or click Browse to navigate to it.

Step 4 Click Synchronize.
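
Because every device in the CSV file is synchronized and none can be deselected, it is worth checking the file against the intended scope before clicking Synchronize. The following is an added example, not part of Router MC or the original guide. The column names are assumptions (this section does not give the CSV layout, so adapt them to the layout your Router MC version documents), and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed header; this section does not define the CSV layout.
COLUMNS = ("device", "username", "password", "enable_password")

def preflight(csv_text, intended):
    """Compare a credentials CSV with the devices you mean to update (names only, no secrets)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    absent = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if absent:
        raise ValueError(f"CSV lacks columns: {absent}")
    seen = defaultdict(set)   # device -> distinct credential tuples
    blank = set()
    for row in reader:
        dev = (row["device"] or "").strip().lower()
        if not dev:
            continue
        creds = tuple(row[c] or "" for c in COLUMNS[1:])
        seen[dev].add(creds)
        # A blank enable password can be legitimate; a blank login cannot.
        if not creds[0].strip() or not creds[1]:
            blank.add(dev)
    wanted = {d.strip().lower() for d in intended}
    return {
        "unintended": sorted(set(seen) - wanted),   # in the file, so they WILL be synced
        "missing": sorted(wanted - set(seen)),      # expected but absent from the file
        "conflicting": sorted(d for d, c in seen.items() if len(c) > 1),
        "blank": sorted(blank),
    }

SAMPLE_CSV = """\
device,username,password,enable_password
10.0.0.1,admin,constructed-pw-1,constructed-en-1
branch-7,admin,constructed-pw-2,
branch-7,admin,constructed-pw-3,
lab-rtr,admin,,
"""
INTENDED = ["10.0.0.1", "branch-7", "hq-hub-1"]  # constructed scope list

if __name__ == "__main__":
    for check, devices in preflight(SAMPLE_CSV, INTENDED).items():
        print(f"{check}: {devices}")
```

The report contains device names only, so it can be attached to a change record without exposing the passwords held in the file.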