Router MC has a basic user workflow, shown in Figure . Most Router MC tasks are ordered as follows:
Task 1 – Create an activity.
All router management and VPN configuration must be done within the
context of an activity. When an activity is created, a proposal to create or
change VPN or firewall configurations on specific routers is prepared. This
proposal must be approved before configurations can be deployed to the
routers.
Task 2 – Create device groups.
Organize the routers in a hierarchy. When device groups are created, the
router inventory is divided into logical sets to simplify management and
deployment. All routers within a device group can share common policies, which
can be deployed to the whole set at once rather than to each router
individually. Device groups also keep a clear picture of the relationships
between the routers in the network.
Task 3 – Import devices.
When devices are imported,
the router information is brought into the device inventory, allowing
administrators to manage the routers using Router MC. Router information can be
imported by having Router MC query the routers directly or by importing router
information that is contained in a file.
Task 4 – Define VPN and/or firewall settings.
There are two ways to complete this task:
- If a VPN is being configured, the inside interfaces and internal networks
on the hub and spoke must be specified, as well as the VPN interface on the
spokes and the hubs to which the spokes are assigned. The method to be used for
resiliency, either IKE keepalive or GRE keepalive, can be specified. Additional
VPN settings not covered in the basic user workflow include more advanced
GRE and packet fragmentation configurations.
- If firewall policies to be deployed to the routers are being configured,
the parameters required for implementing CBAC and for defining access rules,
such as fragmentation handling, timeouts, half-open connection limits, logging,
and ACL number ranges, must be defined.
Task 5 – Define VPN policies and/or firewall ACLs.
There are two ways to complete this task:
- For VPN policy configuration, an IKE policy and a tunnel policy must be
defined. The IKE policy defines the combination of security parameters used
during IKE negotiation and peer authentication. A tunnel policy defines the
VPN connection from a spoke to its assigned hub; tunnel policies are defined
on the spoke and then implemented on the hub. The authentication and
encryption algorithms that will protect the tunnel traffic are selected here.
- For firewall policy configuration, the network security policy is expressed
as ACLs. The ACLs filter traffic on the interfaces of the managed routers, and
CBAC inspection rules are applied alongside them on those interfaces.
Task 6 – Approve the activity.
Upon completing the VPN or
firewall configurations, the activity must be approved before the
configurations are committed to the database, and can be deployed.
Task 7 – Create and deploy a job.
When a job is created, the devices or device groups to which the
configurations will be deployed are specified. Administrators can deploy
directly to the routers or to files. The CLI commands are generated from the
configurations and can be reviewed before deployment.
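The review step in Task 7 is where the Task 4 and Task 5 choices become checkable text. The following is an added example, not Router MC code: it takes a constructed sample of the kind of IOS CLI a job might generate for a spoke (IKE policy, IPsec transform set, keepalive, CBAC inspection rule, numbered ACL) and flags the settings a reviewer would object to before approving deployment. The sample configuration, the weak-algorithm sets, and the assumed ACL number range (100-199) are this example's own choices, not Router MC defaults or output.

```python
import re

# Constructed sample of the CLI a Router MC job might generate for a spoke.
# It is this example's own text, not real Router MC output: an IKE policy,
# an IPsec transform set for GRE, IKE keepalive for resiliency, a CBAC
# inspection rule with fragmentation and half-open limits, and a numbered ACL.
GENERATED_CLI = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp keepalive 10 3
crypto ipsec transform-set RMC-TS esp-aes esp-sha-hmac
 mode transport
ip inspect name RMC-FW tcp timeout 3600
ip inspect name RMC-FW fragment maximum 256 timeout 1
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit ip any any
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
interface FastEthernet0/0
 ip access-group 101 in
 ip inspect RMC-FW in
"""

# Review thresholds: this example's choices, not Router MC defaults.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
ACL_RANGE = range(100, 200)  # assumed range Router MC was told to allocate from


def parse_isakmp_policies(cli):
    """Map each 'crypto isakmp policy N' block to its {setting: value} pairs."""
    policies, current = {}, None
    for line in cli.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level command ends the block
    return policies


def parse_acls(cli):
    """Map each numbered access-list to its entries, in order."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (.+)$", cli, re.M):
        acls.setdefault(int(m.group(1)), []).append(m.group(2).strip())
    return acls


def review(cli):
    """Return review findings; an empty list means no objection to deploying."""
    findings = []
    # IOS falls back to DES and group 1 when a policy omits them, so a
    # missing setting is treated as the weak default, not as "not applicable".
    for num, p in sorted(parse_isakmp_policies(cli).items()):
        enc, hsh, grp = p.get("encryption", "des"), p.get("hash", "sha"), p.get("group", "1")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: weak encryption '{enc}'")
        if hsh in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash '{hsh}'")
        if grp in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {grp}")
    # Resiliency: either IKE keepalive (global) or GRE keepalive (under the tunnel)
    if not re.search(r"^crypto isakmp keepalive|^ keepalive", cli, re.M):
        findings.append("no IKE or GRE keepalive: tunnel failure will not be detected")
    for num, entries in sorted(parse_acls(cli).items()):
        if num not in ACL_RANGE:
            findings.append(f"access-list {num}: outside the assigned ACL range")
        if "permit ip any any" in entries:
            findings.append(f"access-list {num}: 'permit ip any any' makes the filter a no-op")
    if "ip inspect audit-trail" not in cli.splitlines():
        findings.append("CBAC audit-trail logging is off")
    # An inspection rule applied on an interface must actually be defined
    inspect_names = set(re.findall(r"^ip inspect name (\S+)", cli, re.M))
    for name in re.findall(r"^ ip inspect (\S+) (?:in|out)$", cli, re.M):
        if name not in inspect_names:
            findings.append(f"interface applies undefined inspection rule '{name}'")
    return findings


if __name__ == "__main__":
    for finding in review(GENERATED_CLI):
        print("REVIEW:", finding)
```

Run against the sample, the reviewer reports the DES/MD5/group 1 IKE policy, the trailing `permit ip any any` that defeats the ACL, and the missing CBAC audit trail; the keepalive, the ACL number, and the inspection-rule reference pass. The same checks can be pointed at a file produced by a "deploy to files" job before the activity is approved.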
Common configuration tasks include:
- Configuring general Cisco IOS Firewall settings
- Building access rules
- Using Building Blocks
- Using Upload
These are shown in the demonstration activities below.