PIX/ASA/FWSM Platform User Interface Reference
- Junior Booker
- 5 years ago
CHAPTER 50

PIX/ASA/FWSM Platform User Interface Reference

The following topics describe the options available for configuring and managing security services and policies for PIX firewalls, Firewall Services Modules (FWSMs) on Catalyst 6500 series switches, and Adaptive Security Appliances (ASAs). These topics are organized in the order in which they appear in Device view. Not all of these elements may apply to the currently selected device, depending on its operating mode and configuration.

Interfaces
- Interfaces Page: PIX and ASA
- Interfaces Page: FWSM
- ASA 5505 Ports and Interfaces Page

Platform
- Bridging
- ARP Table Page
- ARP Inspection Page
- MAC Address Table Page
- MAC Learning Page
- Management IP Page

Device Admin
- AAA Page
- Authentication Tab
- Authorization Tab
- Accounting Tab
- Banner Page
- Boot Image/Configuration Page
- Clock Page
- Credentials Page
- CPU Threshold Page

Interfaces Page: PIX and ASA

The Interfaces page displays configured interfaces, subinterfaces and redundant interfaces, and lets you add, edit and delete them.

Transparent firewall mode allows only two interfaces to pass traffic; however, if your platform includes a dedicated management interface, you can use it (either the physical interface or a subinterface) as a third interface for management traffic.

If you bootstrapped a new security device, the set-up feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.

The Interfaces page settings vary based on the selected device type and version, the operational mode (routed versus transparent), and whether the device hosts single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are configuring.

To access the Interfaces page, select a security device in Device View and then select Interfaces from the Device Policy selector.

Related Topics
- Configuring Firewall Device Interfaces, page 39-2
- Using the Add/Edit Interface Dialog Box, page 39-7

Table 50-1 Interfaces Page

Interfaces Table

Interface Type: The kind of interface. This value is derived from the hardware ID setting of the selected interface, or selection of the Redundant Interface option. Valid options are:
- Ethernet
- GigabitEthernet
- TenGigabitEthernet (ASA 5580 only)
- Redundant

Name: The interface ID. All physical interfaces are listed automatically. For ASA/PIX 7.0 devices, subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

IP Address: The IP address of the interface, or in transparent mode, the word native. Transparent mode interfaces do not use IP addresses.

IP Address Type: The method by which the IP address is provided. Valid options are:
- static: The IP address is manually defined.
- dhcp: The IP address is obtained via a DHCP lease.
- pppoe: The IP address is obtained using PPPoE.

Interface Role: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, that is, ones that can apply to multiple interfaces. Valid options include:
- All-Interfaces: The interface is a member of the default role assigned to all interfaces.
- Internal: This interface is a member of the default role associated with all inside interfaces.
- External: This interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects.

Hardware Port: Identifies the type of interface installed in the device, as well as the port or slot where the interface is installed. For subinterfaces, this value identifies the physical interface with which the subinterface is associated.

Enabled: Indicates if the interface is enabled: true or false. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

VLAN ID: For a subinterface, this is the VLAN ID, an integer between 1 and Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple-context mode, you can only set the VLAN ID in the system configuration. If this value is not specified, the column displays native.

Security Level: The interface security level; a value between 0 and 100.

Management Only: Indicates whether the interface allows traffic to the security appliance for management purposes only: true or false.

MTU: The maximum transmission unit (MTU); that is, the maximum packet size, in bytes, that the interface can handle. By default, the MTU is

Member: Indicates whether this interface is a member of a redundant interface pair: true or false.

Description: A description of the interface. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description.

ASR Group: If this interface is part of an asymmetric routing group, this is its ASR group number. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit an interface, subinterface, or redundant interface. See About Redundant Interfaces, page 39-4 for more information about redundant interfaces.

You can enable communication between interfaces on the same security level.

Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive data, but the configuration information is retained.

In multiple-context mode, you can only add interfaces in the system configuration. See Chapter 49, Configuring Security Contexts on Firewall Devices, for information about assigning interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not specify an interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored.

After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link; then you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device type, the mode of the device (routed or transparent), and the type of interface you are defining, such as physical, virtual, logical, or subinterface. See the following sections for specific information:
- Add/Edit Interface Dialog Box (PIX/ASA), page 50-5
- Add/Edit Interface Dialog Box (ASA 5505)
- Add/Edit Interface Dialog Box (PIX 6.3)

You can access the Add/Edit Interface dialog box from the Interfaces page. For more information, see Interfaces Page: PIX and ASA.

Related Topics
- Configuring Firewall Device Interfaces, page 39-2
- Interfaces Page: PIX and ASA, page 50-2
- ASA 5505 Ports and Interfaces Page
- Advanced Interface Settings Dialog Box
- Add VPDN Group Dialog Box
- PPPoE Users Dialog Box

Add/Edit Interface Dialog Box (PIX/ASA)

The Add/Edit Interface dialog box is used to define and configure interfaces.

Table 50-2 Add/Edit Interface Dialog Box (PIX/ASA)

Enable Interface: Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. In multiple-context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, that interface is down in all contexts that share it.

Management Only: Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a Primary or Secondary ISP interface to be management only.

Redundant Interface: Select this option to define a redundant interface. When this option is checked, the Type option is disabled, the Hardware Port, Duplex and Speed options disappear, and the Redundant ID, Primary Interface and Secondary Interface options appear.
- Redundant ID: Provide an identifier for this redundant interface; valid IDs are the integers from 1 to 8.
- Primary Interface: Choose the primary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
- Secondary Interface: Choose the secondary member of the redundant interface pair from this list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
Note: Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot have a Name, IP Address, or Security Level assigned. In fact, do not configure any options other than Duplex and Speed on the member interfaces. See About Redundant Interfaces, page 39-4 for more information.

Type: Type of interface. Valid values are:
- Interface: Settings represent a physical interface.
- Subinterface: Settings represent a logical interface attached to the same network as its underlying physical interface.
Note: This option is not available when Redundant Interface is selected.

Name: Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. Supported interface names include:
- Inside: Connects to your internal network. Must be the most secure interface.
- DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
- Outside: Connects to an external network or the Internet. Must be the least secure interface.
Note: Do not name this interface if you intend to use it for device failover, or as a member of a redundant interface.

Hardware Port: For a physical interface, this is the specific hardware port assigned to the interface. This value also represents a name by which subinterfaces can be associated with the interface. Valid values are:
- Ethernet0 to Ethernetn
- GigabitEthernet0 to GigabitEthernetn
- GigabitEthernets/n
- TenGigabitEthernets/n (ASA 5580 only)
where s represents a slot number, and n represents a port number, up to the maximum number of network ports in the slot or device.
For a subinterface, choose any enabled physical interface to which the subinterface is to be assigned. If you do not see an interface ID, be sure that Interface is defined and enabled.
Note: This option is not visible when Redundant Interface is selected.

Subinterface ID: Sets the subinterface ID as an integer between 1 and The number of subinterfaces allowed depends on your platform.
Note: You cannot change the ID after you set it.

Media Type: When you enter a hardware port ID with slot/port numbers in the Hardware Port field, the Media Type options are enabled. Specify the media type for the interface:
- RJ45: Port uses RJ-45 connectors.
- SFP: Port uses fiber SFP connectors. Required for TenGigabitEthernet interface cards.

IP Type: Specifies the addressing for the interface; choose one of the following methods and provide related parameters:
- Static IP: Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. The IP address must be unique for each interface. The Subnet mask can be expressed in dotted decimal format (for example, ), or by entering the number of bits in the network mask (for example, 24). Do not use or for an interface connected to the network because this will stop traffic on that interface. If you omit the Subnet Mask value, a classful network is assumed.
  Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.
- Use DHCP: Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:
  - DHCP Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255; defaults to 1. All routes have a value or metric that represents their priority of use. (This metric is also referred to as administrative distance.) When two or more routes to the same destination are available, devices use administrative distance to decide which route to use.
  - Obtain Default Route using DHCP: Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Configuring Static Routes.
  - Enable Tracking for DHCP Learned Route: If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following option becomes available:
    - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Enter or Select the name of the SLA monitor object that defines the route tracking (connectivity monitoring) to be applied to this interface. See Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.
- PPPoE (PIX and ASA 7.2+): Enables Point-to-Point Protocol over Ethernet (PPPoE) for automatic assignment of an IP address from a PPPoE server on the connected network; this option is not supported with failover. The following options become available:
  - VPDN Group Name (required): Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups for more information.
  - IP Address: If provided, this static IP address is used for connection and authentication, instead of a negotiated address.
  - Subnet Mask: The subnet mask to be used in conjunction with the provided IP Address.
  - PPPoE Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255; defaults to 1. All routes have a value or metric that represents their priority of use. (This metric is also referred to as administrative distance.) When two or more routes to the same destination are available, devices use administrative distance to decide which route to use.
  - Obtain Default Route using PPPoE: Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.
  - Enable Tracking for PPPoE Learned Route: If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:
    - Dual ISP Interface: If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.
    - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Enter or Select the name of the SLA monitor object that defines the route tracking (connectivity monitoring) to be applied to this interface. See Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.
Note: You can configure DHCP and PPPoE only on the outside interface of a security appliance.
Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

VLAN ID: Sets the VLAN ID, between 1 and Some VLAN IDs might be reserved on connected switches; see the switch documentation for more information. In multiple-context mode, you can only set the VLAN in the system configuration.

Duplex: Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type. For TenGigabitEthernet (ASA 5580 only), Duplex is automatically set to Full.
Note: This option is not visible when Redundant Interface is selected.

Speed: Lists the speed options for a physical interface; not applicable to logical interfaces. The speeds available depend on the interface type (set automatically for a TenGigabitEthernet interface; available only on ASA 5580) non-negotiable
Note: This option is not visible when Redundant Interface is selected.

MTU: Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are bytes. Default is 1500 for all types except PPPoE, for which the default is For multiple context mode, set the MTU in the context configuration.

Description: Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Security Level: Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between

Active MAC Address: Use this field to manually assign a private MAC address to the interface. MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. By default, a physical interface uses the burned-in MAC address, and all its subinterfaces use the same burned-in MAC address. A redundant interface uses the MAC address of the primary interface, and if you change the order of the member interfaces, the MAC address of the redundant interface changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to a redundant interface using this field, it is used regardless of the member interface MAC addresses.

Standby MAC Address: You also can set a standby MAC address for use with device-level failover. If the active unit fails over and the standby unit becomes active, the new active unit begins using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

Roles: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, that is, ones that can apply to multiple interfaces. Default options include:
- All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
- Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
- External: Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects.

Add/Edit Interface Dialog Box (ASA 5505)

The Add/Edit Interface dialog box presented on an ASA 5505 lets you configure VLAN interfaces on the device. You can access the dialog box from the Interfaces tab on the ASA 5505 Ports and Interfaces Page.

Table 50-3 Add/Edit Interface Dialog Box (ASA 5505)

Enable Interface: Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy.

Management Only: Reserves this interface for device administration. Only traffic for management of this device is accepted; pass-through traffic for other interfaces and devices is rejected. You cannot set a primary or backup ISP interface to be management only.

Name: Sets an interface name up to 48 characters in length. The name should be a logical name for the interface that relates to its use. If you are using failover, do not name interfaces that you are reserving for failover communications. Supported interface names are:
- Inside: Connects to your internal network. Must be most secure interface.
- DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
- Outside: Connects to an external network or the Internet. Must be least secure interface.

IP Type: Specifies the address type for the interface; choose one of the following methods and provide related parameters:
- Static IP: Provide a static IP Address and Subnet Mask that represents the security device on this interface's connected network. If you omit the Subnet Mask value, a classful network is assumed.
- Use DHCP: Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available:
  - DHCP Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.
  - Obtain Default Route using DHCP: Select this option to obtain a default route from the DHCP server so that you do not need to configure a default static route. See also Configuring Static Routes.
  - Enable Tracking for DHCP Learned Route: If Obtain Default Route using DHCP is selected, you can select this option to enable route tracking via a specific Service Level Agreement (SLA) monitor. The following options become available:
    - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.)
- PPPoE (PIX and ASA 7.2+): Enables PPPoE for automatic assignment of an IP address from a PPPoE server on the connected network; not supported with failover.
  - VPDN Group Name (required): Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups for more information.
  - IP Address: If provided, this static IP address is used for connection and authentication, instead of a negotiated address.
  - Subnet Mask: The subnet mask to be used in conjunction with the provided IP Address.
  - PPPoE Learned Route Metric (required): Assign an administrative distance to the learned route. Valid values are 1 to 255. If this field is blank, the administrative distance for learned routes defaults to 1.
  - Obtain Default Route using PPPoE: Select this option to obtain a default route from the PPPoE server; sets the default routes when the PPPoE client has not yet established a connection. When using this option, you cannot have a statically defined route in the configuration.
  - Enable Tracking for PPPoE Learned Route: If Obtain Default Route using PPPoE is selected, you can select this option to enable route tracking for PPPoE-learned routes. The following options become available:
    - Dual ISP Interface: If you are defining interfaces for dual ISP support, choose Primary or Secondary to indicate which connection you are configuring.
    - Tracked SLA Monitor: Required if Enable Tracking for DHCP Learned Route is selected. Provide the name of the SLA Monitor object to be used for route tracking. You can use the Select button to select from a list of available SLA monitors. (Refer to Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7 for more information.)
Note: You can configure DHCP and PPPoE only on the outside interface of a security appliance.
Note: Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry.

MTU: Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are bytes. Default is 1500 for all types except PPPoE, for which the default is For multiple context mode, set the MTU in the context configuration.

VLAN ID: Sets the VLAN ID, between 1 and For multiple-context mode, you can only set the VLAN ID in the system configuration.

Security Level: Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between

Block Traffic To: Restricts this VLAN interface from initiating contact with the VLAN chosen here.

Backup Interface: Choose a backup ISP for this interface. The backup interface does not pass traffic unless the default route through the primary interface fails. To ensure that traffic can pass over the backup interface, be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails.

Active MAC Address: Use this field to manually assign a MAC address to the interface. MAC addresses are provided in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

Standby MAC Address: If you assign an Active MAC Address, you also can assign a Standby MAC Address.

Description: Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple-context mode, the system description is independent of the context description. For a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Roles: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, that is, ones that can apply to multiple interfaces. Default options include:
- All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
- Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
- External: Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects.
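
The field limits stated in Tables 50-2 and 50-3, expressed as a check you can run over planned interface definitions before entering them (an added example, not Cisco Security Manager code; the dictionary keys, function names and sample values are assumptions made for illustration):

```python
import ipaddress
import re

# Limits stated in Tables 50-2 and 50-3 of this page.
MAX_NAME_LEN = 48
MAX_DESCRIPTION_LEN = 240
SECURITY_LEVELS = range(0, 101)   # 0 (lowest) to 100 (highest)
ROUTE_METRICS = range(1, 256)     # DHCP/PPPoE learned route metric
REDUNDANT_IDS = range(1, 9)       # redundant interface IDs 1 to 8


def to_hhh(mac):
    """Convert e.g. 00-0C-F1-42-4C-DE to the H.H.H form 000C.F142.4CDE."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def prefix_length(mask):
    """Accept a mask in dotted decimal or as a bit count; return the bit count."""
    text = str(mask).strip()
    if text.isdigit():
        bits = int(text)
        if bits > 32:
            raise ValueError(f"mask has more than 32 bits: {mask!r}")
        return bits
    # IPv4Network rejects non-contiguous masks with a ValueError subclass.
    return ipaddress.IPv4Network(f"0.0.0.0/{text}").prefixlen


def port_type(hardware_port):
    """GigabitEthernet0/1 -> GigabitEthernet (leading letters of the port ID)."""
    return re.match(r"[A-Za-z]*", hardware_port).group(0)


def check_interface(iface):
    """Return the list of problems in one interface definition (a dict)."""
    problems = []
    if len(iface.get("name", "")) > MAX_NAME_LEN:
        problems.append("name is longer than 48 characters")
    desc = iface.get("description", "")
    if len(desc) > MAX_DESCRIPTION_LEN or "\n" in desc or "\r" in desc:
        problems.append("description must be one line of at most 240 characters")
    level = iface.get("security_level")
    if level is not None and level not in SECURITY_LEVELS:
        problems.append("security level must be between 0 and 100")
    if iface.get("ip_type") in ("dhcp", "pppoe"):
        # The metric defaults to 1 when the field is left blank.
        if iface.get("route_metric", 1) not in ROUTE_METRICS:
            problems.append("learned route metric must be between 1 and 255")
        if iface.get("track_route") and not iface.get("sla_monitor"):
            problems.append("route tracking requires a tracked SLA monitor")
    if iface.get("management_only") and iface.get("dual_isp") in ("primary", "secondary"):
        problems.append("a Primary or Secondary ISP interface cannot be management only")
    return problems


def check_redundant(redundant_id, primary, secondary):
    """Check a redundant pair against the member rules in Table 50-2."""
    problems = []
    if redundant_id not in REDUNDANT_IDS:
        problems.append("redundant ID must be an integer from 1 to 8")
    for role, member in (("primary", primary), ("secondary", secondary)):
        if not member.get("enabled"):
            problems.append(f"{role} member must be enabled")
        for field in ("name", "ip_address", "security_level"):
            if member.get(field) not in (None, ""):
                problems.append(f"{role} member must not have {field} set")
    if port_type(primary["hardware_port"]) != port_type(secondary["hardware_port"]):
        problems.append("member interfaces must be of the same type")
    return problems


if __name__ == "__main__":
    # Constructed sample definitions, not taken from any real device.
    outside = {"name": "outside", "security_level": 0, "ip_type": "dhcp",
               "track_route": True}
    pair = ({"hardware_port": "GigabitEthernet0/0", "enabled": True, "name": "inside"},
            {"hardware_port": "GigabitEthernet0/1", "enabled": True})
    print(to_hhh("00-0C-F1-42-4C-DE"), prefix_length("255.255.255.0"))
    print(check_interface(outside))
    print(check_redundant(1, *pair))
```
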
14 Interfaces Page: PIX and ASA Chapter 50 Add/Edit Interface Dialog Box (PIX 6.3) Table 50-4 Add/Edit Interface Dialog Box (PIX 6.3) Enable Interface Type Name Hardware Port IP Type Enables this interface to pass traffic. In addition to this setting, you must specify an IP address and a name before traffic can pass according to your security policy. You must enable a physical interface before any traffic can pass through any enabled subinterfaces. Type of VLAN interface. Valid values are: Logical VLAN is associated with a logical interface. Physical VLAN is on the same network as its underlying hardware interface. Sets an interface name up to 48 characters in length. The name should be a logical name of the interface that relates to its use. Supported interface names are: Inside Connects to your internal network. Must be most secure interface. DMZ Demilitarized zone (Intermediate interface). Also known as a perimeter network. Outside Connects to an external network or the Internet. Must be least secure interface. When defining a physical network interface, this value represents the name identifies the interface type and its slot or port in the device. When you add a logical network interface, you can choose any enabled physical interface to which you want to add a logical interface. If you do not see the desired hardware port, verify that the interface is enabled. Valid values are: ethernet0 to ethernetn. gb-ethernetn. where n represents the number of network interfaces in the device. Specifies the address type for the interface. Static IP Assigns a static IP address and mask to the interface. Use DHCP Assigns a dynamic IP address and mask to the interface. Use PPPoE Provides an authenticated method of assigning an IP address to the interface. Note You can configure DHCP and PPPoE only on the outside interface of a firewall device
15 Chapter 50 Interfaces Page: PIX and ASA Table 50-4 IP Address Add/Edit Interface Dialog Box (PIX 6.3) (Continued) Identifies the IP address of the interface. This field is available if Static IP or PPPoE is the IP type. IP address must be unique for each interface. The IP address is blank for interfaces that use dynamic addressing. Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry. Subnet Mask Obtain Default Route using DHCP Retry Count Obtain default route using PPPoE For a static IP address, select Static IP from the IP Type list and then enter the IP address and mask in the IP Address field. To obtain the IP address from a DHCP server, select Use DHCP from the IP Type list. Identifies the network mask for IP address of the interface. You can express the value in dotted decimal format (for example, ) or by entering the number of bits in the network mask (for example, 24). Note Do not use or for an interface connected to the network because those mask values stop traffic on that interface. Available only if Use DHCP is selected for IP Type. If selected, the firewall device sets the default route using the default gateway parameter the DHCP server returns. Otherwise, you must manually define the default route as a static route on the Configuring Static Routes, page Identifies the number of tries before an error is returned. Valid values are 4 through 16. Available only if Use PPPoE is selected for IP Type. If selected, the PPPoE client on the firewall device queries the concentrator for a default route. Otherwise, the firewall device generates a default route using the address of the concentrator as the default gateway
Speed and Duplex: Lists the speed options for a physical interface; not applicable to logical interfaces.
- auto: Set Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed sensing network interface card.
- 10baset: 10-Mbps Ethernet half-duplex.
- 10full: 10-Mbps Ethernet full-duplex.
- 100basetx: 100-Mbps Ethernet half-duplex.
- 100full: 100-Mbps Ethernet full-duplex.
- 1000auto: 1000-Mbps Ethernet to auto-negotiate full- or half-duplex.
  Tip: We recommend that you do not use this option to maintain compatibility with switches and other devices in your network.
- 1000full: Auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.
- 1000full nonnegotiate: 1000-Mbps Ethernet full-duplex.
- aui: 10-Mbps Ethernet half-duplex communication with an AUI cable interface.
- bnc: 10-Mbps Ethernet half-duplex communication with a BNC cable interface.
Note: We recommend that you specify the speed of the network interfaces in case your network environment includes switches or other devices that do not handle autosensing correctly.

MTU: Sets the number of bytes in the maximum transmission unit (MTU). The value depends on the type of network connected to the interface. Valid values are bytes. Default is 1500 for all types except PPPoE, for which the default is

Physical VLAN ID: For a physical interface, sets the VLAN ID, between 1 and This VLAN ID must not be in use on connected devices.

Logical VLAN ID: Identifies the alias, a value between 1 and 4094, of the VLAN associated with this logical interface. This value is required if the logical interface type is selected.
Security Level: Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between 1 and 99.

Roles: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. Default options include:
- All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
- Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
- External: Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page

Advanced Interface Settings Dialog Box

You can access the Advanced Interface Settings dialog box from the Interfaces page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more information about these pages, see Interfaces Page: PIX and ASA, page 50-2 or ASA 5505 Ports and Interfaces Page, page

Configuring Firewall Device Interfaces, page 39-2
Interfaces Page: PIX and ASA, page 50-2
Interfaces Page: FWSM, page
ASA 5505 Ports and Interfaces Page, page
Add/Edit Interface Dialog Box, page 50-4
FWSM Add/Edit Interface Dialog Box, page
Add VPND Group Dialog Box, page
PPPoE Users Dialog Box, page
Table 50-5 Advanced Interface Settings Dialog Box

Traffic between interfaces with same security levels: Controls communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
- Disabled: Does not allow communication between interfaces on the same security level.
- Inter-interface: Enables traffic flows between interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between interfaces in the firewall device.
- Intra-interface: Enables traffic flows between sub-interfaces with the same security level setting. When this option is enabled, you are not required to define translation rules to enable traffic flow between sub-interfaces assigned to an interface.
- Both: Allows both intra- and inter-interface communications among interfaces and sub-interfaces with the same security level.

PPPoE Users button: Click to access the PPPoE Users dialog box.

VPDN Groups (PIX and ASA 7.2+)

Group Name: Displays the group name.

PPPoE Username: Displays the PPPoE username.

PPP Authentication: Indicates the PPP Authentication method for this VPDN group:
- PAP
- CHAP
- MSCHAP

Add VPND Group Dialog Box

You can access the Add VPND Group dialog box from the Advanced Interface Settings dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page

Configuring Firewall Device Interfaces, page 39-2
Interfaces Page: PIX and ASA, page 50-2
Interfaces Page: FWSM, page
ASA 5505 Ports and Interfaces Page, page
Add/Edit Interface Dialog Box, page 50-4
FWSM Add/Edit Interface Dialog Box, page
Advanced Interface Settings Dialog Box, page
PPPoE Users Dialog Box, page
Table 50-6 Add VPND Group Dialog Box

Group Name: Enter the group name.

PPPoE Username: Select the PPPoE username.

PPP Authentication: Select the PPP Authentication method:
- PAP
- CHAP
- MSCHAP

PPPoE Users Dialog Box

You can access the PPPoE Users dialog box from the Advanced Interface Settings dialog box and from the Add VPND Group dialog box. For more information about the Advanced Interface Settings dialog box, see Advanced Interface Settings Dialog Box, page For more information about the Add VPND Group dialog box, see Add VPND Group Dialog Box, page

Configuring Firewall Device Interfaces, page 39-2
Interfaces Page: PIX and ASA, page 50-2
Interfaces Page: FWSM, page
ASA 5505 Ports and Interfaces Page, page
Add/Edit Interface Dialog Box, page 50-4
FWSM Add/Edit Interface Dialog Box, page
Advanced Interface Settings Dialog Box, page
Add VPND Group Dialog Box, page
Add and Edit PPPoE User Dialog Boxes, page

Table 50-7 PPPoE Users Dialog Box

PPPoE Users (PIX and ASA 7.2+)

Username: Displays the PPPoE username.

Store in Local Flash: Indicates whether this PPPoE user account is to be stored in local flash (True or False).
Add and Edit PPPoE User Dialog Boxes

You can access the Add PPPoE User and Edit PPPoE User dialog boxes from the PPPoE Users dialog box. For more information about the PPPoE Users dialog box, see PPPoE Users Dialog Box, page

Note: The Add PPPoE User and Edit PPPoE User dialog boxes are virtually identical. The following descriptions apply to both.

Configuring Firewall Device Interfaces, page 39-2
Interfaces Page: PIX and ASA, page 50-2
Interfaces Page: FWSM, page
ASA 5505 Ports and Interfaces Page, page
Add/Edit Interface Dialog Box, page 50-4
FWSM Add/Edit Interface Dialog Box, page
Advanced Interface Settings Dialog Box, page
Add VPND Group Dialog Box, page
PPPoE Users Dialog Box, page

Table 50-8 Add and Edit PPPoE User Dialog Boxes

Username: Provide a name for the PPPoE user.

Password: Enter a password for this user.

Confirm: Re-enter the password.

Store Username and Password in Local Flash: Select this option to store the PPPoE user information in flash memory.

Interfaces Page: FWSM

The FWSM Interfaces page displays the virtual interfaces (VLANs) configured on the selected Firewall Services Module. You can add or delete logical VLAN interfaces, and also enable communication between interfaces on the same security level. Inactive interfaces can be disabled. When disabled, the interface does not transmit or receive packets, but the configuration information is retained.

Note: You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

If you bootstrapped a new firewall device, the setup feature configures only the addresses and names associated with the inside interface. You must define the remaining interfaces on that device before you can specify access and translation rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the device version, the operational mode (routed vs. transparent), and whether the device hosts a single or multiple contexts. Thus, some fields in the following table might not apply, depending on the device you are defining.

To access this page, select an FWSM in Device View and then select Interfaces from the Device Policy selector.

Configuring Firewall Device Interfaces, page 39-2
FWSM Add/Edit Interface Dialog Box, page
Add/Edit Bridge Group Dialog Box, page
Advanced Interface Settings Dialog Box, page

Table 50-9 FWSM Interfaces Page

Interfaces Tab

Name: The name assigned to the interface.

IP Address: The IP address and subnet mask assigned to the interface.

Interface Role: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. Valid options include:
- All-Interfaces: The interface is a member of the default role assigned to all interfaces.
- Internal: This interface is a member of the default role associated with all inside interfaces.
- External: This interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page

VLAN ID: The VLAN to which this logical interface is assigned.

Bridge Group: The bridge group to which this interface is assigned (transparent mode only).

Enabled: Indicates if the interface is enabled: true or false. When disabled, the interface does not transmit or receive packets, but its configuration information is retained.

Security Level: Displays the interface security level; a value between 0 and 100.

Management Only: Indicates if this interface allows traffic to the security appliance for management purposes only.
Description: A description of the interface, if provided. In the case of a failover or state link, the description is fixed as LAN Failover Interface, STATE Failover Interface, or LAN/STATE Failover Interface, for example. You cannot edit this description.

ASR Group: Displays the ASR group number if this interface is part of an asymmetric routing group. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Bridge Groups Tab (transparent mode only)

Bridge Group: The name of the bridge group.

ID: The identifier assigned to this bridge group.

Interface A: The first VLAN assigned to this bridge group.

Interface B: The second VLAN assigned to this bridge group.

IP: The management IP address assigned to the bridge group. The only IP configuration required for the security appliance is to set the management IP address for each bridge group. The security appliance uses this address as the source address for traffic originating on the appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access. A transparent firewall does not participate in IP routing.

Netmask: Displays the netmask for the management IP address.

Description: The description of this bridge group, if one was provided.

FWSM Add/Edit Interface Dialog Box

Use the Add/Edit Interface dialog box to add or edit a virtual interface. In multiple context mode, you can only add interfaces in the system configuration. See Chapter 49, Configuring Security Contexts on Firewall Devices, to assign interfaces to contexts.

If you intend to use a physical interface for failover, do not configure the interface in this dialog box; instead, use the Failover page. In particular, do not set the interface name, as this parameter disqualifies the interface from being used as the failover link; other parameters are ignored. After you assign the interface as the failover link or state link, you cannot edit or delete the interface from the Interfaces page. The only exception is if you set a physical interface to be the state link, then you can configure the speed and duplex.

The options appearing in the Add/Edit Interface dialog box vary based on the selected device version, and its mode (routed or transparent).

You can access the FWSM Add/Edit Interface dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page
Configuring Firewall Device Interfaces, page 39-2
Interfaces Page: FWSM, page
Add/Edit Bridge Group Dialog Box, page
Advanced Interface Settings Dialog Box, page

Table FWSM Add/Edit Interface Dialog Box

Enable Interface: Enables this logical interface on the device. When disabled, the interface does not transmit or receive packets, but its configuration information is retained.
Note: You can add any logical VLAN interface to the FWSM, but only VLANs that are assigned to the FWSM by its parent switch or router can pass traffic.

Management Only: Sets the interface to accept traffic to the security appliance only, and not through traffic.

Name: You can assign an alphanumeric alias of up to 48 characters to the VLAN for ease of identification. However, note that Security Manager does not support named interfaces for FWSMs operating in multiple-context mode. Special interface names are:
- Inside: Connects to your internal network. Must be most secure interface.
- DMZ: Demilitarized zone attached to an intermediate interface. DMZ is also known as a perimeter network. You can name a DMZ interface any name you choose. Typically, DMZ interfaces are prefixed with DMZ to identify the interface type.
- Outside: Connects to an external network or the Internet. Must be least secure interface.
Note: You cannot name more than two interfaces on an FWSM operating in transparent mode.

IP Address: The IP address for the interface.

VLAN ID: Enter the desired VLAN ID between 1 and Some VLAN IDs might be reserved on connected switches, so see the switch documentation for more information. For multiple-context mode, you can only set the VLAN in the system configuration.

Security Level: Sets the security level of the interface. Values are between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between

Description: If desired, you can enter a description of the logical interface.
Roles: Lists the interface roles associated with the interface. Interface roles are objects that are replaced with the actual interface IP addresses when the configuration is generated for each device. They allow you to define generic rules, ones that can apply to multiple interfaces. Default options include:
- All-Interfaces: Indicates the interface is a member of the default role assigned to all interfaces.
- Internal: Indicates this interface is a member of the default role associated with all inside interfaces.
- External: Indicates this interface is a member of the default role associated with all outside interfaces.
For more information on roles and how to define and use them, see Understanding Interface Role Objects, page

ASR Group: To add this interface to an asymmetric routing group, enter the ASR group number in this field. Stateful failover must be enabled for asymmetric routing support to function properly between units in failover configurations. Valid values for ASR group range from 1 to 32.

Add/Edit Bridge Group Dialog Box

Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an FWSM operating in transparent mode.

A transparent firewall connects the same network on its inside and outside interfaces. Each pair of interfaces belongs to a bridge group, to which you must assign a management IP address. You can configure up to eight bridge groups of two interfaces each. Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the security appliance, and traffic must exit the security appliance before it is routed by an external router back to another bridge group in the security appliance.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.

You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces page. For more information about the Interfaces page, see Interfaces Page: FWSM, page

Interfaces in Routed and Transparent Modes, page 39-4
Bridging Support for FWSM 3.1, page
Configuring Firewall Device Interfaces, page
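The limits this chapter states for interface names, security levels, VLAN IDs, DHCP retries, ASR groups and bridge groups can be checked against a planned layout before it is deployed. The Python below is an added example, not Security Manager code; the Interface and BridgeGroup classes, the function names and the sample addresses are assumptions made for illustration, and default_flows models only the same-security behaviour described for Table 50-5.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

# Limits quoted from the tables in this chapter.
NAME_MAX = 48                    # interface name length
VLAN_IDS = range(1, 4095)        # logical VLAN ID, 1 to 4094
DHCP_RETRIES = range(4, 17)      # DHCP retry count, 4 through 16
ASR_GROUPS = range(1, 33)        # ASR group, 1 to 32
MAX_BRIDGE_GROUPS = 8            # FWSM transparent mode
SAME_SECURITY_MODES = {"disabled", "inter-interface", "intra-interface", "both"}


@dataclass
class Interface:                 # hypothetical model, not a Security Manager object
    name: str
    security_level: int
    ip_type: str = "static"      # "static", "dhcp" or "pppoe"
    ip_address: Optional[str] = None
    vlan_id: Optional[int] = None
    dhcp_retry: Optional[int] = None
    asr_group: Optional[int] = None


@dataclass
class BridgeGroup:               # hypothetical model
    name: str
    interfaces: tuple
    management_ip: Optional[str] = None


def lint_interfaces(interfaces):
    """Return findings for values outside the limits the chapter documents."""
    findings, seen_ips = [], {}
    for i in interfaces:
        role, lvl = i.name.lower(), i.security_level
        if not 1 <= len(i.name) <= NAME_MAX:
            findings.append(f"{i.name!r}: name must be 1-{NAME_MAX} characters")
        if not 0 <= lvl <= 100:
            findings.append(f"{i.name}: security level {lvl} is outside 0-100")
        elif role == "outside" and lvl != 0:
            findings.append(f"{i.name}: outside interface must be level 0")
        elif role == "inside" and lvl != 100:
            findings.append(f"{i.name}: inside interface must be level 100")
        elif role.startswith("dmz") and not 1 <= lvl <= 99:
            findings.append(f"{i.name}: DMZ level {lvl} is outside 1-99")
        # PIX 6.3 note: DHCP and PPPoE only on the outside interface.
        if i.ip_type in ("dhcp", "pppoe") and role != "outside":
            findings.append(f"{i.name}: {i.ip_type} is only allowed on outside")
        if i.dhcp_retry is not None and i.dhcp_retry not in DHCP_RETRIES:
            findings.append(f"{i.name}: DHCP retry count {i.dhcp_retry} is outside 4-16")
        if i.vlan_id is not None and i.vlan_id not in VLAN_IDS:
            findings.append(f"{i.name}: VLAN ID {i.vlan_id} is outside 1-4094")
        if i.asr_group is not None and i.asr_group not in ASR_GROUPS:
            findings.append(f"{i.name}: ASR group {i.asr_group} is outside 1-32")
        if i.ip_address:
            if i.ip_address in seen_ips:
                findings.append(
                    f"{i.name}: IP {i.ip_address} already used by {seen_ips[i.ip_address]}")
            else:
                seen_ips[i.ip_address] = i.name
    return findings


def default_flows(interfaces, same_security="disabled"):
    """(source, destination) pairs that pass by default: higher level to lower
    level always; equal levels only with inter-interface or both. Sub-interface
    (intra-interface) traffic is not modelled here."""
    if same_security not in SAME_SECURITY_MODES:
        raise ValueError(f"unknown same-security mode: {same_security}")
    equal_ok = same_security in ("inter-interface", "both")
    return [(s.name, d.name) for s, d in permutations(interfaces, 2)
            if s.security_level > d.security_level
            or (equal_ok and s.security_level == d.security_level)]


def lint_bridge_groups(groups):
    """Up to eight bridge groups, two interfaces each, management IP required."""
    findings = []
    if len(groups) > MAX_BRIDGE_GROUPS:
        findings.append(f"{len(groups)} bridge groups exceeds {MAX_BRIDGE_GROUPS}")
    for g in groups:
        if len(g.interfaces) != 2:
            findings.append(f"{g.name}: needs exactly two interfaces")
        if not g.management_ip:
            findings.append(f"{g.name}: management IP address is missing")
    return findings


# Constructed sample data; names and addresses are illustrative only.
SAMPLE_INTERFACES = [
    Interface("outside", 0, ip_type="dhcp", dhcp_retry=4),
    Interface("inside", 100, ip_address="10.0.0.1", vlan_id=10),
    Interface("dmz-web", 50, ip_address="10.0.1.1", vlan_id=20),
    Interface("dmz-mail", 50, ip_address="10.0.1.1", vlan_id=4095),
    Interface("dmz-lab", 100, ip_type="pppoe", dhcp_retry=2),
]
SAMPLE_BRIDGE_GROUPS = [
    BridgeGroup("bg1", ("vlan10", "vlan20"), "192.0.2.10"),
    BridgeGroup("bg2", ("vlan30",)),
]

if __name__ == "__main__":
    for line in lint_interfaces(SAMPLE_INTERFACES) + lint_bridge_groups(SAMPLE_BRIDGE_GROUPS):
        print(line)
    print(default_flows(SAMPLE_INTERFACES[:4], "inter-interface"))
```

Comparing default_flows output for "disabled" and "inter-interface" shows which same-level DMZ pairs start passing traffic when the same-security setting is changed.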
More informationDSL/CABLE ROUTER with PRINT SERVER
USER S MANUAL DSL/CABLE ROUTER with PRINT SERVER MODEL No:SP888BP http://www.micronet.info 1 Content Table CHAPTER 0:INTRODUCTION... 4 FEATURES... 4 MINIMUM REQUIREMENTS... 4 PACKAGE CONTENT... 4 GET TO
More informationL2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application
Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features
More informationTransparent or Routed Firewall Mode
This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. You can set the firewall mode independently for each context in multiple
More informationConfiguring VLANs. Understanding VLANs CHAPTER
CHAPTER 9 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094). It includes information about VLAN membership modes, VLAN configuration
More informationConfiguring Private VLANs
CHAPTER 15 This chapter describes how to configure private VLANs on the Cisco 7600 series routers. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco
More informationPeplink SD Switch User Manual. Published on October 25th, 2018
Peplink SD Switch User Manual Published on October 25th, 2018 1 Table of Contents Switch Layout 4 Specifications 5 Hardware Overview 6 Quick Start Functions 7 Reset Switch 7 Connect Ethernet 7 Connect
More informationMulti-Function Wireless A/P Router User s Guide
Multi-Function Wireless A/P Router User s Guide Model CNWR-811P Wireless Access Point Router W / Printer Sharing TABLE OF CONTENTS CHAPTER 1 INTRODUCTION...1 CNWR-811P Features...1 Package Contents...3
More informationConfiguring Interfaces
Network Configuring Interfaces Configuring PortShield Interfaces Configuring Wire Mode VLAN Translation Setting Up Failover and Load Balancing Configuring Network Zones Configuring DNS Settings Configuring
More informationCisco CP Express Wizard
CHAPTER1 These help topics introduce Cisco Configuration Professional Express (Cisco CP Express) wizard, describe the configurations you can perform with it, and explain the information required in each
More informationRX3041. User's Manual
RX3041 User's Manual Table of Contents 1 Introduction... 2 1.1 Features and Benefits... 3 1.2 Package Contents... 3 1.3 Finding Your Way Around... 4 1.4 System Requirements... 6 1.5 Installation Instruction...
More informationConfiguring VLANs. Understanding VLANs CHAPTER
CHAPTER 10 This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership
More informationCisco IOS Commands. abort CHAPTER
CHAPTER 2 abort Use the abort VLAN database command to abandon the proposed new VLAN database, exit VLAN database mode, and return to privileged EXEC mode. abort This command has no arguments or keywords.
More informationASA/PIX Security Appliance
I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail
More informationConfiguring Private VLANs
36 CHAPTER This chapter describes private VLANs (PVLANs) on Catalyst 4500 series switches. It also provides restrictions, procedures, and configuration examples. This chapter includes the following major
More information07/ CONFIGURING SECURITY SETTINGS
SECURITY LOG Malformed packet: Failed parsing a packed has been blocked because it is malformed. Maximum security enabled service a packet has been accepted because it belongs to a permitted service in
More informationUser module. Guest Configuration APPLICATION NOTE
User module Guest Configuration APPLICATION NOTE USED SYMBOLS Used symbols Danger important notice, which may have an influence on the user s safety or the function of the device. Attention notice on possible
More informationOV504R6. Quick Start Guide
OV504R6 Quick Start Guide 1 Overview The router is a highly ADSL2/2+ Integrated Access Device and can support ADSL link with downstream up to 24 Mbps and upstream up to 1 Mbps. It is designed to provide
More informationIntroduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Note... 3 Get to know the Broadband Router... 4 Back Panel...
Introduction... 3 Features... 3 Minimum Requirements... 3 Package Content... 3 Note... 3 Get to know the Broadband Router... 4 Back Panel... 4 Front Panel... 5 Setup Diagram... 6 Getting started... 7 Chapter
More informationManaging Firewall Services
CHAPTER 11 Firewall Services manages firewall-related policies in Security Manager that apply to the Adaptive Security Appliance (ASA), PIX Firewall (PIX), Catalyst Firewall Services Module (FWSM), and
More informationStateful Failover Technology White Paper
Stateful Failover Technology White Paper Keywords: Stateful failover, master/backup mode, load balancing mode, data synchronization, link switching Abstract: A firewall device is usually the access point
More informationSample Configurations
APPENDIXB This appendix illustrates and describes a number of common ways to implement the security appliance, and includes the following topics: Example 1: Multiple Mode Firewall With Outside Access,
More informationConfiguring VLANs. Finding Feature Information. Prerequisites for VLANs
Finding Feature Information, page 1 Prerequisites for VLANs, page 1 Restrictions for VLANs, page 2 Information About VLANs, page 2 How to Configure VLANs, page 7 Monitoring VLANs, page 19 Where to Go Next,
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco
More informationTestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified
TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE Modified 2017-07-10 TestOut Routing and Switching Pro Outline- English 6.0.x Videos: 133 (15:42:34) Demonstrations: 78 (7:22:19) Simulations:
More informationConfiguring Gigabit Ethernet Interfaces
This chapter explains how to configure the Gigabit Ethernet (GE) interface on the Cisco ASR 901 router. Configuring the Interface, page 1 Setting the Speed and Duplex Mode, page 2 Enabling the Interface,
More informationChapter 3 LAN Configuration
Chapter 3 LAN Configuration This chapter describes how to configure LAN Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50. These features can be found under the Network
More informationTroubleshooting DHCP server configuration 28
Contents DHCP overview 1 Introduction to DHCP 1 DHCP address allocation 1 Allocation mechanisms 1 Dynamic IP address allocation process 2 IP address lease extension 2 DHCP message format 3 DHCP options
More informationDHCP and DDNS Services for Threat Defense
The following topics explain DHCP and DDNS services and how to configure them on Threat Defense devices. About DHCP and DDNS Services, on page 1 Guidelines for DHCP and DDNS Services, on page 3 Configure
More informationMPLS VPN Half-Duplex VRF
The feature provides scalable hub-and-spoke connectivity for subscribers of an Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service. This feature addresses the limitations of hub-and-spoke
More informationCarrier Grade Network Address Translation
(CGN) is a large-scale NAT that translates private IPv4 addresses into public IPv4 addresses. CGN employs Network Address and Port Translation methods to aggregate multiple private IPv4 addresses into
More informationvsphere Networking Update 1 ESXi 5.1 vcenter Server 5.1 vsphere 5.1 EN
Update 1 ESXi 5.1 vcenter Server 5.1 vsphere 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check
More informationexam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)
100-105.exam Number: 100-105 Passing Score: 800 Time Limit: 120 min CISCO 100-105 Interconnecting Cisco Networking Devices Part 1 (ICND) Exam A QUESTION 1 Which route source code represents the routing
More informationConfiguring Port Channels
CHAPTER 5 This chapter describes how to configure port channels and to apply and configure the Link Aggregation Control Protocol (LACP) for more efficient use of port channels in Cisco DCNM. For more information
More informationChapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM
Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights
More informationConfiguring Web-Based Authentication
This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure
More informationPPPoE on ATM. Finding Feature Information. Prerequisites for PPPoE on ATM. Restrictions for PPPoE on ATM
This feature module describes the PPP over Ethernet (PPPoE) on ATM feature. The feature provides the ability to connect a network of hosts over a simple bridging-access device to a remote access concentrator.
More informationNetworking for Data Acquisition Systems. Fabrice Le Goff - 14/02/ ISOTDAQ
Networking for Data Acquisition Systems Fabrice Le Goff - 14/02/2018 - ISOTDAQ Outline Generalities The OSI Model Ethernet and Local Area Networks IP and Routing TCP, UDP and Transport Efficiency Networking
More informationContent 1 OVERVIEW HARDWARE DESCRIPTION HARDWARE INSTALLATION PC CONFIGURATION GUIDE... 5 WEB-BASED MANAGEMENT GUIDE...
Content 1 OVERVIEW...1 1.1FEATURES...1 1.2 PACKETCONTENTS...3 1.3 SYSTEM REQUIREMENTS... 1.4 FACTORY DEFAULTS...4 1.5 WARNINGS AND CAUTIONS...4 2 HARDWARE DESCRIPTION... 6 3 HARDWARE INSTALLATION...8 4
More information