Table Of Contents
Getting Started with Router MC
Starting Router MC
Logging Out of Router MC
Understanding Router MC Workflow Modes
What is Workflow Enabled Mode?
What is Workflow Disabled Mode?
Comparison of Workflow Modes
Changing the Workflow Mode
Understanding the Router MC User Taskflow
Router MC User Taskflow (Workflow Disabled Mode)
Router MC User Taskflow (Workflow Enabled Mode)
Working With the Router MC User Interface
The Router MC Home Page
Getting to Know the Router MC Tabs
Devices Tab
Configuration Tab
Deployment Tab
Workflow Tab
Reports Tab
Admin Tab
Understanding the Router MC Pages
Using Router MC Tables
Using Router MC Wizards
Using the Object Selector
Managing Java Plug-In Security Warnings
Preparing the Router MC Working Environment (Administrators)
Getting Started with Router MC
The following topics provide information about getting started with Router MC:
• Starting Router MC
• Logging Out of Router MC
• Understanding Router MC Workflow Modes
• Understanding the Router MC User Taskflow
• Working With the Router MC User Interface
• Preparing the Router MC Working Environment (Administrators)
Starting Router MC
You can access Router MC from the VPN/Security Management Solution drawer of the CiscoWorks desktop.
Before You Begin
Before you log into CiscoWorks and start Router MC, you must complete the following tasks:
• Make sure that your browser is configured for CiscoWorks, and that CiscoWorks Common Services 2.2 has been installed successfully. See "Installation and Setup Guide for CiscoWorks Common Services 2.2 on Windows 2000/Solaris" for more information.
• Make sure that Router MC is installed correctly. See "Installing Management Center for VPN Routers 1.3 on Windows 2000 and Solaris" for more information.
Note
The screens displayed in the following procedure are taken from Internet Explorer. If you are using Netscape 7 as your browser, the screens might appear different, but the functionality remains the same.
Procedure
Step 1
Start the CiscoWorks Server from your web browser. The default URL is:
http://server_name:port_number
• The server_name is the assigned DNS name or IP address of the CiscoWorks Server.
• The port_number is either the port number you previously entered when prompted to supply one for the CiscoWorks Server installation, or the default port number, 1741.
Alternatively, if you chose during the installation of CiscoWorks Common Services 2.2 to place a Windows shortcut on the server's desktop, double-click that shortcut.
The CiscoWorks desktop appears, as shown in Figure 1-1. The Login Manager appears in the left pane, and the CiscoWorks splash screen appears in the right pane.
Figure 1-1 Logging into the CiscoWorks Desktop
Step 2
Log into the CiscoWorks desktop. Enter the following information in the Login Manager:
a. Enter your username in the Name field.
b. Enter your password in the Password field.
If you are a network administrator, you should have been prompted to change the existing administrative password when CiscoWorks Common Services 2.2 was installed. This change prevents unauthorized users from accessing privileged applications. See "Installation and Setup Guide for CiscoWorks Common Services 2.2 on Windows 2000/Solaris" for more information.
c. Click Connect.
You are now logged into the CiscoWorks desktop. The CiscoWorks navigation tree appears in the left pane.
Note
Login sessions time out after two hours of inactivity, at which time you might be prompted to log in again.
Step 3
From the navigation tree, click the VPN/Security Management Solution drawer. The Management Center folder appears in the left pane.
Step 4
Click Management Center. The VPN Routers folder appears in the left pane under the Management Center drawer, as shown in Figure 1-2. Other applications might also be listed, depending on what you have installed.
Figure 1-2 VPN Routers in the CiscoWorks Desktop
Step 5
Click VPN Routers. The Home page of Router MC appears, as shown in Figure 1-5.
Note
Only one instance of Router MC can be running in your web browser at any one time. If Router MC is running already and you start a second instance of it from the CiscoWorks desktop, the second instance will replace the first instance in your browser window.
Logging Out of Router MC
When you finish working with Router MC, you must close the application and log out of CiscoWorks.
Procedure
Step 1
In any open page, click the Close link in the upper right corner of the page. When Router MC closes, you return to the CiscoWorks Desktop window.
Note
You can still use the CiscoWorks desktop without logging in again. For example, you could open a new Router MC page and start a new session.
Step 2
To end your CiscoWorks session, click Logout in the CiscoWorks Desktop window.
A message appears informing you that your login session has been terminated, and the Login Manager window appears (see Figure 1-1). To start a new session, you must log in again.
Understanding Router MC Workflow Modes
Router MC provides two modes of operation that allow adaptation for different organizational working environments: Workflow Enabled mode and Workflow Disabled mode. Administrators can select the required mode in the Admin tab under System Settings.
The following topics provide information about the Workflow modes:
• What is Workflow Enabled Mode?
• What is Workflow Disabled Mode?
• Comparison of Workflow Modes
• Changing the Workflow Mode
• Router MC User Taskflow (Workflow Disabled Mode)
• Router MC User Taskflow (Workflow Enabled Mode)
What is Workflow Enabled Mode?
Workflow Enabled mode is an advanced mode of operation in which device management and policy configuration changes performed by one user can be reviewed and approved by another user before being deployed to the relevant devices. This imposes a formal change tracking and management system. Workflow Enabled mode is suitable for organizations in which there is division of responsibility among security and network operators for defining VPN or firewall policies and deploying these policies to devices. For example, a security operator might be responsible for defining security policies on devices, another security operator might be responsible for approving the policy definitions, and a network operator for deploying the resulting configurations to a device. This separation of responsibility helps maintain the integrity of deployed device configurations.
In Workflow Enabled mode:
• To enable distributed configuration change management, a user must create an activity before performing device management and policy configuration tasks. An activity is essentially a proposal to make device or configuration changes. The changes made within the activity are only applied after the activity is approved by a user with the appropriate permissions. An activity can either be submitted to another user for review and approval, or it can be approved by the current user (depending on how Workflow Enabled mode is set up). See Chapter 1, "Working with Activities" for detailed information about activities.
• To deploy configurations to the relevant devices, a user must create a job. A job defines the devices to which configurations will be deployed, and the deployment method to be used. Workflow mode can be set up to require approval of jobs before configurations can be deployed to the devices. See Managing Deployment in Workflow Enabled Mode, page 1-10.
What is Workflow Disabled Mode?
Some organizations have no division of responsibility between users when defining and administering their VPN and firewall policies. These organizations can use Workflow Disabled mode, which is the default mode of operation in Router MC. In Workflow Disabled mode, there is no need to create activities and jobs. On login, Router MC automatically creates an activity. This activity is transparent to the user and does not need to be managed in any way. When the user requests to save and deploy configuration changes, Router MC automatically creates a job.
Workflow Disabled mode does not allow multiple users with the same user name and password to be logged into Router MC at the same time. If another user logs in with the same user name and password while you are working, your session will be terminated and you will have to log in again.
Comparison of Workflow Modes
Table 1-1 highlights the differences between the Workflow Enabled and Workflow Disabled modes.
Table 1-1 Comparison Between Workflow Enabled and Workflow Disabled Modes
| FAQ | Workflow Disabled Mode | Workflow Enabled Mode |
| What is the default mode for Router MC? | Default | Not default |
| How do I know which mode is currently selected? | • In Admin > System Settings, the Use Workflow Enabled mode check box is not selected. • The Deployment tab is present. | • In Admin > System Settings, the Use Workflow Enabled mode check box is selected. • The Workflow tab is present. |
| Must I create activities to make configuration changes? | No. Router MC automatically creates an activity when you log in. | Yes |
| Must I create jobs to deploy configurations to devices? | No | Yes |
| What are the differences in the tabs in the UI? | Deployment tab for viewing the status of the current deployment or for initiating deployment to the devices. | Workflow tab for management of activities and jobs. |
| How do I deploy my configuration changes to the devices? | Click the Save and Deploy icon in the Actions bar in the top right section of the page. | Go to Workflow > Job Management and create a job. |
| At what stage are the CLI commands for my configuration changes generated? | When deployment is initiated by clicking the Save and Deploy icon. | During the job creation process. |
| How do I delete my current changes? | Click the Undo Changes icon in the Actions bar in the top right section of the page. | Go to Workflow > Job Management and delete the current job. |
| Can multiple users log into Router MC at the same time? | Yes, but only if each one has a different username and password. Access to Router MC is discontinued if a user with the same username logs into Router MC. | Yes. Each user can open a different activity and make configuration changes. |
| What if another user is configuring the devices I want to configure? | You will receive a message indicating that the devices are locked by another activity. See Activities and Object Locking, page 1-3. | You will receive a message indicating that the devices are locked by another activity. See Activities and Object Locking, page 1-3. |
Changing the Workflow Mode
The default mode in Router MC is Workflow Disabled mode. If you have Administrator permissions, you can change the Workflow mode in the Admin tab, under System Settings. See Defining System Settings, page 1-1.
Note
When you change the Workflow mode, the change will take effect for all Router MC users working off the same server.
Important notes for changing from Workflow Enabled mode to Workflow Disabled mode:
• All activities with Editable status must be approved or deleted before you can switch to Workflow Disabled mode.
• All generated jobs must be deployed or rejected so that the locks on the devices in the jobs will be released.
• If you switch to Workflow Disabled mode and then you restore an earlier version of the database, the application will automatically revert to Workflow Enabled mode if the restored database had any activities in editable state. Approve or delete the editable activities, and then you can change to Workflow Disabled mode.
Procedure
Step 1
Select Admin > System Settings. The System Settings page appears.
Step 2
For Workflow Enabled mode, select the Use Workflow Enabled mode check box. For Workflow Disabled mode, deselect the Use Workflow Enabled mode check box.
Step 3
Click Apply.
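The change-control rules described for Workflow Enabled mode (activities, approval, jobs, device locks) and the preconditions listed above for switching back to Workflow Disabled mode can be modeled in a few lines. This is an added example, not Router MC code: the class and method names, the user names and the device name are hypothetical, and it assumes that approving an activity releases that activity's device locks.

```python
from dataclasses import dataclass, field

class WorkflowError(Exception):
    """An action that would bypass approval or a device lock."""

@dataclass
class Activity:
    owner: str
    devices: set = field(default_factory=set)
    status: str = "Editable"      # Editable -> Approved

@dataclass
class Job:
    devices: set
    status: str = "Generated"     # Generated -> Deployed or Rejected

class ChangeControl:
    """Toy model of Workflow Enabled mode; every name here is hypothetical."""

    def __init__(self, allow_self_approval=False):
        self.workflow_enabled = True
        self.allow_self_approval = allow_self_approval
        self.activities, self.jobs = {}, {}
        self.locks = {}         # device -> activity or job holding the lock
        self.committed = set()  # devices with approved (committed) changes

    def create_activity(self, name, owner):
        self.activities[name] = Activity(owner)

    def edit_device(self, activity, device):
        act = self.activities[activity]
        if act.status != "Editable":
            raise WorkflowError(f"{activity} is no longer editable")
        holder = self.locks.get(device, activity)
        if holder != activity:
            raise WorkflowError(f"{device} is locked by {holder}")
        self.locks[device] = activity
        act.devices.add(device)

    def approve_activity(self, activity, approver):
        act = self.activities[activity]
        if approver == act.owner and not self.allow_self_approval:
            raise WorkflowError("approval by a different user is required")
        act.status = "Approved"
        for device in act.devices:   # assumption: approval releases the locks
            self.locks.pop(device, None)
        self.committed |= act.devices

    def create_job(self, name, devices):
        devices = set(devices)
        if not devices <= self.committed:
            raise WorkflowError("job contains devices with no approved changes")
        busy = sorted(d for d in devices if d in self.locks)
        if busy:
            raise WorkflowError(f"devices locked: {busy}")
        for device in devices:
            self.locks[device] = f"job:{name}"
        self.jobs[name] = Job(devices)

    def resolve_job(self, name, outcome):   # outcome: "Deployed" or "Rejected"
        job = self.jobs[name]
        job.status = outcome
        for device in job.devices:   # deploying or rejecting releases the locks
            self.locks.pop(device, None)

    def disable_workflow(self):
        editable = sorted(n for n, a in self.activities.items() if a.status == "Editable")
        generated = sorted(n for n, j in self.jobs.items() if j.status == "Generated")
        if editable or generated:
            raise WorkflowError(f"editable activities {editable}, generated jobs {generated}")
        self.workflow_enabled = False

def attempt(action, *args):
    try:
        action(*args)
    except WorkflowError as exc:
        return f"blocked: {exc}"
    return "ok"

def demo():
    cc = ChangeControl()
    cc.create_activity("ike-update", "alice")
    cc.create_activity("acl-cleanup", "bob")
    return [attempt(*step) for step in (
        (cc.edit_device, "ike-update", "spoke-1"),
        (cc.edit_device, "acl-cleanup", "spoke-1"),    # locked by alice's activity
        (cc.create_job, "push-1", ["spoke-1"]),        # nothing approved yet
        (cc.approve_activity, "ike-update", "alice"),  # self-approval is off
        (cc.approve_activity, "ike-update", "carol"),
        (cc.disable_workflow,),                        # acl-cleanup still Editable
        (cc.approve_activity, "acl-cleanup", "carol"),
        (cc.create_job, "push-1", ["spoke-1"]),
        (cc.disable_workflow,),                        # push-1 still Generated
        (cc.resolve_job, "push-1", "Deployed"),
        (cc.disable_workflow,),
    )]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Constructing `ChangeControl(allow_self_approval=True)` models the setup in which the current user may approve their own activity.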
Understanding the Router MC User Taskflow
This section provides an overview of the sequence of steps you would typically perform to configure VPN and/or firewall policies and deploy them to your devices.
The required steps differ slightly depending on whether Workflow mode is enabled or disabled, as follows:
• Router MC User Taskflow (Workflow Disabled Mode)
• Router MC User Taskflow (Workflow Enabled Mode)
Router MC User Taskflow (Workflow Disabled Mode)
Figure 1-3 illustrates the end-to-end user taskflow for configuring VPN and firewall policies and deploying them to the relevant devices, when using Workflow Disabled mode (default).
Figure 1-3 Router MC User Taskflow in Workflow Disabled Mode
The following steps describe the basic Router MC user tasks when Workflow mode is disabled:
1. Create Device Groups: Best practice is to organize your devices in a hierarchy. When you create device groups, you divide your device inventory strategically to facilitate management and deployment. All devices within a device group can share common policies, which can be deployed to a set of devices at the same time, rather than individually. Device groups help you to keep a clear picture of the relationships between the devices in your network. See Understanding the Router MC Device Hierarchy, page 1-2.
2. Import Devices: When you import devices, you bring their device information into the device inventory, allowing you to manage the devices using Router MC. You can import device information by having Router MC query the devices directly or by importing device information that is contained in a file. See Importing Devices, page 1-12.
3. Define VPN and/or Firewall Settings:
– If you are configuring a VPN, you must specify the inside interfaces, internal networks, and VPN interfaces on the hub and spoke. You can also choose the method to be used for resiliency, either IKE keepalive or GRE. Additional VPN settings not covered in the basic user taskflow include more advanced configurations for GRE and packet fragmentation. See Working With General VPN Settings, page 1-2.
– If you are configuring firewall policies to be deployed to your devices, you must define the parameters required for implementing Context-Based Access Control (CBAC) and for defining access rules, such as fragmentation, timeouts, half-open connections, logging, and Access Control List (ACL) ranges. See Defining General Firewall Settings, page 1-2.
4. Define VPN Policies and/or Access Rules:
– For VPN policy configuration, you must define an IKE policy and a tunnel policy. The IKE policy defines a combination of security parameters to be used during IKE negotiation and authentication of peers. See Chapter 1, "Defining IKE Policies." A tunnel policy defines the VPN connection from a spoke to its assigned hub. Tunnel policies that you define on the spoke are then implemented on the hub. You can select the authentication and encryption algorithms that will be used to secure the traffic. See Chapter 1, "Defining VPN Tunnel Policies."
Note
Router MC provides predefined default IKE and tunnel policies that you can use if the policy definitions match your requirements.
– To define your network security policy for firewall policy configuration, you must use Access Rules. Access rules provide traffic filtering by enabling the implementation of ACLs and CBAC inspection rules on the devices' interfaces. See Configuring Firewall Access Rules, page 1-27.
5. Save and Deploy: Clicking the Save and Deploy icon saves your configurations and displays the Deployment wizard, allowing you to deploy the generated CLI commands to the relevant devices. See Chapter 1, "Deploying Configurations."
Router MC User Taskflow (Workflow Enabled Mode)
Figure 1-4 illustrates the end-to-end user taskflow for configuring VPN and firewall policies and deploying them to the relevant devices when using Workflow Enabled mode.
Figure 1-4 Router MC User Taskflow in Workflow Enabled Mode
The following steps describe the basic Router MC user tasks when Workflow mode is enabled.
1. Create an Activity: When Workflow mode is enabled, all device management and VPN configuration must be done within the context of an activity. When you create an activity, you prepare a proposal to create or change VPN or firewall configurations on specific devices. This proposal must be approved before configurations can be deployed to the devices. See Chapter 1, "Working with Activities."
2. Create Device Groups: Best practice is to organize your devices in a hierarchy. When you create device groups, you divide your device inventory strategically to facilitate management and deployment. All devices within a device group can share common policies, which can be deployed to a set of devices at the same time, rather than individually. Device groups help you to keep a clear picture of the relationships between the devices in your network. See Understanding the Router MC Device Hierarchy, page 1-2.
3. Import Devices: When you import devices, you bring their device information into the device inventory, allowing you to manage the devices using Router MC. You can import device information by having Router MC query the devices directly or by importing device information that is contained in a file. See Importing Devices, page 1-12.
4. Define VPN and/or Firewall Settings:
– If you are configuring a VPN, you must specify the inside interfaces, internal networks, and VPN interfaces on the hub and spoke. You can also choose the method to be used for resiliency, either IKE keepalive or GRE. Additional VPN settings not covered in the basic user taskflow include more advanced configurations for GRE and packet fragmentation. See Working With General VPN Settings, page 1-2.
– If you are configuring firewall policies to be deployed to your devices, you must define the parameters required for implementing Context-Based Access Control (CBAC) and for defining access rules, such as fragmentation, timeouts, half-open connections, logging, and Access Control List (ACL) ranges. See Defining General Firewall Settings, page 1-2.
5. Define VPN Policies and/or Access Rules:
– For VPN policy configuration, you must define an IKE policy and a tunnel policy. The IKE policy defines a combination of security parameters to be used during IKE negotiation and authentication of peers. See Chapter 1, "Defining IKE Policies." A tunnel policy defines the VPN connection from a spoke to its assigned hub. Tunnel policies that you define on the spoke are then implemented on the hub. You can select the authentication and encryption algorithms that will be used to secure the traffic. See Chapter 1, "Defining VPN Tunnel Policies."
Note
Router MC provides predefined default IKE and tunnel policies that you can use if the policy definitions match your requirements.
– To define your network security policy for firewall policy configuration, you must use Access Rules. Access rules provide traffic filtering by enabling the implementation of ACLs and CBAC inspection rules on the devices' interfaces. See Configuring Firewall Access Rules, page 1-27.
6. Approve Your Activity: Upon completing your VPN or firewall configurations, the activity must be approved before the configurations are committed to the database and can be deployed. See Chapter 1, "Working with Activities."
7. Create and Deploy a Job: When you create a job, you specify the devices or device groups to which you want to deploy the configurations, and you choose whether to deploy directly to your devices or to files. CLI commands are generated according to your configurations and you can view them before deployment. See Chapter 1, "Deploying Configurations."
Working With the Router MC User Interface
The following topics will familiarize you with the Router MC user interface:
• The Router MC Home Page
• Getting to Know the Router MC Tabs
• Understanding the Router MC Pages
• Using Router MC Tables
• Using Router MC Wizards
• Using the Object Selector
• Managing Java Plug-In Security Warnings
The Router MC Home Page
The Router MC Home page is the main page of the application (see Figure 1-5). It opens after you have logged into the CiscoWorks desktop, and selected VPN/Security Management Solution > Management Center > VPN Routers from the navigation tree in the desktop.
Figure 1-5 Router MC Home Page
Taskflow Diagram on Home Page
The Router MC Home page provides an overview of the application, and a taskflow to help you get up and running quickly with Router MC.
The taskflow takes you through all the steps required for overall VPN or firewall configuration, from importing your devices through deployment. By clicking each icon in the taskflow diagram, you can move directly to the relevant page in the application for performing the required task. At any point you can return to the taskflow by clicking the Home link at the top of each page.
Table 1-2 describes the Router MC Home Page taskflow diagram.
Note
The taskflow differs depending on whether Workflow mode is enabled or disabled.
Table 1-2 Router MC Home Page Taskflow
| Icon | Description |
| (icon) | Available only if Workflow mode is enabled. Click to open the Activity Management page that lets you create and manage an activity. See Managing Activities, page 1-7. |
| (icon) | Click to open the Devices tab that contains options for importing and managing your devices. See Devices Tab. |
| (icon) | Click to open the Configuration tab that contains options for configuring VPN and firewall settings and policies. See Configuration Tab. |
| (icon) | Available only if Workflow mode is enabled. Click to open the Jobs page that lets you view a list of jobs and their statuses, create new jobs, and deploy jobs. See Managing Jobs, page 1-13. |
Getting to Know the Router MC Tabs
The Router MC tabs provide access to the product's functionality.
The following topics describe the tabs in Router MC:
• Devices Tab
• Configuration Tab
• Deployment Tab
• Workflow Tab
• Reports Tab
• Admin Tab
Devices Tab
The Devices tab contains options that enable you to manage your device hierarchy by importing devices, creating device groups, and moving or deleting devices and groups. It also contains a taskflow that leads you through the recommended device management steps (see Taskflow Diagram in Devices Tab).
The options bar displays the following options:
• Device Hierarchy: Use this option to view your device hierarchy, create device groups, and move or delete devices/groups.
• Device Import: Use this option to import devices into the Router MC device hierarchy, and re-import devices, if necessary.
• Credentials: Use this option to edit credentials for selected devices or synchronize credentials for all the devices in a specified CSV file.
See Chapter 1, "Managing Devices" for more information.
Taskflow Diagram in Devices Tab
The Devices tab provides a taskflow that leads you easily through the steps required to manage your devices. By clicking each icon in the taskflow diagram, you can move directly to the relevant page for performing the required task. At any point, you can return to the Devices taskflow by clicking the Devices tab.
Table 1-3 describes the Devices taskflow diagram.
Table 1-3 Devices Taskflow
| Icon | Description |
| (icon) | Click to open the Create Device Group dialog box that lets you create device groups and HA groups, into which you import your devices. See Creating a Device Group/HA Group, page 1-10. |
| (icon) | Click to open the first page of the Import wizard that lets you import your devices into Router MC. See Accessing the Import Wizard, page 1-14. |
| (icon) | Click to open the Configuration tab that contains options for configuring VPN and firewall settings and policies on your devices. See Configuration Tab. |
Configuration Tab
The Configuration tab contains options that enable you to configure VPN and firewall settings and policies for deployment to your devices. It also contains a taskflow that leads you through the recommended VPN and firewall configuration steps (see Taskflow Diagrams in Configuration Tab).
The options bar displays the following options:
• Settings: Use this option to define VPN and firewall settings that provide a framework for network behavior and policy implementation. Configurable VPN settings include failover and routing and fragmentation settings, and the interfaces on the hubs and spokes to be used for VPN connections. See Chapter 1, "Configuring VPN Settings" for more information.
Firewall settings include the parameters required for implementing CBAC and for defining access rules. See Defining General Firewall Settings, page 1-2 for more information.
• Access Rules: Use this option to create access rules that define whether specific traffic flows on an interface should be permitted, denied, or inspected. See Configuring Firewall Access Rules, page 1-27 for more information.
• IKE: Use this option to create and manage IKE policies and to define preshared keys and CA enrollment parameters. See Chapter 1, "Defining IKE Policies" for more information.
• Tunnels: Use this option to create and manage IPSec tunnel policies. See Chapter 1, "Defining VPN Tunnel Policies" for more information.
• Translation Rules: Use this option to define address pools and traffic filters for Network Address Translation (NAT). See Chapter 1, "Configuring Translation Rules" for more information.
• Building Blocks: Use this option to create network groups, service groups, and transform sets, which are reusable named components that can be referenced by multiple policies. See Chapter 1, "Working with Building Blocks" for more information.
• Upload: Use this option to transfer existing configurations on a device to a selected object in Router MC. See Chapter 1, "Uploading Device Configurations" for more information.
• View Configs: Use this option to preview the CLI commands generated for a device according to your policy definitions. See Viewing Device Configurations, page 1-30 for more information.
Taskflow Diagrams in Configuration Tab
The Configuration tab provides two taskflows: one that leads you through the steps required for basic VPN configuration, and another for basic firewall configuration. By clicking each icon in a taskflow diagram, you can move directly to the relevant page for performing the required task. At any point, you can return to the taskflows by clicking the Configuration tab.
Note
The currently selected object is also displayed. You can change the object selection by clicking the icon. The object selector opens. See Using the Object Selector.
The following tables describe the basic VPN and firewall configuration taskflow diagrams.
Table 1-4 Basic VPN Configuration Taskflow
| Icon | Description |
| (icon) | Click to open the Spoke Inside Interfaces page in which you select the interfaces on the spoke that will serve as inside interfaces. See Specifying a Spoke's Inside Interfaces, page 1-31. |
| (icon) | Click to open the Spoke VPN Interface page in which you select which of the spoke's interfaces to use as the VPN interface. See Specifying a Spoke's VPN Interface, page 1-35. |
| (icon) | Click to open the Hub Assignment page in which you specify which hub will serve as the IPSec peer for each of your spokes, and the interface on the hub that will be the tunnel endpoint interface. See Specifying a Spoke's Hub Assignment, page 1-40. |
| (icon) | Click to open the Hub Inside Interfaces page in which you select the hub's interfaces that will function as the inside interfaces. See Specifying a Hub's Inside Interfaces, page 1-20. |
| (icon) | Click to open the Failover and Routing page for defining a resiliency method to be used on your devices. See Understanding Failover and Routing, page 1-2. |
| (icon) | Click to view a summary of your VPN policies. This summary indicates which policies have already been defined, and lets you access each policy to view and edit it, if required. |
Table 1-5 Basic Firewall Configuration Taskflow
| Icon | Description |
| (icon) | Click to open the Access rules Parameters page in the Access Rules wizard, for creating an access rule that will enable the implementation of ACLs and CBAC inspection rules on your devices' interfaces. See Defining the Parameters for the Access Rule, page 1-36. |
| (icon) | Click to view a summary of your firewall policies. A dialog box opens, indicating which firewall policies have already been defined. From this dialog box, you can also access each policy to view and edit it, if required. |
If Workflow mode is disabled, when you have completed your VPN or firewall configuration steps, you simply click on the Save and Deploy icon to save your configurations and deploy them. See Deploying Configurations to Devices (Workflow Disabled Mode), page 1-3.
If Workflow mode is enabled, when you have completed your VPN or firewall configuration steps, you must approve your activity and then deploy your job. See Deploying a Job, page 1-23.
Deployment Tab
The Deployment tab is only visible when Workflow mode is disabled. It contains options that enable you to view the deployment status of your VPN and firewall policies, and the CLI commands that will be deployed to your devices.
Note
If you want to save and deploy any configuration changes you have made, click the Save and Deploy icon at the top of the Deployment tab.
The options bar displays the following options:
• Deployment Status: Use this option to view a summary of the status of your deployments, such as deploying, deployed, rejected, and so forth. See Viewing Deployment Status Information (Workflow Disabled Mode), page 1-5.
• View Configs: Use this option to view the CLI commands that will be written to your devices (or to configuration files) to implement your VPN and firewall definitions. See Viewing Device Configurations (Workflow Disabled Mode), page 1-8.
Workflow Tab
The Workflow tab is only visible if Workflow mode is enabled. It contains the options that enable you to create and manage activities, create and manage jobs, view the CLI commands generated for a job, and display the status of devices in a deployment job.
The options bar displays the following options:
• Activity Management: Use this option to create and manage activities. If Workflow mode is enabled, all device management and configuration tasks must be done within the context of an activity. When an activity is approved, its policy definitions and configurations are committed and can be deployed to the devices. See Chapter 1, "Working with Activities" for more information.
• Job Management: Use this option to view a list of deployment jobs and their statuses, create new jobs, and deploy jobs. See Managing Jobs, page 1-13 for more information.
• Status: Use this option to view the deployment status of a job and of each device in the job relative to the job status. See Viewing a Job's Deployment Status, page 1-27 for more information.
• View Configs: Use this option to view the CLI commands that will be written to your devices (or to configuration files) to implement your VPN and firewall definitions. See Viewing Device Configurations, page 1-30 for more information.
Reports Tab
The Reports tab contains the options that enable you to view reports on various Router MC functions.
The options bar displays the following options:
• Deployment: Use this option to view the deployment status of all the devices managed by Router MC.
• Activities: Use this option to view all existing active activities and information about each one.
• Audit Trail: Use this option to generate an audit trail report to track past events that occurred in Router MC, such as inventory or policy changes.
• Hub-Spoke Assignment: Use this option to generate a report showing the spokes assigned to all hubs in the system, or to selected hubs.
See Chapter 1, "Viewing Reports" for more information.
Admin Tab
The Admin tab contains the options that enable administrators to define overall system settings, configure the settings that affect the performance and behavior of the Router MC application, and the Auto Update Server (AUS) settings.
The options bar displays the following options:
• System Settings: Use this option to change the Router MC system settings, such as enabling Workflow mode, activity and job approval settings, and settings for historical jobs and activities.
• Configuration Support Settings: Use this option to define various Router MC configuration settings, such as the GRE routing range and dialer interface ranges.
• Auto Update Server Settings: Use this option to specify the location of the AUS server and provide AUS contact information for Router MC.
See Chapter 1, "Router MC Administration" for more information.
Understanding the Router MC Pages
All the pages in the web-based Router MC user interface have a consistent look and feel. Figure 1-6 shows an example of the user interface.
Figure 1-6 Router MC User Interface Elements
Table 1-6 describes the common elements in the Router MC user interface.
Table 1-6 Router MC User Interface Elements
| Number | Area | Description |
| 1 | Path bar | Provides a context for the displayed page. Shows the navigation path to the displayed page. |
| 2 | Tab | Provides access to Router MC features. See Getting to Know the Router MC Tabs. |
| 3 | Options bar | Displays the options available for the selected tab. |
| 4 | Actions bar | Visible only when Workflow mode is disabled, on the Home, Devices and Configuration pages. See Table 1-7 for a description of each icon in the Actions bar. |
|  | Activity bar | Visible only when Workflow mode is enabled, on the Home, Devices and Configuration pages. Displays activity icons that change depending on what state the activity is in. If you haven't yet opened an activity, the Activity bar displays "none" and two icons. See Table 1-8 for a description of each icon in the Activity bar. |
| 4 | Activity bar | If you are already working in an activity, the activity bar displays the name of the current activity and the following icons: For more information on activities, see Managing Activities, page 1-7. |
| 5 | Tools | Contains the Home, Close, Help, and About links. • Home: Returns you to the Router MC application's home page, from anywhere in the application. See The Router MC Home Page. • Close: Exits the Router MC application, returning you to the CiscoWorks Desktop window. Any open activities will be closed. You do not need to log in again to open a new Router MC page with a new session. To end your CiscoWorks session, click Logout in the CiscoWorks Desktop window. • Help: Opens a new window that displays context-sensitive help for the displayed page. From this window, you can also access the overall help contents, index, and search tool. • About: Displays the Router MC version and copyright. |
| 6 | Instructions box | Provides an overview of the tasks you can perform on the page. |
| 7 | Page | Displays the area in which you perform application tasks. |
| 8 | Object bar | Displays the object selected in the Object Selector. |
| 9 | Object Selector | Shows a hierarchy of the objects (devices and device groups) that are in your device inventory, and lets you select objects to configure. |
Table 1-7 Description of Icons in Actions Bar
| Icon | Description |
|  | Save and Deploy: Generates configurations for devices and allows you to deploy them. |
|  | Undo Changes: Discards all changes to configurations and device inventories since the last save. |
|  | View Details: Opens a dialog box that displays the changes made to configurations and device inventories since the last save. |
Table 1-8 Description of Icons in Activity Bar
| Icon | Description |
|  | Add New Activity: Opens a dialog box that lets you create an activity. |
|  | Open An Activity: Opens a dialog box that lets you open an existing activity. |
|  | Approve Activity: Opens a dialog box that lets you commit the activity's configurations to the database so that they can be deployed. (Available only if the submission step of the activity workflow is disabled and you have the authority to approve configurations.) |
|  | Submit Activity: Opens a dialog box that lets you submit an activity for approval. (Available only if the submission step of the activity workflow is enabled and you have the authority to submit configurations.) |
|  | Reject Activity: Opens a dialog box that lets you prevent an activity's configurations from being committed to the database. (Available only if you have the authority to approve configurations.) |
|  | Delete Activity: Deletes the current activity, after confirmation. |
|  | Lock Current Object: Locks the currently selected object in the activity. |
|  | Close Activity: Opens a dialog box that lets you close or approve the activity. |
|  | View Details: Opens a dialog box that lets you view a history of the current activity. |
Using Router MC Tables
In Router MC, lists of items are displayed in tables. A table consists of column headers with column titles, rows containing information for each item in the table, a table footer with the table action buttons, and one or more table pages containing the table contents. Figure 1-7 shows an example of a table.
Figure 1-7 Router MC Table Elements
Each editable row contains a check box for selecting an item, followed by information specific to the item. This information is organized by category in columns.
Where relevant, you can select specific items in the list, or you can select all items by selecting the check box located in the column heading row.
Action buttons initiate actions or commands for the page. In general, you must select a table item before you click the required action button. (Some actions do not require any item selection, for example, creating a new item.) Buttons that are not relevant, or for which you do not have permissions, are grayed out.
You can change the table display in the following ways:
• Change the number of rows you want to display on a table page. Select the number of rows in the Rows per page list box in the table footer.
• Scroll up or down the table and view items on previous or subsequent pages, respectively. Click the << button before the current page number to return to the previous page, or click the >> button after the current page number to go to the next page.
Using Router MC Wizards
Router MC wizards guide you through the steps required to complete specific tasks in Router MC. Figure 1-8 shows an example of a page in a wizard.
Figure 1-8 Router MC Wizard Elements
Table 1-9 describes the common elements in a Router MC wizard.
Table 1-9 Router MC Wizard Elements
| Number | Element | Description |
| 1 | TOC | The TOC or table of contents lists the steps in the wizard. When editing a policy, these steps allow quick navigation to a specific wizard step or field. Note: The Summary step in the TOC is not available if the Show Summary Step in Wizards check box in the System Settings page is deselected. See Defining System Settings, page 1-1. |
| 2 | Wizard page | A wizard page represents one step in an ordered list of steps, and provides the area in which you work. |
| 3 | Action buttons | Action buttons allow you to navigate through the wizard and to finish or cancel the wizard. The availability of these buttons depends on the current step. If a button is not available, it will be grayed out. |
The following describes when the action buttons can be used:
• The first and last steps in a wizard will have grayed out Back and Next buttons, respectively.
• If you want to exit the wizard without saving any changes, click the Cancel button.
• The Finish button is only available in the last step of a wizard. Click Finish to submit your changes and then exit the wizard. The settings that you define or edit are applied only when you click the Finish button.
Note
Whenever a wizard is open, all navigation options that are not relevant to the wizard are disabled. Router MC requires that you either finish a wizard, or cancel it. If you click a tab or button outside the scope of the current wizard task, an error message will remind you to first cancel or finish the wizard.
Using the Object Selector
The Object Selector is located along the left side of the Router MC page. It shows the hierarchy of device groups and devices that you are managing with Router MC, and lets you select an object, or objects, for configuration (see Figure 1-9).
The Object Selector is based on a framework of folders, subfolders, and their contents. Click the + icon next to the folder or subfolder to expand its contents. Click the - icon to collapse its contents. The Global folder contains either a list of all the devices imported into the application, or a tree view of all the devices organized into device group subfolders. Individual devices constitute the lowest level of contents possible within a folder or a subfolder.
When an object is selected, its name appears in the object bar of the displayed page (see Figure 1-6). If you have not selected an object, Global shows as the default in the object bar, meaning that any new or changed configurations will be applied to all objects within the hierarchy.
Figure 1-9 Object Selector
Table 1-10 describes the elements in the Object Selector.
Table 1-10 Router MC Object Selector Elements
| Number | Element | Description |
| 1 | Object Selector bar | Opens and closes the Object Selector. When closed, the Object Selector appears as a narrow green bar with a red right-facing arrow. Click this bar to open the Object Selector. When opened, the Object Selector appears as shown in Figure 1-9. After it is opened, you can click on the green bar again to close the Object Selector. |
| 2 | Global folder | Contains the available groups and devices in your device inventory, in a hierarchy. |
| 3 | Device group subfolder | Contains devices and/or subgroups. |
| 4 | Device | The individual object contained in the group or subgroup. |
Each device or device group is represented in the device hierarchy by an icon. The icon indicates the type of device or device group, as shown in Table 1-11.
Note
If you point with your mouse to any individual device in the Object Selector or the device hierarchy in the Devices tab, a tool tip displays the device type.
Table 1-11 Description of Icons in Device Hierarchy
| Icon | Description |
|  | Hub |
|  | Spoke |
|  | Unmanaged spoke |
|  | Firewall |
|  | Firewall and hub |
|  | Firewall and spoke |
|  | Device group |
|  | HA group (folder open) |
Managing Java Plug-In Security Warnings
If you are working with Java plug-in 1.4.x, you might get the following security warning when you first navigate to a page that uses the Object Selector:
Click Yes or Always in the security warning popup to accept the certificate; otherwise, you will not be able to work with Router MC. If you click Always, you will not get the warning again. If you click Yes, you will be able to continue working with Router MC, but you will get the warning again the next time you log into Router MC and start navigating. Closing the popup or pressing Esc is the same as refusing the certificate.
Note
Do not try to navigate to another page or perform any action in Router MC while the security warning popup is loading; otherwise, the browser might freeze. Wait a few seconds for the popup to load, accept the certificate, and then continue working.
Preparing the Router MC Working Environment (Administrators)
Administrators can set up Router MC according to the requirements of the organization. Consider the following questions when setting up Router MC:
• How will users be authenticated and authorized?
Authentication and authorization for Router MC are managed either by the CiscoWorks server or by the Cisco Secure Access Control Server (ACS). By default, authentication and authorization are managed by CiscoWorks. See Appendix A, "Router MC User Permissions" for more information.
• Which Workflow mode is appropriate for your organization?
Router MC provides two modes of operation that allow adaptation for different organizational working environments: Workflow Enabled mode and Workflow Disabled mode. See Understanding Router MC Workflow Modes for more information.
• Does your organization have an existing VPN setup?
If you have an existing VPN setup and you are now migrating to Router MC, by default your VPN configurations will remain intact. If you do not want to maintain your existing VPN configurations, you can set up Router MC to remove them and deploy only the new CLI commands. You can do this by disabling an option in the Configuration Support Settings under the Admin tab. See Defining Configuration Support Settings, page 1-3 for more information.
• Do you want Router MC to manage preshared keys only?
If you have an existing IPSec setup, you can set up Router MC to manage only the preshared keys on your devices. In this way, you can change the preshared keys on multiple devices simultaneously, without having to configure any VPN settings or policies. See Using Router MC for Preshared Key Management Only, page 1-22 for more information.
• Will Router MC be used to manage dynamically addressed devices?
If you intend to manage spokes that have dynamic IP addresses, you must set up Router MC to work with Auto Update Server (AUS). Router MC polls AUS for the device IP address and interface names. See Defining the Auto Update Server (AUS) Settings, page 1-5 for more information.