Security Device Manager-1

This chapter provides information and commands concerning the following topics:
• Security Device Manager: Connecting with CLI
• Security Device Manager: Connecting with GUI
• SDM Express Wizard with no CLI preconfiguration
• Resetting the router to factory defaults using SDM
• SDM user interfaces
— Configuring interfaces using SDM
— Configuring routing using SDM
• SDM monitor mode
• Using SDM to configure a router to act as a DHCP server
• Using SDM to configure an interface as a DHCP client
• Using SDM to configure NAT/PAT
• What to do if you lose SDM connectivity because of an erase startup-config command

Security Device Manager: Connecting with CLI

NOTE: Cisco recommends that you use the Cisco Router and Security Device Manager (SDM) to configure your router. However, Cisco also realizes that most implementations of a router with SDM will be to use the command- line interface (CLI) for initial configuration; then, after the routers have been added to the network, all future configuration will take place using SDM.

If you have a router that has the SDM files already installed on it, console into the router and power the router on. If there is no configuration on the router, the Startup Wizard will appear.

Cisco Router and Security Device Manager (SDM) is installed on this device. This feature requires the one-time use of the username “cisco” With the password “cisco”. The default username and password have a privilege level of 15

Please change the publicly known initial credentials using SDM or the CLI.

Here are the cisco IOS commands

Username privilege 15
secret 0
No username cisco

Replace and with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START GUIDE for
your router or go to http://www.cisco.com/go/sdm

User Access Verification

Username:cisco
(Enter username cisco)

Password:xxxxx
(Enter password cisco)

yourname#
(Now at CLI prompt)

yourname#configure terminal
(Moves to global configuration mode.)
yourname(config)#username scott
privilege 15 secret 0 tower

Sets the local username and password for working with SDM. This takes effect after you save the configuration to NVRAM and reload the router.

yourname(config)#no username cisco

Removes the default username of cisco from the configuration.

yourname(config)#hostname 2821

Sets the host name of the router

2821(config)#no ip http access-class 23

Removes ACL 23 from the configuration

NOTE: Access list 23 is an access control list (ACL) that permits only addresses from the 10.10.10.0/29 subnet to access the router through the GUI. This ACL was part of the default configuration of the router when it was shipped from Cisco. If you are going to change the IP address of the LAN interface and then use the GUI to configure the rest of the router, you need to remove this ACL so that using the GUI will work.

2821(config)#interface gigabitethernet 0/0

Moves to interface configuration mode

2821(config-if)#ip address 192.168.100.1 255.255.255.0
Sets the IP address and netmask

2821(config-if)#no shutdown
Enables the interface

2821(config-if)#exit
Returns to global configuration mode

2821(config)#exit
Returns to privileged mode

2821#copy running-config startup-config
Saves the configuration to NVRAM

From here, you can either continue configuring the router with the CLI or you can connect to the router using the GUI and continue the configuration using SDM, which is explained in the next section.

Security Device Manager: Connecting with GUI

SDM has, by default, a one-time username and password set on a router. This one-time username/password combination is cisco/cisco. Plug your router’s first Fast Ethernet (or Gigabit Ethernet) port into a switch. Plug your PC into the same switch. Configure your PC’s IP address to be 10.10.10.2/29 (10.10.10.2 with a subnet mask of 255.255.255.248). Open your PC’s Internet browser and enter the following command in the browser’s address bar: http://10.10.10.1/

You will see a screen similar to the one shown in Figure 29-1. This is where you will use the username/password combination of cisco/cisco.

NOTE: If you have begun your configuration through the CLI, as shown in the previous section, you need to set your PC’s address to 192.168.100.2/24 or something else in the 192.168.100.0/24 network. You cannot use 192.168.100.1/24 because that was the address you set on your router’s Fast Ethernet or Gigabit Ethernet interface. You also use the username and password credentials that you have previously configured from the CLI, and not the default credentials

Figure 29-1 Connect to Router Challenge Window

From here, you will see a pop-up asking you whether you want to use HTTP or HTTPS, as shown in Figure 29-2. Click OK to use HTTPS, or click Cancel to use HTTP. This example uses HTTPS.

Figure 29-2 HTTP or HTTPS

You might be asked to enter your username/password combination again or to accept a digital signature from Cisco IOS Software. If you are challenged, go ahead and enter cisco/cisco or the username/password configured in CLI. If you are asked to verify a digital signature, click OK.

NOTE: If you have already started your configuration from the CLI, you do not need to go through the next section.

SDM Express Wizard with No CLI Preconfiguration

If you are connecting to the router through the GUI and there is no configuration on the router, you are taken to the first screen of the Cisco SDM Express Wizard, shown in Figure 29-3. Click Next to continue, or click Cancel to exit the wizard.

Figure 29-3 Welcome to the Cisco SDM Express Wizard

Figure 29-4 shows the first screen of the SDM Express Wizard—the basic configuration. Here, you enter such information as your router’s name, the domain to which the router belongs, the username and password of the device, and the enable secret password.

Figure 29-4 Basic Configuration

Figure 29-5 shows the next screen—Router Provisioning. Here, you provision (set up) this router using one of two choices—SDM Express or a CNS Server. Continue using SDM Express by leaving that radio button checked and clicking Next to continue.

Figure 29-5 Router Provisioning

The screen in Figure 29-6 asks you to configure the LAN interface on the router. The router
in this example is a 2821, so you have Gigabit Ethernet LAN interfaces, along with VLAN
1 to choose from. If you are using a 2811, you have Fast Ethernet interfaces to choose from.
Change the IP address on the LAN from the default 10.10.10.1 to 192.168.100.1/24, and
then click Next.

Figure 29-6 LAN Interface Configuration

Figure 29-7 shows the DHCP Server Configuration screen, where you can configure the router to act as a DHCP server for other hosts on the LAN. For the purposes of this example, you are not going to configure the DHCP server, so click Next.

Figure 29-7 DHCP Server Configuration

The next item to set up on the router is the WAN interface. Although you have three possible
WAN interfaces, as shown in Figure 29-8, you are allowed to configure only one interface through the SDM Express Wizard. For the interface you want to configure, highlight that
interface and click Add Connection. From here, you are taken to another window asking
you to configure each interface—IP address, encapsulation type, subnet mask, and so on.
Figure 29-9 and Figure 29-10 show the screens where you enter this information. Enter all
the appropriate information in each screen, click OK, and then click Next when done.

Figure 29-8 WAN Configuration

Figure 29-9 Add Serial Connection

Figure 29-11 shows the Advanced Options for the Internet (WAN) interface, where you are
asked to set up a default route for your router. Enter the appropriate information, if needed,
or uncheck the Create Default Route box if you do not want a default route set; then
click Next.

Figure 29-10 Add Gigabit Ethernet Connection

Figure 29-11 Internet (WAN)—Advanced Options

The next screen of the SDM Express Wizard asks whether you want to enable Network
Address Translation (NAT) on this router. Figure 29-12 shows the main screen, and
Figure 29-13 shows the pop-up window that appears when you want to add an address
translation rule. When you have finished entering your NAT information, click Next.

Figure 29-12 Internet (WAN)—Private IP Addresses

Figure 29-13 Add Address Translation Rule

Figure 29-14 shows the Security Configuration Screen, where you can select different security settings for the router. If you are unsure about what to select, leave the default settings of everything checked, and then click Next.

Figure 29-14 Security Configuration

Figure 29-15 shows a summary for the SDM Express configuration. Here, you can scroll up
and down to see the summary of changes that you made to the router. If you are satisfied with the changes, click Finish. If not, click Back and make your changes.

Figure 29-15 Cisco SDM Express Configuration

Cisco SDM Express provides final instructions on how to reconnect to the router if you made changes to the LAN interface, as shown in Figure 29-16.

Figure 29-16 Reconnection Instructions

After resetting your PC’s address to one in the same subnet as the router’s LAN interface,
restart your Internet browser and enter the router’s LAN interface address in the address bar.
You might be asked to select either HTTP or HTTPS, as shown in Figure 29-2. Depending
on your browser setup, you might be asked for your username/password again, or be asked
to disable pop-ups. SDM needs pop-ups enabled to function.
Figure 29-17 shows the screen that appears when SDM is loading up into the browser. You
might be asked to enter your username/password combination again, or to accept a digital
signature from Cisco IOS Software. If you are challenged, go ahead and enter your new
username and password. If you are asked to verify a digital signature, click OK.
Figure 29-18 shows the home screen of the SDM. From here, you can go to other screens
to configure and monitor the status of the router.

Figure 29-17 Loading Cisco SDM

Figure 29-18 Cisco SDM Home Page

Resetting the Router to Factory Defaults Using SDM

Starting at the SDM home page, to reset the router back to factory defaults, first click the
Configure button at the top of the SDM screen, and then clickAdditional Tasks on the left
side of the screen under the Tasks column. Depending on the resolution of your desktop,
you might have to scroll down on the left side of the screen to see the Additional Tasks
button.
The Additional Tasks screen contains a section called Configuration Management, as
shown in Figure 29-19. One of the options here is Reset to Factory Defaults. This screen
shows you how to reconnect to the router after resetting it. Click the Reset Router button
to start the process. A pop-up will appear asking you to confirm your desire to reset the
router. Clicking Yes resets the router. Another pop-up will appear asking you to relaunch
SDM to continue, as shown in Figure 29-20.

Figure 29-19 Resetting the Router

Figure 29-20 Relaunch SDM to Continue

Security Device Manager-2

SDM User Interfaces

Many screens within SDM allow you to perform different tasks, as described in the sections that follow.
Configuring Interfaces Using SDM
Starting from the home page, click Configure from the top line and then Interfaces and Connections on the category bar on the left side of the screen under the Tasks column. Here
you will be shown a screen link, as displayed in Figure 29-21.

Figure 29-21 Interfaces and Connections

To configure an interface that has not been previously configured, select the connection you
want to make and click the Create New Connection button. You are taken to a wizard screen that looks like Figure 29-22. For this example, you want to configure the other LAN interface on this router, GigabitEthernet 0/1. Choose the interface you want to configure, and then click Next.

Figure 29-22 LAN Wizard


Figure 29-23 shows the first screen of the wizard, which provides information about what the wizard will be able to accomplish. Click Next to continue to the next screen.

Figure 29-23 LAN Wizard

Figure 29-24 shows the next screen of the wizard. If you want this interface to be a gateway for a LAN, with no trunking involved, select the Configure this interface for straight routing option, and then click the Next button to continue.

Figure 29-24 LAN Wizard


In the next screen, shown in Figure 29-25, you can assign an IP address and subnet mask to the interface. Click Next to continue.

Figure 29-25 LAN Wizard: IP Address and Subnet Mask


After assigning the IP address and subnet mask, you are taken to the next screen of the wizard (shown in Figure 29-26), which asks whether you want to enable a DHCP server on this interface. The default answer is No. Click Next to continue.

Figure 29-26 LAN Wizard: DHCP Server


Figure 29-27 shows the final screen of the wizard, where you see a summary of what you have configured. If you want to test the connectivity of the interface, check the box at the bottom of the screen, Test the connectivity after configuring, and click Finish, or just click Finish to send your changes to the router for implementation.

Figure 29-27 LAN Wizard: Summary

After the configuration is sent to the router, you are taken back to the Interfaces and Connections screen. If you want to make changes to your interfaces, choose the Edit Interface/Connection tab, highlight the interface you want to edit, and click the Edit button. Here you can makes changes to the address or subnet mask; you can also associate ACL or inspection rules to the interface. NAT and quality of service (QoS) options can also be edited from here.

Configuring Routing Using SDM
Starting from the SDM home page, Figure 29-28 shows the screen that appears when you click Configure from the top line and then Routing on the category bar on the left side of the screen under the Tasks column.

Figure 29-28 Routing

Clicking the Add button in the middle of the Static Routing section allows you to create a static route, as shown in Figure 29-29. Clicking the Edit button on the right side of the Dynamic Routing section of this screen allows you to configure the dynamic routing protocols of RIP, Open Shortest Path First Protocol (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP), as shown in Figure 29-30.

Figure 29-29 Add IP Static Route


Figure 29-30 Edit IP Dynamic Routing

SDM Monitor Mode

Figure 29-31 shows the monitor mode of the SDM. Monitor mode lets you view current information about the router, its interfaces, its firewall status, active VPN connections, and
any messages in the router event log.

Figure 29-31 SDM Monitor Mode

The following table describes how to navigate through the SDM monitor mode to accomplish some key tasks.

Task/SDM Navigation

View information about router interfaces:

From the toolbar, click Monitor Mode, and then in the left frame, click Interface Status. From the Select Interface field on the upper-left side of the Interface Status window, select the interface for which you want to view information, and then in the Available Items group, select the information you want to view.

View graphs of CPU or memory usage:

From the toolbar, click Monitor Mode, and then click the Overview page.

View information about the firewall:

From the toolbar, click Monitor Mode,and then in the left frame, click Firewall Status.

View information about VPN Connections

From the toolbar, click Monitor Mode, and then in the left frame, click VPN Status. From the Select a Category field, select whether to view information about Internet Key Exchange security associations (IKE SA), IPsec Tunnels, or Dynamic Multipoint VPN (DMVPN) Tunnels.

View messages in the router event log
From the toolbar, click Monitor Mode,and then in the left frame, click Logging.

Using SDM to Configure a Router to Act as a DHCP Server

From the home page of the SDM, click Configure, and then click Additional Tasks from the category bar on the left side under Tasks. From there, you should see the section titled DHCP on the left side of the Configure window (see Figure 29-32).

Figure 29-32 Additional Tasks: DHCP

Click DHCP Pools to bring up a screen showing you which DHCP pools have already been created. Click theAdd button to create a new DHCP pool from the screen in Figure 29-33.

Figure 29-33 Add DHCP Pool


After entering your DHCP Information, click OK. You should see a pop-up window that
shows the status of the commands being delivered to the router, as shown in Figure 29-34.

Figure 29-34 Command Delivery Status

As shown in Figure 29-35, clicking the DHCP Pool Status button will show you which IP
addresses have been leased out in this DHCP pool.

Figure 29-35 DHCP Pool Status

Security Device Manager-3

Using SDM to Configure an Interface as a DHCP Client

Having a router interface get an IP address from a DHCP server is often used when you are connecting your router to a Digital Subscriber Line (DSL) or cable modem for access to the Internet. The IP address for the interface needs to come from your provider. As shown in Figure 29-36, start in the Configure screen of SDM, and click the Interfaces and Connections button on the category bar. Select the connection named Ethernet (PPPoE or Unencapsulated Routing), and then click the Create New Connection button at the bottom of the screen. The Ethernet WAN Configuration Wizard will pop up, as shown inFigure 29-37. Click the Next button to begin.

Figure 29-36 Interfaces and Connections

Figure 29-37 Welcome to the Ethernet WAN Configuration Wizard

The next screen of the wizard, shown in Figure 29-38, asks whether you need to configure the router as a Point-to-Point Protocol over Ethernet (PPPoE) client. Check with your Internet service provider (ISP) to determine whether you need this.

Figure 29-38 Encapsulation

Figure 29-39 shows the next screen of the wizard. Because you want this interface to be assigned an IP address from the ISP, choose the radio button named Dynamic (DHCP Client). If the ISP has provided you with a host name, enter it in the Hostname box. Click Next when finished.

Figure 29-39 IP Address

Figure 29-40 shows the next screen of the wizard: Authentication. Enter the appropriate information as provided by your ISP. Click Next when you have finished.

Figure 29-40 Authentication

Figure 29-41 is the final screen of the Ethernet WAN Configuration Wizard, which provides a summary of what you have entered and what will be delivered to the router. If you need to make changes, click Back, or click Finish to send your configuration to the router.

Figure 29-41 Summary

The Interfaces and Connections screen has a tab named Edit Interface Connection. By clicking on this, you will see all interfaces on your router. Select the interface that you chose to make a DHCP client (assume it is GigabitEthernet 0/1 for this example), and then click the Test Connection button, as shown in Figure 29-42. Clicking the Start button begins a series of tests to determine whether the interface is working, as shown in Figure 29-43.

Figure 29-42 Connectivity Testing and Troubleshooting

Figure 29-43 Test Connection Successful

Using SDM to Configure NAT/PAT

From the Configure screen of SDM, click the NAT button on the category bar, as shown in Figure 29-44. You have two options: Basic or Advanced NAT. Make your selection, and then click the Launch the selected task button to begin configuration. The NAT Wizard then appears on the screen, as shown in Figure 29-45. Click Next to begin the wizard.

Figure 29-44 NAT

Figure 29-45 NAT Wizard

The next screen in the wizard, shown in Figure 29-46, allows you to choose the interface that connects to the Internet—the outside interface. For this example, the GigabitEthernet 0/1 interface is connected to the Internet. You also choose your range of IP addresses that will be translated—your inside interfaces. For this example, choose the addresses that are connected to the Internal LAN—GigabitEthernet 0/0 for this example. Click Next when finished.

Figure 29-46 Sharing the Internet Connection

Figure 29-47 shows the summary of the configuration that you will deliver to the router. If this is correct, click Finish; otherwise, click Back to return to the previous screen and make your corrections.

Figure 29-47 Summary of the Configuration

Good luck for your studies........