Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco IOS Intrusion Prevention System (IPS)

Configuring Cisco IOS IPS Using IPS MC 2.2

Downloads

Configuration Guide

The CiscoWorks Management Center for IPS Sensors (IPS MC) is the management console for Cisco® IPS devices. IPS MC Version 2.2 supports provisioning of the intrusion prevention system (IPS) feature on Cisco IOS® Software routers. This document focuses on configuring Cisco IOS IPS routers using IPS MC 2.2.

For more detailed information regarding how to use IPS MC, including how to use it to configure devices that are not based on Cisco IOS Software, refer to the CiscoWorks Management Center for IPS Sensors User Guide at: http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_book09186a00805b53e3.html

BASIC UNDERSTANDING OF CONFIGURATION TASKS

IPS MC is used to manage the configuration of a group of Cisco IOS IPS routers. Note that IPS MC does not manage the alerts from routers running IPS; the recommended Cisco product for IPS monitoring is the Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS). Configuration management consists of a series of tasks described in this document. These tasks can be divided into three phases-import, configuration, and deployment (Figure 1). Each phase has its own set of responsibilities and functions:

Import: Import a router into IPS MC. You must import a router into IPS MC before you can use IPS MC to configure it. A router cannot be imported unless an initial IPS configuration exists on the router (details are given later in this guide).

Configuration: Configure the device. For example, you can configure a Cisco IOS IPS router to use one of the Cisco recommended pretuned signature files. Configuration changes are stored in IPS MC, but not sent to the router in this phase.

Deployment: Deliver configuration changes to the actual device. During this phase you commit the changes made in configuration tasks to the routers.

Additional Tasks: IPS MC provides an autodownload function to automatically download signature updates from Cisco.com.

Figure 1. IPS MC Configuration Task Flow

Understanding this phased approach is essential to effectively using IPS MC. It is different from device-based management GUIs such as Cisco Router and Security Device Manager (SDM). Device-based GUIs act directly on a single router, whereas IPS MC is designed to work on groups of routers (and other IPS devices such as Cisco IPS 4200 Series Sensors) networkwide.
This document provides information about each of the tasks in the diagram to guide you in using IPS MC to manage Cisco IOS IPS routers.

INITIAL CONFIGURATION OF CISCO IOS IPS ROUTERS

To successfully import or add a Cisco IOS IPS router to IPS MC, you must perform certain initial or "prerequisite" configuration steps on the Cisco IOS IPS routers. The following summarizes those steps.
You must enable Secure Shell (SSH) Protocol in a Cisco IOS IPS router for configuration, import, and deployment through Cisco IPS MC. In addition, the Security Device Event Exchange (SDEE) protocol must be enabled for event reporting purposes (although these alerts are not sent to IPS MC, because IPS MC is used only for provisioning, not reporting). Finally, you need to make sure the clock setting on the IPS router is synchronized with the IPS MC.
To configure SSH on the router, follow these steps (in configuration mode).

Step 1. Create a local username and password for the router.

Router#config terminal
Router(config)# username <username> password <password>

Step 2. Enable local login on the vty lines interface.

Router#config terminal
Router(config)#line vty 0 15
Router(config-line)#login local
Router(config-line)#exit

If the transport input or transport output command-line interface (CLI) is configured under vty line configuration, make sure SSH is enabled. For example:
Router#conf terminal
Router(config)#line vty 0 15
Router(config-line)#transport input ssh telnet
Router(config-line)#exit

Step 3. Generate a 1024-bit RSA key if there is no existing key. SSH is automatically enabled after cryptography key generation.

Router#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#crypto key generate rsa
The name for the keys will be: Router.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#
*Jan 23 00:44:40.952: %SSH-5-ENABLED: SSH 1.99 has been enabled
Router config)#

Step 4. Next, enable SDEE on the router.

Router(config)#ip ips notify sdee

Step 5. Enable HTTPS. HTTP or HTTPS is required for IPS MC to communicate with the router with SDEE to gather event information.

Router(config)#ip http authentication local
Router(config)#ip http secure-server

Step 6. Use the external Network Time Protocol (NTP) server or clock command to configure the clock setting on the IPS router.

Router(config)#clock set hh:mm:ss day month year

Now the Cisco IOS IPS router is ready and can be imported to IPS MC for further configuration and management.

IMPORTING A CISCO IOS IPS ROUTER INTO IPS MC

When you have the prerequisite configuration on the router, you can add (or "import") it into IPS MC.

Step 1. Start your browser and point to the server running CiscoWorks. The default port number of the web server is 1741, so you should use a URL similar to the following: http://<server ip address>:1741/. Input the name and password to log in (Figure 2).

Figure 2. CiscoWorks Login Page

Step 2. When logged in, choose VPN/Security Management Solution on the left side, and select Management Center. Click IPS Sensors (Figure 3).

Figure 3. Start IPS MC

Step 3. IPS MC will launch in a separate browser window. From the main user interface, there are 5 major tasks-Devices, Configuration, Deployment, Report, and Admin.

Devices-This task is for managing all the devices using IPS MC. Use this function to perform initial setup of devices managed by the system (Figure 4).

Configuration-The device provisioning function is done through this task. You can configure devices at individual device level or at group level. One device group can contain multiple devices. All changes made through configuration tasks must be saved; the function does not immediately make changes to the devices. You must use the deployment task to make changes take effect.

Deployment-Use this task to deliver configuration changes to devices. Through this task, you can deliver changes for your saved configuration tasks. Schedule capability provides flexible control of when the configuration changes should take effect.

Report-Use this task to generate various system operation reports.

Admin-System administration tasks such as database management, system configuration, and license management can be performed here.

Figure 4. IPS MC Main Window

Step 4. Choose Device -> Sensor to add new devices (Figure 5).

Figure 5. Import Cisco IOS IPS Router Using IPS MC

Step 5. The Select Type user interface shows. You need to tell IPS MC what type of "add" function you want to perform. For devices that are currently running on the network, you can choose the Import configuration from device option. For devices that you are planning to add into the system, you can choose the Create default configuration option (Figure 6). The options and their descriptions follow:

Figure 6. Select Import Option

Import configuration from device-Use this option to add an existing device into IPS MC.

Create default configuration-Use this option if you are planning to add a device to IPS MC but the device is not running on the network yet.

Add multiple devices-When you add multiple devices, IPS MC can read a .csv file or an .xml file containing device information and adds them all.

Tip: The sample .csv format and .xml format files are located in: InstallDirectory\MDC\etc\ids\ and are named MultipleAddDevices-format.csv and MultipleAddDevices-format.xml, respectively.

Step 6. Select the group to which you want to add the Cisco IOS IPS router, or use the default global group. Then click Next.

Step 7. Provide the information in the Identification page. If the user does not have privilege level 15 access rights, you need to supply the enable password. In the last row of thee Identification page, check Use SSH Credentials (Figure 7).

Figure 7. Enter Sensor Information

Step 8. Click Next. You will be taken to the Add Sensor Summary page. Click Finish.

Step 9. Now you should have your device successfully added into IPS MC.

If you encounter errors during the import process, make sure you check the following:

Prerequisite configuration-These configurations are required for IPS MC to communicate with Cisco IOS IPS routers.

Connectivity-Make sure IPS MC can reach the Cisco IOS IPS routers.

Clock-Check the times on the IPS MC and the Cisco IOS IPS router. The time is a critical component of the HTTPS certificate that is used for authentication. The times have to be within 12 hours (best practice is at most a few hours) of each other.

Cisco IOS IPS Certificate-Sometimes the Cisco IOS IPS certificate stored is incorrect. To delete a certificate from Cisco IOS IPS, you need to remove the trustpoint from the Cisco IOS IPS router.

• Additional Configuration

If ip http timeout-policy is configured with a low number of maximum requests, such as:
ip http timeout-policy idle 600 life 86400 requests 1

You need to increase the maximum request number.

For example: ip http timeout-policy idle 600 life 86400 requests 8400

CONFIGURING THE CISCO IOS IPS ROUTER TO USE PRETUNED SIGNATURE FILES

After the router is imported into IPS MC, the next step is to select the Signature Definition File (SDF), a text-based file that includes the threat signatures that the IPS router will use, and the action to take (for example, drop, TCP reset, alarm) when each signature is triggered. Cisco Systems® recommends the use of Cisco pretuned SDF files. Currently there are three such files: "attack-drop.sdf", "128MB.sdf", and "256MB.sdf"; details about how to choose the SDF based on DRAM memory in the routers are given later in this guide. IPS MC can automatically download these files from Cisco.com. Refer to the section "Autodownloading Signature Updates" for more details.
In this task, we use a single device as an example and start with a router with no IPS configuration. The same process can also be used for multiple devices on a group level.

Step 1. Select Configuration and then use the Object Selector to the left to select the Cisco IOS IPS router that you want to configure (Figure 8).

Figure 8. IPS MC Configuration-Object Selector

Most of the configuration settings in IPS MC 2.2 can be configured at the group level as well as at the individual device level; for example, the global, iosips, and sdmlab groups are all configurable object groups. In this example, we will choose an individual device-cisco of sdmlab group.
After object selection, on the top of the center IPS MC GUI, a path bar shows the current scope of configuration. For instance, "Scope: Global > sdmlab > cisco". "cisco" is the name of the router we selected from the object selector, and it is the current configuration object.

Step 2. Choose Settings from the GUI. The Settings section allows you to change configuration settings for the selected object. Configuration settings specific to Cisco IOS IPS routers are in the TOC section. Following is a list of tasks that are available under the TOC section (Figure 9).

Identification-Cisco IOS IPS router basic information; you can specify a pretuned SDF file here

Signature-Cisco IOS IPS router signatures

Signature Wizard-A signature wizard to add customized signatures

Cisco IOS IPS Rules-For configuring Cisco IOS IPS rules that are used to apply to interfaces

Cisco IOS IPS Filters-Cisco IOS IPS filters

Cisco IOS IPS Reassembly-Interface IP virtual-reassembly configuration

Cisco IOS IPS SDEE Properties-For configuring SDEE settings

Cisco IOS IPS General Properties-Additional Cisco IOS IPS-related configurations

Figure 9. Configuration Settings

Step 3. Select Identification to configure pretuned SDF files (Figure 10).

Figure 10. Cisco IOS IPS Router Identification

Step 4. Select the pretuned SDF appropriate for the router and click Apply to apply changes.

Step 5. Go to the Pending task and save all the changes (Figure 11).

Figure 11. Pending Configuration Changes

Step 6. At this point, the configuration task is completed. To make your changes take effect on the device, you need to go through the deployment task to deploy your changes to the target device.

Tip: If you are changing the SDF type, you may get the following message: "When changing the SDF type, you can choose to keep or discard signature tuning information on the device. Click OK to discard. Click Cancel to keep."

Step 7. You need to click `Cancel' to keep your signature tuning information (Figure 12).

Figure 12. Change SDF Type Confirmation

Note: Cisco IOS IPS can support more than 1600 signatures, a number that is beyond the memory capacity of routers to accept. The SDFs have been developed as a convenient way to select and load the most vital signatures. Currently you can choose from three SDFs; they vary in size to enable you to select an SDF file according to the DRAM capacity of your routers. The available choices follow:

UNSET-The SDF type is not set.

ATTACK-DROP-This SDF is for routers with 64 MB of DRAM.

256MB-This SDF is for routers with 256 MB of DRAM.

128MB-This SDF is for routers with 128 MB of DRAM.

Note: The 128- and 256-MB SDFs require a 2.001 engine or greater. This information is available in the Settings->Identification UI -> Version field.

Warning: IPS MC does not include memory-management functions for Cisco IOS IPS routers. Be careful when selecting SDF files for your Cisco IOS IPS router. Ensure that the Cisco IOS IPS router has sufficient memory to run the selected SDF file.

Step 8. Now you have successfully chosen a pretuned SDF for the router-cisco. You can perform additional signature tuning such as add or edit, or even create your own signatures. Or you can go directly to the step "Creating a Rule to Apply to the Interface(s)" and skip the signature tuning tasks.

MODIFYING PRETUNED SDF SIGNATURES

After selecting a pretuned SDF file for a router, you can do additional signature tuning tasks. You can add, edit, delete, and modify signatures to best fit your needs, or you can even create your own signatures when necessary. The following gives an example of how to add additional signatures and modify the actions using IPS MC. Select the device or device groups you want to configure, and then go to Settings->Signatures->IOS IPS.

Step 1. Use signature configuration to enable or disable, select or unselect, add a signature, delete a signature, change signature actions, and edit signature parameters (Figure 13). Use the Signature Wizard to the left to create customized signatures.

Figure 13. Signature Edit User Interface

Step 2. In the signature configuration user interface, some information is shown by default. Selected refers to whether the signature is going to be included in the SDF file sent to the router. If a signature is not selected, it will not be added. Enabled applies only if a signature is selected. When a signature is disabled, the IPS engines will not send events for that specific signature. If a signature is unselected it is also automatically disabled.

Step 3. The last two columns (Prop Src and Param Src) tell you where the signature and its parameter, respectively, come from. The signature could have been taken from pretuned SDF files or from factory default which you can find in the IOS-Sxxx.zip file updates (it is shown as IOS IPS Defaults). These values apply to the parameter column as well.

Step 4. While adding signatures to Cisco IOS IPS routers, memory considerations must be accounted for. If you add more signatures than the Cisco IOS IPS router can process, IPS MC will fail to deploy the configuration changes to the devices.

Following is an example to add signatures 5489/x to the Cisco IOS IPS router.

Step 5. Select Configuration and then use the Object Selector to select the Cisco IOS IPS router that you want to configure IPS signatures for.

Step 6. Select Configuration -> Settings -> Signatures -> IOS IPS. On the resulting signature list, select Filter by ID, and type signature ID 5489. Click Filter to search for signatures (Figure 14).

Figure 14. Search Signature

Note: IPS MC does not support new categorization available in Cisco SDM.

Step 7. Check the checkbox next to signatures that have not been selected, and click Select on the bottom tool bar (Figure 15).

Figure 15. Signature Selection

Step 8. Now click Edit to change signature actions. You must check the Override checkbox to make changes. Check the Selected checkbox and select alarm, drop, and reset in the Actions box. Click OK when finished (Figure 16).

Figure 16. Signature Actions

Step 9. Now all signatures are changed with desired actions (Figure 17).

Figure 17. Updated Signatures

Step 10. Go to the Pending task and save all the changes. This completes the configuration task.

Tip: Pay close attention to the Prop Src column. After modification, the source changed to the device named "cisco", meaning all the tuning information is saved separately from the default pretuned SDF files. This mechanism gives IPS MC the ability to retain customized signature changes.
In the previous section when you changed the SDF file types, the IPS MC asked you whether you want to keep signature tuning information; this is the signature tuning information it referred to.

CHOOSING CUSTOMIZED SIGNATURES

If you do not want to use the default pretuned SDF files, you can use steps specified in the section "Modifying Pretuned SDF Signatures" to select tuning signatures for your devices. In the identification page, you need to make sure the SDF type is UNSET. Refer to figure 10-Cisco IOS IPS Router Identification.

CREATING A RULE TO APPLY TO THE INTERFACE(S)

After tuning the signature, you need to enable IPS on the Cisco IOS routers. To enable IPS on the router, you must create an IPS rule and apply it to at least one interface.

Step 1. Select Configuration and then use the Object Selector to select the Cisco IOS IPS router that you want to configure. Verify in the path bar that your scope is at the device level, not at a group level.

Step 2. Select Configuration > Settings > IOS IPS Rules. Next, click Add to bring up the IPS Rules page. Enter information for the rule name and interface to which you want to apply the rule and direction (Figure 18).

Figure 18. Cisco IOS IPS Rule

Step 3. Click OK. Similarly, you can create rules for both directions for an interface (Figure 19).

Figure 19. Cisco IOS IPS Rule Summary

Step 4. You need to save the configuration changes and go through the deployment process to deliver changes to the affected device or group of devices.

You can perform other IPS-related configurations too, but all other tasks are optional and not required. You can find all the options to the left of the configuration user interface. This document does not cover the optional configuration options.

DEPLOYING THE CONFIGURATION

After you make all the configuration changes, you need to use the Deployment task to commit the changes to the devices; all the configurations you have made so far are saved locally on the IPS MC server.
To deploy configuration changes, go to the Deployment user interface and do the following:

Step 1. Select the Deployment task on the top menu bar, and select Generate to generate configuration changes (Figure 20).

Figure 20. Generate Configuration Changes

Step 2. Select the device "cisco" that you just configured and click Generate.

Step 3. Click OK to accept the generated configuration, and then click OK. Now a status window pops up. Click Refresh until the generation task completes successfully (Figure 21).

Figure 21. Configuration Generation Status Window

Step 4. Select Approve and sdmlab group to see a list of configurations that need approval (Figure 22).

Figure 22.

Step 5. Select the task(s) and click Approve. Then go to Deploy and click Submit. Then you have a user interface to select devices that you want to submit the deployment task for. Select device cisco, and click Deploy (Figure 23).

Figure 23. Submit Tasks

Step 6. The following user interface shows a list of configuration changes. Select the configuration you just made to device cisco, and click Next (Figure 24).

Figure 24. Deploy Configuration to Device

Step 7. Now you can either immediately deploy the changes or schedule a task to do it at a later time. In this example, choose the Immediate option. Then click Next (Figure 25).

Figure 25. Deployment Job Scheduler

Step 8. A brief job summary is shown and ready to be deployed. Click Finish (Figure 26).

Figure 26. Deployment Job Summary

Step 9. At the end of the deployment, a popup window shows the status of the deployment process (Figure 27).

Figure 27. Deployment Status

Now, you have successfully deployed Cisco IOS IPS configurations to the device. When configuring multiple devices, you can make configuration changes on the group level and then apply the changes to all Cisco IOS IPS routers that belong to the same group.
Tip: This process is lengthy, and a quick-delivery function is available. Following is how to set it up.

Step 10. On the top of the user interface is a row of small icons. With your mouse over the first one, you can see the tool tip shown in Figure 28.

Figure 28. Tool Tip

Step 11. To enable the Generate and Deploy task, go to Admin->System Configuration ->Configuration File Management and uncheck Enable manual configuration file change approval checkbox (Figure 29).

Figure 29. Configuration File Management Settings

Step 12. Now with your mouse over the first icon, it shows that the task is enabled (Figure 30).

Figure 30. Generate and Deploy Auto Approval Enabled

Step 13. Now you do not have to go through the Generate->Approve->Deploy process; simply click this icon, IPS MC will automatically generate configuration changes and deploy them to the devices.

AUTODOWNLOADING SIGNATURE UPDATES

IPS MC supports autodownload signature updates from Cisco.com. It can download signature updates for sensor platforms as well as for Cisco IOS IPS platforms. To configure this feature, go to Admin->System Configuration -> Auto Download IPS Updates (Figure 31).

Figure 31. IPS MC Auto Download

You must have a valid Cisco.com account to be able to download this signature update. To check the autodownloaded files, go to the IPS MC installation home directory; by default it is: \program files\CSCOpx\MDC\etc\ids\updates. Figure 32 shows a screen shot of the downloaded files in this directory. You can see that sensor update files, the Cisco IOS Software update file, and pretuned SDF files are downloaded.

Figure 32. Autodownloaded Files

UPDATE CISCO IOS IPS ROUTER WITH NEW SDF FILES

For Cisco IOS IPS routers deployed with preetuned SDF files, as soon as a new version of the SDF files are available through autodownload or copied to the updates directory, Cisco IPS MC recognizes the new version. After a user interface refresh, device icons turn yellow for applicable devices (Figure 33).

Figure 33. IPS MC Device-Yellow Icon Indicates New Updates

Step 1. Go to Deployment and go through the Generate, Approve, and Deploy process. Figure 34 shows a screen shot of the Generate user interface.

Figure 34. Generate Configuration to Update SDF

Step 2. After successful deployment, the Cisco IOS IPS router is using a new version of SDF files.

Text Box: Corporate HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 526-4100 European HeadquartersCisco Systems International BVHaarlerbergparkHaarlerbergweg 13-191101 CH AmsterdamThe Netherlandswww-europe.cisco.comTel: 31 0 20 357 1000Fax: 31 0 20 357 1100 Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-7660Fax: 408 527-0883 Asia Pacific HeadquartersCisco Systems, Inc.168 Robinson Road#28-01 Capital TowerSingapore 068912www.cisco.comTel: +65 6317 7777Fax: +65 6317 7799Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed onthe Cisco Website at www.cisco.com/go/offices.Argentina · Australia · Austria · Belgium · Brazil · Bulgaria · Canada · Chile · China PRC · Colombia · Costa Rica · Croatia · Cyprus Czech Republic · Denmark · Dubai, UAE · Finland · France · Germany · Greece · Hong Kong SAR · Hungary · India · Indonesia · Ireland · Israel Italy · Japan · Korea · Luxembourg · Malaysia · Mexico · The Netherlands · New Zealand · Norway · Peru · Philippines · Poland · Portugal Puerto Rico · Romania · Russia · Saudi Arabia · Scotland · Singapore · Slovakia · Slovenia · South Africa · Spain · Sweden · Switzerland · Taiwan Thailand · Turkey · Ukraine · United Kingdom · United States · Venezuela · Vietnam · ZimbabweCopyright 2006 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)Printed in the USA XXX-XXXXX-XX 03/06 Text Box: Corporate HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 526-4100 European HeadquartersCisco Systems International BVHaarlerbergparkHaarlerbergweg 13-191101 CH AmsterdamThe Netherlandswww-europe.cisco.comTel: 31 0 20 357 1000Fax: 31 0 20 357 1100 Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-7660Fax: 408 527-0883 Asia Pacific HeadquartersCisco Systems, Inc.168 Robinson Road#28-01 Capital TowerSingapore 068912www.cisco.comTel: +65 6317 7777Fax: +65 6317 7799Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed onthe Cisco Website at www.cisco.com/go/offices.Argentina · Australia · Austria · Belgium · Brazil · Bulgaria · Canada · Chile · China PRC · Colombia · Costa Rica · Croatia · Cyprus Czech Republic · Denmark · Dubai, UAE · Finland · France · Germany · Greece · Hong Kong SAR · Hungary · India · Indonesia · Ireland · Israel Italy · Japan · Korea · Luxembourg · Malaysia · Mexico · The Netherlands · New Zealand · Norway · Peru · Philippines · Poland · Portugal Puerto Rico · Romania · Russia · Saudi Arabia · Scotland · Singapore · Slovakia · Slovenia · South Africa · Spain · Sweden · Switzerland · Taiwan Thailand · Turkey · Ukraine · United Kingdom · United States · Venezuela · Vietnam · ZimbabweCopyright 2006 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)Printed in the USA XXX-XXXXX-XX 03/06