Original Address

The original address (and optionally, the subnet mask) that is being translated.

Translated Address

The IP address to which the traffic is translated.

Port Redirection

(When the static rule is defined on a port) Information about the port that is being translated, including the local and global port numbers.

Advanced

The advanced options that are enabled.

Add button

Opens the NAT Static Rule Dialog Box. From here you can create a static translation rule.

Edit button

Opens the NAT Static Rule Dialog Box. From here you can edit the selected static translation rule.

Delete button

Deletes the selected static translation rules from the table.

Static Rule Type

The type of local address requiring translation by this static rule:

•Static Host—A single host requiring static address translation.

•Static Network—A subnet requiring static address translation.

•Static Port—A single port requiring static address translation. If you select this option, you must define port redirection parameters.

Original Address

The address or the name of a network/host object. Enter the address or object name, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

•When Static Network is selected as the Static Rule Type, this field defines the network address and subnet mask. For example, if you want to create n-to-n mappings between the private addresses in a subnet to corresponding inside global addresses, enter the address of the subnet you want translated, and then enter the network mask in the Mask field.

•When Static Port or Static Host is selected as the Static Rule Type, this field defines the IP address only. For example, if you want to create a one-to-one mapping for a single host, enter the IP address of the host to translate. Do not enter a subnet mask in the Mask field.

Note We recommend not entering a local address belonging to this router, as it could cause Security Manager management traffic to be translated. Translating this traffic will cause a loss of communication between the router and Security Manager.

Translated Address

The type of address translation to perform:

•Specify IP—The IP address that acts as the translated address. Enter the address or the name of a network/host object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

–If you selected Static Port or Static Host as the static rule type (to create a one-to-one mapping between a single inside local address and a single inside global address), enter the global address in this field. A subnet mask is not required.

–If you selected Static Network as the static rule type (to map the original, local addresses of a subnet to the corresponding global addresses), enter the IP address that you want to use in the translation in this field. The network mask is taken automatically from the mask entered in the Original Address field.

•Use Interface IP—The interface whose address should be used as the translated address. (This is typically the interface from which translated packets leave the router.) Enter the address or the name of a network/host object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Note The Interface option is not available when Static Network is the selected static rule type. Only one static rule may be defined per interface.

Port Redirection

Applies only when Static Port is the selected static rule type.

Redirect Port—When selected, specifies port information for the inside device in the translation. This enables you to use the same public IP address for multiple devices as long as the port specified for each device is different. Enter information in the following fields:

•Protocol—The protocol type: TCP or UDP.

•Local Port—The port number on the source network. Valid values range from 1 to 65535.

•Global Port—The port number on the destination network that the router is to use for this translation. Valid values range from 1 to 65535.

When deselected, port information is not included in the translation.

Advanced

Applies only when using the Translated IP option for address translation.

Defines advanced options:

•No Alias—When selected, prohibits an alias from being created for the global address.

The alias option is used to answer Address Resolution Protocol (ARP) requests for global addresses that are allocated by NAT. You can disable this feature for static entries by selecting the No alias check box.

When deselected, global address aliases are permitted.

•No Payload—When selected, prohibits an embedded address or port in the payload from being translated.

The payload option performs NAT between devices on overlapping networks that share the same IP address. When an outside device sends a DNS query to reach an inside device, the local address inside the payload of the DNS reply is translated to a global address according to the relevant NAT rule. You can disable this feature by selecting the No payload check box.

When deselected, embedded addresses and ports in the payload may be translated, as described above.

•Create Extended Translation Entry—When selected, creates an extended translation entry (addresses and ports). This enables you to associate multiple global addresses with a single local address. This is the default.

When deselected, creates a simple translation entry that allows you to associate a single global address with the local address.

Traffic Flow

The ACL that defines the traffic that is being translated.

Translated Address

Indicates whether the translated address is based on an interface or on a defined address pool.

Port Translation

Indicates whether Port Address Translation (PAT) is being used by this dynamic NAT rule.

Add button

Opens the NAT Dynamic Rule Dialog Box. From here you can create a dynamic translation rule.

Edit button

Opens the NAT Dynamic Rule Dialog Box. From here you can edit the selected dynamic translation rule.

Delete button

Deletes the selected dynamic translation rules from the table.

Traffic Flow

Access List—The ACL policy object that specifies the traffic requiring dynamic translation. Enter the object name, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Note Make sure that the ACL you select does not permit the translation of Security Manager management traffic over any device address on this router. Translating this traffic will cause a loss of communication between the router and Security Manager.

Translated Address

The method for performing dynamic address translation:

•Interface—The router interface used for address translation. PAT is used to distinguish each host on the network. Enter the name of the interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

•Address Pool—Translates addresses using a set of addresses defined in an address pool. Enter one or more address ranges, including the prefix, using the format min1-max1/prefix (in CIDR notation). You can add as many address ranges to the address pool as required, but all ranges must share the same prefix. Separate multiple entries with commas.

Enable Port Translation (Overload)

When selected, the router uses port addressing (PAT) if the pool of available addresses runs out.

When deselected, PAT is not used.

Note PAT is selected by default when you use an interface on the router as the translated address.

Do Not Translate VPN Traffic (Site-to-Site VPN only)

This setting applies only in situations where the NAT ACL overlaps the crypto ACL used by the site-to-site VPN. Because the interface performs NAT first, any traffic arriving from an address within this overlap would get translated, causing the traffic to be sent unencrypted. Leaving this check box selected prevents that from happening.

When selected, address translation is not performed on VPN traffic.

When deselected, the router performs address translation on VPN traffic in cases of overlapping addresses between the NAT ACL and the crypto ACL.

Note We recommend that you leave this check box selected, even when performing NAT into IPsec, as this setting does not interfere with the translation that is performed to avoid a clash between two networks sharing the same set of internal addresses.

Note This option does not apply to remote access VPNs.

Max Entries

The maximum number of entries allowed in the dynamic NAT table. Values range from 1 to 2147483647.

By default, this field is left blank, which means that the number of entries in the table is unlimited.

Timeout (sec.)

The timeout value applied to all dynamic translations except PAT (overload) translations.

The default is 86400 seconds (24 hours).

UDP Timeout (sec.)

The timeout value applied to User Datagram Protocol (UDP) ports. The default is 300 seconds (5 minutes).

Note This value applies only when the Overload feature is enabled.

DNS Timeout (sec.)

The timeout value applied to Domain Naming System (DNS) server connections. The default is 60 seconds.

Note This value applies only when the Overload feature is enabled.

TCP Timeout (sec.)

The timeout value applied to Transmission Control Protocol (TCP) ports. The default is 86400 seconds (24 hours).

Note This value applies only when the Overload feature is enabled.

FINRST Timeout (sec.)

The timeout value applied when a Finish (FIN) packet or Reset (RST) packet (both of which terminate connections) is found in the TCP stream. The default is 60 seconds.

Note This value applies only when the Overload feature is enabled.

ICMP Timeout (sec.)

The timeout value applied to Internet Control Message Protocol (ICMP) flows. The default is 60 seconds.

Note This value applies only when the Overload feature is enabled.

PPTP Timeout (sec.)

The timeout value applied to NAT Point-to-Point Tunneling Protocol (PPTP) flows. The default is 86400 seconds (24 hours).

Note This value applies only when the Overload feature is enabled.

SYN Timeout (sec.)

The timeout value applied to TCP flows after a synchronous transmission (SYN) message (used for precise clocking) is encountered. The default is 60 seconds.

Note This value applies only when the Overload feature is enabled.

Interface Type

The interface type. Subinterfaces are displayed indented beneath their parent interface.

Interface Name

The name of the interface.

Enabled

Indicates whether the interface is currently enabled (managed by Security Manager) or disabled (shutdown state).

IP Address

The IP address of interfaces defined with a static address.

IP Address Type

The type of IP address assigned to the interface—static, DHCP, PPPoE, or unnumbered. (IP address is defined by a selected interface role.)

Interface Role

The interface roles that are assigned to the selected interface.

Add button

Opens the Create Router Interface Dialog Box. From here you can create an interface on the selected router.

Edit button

Opens the Create Router Interface Dialog Box. From here you can edit the selected interface.

Delete button

Deletes the selected interfaces from the table.

Enabled

Whether the interface is enabled (no shutdown). If you deselect this option, the interface is created in the configuration but it is shut down.

Type

Specifies whether you are defining an interface or subinterface.

Name

Applies only to interfaces.

The name of the interface. Enter a name manually, or click Select to display a dialog box for generating a name automatically. See Interface Auto Name Generator Dialog Box.

Logical interfaces require a number after the name:

•The range for dialer interfaces is 0-799.

•The range for loopback interfaces is 0-2147483647.

•The range for BVI interfaces is 1-255.

•The only allowed value for null interfaces is 0.

Parent

Applies only to subinterfaces.

The parent interface of the subinterface. Choose the parent interface from this list.

Subinterface ID

Applies only to subinterfaces.

The ID number of the subinterface.

IP

The method of IP address assignment for the interface:

•Static IP—Defines a static IP address and subnet mask for the interface. Enter this information in the fields that appear below the option.

Note You can define the mask using either dotted decimal (for example, 255.255.255.255) or CIDR notation (/32). See Contiguous and Discontiguous Network Masks, page 8-65.

•DHCP—The interface obtains its IP address dynamically from a DHCP server.

•PPPoE—The router automatically negotiates its own registered IP address from a central server (via PPP/IPCP). The following interface types support PPPoE:

–Async

–Serial

–High-Speed Serial Interface (HSSI)

–Dialer

–BRI, PRI (ISDN)

–Virtual template

–Multilink

•Unnumbered—The interface obtains its IP address from a different interface on the device. Choose an interface from the Interface list. This option can be used with point-to-point interfaces only.

Note Layer 2 interfaces do not support IP addresses. Deployment fails if you define an IP address on a Layer 2 interface.

Layer Type

The OSI layer at which the interface is defined:

•Unknown—The layer is unknown.

•Layer 2—The data link layer, which contains the protocols that control the physical layer (Layer 1) and how data is framed before being transmitted on the medium. Layer 2 is used for bridging and switching. Layer 2 interfaces do not have IP addresses.

•Layer 3—The network layer, which is primarily responsible for the routing of data in packets across logical internetwork paths. This routing is accomplished through the use of IP addresses.

Negotiation

Available on ASRs; applies to Fast Ethernet and Gigabit Ethernet interfaces only.

Auto-negotiation detects the capabilities of remote devices and negotiates the best possible performance between the two devices. When Negotiation is enabled, the Duplex and Speed options are disabled.

Duplex

The interface transmission mode:

•None—The transmission mode is returned to its device-specific default setting.

•Full—The interface transmits and receives at the same time (full duplex).

•Half—The interface can transmit or receive, but not at the same time (half duplex). This is the default.

•Auto—The router automatically detects and sets the appropriate transmission mode, either full or half duplex. Not available on ASRs; use auto-negotiation instead.

Note When using Auto mode, be sure that the port on the active network device to which you connect this interface is also set to automatically negotiate the transmission mode. Otherwise, select the appropriate fixed mode.

Note You can configure a duplex value only if you set the Speed to a fixed speed, not Auto.

Note This setting does not apply to serial, HSSI, ATM, PRI, DSL, tunnel, or loopback interfaces.

Speed

Applies only to Fast Ethernet and Gigabit Ethernet interfaces.

The speed of the interface:

•None—The setting is not configurable on the device.

•10—10 megabits per second (10Base-T networks).

•100—100 megabits per second (100Base-T networks). This is the default for Fast Ethernet interfaces.

•1000—1000 megabits per second (Gigabit Ethernet networks). This is the default for Gigabit Ethernet interfaces.

•Auto—The router automatically detects and sets appropriate interface speed. Not available on ASRs; use auto-negotiation.

Note When using Auto mode, be sure that the port on the active network device to which you connect this interface is also set to automatically negotiate the transmission speed. Otherwise, select the appropriate fixed speed.

MTU

The maximum transmission unit, which refers to the maximum packet size, in bytes, that this interface can handle.

Valid values for serial, Ethernet, and Fast Ethernet interfaces range from 64 to 17940 bytes.

Valid values for Gigabit Ethernet interfaces range from 1500 to 9216 bytes.

Encapsulation

The type of encapsulation performed by the interface:

•None—No encapsulation.

•DOT1Q—VLAN encapsulation, as defined by the IEEE 802.1Q standard. Applies only to Ethernet subinterfaces.

•Frame Relay—IETF Frame Relay encapsulation. Applies only to serial interfaces (not serial subinterfaces).

Note IETF Frame Relay encapsulation provides interoperability between a Cisco IOS router and equipment from other vendors. To configure Cisco Frame Relay encapsulation, use CLI commands or FlexConfigs.

VLAN ID

Applies only to subinterfaces with encapsulation type DOT1Q.

The VLAN ID associated with this subinterface. The VLAN ID specifies where 802.1Q tagged packets are sent and received on this subinterface; without a VLAN ID, the subinterface cannot send or receive traffic. Valid values range from 1 to 4094.

Note All VLAN IDs must be unique among all subinterfaces configured on the same physical interface.

Tip To configure DOT1Q encapsulation on an Ethernet interface without associating the VLAN with a subinterface, enter the vlan-id dot1q command using CLI commands or FlexConfigs. See Understanding FlexConfig Policies and Policy Objects, page 18-1. Configuring VLANs on the main interface increases the number of VLANs that can be configured on the router.

Native VLAN

Applies only when the encapsulation type is DOT1Q and you are configuring a physical interface that is meant to serve as an 802.1Q trunk interface. Trunking is a way to carry traffic from several VLANs over a point-to-point link between two devices.

When selected, the Native VLAN is associated with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) The native VLAN is the VLAN to which all untagged VLAN packets are logically assigned by default. This includes the management traffic associated with the VLAN. If no VLAN ID is defined, the default is 1.

For example, if the VLAN ID of this interface is 1, all incoming untagged packets and packets with VLAN ID 1 are received on the main interface and not on a subinterface. Packets sent from the main interface are transmitted without an 802.1Q tag.

When deselected, the Native VLAN is not associated with this interface.

Note The Native VLAN cannot be configured on a subinterface of the trunk interface. Be sure to configure the same Native VLAN value at both ends of the link; otherwise, traffic may be lost or sent to the wrong VLAN.

DLCI

Applies only to serial subinterfaces with Frame Relay encapsulation.

Enter the data-link connection identifier to associate with the subinterface. Valid values range from 16 to 1007.

Note Security Manager configures serial subinterfaces as point-to-point not multipoint.

Description

Additional information about the interface (up to 1024 characters).

Roles

The interface roles assigned to this interface. A message is displayed if no roles have yet been assigned.

Type

The type of interface. Your selection from this list forms the first part of the generated name, as displayed in the Result field. For more information, see Table 13-1 on page 13-13.

Card

The card related to the interface.

Note When defining a BVI interface, enter the number of the corresponding bridge group.

Slot

The slot related to the interface.

Port

The port related to the interface.

Note The information you enter in these fields forms the remainder of the generated name, as displayed in the Result field.

Result

The name generated by Security Manager from the information you entered for the interface type and location. The name displayed in this field is read-only.

Tip After closing this dialog box, you can edit the generated name in the Create Router Interface dialog box, if required.

Interface

The interface on which the advanced settings are defined. Enter the name of an interface or interface role, or click Select to select it. If the you want is not listed, click the Create button to create it.

Note The only advanced settings supported on Layer 2 interfaces are Max. Bandwidth, Load Interval, and CDP.

Max Bandwidth

The bandwidth value to communicate to higher-level protocols in kilobits per second (kbps). The value you define in this field is an informational parameter only; it does not affect the physical interface.

Load Interval

The length of time, in seconds, used to calculate the average load on the interface. Valid values range from 30 to 600 seconds, in multiples of 30 seconds. The default is 300 seconds (5 minutes). Load interval is not supported on subinterfaces.

Modify the default to shorten the length of time over which load averages are computed. You can do this if you want load computations to be more reactive to short bursts of traffic.

Load data is gathered every 5 seconds. This data is used to compute load statistics, including input/output rate in bits and packets per second, load, and reliability. Load data is computed using a weighted-average calculation in which recent load data has more weight in the computation than older load data.

Tip You can use this option to increase or decrease the likelihood of activating a backup interface; for example, a backup dial interface may be triggered by a sudden spike in the load on an active interface.

TCP Maximum Segment Size

The maximum segment size (MSS) of TCP SYN packets that pass through this interface. Valid values range from 500 to 1460 bytes. If you do not specify a value, the MSS is determined by the originating host.

This option helps prevent TCP sessions from being dropped as they pass through the router. Use this option when the ICMP messages that perform auto-negotiation of TCP frame size are blocked (for example, by a firewall). We highly recommend using this option on the tunnel interfaces of DMVPN networks.

For more information, see TCP MSS Adjustment at this URL:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html

Note Typically, the optimum MSS is 1452 bytes. This value plus the 20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE header add up to a 1500-byte packet that matches the MTU size for the Ethernet link.

Helper Addresses

The helper addresses that are used to forward User Datagram Protocol (UDP) broadcasts that are received on this interface. Enter one or more addresses or the names of the network/host objects, or click Select to select an object from a list or to create a new object.

By default, routers do not forward broadcasts outside of their subnet. Helper addresses provide a solution by enabling the router to forward certain types of UDP broadcasts as a unicast to an address on the destination subnet. For more information, see Understanding Helper Addresses, page 13-19.

Interface Throughput Delay

The expected delay for the interface in tens of microseconds (for example, 3000 translates to 30,000 microseconds). You can enter a value between 1 and 16777215, and the default varies by the type of interface.

Higher-level protocols might use delay information to make operating decisions. For example, IGRP can use delay information to differentiate between a satellite link and a land link. This setting is for informational purposes only and does not affect the actual delay on the interface.

Cisco Discovery Protocol settings

Settings related to the Cisco Discovery Protocol (CDP). CDP is a media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. It is primarily used to obtain protocol addresses of neighboring devices and to discover the platform of those devices. The options are:

•Enable CDP—Whether to enable the Cisco Discovery Protocol (CDP) on this interface. You cannot enable CDP on ATM interfaces.

•Log CDP Messages—On Ethernet interfaces, whether to log duplex mismatches for this interface.

Enable Redirect Messages

Whether to enable the sending of Internet Control Message Protocol (ICMP) redirect messages if the device is forced to resend a packet through the same interface on which it was received to another device on the same subnet. Redirect messages are sent when the device wants to instruct the originator of the packet to remove it from the route and substitute a different device that offers a more direct path to the destination.

Enable Unreachable Messages

Whether to enable the sending of ICMP unreachable messages. Unreachable messages are sent in two circumstances:

•If the interface receives a nonbroadcast packet destined for itself that uses an unknown protocol, the interface sends an ICMP unreachable message to the source.

•If the device receives a packet that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it sends an ICMP host unreachable message to the originator of the packet.

Note This is the only advanced setting supported by the null0 interface.

Enable Mask Reply Messages

Whether to enable the sending of ICMP mask reply messages. Mask reply messages are sent in response to mask request messages, which are sent when a device needs to know the subnet mask for a particular subnetwork.

Enable Maintenance Operation Protocol (MOP)

Whether to enable MOP on the interface. You can use MOP for utility services such as uploading and downloading system software, remote testing, and problem diagnosis.

Enable Virtual Fragment Reassembly (VFR)

Whether to enable virtual fragmentation reassembly (VFR) on this interface. VFR is a feature that enables the Cisco IOS Firewall to create dynamic ACLs that can protect the network from various fragmentation attacks. For more information, see Virtual Fragmentation Reassembly at this URL:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_virt_frag_reassm_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Enable Proxy ARP

Whether to enable proxy Address Resolution Protocol (ARP) on the interface. Proxy ARP, defined in RFC 1027, is the technique in which one host, usually a router, answers ARP requests intended for another machine, thereby accepting responsibility for routing packets to the real destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway.

Enable NBAR Protocol Discovery

Whether to enable network-based application recognition (NBAR) on this interface to discover traffic and keep traffic statistics for all protocols known to NBAR. Protocol discovery provides a method to discover application protocols traversing an interface so that QoS policies can be developed and applied to them. For more information, go to:

http://www.cisco.com/en/US/products/ps6616/products_qanda_item09186a00800a3ded.shtml

Enable Directed Broadcasts

ACL

Whether to have directed broadcast packets "exploded" as a link-layer broadcast when this interface is directly connected to the destination subnet. When deselected, directed broadcast packets that are intended for the subnet to which this interface is directly connected are dropped rather than being broadcast. This is the default.

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address on a different subnet from the node on which it originated. In such cases, the packet is forwarded as if it was a unicast packet until it reaches its destination subnet.

This option affects only the final transmission of the directed broadcast on its destination subnet; it does not affect the transit unicast routing of IP directed broadcasts.

If you enable directed broadcasts, you can apply an ACL to determine which directed broadcasts are permitted to be broadcast on the destination subnet. All other directed broadcasts destined for the subnet to which this interface is directly connected are dropped. Enter the name of a standard or extended ACL object, or click Select to select an object from a list or to create a new object.

Tip Because directed broadcasts, and particularly ICMP directed broadcasts, have been abused by malicious persons, we recommend deselecting this option on interfaces where directed broadcasts are not needed. When you enable directed broadcasts, apply an ACL to restrict their use.

Enable Unicast RFP

Whether to enable unicast reverse path forwarding (RFP) on the interface. When you enable Unicast RPF on an interface, the router examines all packets that are received on that interface. The router checks to make sure that the source address appears in the FIB, and takes action based on your unicast RFP settings. Use unicast RFP to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate DoS attacks based on source IP address spoofing. For more information on unicast RFP, see the description of the ip verify unicast source reachable-via command in the Cisco IOS Interface and Hardware Component Command Reference.

To enable unicast RFP, you must also globally enable Cisco Express Forwarding (CEF). For more information on CEF, see CEF Interface Settings on Cisco IOS Routers, page 13-22.

Mode

How strict to make unicast RFP:

•Loose Mode—The default. Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet if the source is reachable through any interface on the router.

Use loose mode on interfaces where asymmetric paths allow packets from valid source networks (networks contained in the FIB). For example, routers that are in the core of an ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router.

•Strict Mode—Examines incoming packets to determine whether the source address is in the FIB and permits the packet only if the source is reachable through the interface on which the packet was received.

Use strict mode on interfaces where only one path allows packets from valid source networks (networks contained in the FIB). Also, use strict mode when a router has multiple paths to a given network as long as the valid networks are switched through the incoming interfaces. Packets for invalid networks are dropped. For example, routers at the edge of the network of an ISP are likely to have symmetrical reverse paths. Strict mode is also applicable in certain multihomed situations, provided that optional Border Gateway Protocol (BGP) attributes, such as weight and local preference, are used to achieve symmetric routing.

Allow Use Of Default Route for RFP Verification

Whether to permit Unicast RPF to successfully match on prefixes that are known through the default route when determining whether to pass packets. Normally, sources found in the FIB but only by way of the default route are dropped.

Allow Self Ping

Whether to allow the router to ping its own interfaces. By default, when you enable Unicast RPF, packets that are generated by the router and destined to the router are dropped, thereby making certain troubleshooting and management tasks difficult to accomplish.

---

Caution Allowing self-ping opens a potential denial of service (DoS) hole.

---

ACL

(For Unicast RFP)

If you enable unicast RFP, you can apply an ACL to refine how packets are handled when a reverse path is not found. If you specify an ACL, when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Enter the name of a standard or extended ACL object, or click Select to select an object from a list or to create a new object.

Interface Name

The name of the IPS module interface. Enter the name or click Select to select the interface or interface role. If the object that you want is not listed, click the Create button to create it.

Fail Over Mode

How the module should handle traffic inspection during a module failure, either to fail open (passing all traffic without inspection) or fail closed (dropping all traffic). The default is fail open.

IPS Module Service Module Monitoring Settings table

The list of interfaces on the router that the IPS module should monitor.

The table shows the name of the interface or interface role, whether monitoring is inline or promiscuous, and whether an ACL is used to filter traffic for inspection on the interface. Inline mode puts the IPS module directly into the traffic flow, allowing it to stop attacks by dropping malicious traffic before it reaches the intended target. In promiscuous mode, packets do not flow through the sensor; the sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. If the ACL is matched, the matched traffic is not inspected.

•To add an interface to the table, click the Add button and fill in the IPS Monitoring Information Dialog Box.

•To edit the settings for an interface, select it and click the Edit button.

•To delete an interface, select it and click the Delete button.

Interface Name

A name of the interface or interface role that the module should monitor. Enter the name or click Select to select the interface or interface role. If the object that you want is not listed, click the Create button to create it.

Monitoring Mode

How the interface should be monitored:

•Inline mode—The IPS module is directly in the traffic flow, allowing it to stop attacks by dropping malicious traffic before it reaches the intended target.

•Promiscuous mode—Packets do not flow through the sensor; the sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet.

Access List

The name of the standard or extended access list policy object to use to filter traffic on this interface for inspection, if you want to apply one. A matched ACL causes traffic not to be inspected for that ACL. Click Select to select the ACL or to create a new one.

Enable Cisco Express Forwarding

Whether to enable CEF globally on the device. The option is greyed out if you cannot disable CEF on the device. You can configure other settings on the page only if you enable CEF globally.

CEF Network Accounting

These options are for configuring CEF accounting globally. If you collect accounting statistics, you can view them using the show ip cef command on the router. You can select the following options to enable different types of accounting:

•Enable Accounting for Traffic Through Non-Recursive Prefixes—For network prefixes with directly connected next hops, non-recursive accounting enables express forwarding of the collection of packets through a prefix.

•Enable Per-Prefix Accounting—Accounting statistics based on the packet's network prefix.

•Enable Prefix Length Accounting—Accounting statistics based on the network prefix length.

•Enable Load Balance Hash Accounting—When you use per-destination load balancing (the default), CEF uses a series of 16 hash buckets to distribute the available paths based on the source and destination addresses. Enabling load balance hash accounting provides per-hash-bucket counters.

CEF Interface Settings table

The interfaces on the router for which you are defining special CEF configurations. When you enable CEF globally, by default, all interfaces on the router enable CEF and use per-destination load balancing. Add interfaces to this table only if you want to configure different behavior for the interfaces.

The table shows the name of the interface or interface role, whether CEF is enabled or disabled, and whether the interface is load balancing based on destination or on a per-packet basis. For a detailed explanation of the fields, see CEF Interface Settings Dialog Box.

•To add an interface to the table, click the Add button.

•To edit the settings for an interface, select it and click the Edit button.

•To delete an interface, select it and click the Delete button.

Interface Name

The name of the interface or interface role for which you are configuring CEF. Enter the name or click Select to select the interface or interface role. If the object that you want is not listed, click the Create button to create it.

Enable CEF on Interface

Whether to enable CEF on the interface. CEF is enabled by default.

Load Balancing

How the interface should balance traffic, either per-destination or per-packet.

In per-destination load balancing, all packets for a given source-destination pair take the same path. In per-packet load balancing, packets for a given source-destination pair can take different equal-cost routes, and thus reach their destination out of order.

The default is to balance the load based on the destination of the traffic.

Interface

The interface role that the dialer interface uses.

Profile Name

The name of the dialer profile.

Dial Pool

The dialing pool that this dialer profile uses.

Dial Group

The dialer group that this dialer profile uses.

Interesting Traffic ACL

The ACL that defines which traffic can use this dialer profile.

Dial String

The phone number that the dialer calls.

Idle Timeout

The defined interval after which an uncontested idle line is disconnected.

Fast Idle

The defined interval after which a contested idle line is disconnected.

Add button

Opens the Dialer Profile Dialog Box. From here you can define a dialer profile.

Edit button

Opens the Dialer Profile Dialog Box. From here you can edit the selected dialer profile.

Delete button

Deletes the selected dialer profiles from the table.

Interface

The name of the interface role that the physical interface uses.

Pools

The dial pools related to this physical interface.

Switch Type

The ISDN switch type that the physical interface uses.

SPID1

The first service provider identifier (SPID) related to this interface.

SPID2

The second SPID related to this interface.

Add button

Opens the Dialer Physical Interface Dialog Box. From here you can define a dialer physical interface.

Edit button

Opens the Dialer Physical Interface Dialog Box. From here you can edit the selected dialer physical interface.

Delete button

Deletes the selected dialer physical interfaces from the table.

Name

A descriptive name for the dialer profile. This name enables you to assign the correct dialer pool to the physical interface. You can also use the profile name as a reference to the site to which this dialer interface serves as a backup.

Interface

The virtual dialer interface to associate with the dialer profile. Enter the name of an interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Pool ID

The dialer pool ID. Each pool can contain multiple physical interfaces and can be associated with multiple dialer interfaces. Each dialer interface, however, is associated with only one pool.

Group

The group ID, which identifies the dialer group that this dialer interface uses.

Interesting Traffic ACL

The extended, numbered ACL that defines which packets are permitted to initiate calls using this dialer profile. The valid ACL number range is 100 to 199.

Enter the name of the ACL object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Dialer String (Remote Phone Number)

The phone number of the destination that the dialer contacts.

Idle Timeout

The default amount of idle time before an uncontested line is disconnected. The default is 120 seconds.

Fast Idle Timeout

The default amount of idle time before a contested line is disconnected. The default is 20 seconds.

Line contention occurs when a busy line is requested to send another packet to a different destination.

ISDN BRI

The physical BRI interface associated with the dialer interface. Enter the name of an interface or interface role object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Pools

Associates dialer pools with a physical interface. Enter the names of one or more pools (as defined in the Dialer Profile Dialog Box), or click Select to display a selector. Use commas to separate multiple entries.

Switch Type

The ISDN switch type.

Options for North America are:

•basic-5ess—Lucent (AT&T) basic rate 5ESS switch

•basic-dms100—Northern Telecom DMS-100 basic rate switch

•basic-ni—National ISDN switches

Options for Australia, Europe, and the UK are:

•basic-1tr6—German 1TR6 ISDN switch

•basic-net3—NET3 ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system

•vn3—French VN3 and VN4 ISDN BRI switches

Option for Japan is:

•ntt—Japanese NTT ISDN switches

Option for Voice/PBX system is:

•basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931 ()

SPID1

Applies only when you select Basic-DMS-100, Basic-NI, or Basic-5ess as the switch type.

The service provider identifier (SPID) for the ISDN service to which the interface subscribes. Some service providers in North America assign SPIDs to ISDN devices when you first subscribe to an ISDN service. If you are using a service provider that requires SPIDs, your ISDN device cannot place or receive calls until it sends a valid assigned SPID to the service provider when accessing the switch to initialize the connection.

Valid SPIDs can contain up to 20 characters, including spaces and special characters.

Note We recommend that you do not enter a SPID for interfaces using the AT&T 5ESS switch type, even though they are supported.

SPID2

Applies only when you select DMS-100 or NI as the switch type.

The service provider identifier (SPID) for a second ISDN service to which the interface subscribes. Valid SPIDs can contain up to 20 alphanumeric characters (no spaces are permitted).

ATM Interface

The ATM interface on which ADSL settings are defined.

Interface Card

The type of device or ADSL interface card on which the ATM interface resides.

Bandwidth Change

Indicates whether the router makes dynamic adjustments to VC bandwidth as overall bandwidth changes. (This is relevant only when IMA groups are configured on the ATM interface.)

DSL Operating Mode

The DSL operating mode for this interface.

Tone Low

Indicates whether the interface is using the low tone set (carrier tones 29 through 48).

Add button

Opens the ADSL Settings Dialog Box. From here you can define the ADSL settings for a selected ATM interface.

Edit button

Opens the ADSL Settings Dialog Box. From here you can edit the selected ADSL definition.

Delete button

Deletes the selected ADSL definition from the table.

ATM Interface

The ATM interface on which ADSL settings are defined. Enter the name of an interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Note We recommend that you do not define an interface role that includes ATM interfaces from different interface cards. The different settings supported by each card type may cause deployment to fail.

Note You can create only one ADSL definition per interface.

Interface Card

The device type or the type of interface card installed on the router:

•[blank]—The interface card type is not defined.

•WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL over POTS (ordinary telephone lines).

•WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the router warns the DSLAM of imminent line drops when the router is about to lose power.)

•WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides ADSL over POTS with Dying Gasp support.

•HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that provides ADSL over POTS.

•HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that provides ADSL over ISDN.

•HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over POTS with an ISDN BRI port for backup.

•HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over ISDN with an ISDN BRI port for backup.

Interface Card (continued)

•857 ADSL—Cisco 857 Integrated Service Router with an ADSL interface.

•876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface.

•877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface.

•1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS.

•1802 ADSLoISDN—Cisco 1802 Integrated Services Router that provides ADSL over ISDN.

Note When discovering from a live device, the correct interface card type will already be displayed. If you did not perform discovery on a live device, or if Security Manager cannot detect the type of interface card installed on the device, this field displays "Unknown".

Allow bandwidth change on ATM PVCs

When selected, the router makes dynamic adjustments to VC bandwidth in response to changes in the overall bandwidth of the Inverse Multiplexing over ATM (IMA) group defined on the ATM interface.

When deselected, PVC bandwidth must be adjusted manually (using the CLI) whenever an individual physical link in the IMA group goes up or down.

DSL Operating Mode

The operating mode configured for this ADSL line:

•auto—Performs automatic negotiation with the DSLAM located at the central office (CO). This is the default.

•ansi-dmt—The line trains in ANSI T1.413 Issue 2 mode.

•itu-dmt—The line trains in G.992.1 mode.

•splitterless—The line trains in G.992.2 (G.Lite) mode.

•etsi—The line trains in ETSI (European Telecommunications Standards Institute) mode.

•adsl2—The line trains in G.992.3 (adsl2)mode.

•adsl2+—The line trains in G.992.5 (adsl2+) mode.

Note See Table 13-3 on page 13-26 for a description of the operating modes that are supported by each card type.

Use low tone set

When selected, the interface card uses carrier tones 29 through 48.

When deselected, the interface card uses carrier tones 33 through 56.

Note Leave this option deselected when the interface card is operating in accordance with Deutsche Telekom specification U-R2.

Name

The name of the DSL controller.

Description

An optional description of the controller.

Shutdown

Indicates whether the DSL controller is in shutdown mode.

Configure ATM Mode

Indicates whether the DSL controller has been set into ATM mode.

Line Termination

The line termination set for the router (CPE or CO).

DSL Mode

The operating mode defined for the DSL controller.

Line Mode

The line mode defined for the DSL controller.

Line Rate

The line rate (in kbps) defined for the DSL controller.

Note A value is displayed in this column only if the line mode is not set to Auto.

SNR Margin Current

The current signal-to-noise ratio on the controller.

SNR Margin Snext

The self near-end crosstalk (Snext) signal-to-noise ratio on the controller.

Add button

Opens the SHDSL Controller Dialog Box. From here you can define the settings for a DSL controller.

Edit button

Opens the SHDSL Controller Dialog Box. From here you can edit the selected DSL controller definition.

Delete button

Deletes the selected DSL controller definition from the table.

Name

The name of the controller. Enter a name manually, or click Select to display a dialog box for generating a name. See Controller Auto Name Generator Dialog Box.

Description

Additional information about the controller (up to 80 characters).

Shutdown

When selected, the DSL controller is in shutdown state. However, its definition is not deleted.

When deselected, the DSL controller is enabled. This is the default.

Configure ATM mode

When selected, sets the controller into ATM mode and creates an ATM interface with the same ID as the controller. This is the default. You must enable ATM mode and then perform rediscovery to configure ATM or PVCs on the device.

When deselected, ATM mode is disabled. No ATM interface is created on deployment.

Note You cannot remove ATM mode from a controller after it has been saved in Security Manager.

Line Termination

The line termination that is set for the router:

•CPE—Customer premises equipment. This is the default.

•CO—Central office.

DSL Mode

The DSL operating mode, including regional operating parameters, used by the controller:

•[blank]—The operating mode is not defined. (When deployed, the Annex A standard for North America is used.)

•A—Supports Annex A of the G.991.2 standard for North America.

•A-B—Supports Annex A or Annex B. Available only when the Line Term is set to CPE. The appropriate mode is selected when the line trains.

•A-B-ANFP—Supports Annex A or Annex B-ANFP. Available only when the Line Term is set to CPE. The appropriate mode is selected when the line trains.

•B—Supports Annex B of the G.991.2 standard for Europe.

•B-ANFP—Supports Annex B-ANFP (Access Network Frequency Plan).

Note The available DSL modes are dependent on the selected line termination.

Line Mode

The line mode used by the controller:

•auto—The controller operates in the same mode as the other line termination (2-wire line 0, 2-wire line 1, or 4-wire enhanced). This is the default for CPE line termination.

•2-wire—The controller operates in two-wire mode. This is the default for CO line termination.

•4-wire—The controller operates in four-wire mode.

Note You can select Auto only when you configure the controller as the CPE.

Line

Applies only when the Line Mode is defined as 2-wire.

The pair of wires to use:

•line-zero—RJ-11 pin 1 and pin 2. This is the default for CO line termination.

•line-one—RJ-11 pin 3 and pin 4.

Exchange Handshake

Applies only when the Line Mode is defined as 4-wire.

The type of handshake mode to use:

•[blank]—The handshake mode is not specified. (When deployed, the enhanced option is used.) This is the default.

•enhanced—Exchanges handshake status on both wire pairs.

•standard—Exchanges handshake status on the master wire pair only.

Line Rate

Does not apply when the Line Mode is defined as Auto.

The DSL line rate (in kbps) available for the SHDSL port:

•auto—The controller selects the line rate. This is available only in 2-wire mode.

•Supported line rates:

–For 2-wire mode: 192, 256, 320, 384, 448, 512, 576, 640, 704, 768, 832, 896, 960, 1024, 1088, 1152, 1216, 1280, 1344, 1408, 1472, 1536, 1600, 1664, 1728, 1792, 1856, 1920, 1984, 2048, 2112, 2176, 2240, and 2304.

–For 4-wire mode: 384, 512, 640, 768, 896, 1024, 1152, 1280, 1408, 1536, 1664, 1792, 1920, 2048, 2176, 2304, 2432, 2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456, 3584, 3712, 3840, 3968, 4096, 4224, 4352, 4480, and 4608.

Note Third-party equipment may use a line rate that includes an additional SHDSL overhead of 8 kbps for 2-wire mode or 16 kbps for 4-wire mode.

Current

The current signal-to-noise (SNR) ratio on the controller, in decibels (dB). Valid values range from -10 to 10 dB.

This option can create a more stable line by making the line train more than current noise margin plus SNR ratio threshold during training time. If any external noise is applied that is less than the set SNR margin, the line will be stable.

Note Select disable to disable the current SNR.

Snext

The Self Near-End Crosstalk (SNEXT) signal-to-noise ratio on the controller, in decibels. Valid values range from -10 to 10 dB.

This option can create a more stable line by making the line train more than SNEXT threshold during training time. If any external noise is applied that is less than the set SNEXT margin, the line will be stable.

Note Select disable to disable the SNEXT SNR.

Type

The type of interface. This field displays the value DSL and is read-only.

Card

The card related to the controller.

Slot

The slot related to the controller.

Port

The port related to the controller.

Note The information you enter in these fields forms the remainder of the generated name, as displayed in the Result field.

Result

The name generated by Security Manager from the information you entered for the controller location. The name displayed in this field is read-only.

Tip After closing this dialog box, you can edit the generated name in the SHDSL dialog box, if required.

ATM Interface

The ATM interface on which the PVC is defined.

Interface Card

The type of device or WAN interface card on which the ATM interface resides.

PVC ID

The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the PVC.

Settings

Additional settings configured for the PVC, including encapsulation, the number of PPPoE sessions, and the VPN service name.

QoS

Quality-of-service settings defined for the PVC, such as traffic shaping.

Protocol

The IP protocol mappings (static maps or Inverse ARP) configured for the PVC.

OAM

The F5 Operation, Administration, and Maintenance (OAM) loopback, continuity check, and AIS/RDI definitions configured for the PVC.

OAM-PVC

The OAM management cells that are configured for the PVC.

Add button

Opens the PVC Dialog Box. From here you can define a PVC.

Edit button

Opens the PVC Dialog Box. From here you can edit the selected PVC.

Delete button

Deletes the selected PVC from the table.

ATM Interface

The ATM interface on which the PVC is defined. Enter the name of an interface, subinterface, or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Note We strongly recommend not defining an interface role that includes ATM interfaces from different interface cards. The different settings supported by each card type may cause deployment to fail.

Interface Card

The type of WAN interface card installed on the router or the router type:

•[blank]—The interface card type is not defined.

•WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL over POTS (ordinary telephone lines).

•WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides ADSL over ISDN with Dying Gasp support. (With Dying Gasp, the router warns the DSLAM of imminent line drops when the router is about to lose power.)

•WIC-1ADSL-DG—A 1-port ADSL WAN interface card that provides ADSL over POTS with Dying Gasp support.

•HWIC-1ADSL—A 1-port high-speed ADSL WAN interface card that provides ADSL over POTS.

•HWIC-1ADSLI—A 1-port high-speed ADSL WAN interface card that provides ADSL over ISDN.

•HWIC-ADSL-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over POTS with an ISDN BRI port for backup.

•HWIC-ADSLI-B/ST—A 2-port high-speed ADSL WAN interface card that provides ADSL over ISDN with an ISDN BRI port for backup.

•WIC-1-SHDSL-V2—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and enhanced 4-wire mode.

•WIC-1-SHDSL-V3—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and 4-wire mode (standard & enhanced).

•NM-1A-T3—A 1-port ATM network module with a T3 link.

•NM-1A-OC3-POM—A 1-port ATM network module with an optical carrier level 3 (OC-3) link and three operating modes (multimode, single-mode intermediate reach (SMIR), and single-mode long-reach (SMLR)).

Interface Card (continued)

•NM-1A-E3—A 1-port ATM network module with an E3 link.

•857 ADSL—Cisco 857 Integrated Service Router with an ADSL interface.

•876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface.

•877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface.

•878 G.SHDSL—Cisco 878 Integrated Services Router with a G.SHDSL interface.

•1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS.

•1802 ADSLoISDN—Cisco 1802 Integrated Services Router that provides ADSL over ISDN.

•1803 G.SHDSL—Cisco 1803 Integrated Services Router that provides 4-wire G.SHDSL.

Note To ensure proper policy validation, we highly recommend that you define a value in this field. When you discover a live device, the correct interface card type will already be displayed. If you did not perform discovery on a live device, or if Security Manager cannot detect the type of interface card installed on the device, this field displays "Unknown".

Settings tab

Defines basic PVC settings, such as the VPI/VCI and encapsulation. See PVC Dialog Box—Settings Tab.

QoS tab

Defines ATM traffic shaping and other quality-of-service settings for the PVC. See PVC Dialog Box—QoS Tab.

Protocol tab

Defines the IP protocol mappings configured for the PVC (static maps or Inverse ARP). See PVC Dialog Box—Protocol Tab.

Advanced button

Defines F5 Operation, Administration, and Maintenance (OAM) settings for the PVC. See PVC Advanced Settings Dialog Box—OAM Tab.

VPI

The virtual path identifier of the PVC. In conjunction with the VCI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values for most platforms range from 0 to 255.

For Cisco 2600 and 3600 Series routers using Inverse Multiplexing for ATM (IMA), valid values range from 0 to 15, 64 to 79, 128 to 143, and 192 to 207.

Note VPI/VCI values must be unique for all the PVCs configured on a selected interface. VPI/VCI values are unique to a single link only and might change as cells traverse the ATM network.

VCI

The 16-bit virtual channel identifier of the PVC. In conjunction with the VPI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values vary by platform. Typically, values up to 31 are reserved for special traffic (such as ILMI) and should not be used. 3 and 4 are invalid.

Note VPI/VCI values must be unique for all the PVCs configured on a selected interface. VPI/VCI values are unique to a single link only and might change as cells traverse the ATM network.

Handle

An optional name to identify the PVC. The maximum length is 15 characters.

Management PVC (ILMI)

Does not apply when configuring the PVC on a subinterface.

When selected, designates this PVC as the management PVC for this ATM interface by enabling communication with the Interim Local Management Interface (ILMI). ILMI is a protocol defined by the ATM Forum for setting and capturing physical layer, ATM layer, virtual path, and virtual circuit parameters on ATM interfaces. See Understanding ILMI, page 13-33.

When deselected, this PVC does not act as the management PVC. This is the default.

Note The VPI/VCI for the management PVC is typically set to 0/16.

Type

Does not apply when the Management PVC (ILMI) check box is enabled.

The ATM adaptation layer (AAL) and encapsulation type to use on the PVC:

•[blank]—The encapsulation type is not defined. (When deployed, aal5snap is applied.)

•aal2—For PVCs dedicated to AAL2 Voice over ATM. AAL2 is used for variable bit rate (VBR) traffic, which can be either realtime (VBR-RT) or non-realtime (VBR-NRT).

•aal5autoppp—Enables the router to distinguish between incoming PPP over ATM (PPPoA) and PPP over Ethernet (PPPoE) sessions and create virtual access for both PPP types based on demand.

•aal5ciscoppp—For the proprietary Cisco version of PPP over ATM.

•aal5mux—Enables you to dedicate the PVC to a single protocol, as defined in the Protocol field.

•aal5nlpid—Enables ATM interfaces to work with High-Speed Serial Interfaces (HSSI) that are using an ATM data service unit (ADSU) and running ATM-Data Exchange Interface (DXI).

•aal5snap—Supports Inverse ARP and incorporates the Logical Link Control/Subnetwork Access Protocol (LLC/SNAP) that precedes the protocol datagram. This allows multiple protocols to traverse the same PVC.

Virtual Template

The virtual template used for PPP over ATM on this PVC. Enter the name of a virtual template interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

When a user dials in, the virtual template is used to configure a virtual access interface. When the user is done, the virtual access interface goes down and the resources are freed for other dial-in users.

Note If you modify the virtual template settings on an existing PVC, you must enter the shutdown command followed by the no shutdown command on the ATM subinterface to restart the interface. This causes the newly configured parameters to take effect.

Protocol

Applies only when aal5mux is the defined encapsulation type.

The protocol carried by the MUX-encapsulated PVC:

•frame-relay—Frame-Relay-ATM Network Interworking (FRF.5) on the Cisco MC3810.

•fr-atm-srv—Frame-Relay-ATM Service Interworking (FRF.8) on the Cisco MC3810.

•ip—IP protocol.

•ppp—IETF-compliant PPP over ATM. You must specify a virtual template when using this protocol type.

•voice—Voice over ATM.

Enable ILMI

When selected, enables ILMI management on this PVC.

When deselected, ILMI management on this PVC is disabled.

Inverse ARP

When selected, the Inverse Address Resolution Protocol (Inverse ARP) is enabled on the PVC.

When deselected, Inverse ARP is disabled. This is the default.

Inverse ARP is used to learn the Layer 3 addresses at the remote ends of established connections. These addresses must be learned before the virtual circuit can be used.

Note Use the Protocol tab to define static mappings of IP addresses instead of dynamically learning the addresses using Inverse ARP. See PVC Dialog Box—Protocol Tab.

PPPoE Max Sessions

The maximum number of PPP over Ethernet sessions that are permitted on the PVC.

VPN Service Name

The static domain name to use on this PVC. The maximum length is 128 characters.

Use this option when you want PPP over ATM (PPPoA) sessions in the PVC to be forwarded according to the domain name supplied, without starting PPP.

Tx Ring Limit

The maximum number of transmission packets that can be placed on a transmission ring on the WAN interface card (WIC) or interface.

The range of valid values depends on the type of interface card selected in the Settings tab. See PVC Dialog Box—Settings Tab.

Traffic Shaping

The type of service to define on the PVC:

•[null]—The bit rate is not defined.

•ABR—Available Bit Rate. A best-effort service suitable for applications that do not require guarantees against cell loss or delays.

•CBR—Constant Bit Rate service. Delay-sensitive data, such as voice or video, is sent at a fixed rate, providing a service similar to a leased line.

•UBR—Unspecified Bit Rate service. A best-effort service suitable for applications that are tolerant to delay and do not require realtime responses.

•UBR+—Unspecified Bit Rate service. Unlike UBR, UBR+ attempts to maintain a guaranteed minimum rate.

•VBR-NRT—Variable Bit Rate - Non-Real Time service. A service suitable for non-realtime applications that are bursty in nature. VBR is more efficient than CBR and more reliable than UBR.

•VBR-RT—Variable Bit Rate - Real Time service. A service suitable for realtime applications that are bursty in nature.

For more information about each service class, see Understanding ATM Service Classes, page 13-32.

ABR

The following fields are displayed when ABR is selected as the Bit Rate:

•PCR—The peak cell rate in kilobits per second (kbps). It specifies the maximum value of the ABR.

•MCR—The minimum cell rate in kilobits per second (kbps). It specifies the minimum value of the ABR.

The ABR varies between the MCR and the PCR. It is dynamically controlled using congestion control mechanisms.

CBR

The following field is displayed when CBR is selected as the Bit Rate:

•Rate—The constant bit rate (also known as the average cell rate) for the PVC in kilobits per second (kbps). An ATM VC configured for CBR can send cells at this rate for as long as required.

UBR

The following field is displayed when UBR is selected as the Bit Rate:

•PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.

UBR+

The following fields are displayed when UBR+ is selected as the Bit Rate:

•PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.

•MCR—The minimum guaranteed cell rate for output in kilobits per second (kbps). Traffic is always allowed to be sent at this rate.

Note UBR+ requires Cisco IOS Software Release 12.4(2)XA or later, or version 12.4(6)T or later.

VBR-NRT

The following fields are displayed when VBR-NRT is selected as the Bit Rate:

•PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded.

•SCR—The sustained cell rate for output in kilobits per second (kbps). This value, which must be lower than or equal to the PCR, represents the maximum rate at which cells can be transmitted without incurring data loss.

•MBS—The maximum burst cell size for output. This value represents the number of cells that can be transmitted above the SCR but below the PCR without penalty.

VBR-RT

The following fields are displayed when VBR-RT is selected as the Bit Rate:

•Peak Rate—The peak information rate for realtime traffic in kilobits per second (kbps).

•Average Rate—The average information rate for realtime traffic in kilobits per second (kbps). This value must be lower than or equal to the peak rate.

•Burst—The burst size for realtime traffic, in number of cells. Configure this value if the PVC carries bursty traffic.

These values configure traffic shaping between realtime traffic (such as voice and video) and data traffic to ensure that the carrier does not discard realtime traffic, for example, voice calls.

Random Detect

When selected, enables Weighted Random Early Detection (WRED) or VIP-distributed WRED (DWRED) on the PVC.

When deselected, WRED and DWRED are disabled. This is the default.

WRED is a queue management method that selectively drops packets as the interface becomes congested. See Tail Drop vs. WRED, page 13-102.

IP Protocol Mapping

Displays the IP protocol mappings configured for the PVC.

Add button

Opens the Define Mapping Dialog Box. From here you can define an IP protocol mapping.

Edit button

Opens the Define Mapping Dialog Box. From here you can edit the selected mapping.

Delete button

Deletes the selected mapping from the table.

IP Options

The type of IP protocol mapping to use:

•IP Address—Select this option when using static mapping. Enter the address or the name of a network/host object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

•InARP—Inverse ARP. Select this option when using dynamic mapping. This allows the PVC to resolve its own network addresses without configuring a static map. Dynamic mappings age out and are refreshed periodically every 15 minutes by default.

Note InARP can be used only when aal5snap is the defined encapsulation type for the PVC. See PVC Dialog Box—Settings Tab.

Broadcast Options

Indicates whether to use this map entry when sending IP broadcast packets (such as EIGRP updates):

•Broadcast—The map entry is used for broadcast packets.

•No Broadcast—The map entry is used only for unicast packets.

•None—Broadcast options are disabled.

OAM tab

Defines loopback, connectivity check, and AIS/RDI settings. See PVC Advanced Settings Dialog Box—OAM Tab.

OAM-PVC tab

Enables OAM loopbacks and connectivity checks on the PVC. See PVC Advanced Settings Dialog Box—OAM-PVC Tab.

Enable OAM Retry

When selected, OAM management settings can be defined.

When deselected, OAM management settings cannot be defined.

Note If Enable OAM Management is deselected in the OAM-PVC tab, these settings are saved in the device configuration but are not applied.

Down Count

The number of consecutive, unreceived, end-to-end loopback cell responses that cause the PVC to move to the down state. The default is 3.

Up Count

The number of consecutive end-to-end loopback cell responses that must be received in order to move the PVC to the up state. The default is 5.

Retry Frequency

The interval between loopback cell verification transmissions in seconds. The default is 1 second.

If a PVC is up and a loopback cell response is not received within the specified interval (as defined in the Frequency field of the PVC-OAM tab), loopback cells are transmitted at the frequency defined here to verify whether the PVC is down. If the number of consecutive cells that do not receive a response matches the defined down count, the PVC is moved to the down state.

Enable AIS-RDI Detection

When selected, alarm indication signal (AIS) cells and remote defect indication (RDI) cells are used to report connectivity failures at the ATM layer of the PVC.

When deselected, AIS/RDI cells are disabled.

AIS cells notify downstream devices of the connectivity failure. The last ATM switch then generates RDI cells in the upstream direction towards the device that sent the original failure notification.

Down Count

The number of consecutive AIS/RDI cells that cause the PVC to go down. Valid values range from 1 to 60. The default is 1.

Up Count

The number of seconds after which a PVC is brought up if no AIS/RDI cells are received. Valid values range from 3 to 60 seconds. The default is 3.

Enable Segment Continuity Check

When selected, OAM F5 continuity check (CC) activation and deactivation requests are sent to a device at the other end of a segment.

When deselected, segment CC activation and deactivation requests are disabled.

Note If Configure Continuity Check is deselected in the OAM-PVC tab, these settings are saved in the device configuration but are not applied.

Activation Count

The maximum number of times that the activation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.

Deactivation Count

The maximum number of times that the deactivation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.

Retry Frequency

The interval between activation/deactivation retries, in seconds. The default is 30 seconds.

Enable End-to-End Continuity Check

When selected, OAM F5 continuity check (CC) activation and deactivation requests are sent to a device at the other end of the PVC.

When deselected, segment CC activation and deactivation requests are disabled.

Note If Configure Continuity Check is deselected in the OAM-PVC tab, these settings are saved in the device configuration but are not applied.

Activation Count

The maximum number of times that the activation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.

Deactivation Count

The maximum number of times that the deactivation request is sent before the receipt of an acknowledgement. Valid values range from 3 to 600. The default is 3.

Retry Frequency

The interval between activation/deactivation retries, in seconds. The default is 30 seconds.

Enable OAM Management

When selected, OAM loopback cell generation and OAM management are enabled on the PVC.

When deselected, OAM loopback cells and OAM management are disabled. However, continuity checks can still be performed.

Frequency

The interval between loopback cell transmissions. Valid values range from 0 to 600 seconds.

Segment Continuity Check

The current configuration of OAM F5 continuity checks performed on PVC segments:

•None—Segment continuity checks (CC) are disabled.

•Deny Activation Requests—The PVC rejects activation requests from peer devices, which prevents OAM F5 CC management from being activated on the PVC.

•Configure Continuity Check—Segment CCs are enabled on the PVC. The router on which CC management is configured sends a CC activation request to the router at the other end of the segment, directing it to act as either a source or a sink.

Segment CCs occur on a PVC segment between the router and a first-hop ATM switch.

Direction

Applies only when CC management is enabled.

The direction in which CC cells are transmitted:

•both—CC cells are transmitted in both directions.

•sink—CC cells are transmitted toward the router that initiated the CC activation request.

•source—CC cells are transmitted away from the router that initiated the CC activation request.

Keep VC up after segment failure

When selected, the PVC is kept in the up state when CC cells detect connectivity failure.

When deselected, the PVC is brought down when CC cells detect connectivity failure.

Keep VC up after end-to-end failure

When selected, specifies that if AIS/RDI cells are received, the PVC is not brought down because of end CC failure or loopback failure.

When deselected, the PVC is brought down because of end CC failure or loopback failure.

End-to-End Continuity Check

The current configuration of OAM F5 end-to-end continuity checks on the PVC:

•None—End-to-end continuity checks (CC) are disabled.

•Deny Activation Requests—The PVC rejects activation requests from peer devices, which prevents OAM F5 CC management from being activated on the PVC.

•Configure Continuity Check—End-to-end CCs are enabled on the PVC. The router on which CC management is configured sends a CC activation request to the router at the other end of the connection, directing it to act as either a source or a sink.

End-to-end CC monitoring is performed on the entire PVC between two ATM end stations.

Direction

Applies only when CC management is enabled.

The direction in which CC cells are transmitted:

•both—CC cells are transmitted in both directions.

•sink—CC cells are transmitted toward the router that initiated the CC activation request.

•source—CC cells are transmitted away from the router that initiated the CC activation request.

Keep VC up after end-to-end failure

When selected, the PVC is kept in the up state when CC cells detect connectivity failure.

When deselected, the PVC is brought down when CC cells detect connectivity failure.

Keep VC up after segment failure

When selected, specifies that if AIS/RDI cells are received, the PVC is not brought down because of a segment CC failure.

When deselected, the PVC is brought down because of a segment CC failure.

Interface

The interface that is configured for PPP/MLP.

Authentication

The types of authentication used on the PPP connection.

Authorization

The method list used for AAA authorization on the PPP connection.

Multilink

Indicates whether Multilink PPP (MLP) is enabled on this PPP connection.

Endpoint

The type of default endpoint discriminator to use when negotiating the use of MLP with the peer.

Multiclass

Indicates whether the Multiclass Multilink PPP (MCMP) feature is enabled on this PPP connection.

Group

The number of the multilink-group interface to which the physical link is restricted.

Interleave

Indicates whether the PPP multilink interleave feature is enabled on this PPP connection.

Add button

Opens the PPP Dialog Box. From here you can define the authentication and multilink settings for the PPP connection.

Edit button

Opens the PPP Dialog Box. From here you can edit the selected PPP connection.

Delete button

Deletes the selected PPP connection from the table.

Interface

The interface on which PPP encapsulation is enabled. Enter the name of an interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

The following interface types support PPP:

•Async

•Group-Async

•Serial

•High-Speed Serial Interface (HSSI)

•Dialer

•BRI, PRI (ISDN)

•Virtual template

•Multilink

You cannot define PPP on:

•Subinterfaces.

•Serial interfaces with Frame Relay encapsulation.

•Virtual template interfaces defined as Ethernet or tunnel types (serial is supported).

Note You can define only one PPP connection per interface.

Note Deployment might fail if you define PPP on a virtual template that is also used in an 802.1x policy. See 802.1x Policy Page.

PPP tab

Defines the type of authentication and authorization to perform on the PPP connection. See PPP Dialog Box—PPP Tab.

MLP tab

Defines how to split and recombine sequential datagrams across multiple logical data links using Multilink PPP (MLP). See PPP Dialog Box—MLP Tab.

This tab is greyed out and cannot be opened for devices that do not support the configuration settings.

PPP Encapsulation

When selected, indicates that PPP encapsulation is enabled for the selected interface. This field is read-only.

Protocol

The authentication protocols to use:

•CHAP—Challenge-Handshake Authentication Protocol.

•PAP—Password Authentication Protocol.

•MS-CHAP—Version 1 of the Microsoft version of CHAP (RFC 2433).

•MS-CHAP-2—Version 2 of the Microsoft version of CHAP (RFC 2759).

•EAP—Extensible Authentication Protocol.

You may select one or more authentication protocols, as required.

Options

The authentication options to use:

•Call In—When selected, authentication is performed on incoming calls.

•Call Out—When selected, authentication is performed on outgoing calls.

•Call Back—When selected, authentication is performed on callback.

•One Time—When selected, one-time passwords are used for authentication. One-time passwords are considered highly secure since each one is used only once. When deselected, one-time passwords are not used.

Note AAA authentication must be enabled in order to use one-time passwords. See AAA Policy Page. One-time passwords cannot be used with CHAP.

•Optional—When selected, allows a mobile station in a Packet Data Serving Node (PDSN) configuration to receive Simple IP and Mobile IP services without using CHAP or PAP.

When deselected, mobile stations must use CHAP or PAP to receive Simple IP and Mobile IP services.

Authenticate Using

AAA authentication settings for the PPP connection:

•PPP Default List—Defines a default list of methods to be queried when authenticating a user for PPP. Enter the names of one or more AAA server group objects (up to four) in the Prioritized Method List field, or click Select to select it. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Tip After you create the default list for one PPP connection, you can use it for other PPP connections on this device.

•Prioritized Method List—Defines a sequential list of methods to be queried when authenticating a user for this PPP connection only.

Note Leave this field blank to perform authentication using the local database on the router.

Username

The username to send in PAP authentication requests. The username is case sensitive.

Password

The password to send in PAP authentication requests. Enter the password again in the Confirm field. The password can contain 1 to 25 uppercase or lowercase alphanumeric characters. The password is case sensitive.

The username and password are sent if the peer requests the router to authenticate itself using PAP.

Encrypted Password

When selected, this indicates that the password you entered is already encrypted.

When deselected, this indicates that the password you entered is in clear text.

Hostname

By default, the router uses its hostname to identify itself to the peer. If required, you can enter a different hostname to use for all CHAP challenges and responses. For example, use this field to specify a common alias for all routers in a rotary group.

Secret

The secret used to compute the response value for any CHAP challenge from an unknown peer. Enter the secret again in the Confirm field.

Encrypted Secret

When selected, this indicates that the password you entered is already encrypted. When deselected, this indicates that the password you entered is in clear text.

Authorize Using

AAA authorization settings for the PPP connection:

•AAA Policy Default List—Uses the default authorization method list that is defined in the device's AAA policy. See AAA Policy Page.

•Prioritized Method List—Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select it. Use the up and down arrows to define the order in which selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Note Leave this field blank to perform authorization using the local database on the router.

Enable Multilink PPP (MLP)

When selected, MLP is enabled on this PPP connection.

When deselected, MLP is disabled.

Allow Multiple Data Classes

When selected, enables multiple data classes on the MLP bundle. Delay-sensitive traffic is placed into Class 1, where it can be interleaved but never fragmented. Normal data traffic is placed into Class 0, which is subject to fragmentation just as regular multilink packets are.

When deselected, all traffic is subject to fragmentation.

Enable Interleaving of Packets Among Fragments of Larger Packets

When selected, enables the interleaving of packets among the fragments of larger packets on the MLP bundle.

Note If you enable interleaving without defining a fragment delay, the default delay of 30 seconds is configured. This value does not appear in Security Manager or in the device configuration.

When deselected, interleaving is disabled.

Note Serial interfaces do not support interleaving.

Multilink Group

Applies only to serial, Group-Async, and multilink interfaces.

Restricts the physical link to the selected multilink-group interface. Enter the name of a multilink interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

This option is typically used in static leased-line environments, where the remote systems to which the device's serial lines are connected are known in advance.

In effect, this option dedicates a specific interfaces to a particular user, even when that user is not connected. If a peer at the other end of the link tries to join a different bundle, the connected is severed.

Maximum Fragment Delay

The maximum amount of time that should be required to transmit a fragment on the MLP bundle. Valid values range from 1 to 1000 milliseconds.

Fragment size is determined by the defined fragment delay and the bandwidth of the links.

Note Serial interfaces do not support this feature.

Endpoint Type

The identifier used by the router when transmitting packets on the MLP bundle:

•[null]—Negotiation is conducted without using an endpoint discriminator. (No CLI command is generated.)

•Hostname—The hostname of the router. This option is useful when multiple routers are using the same username to authenticate but have different hostnames.

•IP—A defined IP address. Enter the address or the name of a network/host object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

•MAC—The MAC address of a specific interface. Enter the name of the interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

•None—Negotiation is conducted without using an endpoint discriminator. (The relevant CLI command is generated, but no endpoint discriminator is provided.) This option is useful when the router is connected to a malfunctioning peer that does not handle the endpoint discriminator properly.

•Phone—An E.164-compliant telephone number. Enter the number in the field displayed.

•String—A character string. Enter the string in the field displayed.

The default endpoint discriminator is either the globally configured hostname, or the PAP username or CHAP hostname (depending on the authentication protocol being used), if you have configured those values on the PPP tab.

MRRU Local Peer

The maximum receive reconstructed unit (MRRU) value of the local peer. This value represents the maximum size packet that the local router is capable of receiving.

Valid values range from 128 to 16384 bytes. The default is the maximum transmission unit (MTU) of the multilink group interface and 1524 bytes for all other interfaces.

MRRU Remote Peer

The maximum receive reconstructed unit (MRRU) value of the remote peer. This value represents the maximum size packet that the remote peer is capable of receiving.

Valid values range from 128 to 16384 bytes. The default is 1524 bytes.

Maximum FIFO Queue Size

The maximum queue depth when the bundle uses first-in, first-out (FIFO) queuing. Valid values range from 2 to 255 packets. The default is 8.

Maximum QoS Queue Size

The maximum queue depth when the bundle uses non-FIFO queuing. Valid values range from 2 to 255 packets. The default is 2.

Authentication tab

Defines the login authentication methods to use and the sequence in which to use them. See AAA Page—Authentication Tab.

Authorization tab

Defines the types of network, EXEC, and command authorization to perform and the methods to use for each type. See AAA Page—Authorization Tab.

Accounting tab

Defines types of connection, EXEC, and command accounting to perform and the methods to use for each type. See AAA Page—Accounting Tab.

Enable Device Login Authentication

When selected, enables the authentication of all users when they log in to the device, using the methods defined in the method list.

When deselected, authentication is not performed.

Prioritized Method List

Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Supported methods include Line, Local, Kerberos, RADIUS, TACACS+, and None.

Note If you select None as a method, it must appear as the last method in the list.

Maximum Number of Attempts

The maximum number of unsuccessful authentication attempts before a user is locked out. This feature is disabled by default. Valid values range from 1 to 65535.

Note From the standpoint of the user, there is no distinction between a normal authentication failure and an authentication failure due to being locked out. The system administrator has to explicitly clear the status of a locked-out user using clear commands.

Enable Network Authorization

When selected, enables the authorization of network connections, such as PPP, SLIP, or ARAP connections, using the methods defined in the method list.

When deselected, network authorization is not performed.

Prioritized Method List

Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Supported methods include RADIUS, TACACS+, Local, and None.

Note RADIUS uses the same server for authentication and authorization. Therefore, if you use define a RADIUS method list for authentication, you must define the same method list for authorization.

Note If you select None as a method, it must appear as the last method in the list.

Enable CLI/EXEC Operations Authorization

When selected, this type of authorization determines whether the user is permitted to open an EXEC (CLI) session, using the methods defined in the method list.

When deselected, EXEC authorization is not performed.

Prioritized Method List

Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Privilege Level

The privilege level to which the command authorization definition applies.

Prioritized Method List

The method list to use when authorizing users with this privilege level.

Add button

Opens the Command Authorization Dialog Box. From here you can configure a command authorization definition.

Edit button

Opens the Command Authorization Dialog Box. From here you can edit the command authorization definition.

Delete button

Deletes the selected command authorization definitions from the table.

Privilege Level

The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.

Prioritized Method List

Defines a sequential list of methods to be used when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Supported methods include TACACS+, Local, and None.

Note If you select None as a method, it must appear as the last method in the list.

Enable Connection Accounting

When selected, enables the recording of information about outbound connections (such as Telnet) made over this device, using the methods defined in the method list.

When deselected, connection accounting is not performed.

Generate Accounting Records for

Defines when the device sends an accounting notice to the accounting server:

•Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the "start" accounting record.

•Stop Only—Generates an accounting record at the end of the user process only.

•None—Disables this type of accounting.

Prioritized Method List

Defines a sequential list of methods to be queried when creating connection accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

Supported methods include RADIUS and TACACS+.

Enable Broadcast to Multiple Servers

When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.

When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.

Enable CLI/EXEC Operations Accounting

When selected, enables the recording of basic information about user EXEC sessions, using the methods defined in the method list.

When deselected, EXEC accounting is not performed.

Generate Accounting Records for

See description Table M-98 on page M-100.

Prioritized Method List

Defines a sequential list of methods to be queried when creating connection accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

Enable Broadcast to Multiple Servers

When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.

Privilege Level

The privilege level to which the command authorization definition applies.

Generate Accounting Records for

The points in the process where the device sends an accounting notice to the accounting server.

Enable Broadcast

Whether accounting records are broadcast to multiple servers simultaneously.

Prioritized Method List

The method list to use when authorizing users with this privilege level.

Add button

Opens the Command Accounting Dialog Box. From here you can configure a command accounting definition.

Edit button

Opens the Command Accounting Dialog Box. From here you can edit the command accounting definition.

Delete button

Deletes the selected command accounting definitions from the table.

Privilege Level

The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.

Generate Accounting Records for

Defines when the device sends an accounting notice to the accounting server:

•Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the "start" accounting record.

•Stop Only—Generates an accounting record at the end of the user process only.

•None—No accounting records are generated.

Prioritized Method List

Defines a sequential list of methods to be used when creating accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

TACACS+ is the only supported method, but you can select multiple AAA server groups configured with TACACS+.

Note If you select None as a method, it must appear as the last method in the list.

Enable Broadcast to Multiple Servers

When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.

When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.

Enable Secret Password

The enable secret password for entering privileged EXEC mode on the router. This option offers better security than the Enable Password option.

The enable secret password can contain between 1-25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored. Question marks are also allowed.

Note You can discover an encrypted password, but any password you enter must be in clear text. If you modify an encrypted password, it is saved as clear text.

Note After you set an enable secret password, you can switch to an enable password only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image.

Enable Password

The enable password for entering privileged EXEC mode on the router.

The enable password can contain between 1-25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored. Question marks are also allowed.

Note You must enter the password in clear text.

Enable Password Encryption Service

When selected, encrypts all passwords on the device, including the enable password (which is otherwise saved in clear text).

For example, use this option to encrypt username passwords, authentication key passwords, console and VTY line access passwords, and BGP neighbor passwords. This command is primarily used for keeping unauthorized individuals from viewing your passwords in your configuration file.

When deselected, device passwords are stored unencrypted in the configuration file.

Note This option does not provide a high level of network security. You should also take additional network security measures.

Username

The username that can be used to access the router. The username must be a single word up to 64 characters in length. Spaces and quotation marks are not allowed.

Encryption

Indicates whether password information for the user is encrypted using MD5 encryption.

Privilege Level

The privilege level assigned to the user.

Add button

Opens the User Account Dialog Box. From here you can define a user account.

Edit button

Opens the User Account Dialog Box. From here you can edit the selected user.

Delete button

Deletes the selected user accounts from the table.

Username

The username for accessing the router.

Password

The password for accessing the router with this user account.

Note You can discover an encrypted password, but any password you enter must be in clear text.

Confirm

Confirms the password for this user account.

Encrypt password using MD5

When selected, uses MD5 encryption to encrypt the password for this user account. This is the default.

When deselected, the password is sent to the router unencrypted.

Privilege Level

The privilege level assigned to the user account. Valid values range from 0 to 15:

•0—Grants access to these commands only: disable, enable, exit, help, and logout.

•1—Enables nonprivileged access to the router (normal EXEC-mode use privileges).

•15—Enables privileged access to the router (traditional enable privileges).

Note Levels 2-14 are not normally used in a default configuration, but custom configurations can be created by moving commands that are normally at level 15 to a lower level and commands that are normally at level 1 to a higher level. You can configure the privilege levels of commands using the CLI or by defining a FlexConfig.

Group Number

The number that identifies the bridge group.

Group Interfaces

The interfaces and interface roles that are included in the bridge group.

Add button

Opens the Bridge Group Dialog Box. From here you can define a bridge group.

Edit button

Opens the Bridge Group Dialog Box. From here you can edit the bridge group.

Delete button

Deletes the selected bridge groups from the table.

Group Number

The number assigned to the bridge group. Valid values range from 1 to 255.

Group Interfaces

The interfaces that are included in the bridge group. Enter the name of one or more interfaces and interface roles, or click Select to select them. If the object that you want is not listed, click the Create button to create it.

You can select most Layer 3 interfaces, including serial interfaces, provided the serial interface is configured with high-level data link control (HDLC) or Frame Relay encapsulation. Each interface can belong to only one bridge group.

You can select a LAN subinterface only if the parent interface is configured with Inter-Switch Link (ISL) or 802.1Q encapsulation.

Note Certain types of interfaces, such as loopback, tunnel, null, and BVI, cannot be bridged.

Note Make sure that your bridge group does not prevent Security Manager from communicating with the device.

Device Time Zone

The time zone in which the router is located, expressed in relation to GMT (Greenwich Mean Time), also known as UTC (Coordinated Universal Time).

Daylight Savings Time (Summer Time)

The type of DST to apply to the local time on the router:

•Set by Date—Enables you to define the exact date and time when DST begins and ends.

•Set by Day—Enables you to define the relative recurring date and time when DST begins and ends. For example, you can use this option when DST begins the last Sunday of March and ends the last Sunday of October.

•None—Daylight savings time is not used.

Start

The date and time when DST begins:

•Date—Click the calendar icon to select the start date.

•Hour—Select the start hour.

•Minute—Select the start minute.

End

The date and time when DST ends:

•Date—Click the calendar icon to select the end date.

•Hour—Select the end hour.

•Minute—Select the end minute.

Note Cisco IOS Software supports dates up to and including December 31st, 2035.

Specify Recurring Time

When selected, the router implements DST according to the dates and times specified in this policy.

When deselected, the router implements DST according to the schedule used throughout most of the United States.

Start

The relative date and time when daylight savings time begins:

•Month—Select the month.

•Week—Select the week of the month (1, 2, 3, 4, first, or last).

•Weekday—Select the day of the week.

•Hour—Select the hour.

•Minute—Select the minute.

For example, if DST begins at 1:00 a.m. on the last Sunday of each March, select March, last, Sunday, 1, and 00.

End

The relative date and time when daylight savings time ends:

•Month—Select the month.

•Week—Select the week of the month (1, 2, 3, 4, first, or last).

•Weekday—Select the day of the week.

•Hour—Select the hour.

•Minute—Select the minute.

CPU Utilization Statistics

Settings related to the history table for CPU utilization statistics:

•History Table Entry Limit—The percentage of CPU utilization that a process must use to be included in the history table.

•History Table Size—The length of time for which CPU statistics are stored in the history table. Valid values range from 5 to 86400 seconds (24 hours). The default is 600 seconds (10 minutes).

CPU Total Utilization

The thresholds for total CPU utilization that trigger notifications:

•Enable CPU Total Utilization—When selected, CPU total utilization thresholds are enabled. When deselected, these thresholds are disabled and do not trigger notifications. This is the default.

•Maximum Total Utilization Resources—The percentage of CPU resources that, when usage exceeds this level for the defined interval, triggers a notification.

•Maximum Total Utilization Violation Duration—The violation interval that triggers a maximum CPU threshold notification. Valid values range from 5 to 86400 seconds (24 hours).

•Minimum Total Utilization Resources—The percentage of CPU resources that, when usage falls below this level for the defined interval, triggers a notification.

•Minimum Total Utilization Violation Duration—The violation interval that triggers a minimum CPU threshold notification. Valid values range from 5 to 86400 seconds (24 hours).

CPU Interrupt Utilization

The thresholds for CPU interrupt utilization that trigger notifications:

•Enable CPU Interrupt Utilization—When selected, CPU interrupt utilization thresholds are enabled. When deselected, these thresholds are disabled and do not trigger notifications. This is the default.

•Maximum Interrupt Utilization Resources—The percentage of CPU resources that, when usage exceeds this level for the defined interval, triggers a notification.

•Maximum Interrupt Utilization Violation Duration—The violation interval that triggers a maximum CPU threshold notification. Valid values range from 5 to 86400 seconds (24 hours).

•Minimum Interrupt Utilization Resources—The percentage of CPU resources that, when usage falls below this level for the defined interval, triggers a notification.

•Minimum Interrupt Utilization Violation Duration—The violation interval that triggers a minimum CPU threshold notification. Valid values range from 5 to 86400 seconds (24 hours).

CPU Process Utilization

The thresholds for CPU process utilization that trigger notifications:

•Enable CPU Process Utilization—When selected, CPU process utilization thresholds are enabled. When deselected, these thresholds are disabled and do not trigger notifications. This is the default.

•Maximum Process Utilization Resources—The percentage of CPU resources that, when usage exceeds this level for the defined interval, triggers a notification.

•Maximum Process Utilization Violation Duration—The violation interval that triggers a maximum CPU threshold notification. Valid values range from 5 to 86400 seconds (24 hours).

•Minimum Process Utilization Resources—The percentage of CPU resources that, when usage falls below this level for the defined interval, triggers a notification.

•Minimum Process Utilization Violation Duration—The violation interval that triggers a minimum CPU threshold notification. Valid values range from 5 to 86400 seconds (24 hours).

Extended CPU History Size

The size of the history to collect for the extended CPU load, in increments of 5 seconds. Valid values range from 2 to 720. The default is 12, which is equivalent to a 1-minute history.

Enable Automatic CPU Hog Profiling

When selected, automatic CPU Hog profiling is enabled. This is the default.

When deselected, automatic CPU Hog profiling is disabled.

This feature predicts when a process could hog the CPU and begins profiling that process.

Note To view the CPU Hog profile data, use the show processes cpu autoprofile hog command in the CLI.

Enable HTTP

When selected, an HTTP server is enabled on the router.

When deselected, HTTP is disabled on the router. This is the default for devices that were not discovered.

HTTP Port

The port number to use for HTTP. Valid values are 80 or any value from 1024 to 65535. The default is 80.

Enable SSL

When selected, a secure HTTP server (HTTP over SSL or HTTPS) is enabled on the router.

When deselected, HTTPS is disabled. This is the default for devices that were not discovered.

Note If SSL is disabled (or if the HTTP policy as a whole is unassigned), Security Manager cannot communicate with the device after deployment unless you change the transport protocol for this device to SSH. This setting can be found in Device Properties.

Note We recommend that you disable HTTP when SSL is enabled. This is required to ensure only secure connections to the server.

SSL Port

The port number to use for HTTPS. Valid values are 443 or any value from 1025 to 65535. The default is 443.

Allow Connection From

The name of the standard numbered ACL that restricts use of HTTP and HTTPS on this device. Enter the name of an ACL object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Note If you define an ACL, make sure that it includes the Security Manager server. Otherwise, Security Manager cannot communicate with this device using SSL.

Authenticate Using

The type of authentication to use:

•AAA—Performs AAA login authentication.

•Enable Password—Uses the enable password configured on the router. This is the default.

•Local Database—Uses the local username database configured on the router.

•TACACS—Uses the TACACS or XTACACS server configured on the router. Applies only to devices using an IOS software version prior to 12.3(8) or 12.3(8)T.

Enable Device Login Authentication

Applies only when AAA is selected as the authentication method.

When selected, authentication is based on the methods defined in the Prioritized Method List field.

When deselected, the default authentication list defined in the router's AAA policy is used. See AAA Page—Authentication Tab.

Prioritized Method List

Applies only when the Enable Device Login Authentication check box is selected.

Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Note If you select None as a method, it must appear as the last method in the list.

Enable CLI/EXEC Operations Authorization

Applies only when AAA is selected as the authentication method.

When selected, EXEC authorization is based on the methods defined in the Prioritized Method List field. This type of authorization determines whether the user is permitted to open an EXEC (CLI) session.

When deselected, the default EXEC authorization list defined in the router's AAA policy is used. See AAA Page—Authorization Tab.

Note If you leave this option deselected, make sure that EXEC authorization is enabled in the router's AAA policy. Otherwise, you will be unable to connect to the device via HTTP or HTTPS (SSL). This applies to Security Manager as well as other applications, such as SDM and the device's web interface.

Prioritized Method List

Applies only when the Enable CLI/EXEC Operations Authorization check box is selected.

Defines a sequential list of methods to be queried when authorizing a user to open an EXEC (CLI) session. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Note If you select None as a method, it must appear as the last method in the list.

Privilege Level

The privilege level to which the command authorization definition applies.

Prioritized Method List

The method list to use when authorizing users with this privilege level.

Add button

Opens the Command Authorization Override Dialog Box. From here you can configure a command authorization definition.

Edit button

Opens the Command Authorization Override Dialog Box. From here you can edit the command authorization definition.

Delete button

Deletes the selected command authorization definitions from the table.

Privilege Level

The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.

Prioritized Method List

Defines a sequential list of methods to be used when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used. If the object that you want is not listed, click the Create button to create it.

The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.

Supported methods include TACACS+, Local, and None.

Note If you select None as a method, it must appear as the last method in the list.