Using Management Center for VPN Routers 1.3
Introduction

Table Of Contents

Introduction
    What is Router MC?
        What's New in Router MC 1.3?
        Router MC Features
        Router MC 1.3 Supported Devices
    Basic Concepts in Router MC
        Hub-and-Spoke Topology
        VPN and Firewall Policies
        Device Hierarchy and Inheritance
        Workflow Modes
        Activities
        Jobs
        Building Blocks
        Device Import
        Upload of Existing Policies on Devices into Router MC
    Supported Tunneling Technologies
    Router MC Integration with CiscoWorks Common Services
    Prerequisites for Working with Router MC


Introduction


The following topics provide an overview of Management Center for VPN Routers (Router MC):

What is Router MC?

Basic Concepts in Router MC

Supported Tunneling Technologies

Router MC Integration with CiscoWorks Common Services

Prerequisites for Working with Router MC

What is Router MC?

Router MC is a web-based application designed for large-scale management of VPN and firewall configurations on Cisco routers.

Router MC enables the setup and maintenance of VPN connections between multiple Cisco VPN router devices, in a hub-and-spoke topology (see Hub-and-Spoke Topology). It enables you to provision all of the critical connectivity, security, and performance parameters of a site-to-site VPN, quickly and easily. Router MC allows for easy migration from leased line connections to Internet or Intranet-based VPN connections. It also allows for the overlay of a VPN over a Frame Relay network for added security.

Router MC also enables the configuration of IOS routers to function as firewall devices.

Router MC is scalable to a large number of devices. Its hierarchical device grouping and policy inheritance features enable the configuration of multiple like devices simultaneously, instead of having to configure each device individually. It also uses reusable policy components that can be referenced across multiple connections.

Router MC translates the configurations into CLI commands and either deploys them directly to the devices in the network, or to a configuration file for each router.

What's New in Router MC 1.3?

Router MC 1.3 provides the following new features:

GRE configuration for devices with dynamic IP addresses. See Understanding GRE Configuration for Dynamically Addressed Spokes, page 1-8.

Dial backup configuration for primary link failover. See Configuring Dial Backup, page 1-43.

Filtering by protocol and port when creating a tunnel policy. See Defining a Traffic Filter, page 1-10.

Additional firewall configuration features:

Support for authentication proxy in firewall configuration. See Defining Authentication Proxy Settings, page 1-18 and Configuring Authentication Proxy Access Rules, page 1-55.

URL filtering for HTTP traffic using N2H2 or Websense. See Defining URL Filtering, page 1-20 and Defining the Inspect Action's Parameters, page 1-42.

Additional predefined services for CBAC inspection, including Skinny, SIP, RTSP, and ICMP. See Defining the Parameters for the Access Rule, page 1-36.

ICMP qualifier messages for the ICMP protocol that can be selected as a service when creating an access rule. See Specifying Protocol and Ports, page 1-24.

Enhanced access rule definition that includes the option to have Router MC create an additional ACL to permit inspected traffic from a specific source and destination. See Defining the Parameters for the Access Rule, page 1-36.

ACL logging—logging of all filtered traffic that matches the access rule to an external Syslog server. See Defining the Parameters for the Access Rule, page 1-36.

Router MC now keeps existing security-related CLI commands that were not configured using Router MC on the devices, instead of removing them and creating new Router MC-specific commands. This enables you to add devices to an existing network and manage them with Router MC without affecting the policies that are already defined in your network. This is now the default behavior of Router MC; however, you can set the application to remove existing policies and replace them with Router MC-generated CLI commands, if required. See Defining Configuration Support Settings, page 1-3.

Support for preshared key management only. Router MC can be set up to manage only preshared keys on your devices, and no other policies. See Using Router MC for Preshared Key Management Only, page 1-22.

The default working mode is now Workflow Disabled mode. In this mode, there is no need to create an activity before making configuration changes or to create a job before deploying policies to your devices. See Understanding Router MC Workflow Modes, page 1-5.

Router MC now provides hot-linked taskflow diagrams that lead you through all the steps required for VPN or firewall configuration, from importing your devices through deployment. By clicking each icon in the taskflow diagram, you can move directly to the relevant page in the application to perform the required task. See Taskflow Diagram on Home Page, page 1-16, Taskflow Diagram in Devices Tab, page 1-18, and Taskflow Diagrams in Configuration Tab, page 1-20.

Router MC provides the following default policies on the Global level:

Failover and routing: IKE Keepalive.

Preshared key: Auto-generated key, main mode address.

Tunnel policy: Transform set with 3DES and SHA, and an ACL that permits (tunnels) all traffic between the internal networks and inside interfaces on the peers, in both directions.

IKE policy: 3DES, SHA.

Router MC now enables the configuration of global lifetime settings for the crypto IPSec security association (SA). See Defining the IPSec Lifetime, page 1-25.

Support for 1711/1712 devices with inside VLAN interfaces.

Router MC Features

Table 1-1 highlights the main features and benefits of Router MC (it is not a comprehensive list of features).

Table 1-1 Router MC Features (each feature is followed by its description)

Scalable configuration of multiple devices simultaneously.
    You can define policies globally for your entire network or at a group level so that they apply to a set of devices, rather than having to configure each device individually. Changes can be made at the device level, if desired.

Optimized to support a large number of devices.
    Router MC uses device grouping and reusable policy components to enable VPN and firewall configuration that scales to hundreds of devices.

Enables configuration of VPN policies, firewall policies, or both.
    Router MC supports the configuration of a VPN in a hub-and-spoke topology. It also supports the configuration of firewall functionality and access rules on Cisco IOS routers.

Provides default global policies.
    Router MC provides default failover and routing, preshared key, tunnel, and IKE policies. You can change these policies or define new policies, as required.

Simplified policy definition.
    Router MC simplifies the creation of complex configurations by providing a wizard-based interface that steps you through the creation of IKE policies, tunnel policies, transform sets, access rules, and other policies.

Translation of policies to CLI commands.
    Router MC provides a web-based interface for configuring and managing VPN and firewall policies, without requiring CLI command knowledge. Policies are translated to CLI commands, which are deployed to the devices.

Inference of hub configuration from spoke policies.
    IKE and tunnel policies are defined on spokes only. The hub commands required to implement the VPN connection are inferred from the policies on the spoke and automatically written to the relevant hub.

Ability to preview the CLI commands generated by Router MC.
    Router MC allows you to view the CLI commands generated for your VPN configurations that will be deployed to your devices. You can preview these commands at the configuration stage and at the deployment stage.

Enhanced resiliency in VPN.
    Router MC supports the configuration of a VPN in a hub-and-spoke topology, where a secondary hub might be used for resiliency in the event of primary hub failure. Furthermore, Router MC supports the use of HSRP for hub high availability, and allows for stateful failover between hubs.

IKE Keepalive or GRE for failover and routing.
    In a two-hub topology, IKE Keepalive is the default failover mechanism. Router MC also supports GRE with EIGRP or OSPF routing protocols, for enhanced resiliency and routing functionality.

Split tunneling based on ACLs.
    Router MC enables you to create filters (ACLs) to designate a specific flow of traffic to be secured in your IPSec tunnels. Packets that match the ACL will be secured in the tunnel, while other traffic on the interface will flow unsecured.

Support for NAT configuration on spokes.
    NAT can be enabled on spokes when internal private network addresses must be converted into legal addresses for transmission of packets over the Internet.

Import of device information by direct device discovery or from a file.
    To import device information into Router MC, the application can query the physical devices if you specify each device's IP address or host name and password, or if you provide a CSV file. Alternatively, Router MC can read device information from one or more files in a specified directory on the server. For Greenfield deployment, where the devices do not yet exist in your network, you can create configuration files using a tool such as Cisco ConfigMaker, and export the files to a directory for import into Router MC.

Deployment of configurations directly to devices or to files.
    Router MC can deploy your configurations directly to your devices in the form of CLI commands, or it can generate files containing the relevant CLI commands that you can write to your devices at a later stage. The ability to deploy to a file enables you to define VPN configurations for devices that do not yet exist in your network (Greenfield deployment).

Support for dynamically addressed devices.
    Router MC supports the management of devices with dynamically assigned IP addresses.

Deployment of configurations to a group of devices or to a single device.
    Router MC provides flexible deployment options, enabling you to deploy to a group of devices simultaneously, or to individual devices.

Rollback.
    Router MC allows you to return to the devices' previous configuration if you are not satisfied with the configuration after deployment of VPN policies.

Upload of existing configurations.
    The upload feature enables you to bring certain VPN or firewall configurations that exist on your devices into the Router MC user interface. It also allows you to copy certain VPN or firewall settings and policies from one device to other devices.

Reporting of configuration and deployment status.
    Router MC provides reports indicating the current deployment status of all devices in your device inventory. It also allows you to view the current configurations on the devices and the incremental configurations resulting from policy definition.

Spoke-to-spoke connectivity.
    When GRE is enabled, two or more spokes can transfer data to each other over the GRE tunnel, through the hub. In addition, when DMVPN is enabled, direct spoke-to-spoke communication can be achieved, without the need to go through the hub. This creates a full mesh topology.

Support for Frame Relay networks.
    Router MC provides the ability to deploy a hub-and-spoke VPN configuration over a Frame Relay network.


Router MC 1.3 Supported Devices

Updated information about the Cisco IOS routers and minimum IOS software versions supported by Router MC 1.3 is maintained on Cisco.com.

Log into Cisco.com, then select Products & Services > Network Management CiscoWorks > CiscoWorks Management Center for VPN Routers > Technical Documentation > Device Support Tables.

Basic Concepts in Router MC

The following topics describe the key concepts used in Router MC:

Hub-and-Spoke Topology

VPN and Firewall Policies

Device Hierarchy and Inheritance

Activities

Jobs

Building Blocks

Device Import

Upload of Existing Policies on Devices into Router MC

Hub-and-Spoke Topology

In a hub-and-spoke VPN topology, multiple remote devices (spokes) communicate securely with a central device (hub). A separate, secured tunnel extends between the centralized hub and each of the individual spokes. See Figure 1-1.

This topology is usually representative of an Intranet VPN that connects an enterprise's main and branch office locations using persistent connections to a third-party network or the Internet. VPNs in a hub-and-spoke topology make it easy and affordable to provide all employees with full access to the enterprise network, regardless of the size, number, or location of its remote operations.

In Router MC, a hub refers to a Cisco IOS VPN-enabled router, generally located at an enterprise's main office. Spokes are also routers, generally located at an enterprise's branch offices.

Following are the general characteristics of a hub-and-spoke topology:

Geographically dispersed remote sites (branch offices), where spokes are located.

One site designated as the "central" or "corporate" site (main office), where the hub(s) is located. The spokes at the branch offices connect to the hub(s) at the main office.

Hubs are typically located within topologically complex sites.

Spokes are typically located within very simple sites with one or more subnets.

There is no direct connectivity between spokes (traffic could route from spoke to spoke through the hub).

The majority of traffic is initiated by hosts at the spoke site, but some traffic might be initiated from the central site to the spokes.

Figure 1-1 Hub-and-spoke topology

VPN and Firewall Policies

In Router MC, you configure policies that define the VPN or firewall functionality you want on your devices. Router MC translates your policies into CLI commands that can be deployed to the relevant devices.

Policies include:

VPN Settings: VPN settings and policies that provide a framework for network behavior and VPN policy implementation. VPN settings include selection of failover method and routing protocol, packet fragmentation settings, specification of internal networks and inside interfaces for hubs and spokes, and hub assignment for spokes. See Configuring VPN Settings, page 1-1 for more information.

Firewall Settings: Parameters that define the framework for implementing Context-Based Access Control (CBAC) and access rules for firewall functionality. See Working with Hub Settings, page 1-19 for more information.

Access Rules: Access rules enable IOS routers to be used as firewall devices. They define specific traffic flows and whether to permit, deny or inspect these flows when they are detected on an interface. Access rules defined in Router MC are implemented on the devices' interfaces as Access Control Lists (ACLs) and Context Based Access Control (CBAC) inspection rules. See Understanding Access Rules, page 1-27 for more information.

IKE Policies: Define the combination of security parameters to be used during IKE negotiation between two IPSec peers, including the encryption and authentication algorithms, and the Diffie-Hellman group identifier. See Defining IKE Policies, page 1-1 for more information.

Tunnel Policies: Define what data will be securely transmitted through the tunnel (crypto ACL), and which authentication and encryption algorithms will be applied to the data to ensure its authenticity, integrity, and confidentiality (transform set).

In Router MC, tunnel policies are defined on spokes. Router MC generates the relevant CLI commands for the spoke and also automatically adds matching policies on the spoke's corresponding hub so that the VPN connection between the peers can be established. If you always deploy to both peers of the VPN connection together, Router MC will ensure compatible policy configuration.

See Defining VPN Tunnel Policies, page 1-1 for more information.

Network Address Translation (NAT) Policies: Enable the devices in your secured private network to access outside networks for nonconfidential purposes without monopolizing the resources required for VPN connections. See Configuring Translation Rules, page 1-1 for more information.
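The default tunnel policy, the inference of the hub's configuration from the spoke's policy, and ACL-based split tunneling can all be seen on one small crypto ACL. The following Python is an added example, not Router MC's code or its generated output: it expands "all traffic between the internal networks" into spoke crypto ACL entries, derives the mirrored hub entries, checks that the two peers agree, and classifies flows as tunneled or clear. The sample networks, the ACL number and all function names are constructed assumptions, and inside-interface addresses are left out for brevity.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (source, destination)

# Constructed sample topology (assumption, not a real inventory): networks behind each peer.
SPOKE_INTERNAL = ["10.20.0.0/16"]
HUB_INTERNAL = ["10.0.0.0/16", "172.16.5.0/24"]
ACL_NUMBER = 101  # assumed extended ACL number referenced by the crypto map


def tunnel_entries(local_nets: List[str], remote_nets: List[str]) -> List[Entry]:
    """Expand "all traffic between the internal networks" into one permit entry
    per local/remote network pair, as seen from the peer whose ACL this is."""
    return [(ipaddress.IPv4Network(loc), ipaddress.IPv4Network(rem))
            for loc in local_nets for rem in remote_nets]


def mirror(entries: List[Entry]) -> List[Entry]:
    """Hub-side entries inferred from the spoke policy: swap source and destination."""
    return [(dst, src) for src, dst in entries]


def render(entries: List[Entry], acl_number: int = ACL_NUMBER) -> List[str]:
    """Render entries as IOS numbered extended ACL lines. IOS takes a wildcard mask
    (the inverse of the subnet mask), which ipaddress exposes as hostmask."""
    return [f"access-list {acl_number} permit ip "
            f"{src.network_address} {src.hostmask} {dst.network_address} {dst.hostmask}"
            for src, dst in entries]


def peers_match(spoke_entries: List[Entry], hub_entries: List[Entry]) -> bool:
    """True when the hub crypto ACL is exactly the mirror of the spoke's. Deploying to
    only one peer lets the two drift apart, and non-mirrored crypto ACLs are a common
    cause of failed IPSec SA negotiation."""
    return sorted(mirror(spoke_entries)) == sorted(hub_entries)


def classify(src_ip: str, dst_ip: str, entries: List[Entry]) -> str:
    """Split tunneling: a flow matching any permit entry is sent through the IPSec
    tunnel; anything else leaves the interface in the clear (for example via NAT)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return "tunnel"
    return "clear"


if __name__ == "__main__":
    spoke = tunnel_entries(SPOKE_INTERNAL, HUB_INTERNAL)
    hub = mirror(spoke)
    print("spoke crypto ACL:", *render(spoke), sep="\n  ")
    print("hub crypto ACL:", *render(hub), sep="\n  ")
    print("peers match:", peers_match(spoke, hub))
    print(classify("10.20.1.5", "172.16.5.9", spoke))   # tunnel
    print(classify("10.20.1.5", "203.0.113.7", spoke))  # clear
```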

Device Hierarchy and Inheritance

Router MC allows you to group your devices under the default Global device group to create a hierarchy of devices. Using device groups facilitates efficient management of a large number of devices by enabling you to define VPN or firewall policies on multiple devices simultaneously, rather than having to configure each device individually.

Policy inheritance in the device hierarchy is implemented in a top-down fashion. The Global group is the highest level object.

Policies defined on the Global level are inherited by all devices in the device inventory.

Policies defined on a device group are inherited by all the groups and devices contained within that group, and override the global configurations (if any) for those devices.

Policies defined on an individual device apply to that device only, and override any policies inherited from higher level objects in the hierarchy.

To take full advantage of the device grouping and inheritance features, you should plan your device groups carefully before defining any policies. We recommend that you group devices with similar attributes together so that you can define policies on the entire group of devices, rather than on individual devices.

See Managing Devices, page 1-1 for more information.

Workflow Modes

Router MC provides two workflow modes for optimal support of different types of organizations:

Workflow Enabled mode—supports organizations that have a specific employee workflow for defining and managing security policies in their networks; for example, organizations in which responsibility for defining VPN or firewall policies and for deploying those policies to devices is divided between security operators and network operators. This mode allows device management and policy configuration changes performed by one user to be reviewed and approved by another user before being deployed to the relevant devices. In Workflow Enabled mode, users create activities for device management and policy configuration tasks, and jobs for deployment tasks. See Activities and Jobs for a summary of the concepts of activities and jobs.

Workflow Disabled mode—This is the default Router MC mode of operation. It is suitable for organizations that have no division of responsibility between users in VPN and firewall policy definition and administration. In this mode, users simply define policies and deploy them, without the need to create activities and jobs. Router MC creates the required activities and jobs in the background.

See Understanding Router MC Workflow Modes, page 1-5 for more information.

Activities

An activity is a temporary context within which you make VPN configuration changes to specific objects (global, device groups or devices). In Workflow Disabled mode, Router MC manages activities for you. In Workflow Enabled mode, before you make any configuration changes, you must create a new activity or open an existing activity. The activity must be approved before its configuration changes are committed to the Router MC database, at which point they are ready for deployment to the relevant devices or files.

An activity can only be opened by one person at a time, but can be worked on by several people in sequence. This means that before the activity is approved, another user can open it and make further configuration changes to the selected objects.

The objects being configured within the activity, and all their descendants in the hierarchy, are locked until the activity is approved or deleted. No other activity can have the same objects or any of their descendants selected for configuration. This ensures that there is no overlap between users, which might result in configuration discrepancies.

See Working with Activities, page 1-1 for more information.
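The inheritance rules in Device Hierarchy and Inheritance and the activity locking described above can both be exercised on a small hierarchy. The following Python is an added example, not Router MC code: the node names, policy strings and the ActivityLock class are constructed assumptions, and refusing an activity that selects an ancestor of an already locked object is this model's own interpretation rather than a behavior the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Node:
    """Global group, device group or device in the hierarchy (constructed model)."""
    name: str
    policies: Dict[str, str] = field(default_factory=dict)  # policy type -> policy name
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child

    def ancestors_and_self(self) -> Iterator["Node"]:
        node: Optional["Node"] = self
        while node is not None:
            yield node
            node = node.parent

    def descendants_and_self(self) -> Iterator["Node"]:
        yield self
        for child in self.children:
            yield from child.descendants_and_self()


def effective_policy(node: Node, policy_type: str) -> Tuple[Optional[str], Optional[str]]:
    """Top-down inheritance, resolved by walking up from the device towards Global and
    taking the first definition found: a device setting overrides its group, and a group
    setting overrides Global. Returns (policy name, object that defined it)."""
    for obj in node.ancestors_and_self():
        if policy_type in obj.policies:
            return obj.policies[policy_type], obj.name
    return None, None


class ActivityLock:
    """Open activities lock their selected objects and every descendant until the
    activity is approved or deleted (constructed model of the page's rule)."""

    def __init__(self) -> None:
        self.locked: Dict[str, str] = {}  # object name -> activity id holding the lock

    def conflicts(self, selection: List[Node]) -> List[str]:
        """Objects in or below the selection that another activity already locks.
        Checking each selected subtree also rejects an ancestor of a locked object
        (assumption: configuring it would reach the locked objects by inheritance)."""
        return [obj.name for sel in selection for obj in sel.descendants_and_self()
                if obj.name in self.locked]

    def create(self, activity_id: str, selection: List[Node]) -> None:
        clash = self.conflicts(selection)
        if clash:
            raise ValueError(f"objects already locked by another activity: {clash}")
        for sel in selection:
            for obj in sel.descendants_and_self():
                self.locked[obj.name] = activity_id

    def close(self, activity_id: str) -> None:
        """Approval or deletion releases every lock the activity held."""
        self.locked = {k: v for k, v in self.locked.items() if v != activity_id}


def build_sample() -> Node:
    """Constructed inventory: Global, two device groups, three spokes."""
    root = Node("Global", {"ike": "ike-3des-sha", "failover": "ike-keepalive"})
    emea = root.add(Node("EMEA", {"failover": "gre-ospf"}))
    emea.add(Node("paris-spoke"))
    emea.add(Node("berlin-spoke", {"ike": "ike-berlin-only"}))
    root.add(Node("APAC")).add(Node("tokyo-spoke"))
    return root


def find(root: Node, name: str) -> Node:
    return next(obj for obj in root.descendants_and_self() if obj.name == name)


if __name__ == "__main__":
    root = build_sample()
    for dev in ("paris-spoke", "berlin-spoke", "tokyo-spoke"):
        for ptype in ("ike", "failover"):
            print(dev, ptype, effective_policy(find(root, dev), ptype))
    locks = ActivityLock()
    locks.create("act-1", [find(root, "EMEA")])
    print(locks.conflicts([find(root, "paris-spoke")]))  # locked through EMEA
    print(locks.conflicts([find(root, "APAC")]))         # free
```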

Jobs

A job is a deployment session in which you specify the devices to which VPN and firewall configurations should be deployed. Router MC generates the CLI commands for the devices specified in the job, based on the policies you defined. These commands can be previewed before deployment takes place. Within the context of the job, you can specify whether to deploy the commands directly to the devices in the network or to a file.

In Workflow Enabled mode, you must create a job to deploy your configurations. In Workflow Disabled mode, Router MC creates a job in the background when you click Save and Deploy.

See Deploying Configurations, page 1-1 for more information.


Note To deploy configurations directly to your devices, you must enable SSH on the devices. See Enabling SSH for Live Device Deployment, page A-1 for more information.


Building Blocks

Building blocks are reusable, named, global components that can be referenced by multiple policies. When referenced, a building block is incorporated as an integral component of the policy. If you change the definition of a building block, this change is reflected in all policies that reference that building block.

Building blocks aid in policy definition by eliminating the need to define that component each time you define a policy. For example, although transform sets are integral to tunnel policies, you can define several transform sets independently of your tunnel policy definitions. These transform sets are always available for selection when you create tunnel policies (on the object on which you defined them and its descendants).

The following building blocks can be defined:

Transform Sets: A combination of security protocols, algorithms and other settings that specify exactly how the data in the IPSec tunnel will be encrypted and authenticated. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow. See Working with Transform Sets, page 1-2 for more information.

Network Groups: Named collections of networks and/or hosts. A network group name can be referenced during the definition of policies, instead of having to specify each network or host individually for each policy definition. See Working with Network Groups, page 1-13 for more information.

Service Groups: Named collections of protocol and port definition mappings that describe specific network services. Service groups can be referenced during the definition of access rules. See Working with Service Groups, page 1-20 for more information.

Device Import

In Router MC, importing devices means bringing information about the devices you want to manage into the device inventory. Router MC imports devices either by querying the physical devices for information, or by reading device information from a file or multiple files in a specified directory on the server. Devices can be imported individually or in groups.

See Importing Devices, page 1-12 for more information.

Upload of Existing Policies on Devices into Router MC

Upload refers to the process of transferring policies that exist on a device into Router MC. This means that you do not have to redefine all your VPN or firewall configurations when you start using Router MC, or when you want to copy policies from one device to other devices.

Router MC only supports the upload of policies that are not peer-specific. These include transform sets, preshared keys, group preshared keys, CA policies, routing policies, and IKE policies.

See Uploading Device Configurations, page 1-1 for more information.

Supported Tunneling Technologies

Router MC supports the following tunneling technologies:

IPSec

IPSec is a framework of open standards that provides data confidentiality, data integrity, and data origin authentication between peers that are connected over unprotected networks, such as the Internet. IPSec provides security services at the IP layer. IPSec uses IKE to authenticate IPSec peers, negotiate IPSec keys, and automatically negotiate IPSec security associations. Router MC supports authentication by preshared keys or by RSA signature using a Certification Authority (CA).

While IPSec has the advantage of supporting dynamic tunnels, the drawbacks are that IPSec tunnels only support encapsulation of IP packets, can only carry unicast packets, and have no end-to-end interface management protocol, resulting in lower resiliency. IPSec uses IKE Keepalive, which provides a measure of resiliency; however, it is inferior to GRE resiliency because there is no means by which to assess IP peer status.

IPSec with Generic Routing Encapsulation (GRE)

GRE is a tunneling protocol that can encapsulate a variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to devices at remote points over an IP internetwork. With this technology, IPSec is used on top of GRE. GRE packet encapsulation occurs prior to the IPSec process. GRE encapsulates the entire original packet with a standard IP header and GRE header. IPSec views the GRE packet as an unremarkable IP packet and performs encryption and authentication services, as dictated by IKE negotiated parameters. Because GRE can carry multicast and broadcast traffic, it is possible to configure a routing protocol for the virtual GRE tunnels. The routing protocol provides a mechanism to detect loss of connectivity and reroute packets to the backup GRE tunnel, thus providing high resiliency.

IPSec with GRE over a Frame Relay network

This option provides all the advantages of using IPSec with GRE and the ability to create secure VPN tunnels over a Frame Relay network. Router MC supports a Frame Relay topology in which the hub acts only as a VPN endpoint, while each spoke acts as both a VPN endpoint and a Frame Relay endpoint. This means that there must be a device in the hub subnet, before the VPN endpoint at the hub, which acts as the second Frame Relay endpoint.

IPSec with GRE and DMVPN

Dynamic Multipoint VPN (DMVPN) combines Generic Routing Encapsulation (GRE) tunnels, IP Security (IPSec) encryption, and Next Hop Resolution Protocol (NHRP). It allows for the management of devices with dynamically assigned IP addresses. It also enables direct spoke-to-spoke communication, without the need to go through the hub. See Understanding GRE with DMVPN, page 1-6 for more information.

Table 1-2 shows the features supported by IPSec vs. IPSec with GRE. The same features are supported when GRE is used in a Frame Relay network.

Table 1-2 IPSec compared to IPSec with GRE

Feature                             IPSec                              IPSec+GRE
Ability to secure non-IP protocols  No                                 Yes
Spoke to spoke connectivity         No                                 Yes—through the hub
Dynamic tunneling                   Yes                                No
Split tunneling                     Fine-grained using extended ACL    Network-based granularity
Resilience                          Low—uses IKE Keepalive             High—uses routing protocol
NAT                                 Yes                                Yes


Router MC Integration with CiscoWorks Common Services

Router MC is integrated with CiscoWorks Common Services, which supplies the core server-side components required by Router MC, such as the Apache web server, SSL libraries, SSH libraries, embedded SQL database, Tomcat servlet engine, the CiscoWorks desktop, and others.

CiscoWorks Common Services provides centralized management of certain functions for all the VMS products you have installed. These functions include:

Backup and restore of data

Integration with ACS or CMF for user authentication and permissions

Licensing

Starting/stopping the database

Logging of administration tasks

These functions are not performed from within the Router MC user interface. Access the CiscoWorks Common Services online help for information about these functions, as follows:

1. Click Help in the CiscoWorks desktop.

2. Click Main in the toolbar.

3. Select VPN Security Management Solution > Common Services.

Prerequisites for Working with Router MC

To work successfully with Router MC, certain prerequisites must be met. These are described in Appendix A, "Router MC Operating Prerequisites."