APPENDIX K
Router Platform User Interface Reference

The main pages available in Cisco Security Manager for configuring and managing platform-specific policies on Cisco IOS routers are discussed in the following topics:

NAT policies:
• NAT Policy Page
Interface policies:
• Router Interfaces Page
• Never Block Networks Dialog Box
• AIM-IPS Interface Settings Page
• Dialer Policy Page
• ADSL Policy Page
• SHDSL Policy Page
• CPU Policy Page
• Device Access policies:
  – HTTP Policy Page
  – Console Policy Page
  – VTY Policy Page
  – Secure Shell Policy Page
  – SNMP Policy Page
• DNS Policy Page
• Hostname Policy Page
• Memory Policy Page
• Secure Device Provisioning Policy Page
• Server Access policies:
  – DHCP Policy Page
  – NTP Policy Pag

NAT Policy Page

Tip: Use the Policy Management page in the Security Manager Administration window to control which router platform policy pages are available in Security Manager. For more information, see Policy Management Page, page A-40.

Navigation Path
Go to the NAT Policy Page, page K-3, then click the Interface Specification tab.

Related Topics
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12
• NAT Page—Timeouts Tab, page K-15

Field Reference
Table K-1 NAT Interface Specification Tab
Element: Description
NAT Inside Interfaces: The interfaces that act as the inside interfaces for address translation.

Field Reference
Table K-2 Edit Interfaces Dialog Box—NAT Inside Interfaces
Element: Description
Interfaces: The interfaces that act as the inside interfaces for address translation. You can enter interfaces, interface roles, or both. For more information, see Specifying Interfaces During Policy Definition, page 9-135.
Select button: Opens an Object Selectors, page F-593 for selecting interfaces and interface roles.

Field Reference
Table K-3 Edit Interfaces Dialog Box—NAT Outside Interfaces
Element: Description
Interfaces: The interfaces that act as the outside interfaces for address translation. You can enter interfaces, interface roles, or both. For more information, see Specifying Interfaces During Policy Definition, page 9-135.
Select button: Opens an Object Selectors, page F-593 for selecting interfaces and interface roles.

Field Reference
Table K-4 NAT Static Rules Tab
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Original Address: The original address (and optionally, the subnet mask) that is being translated.
Translated Address: The IP address to which the traffic is translated.

Related Topics
• Defining Static NAT Rules, page 15-8
• Disabling the Alias Option for Attached Subnets, page 15-15
• Disabling the Payload Option for Overlapping Networks, page 15-15
• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132

Field Reference
Table K-5 NAT Static Rule Dialog Box
Element: Description
Static Rule Type: The type of local address requiring trans

Table K-5 NAT Static Rule Dialog Box (Continued)
Translated Address: The type of address translation to perform:
• Specify IP—The IP address that acts as the translated address. Enter an address or the name of a network/host object in the Translated IP/Network field, or click Select to display an Object Selectors, page F-593.

Table K-5 NAT Static Rule Dialog Box (Continued)
Port Redirection: Applies only when Static Port is the selected static rule type. Redirect Port—When selected, specifies port information for the inside device in the translation. This enables you to use the same public IP address for multiple devices as long as the port specified for each device is different.

Table K-5 NAT Static Rule Dialog Box (Continued)
Advanced: Applies only when using the Translated IP option for address translation. Defines advanced options:
• No Alias—When selected, prohibits an alias from being created for the global address. The alias option is used to answer Address Resolution Protocol (ARP) requests for global addresses that are allocated by NAT.

NAT Page—Dynamic Rules Tab

Use the NAT Dynamic Rules tab to create, edit, and delete dynamic address translation rules. A dynamic address translation rule dynamically maps hosts to addresses, using either the globally registered IP address of a specific interface or addresses included in an address pool that are globally unique in the destination network. For more information, see Defining Dynamic NAT Rules, page 15-16.

Table K-6 NAT Dynamic Rules Tab (Continued)
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

Field Reference
Table K-7 NAT Dynamic Rule Dialog Box
Element: Description
Traffic Flow: Access List—The extended ACL that specifies the traffic requiring dynamic translation. Enter the name of an ACL object, or click Select to display an Object Selectors, page F-593. If the ACL you want is not listed, click the Create button in the selector to display the dialog box for defining an extended ACL object.

Table K-7 NAT Dynamic Rule Dialog Box (Continued)
Do Not Translate VPN Traffic (Site-to-Site VPN only): This setting applies only in situations where the NAT ACL overlaps the crypto ACL used by the site-to-site VPN. Because the interface performs NAT first, any traffic arriving from an address within this overlap would get translated, causing the traffic to be sent unencrypted.
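
The overlap described for Do Not Translate VPN Traffic can be checked offline before a policy is deployed. The following Python sketch is an added example, not part of the Cisco guide or of Security Manager: it compares a NAT ACL with a crypto ACL and reports the flows that both would match. The ACL lines are constructed samples in IOS extended-ACL syntax, and treating an earlier deny entry in the NAT ACL as the exemption is an assumption of this example.

```python
import ipaddress
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_network(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # IOS ACLs use wildcard (inverse) masks: 0.0.0.255 means /24, 0.0.0.0 means /32.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard masks are not handled in this example")
    return ipaddress.IPv4Network(f"{first}/{32 - wildcard.bit_length()}", strict=False)


def parse_acl(acl_text: str) -> list:
    """Parse 'permit|deny ip SRC DST' lines; other lines are skipped."""
    entries = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        rest = tokens[2:]
        src = _take_network(rest)
        dst = _take_network(rest)
        entries.append(Entry(tokens[0], src, dst))
    return entries


def _intersect(a, b) -> Optional[ipaddress.IPv4Network]:
    """Two CIDR blocks either nest or are disjoint, so the overlap is the smaller block."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def nat_crypto_overlaps(nat_acl: str, crypto_acl: str) -> list:
    """Return (src, dst) flows that the NAT ACL would translate and the crypto ACL
    would protect. An overlap fully covered by an earlier deny entry in the NAT ACL
    counts as exempted (assumption of this example); partial coverage is still reported."""
    nat = parse_acl(nat_acl)
    crypto = [e for e in parse_acl(crypto_acl) if e.action == "permit"]
    hits = []
    for index, rule in enumerate(nat):
        if rule.action != "permit":
            continue
        earlier_denies = [d for d in nat[:index] if d.action == "deny"]
        for protected in crypto:
            src = _intersect(rule.src, protected.src)
            dst = _intersect(rule.dst, protected.dst)
            if src is None or dst is None:
                continue
            exempt = any(src.subnet_of(d.src) and dst.subnet_of(d.dst)
                         for d in earlier_denies)
            if not exempt:
                hits.append((str(src), str(dst)))
    return hits


# Constructed sample ACL bodies (not taken from any real device).
CRYPTO_ACL = """
permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
"""
NAT_ACL_OVERLAPPING = """
permit ip 10.1.0.0 0.0.255.255 any
"""
NAT_ACL_EXEMPTED = """
deny ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
"""

if __name__ == "__main__":
    print("overlapping:", nat_crypto_overlaps(NAT_ACL_OVERLAPPING, CRYPTO_ACL))
    print("exempted:   ", nat_crypto_overlaps(NAT_ACL_EXEMPTED, CRYPTO_ACL))
```

Any flow reported for the first NAT ACL is traffic that would be translated before the crypto ACL is consulted.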

Related Topics
• Specifying NAT Timeouts, page 15-19
• NAT Page—Interface Specification Tab, page K-3
• NAT Page—Static Rules Tab, page K-6
• NAT Page—Dynamic Rules Tab, page K-12

Field Reference
Table K-8 NAT Timeouts Tab
Element: Description
Max Entries: The maximum number of entries allowed in the dynamic NAT table. Values range from 1 to 2147483647.

Table K-8 NAT Timeouts Tab (Continued)
ICMP Timeout (sec.) The timeout value applied to Internet Control Message Protocol (ICMP) flows. The default is 60 seconds. Note PPTP Timeout (sec.) This value applies only when the Overload feature is enabled. The timeout value applied to NAT Point-to-Point Tunneling Protocol (PPTP) flows. The default is 86400 seconds (24 hours). Note SYN Timeout (sec.

Router Interfaces Page

Field Reference
Table K-9 Router Interfaces Page
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface Type: The interface type. Subinterfaces are displayed indented beneath their parent interface.
Interface Name: The name of the interface.

Note: Unlike other router policies, the Interfaces policy cannot be shared among multiple devices. The Advanced Settings policy, however, may be shared. See Local Policies vs. Shared Policies, page 7-4.

Navigation Path
Go to the Router Interfaces Page, page K-17, then click the Add or Edit button beneath the table.

Table K-10 Create Router Interface Dialog Box (Continued)
Subinterface ID: Applies only to subinterfaces. The ID number of the subinterface.
IP: The source of the IP address for the interface:
• Note Static IP—Defines a static IP address and subnet mask for the interface. Enter this information in the fields that appear below the option. You can define the mask using either dotted decimal (for example, 255.255.255.

Table K-10 Create Router Interface Dialog Box (Continued)
Layer Type: The OSI layer at which the interface is defined:
• Unknown—The layer is unknown.
• Layer 2—The data link layer, which contains the protocols that control the physical layer (Layer 1) and how data is framed before being transmitted on the medium. Layer 2 is used for bridging and switching. Layer 2 interfaces do not have IP addresses.
Duplex

Table K-10 Create Router Interface Dialog Box (Continued)
Speed: Applies only to Fast Ethernet and Gigabit Ethernet interfaces. The speed of the interface:
• 10—10 megabits per second (10Base-T networks).
• 100—100 megabits per second (100Base-T networks). This is the default for Fast Ethernet interfaces.
• 1000—1000 megabits per second (Gigabit Ethernet networks). This is the default for Gigabit Ethernet interfaces.

Table K-10 Create Router Interface Dialog Box (Continued)
VLAN ID: Applies only to subinterfaces with encapsulation type DOT1Q. The VLAN ID associated with this subinterface. The VLAN ID specifies where 802.1Q tagged packets are sent and received on this subinterface; without a VLAN ID, the subinterface cannot send or receive traffic. Valid values range from 1 to 4094.

Table K-10 Create Router Interface Dialog Box (Continued)
DLCI: Applies only to serial subinterfaces with Frame Relay encapsulation. Enter the data-link connection identifier to associate with the subinterface. Valid values range from 16 to 1007.
Note: Security Manager configures serial subinterfaces as point-to-point not multipoint.
Description: Additional information about the interface (up to 1024 characters).

Field Reference
Table K-11 Interface Auto Name Generator Dialog Box
Element: Description
Type: The type of interface. Your selection from this list forms the first part of the generated name, as displayed in the Result field. For more information, see Table 15-1 on page 15-21.
Card: The card related to the interface.
Note: When defining a BVI interface, enter the number of the corresponding bridge group.

Advanced Interface Settings Page

Navigation Path
• (Device view) Select Interfaces > Settings > Advanced Settings from the Policy selector.
• (Policy view) Select Router Interfaces > Settings > Advanced Settings from the Policy Type selector. Right-click Advanced Settings to create a policy, or select an existing policy from the Shared Policy selector.

Table K-12 Advanced Interface Settings Page (Continued)
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns.

Field Reference
Table K-13 Advanced Interface Settings Dialog Box
Element: Description
Interface: The interface on which the advanced settings are defined. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464.

Table K-13 Advanced Interface Settings Dialog Box (Continued)
TCP Maximum Segment Size: The maximum segment size (MSS) of TCP SYN packets that pass through this interface. Valid values range from 500 to 1460 bytes. If you do not specify a value, the MSS is determined by the originating host. This option helps prevent TCP sessions from being dropped as they pass through the router.

Table K-13 Advanced Interface Settings Dialog Box (Continued)
Cisco Discovery Protocol settings
Enable CDP: When selected, the Cisco Discovery Protocol (CDP) is enabled on this interface. This is the default. When deselected, CDP is disabled on this interface.

Table K-13 Advanced Interface Settings Dialog Box (Continued)
ICMP Messages settings
Enable Redirect Messages: When selected, enables the sending of Internet Control Message Protocol (ICMP) redirect messages if the device is forced to resend a packet through the same interface on which it was received to another device on the same subnet. This is the default. When deselected, disables redirect messages.

Table K-13 Advanced Interface Settings Dialog Box (Continued)
Additional settings
Enable Virtual Fragment Reassembly (VFR): When selected, virtual fragmentation reassembly (VFR) is enabled on this interface. When deselected, disables VFR. This is the default. VFR is a feature that enables the Cisco IOS Firewall to create dynamic ACLs that can protect the network from various fragmentation attacks.

Table K-13 Advanced Interface Settings Dialog Box (Continued)
Enable Directed Broadcasts: When selected, directed broadcast packets are “exploded” as a link-layer broadcast when this interface is directly connected to the destination subnet. When deselected, directed broadcast packets that are intended for the subnet to which this interface is directly connected are dropped rather than being broadcast.

AIM-IPS Interface Settings Page

Use the AIM-IPS Interface Settings page to define the settings on the Cisco Intrusion Prevention System Advanced Integration Module. You can install AIM-IPS in Cisco 1841, 2800 series, and 3800 series routers.
Note: AIM-IPS must be running IPS 6.0 or later.
Caution: Cisco IOS IPS and the Cisco IPS AIM cannot be used together. Cisco IOS IPS must be disabled when the AIM IPS is installed.

Table K-14 AIM-IPS Interface Settings Page (Continued)
Interface Name: The name of the interface role that the AIM-IPS uses.
Monitoring Mode: Inline or Promiscuous: Inline mode puts the AIM-IPS directly into the traffic flow, allowing it to stop attacks by dropping malicious traffic before it reaches the intended target.

Related Topics
• Basic Interface Settings on Cisco IOS Routers, page 15-20

Field Reference
Table K-15 IPS Monitoring Information Dialog Box
Element: Description
Interface Name: A name selected from among available interfaces.
Select button: Opens the Interface Selector dialog box.

Dialer Policy Page

• (Policy view) Select Router Interfaces > Settings > Dialer from the Policy Type selector. Right-click Dialer to create a policy, or select an existing policy from the Shared Policy selector.

Table K-16 Dialer Page (Continued)
Pools: The dial pools related to this physical interface.
Switch Type: The ISDN switch type that the physical interface uses.
SPID1: The first service provider identifier (SPID) related to this interface.
SPID2: The second SPID related to this interface.
Add button: Opens the Dialer Physical Interface Dialog Box, page K-40. From here you can define a dialer physical interface.

• Basic Interface Settings on Cisco IOS Routers, page 15-20
• Understanding Interface Role Objects, page 9-132

Field Reference
Table K-17 Dialer Profile Dialog Box
Element: Description
Name: A descriptive name for the dialer profile. This name enables you to assign the correct dialer pool to the physical interface. You can also use the profile name as a reference to the site to which this dialer interface serves as a backup.

Table K-17 Dialer Profile Dialog Box (Continued)
Fast Idle Timeout: The default amount of idle time before a contested line is disconnected. The default is 20 seconds. Line contention occurs when a busy line is requested to send another packet to a different destination.
OK button: Saves your changes locally on the client and closes the dialog box.

Field Reference
Table K-18 Dialer Physical Interface Dialog Box
Element: Description
ISDN BRI: The physical BRI interface associated with the dialer interface. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464.

Table K-18 Dialer Physical Interface Dialog Box (Continued)
SPID1: Applies only when you select Basic-DMS-100, Basic-NI, or Basic-5ess as the switch type. The service provider identifier (SPID) for the ISDN service to which the interface subscribes. Some service providers in North America assign SPIDs to ISDN devices when you first subscribe to an ISDN service.

ADSL Policy Page

Related Topics
• PVC Policy Page, page K-54
• SHDSL Policy Page, page K-47
• ADSL on Cisco IOS Routers, page 15-38
• Chapter K, “Router Platform User Interface Reference”

Field Reference
Table K-19 ADSL Page
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
ATM Interface: The ATM interface on which ADSL settings are defined.

Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

ADSL Settings Dialog Box

Use the ADSL Settings dialog box to configure ADSL settings on a selected ATM interface.

Field Reference
Table K-20 ADSL Settings Dialog Box
Element: Description
ATM Interface: The ATM interface on which ADSL settings are defined. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464.

Table K-20 ADSL Settings Dialog Box (Continued)
Interface Card (continued)
• 857 ADSL—Cisco 857 Integrated Service Router with an ADSL interface.
• 876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface.
• 877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface.
• 1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS.

Table K-20 ADSL Settings Dialog Box (Continued)
DSL Operating Mode: The operating mode configured for this ADSL line:
• auto—Performs automatic negotiation with the DSLAM located at the central office (CO). This is the default.
• ansi-dmt—The line trains in ANSI T1.413 Issue 2 mode.
• itu-dmt—The line trains in G.992.1 mode.
• splitterless—The line trains in G.992.2 (G.Lite) mode.

SHDSL Policy Page

• (Policy view) Select Router Interfaces > Settings > DSL > SHDSL from the Policy Type selector. Right-click SHDSL to create a policy, or select an existing policy from the Shared Policy selector.

Table K-21 SHDSL Page (Continued)
Delete button: Deletes the selected DSL controller definition from the table.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns.

Table K-22 SHDSL Dialog Box (Continued)
Shutdown: When selected, the DSL controller is in shutdown state. However, its definition is not deleted. When deselected, the DSL controller is enabled. This is the default.
Configure ATM mode: When selected, sets the controller into ATM mode and creates an ATM interface with the same ID as the controller. This is the default.

Table K-22 SHDSL Dialog Box (Continued)
Line Mode: The line mode used by the controller:
• auto—The controller operates in the same mode as the other line termination (2-wire line 0, 2-wire line 1, or 4-wire enhanced). This is the default for CPE line termination.
• 2-wire—The controller operates in two-wire mode. This is the default for CO line termination.
• 4-wire—The controller operates in four-wire mode.

Table K-22 SHDSL Dialog Box (Continued)
Line Rate: Does not apply when the Line Mode is defined as Auto. The DSL line rate (in kbps) available for the SHDSL port:
• auto—The controller selects the line rate. This is available only in 2-wire mode.

Table K-22 SHDSL Dialog Box (Continued)
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Table K-23 Controller Auto Name Generator Dialog Box (Continued)
Result: The name generated by Security Manager from the information you entered for the controller location. The name displayed in this field is read-only.
Tip: After closing this dialog box, you can edit the generated name in the SHDSL dialog box, if required.
OK button: Saves your changes locally on the client and closes the dialog box.

PVC Policy Page

Field Reference
Table K-24 PVC Page
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
ATM Interface: The ATM interface on which the PVC is defined.
Interface Card: The type of device or WAN interface card on which the ATM interface resides.
PVC ID: The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the PVC.

PVC Dialog Box

Use the PVC dialog box to configure ATM permanent virtual circuits (PVCs).

Navigation Path
Go to the PVC Policy Page, page K-54, then click the Add or Edit button beneath the table.

Related Topics
• Defining ATM PVCs, page 15-52

Field Reference
Table K-25 PVC Dialog Box
Element: Description
ATM Interface: The ATM interface on which the PVC is defined.

Table K-25 PVC Dialog Box (Continued)
Interface Card: The type of WAN interface card installed on the router or the router type:
• [blank]—The interface card type is not defined.
• WIC-1ADSL—A 1-port ADSL WAN interface card that provides ADSL over POTS (ordinary telephone lines).
• WIC-1ADSL-I-DG—A 1-port ADSL WAN interface card that provides ADSL over ISDN with Dying Gasp support.

Table K-25 PVC Dialog Box (Continued)
Interface Card (continued)
• NM-1A-E3—A 1-port ATM network module with an E3 link.
• 857 ADSL—Cisco 857 Integrated Service Router with an ADSL interface.
• 876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface.
• 877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface.
• 878 G.SHDSL—Cisco 878 Integrated Services Router with a G.SHDSL interface.

Table K-25 PVC Dialog Box (Continued)
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

PVC Dialog Box—Settings Tab

Use the Settings tab of the PVC dialog box to configure the basic settings of the PVC, including:
• ID settings.

Field Reference
Table K-26 PVC Dialog Box—Settings Tab
Element: Description
PVC ID settings
VPI: The virtual path identifier of the PVC. In conjunction with the VCI, identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values for most platforms range from 0 to 255.

Table K-26 PVC Dialog Box—Settings Tab (Continued)
Encapsulation settings
Type: Does not apply when the Management PVC (ILMI) check box is enabled. The ATM adaptation layer (AAL) and encapsulation type to use on the PVC:
• [blank]—The encapsulation type is not defined. (When deployed, aal5snap is applied.)
• aal2—For PVCs dedicated to AAL2 Voice over ATM.

Table K-26 PVC Dialog Box—Settings Tab (Continued)
Virtual Template: The virtual template used for PPP over ATM on this PVC. Enter the name of a virtual template interface or interface role, or click Select to display an Object Selectors, page F-593. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464.

Table K-26 PVC Dialog Box—Settings Tab (Continued)
Inverse ARP: When selected, the Inverse Address Resolution Protocol (Inverse ARP) is enabled on the PVC. When deselected, Inverse ARP is disabled. This is the default. Inverse ARP is used to learn the Layer 3 addresses at the remote ends of established connections. These addresses must be learned before the virtual circuit can be used.

Navigation Path
Go to the PVC Dialog Box, page K-56, then click the QoS tab.

Table K-27 PVC Dialog Box—QoS Tab (Continued)
Traffic Shaping settings
Traffic Shaping: The type of service to define on the PVC:
• [null]—The bit rate is not defined.
• ABR—Available Bit Rate. A best-effort service suitable for applications that do not require guarantees against cell loss or delays.
• CBR—Constant Bit Rate service.

Table K-27 UBR PVC Dialog Box—QoS Tab (Continued) The following field is displayed when UBR is selected as the Bit Rate: • UBR+ The following fields are displayed when UBR+ is selected as the Bit Rate: • PCR—The peak cell rate for output in kilobits per second (kbps). Cells in excess of the PCR may be discarded. • MCR—The minimum guaranteed cell rate for output in kilobits per second (kbps).

Table K-27 PVC Dialog Box—QoS Tab (Continued)
IP QoS settings
Random Detect: When selected, enables Weighted Random Early Detection (WRED) or VIP-distributed WRED (DWRED) on the PVC. When deselected, WRED and DWRED are disabled. This is the default. WRED is a queue management method that selectively drops packets as the interface becomes congested. See Tail Drop vs. WRED, page 15-156.

Field Reference
Table K-28 PVC Dialog Box—Protocol Tab
Element: Description
IP Protocol Mapping: Displays the IP protocol mappings configured for the PVC.
Add button: Opens the Define Mapping Dialog Box, page K-68. From here you can define an IP protocol mapping.
Edit button: Opens the Define Mapping Dialog Box, page K-68. From here you can edit the selected mapping.
Delete button: Deletes the selected mapping from the table.

Field Reference
Table K-29 Define Mapping Dialog Box
Element: Description
IP Options: The type of IP protocol mapping to use:
• IP Address—Select this option when using static mapping. Enter the address or network/host object, or click Select to display an Object Selectors, page F-593. If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477.

For more information, see Defining OAM Management on ATM PVCs, page 15-56.

Navigation Path
Go to the PVC Dialog Box, page K-56, then click Advanced.

Related Topics
• PVC Policy Page, page K-54

Field Reference
Table K-30 PVC Advanced Settings Dialog Box
Element: Description
OAM tab: Defines loopback, connectivity check, and AIS/RDI settings. See PVC Advanced Settings Dialog Box—OAM Tab, page K-70.

Note: The settings defined in this tab are dependent on the settings defined in the OAM-PVC tab. See PVC Advanced Settings Dialog Box—OAM-PVC Tab, page K-73.

Navigation Path
Go to the PVC Advanced Settings Dialog Box, page K-69, then click the OAM tab.

Table K-31 PVC Advanced Settings Dialog Box—OAM Tab (Continued)
AIS-RDI settings
Enable AIS-RDI Detection: When selected, alarm indication signal (AIS) cells and remote defect indication (RDI) cells are used to report connectivity failures at the ATM layer of the PVC. When deselected, AIS/RDI cells are disabled. AIS cells notify downstream devices of the connectivity failure.

Table K-31 PVC Advanced Settings Dialog Box—OAM Tab (Continued)
End-to-End Continuity Check settings
Enable End-to-End Continuity Check: When selected, OAM F5 continuity check (CC) activation and deactivation requests are sent to a device at the other end of the PVC. When deselected, segment CC activation and deactivation requests are disabled.

Related Topics
• PVC Dialog Box, page K-56

Field Reference
Table K-32 PVC Advanced Settings Dialog Box—OAM-PVC Tab
Element: Description
OAM settings
Enable OAM Management: When selected, OAM loopback cell generation and OAM management are enabled on the PVC. When deselected, OAM loopback cells and OAM management are disabled. However, continuity checks can still be performed.
Appendix K Router Platform User Interface Reference PVC Policy Page Table K-32 PVC Advanced Settings Dialog Box—OAM-PVC Tab (Continued) Direction Applies only when CC management is enabled. The direction in which CC cells are transmitted: Keep VC up after segment failure • both—CC cells are transmitted in both directions. • sink—CC cells are transmitted toward the router that initiated the CC activation request.
Appendix K Router Platform User Interface Reference PPP/MLP Policy Page Table K-32 PVC Advanced Settings Dialog Box—OAM-PVC Tab (Continued) Direction Applies only when CC management is enabled. The direction in which CC cells are transmitted: Keep VC up after end-to-end failure • both—CC cells are transmitted in both directions. • sink—CC cells are transmitted toward the router that initiated the CC activation request.

Field Reference
Table K-33 PPP/MLP Page
Element | Description
Filter | Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Interface | The interface that is configured for PPP/MLP.
Authentication | The types of authentication used on the PPP connection.
Authorization | The method list used for AAA authorization on the PPP connection.

PPP Dialog Box
Use the PPP dialog box to configure PPP connections on the router. When you configure a PPP connection, you can define the type of authentication and authorization to perform and define multilink parameters.

Navigation Path
Go to the PPP/MLP Policy Page, page K-76, then click the Add or Edit button beneath the table.

Related Topics
• Defining PPP Connections, page 15-61

User Guide for Cisco Security Manager 3.

Field Reference
Table K-34 PPP Dialog Box
Element | Description
Interface | The interface on which PPP encapsulation is enabled. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593.

Table K-34 PPP Dialog Box (Continued)
MLP tab | Defines how to split and recombine sequential datagrams across multiple logical data links using Multilink PPP (MLP). See PPP Dialog Box—MLP Tab, page K-84.
OK button | Saves your changes locally on the client and closes the dialog box.

Table K-35 PPP Dialog Box—PPP Tab (Continued)
Protocol | The authentication protocols to use:
• CHAP—Challenge-Handshake Authentication Protocol.
• PAP—Password Authentication Protocol.
• MS-CHAP—Version 1 of the Microsoft version of CHAP (RFC 2433).
• MS-CHAP-2—Version 2 of the Microsoft version of CHAP (RFC 2759).
• EAP—Extensible Authentication Protocol.
You may select one or more authentication protocols, as required.

Table K-35 PPP Dialog Box—PPP Tab (Continued)
Authenticate Using | AAA authentication settings for the PPP connection:
• PPP Default List—Defines a default list of methods to be queried when authenticating a user for PPP. Enter the names of one or more AAA server group objects (up to four) in the Prioritized Method List field, or click Select to display an Object Selectors, page F-593.

Table K-35 PPP Dialog Box—PPP Tab (Continued)
CHAP Authentication settings
Hostname | By default, the router uses its hostname to identify itself to the peer. If required, you can enter a different hostname to use for all CHAP challenges and responses. For example, use this field to specify a common alias for all routers in a rotary group.

PPP Dialog Box—MLP Tab
Use the MLP tab of the PPP dialog box to define Multilink PPP (MLP) parameters for the selected PPP connection.

Navigation Path
Go to the PPP Dialog Box, page K-78, then click the MLP tab.

Related Topics
• PPP Dialog Box—PPP Tab, page K-80

Field Reference
Table K-36 PPP Dialog Box—MLP Tab
Element | Description
Enable Multilink PPP (MLP) | When selected, MLP is enabled on this PPP connection.

Table K-36 PPP Dialog Box—MLP Tab (Continued)
Multilink Group | Applies only to serial, Group-Async, and multilink interfaces. Restricts the physical link to the selected multilink-group interface. Enter the name of a multilink interface or interface role, or click Select to display an Object Selectors, page F-593.

Table K-36 PPP Dialog Box—MLP Tab (Continued)
Endpoint Type | The identifier used by the router when transmitting packets on the MLP bundle:
• [null]—Negotiation is conducted without using an endpoint discriminator. (No CLI command is generated.)
• Hostname—The hostname of the router. This option is useful when multiple routers are using the same username to authenticate but have different hostnames.
• IP—A defined IP address.

Table K-36 PPP Dialog Box—MLP Tab (Continued)
MRRU Remote Peer | The maximum receive reconstructed unit (MRRU) value of the remote peer. This value represents the maximum size packet that the remote peer is capable of receiving. Valid values range from 128 to 16384 bytes. The default is 1524 bytes.
Maximum FIFO Queue Size | The maximum queue depth when the bundle uses first-in, first-out (FIFO) queuing.

• VTY Policy Page, page K-129
• Chapter K, “Router Platform User Interface Reference”

Field Reference
Table K-37 AAA Page
Element | Description
Authentication tab | Defines the login authentication methods to use and the sequence in which to use them. See AAA Page—Authentication Tab, page K-88.
Authorization tab | Defines the types of network, EXEC, and command authorization to perform and the methods to use for each type.

• Understanding Method Lists, page 15-69
• AAA Server Group Dialog Box, page F-12
• Predefined AAA Authentication Server Groups, page 9-15

Field Reference
Table K-38 AAA Page—Authentication Tab
Element | Description
Enable Device Login Authentication | When selected, enables the authentication of all users when they log in to the device, using the methods defined in the method list. When deselected, authentication is not performed.

AAA Page—Authorization Tab
Use the Authorization tab of the AAA page to define the type of authorization services to enable on the device and the methods to use for each type. Security Manager supports the following types of authorization:
• Network—Authorizes various types of network connections, such as PPP.
• EXEC—Authorizes the launching of EXEC sessions.

Table K-39 AAA Page—Authorization Tab (Continued)
Prioritized Method List | Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.

Table K-39 AAA Page—Authorization Tab (Continued)
Add button | Opens the Command Authorization Dialog Box, page K-92. From here you can configure a command authorization definition.
Edit button | Opens the Command Authorization Dialog Box, page K-92. From here you can edit the command authorization definition.
Delete button | Deletes the selected command authorization definitions from the table.

Table K-40 Command Authorization Dialog Box (Continued)
Prioritized Method List | Defines a sequential list of methods to be used when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.

Note: You can use the method lists defined in this policy on the console and VTY lines that are used to communicate with the device. See Console Policy Page, page K-117 and VTY Line Dialog Box—Authentication Tab, page K-136.

Navigation Path
Go to the AAA Policy Page, page K-87, then click the Accounting tab.

Table K-41 AAA Page—Accounting Tab (Continued)
Prioritized Method List | Defines a sequential list of methods to be queried when creating connection accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.

Table K-41 AAA Page—Accounting Tab (Continued)
Generate Accounting Records for | The points in the process where the device sends an accounting notice to the accounting server.
Enable Broadcast | Whether accounting records are broadcast to multiple servers simultaneously.
Prioritized Method List | The method list to use when authorizing users with this privilege level.
Add button | Opens the Command Accounting Dialog Box, page K-96.

Field Reference
Table K-42 Command Accounting Dialog Box
Element | Description
Privilege Level | The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.
Generate Accounting Records for | Defines when the device sends an accounting notice to the accounting server:
• Start and Stop—Generates accounting records at the beginning and the end of the user process.

Table K-42 Command Accounting Dialog Box (Continued)
OK button | Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Field Reference
Table K-43 Accounts and Credentials Page
Element | Description
Enable Secret Password | The enable secret password for entering privileged EXEC mode on the router. This option offers better security than the Enable Password option. The enable secret password can contain between 1-25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored.

Table K-43 Accounts and Credentials Page (Continued)
Username | The username that can be used to access the router. The username must be a single word up to 64 characters in length. Spaces and quotation marks are not allowed.
Encryption | Indicates whether password information for the user is encrypted using MD5 encryption.
Privilege Level | The privilege level assigned to the user.

Navigation Path
Go to the Accounts and Credentials Policy Page, page K-98, then click the Add or Edit button beneath the table.

Table K-44 User Account Dialog Box (Continued)
OK button | Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Bridging Policy Page
Use the Bridging page to define bridge groups that can perform integrated routing and bridging on the router.

Table K-45 Bridging Page (Continued)
Edit button | Opens the Bridge Group Dialog Box, page K-103. From here you can edit the bridge group.
Delete button | Deletes the selected bridge groups from the table.
Save button | Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.

Field Reference
Table K-46 Bridge Group Dialog Box
Element | Description
Group Number | The number assigned to the bridge group. Valid values range from 1 to 255.
Group Interfaces | The interfaces that are included in the bridge group. Enter the name of one or more interfaces and interface roles, or click Select to display an Object Selectors, page F-593.

Tip: You can configure the local time on the router by defining an NTP policy or by configuring the clock set command using the CLI.

Navigation Path
• (Device view) Select Platform > Device Admin > Clock from the Policy selector.
• (Policy view) Select Router Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.

Table K-47 Clock Page (Continued)
Additional Set by Date fields
Start | The date and time when DST begins:
• Date—Click the calendar icon to select the start date.
• Hour—Select the start hour.
• Minute—Select the start minute.
End | The date and time when DST ends:
• Date—Click the calendar icon to select the end date.
• Hour—Select the end hour.
• Minute—Select the end minute.

Table K-47 Clock Page (Continued)
End | The relative date and time when daylight savings time ends:
• Month—Select the month.
• Week—Select the week of the month (1, 2, 3, 4, first, or last).
• Weekday—Select the day of the week.
• Hour—Select the hour.
• Minute—Select the minute.
Save button | Saves your changes to the Security Manager server but keeps them private.

Field Reference
Table K-48 CPU Page
Element | Description
CPU Utilization Statistics | Settings related to the history table for CPU utilization statistics:
• History Table Entry Limit—The percentage of CPU utilization that a process must use to be included in the history table.
• History Table Size—The length of time for which CPU statistics are stored in the history table.
CPU Total Utilization

Table K-48 CPU Page (Continued)
CPU Interrupt Utilization | The thresholds for CPU interrupt utilization that trigger notifications:
• Enable CPU Interrupt Utilization—When selected, CPU interrupt utilization thresholds are enabled. When deselected, these thresholds are disabled and do not trigger notifications. This is the default.

Table K-48 CPU Page (Continued)
Extended CPU History Size | The size of the history to collect for the extended CPU load, in increments of 5 seconds. Valid values range from 2 to 720. The default is 12, which is equivalent to a 1-minute history.
Enable Automatic CPU Hog Profiling | When selected, automatic CPU Hog profiling is enabled. This is the default. When deselected, automatic CPU Hog profiling is disabled.

HTTP Page—Setup Tab
Use the Setup tab of the HTTP page to enable HTTP and HTTP over Secure Socket Layer (HTTP over SSL or HTTPS) on the router. You can optionally limit access to these protocols to the addresses defined in an access control list.

Table K-49 HTTP Page—Setup Tab (Continued)
Enable SSL | When selected, a secure HTTP server (HTTP over SSL or HTTPS) is enabled on the router. When deselected, HTTPS is disabled. This is the default for devices that were not discovered.

Related Topics
• HTTP Page—Setup Tab, page K-111
• HTTP and HTTPS on Cisco IOS Routers, page 15-83

Field Reference
Table K-50 HTTP Page—AAA Tab
Element | Description
Authenticate Using | The type of authentication to use:
• AAA—Performs AAA login authentication.
• Enable Password—Uses the enable password configured on the router. This is the default.
• Local Database—Uses the local username database configured on the router.

Table K-50 HTTP Page—AAA Tab (Continued)
Prioritized Method List | Applies only when the Enable Device Login Authentication check box is selected. Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593.

Table K-50 HTTP Page—AAA Tab (Continued)
Prioritized Method List | Applies only when the Enable CLI/EXEC Operations Authorization check box is selected. Defines a sequential list of methods to be queried when authorizing a user to open an EXEC (CLI) session. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593.

Command Authorization Override Dialog Box
Use the Command Authorization Override dialog box to define which methods to use when authorizing the EXEC commands that are associated with a given privilege. This enables you to authorize all commands associated with a specific privilege level, from 0 to 15.

Navigation Path
From the HTTP Page—AAA Tab, page K-112, click the Add button beneath the Command Authorization Override table.

Table K-51 Command Authorization Dialog Box (Continued)
OK button | Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Console Policy Page
Use the Console page to configure access to the router over the console port.

Console Page—Setup Tab
Use the Setup tab of the Console page to define the basic parameters of the console port. This includes the password for accessing the port, the privilege level assigned to users, the protocols that are permitted, and the ACLs that limit access.

Navigation Path
Go to the Console Policy Page, page K-117, then click the Setup tab.

Table K-52 Console Page—Setup Tab (Continued)
Privilege Level | The privilege level assigned to users connected to the console port. Valid values range from 0 to 15:
• 0—Grants access to these commands only: disable, enable, exit, help, and logout.
• 1—Enables nonprivileged access to the router (normal EXEC-mode use privileges).
Disable all the EXEC sessions to the router via this line

Table K-52 Console Page—Setup Tab (Continued)
Output Protocols | The protocols that you can use for outgoing connections on the console port:
• All—All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120.
• None—No protocols are permitted. This makes the port unusable by outgoing connections.

Table K-52 Console Page—Setup Tab (Continued)
Save button | Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Console Page—Authentication Tab
Use the Authentication tab of the Console page to define the AAA authentication methods to perform on users who attempt to access the console port.

Field Reference
Table K-53 Console Page—Authentication Tab
Element | Description
Authenticate Using | Authentication settings for the console port:
• None—Authentication is not performed. This is the default.
• Local Database—Uses the local username database for authentication.
• AAA Policy Default List—Uses the default authentication method list that is defined in the device’s AAA policy.

Console Page—Authorization Tab
Use the Authorization tab of the Console page to define the EXEC and command authorization methods to perform on users who access the console port.

Note: You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 15-70.

Navigation Path
Go to the Console Policy Page, page K-117, then click the Authorization tab.

Table K-54 Console Page—Authorization Tab (Continued)
Prioritized Method List | Applies only when Custom Method List is selected as the EXEC method. Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593.

Console Page—Accounting Tab
Use the Accounting tab of the Console page to define the EXEC, connection, and command accounting methods to perform on users who access the console port.

Note: You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 15-70.

Navigation Path
Go to the Console Policy Page, page K-117, then click the Accounting tab.

Table K-55 Console Page—Accounting Tab (Continued)
Generate Accounting Records for | Applies only when Custom Method List is selected as the EXEC method. Defines when the device sends an accounting notice to the accounting server:
• Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the “start” accounting record.

Table K-55 Console Page—Accounting Tab (Continued)
Connection Accounting settings
Perform Connection Accounting Using | The accounting method to use for recording information about outbound connections made over the console line:
• None—Accounting is not performed. This is the default.
• AAA Policy Default List—Uses the default connection accounting method list that is defined in the device’s AAA policy.

Table K-55 Console Page—Accounting Tab (Continued)
Prioritized Method List | Applies only when Custom Method List is selected as the connection method. Defines a sequential list of methods to be queried when creating accounting methods for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593.

Table K-55 Console Page—Accounting Tab (Continued)
Edit button | Opens the Command Accounting Dialog Box—Line Access, page K-145. From here you can edit the command accounting definition.
Delete button | Deletes the selected command accounting definitions from the table.
Accounting tab button
Save button | Saves your changes to the Security Manager server but keeps them private.

Table K-56 VTY Lines Page (Continued)
Line | The relative line number of the VTY line. This field may also contain multiple VTY lines configured as a contiguous group.
Line/Line Group Parameters
Input Protocols | The protocols that you can use for incoming connections on the VTY line.
Output Protocols | The protocols that you can use for outgoing connections on the VTY line.
Privilege Level | The privilege level assigned to users.

Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

VTY Line Dialog Box
Use the VTY Line dialog box to configure one or more VTY lines (up to 16) that enable remote users to access the router.

Table K-57 VTY Line Dialog Box (Continued)
OK button | Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

VTY Line Dialog Box—Setup Tab
Use the Setup tab of the VTY Line dialog box to define the basic parameters of the VTY line.

Table K-58 VTY Line Dialog Box—Setup Tab (Continued)
Ending VTY Line Number | Applies only when configuring a group of lines. The relative line number of the last VTY line in the group.
Note: When you configure a group of lines, all the lines in the group must fall within one of two ranges, 0-4 or 6-15.
Password | The password for accessing this VTY line. The password is case sensitive and can contain up to 80 alphanumeric characters.

Table K-58 VTY Line Dialog Box—Setup Tab (Continued)
Exec Timeout | The amount of time (in seconds) that the EXEC command interpreter waits to detect user input on the line. If no input is detected, the line is disconnected. Valid values range from 0 to 2147483. The default is 600 (10 minutes). Setting the value to 0 disables the timeout.

Table K-58 VTY Line Dialog Box—Setup Tab (Continued)
Output Protocols | The protocols that you can use for outgoing connections on this line:
• All—All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120.
• None—No protocols are permitted. This makes the port unusable by outgoing connections.

VTY Line Dialog Box—Authentication Tab
Use the Authentication tab of the VTY Line dialog box to define the authentication methods to perform on users who attempt to access the selected VTY line or group of lines.

Navigation Path
Go to the VTY Line Dialog Box, page K-131, then click the Authentication tab.

Table K-59 VTY Line Dialog Box—Authentication Tab (Continued)
Prioritized Method List | Applies only when Custom Method List is selected as the authentication method. Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593.

• Console Page—Authentication Tab, page K-121

Field Reference
Table K-60 VTY Line Dialog Box—Authorization Tab
Element | Description
EXEC Authorization settings
Authorize EXEC Operations Using | The authorization method that determines whether a user is allowed to run an EXEC session:
• None—Authorization is not performed. This is the default.

Table K-60 VTY Line Dialog Box—Authorization Tab (Continued)
Command Authorization settings
Filter | Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Privilege Level | The privilege level to which the command authorization definition applies.
Prioritized Method List | The method list to use when authorizing users with this privilege level.

Field Reference
Table K-61 VTY Line Dialog Box—Accounting Tab
Element | Description
EXEC Accounting settings
Perform EXEC Accounting Using | The accounting method to use for recording basic information about user EXEC sessions:
• None—Accounting is not performed. This is the default.
• AAA Policy Default List—Uses the default EXEC accounting method list that is defined in the device’s AAA policy.

Table K-61 VTY Line Dialog Box—Accounting Tab (Continued)
Prioritized Method List | Applies only when Custom Method List is selected as the EXEC method. Defines a sequential list of methods to be queried when creating accounting methods for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an Object Selectors, page F-593.

Table K-61 VTY Line Dialog Box—Accounting Tab (Continued)
Generate Accounting Records for | Applies only when Custom Method List is selected as the connection method. Defines when the device sends an accounting notice to the accounting server:
• Start and Stop—Generates accounting records at the beginning and the end of the user process.

Table K-61 VTY Line Dialog Box—Accounting Tab (Continued)
Command Accounting settings
Filter | Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Privilege Level | The privilege level to which the command authorization definition applies.
Generate Accounting Records for | The points in the process where the device sends an accounting notice to the accounting server.
Appendix K Router Platform User Interface Reference VTY Policy Page Field Reference Table K-62 Command Authorization Dialog Box—Line Access Element Description Privilege Level The privilege level for which you want to define a command authorization list. Valid values range from 0 to 15. Note If you do not define a value, level 1 is assigned by default. This value does not appear in the device configuration.
Appendix K Router Platform User Interface Reference VTY Policy Page Command Accounting Dialog Box—Line Access Use the Command Accounting dialog box to define which methods to use when recording information about the EXEC commands that are executed for a given privilege. Each accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the name of the user who executed it.
Appendix K Router Platform User Interface Reference VTY Policy Page Table K-63 Command Accounting Dialog Box—Line Access (Continued) Generate Accounting Records for Applies only when Custom Method List is selected. Defines when the device sends an accounting notice to the accounting server: • Start and Stop—Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the “start” accounting record.
Table K-63 Command Accounting Dialog Box—Line Access (Continued)
OK button: Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
Field Reference
Table K-64 Secure Shell Page
Element: Description
SSH Version: The version of SSH to use when connecting to the router:
• 1 and 2—SSH version 1 and SSH version 2. This is the default.
• 1—SSH version 1 only.
• 2—SSH version 2 only.
Timeout: The amount of time the router should wait for the SSH client to respond during the negotiation phase before disconnecting.
Table K-64 Secure Shell Page (Continued)
Regenerate Key During Deployment: When selected, regenerates the RSA key pair on the router during the next deployment. This option is useful if you are concerned that the secrecy of the keys might be compromised. When deselected, a new key pair is not generated.
Note This check box is not deselected automatically after deployment.
Modulus Size
• (Policy view) Select Router Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Right-click SNMP to create a policy, or select an existing policy from the Shared Policy selector.
Table K-65 SNMP Page (Continued)
Edit button: Opens the Trap Receiver Dialog Box, page K-153. From here you can edit the selected SNMP host.
Delete button: Deletes the selected SNMP hosts from the table.
Additional fields and buttons
SNMP Server Properties: The name and contact information of the system administrator responsible for the SNMP server/agent (that is, the router).
Related Topics
• SNMP Policy Page, page K-149
• Trap Receiver Dialog Box, page K-153
• SNMP Traps Dialog Box, page K-155
• Defining SNMP Agent Properties, page 15-102
• SNMP on Cisco IOS Routers, page 15-101
Field Reference
Table K-66 Permission Dialog Box
Element: Description
Community String: The community string for accessing the router’s MIB. String length ranges from 1 to 128 characters.
Trap Receiver Dialog Box
Use the Trap Receiver dialog box to define the SNMP hosts that receive traps generated by the router. This includes defining the version of SNMP to use.
Navigation Path
Go to the SNMP Policy Page, page K-149, then click the Add or Edit button beneath the Trap Receiver table.
Table K-67 Trap Receiver Dialog Box (Continued)
Community String: Applies only when version 1 or version 2c is selected. The password required to access the SNMP host. Enter the string again in the Confirm field.
Note We recommend that you use one of the strings defined in the Permissions table as the password to the SNMP host. You may, however, enter a different password. String length ranges from 1 to 128 characters.
User Name
SNMP Traps Dialog Box
Use the SNMP Traps dialog box to select the events in the router that should generate SNMP traps.
Tip You can configure SNMP traps not included in this dialog box by defining FlexConfigs. For more information, see Understanding FlexConfig Objects, page 9-52.
Note To lessen possible degradation of system performance, select only those traps that are needed for network monitoring purposes.
Field Reference
Table K-68 SNMP Traps Dialog Box
Element: Description
Standard SNMP Traps: Enables or disables standard SNMP traps. Options are:
• Cold start—Sends a trap when the router reinitializes in a way that could change the configuration of the SNMP agent (or any other trap-receiving entity).
IPsec Traps
Table K-68 SNMP Traps Dialog Box (Continued)
Other Traps: Enables or disables additional SNMP traps. Options are:
• Syslog—Sends syslog messages to the SNMP host.
• TTY—Sends Cisco-specific notifications when a Transmission Control Protocol (TCP) connection closes.
• BGP—Sends notifications when Border Gateway Protocol (BGP) state changes occur. See BGP Routing on Cisco IOS Routers, page 15-179.
DNS Policy Page
Use the DNS policy page to define the local IP host table and the Domain Name System (DNS) servers that the router should use for translating hostnames to IP addresses. You can also prevent the router from performing DNS lookups by disabling the DNS feature.
Navigation Path
• (Device view) Select Platform > Device Admin > DNS from the Policy selector.
Table K-69 DNS Page (Continued)
Domain Lookup: When selected, the router performs lookups on the defined DNS servers. This is the default. When deselected, lookups on remote DNS servers are disabled.
Save button: Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Table K-70 IP Host Dialog Box (Continued)
OK button: Saves your changes locally on the client and closes the dialog box.
Note To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Hostname Policy Page
Use the Hostname page to define the hostname and domain name assigned to the router.
Table K-71 Hostname Page (Continued)
Save button: Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.

Memory Policy Page
Use the Memory page to define settings related to router memory, including:
• The amount of time to retain the memory log.
• The thresholds for available processor and I/O memory.
Field Reference
Table K-72 Memory Page
Element: Description
Maintain Memory Log: The number of hours that the router should maintain the log containing the history of memory consumption on the device. Valid values range from 12 to 72 hours. The default is 24 (1 day).
Processor Threshold: The processor memory threshold in kilobytes.
Table K-72 Memory Page (Continued)
Perform Sanity Checks: The types of sanity checks to perform:
• Buffer—When selected, performs sanity checks on all buffers. Sanity checks are performed when a packet buffer is allocated and when the packet buffer is returned to the buffer pool.
• Queue—When selected, performs sanity checks on all queues.
• All—When selected, performs sanity checks on all buffers and queues.
• Chapter K, “Router Platform User Interface Reference”
• Secure Device Provisioning Workflow, page 15-112
• Understanding AAA Server Group Objects, page 9-15
• Understanding PKI Enrollment Objects, page 9-154
• Understanding FlexConfig Objects, page 9-52
Field Reference
Table K-73 Secure Device Provisioning Page
Element: Description
Introducer Authentication (AAA): The AAA server group that authentica
Table K-73 Secure Device Provisioning Page (Continued)
Petitioner Authentication: The CA server that authenticates the identity of the petitioner:
• Local CA Server—Select this option when the router itself is already configured to act as the CA server. Enter the name of the local CA in the field provided.
Table K-73 Secure Device Provisioning Page (Continued)
Bootstrap Configuration: The source of the bootstrap configuration to provide to the petitioner for first-time configuration:
• Non-Security Manager URL—Used when the bootstrap configuration is located externally to Security Manager. Enter its location in the URL field.
DHCP Policy Page
Use the DHCP policy page to define a DHCP server policy on the selected router. This includes specifying the address pools used by the DHCP server when assigning addresses to requesting clients. For more information, see Defining DHCP Policies, page 15-121.
Navigation Path
• (Device view) Select Platform > Device Admin > Server Access > DHCP from the Policy selector.
Table K-74 DHCP Policy Page (Continued)
Delete button: Deletes the selected DHCP database agents.
Excluded IPs
Excluded IPs or IP Ranges: The IP addresses and/or address ranges to exclude from DHCP. These addresses are not assigned by the DHCP server to DHCP clients requesting addresses. Enter one or more network addresses or network/host objects, or click Select to display an Object Selectors, page F-593.
Table K-74 DHCP Policy Page (Continued)
Option 66: The IP address of the TFTP server required by IP phones for configuration, as defined using DHCP option 66.
Add button: Opens the IP Pool Dialog Box, page K-171. From here you can define a DHCP IP address pool.
Edit button: Opens the IP Pool Dialog Box, page K-171. From here you can edit the selected IP pool.
Delete button: Deletes the selected IP pools.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

DHCP Database Dialog Box
Use the DHCP Database dialog box to define external DHCP database agents that contain the automatic bindings. Each database URL that you define must be unique.
Table K-75 DHCP Database Dialog Box (Continued)
Write Delay: The interval (in seconds) between updates sent from the DHCP server to the external DHCP database agent. The minimum delay is 60 seconds. The default is 300 seconds (5 minutes).
OK button: Saves your changes locally on the client and closes the dialog box.
Table K-76 IP Pool Dialog Box (Continued)
Network: The IP address and subnet mask of the IP pool. This subnet contains the range of available IP addresses that the DHCP server may assign to clients. Enter an address and mask or the name of a network/host object, or click Select to display an Object Selectors, page F-593.
Table K-76 IP Pool Dialog Box (Continued)
Domain Name: The domain name for DHCP clients using this IP pool. This name places these clients in the general grouping of networks that make up the domain.
Import All: When selected, enables remote DHCP servers to import specific DHCP options (such as the DNS server) from a centralized server. Use this option to enable configuration information to be updated automatically.
Table K-76 IP Pool Dialog Box (Continued)
Option 150 (IP Addresses): The IP address of the TFTP server used to provide configuration files to IP phones. These configuration files define parameters required by IP phones to connect to Cisco CallManager. Enter up to eight (8) network addresses or network/host objects, or click Select to display an Object Selectors, page F-593.
• Understanding Interface Role Objects, page 9-132
Field Reference
Table K-77 NTP Page
Element: Description
Source Interface: The source address for all packets sent to an NTP server. This setting might be necessary when the NTP server cannot respond to the address from which the packet originated (for example, due to a firewall). The source interface must have an IP address.
Table K-77 NTP Page (Continued)
Trusted: Indicates whether the authentication key defined for this NTP server is a trusted key.
Add button: Opens the NTP Server Dialog Box, page K-176. From here you can define an NTP server.
Edit button: Opens the NTP Server Dialog Box, page K-176. From here you can edit the selected NTP server.
Delete button: Deletes the selected NTP server from the table.
Field Reference
Table K-78 NTP Server Dialog Box
Element: Description
IP Address: The IP address of the NTP server. Enter an address or the name of a network/host object, or click Select to display an Object Selectors, page F-593. If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477. From here, you can define a network/host object.
Table K-78 NTP Server Dialog Box (Continued)
Preferred: When selected, this NTP server is preferred over other NTP servers of similar accuracy. If this server is used for synchronization, the time offset used to correct the local clock is calculated from this server only.
802.1x Policy Page
Use the 802.1x policy page to create policies that limit VPN access to authorized users. Authenticated traffic is allowed to pass through a designated physical interface on the router. Unauthenticated traffic is allowed to pass through a virtual interface to the Internet but is not allowed to access the VPN. For more information, see Defining 802.1x Policies, page 15-131.
Note 802.
Field Reference
Table K-79 802.1x Page
Element: Description
AAA Server Group: The RADIUS AAA server group that authenticates the credentials of users trying to access a VPN tunnel. Enter the name of a AAA server group object, or click Add to display an Object Selectors, page F-593. If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-12.
Table K-79 802.1x Page (Continued)
Interface: The trusted, physical interface that provides VPN access to authenticated traffic. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464. From here you can create an interface role object.
Table K-79 802.1x Page (Continued)
Client reauthentication period timeout: Applies only when the Enable client reauthentication check box is selected.
Quiet period: The amount of time the router remains in a quiet state after a failed authentication exchange with the client. Authentication exchanges might fail, for example, because the client provided an invalid password.
Network Admission Control Policy Page
Network Admission Control (NAC) policies enable Cisco IOS routers acting as network access devices (NADs) to enforce access privileges when an endpoint tries to connect to a network. Access decisions are made on the basis of information provided by the endpoint device, such as its current antivirus state, thus keeping insecure nodes from infecting the network.
Navigation Path
Go to the Network Admission Control Policy Page, page K-183, then click the Setup tab.
Table K-80 Network Admission Control Setup Tab (Continued)
Allow Clientless: When selected, enables devices that do not have the Cisco Trust Agent (CTA) installed to be authenticated through the use of a username and password configured on the ACS. If you select this check box, enter the username and password (including confirmation) in the fields provided.
Network Admission Control Page—Interfaces Tab
Use the Network Admission Control Interfaces tab to select and configure the router interfaces on which to perform NAC. This includes configuring the Intercept ACL and selected EoU interface parameters. A NAC policy must include at least one interface definition in order to function.
Table K-81 Network Admission Control Interfaces Tab (Continued)
Save button: Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit icon on the toolbar.
Tip To choose which columns to display in the table, right-click a column header, then select Show Columns.
Field Reference
Table K-82 NAC Interface Configuration Dialog Box
Element: Description
Interface: The interface that will perform NAC on connecting devices. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-464.
Network Admission Control Page—Identities Tab
Use the Network Admission Control Identities tab to view, create, edit, and delete NAC identity profiles and identity actions. Identity profiles define a specific action to perform on traffic received from selected devices, as identified by their IP address, MAC address, or device type.
Table K-83 Network Admission Control Identities Tab (Continued)
Identity Actions Table
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Action Name: The name of the identity action.
ACL: The ACL applied to profiles to which this identity action is assigned.
Related Topics
• NAC Identity Action Dialog Box, page K-191
• Defining NAC Identity Parameters, page 15-143
Field Reference
Table K-84 NAC Identity Profile Dialog Box
Element: Description
Action Name: The name of the action to assign to the profile. Enter the name of an action, or click Select to display a selector. For more information about creating actions, see NAC Identity Action Dialog Box, page K-191.
• Defining NAC Identity Parameters, page 15-143
• Understanding Access Control List Objects, page 9-30
Field Reference
Table K-85 NAC Identity Action Dialog Box
Element: Description
Name: A descriptive name for the identity action. Use this name when you select an action to assign to a NAC identity profile. See NAC Identity Profile Dialog Box, page K-190.
Note We strongly recommend that you define an NTP policy on all routers on which logging is enabled in order to create accurate timestamps for each log message. For more information, see NTP Policy Page, page K-174.
Note If you unassign a logging setup policy, the default logging configuration is restored on the device upon deployment.
Table K-86 Logging Setup Page (Continued)
Source Interface: The source address for all outgoing log messages sent to a syslog server. This setting may be necessary when the syslog server cannot respond to the address from which the log message originated (for example, due to a firewall). If you do not define a value in this field, the address of the outgoing interface is used.
Table K-86 Logging Setup Page (Continued)
Logging Buffer: Defines whether log messages are saved locally to a buffer on the device.
• Enable Buffer—When selected, log messages are saved to a buffer on the device. This is the default. When deselected, a log buffer is not maintained on the device.
• Buffer Size—The size of the buffer in bytes. Valid values range from 4096 to 4294967295 bytes (4 kilobytes to 4 gigabytes).
Table K-86 Logging Setup Page (Continued)
Rate Limit: Limits the rate of log messages sent to the syslog server.
• Enable Rate Limit—When selected, the rate limit is enabled. When deselected, the rate limit is disabled.
• Messages per Sec.—The maximum number of logging messages that can be sent per second. Valid values range from 1 to 10000. The default is 10 messages per second.
Table K-86 Logging Setup Page (Continued)
Save button: Saves your changes to the Security Manager server but keeps them private.
Note To publish your changes, click the Submit button on the toolbar.

Syslog Servers Policy Page
Use the Syslog Servers page to create, edit, and delete servers that collect log messages from the router. For more information, see Defining Syslog Servers, page 15-149.
Table K-87 Syslog Servers Page (Continued)
IP Address: The name of the syslog server, as represented by a network/host object, or its IP address.
XML: Indicates whether the syslog server receives log messages in XML format.
Add button: Opens the Syslog Server Dialog Box, page K-198. From here you can define a syslog server.
Edit button: Opens the Syslog Server Dialog Box, page K-198.
Related Topics
• Defining Syslog Servers, page 15-149
• Logging on Cisco IOS Routers, page 15-144
• Understanding Network/Host Objects, page 9-144
Field Reference
Table K-88 Syslog Server Dialog Box
Element: Description
IP Address: The IP address of the syslog server. Enter an IP address or the name of a network/host object, or click Select to display an Object Selectors, page F-593.
• (Policy view) Select Router Platform > Quality of Service from the Policy Type selector. Right-click Quality of Service to create a policy, or select an existing policy from the Shared Policy selector.
Table K-89 Quality of Service Page (Continued)
Sustained Burst: Applies only when you enable hierarchical shaping on this interface. The normal burst size allowed on this interface, in milliseconds.
Excess Burst: Applies only when you enable hierarchical shaping on this interface. The excess burst size allowed on this interface, in milliseconds.
Add button: Opens the QoS Policy Dialog Box, page K-203.
Table K-89 Quality of Service Page (Continued)
Edit button: Opens the QoS Class Dialog Box, page K-205. From here you can edit the selected QoS class.
Delete button: Deletes the selected QoS classes from the table.
Control Plane QoS Classes Table
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
No.: The sequential number of the class.
QoS Policy Dialog Box
Use the QoS Policy dialog box to select an interface on which you want to define QoS parameters. In addition, you can use this dialog box to configure a single set of shaping parameters for all the traffic on the selected interface (known as hierarchical shaping). Using hierarchical shaping eliminates the need to configure shaping parameters for each QoS class defined on the interface.
Table K-90 QoS Policy Dialog Box (Continued)
Direction: The direction of the traffic on which to configure QoS:
• Output—Traffic that exits the interface.
• Input—Traffic that enters the interface.
Hierarchical Shaping settings
Enable Shaping: When selected, configures hierarchical traffic shaping on the selected interface. When deselected, hierarchical shaping is not used.
Table K-90 QoS Policy Dialog Box (Continued)
Sustained Burst: The normal burst size. If you select average as the shaping type, data bursts during an interval are limited to this value. The range of valid values is determined by the CIR:
• When the CIR is defined by percentage—Valid values range from 10 to 2000 milliseconds.
Note QoS is applied to packets on a first-match basis. The router examines the table of QoS classes starting from the top and applies the properties of the first class whose matching criteria match the packet. Therefore, it is important that you define and order your classes carefully. The default class should be placed last to prevent traffic that matches a specific class from being treated as unmatched traffic.
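The first-match rule in the note above, as an added example that is not part of the original guide: a Python model of an ordered QoS class table that classifies packets and reports classes that can never match because an earlier class (including a misplaced default class) already covers them. The class names, protocol names and source networks are constructed sample values, and matching on a source network is an assumption that stands in for an ACL match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class QosClass:
    """One row of the QoS classes table (hypothetical model, not product code)."""
    name: str
    protocols: frozenset = frozenset()   # empty set means "any protocol"
    source: str = "0.0.0.0/0"            # assumption: stands in for an ACL match
    is_default: bool = False             # "Set as Default Class" selected

    def criteria(self):
        """Return (protocols, network); the default class matches everything."""
        if self.is_default:
            return frozenset(), ANY_NET
        return self.protocols, ipaddress.ip_network(self.source)

    def matches(self, protocol: str, src_ip: str) -> bool:
        protos, net = self.criteria()
        proto_ok = not protos or protocol in protos
        return proto_ok and ipaddress.ip_address(src_ip) in net


def classify(table: List[QosClass], protocol: str, src_ip: str) -> Optional[str]:
    """Walk the table from the top and return the first matching class name."""
    for cls in table:
        if cls.matches(protocol, src_ip):
            return cls.name
    return None


def covers(earlier: QosClass, later: QosClass) -> bool:
    """True when every packet that matches `later` also matches `earlier`."""
    e_protos, e_net = earlier.criteria()
    l_protos, l_net = later.criteria()
    protos_covered = not e_protos or (bool(l_protos) and l_protos <= e_protos)
    return protos_covered and l_net.subnet_of(e_net)


def shadowed_classes(table: List[QosClass]) -> List[Tuple[str, str]]:
    """Return (unreachable class, class that hides it) pairs for a table."""
    findings = []
    for index, later in enumerate(table):
        for earlier in table[:index]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed sample classes (names, protocols and networks are illustrative).
VOICE = QosClass("voice", frozenset({"rtp"}), "10.1.0.0/16")
MGMT = QosClass("mgmt", frozenset({"ssh", "snmp"}), "10.9.0.0/24")
DEFAULT = QosClass("class-default", is_default=True)

DEFAULT_TOO_EARLY = [VOICE, DEFAULT, MGMT]   # default class above a specific class
DEFAULT_LAST = [VOICE, MGMT, DEFAULT]        # ordering the note recommends

if __name__ == "__main__":
    for label, table in (("default too early", DEFAULT_TOO_EARLY),
                         ("default last", DEFAULT_LAST)):
        print(label)
        print("  ssh from 10.9.0.5 ->", classify(table, "ssh", "10.9.0.5"))
        print("  shadowed:", shadowed_classes(table))
```

Running the shadowing check on a class table before deployment shows which classes would silently receive no traffic because of their position.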
Field Reference
Table K-91 QoS Class Dialog Box
Element: Description
Set as Default Class: When selected, enables you to define the default class for all traffic that does not match the other QoS classes on this interface. When deselected, enables you to define a specific QoS class on this interface.
QoS Class Dialog Box—Matching Tab
Use the Matching tab of the QoS Class dialog box to define which traffic over the selected interface is considered to be part of this class.
Note When you define the default class, the Matching tab is disabled.
Navigation Path
Go to the QoS Class Dialog Box, page K-205, then click the Matching tab.
Table K-92 QoS Class Dialog Box—Matching Tab (Continued)
Protocol: One or more protocols included in this class map. Click Add to display a selector. Select one or more items from the Available Protocols list, then click >> to add them to the Selected Protocols list. The only protocol available for the control plane is ARP; ARP and CDP are not available for input classes configured on an interface.
Edit ACLs Dialog Box—QoS Classes
When configuring a QoS policy on a Cisco IOS router, use the Edit ACLs dialog box to specify which ACLs should be included in the matching criteria for the selected class. Traffic matching these criteria is included as part of the class.
Navigation Path
Go to the QoS Class Dialog Box—Matching Tab, page K-208, then click Edit in the ACL field.
QoS Class Dialog Box—Marking Tab
Use the Marking tab of the QoS Class dialog box to classify packets. Traffic policers and shapers use these classifications to ensure adherence to the contracted level of service. Downstream devices use this classification to identify the packets and apply the appropriate QoS functions to them.
Note The Marking tab is unavailable when you define a QoS policy on the control plane.
Table K-94 QoS Class Dialog Box—Marking Tab (Continued)
Precedence: The precedence value with which to mark the traffic in this class:
• network (7)
• internet match (6)
• critical (5)
• flash-override (4)
• flash (3)
• immediate (2)
• priority (1)
• routine (0)
DSCP: The DSCP value (0 to 63) with which to mark the traffic in this class.
• Defining QoS on the Control Plane, page 15-168
• Quality of Service Policy Page, page K-199
Field Reference
Table K-95 QoS Class Dialog Box—Queuing and Congestion Avoidance Tab
Element: Description
Enable Queuing and Congestion Avoidance: When selected, enables you to define queuing parameters for the selected QoS class. When deselected, disables all queuing options for the selected QoS class.
Table K-95 QoS Class Dialog Box—Queuing and Congestion Avoidance Tab (Continued)
Bandwidth: The minimum bandwidth to guarantee to this class (a specific class or the default class). You can define this amount by:
• Percentage—Valid values range from 0 to 100% of the total available bandwidth.
• Kbit/sec—Valid values range from 8 to 2000000 kilobits per second.
Queue Limit
• Quality of Service Policy Page, page K-199
Field Reference
Table K-96 QoS Class Dialog Box—Policing Tab
Element: Description
Enable Policing: When selected, enables you to configure Class-Based Policing to control the maximum rate of traffic for this class.
Table K-96 QoS Class Dialog Box—Policing Tab (Continued)
Excess Burst: The excess burst size, which determines how large traffic bursts can be before all traffic exceeds the rate limit. In the token bucket algorithm, it represents the full size of the second (exceed) token bucket.
QoS Class Dialog Box—Shaping Tab
Use the Shaping tab of the QoS Class dialog box to control the rate of output traffic for the selected QoS class. Shaping typically delays excess traffic by using a buffer, or queuing mechanism, to hold packets and shape the flow when the data rate of the source is higher than expected.
Table K-97 QoS Class Dialog Box—Shaping Tab (Continued)
Type: The type of shaping to perform:
• Average—Limits the data rate for each interval to the sustained burst rate (also known as the committed burst rate or Bc), achieving an average rate no higher than the committed information rate (CIR). Additional packets are buffered until they can be sent.
CIR
Table K-97 QoS Class Dialog Box—Shaping Tab (Continued)
Excess Burst: The excess burst size. If you select peak as the shaping type, data bursts during an interval can equal the sum of the sustained burst value plus this value. The average data rate over multiple intervals, however, will continue to conform to the CIR.
Related Topics
• Chapter K, “Router Platform User Interface Reference”

BGP Page—Setup Tab
Use the BGP Setup tab to define the number of the autonomous system (AS) in which the selected router is located. You must then define which networks are included in the AS and which networks are the internal and external neighbors of the router.
Table K-98 BGP Setup Tab (Continued)
Networks: The networks associated with the BGP route. Enter one or more network addresses or network/host objects, or click Select to display an Object Selectors, page F-593. If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-477. From here you can define a network/host object.
Neighbors Dialog Box
Use the Neighbors dialog box to define the internal and external neighbors of the selected router.
Navigation Path
Go to the BGP Page—Setup Tab, page K-220, then click the Add or Edit button in the Neighbors field.
Table K-99 Neighbors Dialog Box (Continued)
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
Table K-100 BGP Redistribution Tab (Continued)
Static Type: When redistributing static routes, indicates the type of static route, IP or OSI.
Add button: Opens the BGP Redistribution Mapping Dialog Box, page K-224. From here you can define BGP redistribution mappings.
Edit button: Opens the BGP Redistribution Mapping Dialog Box, page K-224. From here you can edit the selected BGP redistribution mapping.
Field Reference
Table K-101 BGP Redistribution Mapping Dialog Box
Element: Description
Protocol to Redistribute: The routing protocol that is being redistributed:
• Static—Redistributes IP or OSI static routes. You can define a single mapping for each route.
• EIGRP—Redistributes an EIGRP autonomous system. Enter the AS number in the displayed field. You can define a single mapping for each AS.
• RIP—Redistributes RIP routes.
EIGRP Routing Policy Page
Enhanced Interior Gateway Routing Protocol (EIGRP) is a scalable interior gateway protocol that provides extremely quick convergence times with minimal network traffic.
Field Reference
Table K-102 EIGRP Setup Tab
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
AS Number: The autonomous system number that identifies the autonomous system to other routers.
Networks: The names of the networks included in the route.
Related Topics
• Defining EIGRP Routes, page 15-185
• Supported IP Address Formats, page 9-145
• Understanding Network/Host Objects, page 9-144

Field Reference
Table K-103 EIGRP Setup Dialog Box
Element: Description
AS Number: The autonomous system number for the EIGRP route. This number is used to identify the autonomous system to other routers. Valid values are from 1 to 65535.
Edit Interfaces Dialog Box—EIGRP Passive Interfaces
When you configure an EIGRP routing policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will not send updates to their routing neighbors.
Navigation Path
Go to the EIGRP Setup Dialog Box, page K-227, then click the Edit button in the Passive Interfaces field.
Note: You can access the EIGRP Interfaces tab only after defining at least one EIGRP autonomous system in the Setup tab. See EIGRP Page—Setup Tab, page K-226.
Navigation Path
Go to the EIGRP Routing Policy Page, page K-226, then click the Interfaces tab.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

EIGRP Interface Dialog Box
Use the EIGRP Interface dialog box to add or edit interface definitions for a selected EIGRP autonomous system.
Table K-106 EIGRP Interface Dialog Box (Continued)
Hello Interval: The default interval between hello packets sent by the router to its neighbors. Routers send hello packets to each other to dynamically learn of other routers on their directly attached networks. Valid values range from 1 to 65535 seconds. The default is 5 seconds.
Split Horizon: When selected, the split horizon feature is used to prevent routing loops.
Field Reference
Table K-107 EIGRP Redistribution Tab
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
EIGRP AS Number: The area ID of the EIGRP route into which other routes are being redistributed.
Protocol: The protocol that is being redistributed.
AS/Process ID: The AS number or process ID of the route being redistributed.
EIGRP Redistribution Mapping Dialog Box
Use the EIGRP Redistribution Mapping dialog box to add or edit the properties of an EIGRP redistribution mapping.
Navigation Path
Go to the EIGRP Page—Redistribution Tab, page K-232, then click the Add or Edit button beneath the table.
Note: You must create at least one EIGRP AS before you can access the EIGRP Redistribution dialog box. See EIGRP Page—Setup Tab, page K-226.
Table K-108 EIGRP Redistribution Mapping Dialog Box (Continued)
Protocol to Redistribute (continued):
• OSPF—Redistributes a different OSPF process. You can define a single mapping for each process. Select a process from the displayed list, then select one or more match criteria:
  – Internal—Routes that are internal to a specific AS.
Table K-108 EIGRP Redistribution Mapping Dialog Box (Continued)
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

OSPF Interface Policy Page
Use the OSPF Interface page to view, create, edit, and delete interface-specific OSPF settings.
Table K-109 OSPF Interface Page (Continued)
Key ID: The identification number of the authentication key used for MD5 authentication.
Cost: The cost of sending packets over the selected interface, if this value is different from the cost as normally calculated.
Priority: The priority of the selected interface.
MTU Ignore: Indicates whether Maximum Transmission Unit (MTU) detection is disabled on the selected interface.
OSPF Interface Dialog Box
Use the OSPF Interface dialog box to add or edit the properties of OSPF interfaces.
Navigation Path
Go to the OSPF Interface Policy Page, page K-236, then click the Add or Edit button beneath the table.
Table K-110 OSPF Interface Dialog Box (Continued)
Authentication: Type—The authentication type used by the selected interface:
• MD5—Uses the MD5 hash algorithm for authentication. This is the default.
• Clear Text—Uses a clear text password for authentication.
• None—Uses no authentication.
Note: The authentication type used on an interface must match the authentication type defined for the area.
Table K-110 OSPF Interface Dialog Box (Continued)
Priority: The default priority of the interface. The priority is used to determine which routers become the designated router (DR) and backup designated router (BDR) for that segment. The higher the number, the higher the priority. The default priority is 1. Valid values range from 0 to 255.
Table K-110 OSPF Interface Dialog Box (Continued)
Retransmit Interval: The interval between LSA retransmissions (in seconds) over the selected interface. The default is 5 seconds. Valid values range from 1 to 65535 seconds.
Note: We recommend that you increase this value for serial lines and virtual links.
Dead Interval
Table K-110 OSPF Interface Dialog Box (Continued)
Configure Network Type: When selected, enables you to select a network type that differs from the default medium used by the interface. When deselected, the network type is equivalent to the default medium used by the interface.
OSPF Process Policy Page
OSPF is an interior gateway routing protocol that uses link states instead of distance vectors for path selection. OSPF propagates link-state advertisements (LSAs) instead of routing table updates, which enables OSPF networks to converge quickly.
Navigation Path
Go to the OSPF Process Policy Page, page K-243, then click the Setup tab.
OSPF Setup Dialog Box
Use the OSPF Setup dialog box to add or edit an OSPF process.
Navigation Path
Go to the OSPF Process Page—Setup Tab, page K-243, then click the Add or Edit button beneath the table.
Related Topics
• Defining OSPF Process Settings, page 15-193

Field Reference
Table K-112 OSPF Setup Dialog Box
Element: Description
Process ID: The process ID number for the OSPF process.
Edit Interfaces Dialog Box—OSPF Passive Interfaces
When you configure an OSPF routing policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will not send updates to their routing neighbors.
Navigation Path
Go to the OSPF Setup Dialog Box, page K-245, then click the Edit button in the Passive Interfaces field.
OSPF Process Page—Area Tab
Use the OSPF Area tab to create, edit, and delete the areas and networks contained in each OSPF process. This includes selecting the type of authentication used by each area.
Navigation Path
Go to the OSPF Process Policy Page, page K-243, then click the Area tab.
Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

OSPF Area Dialog Box
Use the OSPF Area dialog box to add or edit the properties of an OSPF area.
Table K-115 OSPF Area Dialog Box (Continued)
Authentication: The type of authentication used for the area:
• MD5—(Recommended) Uses the MD5 hash algorithm for authentication.
• Clear Text—Uses clear text for authentication.
• None—No authentication is used.
Note: The authentication type must be the same for all routers and access servers in an area.
OK button
Field Reference
Table K-116 OSPF Process Redistribution Tab
Element: Description
OSPF Redistribution Mapping Table
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
OSPF Process ID: The ID of the OSPF routing domain into which other routes are being redistributed.
Protocol: The protocol that is being redistributed.
Table K-116 OSPF Process Redistribution Tab (Continued)
Add button: Opens the OSPF Max Prefix Mapping Dialog Box, page K-254. From here you can define maximum prefix values for OSPF processes.
Edit button: Opens the OSPF Max Prefix Mapping Dialog Box, page K-254. From here you can edit the maximum prefix value defined for the selected OSPF process.
Delete button: Deletes the selected max prefix mappings from the table.
Field Reference
Table K-117 OSPF Redistribution Mapping Dialog Box
Element: Description
Process ID: The OSPF process into which other routes are being redistributed. You must select a process ID number from the list of OSPF processes defined in the OSPF Process Page—Setup Tab, page K-243.
Protocol to Redistribute: The routing protocol that is being redistributed:
• Static—Redistributes static routes.
Table K-117 OSPF Redistribution Mapping Dialog Box (Continued)
Protocol to Redistribute (continued):
• OSPF—Redistributes a different OSPF process. You can define a single mapping for each process. Select a process from the displayed list, then select one or more match criteria:
  – Internal—Routes that are internal to a specific AS.
OSPF Max Prefix Mapping Dialog Box
Use the OSPF Max Prefix Mapping dialog box to add or edit the maximum number of routes that can be redistributed into an OSPF process.
Navigation Path
Go to the OSPF Process Page—Redistribution Tab, page K-249, then click the Add or Edit button beneath the Prefix Mapping table.
Table K-118 OSPF Max Prefix Mapping Dialog Box (Continued)
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

RIP Routing Policy Page
RIP is a distance-vector routing protocol that uses hop count as the metric for path selection.
Related Topics
• Defining RIP Setup Parameters, page 15-210
• RIP Page—Authentication Tab, page K-257
• RIP Page—Redistribution Tab, page K-260
• Supported IP Address Formats, page 9-145
• Understanding Network/Host Objects, page 9-144

Field Reference
Table K-119 RIP Setup Tab
Element: Description
Networks: The directly connected networks associated with the RIP route.
Edit Interfaces Dialog Box—RIP Passive Interfaces
When you configure a RIP routing policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will not send updates to their routing neighbors.
Navigation Path
Go to the RIP Page—Setup Tab, page K-255, then click the Edit button in the Passive Interfaces field.
Navigation Path
Go to the RIP Routing Policy Page, page K-255, then click the Authentication tab.
RIP Authentication Dialog Box
Use the RIP Authentication dialog box to add or edit the neighbor authentication properties of RIP interfaces.
Navigation Path
Go to the RIP Page—Authentication Tab, page K-257, then click the Add or Edit button beneath the table.
Table K-122 RIP Authentication Dialog Box (Continued)
Key: The shared key used for authentication (MD5 or clear text). This key must be shared with all other devices sending updates to, and receiving updates from, the selected device. The key can contain up to 80 alphanumeric characters; the first character cannot be a number. Spaces are allowed. Enter the key again in the Confirm field.
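The OSPF authentication notes (interface type must match the area type, MD5 recommended) and the RIP Key rule above can be checked before a policy is deployed. The following is an added example, not part of the Security Manager guide or product; the dictionary layout, the field names name, area, auth and key_id, and the sample values are assumptions constructed for illustration.

```python
import re

# Types the OSPF dialog boxes offer besides the recommended MD5.
NOT_RECOMMENDED = {"Clear Text", "None"}

# RIP Key field rule: up to 80 alphanumeric characters, spaces allowed,
# first character not a number.
RIP_KEY_RE = re.compile(r"[A-Za-z ][A-Za-z0-9 ]{0,79}")


def check_rip_key(key):
    """Return True if key satisfies the RIP Key field rule."""
    return RIP_KEY_RE.fullmatch(key) is not None


def audit_ospf(areas, interfaces):
    """Return sorted (subject, finding) pairs for OSPF authentication settings.

    areas      -- {area_id: authentication type}
    interfaces -- list of dicts with the hypothetical keys
                  name, area, auth and key_id
    """
    findings = []
    for area_id, auth in areas.items():
        if auth in NOT_RECOMMENDED:
            findings.append((f"area {area_id}", f"not the recommended MD5 type: {auth}"))
    for iface in interfaces:
        name, auth = iface["name"], iface["auth"]
        area_auth = areas.get(iface["area"])
        if area_auth is None:
            findings.append((name, f"area {iface['area']} is not defined"))
        elif auth != area_auth:
            findings.append((name, f"type {auth} does not match area type {area_auth}"))
        if auth in NOT_RECOMMENDED:
            findings.append((name, f"not the recommended MD5 type: {auth}"))
        elif auth == "MD5" and iface.get("key_id") is None:
            findings.append((name, "MD5 selected but no Key ID set"))
    return sorted(findings)


# Constructed sample policy (not taken from any real device).
SAMPLE_AREAS = {0: "MD5", 10: "Clear Text"}
SAMPLE_INTERFACES = [
    {"name": "GigabitEthernet0/0", "area": 0, "auth": "MD5", "key_id": 1},
    {"name": "GigabitEthernet0/1", "area": 0, "auth": "None", "key_id": None},
    {"name": "Serial0/0/0", "area": 10, "auth": "Clear Text", "key_id": None},
    {"name": "Serial0/0/1", "area": 0, "auth": "MD5", "key_id": None},
]

if __name__ == "__main__":
    for subject, finding in audit_ospf(SAMPLE_AREAS, SAMPLE_INTERFACES):
        print(f"{subject}: {finding}")
    print(check_rip_key("core rip key 1"), check_rip_key("1badkey"))
```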
Field Reference
Table K-123 RIP Redistribution Tab
Element: Description
Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.
Protocol: The protocol that is being redistributed.
AS/Process ID: The autonomous system (AS) number or process ID of the route being redistributed.
Metric: The value that determines the priority of the redistributed route.
Field Reference
Table K-124 RIP Redistribution Mapping Dialog Box
Element: Description
Protocol to Redistribute: The routing protocol that is being redistributed:
• Static—Redistributes static routes. You can define a single mapping for each route.
• EIGRP—Redistributes an EIGRP autonomous system. Enter the AS number in the displayed field. You can define a single mapping for each AS.
Protocol to Redistribute (continued)
Table K-124 RIP Redistribution Mapping Dialog Box (Continued)
Transparent Metric: When selected, maintains the original metric of the route being redistributed. When deselected, the value specified in the Metric field is used.
OK button: Saves your changes locally on the client and closes the dialog box.
Table K-125 Static Routing Page (Continued)
Default Route: Indicates whether the static route is the default route for unknown packets being forwarded by this router.
Interface or IP Address: The IP address or the interface name associated with the gateway router that is the next hop address for this router.
Distance: The number of hops from the gateway IP to the destination.
Related Topics
• Defining Static Routes, page 15-215
• Static Routing on Cisco IOS Routers, page 15-215

Field Reference
Table K-126 Static Routing Dialog Box
Element: Description
Destination Network: Address information for the destination network defined by this static route.
• Use as Default Route—When selected, makes this the default route on this router.
Table K-126 Static Routing Dialog Box (Continued)
Forwarding (Next Hop): The method of forwarding data to the destination network:
• Forwarding Interface—The router interface that forwards packets to the remote network. Enter the name of an interface or interface role, or click Select to display an Object Selectors, page F-593.
Table K-126 Static Routing Dialog Box (Continued)
OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

User Guide for Cisco Security Manager 3.