Cisco Security Manager supports the management and configuration of security features and other platform-specific features on Cisco IOS access security routers. You configure these features in the form of policies, each of which defines a different aspect of the configuration of the router. For a detailed explanation of the policy paradigm used by Security Manager, see Chapter 5 "Managing Policies".
You can discover the configurations that are already defined on Cisco IOS routers. The discovery process imports the device configuration into Security Manager as policies and policy objects that you can then manage as required. For more information, see Discovering Router Policies.
Note Security Manager supports Cisco IOS Software Releases 12.3 and higher. However, a limited number of policies are supported for routers running Cisco IOS Software Release 12.1 or 12.2. See Configuring Routers Running IOS Software Releases 12.1 and 12.2.
By right-clicking a policy type in one of the policy selectors, you can assign a policy to a single router, share the policy among multiple routers, or unassign the policy from the device.
The following topics describe how to configure platform policies and interface policies on Cisco IOS routers:
–Basic Interface Settings on Cisco IOS Routers
–Advanced Interface Settings on Cisco IOS Routers
–IPS Module Interface Settings on Cisco IOS Routers
–CEF Interface Settings on Cisco IOS Routers
–Dialer Interfaces on Cisco IOS Routers
–ADSL on Cisco IOS Routers
–SHDSL on Cisco IOS Routers
–PVCs on Cisco IOS Routers
–PPP on Cisco IOS Routers
•Device administration policies:
–AAA on Cisco IOS Routers
–User Accounts and Device Credentials on Cisco IOS Routers
–Bridging on Cisco IOS Routers
–Time Zone Settings on Cisco IOS Routers
–CPU Utilization Settings on Cisco IOS Routers
–HTTP and HTTPS on Cisco IOS Routers
–Line Access on Cisco IOS Routers
–Optional SSH Settings on Cisco IOS Routers
–SNMP on Cisco IOS Routers
–DNS on Cisco IOS Routers
–Hostnames and Domain Names on Cisco IOS Routers
–Memory Settings on Cisco IOS Routers
–Secure Device Provisioning on Cisco IOS Routers
–DHCP on Cisco IOS Routers
–NTP on Cisco IOS Routers
–802.1x on Cisco IOS Routers
–Network Admission Control on Cisco IOS Routers
–Logging on Cisco IOS Routers
•Quality of Service:
–Quality of Service on Cisco IOS Routers
–BGP Routing on Cisco IOS Routers
–EIGRP Routing on Cisco IOS Routers
–OSPF Routing on Cisco IOS Routers
–RIP Routing on Cisco IOS Routers
–Static Routing on Cisco IOS Routers
Note The settings on the Policy Management page of the Security Manager Administration window determine which router platform policies can be managed with Security Manager. Any policy type that you do not select in this window does not appear on the configuration pages of Security Manager.
Configuring Routers Running IOS Software Releases 12.1 and 12.2
Security Manager provides limited support for routers running Cisco IOS Software Releases 12.1 and 12.2 (with the exception of the ASR 1000 Series, which supports more features). You can configure the following policies on these routers:
•Access Rules (Layer 3 only). See Chapter 15 "Managing Firewall Access Rules".
•Access Rule Settings. See Chapter 15 "Managing Firewall Access Rules".
•Interfaces. See Basic Interface Settings on Cisco IOS Routers.
•FlexConfigs. See Chapter 7 "Managing FlexConfigs".
All other policies require Cisco IOS Software Release 12.3 or higher. For more information about supported devices, see Supported Devices and Software Versions for Cisco Security Manager.
Discovering Router Policies
You can discover the configurations of your Cisco IOS routers and import these configurations as policies into Security Manager. This makes it possible to add existing devices and manage them with Security Manager without having to manually configure each device policy by policy. For more information, see Adding Devices to the Device Inventory.
You can discover all Cisco IOS commands that can be configured with Security Manager. Discovery ignores unsupported commands, which means that they are left intact on the device even after subsequent deployments. Additionally, in cases where Security Manager can discover the command, but not all the subcommands and keywords related to that command, the unsupported elements are ignored and left intact on the device.
You can also rediscover the configurations of devices that you are already managing with Security Manager at any time. Be aware, however, that performing rediscovery overwrites the policies that you have defined in Security Manager, and is therefore not generally recommended. For more information, see Discovering Policies on Devices Already in Security Manager.
Note We recommend that you perform deployment immediately after you discover the policies on a Cisco IOS router, before you make any changes to policies or unassign policies from the device. Otherwise, the changes that you configure in Security Manager might not be deployed to the device.
Note If a policy that is not configured in Security Manager was configured on the device using an out-of-band method (such as the CLI) between the time of the first discovery and rediscovery, we recommend that you perform deployment immediately after rediscovery.
•Working with Deployment and the Configuration Archive