By: Michael Watkins, Kevin Wallace
Solution provider takeaway: The CCNA Security Official Exam Certification Guide
Cisco IOS routers support many features (including security features) that require complex configurations. To aid in a number of these configuration tasks, Cisco introduced the Cisco Security Device Manager (SDM) interface. This section introduces SDM, discusses how to configure and launch SDM, and how to navigate the SDM wizards.
Cisco SDM provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router, as shown in Figure 3-3. Not only does SDM offer multiple "smart wizards," but configuration tutorials also are provided. Even though SDM stands for Security Device Manager, several nonsecurity features also can be configured via SDM, such as routing and quality-of-service (QoS) features.
Some newer Cisco routers come with SDM preinstalled, but SDM needs to be installed on other supported platforms. Go to http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm to download the current version of SDM and its release notes. Cisco SDM offers the following benefits:
- SDM's smart wizards use Cisco TAC best-practice recommendations for a variety of configuration scenarios.
- SDM intelligently determines an appropriate security configuration based on what it learns about a router's configuration (for example, a router's interfaces, NAT configuration and existing security configuration).
- SDM supports multiple security features such as wizard-based VPN configuration, router security auditing, and One-Step Lockdown configuration.
- SDM, which is supported in Cisco IOS 12.2(11)T6 and later, does not impact a router's DRAM or CPU.
Preparing to Launch Cisco SDM
If you plan to run SDM on a router that does not already have SDM installed, you need to install SDM either from a CD accompanying the router or from a download from the Cisco IOS Software Center. The installation is wizard-based. You are prompted to install SDM either on an administrator's PC, in the router's flash, or both.
SDM can connect to the managed router using secure HTTP (that is, HTTPS). The commands shown in Table 3-10 can be used to configure the router for HTTP support. Example 3-20 illustrates the use of these commands.
|Command||Description|
|Router(config)# ip http server||Enables an HTTP server on a router|
|Router(config)# ip http secure-server||Enables a secure HTTP (HTTPS) server on a router|
|Router(config)# ip http authentication local||Configures a local authentication method for accessing the HTTPS server|
|Router(config)# username name privilege 15 secret 0 password||Configures a username and password to be used for authentication local to the router|
Example 3-20 HTTPS Server Configuration for R1
R1(config)# ip http server
R1(config)# ip http secure-server
R1(config)# ip http authentication local
R1(config)# username kevin privilege 15 secret 0 cisco
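The four commands in Example 3-20 are the management-plane prerequisites SDM depends on, and they are also exactly the lines an auditor checks before trusting a router's HTTPS management access. The script below is an added example, not code from the book or from Cisco: it parses a constructed running-config excerpt (the hostname, the hypothetical users and the placeholder hash are invented for the sample) and reports whether HTTPS is enabled, whether plaintext HTTP is still on, whether the HTTP server authenticates against the local user database, which privilege-15 users exist, and which users are stored with a reversible `password` instead of a hashed `secret`.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample running-config excerpt (hypothetical; not taken from the book).
# The hash after "secret 5" is a placeholder, not a real credential.
SAMPLE_CONFIG = """\
hostname R1
ip http server
ip http secure-server
ip http authentication local
username kevin privilege 15 secret 5 $1$abcd$PLACEHOLDERHASH
username guest privilege 1 password 0 guest
"""

# Matches "username NAME [privilege N] (secret|password) TYPE VALUE".
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)"
    r"(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kind>secret|password)\s+(?P<enc>\d+)\s+\S+$"
)


@dataclass
class HttpMgmtStatus:
    http_enabled: bool = False
    https_enabled: bool = False
    auth_method: Optional[str] = None
    priv15_users: List[str] = field(default_factory=list)
    weak_password_users: List[str] = field(default_factory=list)


def parse_http_mgmt(config: str) -> HttpMgmtStatus:
    """Walk the config line by line and record the HTTP/HTTPS management state."""
    status = HttpMgmtStatus()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            status.http_enabled = True
        elif line == "no ip http server":
            status.http_enabled = False
        elif line == "ip http secure-server":
            status.https_enabled = True
        elif line.startswith("ip http authentication "):
            status.auth_method = line.split()[3]
        else:
            m = USERNAME_RE.match(line)
            if m:
                if m.group("priv") == "15":
                    status.priv15_users.append(m.group("name"))
                # "password" (types 0 and 7) is reversible; "secret" stores a hash.
                if m.group("kind") == "password":
                    status.weak_password_users.append(m.group("name"))
    return status


def audit_http_mgmt(config: str) -> List[str]:
    """Return one finding per deviation from the Example 3-20 baseline."""
    s = parse_http_mgmt(config)
    findings: List[str] = []
    if not s.https_enabled:
        findings.append("ip http secure-server is missing: SDM cannot connect over HTTPS")
    if s.http_enabled:
        findings.append("ip http server leaves plaintext HTTP enabled; "
                        "remove it with 'no ip http server' once HTTPS works")
    if s.auth_method != "local":
        findings.append("ip http authentication local is missing: "
                        "the HTTP server is not using the local user database")
    if not s.priv15_users:
        findings.append("no privilege-15 username exists for SDM to log in with")
    for user in s.weak_password_users:
        findings.append(f"username {user} uses 'password' rather than 'secret': "
                        "reversible credential storage")
    return findings


if __name__ == "__main__":
    for finding in audit_http_mgmt(SAMPLE_CONFIG):
        print("-", finding)
```

On the sample config the audit accepts the HTTPS, authentication and privilege-15 requirements and raises two findings: the plaintext `ip http server` that Example 3-20 also enables, and the `guest` account stored with a reversible password. Run it against a saved `show running-config` capture to get the same report for a real router.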
To verify that the required SDM files are installed on a router, you can issue the show flash command. The output of this command should show, at a minimum, the following SDM files:
If you run SDM from a router's flash, as opposed to running SDM from a PC, the first time you connect to the router via a browser, you are taken to the Cisco SDM Express interface. Specifically, on a new router that has SDM installed, you point your browser to http://10.10.10.1. Alternatively, on an existing router, you point your browser to an active IP address on the router. Cisco SDM Express guides you through the initial SDM configuration on a router. Subsequent connections to your router via a browser take you directly to SDM, as opposed to Cisco SDM Express. However, if you run SDM from a PC, you can launch Cisco SDM by choosing Start > Programs > Cisco Systems > Cisco SDM.
Exploring the Cisco SDM Interface
Notice the toolbar across the top of the SDM page, as highlighted in Figure 3-4. You can use this toolbar to navigate between the Home, Configure, and Monitor views.
The Home view provides summary information about the router platform. For example, this summary information shows you the router model, memory capacity, flash capacity, IOS version, and an interface summary.
After clicking the Configure button, you see a screen similar to the one shown in Figure 3-5. Notice the wizards available in the Tasks bar. Available configuration wizards are described in Table 3-11.
|Cisco SDM Wizard||Description|
|Interfaces and Connections||Helps you configure LAN and WAN interfaces|
|Firewall and ACL||Supports the configuration of basic and advanced IOS-based firewalls|
|VPN||Helps you configure a secure site-to-site VPN, Cisco Easy VPN Server, Cisco Easy VPN Remote, and|
|Security Audit||Identifies potential security vulnerabilities in a router's current configuration and tweaks the router's configuration to eliminate those weaknesses|
|Routing||Allows an administrator to modify and view routing configurations for the RIP, OSPF, or EIGRP routing protocols|
|NAT||Helps you configure Network Address Translation (NAT)|
|Intrusion Prevention||Walks an administrator through the process of configuring an IOS-based IPS|
|Quality of Service||Helps you configure quality-of-service (QoS) features|
|NAC||Provides wizards for configuring Network Admission Control (NAC) features such as Extensible Authentication Protocol (EAP)|
In addition to the configuration wizards, notice the Additional Tasks button, as shown in Figure 3-6.
Advanced administrators can use graphical interfaces to configure these additional tasks.
Examples of these tasks are DHCP configuration, DNS configuration, and AAA configuration.
After clicking the Monitor button, you see a screen similar to the one shown in Figure 3-7. Clicking the various buttons in the Tasks bar allows you to monitor the status of various router features. Examples are firewall status, VPN status, and IPS status.
This chapter has introduced SDM. Subsequent chapters will detail how you can leverage SDM to configure a variety of security options. For exam purposes, you should be comfortable with navigating the various SDM screens and performing basic configuration tasks.
About the book
CCNA Security Official Exam Certification Guide is an exam prep book that focuses on the objectives for the CCNA Security IINS exam. Purchase the book from Prentice Hall.
Copyright 2008, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.
This was first published in October 2008