Defining IPsec Networks and Customers


Chapter 4
Defining the IPsec Network Elements

In this product, a VPN network is a unique group of targets; a target can be a member of only one network. Thus, a VPN network allows a provider to partition the working space into manageable segments that are unique and do not overlap other networks.

A configlet is a partial IOS configuration file that contains a set of Cisco IOS commands created by the VPN Solutions Center provisioning process. The IOS commands in the configlet consist only of the commands necessary for modifying the router's current configuration to enable service request deployment. VPN Solutions Center downloads the configlet to the router, executing the commands in the configlet to change the router's configuration. VPN Solutions Center then collects the updated version of the configuration file from the router; it is this version of the configuration file that VPNSC uses to audit service request deployment. A configlet is also referred to as a VPNSC configlet.

In the set-up phase of VPN Solutions Center provisioning, you complete the following tasks:

- Defining Target Routers
- Defining a New IPsec VPN Customer
- Defining Devices as Managed or Unmanaged
- Creating Customer-Specific Policies
- Defining Terminal Servers in VPN Solutions Center Software

Defining Target Routers

Every device that the VPN Solutions Center software manages must be defined as a target. A target is any device from which the VPN Solutions Center software can collect information (a router or Netflow Collector). In most cases, these targets are Cisco routers that function as an edge router in the IPsec VPN.

Tips: When you define target names in the VPN Solutions Center software, the target names you specify must match the actual IOS host names of the corresponding devices.

Note: The Simple Network Management Protocol (SNMP) must be configured on each edge router in the service provider network. To determine whether SNMP is enabled and set the SNMP community strings on a router, see the "Setting Up SNMPv1 and SNMPv2 on the Routers in the Service Provider Network" section on page

There are two methods for defining targets and organizing them into the appropriate networks (or target groups):

- Importing the pertinent router configuration files. VPN Solutions Center automatically populates the interface information into the Repository for each imported target, using the interface specifications in the configuration files.
- Defining individual targets manually. You can define targets manually when you want to create, edit, or delete targets in a network. When you define targets manually, VPN Solutions Center does not automatically populate the interface information into the Repository. For details, see the "Adding a New Router to the Network" section on page

Defining Targets by Importing Router Configuration Files

Importing your router configuration files into the VPN Solutions Center software is a quick way to define the MPLS VPN networks and the targets in them. This method lets you specify a directory of router configuration files and the network for these routers. VPN Solutions Center creates the network and the targets (routers) in the network based on the imported configuration files.

When employing this method, note that not all the necessary information is present after you import the files. You must then proceed to define the additional target information, such as the IP addresses, passwords, and so forth.

When you import router configuration files in VPN Solutions Center, this task does not create new target entries in the Repository; it only adds new datasets for existing targets.

To import router configuration files, follow these steps:

Step 1 Create a directory of configuration files for a given set of devices and copy the appropriate configuration files into the directory. Device names within each directory must be unique. A typical set includes edge routers in the customer's network.

Step 2 From the VPN Console menu, choose Setup > Create Targets From Router Configurations. An informational window displays the following information:

This will create targets based on the router configuration files in a specified directory. A network will be created for the new targets.

You will be asked to enter the following information:

- Directory containing the router configuration files. The default convention for naming configuration files is device_name.domain_name.com. But adherence to this nomenclature is not required.
- Network name for the new targets.
- Domain name for the targets (optional). Specifying the domain name is necessary only if a fully domain-qualified hostname is needed to resolve the IP address of the target (router).

Step 3 Click OK. The Create Targets From Router Configurations dialog box appears (see Figure 4-1).

Figure 4-1 Creating Targets From Router Configuration Files

Step 4 Enter the directory path, network name, and (optionally) the domain name.

a. The directory path is the path to the router configuration files. To browse for the directory path, click Select and choose the appropriate directory.

Figure 4-2 Browsing for the Configuration File Directory

b. The Network Name field includes a drop-down list that provides all the currently defined networks. To select the network name from the list, click the Down Arrow icon, then select the appropriate network name. The network name should reflect the customer's name.

c. The domain name indicates the service provider's domain.

Caution: It is important to understand that when you specify both the domain name of a device and the IP address of a device, the IP address overrides the specified domain name.

Step 5 When you have entered the fields to your satisfaction, click OK. You receive the following message:

You're about to import router configurations into an existing network. The effect will be additive. Do you want to continue?

Step 6 Click Yes. The VPN Solutions Center software imports the router configuration files from the indicated directory. For every valid configuration file, the VPN Solutions Center software creates a target, and defines the target's role as Cisco router.

A valid configuration file is one in which the hostname statement is present in the file. If a configuration file does not contain the hostname statement, VPN Solutions Center software regards the file as invalid and does not import the configuration file into the Repository.

Under the Networks folder in the hierarchy pane, the software adds the specified network name.

Step 7 To display the window that lists the targets in a network, double-click the network name in the hierarchy pane. The software displays the Network window, as shown in Figure 4-3.

Figure 4-3 VPN Console Network Window

The targets (routers) that you imported are displayed in the Network window.

Automatic Removal of Configuration Files Not Generated by VPN Solutions Center

Having pre-existing configuration files that were not generated by the VPN Solutions Center software could lead to problems in provisioning the IPsec VPNs. As part of the provisioning process, VPN Solutions Center automatically removes the pre-existing, manually created IPsec configuration files and replaces these files with those generated by the VPN Solutions Center software. This feature is set in the csm.properties file with the following property:

    netsys.provisioning.nonvpnipsecoverride = true

The default setting for this property is true, which enables the automatic removal of configuration files that were not generated by the VPN Solutions Center software.
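The import rules described above (a file is imported only if it contains a hostname statement, device names within a directory must be unique, and target names must match the IOS host names) can be checked before the import is run. The following Python pre-check is an added example, not part of VPN Solutions Center; the function names, report keys and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# "hostname <name>" at the start of a line is what makes a file importable.
HOSTNAME_RE = re.compile(r"^hostname[ \t]+(\S+)[ \t\r]*$", re.MULTILINE)
# Any global snmp-server statement is treated here as "SNMP is configured".
SNMP_RE = re.compile(r"^snmp-server[ \t]+\S+", re.MULTILINE)


def precheck_directory(directory):
    """Predict how an import of `directory` would treat each file.

    Report keys (names chosen for this example):
      importable    - {filename: hostname} for files with a hostname statement
      invalid       - files without one (the import skips these)
      duplicates    - {hostname: [filenames]} where a device name is not unique
      name_mismatch - files whose first name label differs from the hostname
                      (advisory only: the naming convention is not mandatory)
      no_snmp       - importable files with no snmp-server statement
    """
    report = {"importable": {}, "invalid": [], "duplicates": {},
              "name_mismatch": [], "no_snmp": []}
    files_by_host = defaultdict(list)
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        match = HOSTNAME_RE.search(text)
        if match is None:
            report["invalid"].append(path.name)
            continue
        host = match.group(1)
        report["importable"][path.name] = host
        files_by_host[host].append(path.name)
        # device_name.domain_name.com -> compare only the device_name label
        if path.name.split(".", 1)[0] != host:
            report["name_mismatch"].append(path.name)
        if SNMP_RE.search(text) is None:
            report["no_snmp"].append(path.name)
    report["duplicates"] = {h: f for h, f in files_by_host.items() if len(f) > 1}
    return report


def build_sample_dir():
    """Write constructed sample files (not real device configurations)."""
    samples = {
        "pe1.acme.com": "version 12.2\nhostname pe1\n"
                        "snmp-server community EXAMPLE-RO RO\n",
        "pe2.acme.com": "version 12.2\nhostname pe2\ninterface Loopback0\n",
        "backup-pe1.acme.com": "hostname pe1\n"
                               "snmp-server community EXAMPLE-RO RO\n",
        "notes.txt": "! change log, no hostname statement\n",
    }
    root = Path(tempfile.mkdtemp(prefix="vpnsc-precheck-"))
    for name, body in samples.items():
        (root / name).write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for key, value in precheck_directory(build_sample_dir()).items():
        print(f"{key}: {value}")
```
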

Finding a Specific Network

To find a specific network, follow these steps:

Step 1 From the VPN Console window, choose Find > Find Network. The Find dialog box appears with the category Network already selected (see Figure 4-4).

Figure 4-4 Find Network Dialog Box

Step 2 In the Find What field, enter the name of the network you want to find.

Step 3 If you want the search to match the case of the network name you enter, check the Match Case check box.

Step 4 Choose the direction of the search by clicking the Up or Down radio button.

Step 5 When you have completed the search parameters, click Find Next. The VPNSC software locates the indicated network and highlights it in the hierarchy pane, as shown in Figure 4-5.

Figure 4-5 Network Found in VPNSC Hierarchy Pane

Step 6 Close the Find window.

Setting the Passwords for Multiple Edge Device Routers

Now that you have imported the router configuration files and assigned them to a VPN network (acme_net in our example), you have completed the initial phase required to define the targets. Now you must enter the rest of the information the product software requires to implement the targets.

The first task is to set the passwords for the edge device routers in the customer network. The values and parameters you set here must be identical to the values and parameters set on the corresponding edge device routers.

Step 1 From the hierarchy pane, click the open-close icon for the Networks folder.

Step 2 Double-click the desired network from the list of networks. As shown in Figure 4-3 on page 4-4, the Network window appears in the data pane on the right, displaying the name of each router in the selected network, along with its domain name and role (in this case, Cisco Router).

At this point, you have the option to enter information for a single target (router) or multiple targets. If the targets share some characteristics, such as the same login or enable passwords, you can define those parameters once for multiple routers, then return to the Network window to edit individual targets for those parameters that are unique for each router. This is the procedure described in the following steps.

Step 3 Select the edge device routers from the list for which you want to define the common parameters. To select multiple targets from the list, hold down the Ctrl key while you click the desired targets.

Step 4 From the Network window, choose Actions > Edit Multiple > Edit Existing Passwords. The Edit Multiple Targets dialog box appears, with the Passwords dialog box displayed (see Figure 4-6). From this dialog box, you can also set the Retries and Timeout parameters for SNMP and Telnet.

Figure 4-6 Setting Passwords for Multiple Edge Device Routers

Step 5 For each field you want to set, check the checkbox next to the field name, as shown in Figure 4-6.

Step 6 Enter the Login Username and passwords for the selected edge device routers in the appropriate fields.

Step 7 If desired, you can set the Retries and Timeout parameters for SNMP and Telnet.

Step 8 When the information is complete, click OK.

Specifying the Transport Method for Each Edge Device Router

After setting the passwords for the edge device routers in the customer network, specify the configuration file transport method for each edge device router.

Step 1 From the hierarchy pane, click the open-close icon for the Networks folder.

Step 2 Double-click the desired network from the list of networks. As shown in Figure 4-3 on page 4-4, the Network window appears in the data pane on the right, displaying the name of each router in the selected network, along with its domain name and role.

Step 3 From the Networks window, select the router name for the edge device you want to edit.

Step 4 Choose Actions > Edit Target. The Edit Target dialog box appears (see Figure 4-7).

Figure 4-7 Edit Target Dialog Box

The Network, Target Name, and Domain fields are filled in based on your selection from the Networks window.

Step 5 From the Transport drop-down menu, choose the configuration file transport method you are using.

- TGS_SSH: The default configuration file transport method for VPN Solutions Center IPsec mode is TGS_SSH (Telnet Gateway Server Secure Shell).
- TGS_TFTP: If you choose TGS_TFTP as the default transport method, be sure to enable TFTP (Trivial File Transfer Protocol) on the VPN Solutions Center workstation and on the target routers. For details, see the "Enabling TFTP on the VPN Solutions Center Workstation" section on page 2-8.
- TGS_Telnet: The TGS_Telnet option is the default transport method for the MPLS mode.

Step 6 In the Description field, enter pertinent information about the selected edge device router.

At this point, you can either complete this task by clicking OK, or proceed to the next task, specifying the IP address on the selected router. If you choose to complete this task for this router, specify the transport method for the other routers in the network by repeating this procedure for each router.

Specifying the IP Address for the Router's Loopback Interface

After setting the configuration transport method for the selected edge device router, specify the IP address for the router's loopback interface.

Step 1 From the Edit Target dialog box (as shown in Figure 4-7 on page 4-7), choose the IP Addresses tab.

Step 2 From the IP Addresses dialog box, click Add. The Add IP Address dialog box appears (see Figure 4-8).

Figure 4-8 Specifying the IP Address

Step 3 Enter the IP address for the router's loopback interface, then click OK. The IP Addresses dialog box now displays the newly assigned IP address (see Figure 4-9).

Figure 4-9 IP Address Assigned to an Edge Device Router

Step 4 Click OK.

Setting the SNMPv3 Parameters for VPNSC Target Routers

Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. This section describes how to set the SNMPv3 parameters on the routers defined in VPN Solutions Center software.

Tips: The SNMPv3 parameters you specify in the VPN Solutions Center software must match the SNMPv3 parameters set on the target routers (see the "Setting the SNMPv3 Parameters on the Routers in the Service Provider Network" section on page 2-5).

If you do not require security levels in SNMP operations, setting these parameters is not necessary. In this case, SNMP operations use the SNMPv2C model by matching community strings.

Authentication is the process of ensuring message integrity and protection against message replays. Authentication includes both data integrity and authenticating data origin.

VPN Solutions Center 2.0 supports two SNMPv3 security levels:

- AuthNoPriv (authentication/no privacy). For this security level, authentication is required, but no encryption occurs. This level uses strong authentication based on the HMAC-MD5 or HMAC-SHA algorithms. These correspond respectively to the MD5 and SHA Authentication Protocol options in the SNMPv3 Parameters dialog box (Figure 4-10).
- AuthPriv (authentication/privacy). For this security level, authentication is required and encryption occurs. This level uses strong authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Encryption for this security level employs the DES-56 standard.

See Table 2-1 on page 2-6 for more details on SNMP security models and levels.

To set the SNMPv3 parameters for the target edge device routers defined in VPN Solutions Center, follow these steps:

Step 1 From the hierarchy pane, click the open-close icon for the Networks folder.

Step 2 Double-click the desired network from the list of networks. The Network window appears in the data pane on the right, displaying the name of each router in the selected network, along with its domain name and role.

Step 3 From the Networks window, select the router name for the edge device you want to edit.

Step 4 Choose Actions > Edit Target. The Edit Target dialog box appears (see Figure 4-7 on page 4-7).

Step 5 Choose the SNMPv3 Parameters tab. The SNMPv3 Parameters dialog box appears (see Figure 4-10).

Figure 4-10 SNMPv3 Parameters Dialog Box

Step 6 If appropriate, define the parameters for the AuthNoPriv security level.

- User Name. The user name configured on the specified edge device router. This user must have permission to the object identification numbers (OIDs) specified in the security request (that is, write permission for a set request, and read permission for a get request).
- Password. The user authentication password.
- Auth Protocol. The authentication protocol. The available options are None, MD5, or SHA.

Step 7 If appropriate, define the parameters for the AuthPriv security level.

- User Name. The user name configured on the specified edge device router. This user must have permission to the object identification numbers (OIDs) specified in the security request (that is, write permission for a set request, and read permission for a get request).
- Password. The user authentication password.
- Auth Protocol. The authentication protocol. The available options are None, MD5, or SHA.
- Privacy Password. The encryption password.
- Privacy Protocol. The encryption protocol. Currently, only DES-56 is supported.

Step 8 When the SNMPv3 parameters are correctly entered, click OK.

Adding a New Router to the Network

When you manually add a new router (target) to the network, you must complete two tasks:

- Define the new target as defined in this section.
- Populate the device's interface information to the Repository as described in the "Populating IP Address Information to the Repository" section on page

In the event you need to add a new target (router) to an IPsec VPN network, follow these steps:

Step 1 From the VPN Console hierarchy pane, choose the Devices tab.

Step 2 Open the Networks folder and select the pertinent network.

Step 3 Double-click the selected network. The Network window appears, displaying the names of the devices in the selected network.

Step 4 From the Network window, choose Actions > New Target. The New Target dialog box appears (see Figure 4-11).

Figure 4-11 Defining a New Target

Step 5 Enter the values for the parameters in the General dialog box.

a. From the Network drop-down list, specify the network name.

b. In the Target Name field, specify the name of the device.

c. In the Domain field, specify the domain name for the device.

d. In the Role field, set the role to Cisco Router.

e. In the Transport field, choose TGS_SSH. The Transport field configures the method of communication between the VPN Solutions Center workstation and the specified router. The default is TGS_SSH for IPsec operations.

f. In the Description field, enter any pertinent information about the terminal server device, such as the type of device, its location, and any other information that could be helpful to service provider operators.

Specifying the Device Passwords and SNMP and Telnet Parameters

Step 6 Choose the Passwords tab. The New Target Passwords dialog box appears (see Figure 4-12).

Note: The values set in this dialog box must match the corresponding values set on the actual device.

Figure 4-12 New Target Passwords Dialog Box

Step 7 Enter the appropriate values for the fields in the Passwords dialog box.

a. Enter the Login User name.

b. Enter the Login Password for the device, then verify the password.

c. If the Enable User name exists on the device, enter it in the Enable User field.

d. If the Enable Password is set on the device, enter it in the Enable Password field.

e. Set the SNMP Read-Only and SNMP Read-Write community strings in the corresponding fields.

f. Set the SNMP and Telnet Retries value. The default is three retries.

g. Set the SNMP and Telnet Timeout value (in seconds). The default is 60 seconds.

Specifying the IP Addresses for the New Target

Step 8 Choose the IP Addresses tab.

Step 9 To specify the IP addresses for reaching this terminal server device, click Add. The Add IP Address dialog box appears (see Figure 4-13).

Figure 4-13 Add IP Address Dialog Box

Step 10 Enter the IP address for the terminal server device, then click OK.

If this IP address is also the designated management interface (the secured interface on the device that the VPN Solutions Center Network Management Subnet uses to communicate with the device), check the "This address is the management interface" checkbox. For information about the management interface, see the "Assigning the Management Interface on an Edge Device" section on page

The address you entered is displayed in the "IP Addresses for reaching this target" area (see Figure 4-14).

Figure 4-14 New Target IP Addresses Dialog Box

You can also specify an IP address as the management interface from this dialog box. To add additional IP addresses for this device, repeat Steps 9 and

Specifying the SNMPv3 Parameters

Step 11 Choose the SNMPv3 Parameters tab. The SNMPv3 Parameters dialog box appears (see Figure 4-15).

Figure 4-15 SNMPv3 Parameters Dialog Box

If appropriate, define the parameters for the AuthNoPriv security level.

- User Name. The user name configured on the specified edge device router. This user must have permission to the object identification numbers (OIDs) specified in the security request (that is, write permission for a set request, and read permission for a get request).
- Password. The user authentication password.
- Auth Protocol. The authentication protocol. The available options are None, MD5, or SHA.

If appropriate, define the parameters for the AuthPriv security level.

- User Name. The user name configured on the specified edge device router. This user must have permission to the object identification numbers (OIDs) specified in the security request (that is, write permission for a set request, and read permission for a get request).
- Password. The user authentication password.
- Auth Protocol. The authentication protocol. The available options are None, MD5, or SHA.
- Privacy Password. The encryption password.
- Privacy Protocol. The encryption protocol. Currently, only DES-56 is supported.

When the SNMPv3 parameters are correctly entered, proceed to the next tab, Terminal Server.

Associating a Terminal Server with the New Device

To associate a terminal server device with the new edge device router, choose the Terminal Server tab. The Terminal Server dialog box appears (see Figure 4-16).

Figure 4-16 Terminal Server for New Target Router

a. From the Terminal Server drop-down list, select the terminal server device you want to associate with the new target router. You can disassociate a terminal server from a device by clicking Disassociate.

b. In the Port Number field, enter the port number on the terminal server.

c. When the parameters are set satisfactorily, click OK.

Populating IP Address Information to the Repository

After you manually add a new device to a network, you must populate the IP addresses into the Repository database as follows:

Step 1 From the VPN Console, choose Monitoring > Configure Traps > Populate interface information for Cisco Router Targets.

Step 2 Step through the Populate Interface Information wizard. This wizard sets up a scheduled task that polls for information about router interfaces. It extracts the interface name, index number, and IP address and subnet mask for each interface. The collected interface information is stored with each router definition.

Deleting Targets From a Network

If you need to delete a target from a VPN Solutions Center network, make sure that the target router is not part of any active service request or a service request that could be activated.

To delete a target from a network, follow these steps:

Step 1 From the VPN Console, select the Devices tab (if it is not already selected).

Step 2 From the Targets list, double-click the name of the network the device is in. The Networks window appears (see Figure 4-17).

Figure 4-17 List of Devices in the Selected Network

Step 3 In the Networks window, select the names of the targets to be deleted.

Step 4 Choose Actions > Delete Targets. You receive the following message:

WARNING! When a target in a persistent task is deleted, it can cause problems. Are you sure you want to delete the selected target(s)?

Step 5 To delete the selected target, click Yes. To cancel the delete operation, click No.

Creating Default Policies

Before you define VPN Customers and VPNs, it is a good idea to set the default policies. You can create a set of default policies that can then be automatically applied to new Customers and incorporated into new service requests without requiring further modification.

Default customer policies that are created after a new Customer is defined are not accessible by that new Customer. Thus, any new default policies cannot be assigned to service requests for that Customer.

To create a set of default policies, follow these steps:

Step 1 From the VPN Console, choose Setup > New Default Customer Policy. The dialog box shown in Figure 4-18 appears.

Figure 4-18 Entering the Policy Name

Step 2 Enter a unique name for the default customer policy, then click OK. The Edit Policy dialog box appears (see Figure 4-19).

Figure 4-19 Editing Global Parameters for the Default Policy

Step 3 If necessary, modify the default global parameters.

The IPsec Lifetime parameters are global lifetime settings. A lifetime is associated with each security association (SA), beyond which the SA cannot be used. There are two lifetimes: a timed lifetime, specified in terms of the duration of the SA; and a traffic-volume lifetime, specified as the number of bytes secured using this SA. A security association expires after the first of these lifetimes is reached.

If you change a global lifetime, the new lifetime value will not be applied to existing security associations. If you wish to use the new values immediately, you can clear all or part of the security association database.

The IKE Keepalive parameters are a Cisco proprietary extension to IKE that detects failures in IKE negotiation. After an IKE session is established, each node sends keepalive packets to its peers. When a peer does not respond, the sending node tears down the IKE/IPsec tunnel with the non-responding peer.

a. IPsec Lifetime in Seconds. The default is 14,400 seconds (four hours).

b. IPsec Lifetime in Kilobytes. The traffic-volume lifetime. The default IPsec lifetime in Kilobytes is 4,608,000 KB (10 MB per second for one hour).

c. IKE Keepalive Interval in Seconds. This is the time interval between each keepalive packet.

d. IKE Keepalive Retry Interval in Seconds. If there is no response from a peer, this value determines how many seconds until VPN Solutions Center begins sending keepalive packets again to the non-responding peer.

e. Diffie-Hellman Group ID. Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecure communications channel. IKE uses Diffie-Hellman to establish session keys.

By default, Diffie-Hellman groups are enabled. You can disable these groups by clicking the Enabled checkbox.

VPN Solutions Center supports two Diffie-Hellman groups:

- Group 1: a MODP group with a 768-bit modulus
- Group 2: a MODP group with a 1024-bit modulus

Choose the appropriate Diffie-Hellman group for the current security association.

Step 4 When you have set the global parameters satisfactorily, choose the Proposals tab. The Proposals dialog box appears (see Figure 4-20).

Figure 4-20 Proposals Dialog Box for Default Customer Policies

Step 5 Set the IKE Proposal parameters as necessary. To view the options available in each field, double-click the field, then choose the appropriate option from the drop-down list.

a. Authentication
- Preshared key
- RSA Signature
- RSA Encryption

b. Encryption
- DES
- 3DES

c. Hash Algorithm
- SHA
- MD5

d. DH Group ID
- Group One: a 768-bit modulus
- Group Two: a 1024-bit modulus

e. Lifetime (sec). Enter the duration for the IKE proposal in seconds.

Step 6 Set the IPsec Proposal parameters as necessary.

a. AH
- Not Set
- SHA-HMAC
- MD5-HMAC

b. ESP Authentication
- Not Set
- SHA-HMAC
- MD5-HMAC

c. ESP Encryption
- Not Set
- DES
- 3DES
- Null Cipher

d. Compression
- Not Set
- LZS

e. Lifetime (sec). Specify the duration for the IPsec proposal in seconds.

f. Lifetime (KB). Specify the number of bytes secured using the IPsec proposal.

Note that a security association expires after the first of these lifetimes is reached.

Step 7 When the IKE Proposal and IPsec Proposal parameters are set satisfactorily, click OK. The Save Status dialog box appears, which notes the path and filename of the Default Customer Policy.

Step 8 Click OK.

You can also create Customer Policies for individual customers. For details, see the "Creating Customer-Specific Policies" section on page
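The proposal options and lifetime rule described above can be reviewed before a default policy is saved. The following Python sketch is an added example, not part of VPN Solutions Center: it accepts only the option values listed in the Proposals dialog, flags selections by key, digest or modulus size, and works out which of the two lifetimes an SA reaches first at a steady traffic rate. The dictionary layout, function names and the classification of findings are assumptions of this example, and the two policies are constructed samples.

```python
# Option values as listed in the Proposals dialog described above.
IKE_OPTIONS = {
    "authentication": {"Preshared key", "RSA Signature", "RSA Encryption"},
    "encryption": {"DES", "3DES"},
    "hash": {"SHA", "MD5"},
    "dh_group": {1, 2},
}
IPSEC_OPTIONS = {
    "ah": {"Not Set", "SHA-HMAC", "MD5-HMAC"},
    "esp_auth": {"Not Set", "SHA-HMAC", "MD5-HMAC"},
    "esp_encryption": {"Not Set", "DES", "3DES", "Null Cipher"},
    "compression": {"Not Set", "LZS"},
}
# This example's own classification (an assumption, not a product rating).
FLAGGED = {
    ("encryption", "DES"): "56-bit key",
    ("esp_encryption", "DES"): "56-bit key",
    ("hash", "MD5"): "MD5-based",
    ("ah", "MD5-HMAC"): "MD5-based",
    ("esp_auth", "MD5-HMAC"): "MD5-based",
    ("dh_group", 1): "768-bit MODP modulus",
}


def _check(kind, proposal, options):
    """Validate one proposal against the dialog options and collect findings."""
    findings = []
    for field, allowed in options.items():
        value = proposal[field]
        if value not in allowed:
            raise ValueError(f"{kind} {field}={value!r} is not a dialog option")
        if (field, value) in FLAGGED:
            findings.append(f"{kind} {field}={value}: {FLAGGED[(field, value)]}")
    return findings


def audit_policy(policy):
    """Return a list of findings for a policy with 'ike' and 'ipsec' proposals."""
    ike, ipsec = policy["ike"], policy["ipsec"]
    findings = _check("IKE", ike, IKE_OPTIONS) + _check("IPsec", ipsec, IPSEC_OPTIONS)
    if ipsec["esp_encryption"] in ("Not Set", "Null Cipher"):
        findings.append("IPsec: traffic is not encrypted "
                        f"(ESP Encryption is {ipsec['esp_encryption']})")
    if ipsec["ah"] == "Not Set" and ipsec["esp_auth"] == "Not Set":
        findings.append("IPsec: no integrity protection "
                        "(AH and ESP Authentication are both Not Set)")
    return findings


def first_lifetime_reached(lifetime_sec, lifetime_kb, rate_kb_per_sec):
    """Return (which, seconds): the lifetime an SA hits first at a steady rate."""
    if rate_kb_per_sec > 0:
        volume_secs = lifetime_kb / rate_kb_per_sec
        if volume_secs < lifetime_sec:
            return ("volume", volume_secs)
    return ("time", float(lifetime_sec))


# Constructed sample policies; the lifetimes are the defaults quoted above.
WEAK_POLICY = {
    "ike": {"authentication": "Preshared key", "encryption": "DES",
            "hash": "MD5", "dh_group": 1},
    "ipsec": {"ah": "Not Set", "esp_auth": "Not Set", "esp_encryption": "DES",
              "compression": "Not Set"},
}
# The strongest selections that this dialog lists.
STRONGER_POLICY = {
    "ike": {"authentication": "RSA Signature", "encryption": "3DES",
            "hash": "SHA", "dh_group": 2},
    "ipsec": {"ah": "Not Set", "esp_auth": "SHA-HMAC", "esp_encryption": "3DES",
              "compression": "Not Set"},
}

if __name__ == "__main__":
    for finding in audit_policy(WEAK_POLICY):
        print(finding)
    print(first_lifetime_reached(14400, 4608000, 1280))
```
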

Defining a New IPsec VPN Customer

Defining an IPsec VPN customer requires the following tasks:

- Entering the name of the VPN customer (see the section below).
- Defining the customer sites (see the "Defining Customer Sites" section on page 4-21).
- Assigning an edge device for each customer site (see the "Assigning an Edge Device to a Site" section on page 4-23).
- Defining the secure and nonsecured interfaces on each edge device (see the "Defining a Device's Secured, Nonsecured, and Tunnel Endpoint Interfaces" section on page 4-25).
- Specifying whether edge devices are managed or unmanaged; and if a device is managed, indicate its SA Agent/SLA probe status (see the "Defining Devices as Managed or Unmanaged" section on page 4-30).
- Creating policies for each customer.
- Defining the IPsec VPN.

To define a new VPN customer, follow these steps:

Step 1 From the VPN Console menu bar, choose Setup > New VPN Customer. The Enter Customer Name dialog box appears (see Figure 4-21).

Figure 4-21 Entering the Customer Name

Step 2 Enter the name of the VPN customer, then click OK.

The first character in the customer name must be a letter. The customer name can contain letters, numbers, and these punctuation characters: period, underscore, and dash. The Customer name cannot exceed 63 characters.

The Edit Customer dialog box appears (see Figure 4-22).

Figure 4-22 Edit Customer Dialog Box

Step 3 In the Contact Information area, enter contact information for the VPN customer.

Step 4 To save the new information to the VPNSC 2.0 Repository, click Apply.

Next, define the sites for the current customer (see the next section).

Defining Customer Sites

To define the sites for a new or existing Customer, follow these steps:

Step 1 From the VPN Console hierarchy pane, choose the Customers tab.

Step 2 Select the name of the Customer in the hierarchy pane, then right-click. The Customer menu appears (see Figure 4-23).

Figure 4-23 Customer Menu

Step 3 From the Customer menu, choose New Site. The Enter Customer Site Name dialog box appears (see Figure 4-24).

Figure 4-24 Entering the Customer Site Name

Step 4 Enter the name of the customer site, then click OK.

The first character in the Customer Site name must be a letter. The customer name can contain letters, numbers, and these punctuation characters: period, underscore, and dash. The Customer Site name cannot exceed 63 characters.

The Edit Site dialog box is displayed (see Figure 4-25).

Figure 4-25 Site Information Displayed

Step 5 In the Location Information area, enter the pertinent site location information, then click Apply.

Step 6 Repeat the steps in this procedure to define each additional customer site.

Next, assign an edge device to each customer site (see the next section).

Assigning an Edge Device to a Site

Once you create one or more sites in VPN Solutions Center, your next task is to assign at least one edge device router to each site. To do so, follow these steps:

Step 1 From the VPN Console hierarchy pane, choose the Customers tab.

Step 2 Expand the VPN Customers folder until you can see the current set of sites for the chosen customer (see Figure 4-26).

Figure 4-26 Customer Sites List

Step 3 Click the name of the site that you want to assign an edge device to. The Edit Site dialog box displays the name of the selected site.

Step 4 From the Edit Site dialog box, choose Site > Add Edge Device. You can also select the name of the site and right-click. From the menu, choose Add Edge Device. The Add IPsec Edge Device dialog box appears (see Figure 4-27).

Figure 4-27 Add IPsec Edge Device Dialog Box

Step 5 In the Add IPsec Edge Device dialog box, do the following:
a. In the Network drop-down menu, choose the appropriate network name.
b. In the Role drop-down menu, choose Cisco Router.
c. From the list of routers, select the line that lists the name of the router you want to assign to the selected site.
d. When all the elements are set satisfactorily, click OK.

The newly added router is assigned to the site. As shown in Figure 4-28, you can see the device displayed in the Edge Devices folder for the site.

Figure 4-28 Newly Added Edge Devices Displayed in the Customers Tab

Step 6 Repeat this procedure for each site.

Next, define the secured and nonsecured interfaces on each edge device in the customer's VPN (see the next section).

Defining a Device's Secured, Nonsecured, and Tunnel Endpoint Interfaces

An edge device router must have a secured (encrypted) interface and a nonsecured (unencrypted) interface associated with the device. The secured interface faces the service provider network, and the nonsecured interface faces the customer's intranet.

The edge device router must also have a secured tunnel endpoint. The tunnel endpoint interface can be either a loopback interface (with the IP address in the service provider's address space) or an interface that is not a loopback.

Note Cisco recommends that the secured tunnel endpoint interface and the management interface for that device should be configured to be the same interface. For information on defining the management interface, see the "Assigning the Management Interface on an Edge Device" section on page

To define the secured, nonsecured, and tunnel endpoint interfaces for a device, follow these steps:

Step 1 From the VPN Console hierarchy pane, choose the Customers tab.

Step 2 From the Customers tab, expand the Customer hierarchy until you can see the sites and the names of the edge devices in the Edge Devices folders for the selected Customer.

Step 3 Select the name of the edge device you want to define, then right-click. As shown in Figure 4-29, the Edge Device menu appears.

Figure 4-29 Opening the Edge Device

Step 4 From the Edge Device menu, choose Open Edge Device. The Edit Edge Device dialog box appears (see Figure 4-30).

Figure 4-30 Device-Related Settings for the Selected Edge Device

Step 5 Choose the IPsec Interfaces tab. The IPsec Interfaces dialog box appears (see Figure 4-31).

Figure 4-31 Assigning the Device Interfaces

a. From the list of Available Interfaces, choose the tunnel endpoint interface, then click Make Tunnel Endpt. The selected interface is displayed in the Secured Tunnel Endpoint pane.

The edge device router must have a secure tunnel endpoint. A tunnel endpoint is a virtual, not an actual, interface that is required by IPsec to define the end point of an IPsec tunnel. The tunnel endpoint interface can be either a loopback interface (with the IP address in the service provider's address space) or an interface that is not a loopback.

Note Cisco recommends that the secure tunnel endpoint interface and the management interface for that device should be assigned to the same interface. For information on defining the management interface, see the "Assigning the Management Interface on an Edge Device" section on page

If you assign a non-loopback interface as the tunnel endpoint interface, note the following:

- When you assign a non-loopback interface as the secured tunnel endpoint, that interface is also assigned as the secured interface.
- VPN Solutions Center allows only one secured interface to be configured for an edge device.

b. From the list of Available Interfaces, choose the secured interface (which faces the service provider network), then click Make Secured. The selected interface is displayed in the Secured Interfaces pane. If you selected a non-loopback interface as the tunnel endpoint, VPN Solutions Center already assigned it as the secured interface.

c. From the list of Available Interfaces, choose the nonsecured interface (which faces the customer's network), then click Make Nonsecured. The selected interface is displayed in the Nonsecured Interfaces pane (see Figure 4-32).

Figure 4-32 Functions for the Device Interfaces Assigned

The OSPF Area Border Router Attribute

Step 6 If the selected target is an OSPF Area Border Router (ABR), check the OSPF Area Border Router checkbox. (By default, the OSPF Area Border Router option is not enabled.)

Tips When you specify an edge device as an OSPF Area Border Router, be sure to include at least one loopback interface (for each OSPF area specified in the service requests) to the list of nonsecured interfaces.

Step 7 When the router interfaces are defined to your satisfaction, click Apply.

Step 8 Repeat this procedure for each device in each customer site.

Assigning the Management Interface on an Edge Device

The VPN Solutions Center Network Management Subnet resides inside the service provider network, and communicates with edge device routers through an assigned management interface. Configuration changes are managed by VPN Solutions Center software and transported to the appropriate edge devices through the management interface.

Each edge device has one secured interface through which secure traffic flows to and from the other edge devices in an IPsec VPN. Cisco recommends that the secured tunnel endpoint interface and the management interface for that device should be configured to be the same interface. The secured tunnel endpoint can be either the secured interface or the loopback interface on the edge device.

To assign a device interface as the management interface, follow these steps:

Step 1 From the VPN Console hierarchy pane, choose the Customers tab.

Step 2 From the Customers tab, expand the Customer hierarchy until you can see the sites and the names of the edge devices in the Edge Devices folders for the selected Customer.

Step 3 Select the name of the edge device on which you want to assign the management interface, then right-click. The Edge Device menu appears.

Step 4 From the Edge Device menu, choose Open Edge Device. The Edit Edge Device dialog box appears.

Step 5 From the Edit Edge Device dialog box, choose the IP Addresses tab (see Figure 4-33 on page 4-29).

Figure 4-33 Selecting the IP Address for the Management Interface

Step 6 From the displayed list of IP addresses for reaching this target router, choose either the IP address for the secured interface or the IP address for the loopback interface.

Note If you need to check to see the list of secured interfaces before you assign the management interface, choose the IPsec Interfaces tab, then note the appropriate IP address in the list of secured interfaces.

Step 7 When the appropriate interface is highlighted, click Set As Management Interface. The selected IP address in the list now displays with the designation "management interface"; for example: (found on loopback0, management interface)

Step 8 If the management interface for this device is set satisfactorily, click Apply. The change is added to the VPN Solutions Center Repository.

When you add an IP address to a target router, the Add IP Address dialog box provides an option to designate the interface the new IP address is assigned to as a management interface.

Defining Devices as Managed or Unmanaged

VPN Solutions Center 2.0 allows you to specify for each edge device whether it is a managed or unmanaged device. A managed device is managed by the service provider, who uses VPN Solutions Center software to make changes in device configurations. If an edge device is unmanaged, VPN Solutions Center is not responsible for configuring that device. Unmanaged devices can only be configured by the Customer that owns that device.

For managed devices, you can specify whether these devices support SA Agent and can therefore collect SLA data; this is the Managed Device with SLA Probe option. For information on configuring a device so that SA Agent is enabled, see the "Enabling SA Agent on an Edge Device" section on page 2-7.

When you enable the Managed Device with SLA Probe option, two additional options become available:

- Automate SLA Probe Provisioning
- Provision SLA Probe Inside IPsec Tunnel

Automating SLA Probe Provisioning

When you enable the Automate SLA Probe Provisioning option, VPN Solutions Center automatically configures a set of user-specified SLA probe types between the peer edge devices specified in the service request. These settings are applied per edge device; that is, you can have SLA probes automatically configured on none, some, or all of the edge devices in a service request. Enabling this option makes it easier (and less error prone) to set up the standard set of probe types that you need to collect SLA data.

Note If you enable the Managed Device with SLA Probe option, but do not enable the Automate SLA Probe Provisioning option, you must manually configure the SLA probes for each device.

VPN Solutions Center supports the following SLA probe types:

- User Datagram Protocol Echo (UDP Echo). The default probe type is UDP Echo.
- Internet Control Message Protocol Echo (ICMP Echo)
- Transmission Control Protocol Connect (TCP Connect)
- Jitter (voice jitter)
- Domain Name System (DNS)
- Hyper Text Transfer Protocol (HTTP)
- Dynamic Host Configuration Protocol (DHCP)

Step 1 From the VPN Console hierarchy pane, choose the Customers tab.

Step 2 In the hierarchy pane, expand the Customer hierarchy until you can see the sites and the names of the edge devices in the Edge Devices folders for the selected Customer.

Step 3 Select the name of the edge device you want to define, then right-click. The Edge Device menu appears.

Step 4 From the Edge Device menu, choose Open Edge Device. The Edit Edge Device dialog box appears (see Figure 4-34).

Figure 4-34 Device-Related Settings for the Selected Edge Device

Step 5 Choose the Management tab. The Management dialog box appears (see Figure 4-35).

Figure 4-35 IPsec Management Dialog Box

Step 6 Choose the Managed Device with SLA Probe radio button.

Step 7 Check the Automate SLA Probe Provisioning checkbox.

When you enable the Automate SLA Probe Provisioning option, VPN Solutions Center automatically configures a set of user-specified SLA probe types between the peer edge devices specified in the service request. These settings are applied per edge device; that is, you can have SLA probes automatically configured on none, some, or all of the edge devices in a service request. Enabling this option makes it easier (and less error prone) to set up the standard set of probe types that you need to collect SLA data.

Step 8 When the device management options are set satisfactorily, click Apply.

Step 9 Repeat this procedure for each device in each customer site.

Editing the csm.properties File to Enable Additional SLA Probe Types

Since UDP Echo is the only SLA probe type configured by default, if you need to configure and run other probe types, you must specify those probe types by editing the csm.properties file. Thus, if you wish to take advantage of the VPN Solutions Center's Automate SLA Probe Provisioning option, make sure that the corresponding list of desired probe types is specified in the csm.properties file.

The section in the csm.properties file that specifies these properties is titled SLA Auto-Config Properties. The parameters for each SLA probe type are specified in the csm.properties file.

1. Find the following lines in the file that enable the probe types:

    ### List of probe types to be created (space-delimited)
    # Types = echo tcpconnect udpecho jitter dns http dhcp; Default = udpecho
    netsys.vpn.autoprobeconfig.rtttypes = udpecho

The netsys.vpn.autoprobeconfig.rtttypes parameter specifies which probes are automatically configured. You can enable as many probe types as you want in a space-delimited list by adding any additional types to the line.

2. Add the desired list of SLA probe types to the line.
For each SLA probe type, there are additional properties that specify the parameters for that particular probe type.

3. Edit these type properties as necessary to fully configure the SLA probe.

4. Save the csm.properties file, then exit the file.

Once you a) specify the desired probes and their parameters in the csm.properties file and b) enable the Automate SLA Probe Provisioning option for a particular edge device, when that edge device is included in a service request, VPN Solutions Center configures the specified set of SLA probes to each of its peers. You must schedule the SLA probe in order for the probe to be provisioned.

Provisioning an SLA Probe Inside an IPsec Tunnel

With the Provision SLA Probe Inside IPsec Tunnel option, you can specify whether you want the SLA probe packets to be sent inside the IPsec tunnel (in encrypted form). If you want the probe traffic to be protected in the same way as other IPsec traffic, enable this option. When this option is not enabled, VPN Solutions Center sends the SLA probe packets outside the IPsec tunnel (in clear form).

Note Sending SLA probe packets outside the IPsec tunnel requires that you enable the Extended Services Internet Access option for all service requests involving the specified edge device. For information on setting this option, see the "Defining a Service Request for the VPN" section on page
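The edit described in the "Editing the csm.properties File to Enable Additional SLA Probe Types" procedure can be checked before the file is saved. The following is an added example, not Cisco's code: it reads and rewrites the netsys.vpn.autoprobeconfig.rtttypes line and rejects any keyword that is not in the Types comment quoted above. The sample file text is constructed, and falling back to udpecho when the key is absent is an assumption based on the documented default.

```python
import re

# Probe type keywords from the "# Types = ..." comment quoted on this page.
VALID_TYPES = ("echo", "tcpconnect", "udpecho", "jitter", "dns", "http", "dhcp")
KEY = "netsys.vpn.autoprobeconfig.rtttypes"
DEFAULT = ["udpecho"]  # assumption: used when the key is missing from the file

# Matches an active (uncommented) assignment of KEY.
LINE_RE = re.compile(r"^\s*" + re.escape(KEY) + r"\s*[=:]\s*(?P<value>.*)$")

# Constructed sample; only the last three lines come from the page.
SAMPLE = """\
### SLA Auto-Config Properties (constructed fragment)
### List of probe types to be created (space-delimited)
# Types = echo tcpconnect udpecho jitter dns http dhcp; Default = udpecho
netsys.vpn.autoprobeconfig.rtttypes = udpecho
"""


def read_probe_types(text):
    """Return the probe types enabled in the file text (last assignment wins)."""
    found = None
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            found = match.group("value").split()
    return found if found is not None else list(DEFAULT)


def validate(types):
    """Split a requested list into (accepted, rejected), dropping duplicates.

    Matching is case-sensitive, so 'UDPecho' is rejected rather than guessed at.
    """
    accepted, rejected = [], []
    for name in types:
        if name not in VALID_TYPES:
            rejected.append(name)
        elif name not in accepted:
            accepted.append(name)
    return accepted, rejected


def set_probe_types(text, types):
    """Return new file text with the rtttypes line set to the requested types.

    Raises ValueError instead of writing a line that contains an unknown
    keyword, so a typo does not silently leave a probe type unprovisioned.
    """
    accepted, rejected = validate(types)
    if rejected:
        raise ValueError("unknown probe type(s): " + " ".join(rejected))
    if not accepted:
        raise ValueError("at least one probe type is required")
    new_line = KEY + " = " + " ".join(accepted)
    out, replaced = [], False
    for line in text.splitlines():
        if LINE_RE.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop any later duplicate assignment of the key
        out.append(line)  # comments and other properties are left untouched
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", read_probe_types(SAMPLE))
    updated = set_probe_types(SAMPLE, ["udpecho", "echo", "jitter", "echo"])
    print(updated, end="")
    try:
        set_probe_types(SAMPLE, ["udpecho", "icmp"])
    except ValueError as exc:
        print("rejected:", exc)
```
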

Step 1 From the VPN Console hierarchy pane, choose the Customers tab.

Step 2 In the hierarchy pane, expand the Customer hierarchy until you can see the sites and the names of the edge devices in the Edge Devices folders for the selected Customer.

Step 3 Select the name of the edge device you want to define, then right-click. The Edge Device menu appears.

Step 4 From the Edge Device menu, choose Open Edge Device. The Edit Edge Device dialog box appears (see Figure 4-34 on page 4-31).

Step 5 Choose the Management tab. The Management dialog box appears (see Figure 4-35 on page 4-31).

Step 6 Choose the Managed Device with SLA Probe radio button.

Step 7 Check the Provision SLA Probe Inside IPsec Tunnel checkbox. With this option, you can specify whether you want the SLA probe packets to be sent inside the IPsec tunnel (in encrypted form). If you want the probe traffic to be protected in the same way as other IPsec traffic, enable this option. When this option is not enabled, VPN Solutions Center sends the SLA probe packets outside the IPsec tunnel (in clear form).

Step 8 When the device management options are set satisfactorily, click Apply.

Step 9 Repeat this procedure for each device in each customer site.

Creating Customer-Specific Policies

To create policies for a specific customer, follow these steps:

Step 1 From the VPN Console hierarchy pane, choose the Customers tab.

Step 2 From the Customers tab, select the customer name, then right-click. The Customer menu appears.

Step 3 From the Customer menu, choose Open Customer. The Edit Customer dialog box opens (see Figure 4-22 on page 4-21).

Step 4 From the Edit Customer dialog box, choose Customer > New Policy. The Enter Policy Name dialog box appears (see Figure 4-36).

Figure 4-36 Entering the Customer-Specific Policy Name

Step 5 Enter the policy name, then click OK. The first character in the policy name must be a letter. The policy name can contain letters, numbers, and these punctuation characters: period, underscore, and dash. The policy name cannot exceed 63 characters. The Policies dialog box appears, displaying the Global Parameters tab (see Figure 4-37).

Figure 4-37 Global Parameters for a Customer-Specific Policy

Step 6 In most cases, the global parameters for the customer-specific policy are sufficient. For details on these parameters, see the "Creating Default Policies" section on page

Modify the global parameters as necessary, then choose the Proposals tab. The Proposals dialog box appears (see Figure 4-38).

Figure 4-38 Proposal Parameters for a Customer-Specific Policy

Step 7 The default values set in this dialog box are taken from the userprofile file. To change any of the values, double-click the pertinent field, then choose the new parameter value from the list.

Step 8 When satisfied with the policy settings, click Apply to save the data to the Repository.

Deleting a Customer from VPN Solutions Center

To delete a customer from VPN Solutions Center software, follow these steps:

Step 1 From the VPN Console, choose the Customers tab.

Step 2 Select the name of the VPN customer you want to delete, then right-click. The Customer menu appears (see Figure 4-39).

Figure 4-39 Customer Menu

Step 3 Choose Delete Customer. The following confirmation message appears: Are you sure you want to delete this customer?

Step 4 To delete the selected customer definition, click Yes. The customer definition is removed from the VPN Solutions software. To cancel the operation, click No.

Defining Terminal Servers in VPN Solutions Center Software

A terminal server is a communications processor that connects asynchronous devices such as terminals, printers, hosts, and modems to a LAN or WAN. In VPN Solutions Center 2.0, terminal servers provide a way to provision edge device routers from a workstation.

The VPN Solutions Center workstation is connected on a LAN to the terminal server device (typically a Cisco 2500 Series router). Each of the terminal server device's ports has a port number. Each serial line can be connected to an edge device router's console port. In this way, a VPN Solutions Center operator can communicate directly with an edge device router.

In the VPN Solutions Center software, you first define a target as a terminal server, and then associate that terminal server device with a particular edge device router.

Defining a Target as a Terminal Server

To define a target as a terminal server in VPN Solutions Center software, follow these steps:

Step 1 From the VPN Console, choose the Devices tab.

Step 2 Expand the Devices hierarchy until you can see the names of the Networks.

Step 3 Select the pertinent network name, then double-click. The Networks window appears.

Step 4 From the Networks window, choose Actions > New Target. The New Target dialog box appears (see Figure 4-40).

Figure 4-40 New Target Dialog Box

Step 5 Enter the values for the parameters in the General dialog box.
a. From the Network drop-down list, specify the network name.
b. In the Target Name field, specify the name of the terminal server device.
c. Optionally, in the Domain field, specify the domain name for the device. If you do not specify the domain server name, VPN Solutions Center uses the target name; then, using DNS, it performs a domain lookup.
d. In the Role field, set the role to Terminal Server. When you define the role of the device as a terminal server, the Transport field is disabled.
e. In the Description field, enter any pertinent information about the terminal server device, such as the type of device and its location.

Specifying the Device Passwords and SNMP and Telnet Parameters

Step 6 Choose the Passwords tab. The New Target Passwords dialog box appears (see Figure 4-41).

Note The values set in this dialog box must match the corresponding values set on the actual device.

Figure 4-41 New Target Passwords Dialog Box

Step 7 Enter the appropriate values for the fields in the Passwords dialog box.
a. Enter the Login User name.
b. Enter the Login Password for the device, then verify the password.
c. If the Enable User name exists on the device, enter it in the Enable User field.
d. If the Enable Password is set on the device, enter it in the Enable Password field.
e. Set the SNMP Read-Only and SNMP Read-Write community strings in the corresponding fields.
f. Set the SNMP and Telnet Retries value. The default is three retries.
g. Set the SNMP and Telnet Timeout value (in seconds). The default is 60 seconds.

Step 8 Choose the IP Addresses tab.

Step 9 To specify the IP addresses for reaching this terminal server device, click Add. The Add IP Address dialog box appears (see Figure 4-42).

Figure 4-42 Add IP Address Dialog Box

Step 10 Enter the IP address for the terminal server device, then click OK. To add additional IP addresses for this device, repeat Step 6 and Step

Specifying the SNMPv3 Parameters

Step 11 Choose the SNMPv3 Parameters tab. The SNMPv3 Parameters dialog box appears (see Figure 4-43).

Figure 4-43 SNMPv3 Parameters Dialog Box

If appropriate, define the parameters for the AuthNoPriv security level.

- User Name. The user name configured on the specified edge device router. This user must have permission to the object identification numbers (OIDs) specified in the security request (that is, write permission for a set request, and read permission for a get request).
- Password. The user authentication password.
- Auth Protocol. The authentication protocol. The available options are None, MD5, or SHA.

If appropriate, define the parameters for the AuthPriv security level.

- User Name. The user name configured on the specified edge device router. This user must have permission to the object identification numbers (OIDs) specified in the security request (that is, write permission for a set request, and read permission for a get request).
- Password. The user authentication password.
- Auth Protocol. The authentication protocol. The available options are None, MD5, or SHA.
- Privacy Password. The encryption password.
- Privacy Protocol. The encryption protocol. Currently, only DES-56 is supported.

When the SNMPv3 parameters are correctly entered, proceed to the next tab, Terminal Server, to associate the terminal server device with an edge device router (as described in the next section).

Associating Edge Device Routers with a Terminal Server

When a terminal server device is defined in VPN Solutions Center software, you can then associate one or more edge device routers in the network with that terminal server device. Then a workstation connected to the terminal server device can communicate with all of the routers associated with the terminal server.

To associate a terminal server with edge device routers, follow these steps:

Step 1 In the New Target window, choose the Terminal Server tab. The Terminal Server dialog box appears (see Figure 4-44).

Figure 4-44 Terminal Server Dialog Box

This dialog box provides a procedure for adding access from the terminal server to a single edge router device or adding access to multiple edge router devices.

Adding Terminal Server Access to a Single Device

Step 2 To assign terminal server access to a single router device, click Add. A new row appears in the window. If there are multiple targets in the Repository, the Target field displays a drop-down list.

Step 3 In the Target field, click the down arrow to see a list of targets (as shown in Figure 4-44).

Step 4 Select the name of the device you want terminal server access to. The cursor appears in the Port Number field.

Step 5 Enter the terminal server port number for access to the selected router.

Step 6 When finished, click OK.

Adding Terminal Server Access to Multiple Devices

Step 1 To assign terminal server access to multiple router devices, click Chooser. The Target Chooser dialog box appears (see Figure 4-45).

Figure 4-45 Selecting Multiple Devices for Terminal Server Access

Step 2 From the list of devices listed in the Target Chooser, select the routers for which you want access from the terminal server. To select multiple items in a list, press Ctrl+Click. Note that when you select multiple routers from the list, the Port Number field is grayed out.

Step 3 When you finish selecting the routers that are to be accessible from the selected terminal server, click OK. You return to the Terminal Server dialog box, where the routers that you selected are added to the list of targets for the terminal server.

Step 4 In the Port Number field for each new router, enter the appropriate terminal server port numbers for access to the selected routers, then click OK.

You have now completed defining a device as a terminal server and configured terminal server access to the routers.

Running IOS Commands from the VPN Console

You can run Cisco IOS commands on a router's command line by using VPN Solutions Center's Exec Command feature. This feature makes it easy to run commands on multiple routers at once. The Exec Command Console puts you in Enable mode; thus, you can run any IOS commands that are executable in Enable mode.

Executing commands in this way does not change the router's configuration file. VPN Solutions Center simply runs the commands you enter and returns the command's response, just as it does when communicating with a router through a console.

To execute an IOS command on a router, follow these steps:

Step 1 From the VPN Console menu bar, choose Tools > Exec Command. The Cisco VPN Solutions Center browser appears.

Step 2 If the browser is not already running, you must log in. In the Netscape Password dialog box, enter the VPN Solutions Center administrative user name and password, then click OK. The VPN Solutions Center Exec Command Console page appears (see Figure 4-46).

Figure 4-46 The Exec Command Console

You can run commands in the Exec Command Console in either of two ways:

- Specifying a command input file that contains a set of valid Cisco IOS commands. The command input file must be a text file. There is no practical limit to the number of commands that can be included in a command input file.
- Entering commands manually in the Commands pane.

Step 3 From the Network drop-down menu, choose the name of the network that the target router resides in. The routers in the selected network are displayed in the window below the Network field.

Step 4 From the list of routers, select one or more routers on which you want to run the command.

Step 5 To run IOS commands from a command input file:
a. Enter the path and name of the command input file in the Input file field. You can also specify the name and path for the command input file by clicking Browse and selecting the file in its directory.
b. Click Load File.
c. Click Send.

Step 6 To enter commands manually, in the Commands pane, enter the commands you want to run, then click Send. If you need to erase the contents of the Commands pane, click Clear. Then reenter the commands as needed.

The lower pane displays the output from the command you entered for each device you selected.

Modifying a Router's Configuration From the VPN Console

VPN Solutions Center provides a mechanism called the Download Console that allows you to download configuration files or any set of IOS commands to one or more routers. The Download Console adds the IOS commands to the router's existing configuration file. By default, VPN Solutions Center sets the modified configuration file as the running configuration.

The following procedure describes a typical scenario in which you need to download a previous version of a router's configuration file to one or more routers. To do that, you must first use the Version Console to retrieve a previous version of the configuration file, and then use the Download Console to download the configuration file to the selected routers.

Retrieving a Previous Version of a Configuration File

To retrieve a previous version of a configuration file stored on the VPN Solutions Center workstation, follow these steps:

Step 1 From the VPN Console menu bar, choose Tools > Version Console. The Version Console appears (see Figure 4-47).

Figure 4-47 The Version Console

The Version Console organizes the configuration files by networks and their associated routers.

Step 2 Expand the Version Console hierarchy until you can see the router icons and the names of the routers in the pertinent network.

Step 3 Select the router icon for the router that contains the configuration file of interest, then right-click.

Step 4 Choose Open. As shown in Figure 4-48, the Version Console displays the version list for the selected router. The versions are displayed according to the dates and times the configuration files were collected, and organized with the most recent version listed first, the next most recent second, and so on.

Figure 4-48 List of Configuration File Versions

Step 5 To open one of the configuration file versions, select the appropriate version, then right-click.

Step 6 Choose Open. The Version window appears, displaying the selected version of the configuration file (see Figure 4-49). The version number and hostname of the router are displayed in the title bar.

Figure 4-49 Previous Configuration File Displayed

Step 7 To save the desired version of the file to a specified file, from the Version window menu bar, choose File > Save As. The Save As dialog box appears (see Figure 4-50).

Figure 4-50 Saving a Configuration File

Step 8 Enter the filename that you want to save the configuration file to, then click Save As. You return to the Version window.

Step 9 Click Close.

Using the Download Console to Modify a Configuration

The Download Console downloads the IOS commands to the selected routers. You can download an actual IOS configuration file, or a file that contains a desired set of IOS commands. By default, VPN Solutions Center sets the modified configuration file as the running configuration.

To download a set of IOS commands to one or more routers, follow these steps:

Step 1 From the VPN Console menu bar, choose Tools > Download Console. The Download Console dialog box appears.

Step 2 To open a file from which you want to extract a set of IOS commands that you want to download to selected routers, from the Download Console dialog box, choose File > Import Config. The Open dialog box appears (see Figure 4-51).

Figure 4-51 Opening the IOS Commands File

Step 3 Select the file you want to open, then click Open. The contents of the selected file are displayed in the Edit Commands pane, as shown in Figure 4-52. The upper right pane displays the list of target routers in the Target Routers pane. The lower right pane is the Download Status pane.

Figure 4-52 The IOS Commands File Displayed in the Download Console

Step 4 You can edit the text displayed in the Edit Commands pane as necessary by using the standard keyboard commands to cut, copy, or paste the text.

Step 5 When you are satisfied with the set of commands displayed in the Edit Commands pane, select the routers that you want to download the IOS commands to from the Target Routers pane.
a. From the Network drop-down menu, choose the appropriate target network name. The list of network devices in the selected network is displayed.
b. From the Role drop-down menu, choose Cisco Router. The list of Cisco routers in the selected network is displayed.
c. From the Target Routers pane, select one or more target routers.

Step 6 Click Download. You receive the following message: Are you sure you wish to download the configlet to the selected routers?

Step 7 To proceed with downloading the set of IOS commands, click Yes. To cancel the IOS commands download operation, click No.

VPN Solutions Center downloads the commands displayed in the Edit Commands pane to the selected routers. These commands are added to the existing configuration on the selected routers. Figure 4-53 shows the Download Console as it appears when the IOS command download operation is complete. The status of the download operation is displayed in the Download Status pane.

Figure 4-53 IOS Command File Download Operation Complete

Step 8 Use the scroll bar in the Download Status pane to view the status information that the routers return in response to the downloaded IOS commands.

To exit from the Download Console, choose File > Exit.
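Because the Download Console adds the same commands to the running configuration of every selected router, the file is worth a mechanical review before Step 6. The following is an added example, not part of the Cisco manual or of VPN Solutions Center: the rule list, the severity labels and the sample command file are assumptions chosen for illustration, and the sample is constructed.

```python
import re

# Each rule: (pattern, severity, reason). Patterns are matched, ignoring case,
# against a single command line with leading whitespace removed. The rule set
# is an illustrative assumption, not a list taken from the manual.
RULES = [
    (r"^hostname\s+\S+", "block",
     "changes the IOS host name; VPNSC target names must match it"),
    (r"^no\s+snmp-server\b", "block",
     "removes SNMP, which must stay configured on each edge router"),
    (r"^snmp-server\s+community\s+(public|private)\b", "block",
     "default SNMP community string"),
    (r"^crypto\s+isakmp\s+key\s+.+\s+address\s+0\.0\.0\.0\b", "block",
     "pre-shared key is accepted from any peer address"),
    (r"^(reload|erase|write\s+erase)\b", "block",
     "destructive exec command inside a configuration download"),
    (r"^snmp-server\s+community\s+\S+.*\bRW\b", "warn",
     "read-write SNMP community"),
    (r"^enable\s+password\b", "warn",
     "weakly protected enable password; prefer 'enable secret'"),
    (r"^no\s+crypto\s+(map|isakmp|ipsec)\b", "warn",
     "removes IKE/IPsec configuration from the router"),
    (r"^transport\s+input\s+.*\b(telnet|all)\b", "warn",
     "permits cleartext Telnet management sessions"),
]


def review_commands(text):
    """Return (line_number, severity, command, reason) for each flagged line.

    Comment lines starting with '!' and blank lines are skipped. Only the
    first matching rule is reported per line; block rules are listed first.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for pattern, severity, reason in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, severity, line, reason))
                break
    return findings


def ok_to_download(findings):
    """True only when no finding has severity 'block'."""
    return not any(severity == "block" for _, severity, _, _ in findings)


# Constructed sample command file (not taken from the manual).
SAMPLE = """\
! constructed sample for the review script
hostname pe-east-1
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
crypto isakmp key Examp1eKey address 0.0.0.0 0.0.0.0
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    results = review_commands(SAMPLE)
    for lineno, severity, command, reason in results:
        print(f"line {lineno}: [{severity}] {command} -> {reason}")
    print("ok to download:", ok_to_download(results))
```

Run it against the file opened with File > Import Config; a blocked result means the file should be corrected in the Edit Commands pane before any routers are selected.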
