Introducing Cisco SDM
Cisco Security Device Manager (SDM) is a web-based tool that can be used to manage Cisco IOS routers. It can be used as an alternative to the CLI because the majority of tasks that can be performed with the CLI can also be completed with the SDM. As the Security Device Manager evolves, Cisco is putting heavier emphasis on its use in their courses. Time mastering the SDM here will be time well spent.
In Q2 of 2008, Cisco announced a new web-based GUI tool called the Cisco Configuration Professional (CCP). CCP is expected to eventually replace SDM. Not all ISRs are supported by CCP yet, although support is being extended. For more information on CCP, navigate to http://www.cisco.com/go/ccp.
There are five basic services that SDM manages:
- Security (including VPN, firewall, and IOS)
It also contains a knowledge base of Cisco IOS configurations. Its built-in tutorials, context-sensitive help, and smart wizards supplement its ease of use.
Figure 3.3 is a screenshot of the opening Cisco SDM screen on a Cisco 871 ISR.
Not all ISRs have enough flash memory to hold and run the full SDM from flash. If this is the case, you can either:
- Install Cisco SDM locally on a Windows PC.
- Run the Cisco SDM Express.
Files Required to Run Cisco SDM from the Router
Certain files are required to run the Cisco SDM from the router’s flash file system. If these files don’t exist, they need to be downloaded from Cisco. They come as part of a comprehensive download that also includes the files required to run the SDM applet from a PC workstation. Factory-fresh routers from Cisco have these files in flash. If they are not there, someone has deleted them, perhaps because the organization’s security policy specifies that only the CLI can be used to configure the router.
For more information about Cisco SDM and to download a package that contains the files necessary to run SDM from flash as well as the standalone SDM applet for use on a PC, navigate to http://www.cisco.com/go/sdm.
These files are needed to run Cisco SDM 2.2a and later from the router:
- sdmconfig-modelxxx.cfg: The default configuration for the model of ISR (for example: sdmconfig-2811.cfg)
- es.tar (for SDM Express; can be deleted if only the SDM is being used)
- wlanui.tar (if ISR has wireless interfaces)
This router does not have all the files necessary to run SDM:
28672K bytes of processor board System flash (Intel Strataflash)
Directory of flash:/

    1  -rwx    18924888  Mar 15 2008 16:51:09 -05:00  c870-advipservicesk9-mz.124-15.T4.bin
    2  -rwx        3179  Feb 14 2008 19:21:31 -05:00  sdmconfig-8xx.cfg
    3  -rwx        1038  Feb 14 2008 19:21:10 -05:00  home.shtml
    4  -rwx      112640  Feb 14 2008 19:21:46 -05:00  home.tar
    5  -rwx      931840  Feb 14 2008 19:23:48 -05:00  es.tar
    6  -rwx     1505280  Feb 14 2008 19:28:44 -05:00  common.tar
    … output omitted …

27611136 bytes total (4065280 bytes free)
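The quickest way to tell which GUI a router will serve is to read the flash listing for the SDM files. The following script is an added example, not code from the book or from Cisco: it parses a "dir flash:" listing such as the one above, reports which SDM files are missing, and says whether the full SDM or only SDM Express can run from flash. The page lists sdmconfig-modelxxx.cfg, es.tar, and wlanui.tar; the remaining names in REQUIRED_FULL_SDM (sdm.tar, common.tar, home.tar, home.shtml) are the other members of the standard SDM flash package and are an assumption that you should adjust for your SDM release. The listing embedded in the script is constructed from the page’s sample output.

```python
import re

# Constructed sample input, taken from the page's "show flash" listing
# (line spacing and omitted rows are not significant to the parser).
SAMPLE_DIR_OUTPUT = """\
28672K bytes of processor board System flash (Intel Strataflash)
Directory of flash:/

    1  -rwx    18924888  Mar 15 2008 16:51:09 -05:00  c870-advipservicesk9-mz.124-15.T4.bin
    2  -rwx        3179  Feb 14 2008 19:21:31 -05:00  sdmconfig-8xx.cfg
    3  -rwx        1038  Feb 14 2008 19:21:10 -05:00  home.shtml
    4  -rwx      112640  Feb 14 2008 19:21:46 -05:00  home.tar
    5  -rwx      931840  Feb 14 2008 19:23:48 -05:00  es.tar
    6  -rwx     1505280  Feb 14 2008 19:28:44 -05:00  common.tar

27611136 bytes total (4065280 bytes free)
"""

# Files needed to serve the full SDM from flash. ASSUMPTION: sdm.tar,
# common.tar, home.tar and home.shtml are the standard SDM flash package
# members; the page itself names only sdmconfig-*.cfg, es.tar and wlanui.tar.
REQUIRED_FULL_SDM = ("sdm.tar", "common.tar", "home.tar", "home.shtml")
REQUIRED_EXPRESS = ("es.tar",)          # SDM Express only needs this archive
WIRELESS_ONLY = ("wlanui.tar",)         # only on ISRs with wireless interfaces

# One directory entry: index, permissions, size, timestamp, filename.
ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+(?P<size>\d+)\s+.*?\s(?P<name>\S+)\s*$")
TOTAL_RE = re.compile(r"^(?P<total>\d+) bytes total \((?P<free>\d+) bytes free\)")


def parse_dir(output):
    """Return ({filename: size_in_bytes}, total_bytes, free_bytes)."""
    files = {}
    total = free = None
    for line in output.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            files[entry.group("name")] = int(entry.group("size"))
            continue
        totals = TOTAL_RE.match(line.strip())
        if totals:
            total, free = int(totals.group("total")), int(totals.group("free"))
    return files, total, free


def sdm_readiness(files, has_wireless=False):
    """Decide which SDM variant the flash contents can serve."""
    names = set(files)
    configs = sorted(n for n in names if n.startswith("sdmconfig-") and n.endswith(".cfg"))
    required = list(REQUIRED_FULL_SDM) + (list(WIRELESS_ONLY) if has_wireless else [])
    missing = [n for n in required if n not in names]
    if not configs:
        missing.append("sdmconfig-<model>.cfg")
    return {
        "full_sdm": not missing,
        "sdm_express": all(n in names for n in REQUIRED_EXPRESS),
        "missing": missing,
        "config_file": configs[0] if configs else None,
    }


def report(output, has_wireless=False):
    """Human-readable summary of what browsing to the router will launch."""
    files, total, free = parse_dir(output)
    status = sdm_readiness(files, has_wireless)
    lines = [f"flash: {total} bytes total, {free} bytes free"]
    if status["full_sdm"]:
        lines.append("full SDM files present; browsing to the router launches SDM")
    elif status["sdm_express"]:
        lines.append("full SDM incomplete; browsing to the router launches SDM Express")
    else:
        lines.append("neither SDM nor SDM Express can run from flash; use SDM on a PC")
    if status["missing"]:
        lines.append("missing: " + ", ".join(status["missing"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DIR_OUTPUT))
```

On the page’s sample listing the report notes that sdm.tar is absent, so the router can only offer SDM Express, which matches what the next section describes. Feed the script the output of "dir flash:" captured from your own router to check a device before relying on the GUI.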
Using Cisco SDM Express
Because the router in the previous example doesn’t have enough flash memory, not all the files necessary to run the Cisco SDM are present. If you browse to https://router-ip-address, the Cisco SDM Express launches instead. On a new router, you browse to http://10.10.10.1, which is the default IP address of a new router. The initial configuration is completed by using the Cisco SDM Express Wizard. After the initial configuration of the router is complete, the Cisco SDM Express is no longer offered; subsequent changes to the configuration use the full Cisco SDM.
Figure 3.4 illustrates the Cisco SDM Express.
Launching Cisco SDM
After you have completed the router’s initial configuration with the SDM Express, you can launch the SDM for more advanced configuration tasks. There are two ways to launch the SDM, as follows:
- Cisco SDM on a PC. Use the Cisco SDM Launcher. The default location is Start->Programs->All Programs->Cisco Systems->Cisco SDM->Cisco SDM.
- Cisco SDM in Router Flash Memory. Open a web browser and browse, using either HTTP or HTTPS, to the IP address that has been configured on the router. Prefer HTTPS: over plain HTTP the router’s administrative credentials and the configuration changes you make travel in clear text. Figure 3.5 shows both the SDM Launcher and using a web browser to access the Cisco SDM. If you choose to use a web browser to launch SDM, it must meet the requirements in Table 3.1.
Other Java-enabled web browsers are likely to work, but Cisco TAC supports only those listed in Table 3.1.
Accomplishing tasks on the Cisco SDM is done through buttons along the top of the SDM home page corresponding to different modes. Figure 3.6 illustrates these buttons.
In summary, these modes are as follows:
- Configure Mode. Provides its own task panel with buttons that represent the different configuration tasks and wizards for the novice.
- Monitor Mode. Provides its own task panel with views to the current status of the router.
- Refresh. Reloads the router’s current running configuration into the Cisco SDM, so that the display reflects changes made outside the SDM (for example, from the CLI).
- Save. Saves the running configuration to the startup configuration on the router (CLI: copy running-config startup-config).
Cisco SDM Smart Wizards
When you press the Configure mode button, a task panel appears. Pressing some of the buttons in this task panel will launch a smart wizard. Figure 3.7 shows some of the tasks that come up when you press the Configure mode button.
The following smart wizards are available from the tasks shown in Figure 3.7. Note that a task can offer more than one wizard. For example, in the Virtual Private Network (VPN) Wizards, you can configure site-to-site IPsec VPNs, remote-access IPsec and Secure Sockets Layer (SSL) VPNs, Dynamic Multipoint VPNs (DMVPNs), and others. VPNs are discussed in Chapter 7, “Virtual Private Networks with IPsec.”
- Interfaces and Connections Wizards. Configure serial and LAN interfaces.
- Firewall and ACL Wizards. Configure basic or advanced firewall.
- VPN Wizards. Configure different types of VPNs.
- Security Audit Wizards. Perform a router security audit.
- Routing Wizards. Configure static routes and dynamic routing protocols.
- NAT Wizards. Configure basic and advanced NAT.
- Intrusion Prevention Wizards. Configure the IOS IPS.
- Quality of Service Wizards. Configure QoS to prioritize traffic as it flows through the router.
- NAC Wizards. Configure Network Admission Control policies.
Advanced Configuration with SDM
If you scroll down one more button in the Configuration Task Panel (shown in Figure 3.7), you see a button marked Additional Tasks. Figure 3.8 shows the advanced configuration tasks that come up when you click the Additional Tasks button.
Here are the tasks that can be completed in the Additional Tasks menu illustrated in Figure 3.8:
- Router Properties. Some of the tasks that you can complete include configuring the router hostname, domain, password, date, and time.
- Router Access. Some of the tasks that you can complete include role-based user access, management access, and SSH.
- DNS and DDNS. Some of the tasks that you can complete include configuring Domain Name Service (DNS) and Dynamic DNS.
- ACLs. You can create and edit standard, extended, and named ACLs here.
- AAA. The major tasks that you can accomplish include configuring local and external authentication and authorization.
- Router Provisioning. The USB port can be configured here for secure device provisioning.
- 802.1X. Port-based authentication through IEEE standard Extensible Authentication Protocol (EAP) using IEEE 802.1X can be configured here.
Cisco SDM Monitor Mode
In monitor mode, you can view important information about your router, including the firewall status, interface status, and active VPN connections. You can also view the router event log. This is illustrated in Figure 3.9.
Here is a summary of the information that can be viewed in monitor mode:
- Monitor Overview Window. Shows router status (CPU usage, memory usage, and flash usage) and a list of the error log entries.
- Interface Status. Shows whether interfaces are up or down, bandwidth utilization, and so on.
- Firewall Status. Shows a log with the number of access attempts that the router’s firewall has denied.
- VPN Status. Statistics about active VPN connections.
- QoS Status. Shows policy information on the interfaces.
- NAC Status. Shows the number of NAC sessions on the router.
- Logging. Contains the router event log grouped by severity level.